@atlashub/smartstack-cli 4.27.0 → 4.28.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@atlashub/smartstack-cli",
-  "version": "4.27.0",
+  "version": "4.28.0",
   "description": "SmartStack Claude Code automation toolkit - GitFlow, EF Core migrations, prompts and more",
   "author": {
     "name": "SmartStack",

package/templates/skills/apex/references/core-seed-data.md

@@ -274,7 +274,7 @@ public static class {ModulePascal}NavigationSeedData
             Description = "{desc_en}",
             Icon = "{icon}",              // Lucide React icon name
             IconType = IconType.Lucide,
-            Route = ToKebabCase($"/{appCode}/{moduleCode}"),
+            Route = ToKebabCase($"/{appCode}/{moduleCode}"),  // Absolute path for sidebar navigation (App.tsx routes are RELATIVE to module root)
             DisplayOrder = {displayOrder},
             IsActive = true
         };
@@ -731,13 +731,33 @@ public class PermissionSeedEntry
 }
 ```
 
-### Step C2: Section-Level Permissions (CONDITIONAL: only if `navSections[]` defined)
+### Step C2: Section-Level Permissions (CONDITIONAL — filtered by `permissionMode`)
 
 > When `seedDataCore.navigationSections` exists and is non-empty in feature.json,
 > add section-level permission GUIDs and entries to `PermissionsSeedData.cs`.
+>
+> **Permission generation is conditional on each section's `permissionMode`:**
+>
+> | permissionMode | Permissions generated |
+> |---|---|
+> | `crud` | wildcard + read + create + update + delete |
+> | `custom:action1,action2` | wildcard + read + custom actions |
+> | `read-only` | read only (NO CRUD wildcard) |
+> | `inherit` | NO section-level permissions (inherits from module) |
+>
+> **Default inference (when `permissionMode` is absent):**
+> - `code === "detail"` → `inherit`
+> - `code === "dashboard"` → `read-only`
+> - otherwise → `crud`
+>
+> **IMPORTANT:** Sections with `permissionMode: inherit` MUST be skipped entirely.
+> Do NOT generate any permission GUIDs, entries, or constants for them.
 
 ```csharp
 // --- Add to {ModulePascal}PermissionsSeedData class AFTER module-level permissions ---
+// FILTER: Only generate for sections where permissionMode is NOT "inherit"
+// For "read-only" sections: generate ONLY ReadPermId (no Wildcard, Create, Update, Delete)
+// For "custom:x,y" sections: generate Wildcard + Read + custom action GUIDs
 
 // Section-level permissions (for each section in navSections[])
 public static readonly Guid {SectionPascal}WildcardPermId = Guid.NewGuid();
@@ -1155,8 +1175,10 @@ public class {AppPascalName}SeedDataProvider : IClientSeedDataProvider
     public async Task SeedRolesAsync(ICoreDbContext context, CancellationToken ct)
     {
         // Check idempotence — verify by Code (roles may already exist from SmartStack core)
+        // Scope by ApplicationId — without this, roles from OTHER apps cause false positives
         var existingRoleCodes = await context.Roles
-            .Where(r => r.Code == "admin" || r.Code == "manager" || r.Code == "contributor" || r.Code == "viewer")
+            .Where(r => r.ApplicationId == ApplicationRolesSeedData.ApplicationId
+                && (r.Code == "admin" || r.Code == "manager" || r.Code == "contributor" || r.Code == "viewer"))
             .Select(r => r.Code)
             .ToListAsync(ct);
 
@@ -1213,8 +1235,9 @@ public class {AppPascalName}SeedDataProvider : IClientSeedDataProvider
         // Application-scoped roles (admin, manager, contributor, viewer) are created by
         // SeedRolesAsync() above. System roles use their own IDs that do not match
         // DeterministicGuid("role:admin").
+        // Load THIS application's roles + system roles only
         var roles = await context.Roles
-            .Where(r => r.ApplicationId != null || r.IsSystem)
+            .Where(r => r.ApplicationId == ApplicationRolesSeedData.ApplicationId || r.IsSystem)
             .ToListAsync(ct);
 
