@atlashub/smartstack-cli 3.9.0 → 3.12.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@atlashub/smartstack-cli",
-  "version": "3.9.0",
+  "version": "3.12.0",
   "description": "SmartStack Claude Code automation toolkit - GitFlow, EF Core migrations, prompts and more",
   "author": {
     "name": "SmartStack",

package/templates/agents/ba-writer.md

@@ -88,6 +88,102 @@ Merge a section into an existing feature.json.
 9. **Cross-Reference Validation (for specification and handoff sections):** See CROSS-REFERENCE VALIDATION section below
 10. Return confirmation with section size and status
 
+### enrichSectionIncremental
+Incrementally update a section in feature.json using PATCH-style operations instead of full section replacement. Optimized for large files and preventing file size issues.
+
+**Input:**
+- featureId: FEAT-NNN or full path to feature.json
+- section: one of [discovery, analysis, specification, validation, handoff, suggestions, cadrage, consolidation, modules, dependencyGraph, metadata.workflow]
+- operation: "merge" | "append" | "update" | "delete"
+- path: JSON path within the section (e.g., "entities[2]", "useCases", "modules[0].status")
+- data: the data to merge/append/update
+
+**Operations:**
+
+1. **merge** - Deep merge data into existing section
+   ```javascript
+   // Example: Add new entities to analysis.entities without rewriting entire analysis
+   enrichSectionIncremental({
+     featureId: "FEAT-001",
+     section: "analysis",
+     operation: "merge",
+     path: "entities",
+     data: [
+       { name: "NewEntity", description: "...", attributes: [...] }
+     ]
+   })
+   // Result: analysis.entities now has existing entities + NewEntity
+   ```
+
+2. **append** - Append item to an array
+   ```javascript
+   // Example: Add a single business rule without rewriting all rules
+   enrichSectionIncremental({
+     featureId: "FEAT-001",
+     section: "analysis",
+     operation: "append",
+     path: "businessRules",
+     data: { id: "BR-VAL-ABC-042", name: "...", statement: "..." }
+   })
+   ```
+
+3. **update** - Update specific field in section
+   ```javascript
+   // Example: Update module status without rewriting entire modules array
+   enrichSectionIncremental({
+     featureId: "FEAT-001",
+     section: "modules",
+     operation: "update",
+     path: "[0].status",  // Path to first module's status field
+     data: "handed-off"
+   })
+   ```
+
+4. **delete** - Remove item from section
+   ```javascript
+   // Example: Remove a specific entity
+   enrichSectionIncremental({
+     featureId: "FEAT-001",
+     section: "analysis",
+     operation: "delete",
+     path: "entities[2]"  // Delete third entity
+   })
+   ```
+
+**Process:**
+1. Find and read feature.json (use findFeature if given ID)
+2. Navigate to the specified section
+3. Apply the incremental operation:
+   - **merge**: Deep merge arrays (append unique items), shallow merge objects
+   - **append**: Push item to array at path
+   - **update**: Set value at path
+   - **delete**: Remove item at path
+4. Update metadata.updatedAt with current timestamp
+5. Update metadata.updatedBy with agent name
+6. Write back with pretty-print (2-space indent)
+7. **File Size Check:** If resulting file > 100KB, display WARNING
+8. Validate schema before writing
+9. **Cross-Reference Validation:** Same rules as enrichSection
+10. Return confirmation with operation summary and file size
+
+**File Size Management:**
+- Before write: Check if file would exceed 100KB
+- If > 100KB: Display WARNING with recommendation to split into smaller operations
+- If > 500KB: BLOCKING ERROR - file too large, must use smaller chunks
+- Track cumulative file size growth across operations
+
+**Advantages over enrichSection:**
+- 50-70% reduction in tokens for large sections
+- Avoids "file too large" errors by updating incrementally
+- Allows progressive enrichment without reading/writing entire sections
+- Better performance for repeated updates (e.g., module loop)
+
+**Use Cases:**
+- Adding entities one-by-one during module specification
+- Updating module status in master without rewriting all modules
+- Appending business rules progressively
+- Updating handoff sections module-by-module
+
 ### enrichModuleHandoff
 Write the handoff section into a module feature.json. Specialized operation for step-05 module loop.
 
