@atlashub/smartstack-cli 3.54.0 → 4.0.0

package/templates/skills/apex/steps/step-03-execute.md

@@ -16,8 +16,8 @@ All code goes through skills (/controller, /application, /ui-components, /efcore
 > **CONTEXT REUSE:** `smartstack-api.md` (loaded in step-01) and `smartstack-layers.md` (loaded in step-02) are already in context. Do NOT re-read them.
 
 - **ALWAYS** read `references/smartstack-frontend.md` — lazy loading, i18n, page structure, CSS variables, EntityLookup, compliance gates (sections 1-9)
-- If NOT `{economy_mode}` AND Layer 1 has parallel work: read `references/agent-teams-protocol.md`
-- If `{delegate_mode}` AND seedData tasks exist: read `references/core-seed-data.md` — comprehensive seed data templates
+- **ALWAYS** read `references/core-seed-data.md` — comprehensive seed data templates (Layer 1)
+- If NOT `{economy_mode}` AND a layer has multi-entity work: read `references/agent-teams-protocol.md`
 - If build failure during execution: read `references/error-classification.md` — error diagnosis categories A-F
 
 ---
@@ -30,9 +30,10 @@ This is a foundation-only execution (called by ralph-loop Phase 0). Execute ONLY
 - Layer 0: Domain entities + EF configs + Migration
 
 **SKIP ALL OTHER LAYERS:**
-- Layer 1: Application + API + Seed Data → SKIP
-- Layer 2: Frontend → SKIP
-- Layer 3: Tests → SKIP
+- Layer 1: Seed Data → SKIP
+- Layer 2: Backend → SKIP
+- Layer 3: Frontend → SKIP
+- Layer 4: DevData → SKIP
 
 After Layer 0 completes and builds successfully:
 - Commit with message: `chore(foundation): entities for {module_code}`
@@ -40,7 +41,7 @@ After Layer 0 completes and builds successfully:
 - End execution
 
 **IF `{foundation_mode}` == false:**
-Execute ALL layers normally (Layer 0 → Layer 1 → Layer 2 → Layer 3).
+Execute ALL layers normally (Layer 0 → Layer 1 → Layer 2 → Layer 3 → Layer 4).
 
 ---
 
@@ -107,137 +108,233 @@ dotnet build
 
 **MUST PASS before Layer 1. If NuGet error, run `dotnet restore` first. If file lock (MSB3021), use `--output /tmp/{project}_build`.**
 
+### Layer 0 Commit
+
+```
+feat({module}): [domain+infra] {short description}
+```
+
+---
+
+## Layer 1 — Seed Data (DEDICATED LAYER — sequential, agent principal)
+
+> **This layer is DEDICATED and MANDATORY.** Seed data makes modules visible in the UI.
+> Without seed data, the module exists in code but is invisible to users.
+> Reference: `references/core-seed-data.md` (loaded above) for complete C# templates.
+
+### Application-Level Seed Data (ONCE per application)
+
+```
+1. NavigationApplicationSeedData.cs
+   → Application-level navigation entry (MUST be first)
+   → Random GUID via Guid.NewGuid()
+   → 4 language translations (fr, en, it, de)
+
+2. ApplicationRolesSeedData.cs
+   → 4 roles: admin, manager, contributor, viewer
+   → Random GUIDs (Guid.NewGuid())
+   → References NavigationApplicationSeedData.ApplicationId
+```
+
+### Per-Module Seed Data
+
+```
+3. NavigationModuleSeedData.cs
+   → Random GUIDs (Guid.NewGuid()), 4 languages (fr, en, it, de)
+   → GetModuleEntry() + GetTranslationEntries()
+   → If sections defined: GetSectionEntries() + GetSectionTranslationEntries()
+   → If resources defined: GetResourceEntries() + resource translations
+   → Query actual parent from DB for FK (NOT deterministic GUID)
+
+4. Permissions.cs
+   → MCP generate_permissions (PRIMARY tool)
+   → Static constants: public static class {Module} { public const string Read = "..."; }
+   → Permission paths MUST use kebab-case matching NavRoute codes
+
+5. PermissionsSeedData.cs
+   → MCP generate_permissions first, fallback template
+   → Paths match Permissions.cs, wildcard + CRUD
+
+6. RolesSeedData.cs
+   → Admin=wildcard(*), Manager=CRU, Contributor=CR, Viewer=R
+   → Code-based role mapping (NEVER deterministic GUIDs for roles)
+   → Look up roles by Code at runtime
+```
+
+### Infrastructure Provider (ONCE per application)
+
+```
+7. {App}SeedDataProvider.cs
+   → Implements IClientSeedDataProvider
+   → SeedNavigationAsync(): Application → Module → Section → Resource + translations
+   → SeedRolesAsync(): application-scoped roles from ApplicationRolesSeedData
+   → SeedPermissionsAsync(): permission entries from PermissionsSeedData
+   → SeedRolePermissionsAsync(): maps roles to permissions (by Code, NOT by GUID)
+   → DI: services.AddScoped<IClientSeedDataProvider, {App}SeedDataProvider>()
+```
+
+### Post-Layer 1 Build Gate
+
+```bash
+dotnet build
+```
+
+**MUST PASS before Layer 2.**
+
+### Layer 1 Commit
+
+```
+feat({module}): [seed] navigation, permissions, roles
+```
+
 ---
 