         // Resolve permissions

package/templates/skills/apex/references/post-checks.md

@@ -132,10 +132,121 @@ if [ -n "$CTRL_FILES" ]; then
 fi
 ```
 
+### POST-CHECK S8: Write endpoints must NOT use Read permissions (BLOCKING)
+
+> **Source:** audit ba-002 finding C1 — Cancel endpoint (POST) used `Permissions.Absences.Read`,
+> allowing any reader to cancel absences. Write operations MUST use write permissions.
+
+```bash
+CTRL_FILES=$(find src/ -path "*/Controllers/*" -name "*Controller.cs" 2>/dev/null)
+if [ -n "$CTRL_FILES" ]; then
+  for f in $CTRL_FILES; do
+    # Extract blocks: find each method with Http verb + RequirePermission
+    # Check POST/PUT/DELETE/PATCH endpoints that use *.Read permission
+    WRITE_WITH_READ=$(grep -Pn '\[(HttpPost|HttpPut|HttpDelete|HttpPatch)' "$f" | while read -r line; do
+      LINE_NUM=$(echo "$line" | cut -d: -f1)
+      # Look within 5 lines for RequirePermission with .Read
+      sed -n "$((LINE_NUM-2)),$((LINE_NUM+5))p" "$f" | grep -P 'RequirePermission.*\.Read\b' | head -1
+    done)
+    if [ -n "$WRITE_WITH_READ" ]; then
+      echo "BLOCKING: Write endpoint uses Read permission in $f"
+      echo "$WRITE_WITH_READ"
+      echo "Fix: POST/PUT/DELETE/PATCH endpoints must use Create/Update/Delete permissions, never Read"
+      exit 1
+    fi
+  done
+fi
+```
+
+### POST-CHECK S9: FK relationships must enforce tenant isolation (BLOCKING)
+
+> **Source:** audit ba-002 finding C5 — Department.ManagerId FK referenced Employee without
+> tenant constraint, allowing cross-tenant data leakage through navigation properties.
+
+```bash
+CONFIG_FILES=$(find src/ -path "*/Configurations/*" -name "*Configuration.cs" 2>/dev/null)
+if [ -n "$CONFIG_FILES" ]; then
+  for f in $CONFIG_FILES; do
+    # Check if entity implements ITenantEntity
+    ENTITY_NAME=$(grep -oP 'IEntityTypeConfiguration<(\w+)>' "$f" | grep -oP '<\K[^>]+')
+    if [ -z "$ENTITY_NAME" ]; then continue; fi
+
+    # Check if the entity is tenant-scoped (has TenantId in its properties or base class)
+    ENTITY_FILE=$(find src/ -path "*/Domain/*" -name "${ENTITY_NAME}.cs" 2>/dev/null | head -1)
+    if [ -z "$ENTITY_FILE" ]; then continue; fi
+
+    IS_TENANT=$(grep -cE 'ITenantEntity|BaseEntity|TenantId' "$ENTITY_FILE")
+    if [ "$IS_TENANT" -eq 0 ]; then continue; fi
+
+    # For tenant entities, check FK relationships point to other tenant entities
+    # Warning: FK to non-tenant entity from tenant entity = potential cross-tenant leak
+    FK_TARGETS=$(grep -oP 'HasOne<(\w+)>|HasOne\(e\s*=>\s*e\.(\w+)\)' "$f" | grep -oP '\w+(?=>|\))' | sort -u)
+    for TARGET in $FK_TARGETS; do
+      TARGET_FILE=$(find src/ -path "*/Domain/*" -name "${TARGET}.cs" 2>/dev/null | head -1)
+      if [ -n "$TARGET_FILE" ]; then
+        TARGET_IS_TENANT=$(grep -cE 'ITenantEntity|BaseEntity|TenantId' "$TARGET_FILE")
+        if [ "$TARGET_IS_TENANT" -gt 0 ]; then
+          # Both are tenant entities — verify the FK has a composite or filtered relationship
+          # At minimum, warn that cross-tenant reference is possible without query filter
+          HAS_QUERY_FILTER=$(grep -c 'HasQueryFilter' "$f")
+          if [ "$HAS_QUERY_FILTER" -eq 0 ]; then
+            echo "WARNING: $f — FK from tenant entity $ENTITY_NAME to tenant entity $TARGET without HasQueryFilter"
+            echo "Cross-tenant data leakage possible if FK is assigned without tenant validation"
+            echo "Fix: Add tenant validation in service layer before assigning FK, or use composite FK (TenantId + EntityId)"
+          fi
+        fi
+      fi
+    done
+  done
+fi
+```
+
 ---
 
 ## Backend — Entity, Service & Controller Checks
 
+### POST-CHECK V1: Controllers with POST/PUT must have corresponding Validators (BLOCKING)
+
+```bash
+CTRL_FILES=$(find src/ -path "*/Controllers/*" -name "*Controller.cs" 2>/dev/null)
+if [ -n "$CTRL_FILES" ]; then
+  for f in $CTRL_FILES; do
+    # Check if controller has POST or PUT endpoints
+    HAS_WRITE=$(grep -cE "\[Http(Post|Put)\]" "$f")
+    if [ "$HAS_WRITE" -gt 0 ]; then
+      # Extract DTO names from POST/PUT method parameters
+      DTOS=$(grep -oP '(?:Create|Update)\w+Dto' "$f" | sort -u)
+      for DTO in $DTOS; do
+        VALIDATOR_NAME=$(echo "$DTO" | sed 's/Dto$/Validator/')
+        VALIDATOR_FILE=$(find src/ -path "*/Validators/*" -name "${VALIDATOR_NAME}.cs" 2>/dev/null)
+        if [ -z "$VALIDATOR_FILE" ]; then
+          echo "BLOCKING: Controller $f uses $DTO but no ${VALIDATOR_NAME}.cs found"
+          echo "Fix: Create Validator with FluentValidation rules from business rules"
+          exit 1
+        fi
+      done
+    fi
+  done
+fi
+```
+
+### POST-CHECK V2: Validators must be registered in DI (WARNING)
+
+```bash
+VALIDATOR_FILES=$(find src/ -path "*/Validators/*" -name "*Validator.cs" 2>/dev/null)
+if [ -n "$VALIDATOR_FILES" ]; then
+  DI_FILE=$(find src/ -name "DependencyInjection.cs" -o -name "ServiceCollectionExtensions.cs" 2>/dev/null | head -1)
+  if [ -n "$DI_FILE" ]; then
+    for f in $VALIDATOR_FILES; do
+      VALIDATOR_NAME=$(basename "$f" .cs)
+      if ! grep -q "$VALIDATOR_NAME" "$DI_FILE"; then
+        echo "WARNING: Validator $VALIDATOR_NAME not registered in DI: $DI_FILE"
+      fi
+    done
+  fi
+fi
+```
+
 ### POST-CHECK C1: Navigation routes must be full paths starting with /
 
