@atlashub/smartstack-cli 4.31.0 → 4.33.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@atlashub/smartstack-cli",
-  "version": "4.31.0",
+  "version": "4.33.0",
   "description": "SmartStack Claude Code automation toolkit - GitFlow, EF Core migrations, prompts and more",
   "author": {
     "name": "SmartStack",

package/templates/mcp-scaffolding/controller.cs.hbs

@@ -1,192 +1,118 @@
-using System;
-using System.Collections.Generic;
-using System.Threading;
-using System.Threading.Tasks;
-using Microsoft.AspNetCore.Authorization;
+using MediatR;
 using Microsoft.AspNetCore.Mvc;
-using Microsoft.Extensions.Logging;
 using SmartStack.Api.Authorization;
 {{#if navRoute}}
 using SmartStack.Api.Routing;
 {{/if}}
-using SmartStack.Application.Common.Models;
+using SmartStack.Application.Common.Authorization;
 
-namespace {{namespace}}.Controllers;
+namespace {{namespace}};
 
 /// <summary>
-/// API controller for {{name}} operations
+/// API controller for {{name}} operations.
 /// </summary>
 [ApiController]
 {{#if navRoute}}
-[NavRoute("{{navRoute}}")]
+[NavRoute("{{navRoute}}"{{#if navRouteSuffix}}, Suffix = "{{navRouteSuffix}}"{{/if}}{{#if customSegment}}, CustomSegment = "{{customSegment}}"{{/if}})]
 {{else}}
 [Route("api/[controller]")]
 {{/if}}
-[Authorize]
+[Microsoft.AspNetCore.Authorization.Authorize]
 [Produces("application/json")]
+[Tags("{{namePlural}}")]
 public class {{name}}Controller : ControllerBase
 {
-    private readonly ILogger<{{name}}Controller> _logger;
-    // private readonly I{{name}}Service _{{nameCamel}}Service;
+    private readonly ISender _mediator;
 
-    public {{name}}Controller(
-        ILogger<{{name}}Controller> logger
-        // I{{name}}Service {{nameCamel}}Service
-    )
-    {
-        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
-        // _{{nameCamel}}Service = {{nameCamel}}Service ?? throw new ArgumentNullException(nameof({{nameCamel}}Service));
-    }
+    public {{name}}Controller(ISender mediator) => _mediator = mediator;
 
     /// <summary>
     /// Get all {{namePlural}} with pagination
     /// </summary>
     [HttpGet]
 {{#if navRoute}}
-    [RequirePermission("{{navRoute}}.read")]
+    [RequirePermission(Permissions.{{module}}.{{namePlural}}.View)]
 {{/if}}
-    [ProducesResponseType(typeof(PaginatedResult<{{name}}Dto>), 200)]
-    public async Task<ActionResult<PaginatedResult<{{name}}Dto>>> GetAll(
-        [FromQuery] string? search = null,
-        [FromQuery] int page = 1,
-        [FromQuery] int pageSize = 20,
-        CancellationToken cancellationToken = default)
+    [ProducesResponseType(typeof(List<{{name}}ListDto>), StatusCodes.Status200OK)]
+    [ProducesResponseType(StatusCodes.Status401Unauthorized)]
+    [ProducesResponseType(StatusCodes.Status403Forbidden)]
+    public async Task<ActionResult<List<{{name}}ListDto>>> GetAll(CancellationToken ct)
     {
-        _logger.LogInformation("Getting all {{namePlural}}");
-
-        // TODO: Implement using service
-        // var result = await _{{nameCamel}}Service.GetAllAsync(search, page, pageSize, cancellationToken);
-        // return Ok(result);
-
-        return Ok(PaginatedResult<{{name}}Dto>.Empty(page, pageSize));
+        var result = await _mediator.Send(new Get{{namePlural}}Query(), ct);
+        return Ok(result);
     }
 