-## Layer 1 — Application + API + Seed Data
+## Layer 2 — Backend (Services + Controllers)
 
-> **Layer 1 rules** are in `references/smartstack-layers.md` (already in context from step-02):
-> - NavRoute and permission kebab-case (Layer 1 - API section)
+> **Layer 2 rules** are in `references/smartstack-layers.md` (already in context from step-02):
+> - NavRoute and permission kebab-case (Layer 2 - API section)
 > - Controller route attributes (FORBIDDEN: [Route] alongside [NavRoute])
 > - Validators DI registration
 > - DateOnly vs string for DTO date fields
 > - Code generation patterns (ICodeGenerator<T> registration, see references/code-generation.md)
 
-### Backend Tasks (sequential or parallel)
+### Backend Tasks (sequential or parallel within layer)
 
 - **Services/DTOs:** MCP scaffold_extension
 - **Controllers:** use /controller skill for complex, MCP scaffold_extension for simple
 - **IMPORTANT:** ALL GetAll endpoints MUST support `?search=` query parameter (enables EntityLookup on frontend)
-- **Seed data:** MCP generate_permissions, then follow smartstack-layers.md templates
 
-### Frontend Tasks (sequential or parallel)
+### Skill Delegation
 
-> **Frontend patterns** are in `references/smartstack-frontend.md` (already loaded above):
-> - API client generation (MCP scaffold_api_client)
-> - Route scaffolding (MCP scaffold_routes) — section 1 + 3b
-> - Page types (ListPage, DetailPage, CreatePage, EditPage) — section 3
-> - FK field handling (EntityLookup component) — section 6
-> - Form structure (ZERO modals — all full pages) — section 3b
-> - Detail page tabs (local state only) — section 3 "Tab Behavior Rules"
-> - Testing patterns (co-located form tests) — section 8
-> - Section-level routes and permissions — section 3b
-> - I18n JSON structure and registration — section 2
-> - Compliance gates (5 mandatory checks) — section 9
+| Skill | When | Context to provide |
+|-------|------|--------------------|
+| /controller | Custom routes, complex auth, file upload | entity, CRUD actions, permissions, routes |
+| /application | Full app/module from scratch | app, module names |
+| /ui-components | Complex pages (tables, grids, dashboards) | entity, fields, page type |
+| /efcore | Complex EF configs, inheritance | relationships, indexes |
+| /notification | In-app or email notifications | trigger, recipients, template |
+| /workflow | Automated workflows | trigger, steps, conditions |
 
-### If NOT economy_mode: Agent Teams (parallel)
+### If NOT economy_mode AND multiple entities: Agent Teams (parallel within layer)
 