 ```bash
@@ -1659,6 +1770,120 @@ if [ -n "$ENTITY_FILES" ]; then
 fi
 ```
 
+### POST-CHECK C49: Route Ordering in App.tsx — static before dynamic (BLOCKING)
+
+> **Source:** Dashboard 404 bug — `:id` route declared before `dashboard` route in applicationRoutes,
+> React Router matched `dashboard` as an `id` parameter → page not found.
+
+```bash
+APP_TSX=$(find web/ src/ -name "App.tsx" -not -path "*/node_modules/*" 2>/dev/null | head -1)
+if [ -n "$APP_TSX" ]; then
+  # Extract all route paths from applicationRoutes in order
+  ROUTE_PATHS=$(grep -oP "path:\s*'([^']+)'" "$APP_TSX" | sed "s/path: '//;s/'//")
+  FAIL=false
+  PREV_PREFIX=""
+  PREV_IS_DYNAMIC=false
+
+  while IFS= read -r ROUTE; do
+    [ -z "$ROUTE" ] && continue
+    # Extract prefix (everything before last segment)
+    PREFIX=$(echo "$ROUTE" | sed 's|/[^/]*$||')
+    LAST_SEGMENT=$(echo "$ROUTE" | grep -oP '[^/]+$')
+    IS_DYNAMIC=$(echo "$LAST_SEGMENT" | grep -c '^:')
+
+    # Check: if previous route was dynamic and current route is static with same prefix
+    if [ "$PREV_IS_DYNAMIC" = true ] && [ "$IS_DYNAMIC" -eq 0 ] && [ "$PREFIX" = "$PREV_PREFIX" ]; then
+      echo "BLOCKING: Static route '$ROUTE' is AFTER a dynamic route with prefix '$PREFIX' in App.tsx"
+      echo "  React Router will match the dynamic route first → '$ROUTE' is unreachable (404)"
+      echo "  Fix: Move static routes BEFORE dynamic routes within the same prefix group"
+      FAIL=true
+    fi
+
+    PREV_PREFIX="$PREFIX"
+    if [ "$IS_DYNAMIC" -gt 0 ]; then
+      PREV_IS_DYNAMIC=true
+    else
+      PREV_IS_DYNAMIC=false
+    fi
+  done <<< "$ROUTE_PATHS"
+
+  # Also check: Navigate (redirect) routes must be at the end
+  REDIRECT_LINE=$(grep -n "Navigate" "$APP_TSX" | head -1 | cut -d: -f1)
+  if [ -n "$REDIRECT_LINE" ]; then
+    ROUTES_AFTER=$(tail -n +"$((REDIRECT_LINE+1))" "$APP_TSX" | grep -cP "path:\s*'" 2>/dev/null)
+    if [ "$ROUTES_AFTER" -gt 0 ]; then
+      echo "WARNING: Route definitions found AFTER Navigate redirect — redirects should be LAST"
+    fi
+  fi
+
+  if [ "$FAIL" = true ]; then
+    exit 1
+  fi
+fi
+```
+
+### POST-CHECK C50: NavRoute Uniqueness — no duplicate NavRoute values (BLOCKING)
+
+> **Source:** Two controllers sharing the same NavRoute causes routing conflicts — one endpoint
+> silently overrides the other → 404 on the shadowed controller.
+
+```bash
+CTRL_FILES=$(find src/ -path "*/Controllers/*" -name "*Controller.cs" 2>/dev/null)
+if [ -n "$CTRL_FILES" ]; then
+  # Extract all NavRoute values with their file paths
+  NAVROUTES=$(grep -Pn '\[NavRoute\("([^"]+)"\)' $CTRL_FILES 2>/dev/null | sed 's/.*\[NavRoute("\([^"]*\)").*/\1/' | sort)
+  DUPLICATES=$(echo "$NAVROUTES" | uniq -d)
+  if [ -n "$DUPLICATES" ]; then
+    echo "BLOCKING: Duplicate NavRoute values detected:"
+    for DUP in $DUPLICATES; do
+      echo "  NavRoute: $DUP"
+      grep -l "\[NavRoute(\"$DUP\")\]" $CTRL_FILES 2>/dev/null | while read -r f; do
+        echo "    - $f"
+      done
+    done
+    echo "  Fix: Each controller MUST have a unique NavRoute value"
+    exit 1
+  fi
+fi
+```
+
+### POST-CHECK C51: NavRoute Segments vs Controller Hierarchy (WARNING)
+
+> **Source:** ContractsController in `Controllers/{App}/Employees/` subfolder had NavRoute
+> `human-resources.contracts` (2 segments) instead of `human-resources.employees.contracts`
+> (3 segments) → API resolved to wrong path → 404 on contracts endpoints.
+
+```bash
+CTRL_FILES=$(find src/ -path "*/Controllers/*" -name "*Controller.cs" 2>/dev/null)
+if [ -n "$CTRL_FILES" ]; then
+  for f in $CTRL_FILES; do
+    NAVROUTE=$(grep -oP '\[NavRoute\("\K[^"]+' "$f")
+    if [ -z "$NAVROUTE" ]; then continue; fi
+
+    DOTS=$(echo "$NAVROUTE" | tr -cd '.' | wc -c)
+
+    # Count directory depth after Controllers/
+    # e.g., Controllers/HumanResources/Employees/ContractsController.cs = depth 2 (section)
+    REL_PATH=$(echo "$f" | sed 's|.*/Controllers/||')
+    DIR_DEPTH=$(echo "$REL_PATH" | tr '/' '\n' | wc -l)
+    # DIR_DEPTH: 2 = module level (App/Controller.cs), 3 = section level (App/Module/Controller.cs)
+
+    if [ "$DIR_DEPTH" -ge 3 ] && [ "$DOTS" -le 1 ]; then
+      echo "WARNING: Controller in section subfolder but NavRoute has only $((DOTS+1)) segments"
+      echo "  File: $f"
+      echo "  NavRoute: $NAVROUTE"
+      echo "  Expected: 3+ segments (app.module.section) for controllers in section subfolders"
+      echo "  Fix: Update NavRoute to include the module segment (e.g., 'app.module.section')"
+    fi
+
+    if [ "$DOTS" -eq 0 ]; then
+      echo "BLOCKING: NavRoute '$NAVROUTE' has only 1 segment (minimum 2 required): $f"
+      exit 1
+    fi
+  done
+fi
+```
+
 ---
 
 ## Architecture — Clean Architecture Layer Isolation
@@ -1785,6 +2010,63 @@ if [ -n "$CTRL_FILES" ]; then
 fi
 ```
 