@@ -474,6 +570,88 @@ Before EVERY enrichSection() call for specification or handoff sections, validat
 6. **Pretty-print JSON** - use 2-space indentation
 7. **Timestamp management** - always set metadata.updatedAt to current ISO timestamp on write
 8. **Idempotency** - calling the same operation twice with same data should produce same result
+9. **File size management** - check file size before write, use incremental operations for large files
+
+## File Size Management (CRITICAL)
+
+**Problem:** Large feature.json files (>100KB) can cause write failures and token exhaustion.
+
+**Solution:** Progressive monitoring and incremental operations.
+
+### Size Thresholds
+
+| File Size | Status | Action |
+|-----------|--------|--------|
+| < 50KB | ✓ Safe | Use enrichSection normally |
+| 50-100KB | ⚠ Warning | Display warning, recommend enrichSectionIncremental for next operations |
+| 100-500KB | ⚠ High | STRONGLY recommend enrichSectionIncremental, limit enrichSection use |
+| > 500KB | ✗ Critical | BLOCK enrichSection, REQUIRE enrichSectionIncremental or split file |
+
+### Pre-Write File Size Check
+
+Before EVERY write operation:
+
+```javascript
+const currentFileSize = getFileSize(featurePath);
+const estimatedNewSize = currentFileSize + newDataSize;
+
+if (estimatedNewSize > 100 * 1024) {  // 100KB
+  WARNING(`Feature.json will be ${formatBytes(estimatedNewSize)} after write`);
+  WARNING(`Recommend using enrichSectionIncremental for future operations`);
+}
+
+if (estimatedNewSize > 500 * 1024) {  // 500KB
+  BLOCKING_ERROR(`Feature.json would exceed 500KB (${formatBytes(estimatedNewSize)})`);
+  BLOCKING_ERROR(`Use enrichSectionIncremental instead of enrichSection`);
+  STOP;
+}
+```
+
+### Operation Selection Guide
+
+| Scenario | Recommended Operation | Reason |
+|----------|----------------------|--------|
+| First-time section write | `enrichSection` | No existing data, full write needed |
+| Module loop (3+ iterations) | `enrichSectionIncremental` | Avoids rewriting same data multiple times |
+| Large sections (>20KB) | `enrichSectionIncremental` | Reduces token usage by 50-70% |
+| File size > 100KB | `enrichSectionIncremental` (REQUIRED) | Prevents file size bloat |
+| Single field update | `enrichSectionIncremental` with `update` | Most efficient for targeted changes |
+
+### Monitoring & Reporting
+
+After EVERY write, report file size status:
+
+```
+✓ feature.json written successfully
+  Path: docs/business/HumanResources/Projects/business-analyse/v1.0/feature.json
+  Size: 87.3 KB (↑ 12.1 KB from previous)
+  Status: ⚠ Approaching 100KB threshold
+  Recommendation: Use enrichSectionIncremental for remaining modules
+```
+
+### Splitting Large Files (Advanced)
+
+If a module feature.json exceeds 500KB despite incremental operations:
+
+1. **Split specification section** into separate files:
+   - `specification-entities.json` (entities, relationships)
+   - `specification-rules.json` (business rules, validations)
+   - `specification-ui.json` (wireframes, sections, navigation)
+
+2. **Update feature.json** with file references:
+   ```json
+   {
+     "specification": {
+       "$ref": "./specification-entities.json",
+       "$ref2": "./specification-rules.json",
+       "$ref3": "./specification-ui.json"
+     }
+   }
+   ```
+
+3. **ba-reader** auto-resolves references when reading
+
+**Note:** File splitting is a LAST RESORT. Prefer enrichSectionIncremental first.
 
