@atlashub/smartstack-cli 3.8.0 → 3.10.0

package/templates/skills/ralph-loop/references/core-seed-data.md

@@ -279,7 +279,129 @@ If MCP `generate_permissions` fails, use the template above directly with values
 
 ---
 
-## 4. RolesSeedData.cs
+## 4. ApplicationRolesSeedData.cs (Application-Level, Once per Application)
+
+**File:** `Infrastructure/Persistence/Seeding/Data/ApplicationRolesSeedData.cs`
+
+### Purpose
+
+Creates the 4 standard application-scoped roles: Admin, Manager, Contributor, Viewer.
+
+**CRITICAL:** This file is created **ONCE per application** (not per module).
+Without these roles, role-permission mappings in `SeedRolePermissionsAsync()` will fail silently.
+
+### GUID Generation Rule
+
+```csharp
+// Deterministic GUID from application ID + role type
+private static Guid GenerateRoleGuid(string roleType)
+{
+    using var sha256 = System.Security.Cryptography.SHA256.Create();
+    var hash = sha256.ComputeHash(System.Text.Encoding.UTF8.GetBytes($"role-{ApplicationId}-{roleType}"));
+    return new Guid(hash.Take(16).ToArray());
+}
+// roleType values: "admin", "manager", "contributor", "viewer"
+```
+
+### Template
+
+```csharp
+using SmartStack.Domain.Platform.Administration.Roles;
+
+namespace {BaseNamespace}.Infrastructure.Persistence.Seeding.Data;
+
+/// <summary>
+/// Application-scoped role seed data for {AppLabel}.
+/// Defines the 4 standard application roles: Admin, Manager, Contributor, Viewer.
+/// Consumed by IClientSeedDataProvider at application startup.
+/// </summary>
+public static class ApplicationRolesSeedData
+{
+    // Application ID from NavigationApplicationSeedData
+    private static readonly Guid ApplicationId = {ApplicationGuid};
+
+    public static readonly Guid AdminRoleId = GenerateRoleGuid("admin");
+    public static readonly Guid ManagerRoleId = GenerateRoleGuid("manager");
+    public static readonly Guid ContributorRoleId = GenerateRoleGuid("contributor");
+    public static readonly Guid ViewerRoleId = GenerateRoleGuid("viewer");
+
+    public static IEnumerable<ApplicationRoleSeedEntry> GetRoleEntries()
+    {
+        yield return new ApplicationRoleSeedEntry
+        {
+            Id = AdminRoleId,
+            Code = "admin",
+            Name = "{AppLabel} Admin",
+            Description = "Full administrative access to {AppLabel}",
+            ApplicationId = ApplicationId,
+            IsSystem = false,
+            IsActive = true,
+            DisplayOrder = 1
+        };
+
+        yield return new ApplicationRoleSeedEntry
+        {
+            Id = ManagerRoleId,
+            Code = "manager",
+            Name = "{AppLabel} Manager",
+            Description = "Management access to {AppLabel} (Create, Read, Update)",
+            ApplicationId = ApplicationId,
+            IsSystem = false,
+            IsActive = true,
+            DisplayOrder = 2
+        };
+
+        yield return new ApplicationRoleSeedEntry
+        {
+            Id = ContributorRoleId,
+            Code = "contributor",
+            Name = "{AppLabel} Contributor",
+            Description = "Contributor access to {AppLabel} (Create, Read)",
+            ApplicationId = ApplicationId,
+            IsSystem = false,
+            IsActive = true,
+            DisplayOrder = 3
+        };
+
+        yield return new ApplicationRoleSeedEntry
+        {
+            Id = ViewerRoleId,
+            Code = "viewer",
+            Name = "{AppLabel} Viewer",
+            Description = "Read-only access to {AppLabel}",
+            ApplicationId = ApplicationId,
+            IsSystem = false,
+            IsActive = true,
+            DisplayOrder = 4
+        };
+    }
+
+    private static Guid GenerateRoleGuid(string roleType)
+    {
+        using var sha256 = System.Security.Cryptography.SHA256.Create();
+        var hash = sha256.ComputeHash(System.Text.Encoding.UTF8.GetBytes($"role-{ApplicationId}-{roleType}"));
+        return new Guid(hash.Take(16).ToArray());
+    }
+}
+
+public class ApplicationRoleSeedEntry
+{
+    public Guid Id { get; init; }
+    public string Code { get; init; } = null!;
+    public string Name { get; init; } = null!;
+    public string Description { get; init; } = null!;
+    public Guid ApplicationId { get; init; }
+    public bool IsSystem { get; init; }
+    public bool IsActive { get; init; }
+    public int DisplayOrder { get; init; }
+}
+```
+
+**Replace placeholders** with values from PRD and navigation metadata.
+
+---
+
+## 5. {Module}RolesSeedData.cs (Per Module)
 