+### POST-CHECK A8: API endpoints must match handoff apiEndpointSummary (BLOCKING)
+
+> **LESSON LEARNED (audit ba-002):** 4/17 API endpoints (export, calculate, balance upsert, year-end)
+> were missing but all API tasks were marked COMPLETE. This check reconciles actual controller
+> endpoints against the handoff contract.
+
+```bash
+# Read apiEndpointSummary from PRD and verify each operation exists in controllers
+PRD_FILE=".ralph/prd.json"
+if [ ! -f "$PRD_FILE" ]; then
+  # Try module-specific PRD
+  if [ -f ".ralph/modules-queue.json" ]; then
+    PRD_FILE=$(cat .ralph/modules-queue.json | grep -o '"prdFile":"[^"]*"' | tail -1 | cut -d'"' -f4)
+  fi
+fi
+
+if [ -f "$PRD_FILE" ]; then
+  # Extract operation names from apiEndpointSummary
+  OPERATIONS=$(cat "$PRD_FILE" | grep -o '"operation"\s*:\s*"[^"]*"' | cut -d'"' -f4 2>/dev/null)
+
+  if [ -n "$OPERATIONS" ]; then
+    CTRL_FILES=$(find src/ -path "*/Controllers/*" -name "*Controller.cs" 2>/dev/null)
+    MISSING_OPS=""
+    TOTAL_OPS=0
+    FOUND_OPS=0
+
+    for op in $OPERATIONS; do
+      TOTAL_OPS=$((TOTAL_OPS + 1))
+      FOUND=false
+      if [ -n "$CTRL_FILES" ]; then
+        for f in $CTRL_FILES; do
+          if grep -q "$op" "$f" 2>/dev/null; then
+            FOUND=true
+            break
+          fi
+        done
+      fi
+      if [ "$FOUND" = true ]; then
+        FOUND_OPS=$((FOUND_OPS + 1))
+      else
+        MISSING_OPS="$MISSING_OPS $op"
+      fi
+    done
+
+    if [ -n "$MISSING_OPS" ]; then
+      echo "BLOCKING: API endpoints missing from controllers (handoff contract violation)"
+      echo "Found: $FOUND_OPS/$TOTAL_OPS operations"
+      echo "Missing operations:$MISSING_OPS"
+      echo "Fix: Implement missing endpoints in the appropriate Controller"
+      exit 1
+    else
+      echo "POST-CHECK A8: OK — $FOUND_OPS/$TOTAL_OPS API operations found"
+    fi
+  fi
+fi
+```
+
 ---
 