 ## Error Handling
 

package/templates/agents/db-reader.md

@@ -0,0 +1,149 @@
+---
+name: db-reader
+description: Read-only database inspector for debugging - verifies data state, relationships, and integrity without any modification.
+color: cyan
+model: haiku
+tools: Read, Glob, Grep, Bash
+---
+
+You are a **read-only database inspector**. Your mission is to verify data state in the database to help diagnose bugs. You MUST NEVER modify any data.
+
+## ABSOLUTE RESTRICTIONS
+
+**YOU MUST NEVER EXECUTE:**
+- `INSERT`, `UPDATE`, `DELETE`, `MERGE`, `TRUNCATE`
+- `DROP`, `ALTER`, `CREATE`, `RENAME`
+- `EXEC`, `EXECUTE` (stored procedures that could modify data)
+- `GRANT`, `REVOKE`, `DENY`
+- `BACKUP`, `RESTORE`
+- `dotnet ef database update`, `dotnet ef database drop`
+- `dotnet ef migrations` (any subcommand)
+- Any command that writes, modifies, or deletes data or schema
+
+**YOU MAY ONLY EXECUTE:**
+- `SELECT` queries (read-only)
+- `sp_help`, `sp_helptext`, `sp_columns` (metadata inspection)
+- `INFORMATION_SCHEMA` queries (schema inspection)
+- `sys.*` catalog views (read-only system views)
+- `dotnet ef dbcontext info` (read-only context info)
+- `dotnet ef dbcontext list` (list contexts)
+
+**BEFORE EVERY BASH COMMAND**: Re-read this restrictions section. If the command could modify data in ANY way, DO NOT execute it.
+
+## Connection Discovery
+
+1. Search for connection strings in the project:
+   - `appsettings.json`, `appsettings.Development.json`
+   - `.env` files, `launchSettings.json`
+   - User secrets (check for `UserSecretsId` in `.csproj`)
+2. Identify the database provider (SQL Server, PostgreSQL, SQLite)
+3. Use the appropriate CLI tool:
+   - **SQL Server**: `sqlcmd` or `Invoke-Sqlcmd`
+   - **PostgreSQL**: `psql`
+   - **SQLite**: `sqlite3`
+
+## Verification Operations
+
+### Data State Verification
+```sql
+-- Check if records exist
+SELECT COUNT(*) FROM [Table] WHERE [condition];
+
+-- Inspect specific records
+SELECT * FROM [Table] WHERE [Id] = @id;
+
+-- Check for NULL/empty fields
+SELECT Id, [Field] FROM [Table] WHERE [Field] IS NULL;
+```
+
+### Relationship Integrity
+```sql
+-- Check foreign key references
+SELECT t1.Id, t1.ForeignKeyId
+FROM [Table1] t1
+LEFT JOIN [Table2] t2 ON t1.ForeignKeyId = t2.Id
+WHERE t2.Id IS NULL;
+
+-- Check orphaned records
+SELECT COUNT(*) FROM [ChildTable] c
+WHERE NOT EXISTS (SELECT 1 FROM [ParentTable] p WHERE p.Id = c.ParentId);
+```
+
+### Multi-Tenant Isolation
+```sql
+-- Verify tenant isolation
+SELECT TenantId, COUNT(*) as RecordCount
+FROM [Table]
+GROUP BY TenantId;
+
+-- Check for records without TenantId
+SELECT * FROM [Table] WHERE TenantId IS NULL;
+```
+
+### Schema Inspection
+```sql
+-- List tables
+SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_TYPE = 'BASE TABLE';
+
+-- Check column definitions
+SELECT COLUMN_NAME, DATA_TYPE, IS_NULLABLE, COLUMN_DEFAULT
+FROM INFORMATION_SCHEMA.COLUMNS
+WHERE TABLE_NAME = '[TableName]';
+
+-- Check constraints
+SELECT * FROM INFORMATION_SCHEMA.TABLE_CONSTRAINTS
+WHERE TABLE_NAME = '[TableName]';
+
+-- Check indexes
+SELECT name, type_desc, is_unique
+FROM sys.indexes
+WHERE object_id = OBJECT_ID('[TableName]');
+```
+
+### Audit & Soft Delete
+```sql
+-- Check soft-deleted records
+SELECT Id, IsDeleted, DeletedAt FROM [Table] WHERE IsDeleted = 1;
+
+-- Check audit fields
+SELECT Id, CreatedAt, CreatedBy, UpdatedAt, UpdatedBy
+FROM [Table] WHERE Id = @id;
+```
+
+## Output Format
+
+Report findings in a structured format:
+
+```markdown
+## Database Verification Report
+
+### Connection
+- **Provider:** SQL Server
+- **Database:** SmartStack_Dev
+- **Context:** ApplicationDbContext
+
+### Findings
+
+| Check | Table | Result | Details |
+|-------|-------|--------|---------|
+| Record exists | Users | PASS | Found 1 record with Id=X |
+| FK integrity | Orders→Users | FAIL | 3 orphaned orders found |
+| Tenant isolation | Products | PASS | All records have TenantId |
+| Soft delete | Invoices | WARN | 12 soft-deleted without DeletedBy |
+
+### Data Snapshot
+{Relevant SELECT results formatted as tables}
+
+### Issues Found
+1. **[CRITICAL]** Orphaned records in Orders table (Ids: 45, 67, 89)
+2. **[WARNING]** Missing audit trail on soft-deleted Invoices
+```
+
+## Rules
+
+- **NEVER** suggest or execute data modifications, even if asked
+- If a data fix is needed, report the issue and suggest the fix as text — do NOT execute it
+- Always use parameterized queries or proper escaping to avoid SQL injection
+- Limit result sets with `TOP` or `LIMIT` to avoid overwhelming output
+- Mask sensitive data (passwords, tokens, PII) in output
+- If you cannot determine the connection string, ask for help — do NOT guess