 > **Protocol:** See `references/agent-teams-protocol.md`
 
 ```
-TeamCreate("apex-exec", description: "Execute Layer 1 in parallel")
-
-Spawn 2 teammates (Opus, full tools):
+TeamCreate("apex-layer2", description: "Execute Layer 2 backend in parallel")
 
-1. exec-backend (team_name: "apex-exec", name: "exec-backend"):
-   "Execute these Layer 1 backend tasks for module {module_code}:
-    {list of application + api + seed data tasks from plan}
+Spawn 1 teammate per entity (Opus, full tools):
 
-    For each task:
-    - Application services/DTOs: MCP scaffold_extension
-    - Controllers: use /controller skill for complex, MCP scaffold_extension for simple
-    - IMPORTANT: ALL GetAll endpoints MUST support ?search= query parameter (enables EntityLookup on frontend)
-    - Seed data: MCP generate_permissions, then follow smartstack-layers.md templates
+For each entity:
+  Task: "Execute Layer 2 backend for entity {EntityName}:
+    - Application service/DTO: MCP scaffold_extension
+    - Controller: /controller skill or MCP scaffold_extension
+    - IMPORTANT: GetAll endpoint MUST support ?search= parameter
+    - Validators: FluentValidation + DI registration
 
     After ALL tasks done:
-    SendMessage(type:'message', recipient:'team-lead', content:'BACKEND_COMPLETE', summary:'Backend layer done')"
+    SendMessage(type:'message', recipient:'team-lead', content:'ENTITY_COMPLETE: {EntityName}', summary:'{EntityName} backend done')"
 
-2. exec-frontend (team_name: "apex-exec", name: "exec-frontend"):
-   "Execute these Layer 1 frontend tasks for module {module_code}:
-    {list of frontend + i18n tasks from plan}
+Wait for all teammates to report completion.
+shutdown_request → shutdown_response → TeamDelete("apex-layer2")
+```
 
-    **MANDATORY: Read references/smartstack-frontend.md FIRST** — contains all required patterns.
+### Post-Layer 2 Build Gate
 
-    For each task:
-    - API client: MCP scaffold_api_client
-    - Routes: MCP scaffold_routes (outputFormat: 'clientRoutes') → generates lazy imports + Suspense
-    - Pages: use /ui-components skill — MUST follow smartstack-frontend.md patterns:
-      → React.lazy() for all page imports (named export wrapping)
-      → <Suspense fallback={<PageLoader />}> around all lazy components
-      → Page structure: hooks → useEffect(load) → loading → error → content
-      → CSS variables only: bg-[var(--bg-card)], text-[var(--text-primary)]
-      → SmartTable/SmartFilter/EntityCard (NEVER raw HTML)
-    - **FORM PAGES (CRITICAL):** Create/Edit forms are FULL PAGES with own routes:
-      → EntityCreatePage.tsx with route /{module}/create
-      → EntityEditPage.tsx with route /{module}/:id/edit
-      → ZERO modals/popups/drawers/dialogs for forms
-      → Back button with navigate(-1) on every form page
-      → See smartstack-frontend.md section 3b for templates
-    - **TABS ON DETAIL PAGES (CRITICAL):** Tabs MUST switch content LOCALLY:
-      → Tab click handler: setActiveTab(tabKey) ONLY — NEVER navigate() to another page
-      → Tab content: render inline with {activeTab === 'tabKey' && <TabContent />}
-      → Sub-resource data: fetch via API filtered by parent ID, display in tab panel