 **File:** `Infrastructure/Persistence/Seeding/Data/{ModulePascal}/RolesSeedData.cs`
 
@@ -335,7 +457,7 @@ public class RolePermissionSeedEntry
 
 ---
 
-## 5. IClientSeedDataProvider Implementation
+## 6. IClientSeedDataProvider Implementation
 
 **File:** `Infrastructure/Persistence/Seeding/{AppPascalName}SeedDataProvider.cs`
 
@@ -343,10 +465,11 @@ public class RolePermissionSeedEntry
 
 | Rule | Description |
 |------|-------------|
-| Factory methods | `NavigationModule.Create(...)`, `Permission.CreateForModule(...)`, `RolePermission.Create(...)` — NEVER `new Entity()` |
+| Factory methods | `NavigationModule.Create(...)`, `Role.Create(...)`, `Permission.CreateForModule(...)`, `RolePermission.Create(...)` — NEVER `new Entity()` |
 | Idempotence | Each Seed method checks existence before inserting |
-| SaveChanges per group | Navigation -> save -> Permissions -> save -> RolePermissions -> save |
-| FK resolution by Code | Parent entities found by `Code`, not hardcoded GUID |
+| Execution order | Navigation → Roles → Permissions → RolePermissions (roles MUST exist before mapping) |
+| SaveChanges per group | Navigation -> save -> Roles -> save -> Permissions -> save -> RolePermissions -> save |
+| FK resolution by Code | Parent entities (modules, roles) found by `Code`, not hardcoded GUID |
 | DI registration | `services.AddScoped<IClientSeedDataProvider, {AppPascalName}SeedDataProvider>()` |
 
 ### Template
@@ -357,13 +480,14 @@ using SmartStack.Application.Common.Interfaces;
 using SmartStack.Application.Common.Interfaces.Seeding;
 using SmartStack.Domain.Navigation;
 using SmartStack.Domain.Platform.Administration.Roles;
+using {BaseNamespace}.Infrastructure.Persistence.Seeding.Data;
 using {BaseNamespace}.Infrastructure.Persistence.Seeding.Data.{Module1Pascal};
 // using {BaseNamespace}.Infrastructure.Persistence.Seeding.Data.{Module2Pascal}; // Add per module
 
 namespace {BaseNamespace}.Infrastructure.Persistence.Seeding;
 
 /// <summary>
-/// Seeds {AppLabel} navigation, permissions, and role-permission data
+/// Seeds {AppLabel} navigation, roles, permissions, and role-permission data
 /// into the SmartStack Core schema at application startup.
 /// </summary>
 public class {AppPascalName}SeedDataProvider : IClientSeedDataProvider
@@ -420,6 +544,28 @@ public class {AppPascalName}SeedDataProvider : IClientSeedDataProvider
         await ((DbContext)context).SaveChangesAsync(ct);
     }
 
+    public async Task SeedRolesAsync(ICoreDbContext context, CancellationToken ct)
+    {
+        // Check idempotence
+        var applicationId = ApplicationRolesSeedData.ApplicationId;
+        var exists = await context.Roles
+            .AnyAsync(r => r.ApplicationId == applicationId, ct);
+        if (exists) return;
+
+        // Create application-scoped roles (Admin, Manager, Contributor, Viewer)
+        foreach (var entry in ApplicationRolesSeedData.GetRoleEntries())
+        {
+            var role = Role.Create(
+                entry.Code,
+                entry.Name,
+                entry.Description,
+                entry.ApplicationId,
+                entry.IsSystem);
+            context.Roles.Add(role);
+        }
+        await ((DbContext)context).SaveChangesAsync(ct);
+    }
+
     public async Task SeedPermissionsAsync(ICoreDbContext context, CancellationToken ct)
     {
         var exists = await context.Permissions
@@ -495,43 +641,49 @@ services.AddScoped<IClientSeedDataProvider, {AppPascalName}SeedDataProvider>();
 