 ## Summary

package/templates/skills/apex/references/smartstack-layers.md

@@ -257,6 +257,8 @@ var sectionRoute = $"{moduleRoute}/{ToKebabCase(sectionCode)}";
 - POST-CHECK C34 detects non-kebab-case NavRoute values. POST-CHECK C35 detects non-kebab-case permissions
 - Do not combine `[Route("api/...")]` with `[NavRoute]` — causes 404s (POST-CHECK C43)
 - `[NavRoute]` is the only route attribute needed — resolves routes from DB at startup
+- **NavRoute uniqueness:** Each controller MUST have a unique NavRoute value. Two controllers sharing the same NavRoute causes routing conflicts and 404s (POST-CHECK C50)
+- **NavRoute segment count vs hierarchy:** If a controller lives in a section subfolder (e.g., `Controllers/{App}/Employees/ContractsController.cs`), its NavRoute MUST have 3 segments (`app.module.section`), not 2. A 2-segment NavRoute on a section controller causes API 404s because the resolved route doesn't match the expected path (POST-CHECK C51)
 - Do not use `[Authorize]` without specific permission
 - Swagger XML documentation
 - Return DTOs, never domain entities
@@ -307,12 +309,41 @@ const [loading, setLoading] = useState(true);
 
 **Loader:** `Loader2` from `lucide-react` for spinners, `PageLoader` for Suspense fallback
 
+### RULE — Frontend Route Ordering
+
+> **CRITICAL:** React Router matches routes top-to-bottom. Dynamic routes (`:id`, `:id/edit`) placed BEFORE static routes (`dashboard`, `create`) will swallow the static paths — e.g., `/employees/dashboard` matches `:id` with `id="dashboard"` → 404.
+
+**Order (MANDATORY):**
+
+1. Index/list route (path: `''` or `'{section}'`)
+2. Create route (`'{section}/create'`)
+3. Static sections (`'{section}/dashboard'`, `'{section}/departments'`, etc.)
+4. Dynamic routes (`'{section}/:id'`, `'{section}/:id/edit'`)
+5. Redirect routes (`Navigate`) — ALWAYS LAST
+
+```tsx
+// ✅ CORRECT — static before dynamic
+{ path: 'employees', element: <EmployeesPage /> },
+{ path: 'employees/create', element: <CreateEmployeePage /> },
+{ path: 'employees/dashboard', element: <EmployeeDashboardPage /> },
+{ path: 'employees/:id', element: <EmployeeDetailPage /> },
+{ path: 'employees/:id/edit', element: <EditEmployeePage /> },
+{ path: '', element: <Navigate to="employees" replace /> },
+
+// ❌ WRONG — :id before dashboard → dashboard is unreachable (matched as id="dashboard")
+{ path: 'employees/:id', element: <EmployeeDetailPage /> },
+{ path: 'employees/dashboard', element: <EmployeeDashboardPage /> },  // NEVER REACHED
+```
+
+POST-CHECK C49 detects this anti-pattern and BLOCKS.
+
 ### Section Routes (when module has sections)
 
 If the module defines `{sections}`, generate frontend routes for EACH section as children of the module route:
 
 ```tsx
 // Section routes are nested inside the module's children array
+// IMPORTANT: static routes BEFORE dynamic routes (see Route Ordering rule above)
 { path: '{section-kebab}', element: <Suspense fallback={<PageLoader />}><{Section}Page /></Suspense> },
 { path: '{section-kebab}/create', element: <Suspense fallback={<PageLoader />}><Create{Section}Page /></Suspense> },
 { path: '{section-kebab}/:id', element: <Suspense fallback={<PageLoader />}><{Section}DetailPage /></Suspense> },

package/templates/skills/apex/steps/step-02-plan.md

@@ -108,6 +108,15 @@ Verify the plan respects dependencies:
 - Build gate between EVERY layer (must pass): Layer 0 → 1 → 2 → 3 → 4
 ```
 
+### 4b. Module Code Collision Guard (BLOCKING)
+
+```
+IF appCode == moduleCode:
+  BLOCK — module_code identique à app_code cause des segments doublés (e.g. /hr/hr).
+  Suggestion : "{appCode}-core", "{appCode}-management"
+  ASK user pour un module_code différent.
+```
+
 ---
 
 ## 5. Estimated Commits

package/templates/skills/apex/steps/step-03-execute.md

@@ -298,6 +298,39 @@ After controller generation, verify `[NavRoute]` attribute is present on every c
 - When calling `scaffold_extension(type: "controller")`, always pass `navRoute` in options
 - This is REQUIRED for `scaffold_routes` to auto-detect routes in Layer 3
 