-      → FORBIDDEN: navigate('../leaves?employee=${id}') in tab handler
-      → See smartstack-frontend.md section 3 'Tab Behavior Rules'
-    - **FK FIELDS (CRITICAL):** Foreign key Guid fields (e.g., EmployeeId) MUST use EntityLookup:
-      → NEVER render FK fields as `<input>` — users cannot type GUIDs
-      → NEVER render FK fields as `<select>` — even with API-loaded options, `<select>` is NOT acceptable
-      → ONLY use `<EntityLookup />` from @/components/ui/EntityLookup for searchable selection
-      → Each FK field needs: apiEndpoint, mapOption (display name), search support on backend
-      → FORBIDDEN: `<select value={formData.departmentId}>`, `<option value={dept.id}>`, `e.target.value` for FK fields
-      → See smartstack-frontend.md section 6 for the full EntityLookup pattern
-    - **FORM TESTS (MANDATORY):**
-      → EntityCreatePage.test.tsx (co-located next to page)
-      → EntityEditPage.test.tsx (co-located next to page)
-      → Cover: rendering, validation, submit, pre-fill, navigation, errors
-      → See smartstack-frontend.md section 8 for test templates
-    - **PERMISSIONS:** Call MCP generate_permissions for the module permission root (2 segments: {app}.{module}),
-      then also call MCP generate_permissions for EACH section (3 segments: {app}.{module}.{section}).
-    - **SECTION ROUTES:** Add section child routes to the module's children array.
-      Wire PermissionGuard for section routes with section-level permissions.
-    - I18n: Generate 4 JSON files per module namespace (fr, en, it, de)
-      → Follow JSON template from smartstack-frontend.md
-      → Keys: actions, labels, errors, validation, columns, form, messages, empty
-      → ALL t() calls MUST use namespace prefix + fallback: t('ns:key', 'Default text')
-    - MUST use src/pages/{App}/{Module}/ hierarchy (NOT flat)
+```bash
+dotnet build
+```
 
-    After ALL tasks done:
-    SendMessage(type:'message', recipient:'team-lead', content:'FRONTEND_COMPLETE', summary:'Frontend layer done')"
+**MUST PASS before backend tests.**
 
-Wait for both teammates to report completion.
+### Backend Tests Inline
 
-Build verification:
-  dotnet build  (backend)
-  npm run typecheck           (frontend, if applicable)
+> **Tests are scaffolded and run WITHIN Layer 2, not deferred to step-07.**
 
-shutdown_request → shutdown_response → TeamDelete("apex-exec")
+```
+1. Scaffold backend tests:
+   → MCP scaffold_tests (target_layer: "domain", module: "{module_code}", test_type: "unit")
+   → MCP scaffold_tests (target_layer: "application", module: "{module_code}", test_type: "unit")
+   → MCP scaffold_tests (target_layer: "api", module: "{module_code}", test_type: "integration")
+
+2. Run tests:
+   dotnet test --no-build --verbosity normal
+
+3. Fix loop (max 3 iterations):
+   IF tests fail:
+     → Identify root cause (ALWAYS code bug, not test bug)
+     → Fix production CODE via appropriate skill/MCP
+     → dotnet build --no-restore
+     → dotnet test --no-build
+     → Repeat until pass or max 3
+
+4. If still failing after 3 iterations: note failures, continue to Layer 3.
+   Step-07 "Final Test Sweep" will handle remaining failures.
 ```
 