 ---
 
-## 6. Multi-Module Handling
+## 7. Multi-Module Handling
 
 When processing multiple modules in the same ralph-loop run:
 
 ### Module 1 (first): Creates everything from scratch
 
-1. `{Module1}NavigationSeedData.cs`
-2. `{Module1}PermissionsSeedData.cs`
-3. `{Module1}RolesSeedData.cs`
-4. `{AppPascalName}SeedDataProvider.cs` (new)
-5. DI registration (new)
+1. `ApplicationRolesSeedData.cs` (application-level, once per app)
+2. `{Module1}NavigationSeedData.cs`
+3. `{Module1}PermissionsSeedData.cs`
+4. `{Module1}RolesSeedData.cs`
+5. `{AppPascalName}SeedDataProvider.cs` (new, with 4 methods)
+6. DI registration (new)
 
 ### Module 2+ (subsequent): Append to existing provider
 
-1. `{Module2}NavigationSeedData.cs` (new file)
-2. `{Module2}PermissionsSeedData.cs` (new file)
-3. `{Module2}RolesSeedData.cs` (new file)
-4. `{AppPascalName}SeedDataProvider.cs` (**modify** — add using, add entries in each Seed method)
-5. DI registration (already exists — skip)
+1. `ApplicationRolesSeedData.cs` (already exists — skip)
+2. `{Module2}NavigationSeedData.cs` (new file)
+3. `{Module2}PermissionsSeedData.cs` (new file)
+4. `{Module2}RolesSeedData.cs` (new file)
+5. `{AppPascalName}SeedDataProvider.cs` (**modify** — add using, add entries in Navigation/Permissions/RolePermissions methods)
+6. DI registration (already exists — skip)
 
-**Detection:** Check if `{AppPascalName}SeedDataProvider.cs` exists. If yes, READ it and ADD the new module's entries to each of the 3 methods.
+**Detection:** Check if `{AppPascalName}SeedDataProvider.cs` exists. If yes, READ it and ADD the new module's entries to the appropriate methods (Navigation, Permissions, RolePermissions). Do NOT modify SeedRolesAsync().
 
 ---
 
-## 7. Verification Checklist (BLOCKING)
+## 8. Verification Checklist (BLOCKING)
 
 Before marking the task as completed, verify ALL:
 
 - [ ] Deterministic GUIDs (NEVER `Guid.NewGuid()`) — SHA256 of path
 - [ ] 4 languages for each navigation entity (fr, en, it, de)
+- [ ] `ApplicationRolesSeedData.cs` created (once per application)
+- [ ] 4 application roles defined: Admin, Manager, Contributor, Viewer
+- [ ] Each role has a valid `Code` value ("admin", "manager", "contributor", "viewer")
 - [ ] `Permissions.cs` constants match seed data paths
 - [ ] MCP `generate_permissions` called (or fallback used)
 - [ ] Role-permission mappings assigned (Admin, Manager, Contributor, Viewer)
-- [ ] `IClientSeedDataProvider` generated with 3 methods
+- [ ] `IClientSeedDataProvider` generated with 4 methods (Navigation, Roles, Permissions, RolePermissions)
+- [ ] Execution order: Navigation → Roles → Permissions → RolePermissions
 - [ ] Each Seed method is idempotent (checks existence before inserting)
 - [ ] Factory methods used throughout (NEVER `new Entity()`)
-- [ ] `SaveChangesAsync` called per group (Navigation → Permissions → RolePermissions)
+- [ ] `SaveChangesAsync` called per group (Navigation → Roles → Permissions → RolePermissions)
 - [ ] DI registration added: `services.AddScoped<IClientSeedDataProvider, ...>()`
 - [ ] `dotnet build` passes after generation
 