package/templates/skills/application/references/application-roles-template.md

@@ -0,0 +1,227 @@
+# Application Roles Seed Data Template
+
+> Referenced from `core-seed-data.md` and `step-03-roles.md` — C# template for application-scoped roles in client projects.
+
+---
+
+## Problem Statement
+
+When using `IClientSeedDataProvider` (client projects with `seeding_strategy = "provider"`), role-permission mappings reference roles by their `Code`:
+
+```csharp
+var role = roles.FirstOrDefault(r => r.Code == mapping.RoleCode);  // "admin", "manager", "contributor", "viewer"
+```
+
+**However**, the current templates do NOT create these application-scoped roles. They assume:
+- System roles (SuperAdmin, PlatformAdmin, TenantAdmin, StandardUser) exist in Core
+- Application-scoped roles (Admin, Manager, Contributor, Viewer) already exist with valid `Code` values
+
+**Result:** Role-permission mappings fail silently when `role == null`.
+
+---
+
+## Solution: Application Roles Seed Data
+
+Create application-scoped roles with deterministic GUIDs and valid `Code` values.
+
+---
+
+## File Location
+
+**Path:** `Infrastructure/Persistence/Seeding/Data/ApplicationRolesSeedData.cs`
+
+This file should be created **ONCE per application** (not per module).
+
+---
+
+## Template
+
+```csharp
+using SmartStack.Domain.Platform.Administration.Roles;
+
+namespace {BaseNamespace}.Infrastructure.Persistence.Seeding.Data;
+
+/// <summary>
+/// Application-scoped role seed data for {AppLabel}.
+/// Defines the 4 standard application roles: Admin, Manager, Contributor, Viewer.
+/// Consumed by IClientSeedDataProvider at application startup.
+/// </summary>
+public static class ApplicationRolesSeedData
+{
+    // Deterministic GUIDs for application roles
+    // Generated from: "role-{applicationId}-{roleType}"
+    private static readonly Guid ApplicationId = {ApplicationGuid}; // From NavigationApplicationSeedData
+
+    public static readonly Guid AdminRoleId = GenerateRoleGuid("admin");
+    public static readonly Guid ManagerRoleId = GenerateRoleGuid("manager");
+    public static readonly Guid ContributorRoleId = GenerateRoleGuid("contributor");
+    public static readonly Guid ViewerRoleId = GenerateRoleGuid("viewer");
+
+    /// <summary>
+    /// Returns application-scoped role entries for seeding into core.auth_Roles.
+    /// </summary>
+    public static IEnumerable<ApplicationRoleSeedEntry> GetRoleEntries()
+    {
+        yield return new ApplicationRoleSeedEntry
+        {
+            Id = AdminRoleId,
+            Code = "admin",
+            Name = "{AppLabel} Admin",
+            Description = "Full administrative access to {AppLabel}",
+            ApplicationId = ApplicationId,
+            IsSystem = false,
+            IsActive = true,
+            DisplayOrder = 1
+        };
+
+        yield return new ApplicationRoleSeedEntry
+        {
+            Id = ManagerRoleId,
+            Code = "manager",
+            Name = "{AppLabel} Manager",
+            Description = "Management access to {AppLabel} (Create, Read, Update)",
+            ApplicationId = ApplicationId,
+            IsSystem = false,
+            IsActive = true,
+            DisplayOrder = 2
+        };
+
+        yield return new ApplicationRoleSeedEntry
+        {
+            Id = ContributorRoleId,
+            Code = "contributor",
+            Name = "{AppLabel} Contributor",
+            Description = "Contributor access to {AppLabel} (Create, Read)",
+            ApplicationId = ApplicationId,
+            IsSystem = false,
+            IsActive = true,
+            DisplayOrder = 3
+        };
+
+        yield return new ApplicationRoleSeedEntry
+        {
+            Id = ViewerRoleId,
+            Code = "viewer",
+            Name = "{AppLabel} Viewer",
+            Description = "Read-only access to {AppLabel}",
+            ApplicationId = ApplicationId,
+            IsSystem = false,
+            IsActive = true,
+            DisplayOrder = 4
+        };
+    }
+
+    private static Guid GenerateRoleGuid(string roleType)
+    {
+        using var sha256 = System.Security.Cryptography.SHA256.Create();