----
-
-## Layer 1 — Skill Delegation
+### Layer 2 Commits
 
-| Skill | When | Context to provide |
-|-------|------|--------------------|
-| /controller | Custom routes, complex auth, file upload | entity, CRUD actions, permissions, routes |
-| /application | Full app/module from scratch | app, module names |
-| /ui-components | Complex pages (tables, grids, dashboards) | entity, fields, page type |
-| /efcore | Complex EF configs, inheritance | relationships, indexes |
-| /notification | In-app or email notifications | trigger, recipients, template |
-| /workflow | Automated workflows | trigger, steps, conditions |
+```
+feat({module}): [app+api] {short description}
+test({module}): backend unit and integration tests
+```
 
 ---
 
-## Layer 2b — Documentation (after frontend pages exist)
+## Layer 3 — Frontend (Pages + I18n + Documentation)
+
+> **Frontend patterns** are in `references/smartstack-frontend.md` (already loaded above):
+> - API client generation (MCP scaffold_api_client)
+> - Route scaffolding (MCP scaffold_routes) — section 1 + 3b
+> - Page types (ListPage, DetailPage, CreatePage, EditPage) — section 3
+> - FK field handling (EntityLookup component) — section 6
+> - Form structure (ZERO modals — all full pages) — section 3b
+> - Detail page tabs (local state only) — section 3 "Tab Behavior Rules"
+> - Testing patterns (co-located form tests) — section 8
+> - Section-level routes and permissions — section 3b
+> - I18n JSON structure and registration — section 2
+> - Compliance gates (5 mandatory checks) — section 9
+
+### Frontend Tasks (sequential or parallel within layer)
+
+For each module:
+- **API client:** MCP scaffold_api_client
+- **Routes:** MCP scaffold_routes (outputFormat: 'clientRoutes') → generates lazy imports + Suspense
+- **Pages:** use /ui-components skill — MUST follow smartstack-frontend.md patterns:
+  → React.lazy() for all page imports (named export wrapping)
+  → `<Suspense fallback={<PageLoader />}>` around all lazy components
+  → Page structure: hooks → useEffect(load) → loading → error → content
+  → CSS variables only: bg-[var(--bg-card)], text-[var(--text-primary)]
+  → SmartTable/SmartFilter/EntityCard (NEVER raw HTML)
+- **FORM PAGES (CRITICAL):** Create/Edit forms are FULL PAGES with own routes:
+  → EntityCreatePage.tsx with route /{module}/create
+  → EntityEditPage.tsx with route /{module}/:id/edit
+  → ZERO modals/popups/drawers/dialogs for forms
+  → Back button with navigate(-1) on every form page
+  → See smartstack-frontend.md section 3b for templates
+- **TABS ON DETAIL PAGES (CRITICAL):** Tabs MUST switch content LOCALLY:
+  → Tab click handler: setActiveTab(tabKey) ONLY — NEVER navigate() to another page
+  → Tab content: render inline with {activeTab === 'tabKey' && <TabContent />}
+  → Sub-resource data: fetch via API filtered by parent ID, display in tab panel
+  → FORBIDDEN: navigate('../leaves?employee=${id}') in tab handler
+  → See smartstack-frontend.md section 3 'Tab Behavior Rules'
+- **FK FIELDS (CRITICAL):** Foreign key Guid fields (e.g., EmployeeId) MUST use EntityLookup:
+  → NEVER render FK fields as `<input>` — users cannot type GUIDs
+  → NEVER render FK fields as `<select>` — even with API-loaded options, `<select>` is NOT acceptable
+  → ONLY use `<EntityLookup />` from @/components/ui/EntityLookup for searchable selection
+  → Each FK field needs: apiEndpoint, mapOption (display name), search support on backend
+  → FORBIDDEN: `<select value={formData.departmentId}>`, `<option value={dept.id}>`, `e.target.value` for FK fields
+  → See smartstack-frontend.md section 6 for the full EntityLookup pattern
+- **I18n:** Generate 4 JSON files per module namespace (fr, en, it, de)
+  → Follow JSON template from smartstack-frontend.md
+  → Keys: actions, labels, errors, validation, columns, form, messages, empty
+  → ALL t() calls MUST use namespace prefix + fallback: t('ns:key', 'Default text')
+- **PERMISSIONS:** Call MCP generate_permissions for the module permission root (2 segments: {app}.{module}),
+  then also call MCP generate_permissions for EACH section (3 segments: {app}.{module}.{section}).
+- **SECTION ROUTES:** Add section child routes to the module's children array.
+  Wire PermissionGuard for section routes with section-level permissions.
+- MUST use src/pages/{App}/{Module}/ hierarchy (NOT flat)
+
+### Documentation (after frontend pages exist)
 
 > **After frontend pages are created, generate module documentation via `/documentation` skill.**
 
@@ -257,28 +354,35 @@ This generates:
 - Import: `import { DocToggleButton } from '@/components/docs/DocToggleButton';`
 - Placement: inside the header actions area (see `smartstack-frontend.md` section 7)
 
----
-
-## Layer 2 — Final Seed Data + Validation (sequential)
+### If NOT economy_mode AND multiple entities: Agent Teams (parallel within layer)
 