package/templates/skills/ralph-loop/references/task-transform-legacy.md

@@ -0,0 +1,259 @@
+# Task Transform: Legacy PrdJson → Ralph v2 (DEPRECATED)
+
+> Reference for step-01-task.md — fallback transformation for old FORMAT A PRDs (pre-v3.9.0).
+> New PRDs generated by `ss derive-prd` use unified v3 format (`$version: "3.0.0"`)
+> with pre-computed tasks. The v3 fast path in sections 0 and 1 bypasses this entirely.
+> This function will be removed in a future release.
+
+## FORMAT A Input Structure
+
+```
+{ version, source, project, requirements, businessRules, architecture, implementation, seedData }
+```
+
+## transformPrdJsonToRalphV2(prdJson, moduleCode)
+
+```javascript
+function transformPrdJsonToRalphV2(prdJson, moduleCode) {
+  const tasks = [];
+  let taskId = 1;
+
+  const layerOrder = [
+    { key: "domain", category: "domain" },
+    { key: "infrastructure", category: "infrastructure" },
+    { key: "application", category: "application" },
+    { key: "api", category: "api" },
+    { key: "frontend", category: "frontend" },
+    { key: "seedData", category: "infrastructure" },
+    { key: "tests", category: "test" }
+  ];
+
+  const filesToCreate = prdJson.implementation?.filesToCreate || prdJson.filesToCreate || {};
+  const lastIdByCategory = {};
+  const frontendFiles = [];
+  const i18nFiles = [];
+
+  // --- Generate tasks from filesToCreate ---
+  for (const layer of layerOrder) {
+    const files = filesToCreate[layer.key] || [];
+    if (layer.category === "frontend") { frontendFiles.push(...files); continue; }
+
+    for (const fileSpec of files) {
+      if (fileSpec.path?.includes('i18n/') || fileSpec.path?.includes('/locales/')) {
+        i18nFiles.push(fileSpec); continue;
+      }
+
+      const depIds = [];
+      if (lastIdByCategory[layer.category]) depIds.push(lastIdByCategory[layer.category]);
+      if (layer.category === "api" && lastIdByCategory["application"]) depIds.push(lastIdByCategory["application"]);
+      if (layer.category === "test" && lastIdByCategory["api"]) depIds.push(lastIdByCategory["api"]);
+
+      const allFRs = prdJson.requirements?.functionalRequirements || prdJson.functionalRequirements || [];
+      const linkedFRs = (fileSpec.linkedFRs || []).map(frId => allFRs.find(f => f.id === frId)?.statement || frId);
+      let criteria = linkedFRs.length > 0 ? `Implements: ${linkedFRs.join("; ")}` : `File ${fileSpec.path} created and compiles`;
+
+      const permMatrix = prdJson.architecture?.permissionMatrix || prdJson.permissionMatrix;
+      if (layer.category === "api" && permMatrix?.permissions?.length > 0) {
+        criteria += "; MANDATORY: [RequirePermission] on every endpoint (NOT [Authorize])";
+      }
+
+      tasks.push({
+        id: taskId, description: fileSpec.description ? `[${layer.category}] ${fileSpec.description} → ${fileSpec.path}` : `[${layer.category}] Create ${fileSpec.type}: ${fileSpec.path}`,
+        status: "pending", category: layer.category, dependencies: [...new Set(depIds)],
+        acceptance_criteria: criteria, started_at: null, completed_at: null, iteration: null,
+        commit_hash: null, files_changed: { created: [fileSpec.path], modified: [] },
+        validation: null, error: null, module: moduleCode
+      });
+      lastIdByCategory[layer.category] = taskId;
+      taskId++;
+    }
+  }
+
+  // --- 1b. Consolidated frontend task ---
+  if (frontendFiles.length > 0) {
+    const apiDepId = lastIdByCategory["api"] || lastIdByCategory["application"];
+    const ctx = (prdJson.project?.context || 'Business').replace(/^./, c => c.toUpperCase());
+    const app = prdJson.project?.application || moduleCode;
+    tasks.push({
+      id: taskId,
+      description: `[frontend] Generate COMPLETE frontend for module ${moduleCode} via MCP (${frontendFiles.length} files)`,
+      status: "pending", category: "frontend", dependencies: apiDepId ? [apiDepId] : [],