+### Guard: NavRoute Uniqueness and Segment Count (MANDATORY)
+
+**BEFORE proceeding past Layer 2**, verify for EACH controller:
+
+1. **Unique NavRoute:** No two controllers may share the same `[NavRoute("...")]` value. Duplicate NavRoutes cause routing conflicts → 404s on one of the controllers.
+
+2. **Segment count matches hierarchy:** Count the dots in the NavRoute value:
+   - 1 dot = 2 segments (module-level, e.g., `human-resources.employees`) — controller is at `Controllers/{App}/`
+   - 2 dots = 3 segments (section-level, e.g., `human-resources.employees.contracts`) — controller is at `Controllers/{App}/{Module}/` or in a section subfolder
+   - **If a controller is in a section subfolder** (e.g., `Controllers/{App}/Employees/ContractsController.cs`) **but has only 2 segments** → the API route will be wrong → 404. It MUST have 3 segments.
+   - 0 dots = INVALID → BLOCK
+
+```bash
+# Quick validation
+CTRL_FILES=$(find src/ -path "*/Controllers/*" -name "*Controller.cs" 2>/dev/null)
+for f in $CTRL_FILES; do
+  NAVROUTE=$(grep -oP '\[NavRoute\("\K[^"]+' "$f")
+  if [ -n "$NAVROUTE" ]; then
+    DOTS=$(echo "$NAVROUTE" | tr -cd '.' | wc -c)
+    if [ "$DOTS" -eq 0 ]; then
+      echo "BLOCKING: NavRoute '$NAVROUTE' has only 1 segment (need minimum 2): $f"
+      exit 1
+    fi
+    # Check if controller is in a section subfolder but NavRoute has only 2 segments
+    DEPTH=$(echo "$f" | grep -oP 'Controllers/[^/]+/[^/]+/' | wc -l)
+    if [ "$DEPTH" -gt 0 ] && [ "$DOTS" -eq 1 ]; then
+      echo "WARNING: Controller in section subfolder but NavRoute has only 2 segments: $f"
+      echo "  NavRoute: $NAVROUTE — expected 3 segments (app.module.section)"
+    fi
+  fi
+done
+```
+
 ```bash
 # Quick check: all controllers must have [NavRoute] (not just [Route])
 CTRL_FILES=$(find src/ -path "*/Controllers/*" -name "*Controller.cs" 2>/dev/null)
@@ -386,11 +419,15 @@ TaskUpdate(taskId: progress_tracker_id,
 
 For each module:
 - API client: MCP scaffold_api_client
-- Routes: MCP scaffold_routes (outputFormat: 'applicationRoutes') → generates lazy imports + Suspense
+- Routes — TWO mandatory steps:
+  1. Generate registry: MCP scaffold_routes (source: 'controllers', outputFormat: 'applicationRoutes', dryRun: false)
+     → Creates navRoutes.generated.ts (required by POST-CHECK C2)
+  2. Wire to App.tsx (see below)
 - Wire Routes to App.tsx: After scaffold_routes, routes must be wired into App.tsx:
   → Read App.tsx and detect the routing pattern
   → Pattern A (`applicationRoutes: ApplicationRouteExtensions`): add routes to `applicationRoutes['{application_kebab}'][]` with RELATIVE paths
   → Pattern B (JSX `<Route>`): nest routes inside `<Route path="/{application}" element={<AppLayout />}>` + duplicate in tenant block
+  → **BEFORE wiring:** Verify route ordering — static routes (`create`, `dashboard`, `departments`) MUST come BEFORE dynamic routes (`:id`, `:id/edit`). Redirect routes (`Navigate`) MUST be LAST. See `references/smartstack-layers.md` "RULE — Frontend Route Ordering".