-After Layer 1 completes:
+> **Protocol:** See `references/agent-teams-protocol.md`
 
 ```
-1. Verify seed data completeness:
-   - NavigationModuleSeedData.cs with 4 languages
-   - PermissionsSeedData.cs with Guid.NewGuid()
-   - RolesSeedData.cs with context-based role mapping
-   - IClientSeedDataProvider updated
-   - DI registration added
+TeamCreate("apex-layer3", description: "Execute Layer 3 frontend in parallel")
 
-2. Build gate:
-   dotnet build → MUST PASS
-   npm run typecheck → MUST PASS (if frontend)
-```
+Spawn 1 teammate per entity (Opus, full tools):
 
----
+For each entity:
+  Task: "Execute Layer 3 frontend for entity {EntityName}:
+    **MANDATORY: Read references/smartstack-frontend.md FIRST**
+    - API client: MCP scaffold_api_client
+    - Routes: MCP scaffold_routes (outputFormat: 'clientRoutes')
+    - Pages: /ui-components skill (ALL 4 types: List, Detail, Create, Edit)
+    - I18n: 4 JSON files (fr, en, it, de)
+    - FORM PAGES: Full pages with own routes (ZERO modals)
+    - FK FIELDS: EntityLookup for all FK Guid fields
+    - TABS: Local state only (NEVER navigate())
+    - FORM TESTS: Co-located .test.tsx for Create and Edit pages
+
+    After ALL tasks done:
+    SendMessage(type:'message', recipient:'team-lead', content:'ENTITY_COMPLETE: {EntityName}', summary:'{EntityName} frontend done')"
 
-## FRONTEND COMPLIANCE GATE (MANDATORY before commit)
+Wait for all teammates to report completion.
+shutdown_request → shutdown_response → TeamDelete("apex-layer3")
+```
+
+### FRONTEND COMPLIANCE GATE (MANDATORY before commit)
 
 > **Reference:** See `references/smartstack-frontend.md` section 9 "Compliance Gates" for all 5 mandatory checks:
 > 1. CSS Variables (theme system)
@@ -294,6 +398,74 @@ When delegating to `/ui-components` skill, include explicit instructions:
 - "Forms: Create/Edit forms are FULL PAGES with own routes (e.g., `/create`, `/:id/edit`)."
 - "I18n: ALL text must use `t('namespace:key', 'Fallback')`. Generate JSON files in `src/i18n/locales/`."
 
+### Frontend Tests Inline
+
+> **Tests are scaffolded and run WITHIN Layer 3, not deferred to step-07.**
+
+```
+1. Scaffold frontend tests:
+   → For each module with create/edit pages:
+     → Generate EntityCreatePage.test.tsx and EntityEditPage.test.tsx
+     → Co-located next to the page component (NOT in __tests__/ folder)
+     → Cover: rendering, validation, submit, pre-fill, navigation, errors
+     → Tools: Vitest + React Testing Library + @testing-library/user-event
+     → Mock API: vi.mock() or MSW — NEVER real API calls
+
+2. Run tests:
+   WEB_DIR=$(find . -name "vitest.config.ts" -not -path "*/node_modules/*" -exec dirname {} \; 2>/dev/null | head -1)
+   if [ -n "$WEB_DIR" ]; then
+     (cd "$WEB_DIR" && npm run test)
+   fi
+
+3. Fix loop (max 3 iterations):
+   IF tests fail:
+     → Identify root cause (ALWAYS code bug, not test bug)
+     → Fix production CODE
+     → Re-run tests
+     → Repeat until pass or max 3
+
+4. If still failing after 3 iterations: note failures, continue.
+   Step-07 "Final Test Sweep" will handle remaining failures.
+```
+
+### Typecheck Gate
+
+```bash
+npm run typecheck
+```
+
+**MUST PASS before commit.**
+
+### Layer 3 Commits
+
+```
+feat({module}): [frontend] pages, routes, i18n, documentation
+test({module}): frontend form tests
+```
+
+---
+
+## Layer 4 — DevData (optional)
+
+> **Business test data for development/demo environments.**
+> Skip this layer if no meaningful test data is needed.
+
+```
+1. Create DevDataSeeder:
+   → Infrastructure/Persistence/Seeding/DevData/{Module}DevDataSeeder.cs
+   → ALL entities MUST include TenantId
+   → Realistic business data for demo purposes
+
+2. Build gate:
+   dotnet build → MUST PASS
+```
+
+### Layer 4 Commit (if applicable)
+
+```
+feat({module}): [devdata] test data for development
+```
+
 ---
 
 ## PRD State Update (delegate mode only)
@@ -323,11 +495,16 @@ After each layer completes, gates pass, and builds pass:
 