+      acceptance_criteria: `Pages in src/pages/${ctx}/${app}/${moduleCode}/; MCP scaffold_api_client + scaffold_routes; SmartTable for lists; CSS variables ONLY; 4-language i18n; npm run typecheck passes`,
+      started_at: null, completed_at: null, iteration: null, commit_hash: null,
+      files_changed: { created: frontendFiles.map(f => f.path), modified: [] },
+      validation: null, error: null, module: moduleCode,
+      _frontendMeta: { wireframes: [...new Set(frontendFiles.flatMap(f => f.linkedWireframes || []))], filesToCreate: frontendFiles }
+    });
+    lastIdByCategory["frontend"] = taskId; taskId++;
+  }
+
+  // --- 1c. Consolidated i18n task ---
+  if (i18nFiles.length > 0) {
+    tasks.push({
+      id: taskId, description: `[i18n] Generate i18n for module ${moduleCode} (4 languages)`,
+      status: "pending", category: "i18n", dependencies: lastIdByCategory["frontend"] ? [lastIdByCategory["frontend"]] : [],
+      acceptance_criteria: "4 JSON files (fr, en, it, de) with identical keys",
+      started_at: null, completed_at: null, iteration: null, commit_hash: null,
+      files_changed: { created: i18nFiles.map(f => f.path), modified: [] },
+      validation: null, error: null, module: moduleCode
+    });
+    lastIdByCategory["i18n"] = taskId; taskId++;
+  }
+
+  // --- GUARDRAILS: Inject missing layers ---
+  const entities = prdJson.architecture?.entities || prdJson.entities || [];
+  const apiEndpoints = prdJson.architecture?.apiEndpoints || prdJson.apiEndpoints || [];
+  const sections = prdJson.architecture?.sections || prdJson.sections || [];
+  const wireframes = prdJson.specification?.uiWireframes || prdJson.uiWireframes || [];
+  const dashboards = prdJson.specification?.dashboards || prdJson.dashboards || [];
+
+  // 1d. INJECT missing infrastructure
+  if (!tasks.some(t => t.category === 'infrastructure') && entities.length > 0) {
+    tasks.push({ id: taskId, description: `[infrastructure] Create EF Core configs and seed data for ${moduleCode} (${entities.length} entities)`,
+      status: "pending", category: "infrastructure", dependencies: lastIdByCategory["domain"] ? [lastIdByCategory["domain"]] : [],
+      acceptance_criteria: `EF configs for ${entities.length} entities; DbSet in ExtensionsDbContext; DI registration`,
+      started_at: null, completed_at: null, iteration: null, commit_hash: null,
+      files_changed: { created: [], modified: [] }, validation: null, error: null, module: moduleCode });
+    lastIdByCategory["infrastructure"] = taskId; taskId++;
+  }
+
+  // 1e. INJECT missing API
+  if (!tasks.some(t => t.category === 'api') && apiEndpoints.length > 0) {
+    const permMatrix = prdJson.architecture?.permissionMatrix || prdJson.permissionMatrix;
+    tasks.push({ id: taskId, description: `[api] Create controllers for ${moduleCode} (${apiEndpoints.length} endpoints)`,
+      status: "pending", category: "api", dependencies: [lastIdByCategory["application"] || lastIdByCategory["infrastructure"]].filter(Boolean),
+      acceptance_criteria: `${apiEndpoints.length} endpoints; ${permMatrix?.permissions?.length > 0 ? "[RequirePermission] on every endpoint" : "Authorization"}; Swagger`,
+      started_at: null, completed_at: null, iteration: null, commit_hash: null,
+      files_changed: { created: [], modified: [] }, validation: null, error: null, module: moduleCode });
+    lastIdByCategory["api"] = taskId; taskId++;
+  }
+
+  // 1f. INJECT missing frontend
+  if (frontendFiles.length === 0 && (sections.length > 0 || wireframes.length > 0 || apiEndpoints.length > 0)) {
+    const ctx = (prdJson.project?.context || 'Business').replace(/^./, c => c.toUpperCase());
+    const app = prdJson.project?.application || moduleCode;
+    const derivedFiles = wireframes.map(wf => ({ path: `web/src/pages/${ctx}/${app}/${moduleCode}/${wf.screen || wf.id}.tsx`, type: 'Page' }));
+    if (apiEndpoints.length > 0) derivedFiles.push({ path: `web/src/services/api/${moduleCode}Api.ts`, type: 'ApiService' });
+
+    tasks.push({ id: taskId,
+      description: `[frontend] Generate COMPLETE frontend for ${moduleCode} via MCP (${derivedFiles.length} files)`,