+        var hash = sha256.ComputeHash(System.Text.Encoding.UTF8.GetBytes($"role-{ApplicationId}-{roleType}"));
+        return new Guid(hash.Take(16).ToArray());
+    }
+}
+
+/// <summary>Seed entry DTO for application role.</summary>
+public class ApplicationRoleSeedEntry
+{
+    public Guid Id { get; init; }
+    public string Code { get; init; } = null!;
+    public string Name { get; init; } = null!;
+    public string Description { get; init; } = null!;
+    public Guid ApplicationId { get; init; }
+    public bool IsSystem { get; init; }
+    public bool IsActive { get; init; }
+    public int DisplayOrder { get; init; }
+}
+```
+
+---
+
+## Placeholder Replacement
+
+| Placeholder | Description | Example |
+|-------------|-------------|---------|
+| `{BaseNamespace}` | Root namespace of the client project | `SmartStack.Modules.RessourcesHumaines` |
+| `{AppLabel}` | Human-readable application label (EN) | `Human Resources` |
+| `{ApplicationGuid}` | GUID of the application (from NavigationApplicationSeedData) | `30f1fbba-e8c3-4879-9a49-d18deaa70a83` |
+
+---
+
+## Integration into IClientSeedDataProvider
+
+Add a new method `SeedRolesAsync()` to the provider:
+
+```csharp
+public async Task SeedRolesAsync(ICoreDbContext context, CancellationToken ct)
+{
+    // Check idempotence
+    var exists = await context.Roles
+        .AnyAsync(r => r.ApplicationId == ApplicationRolesSeedData.ApplicationId, ct);
+    if (exists) return;
+
+    // Create application-scoped roles using factory method
+    foreach (var entry in ApplicationRolesSeedData.GetRoleEntries())
+    {
+        var role = Role.Create(
+            entry.Code,
+            entry.Name,
+            entry.Description,
+            entry.ApplicationId,
+            entry.IsSystem);
+
+        context.Roles.Add(role);
+    }
+
+    await ((DbContext)context).SaveChangesAsync(ct);
+}
+```
+
+---
+
+## Execution Order in Provider
+
+**CRITICAL:** Roles must be created BEFORE role-permission mappings.
+
+```
+1. SeedNavigationAsync()   → Creates application + modules + translations
+2. SeedRolesAsync()         → Creates application-scoped roles (NEW)
+3. SeedPermissionsAsync()   → Creates permissions
+4. SeedRolePermissionsAsync() → Maps roles to permissions (now succeeds because roles exist)
+```
+
+---
+
+## Verification Checklist
+
+Before marking the task as completed, verify:
+
+- [ ] `ApplicationRolesSeedData.cs` created in `Infrastructure/Persistence/Seeding/Data/`
+- [ ] Deterministic GUIDs used (NEVER `Guid.NewGuid()`)
+- [ ] 4 roles defined: Admin, Manager, Contributor, Viewer
+- [ ] Each role has a valid `Code` value ("admin", "manager", "contributor", "viewer")
+- [ ] Each role has `ApplicationId` set to the application GUID
+- [ ] `SeedRolesAsync()` method added to `IClientSeedDataProvider`
+- [ ] `SeedRolesAsync()` is idempotent (checks existence before inserting)
+- [ ] `Role.Create()` factory method used (NEVER `new Role()`)
+- [ ] `SaveChangesAsync()` called after role creation
+- [ ] Execution order: Navigation → Roles → Permissions → RolePermissions
+- [ ] `dotnet build` passes after generation
+
+---
+
+## Notes
+
+- **Application ID source:** Read from the navigation application created in `SeedNavigationAsync()` or from `{AppPascal}NavigationSeedData.cs`
+- **Role factory method:** Use `Role.Create(code, name, description, applicationId, isSystem)` from SmartStack.Domain
+- **Code uniqueness:** Role codes must be unique within the application scope
+- **System roles:** These are NOT system roles (IsSystem = false) - they are application-scoped roles
+- **Tenant isolation:** Application-scoped roles are automatically tenant-isolated via the Core authorization system
+
+---
+
+## Migration Impact
+
+**For existing projects without application roles:**
+1. Generate `ApplicationRolesSeedData.cs` using this template
+2. Add `SeedRolesAsync()` method to the existing `IClientSeedDataProvider`
+3. Update the provider's execution to call `SeedRolesAsync()` BEFORE `SeedRolePermissionsAsync()`
+4. Run the application - roles will be created on next startup
+5. Role-permission mappings will now succeed