 ```
 Layer 0: feat({module}): [domain+infra] {short description}
-Layer 1: feat({module}): [app+api] {short description}
-Layer 1: feat({module}): [frontend] {short description}  # if applicable — AFTER all 5 gates pass
-Layer 2: feat({module}): [seed] {short description}       # if applicable
+Layer 1: feat({module}): [seed] navigation, permissions, roles
+Layer 2: feat({module}): [app+api] {short description}
+Layer 2: test({module}): backend unit and integration tests
+Layer 3: feat({module}): [frontend] pages, routes, i18n, documentation
+Layer 3: test({module}): frontend form tests
+Layer 4: feat({module}): [devdata] test data for development  # if applicable
 ```
 
+**Maximum 7 commits per module.**
+
 ---
 
 ## Save Output (if save_mode)

package/templates/skills/apex/steps/step-04-examine.md

@@ -225,6 +225,14 @@ AC2: {criterion} → PASS / FAIL (evidence: {file:line or test})
 ```
 **APEX SmartStack - eXamine Complete**
 
+| Layer | Status | Details |
+|-------|--------|---------|
+| Layer 0 — Domain + Infrastructure | PASS / N/A | Entities, EF configs, migration, build gate |
+| Layer 1 — Seed Data | PASS / N/A | Navigation, permissions, roles, provider, build gate |
+| Layer 2 — Backend | PASS / N/A | Services, controllers, build gate, inline tests |
+| Layer 3 — Frontend | PASS / N/A | Pages, i18n, docs, compliance gate, inline tests |
+| Layer 4 — DevData | PASS / N/A / SKIPPED | Optional test data |
+
 | Category | Checks | Status |
 |----------|--------|--------|
 | MCP conventions | validate_conventions | PASS (0 errors) |
@@ -244,6 +252,8 @@ AC2: {criterion} → PASS / FAIL (evidence: {file:line or test})
 | Role-permission matrix | Admin=wildcard, Manager=CRU, Contributor=CR, Viewer=R (POST-CHECK 42) | PASS / N/A |
 | PermissionAction enum | No Enum.Parse, only typed enum values 0-10 (POST-CHECK 43) | PASS / N/A |
 | Navigation translations | 4 langs per level, section/resource translations present (POST-CHECK 44) | PASS / N/A |
+| Inline tests (Layer 2) | Backend unit + integration tests | PASS / N/A |
+| Inline tests (Layer 3) | Frontend form tests | PASS / N/A |
 | POST-CHECKs | 3 MCP tools + 50 bash checks (6 security + 44 convention) | PASS / N/A |
 | Acceptance criteria | AC1..ACn | {X}/{Y} PASS |
 ```
@@ -256,24 +266,23 @@ Write to `{output_dir}/04-examine.md` with validation results.
 
 ---
 
-## 10. Route to Next Step — TESTS ARE MANDATORY
+## 10. Route to Next Step — FINAL TEST SWEEP
 
-> **CRITICAL — DO NOT STOP HERE.**
-> Step-04 (eXamine) is NOT the final step. Tests MUST be scaffolded and run.
-> Completing APEX without tests violates the methodology — skip is FORBIDDEN.
+> **Note:** Backend tests (Layer 2) and frontend tests (Layer 3) have already been scaffolded and run inline.
+> Step-07 "Final Test Sweep" handles: security tests, coverage analysis, cross-layer scenarios, and remaining failures.
 
 ```
 IF examine_mode (-x flag):
   → Load steps/step-05-deep-review.md (adversarial review)
   → Then step-06 (resolve) if BLOCKING findings
-  → Then step-07 (tests) — ALWAYS
+  → Then step-07 (Final Test Sweep) — ALWAYS
 
 ELSE:
   → Load steps/step-07-tests.md — IMMEDIATELY after eXamine completes
 ```
 
 **BLOCKING RULE:** The APEX workflow is NOT complete until steps 07-08 execute.
-The success criteria require: "Tests: 100% pass, >= 80% coverage" — this is impossible without step-07.
+The success criteria require: "Tests: 100% pass, >= 80% coverage" — step-07 verifies coverage and adds security tests.
 
 **NEXT ACTION:** Load `steps/step-07-tests.md` now.