+      status: "pending", category: "frontend", dependencies: [lastIdByCategory["api"] || lastIdByCategory["application"]].filter(Boolean),
+      acceptance_criteria: `Pages in src/pages/${ctx}/${app}/${moduleCode}/; SmartTable for lists; CSS variables ONLY; 4-language i18n; npm run typecheck passes`,
+      started_at: null, completed_at: null, iteration: null, commit_hash: null,
+      files_changed: { created: derivedFiles.map(f => f.path), modified: [] },
+      validation: null, error: null, module: moduleCode,
+      _frontendMeta: { wireframes: wireframes.map(w => w.screen || w.id), filesToCreate: derivedFiles, source: "guardrail-derived" }
+    });
+    lastIdByCategory["frontend"] = taskId; taskId++;
+
+    // Also inject i18n
+    if (i18nFiles.length === 0) {
+      tasks.push({ id: taskId, description: `[i18n] Generate i18n for ${moduleCode} (4 languages)`,
+        status: "pending", category: "i18n", dependencies: [lastIdByCategory["frontend"]],
+        acceptance_criteria: "4 JSON files (fr, en, it, de) with identical keys",
+        started_at: null, completed_at: null, iteration: null, commit_hash: null,
+        files_changed: { created: [], modified: [] }, validation: null, error: null, module: moduleCode });
+      lastIdByCategory["i18n"] = taskId; taskId++;
+    }
+  }
+
+  // 1g. INJECT missing tests
+  if (!tasks.some(t => t.category === 'test') && entities.length > 0) {
+    const migDepId = lastIdByCategory["migration"] || lastIdByCategory["api"] || lastIdByCategory["application"];
+    tasks.push({ id: taskId, description: `[test] Create unit and integration tests for ${moduleCode}`,
+      status: "pending", category: "test", dependencies: migDepId ? [migDepId] : [],
+      acceptance_criteria: "Domain + service + controller tests; dotnet test passes; coverage >= 80%",
+      started_at: null, completed_at: null, iteration: null, commit_hash: null,
+      files_changed: { created: [], modified: [] }, validation: null, error: null, module: moduleCode });
+    lastIdByCategory["test"] = taskId; taskId++;
+  }
+
+  // 1h. GUARDRAIL: Core seed data (navigation, permissions, roles)
+  const coreSeedData = prdJson.seedData?.core || prdJson.seedDataCore || prdJson.specification?.seedDataCore;
+  const hasSeedDataInTasks = tasks.some(t => t.description?.includes("SeedData") || t.description?.includes("seed data"));
+  if (coreSeedData && !hasSeedDataInTasks) {
+    const infraDepId = lastIdByCategory["infrastructure"] || lastIdByCategory["domain"];
+    const navModules = coreSeedData.navigationModules || coreSeedData.navigation || [];
+    const permissions = coreSeedData.permissions || [];
+    const rolePerms = coreSeedData.rolePermissions || [];
+    tasks.push({
+      id: taskId, description: `[infrastructure] Create core seed data for ${moduleCode}: NavigationModuleSeedData, PermissionsSeedData, RolesSeedData`,
+      status: "pending", category: "infrastructure", dependencies: infraDepId ? [infraDepId] : [],
+      acceptance_criteria: `NavigationModuleSeedData (${navModules.length} nav); PermissionsSeedData (${permissions.length} perms); RolesSeedData (${rolePerms.length} roles); SeedConstants; dotnet build passes`,
+      started_at: null, completed_at: null, iteration: null, commit_hash: null,
+      files_changed: { created: [], modified: [] }, validation: null, error: null, module: moduleCode,
+      _seedDataMeta: {
+        source: "guardrail-derived", coreSeedData,
+        navRoute: prdJson.project?.navRoute || `business.${prdJson.project?.application || 'app'}.${moduleCode}`,
+        contextCode: prdJson.project?.context || 'business',
+        appCode: prdJson.project?.application, appLabels: prdJson.project?.labels || null
+      }
+    });
+    lastIdByCategory["infrastructure"] = taskId; taskId++;
+  }
+
+  // 1i. GUARDRAIL: IClientSeedDataProvider
+  const hasProvider = tasks.some(t => t.description?.includes("IClientSeedDataProvider") || t.description?.includes("SeedDataProvider"));