   → Do not add business routes to `clientRoutes[]` — it is only for non-app routes (`/about`, `/pricing`)
   → All business applications use `<AppLayout />` as layout wrapper
   → See `references/frontend-route-wiring-app-tsx.md` for full Pattern A/B detection and examples
@@ -480,7 +517,7 @@ IF NOT economy_mode AND entities.length > 1:
       prompt='Execute Layer 3 frontend for {EntityName}:
         **MANDATORY: Read references/smartstack-frontend.md FIRST**
         - API client: MCP scaffold_api_client
-        - Routes: MCP scaffold_routes (outputFormat: "applicationRoutes")
+        - Routes: MCP scaffold_routes (outputFormat: "applicationRoutes", dryRun: false) → MUST generate navRoutes.generated.ts
         - Wire Routes to App.tsx (BLOCKING): detect Pattern A/B, wire accordingly
           → See references/frontend-route-wiring-app-tsx.md for full patterns
           → Verify: mcp__smartstack__validate_frontend_routes (scope: "routes")

package/templates/skills/application/references/frontend-route-wiring-app-tsx.md

@@ -69,6 +69,39 @@ const applicationRoutes: ApplicationRouteExtensions = {
 
 Routes are automatically injected into BOTH standard (`/{application}/...`) and tenant-prefixed (`/t/:slug/{application}/...`) route trees by `mergeRoutes()`. No manual duplication needed.
 
+#### RULE — Route Ordering in applicationRoutes
+
+> **CRITICAL:** Routes within each application key MUST follow static-before-dynamic order.
+> React Router matches top-to-bottom — a `:id` route placed before a `dashboard` route
+> will match `dashboard` as an `id` parameter → 404.
+
+```tsx
+const applicationRoutes: ApplicationRouteExtensions = {
+  'human-resources': [
+    // ✅ CORRECT ORDER — static before dynamic
+    { path: 'employees', element: <EmployeesPage /> },
+    { path: 'employees/create', element: <CreateEmployeePage /> },
+    { path: 'employees/dashboard', element: <EmployeeDashboardPage /> },
+    { path: 'employees/:id', element: <EmployeeDetailPage /> },
+    { path: 'employees/:id/edit', element: <EditEmployeePage /> },
+
+    // Redirect routes ALWAYS LAST
+    { path: '', element: <Navigate to="employees" replace /> },
+  ],
+};
+```
+
+```tsx
+// ❌ FORBIDDEN — :id before static routes
+'human-resources': [
+  { path: 'employees/:id', element: <EmployeeDetailPage /> },      // ← WRONG: catches 'dashboard'
+  { path: 'employees/dashboard', element: <DashboardPage /> },      // ← NEVER REACHED
+]
+```
+
+See `smartstack-layers.md` "RULE — Frontend Route Ordering" for the full ordering specification.
+POST-CHECK C49 detects and BLOCKS this anti-pattern.
+
 #### Custom Applications (Pattern A)
 
 Custom application keys (any key **not** in the built-in list: `administration`, `support`, `user`, `api`) are fully supported in `applicationRoutes`. `mergeRoutes()` automatically:

package/templates/skills/business-analyse/references/consolidation-structural-checks.md

@@ -89,6 +89,21 @@ FOR each entity in analysis.entities[]:
   IF endpoints.length === 0 -> ERROR: "Entity {entity.name} has NO endpoints — missing controller"
 ```
 