package/templates/skills/application/references/provider-template.md

@@ -19,7 +19,7 @@ using SmartStack.Domain.Platform.Administration.Roles;
 namespace {BaseNamespace}.Infrastructure.Persistence.Seeding;
 
 /// <summary>
-/// Seeds {AppLabel} navigation, permissions, and role-permission data
+/// Seeds {AppLabel} navigation, roles, permissions, and role-permission data
 /// into the SmartStack Core schema at application startup.
 /// Implements <see cref="IClientSeedDataProvider"/> for runtime seeding
 /// (no Core migrations required).
@@ -75,6 +75,29 @@ public class {AppPascalName}SeedDataProvider : IClientSeedDataProvider
         await ((DbContext)context).SaveChangesAsync(ct);
     }
 
+    public async Task SeedRolesAsync(ICoreDbContext context, CancellationToken ct)
+    {
+        // Check idempotence
+        var applicationId = ApplicationRolesSeedData.ApplicationId;
+        var exists = await context.Roles
+            .AnyAsync(r => r.ApplicationId == applicationId, ct);
+        if (exists) return;
+
+        // Create application-scoped roles (Admin, Manager, Contributor, Viewer)
+        // Use data from ApplicationRolesSeedData.cs
+        foreach (var entry in ApplicationRolesSeedData.GetRoleEntries())
+        {
+            var role = Role.Create(
+                entry.Code,
+                entry.Name,
+                entry.Description,
+                entry.ApplicationId,
+                entry.IsSystem);
+            context.Roles.Add(role);
+        }
+        await ((DbContext)context).SaveChangesAsync(ct);
+    }
+
     public async Task SeedPermissionsAsync(ICoreDbContext context, CancellationToken ct)
     {
         // Check idempotence
@@ -126,9 +149,10 @@ services.AddScoped<IClientSeedDataProvider, {AppPascalName}SeedDataProvider>();
 
 ## Critical Rules
 
-1. **Factory methods mandatory**: `NavigationModule.Create(...)`, `Permission.CreateForModule(...)`, `RolePermission.Create(...)` — NEVER `new Entity()`
+1. **Factory methods mandatory**: `NavigationModule.Create(...)`, `Role.Create(...)`, `Permission.CreateForModule(...)`, `RolePermission.Create(...)` — NEVER `new Entity()`
 2. **Idempotence**: Each Seed method checks existence before inserting
-3. **SaveChangesAsync per group**: Navigation → save → Permissions → save → RolePermissions → save
-4. **Deterministic GUIDs**: Use IDs from SeedData classes (not `Guid.NewGuid()`)
-5. **Resolve FK by Code**: Parent modules are found by `Code`, not hardcoded GUID
-6. **Order property**: Use `100` as default. If multiple providers exist, they run in Order sequence
+3. **SaveChangesAsync per group**: Navigation → save → Roles → save → Permissions → save → RolePermissions → save
+4. **Execution order**: `SeedRolesAsync()` MUST be called BEFORE `SeedRolePermissionsAsync()` (roles must exist before mapping)
+5. **Deterministic GUIDs**: Use IDs from SeedData classes (not `Guid.NewGuid()`)
+6. **Resolve FK by Code**: Parent modules and roles are found by `Code`, not hardcoded GUID
+7. **Order property**: Use `100` as default. If multiple providers exist, they run in Order sequence