+  if (!hasProvider && (filesToCreate["seedData"]?.length > 0 || coreSeedData)) {
+    tasks.push({
+      id: taskId, description: `[infrastructure] Create IClientSeedDataProvider for core seed data injection`,
+      status: "pending", category: "infrastructure",
+      dependencies: [lastIdByCategory["infrastructure"] || lastIdByCategory["domain"]].filter(Boolean),
+      acceptance_criteria: "SeedNavigationAsync + SeedPermissionsAsync + SeedRolePermissionsAsync; DI registered; idempotent",
+      started_at: null, completed_at: null, iteration: null, commit_hash: null,
+      files_changed: { created: [], modified: [] }, validation: null, error: null, module: moduleCode,
+      _providerMeta: {
+        navRoute: prdJson.project?.navRoute || `business.${prdJson.project?.application || 'app'}.${moduleCode}`,
+        contextCode: prdJson.project?.context || 'business', appCode: prdJson.project?.application
+      }
+    });
+    lastIdByCategory["infrastructure"] = taskId; taskId++;
+  }
+
+  // 1j. GUARDRAIL: EF Core migration (CRITICAL — without this, no DB schema, no tests)
+  const hasEntities = entities.length > 0 || tasks.some(t => t.category === 'domain');
+  const hasMigration = tasks.some(t => t.description?.toLowerCase().includes('migration'));
+  if (hasEntities && !hasMigration) {
+    tasks.push({
+      id: taskId, description: `[infrastructure] Create EF Core migration for ${moduleCode}`,
+      status: "pending", category: "infrastructure",
+      dependencies: [lastIdByCategory["infrastructure"]].filter(Boolean),
+      acceptance_criteria: "MCP suggest_migration → name; dotnet ef migrations add; dotnet ef database update; dotnet build passes",
+      started_at: null, completed_at: null, iteration: null, commit_hash: null,
+      files_changed: { created: [], modified: [] }, validation: null, error: null, module: moduleCode,
+      _migrationMeta: { entities: entities.map(e => e.name || e.code), moduleCode }
+    });
+    lastIdByCategory["migration"] = taskId; taskId++;
+  }
+
+  // Final validation task
+  tasks.push({
+    id: taskId, description: `[validation] Build, test, and MCP validate module ${moduleCode}`,
+    status: "pending", category: "validation", dependencies: Object.values(lastIdByCategory),
+    acceptance_criteria: "dotnet build succeeds; dotnet test passes; MCP validate_conventions clean",
+    started_at: null, completed_at: null, iteration: null, commit_hash: null,
+    files_changed: { created: [], modified: [] }, validation: null, error: null, module: moduleCode
+  });
+
+  return {
+    $version: "2.0.0", feature: `${prdJson.project?.module || moduleCode} (${prdJson.project?.application || "app"})`,
+    status: "in_progress", created: new Date().toISOString(), updated_at: new Date().toISOString(),
+    metadata: { cli_version: "unknown", branch: getCurrentBranch(), project_path: process.cwd(), mcp_servers: { smartstack: true, context7: true }, moduleCode },
+    config: { max_iterations: {max_iterations}, completion_promise: "{completion_promise}", current_iteration: 1 },
+    source: { type: "ba-handoff", handoff_path: null, feature_json_path: prdJson.source?.featureJson || null, module: moduleCode },
+    tasks, history: []
+  };
+}
+```
+
+## Guardrails Summary
+
+| ID | Guardrail | Condition | Injection |
+|----|-----------|-----------|-----------|
+| 1d | Missing infrastructure | entities exist, no infra tasks | EF Core configs + seed data |
+| 1e | Missing API | apiEndpoints exist, no api tasks | Controllers |
+| 1f | Missing frontend | sections/wireframes exist, no frontend tasks | Pages + API service |
+| 1g | Missing tests | entities exist, no test tasks | Unit + integration tests |
+| 1h | Core seed data | coreSeedData exists, no seed tasks | Navigation + Permissions + Roles |
+| 1i | IClientSeedDataProvider | seedData files or coreSeedData, no provider task | Provider class |
+| 1j | EF Core migration | entities exist, no migration task | Migration (CRITICAL) |