+## H. Permission Granularity Check
+
+> Validates that section permission modes are respected in the generated permission data.
+
+```
+FOR each module:
+  FOR each section in anticipatedSections[]:
+    IF section.sectionType == "view" OR section.permissionMode == "inherit":
+      IF section has own permissions in seedDataCore.permissions[] -> WARNING: "Section '{code}' is type 'view' but has own permissions — should inherit from module"
+    IF section.permissionMode == "read-only":
+      IF section has create/update/delete permissions -> ERROR: "Section '{code}' is read-only but has write permissions"
+    IF section.sectionType == "primary" AND NOT section.permissionMode:
+      -> WARNING: "Primary section '{code}' missing explicit permissionMode — defaulting to 'crud'"
+```
+
 ## Result Aggregation
 
 ```json
@@ -100,6 +115,8 @@ FOR each entity in analysis.entities[]:
     { "check": "id-uniqueness", "module": "...", "status": "PASS|ERROR", "details": "..." },
     { "check": "wireframe-layout", "module": "...", "status": "PASS|ERROR", "details": "..." },
     { "check": "seeddata-translations", "module": "...", "status": "PASS|ERROR", "details": "..." }
+    ,
+    { "check": "permission-granularity", "module": "...", "status": "PASS|WARNING|ERROR", "details": "..." }
   ]
 }
 ```

package/templates/skills/business-analyse/references/spec-auto-inference.md

@@ -34,13 +34,18 @@
 
 > **RULE:** Sections = functional zones only. `create`/`edit` are separate pages with own URL routes (`/create` and `/:id/edit`). `detail` is a tabbed page reached from `list`.
 
-| featureType | Sections (functional zones) | List page includes | Form pages | Detail page tabs |
-|---|---|---|---|---|
-| data-centric | list | grid, filters, create button | `/create` page, `/:id/edit` page | Infos, {relations} |
-| workflow | list, approve | grid, filters, create button | `/create` page, `/:id/edit` page | Infos, {relations}, Historique |
-| integration | list | grid, filters, config button | `/create` page, `/:id/edit` page | Infos, Config, Logs |
-| reporting | dashboard | — | — | — |
-| full-module | list, dashboard | grid, filters, create button | `/create` page, `/:id/edit` page | Infos, {relations}, Historique |
+| featureType | Sections (functional zones) | permissionMode | List page includes | Form pages | Detail page tabs |
+|---|---|---|---|---|---|
+| data-centric | list | `crud` | grid, filters, create button | `/create` page, `/:id/edit` page | Infos, {relations} |
+| data-centric | (detail — implicit) | `inherit` | — | — | — |
+| workflow | list | `crud` | grid, filters, create button | `/create` page, `/:id/edit` page | Infos, {relations}, Historique |
+| workflow | approve | `custom:approve,reject` | — | — | — |
+| integration | list | `crud` | grid, filters, config button | `/create` page, `/:id/edit` page | Infos, Config, Logs |
+| reporting | dashboard | `read-only` | — | — | — |
+| full-module | list | `crud` | grid, filters, create button | `/create` page, `/:id/edit` page | Infos, {relations}, Historique |
+| full-module | dashboard | `read-only` | — | — | — |
+
+> **RULE:** `detail` is NEVER a section with its own permission set. It is always `sectionType: view`, `permissionMode: inherit`. Detail pages inherit permissions from their parent module.
 
 ## Component Generation Rules