     /// <summary>
     /// Get {{nameCamel}} by ID
     /// </summary>
-    /// <param name="id">{{name}} ID</param>
-    /// <param name="cancellationToken">Cancellation token</param>
-    /// <returns>{{name}} details</returns>
     [HttpGet("{id:guid}")]
 {{#if navRoute}}
-    [RequirePermission("{{navRoute}}.read")]
+    [RequirePermission(Permissions.{{module}}.{{namePlural}}.View)]
 {{/if}}
-    [ProducesResponseType(typeof({{name}}Dto), 200)]
-    [ProducesResponseType(404)]
-    public async Task<ActionResult<{{name}}Dto>> GetById(
-        Guid id,
-        CancellationToken cancellationToken = default)
+    [ProducesResponseType(typeof({{name}}DetailDto), StatusCodes.Status200OK)]
+    [ProducesResponseType(StatusCodes.Status404NotFound)]
+    [ProducesResponseType(StatusCodes.Status401Unauthorized)]
+    [ProducesResponseType(StatusCodes.Status403Forbidden)]
+    public async Task<ActionResult<{{name}}DetailDto>> GetById(
+        Guid id, CancellationToken ct)
     {
-        _logger.LogInformation("Getting {{nameCamel}} {Id}", id);
-
-        // TODO: Implement using service
-        // var result = await _{{nameCamel}}Service.GetByIdAsync(id, cancellationToken);
-        // if (result == null) return NotFound();
-        // return Ok(result);
-
-        return NotFound();
+        var result = await _mediator.Send(new Get{{name}}ByIdQuery(id), ct);
+        if (result == null) return NotFound(new { message = "{{name}} not found" });
+        return Ok(result);
     }
 
     /// <summary>
     /// Create new {{nameCamel}}
     /// </summary>
-    /// <param name="request">Create request</param>
-    /// <param name="cancellationToken">Cancellation token</param>
-    /// <returns>Created {{nameCamel}}</returns>
     [HttpPost]
 {{#if navRoute}}
-    [RequirePermission("{{navRoute}}.create")]
+    [RequirePermission(Permissions.{{module}}.{{namePlural}}.Create)]
 {{/if}}
-    [ProducesResponseType(typeof({{name}}Dto), 201)]
-    [ProducesResponseType(400)]
-    public async Task<ActionResult<{{name}}Dto>> Create(
-        [FromBody] Create{{name}}Request request,
-        CancellationToken cancellationToken = default)
+    [ProducesResponseType(typeof({{name}}DetailDto), StatusCodes.Status201Created)]
+    [ProducesResponseType(StatusCodes.Status400BadRequest)]
+    [ProducesResponseType(StatusCodes.Status401Unauthorized)]
+    [ProducesResponseType(StatusCodes.Status403Forbidden)]
+    public async Task<ActionResult<{{name}}DetailDto>> Create(
+        [FromBody] Create{{name}}Request request, CancellationToken ct)
     {
-        _logger.LogInformation("Creating new {{nameCamel}}");
-
-        // TODO: Validate and create using service
-        // var result = await _{{nameCamel}}Service.CreateAsync(request, cancellationToken);
-        // return CreatedAtAction(nameof(GetById), new { id = result.Id }, result);
-
-        var id = Guid.NewGuid();
-        return CreatedAtAction(nameof(GetById), new { id }, null);
+        var result = await _mediator.Send(new Create{{name}}Command(request), ct);
+        return CreatedAtAction(nameof(GetById), new { id = result.Id }, result);
     }
 
     /// <summary>
     /// Update {{nameCamel}}
     /// </summary>
-    /// <param name="id">{{name}} ID</param>
-    /// <param name="request">Update request</param>
-    /// <param name="cancellationToken">Cancellation token</param>
     [HttpPut("{id:guid}")]
 {{#if navRoute}}
-    [RequirePermission("{{navRoute}}.update")]
+    [RequirePermission(Permissions.{{module}}.{{namePlural}}.Update)]
 {{/if}}
-    [ProducesResponseType(204)]
-    [ProducesResponseType(404)]
-    [ProducesResponseType(400)]
-    public async Task<ActionResult> Update(
-        Guid id,
-        [FromBody] Update{{name}}Request request,
-        CancellationToken cancellationToken = default)
+    [ProducesResponseType(typeof({{name}}DetailDto), StatusCodes.Status200OK)]
+    [ProducesResponseType(StatusCodes.Status404NotFound)]
+    [ProducesResponseType(StatusCodes.Status400BadRequest)]
+    [ProducesResponseType(StatusCodes.Status401Unauthorized)]
+    [ProducesResponseType(StatusCodes.Status403Forbidden)]
+    public async Task<ActionResult<{{name}}DetailDto>> Update(
+        Guid id, [FromBody] Update{{name}}Request request, CancellationToken ct)
     {
-        _logger.LogInformation("Updating {{nameCamel}} {Id}", id);
-
-        // TODO: Implement using service
-        // await _{{nameCamel}}Service.UpdateAsync(id, request, cancellationToken);
-
-        return NoContent();
+        var result = await _mediator.Send(new Update{{name}}Command(id, request), ct);
+        if (result.IsNotFound) return NotFound(new { message = "{{name}} not found" });
+        return Ok(result.Data);
     }
 
     /// <summary>
     /// Delete {{nameCamel}}
     /// </summary>
-    /// <param name="id">{{name}} ID</param>
-    /// <param name="cancellationToken">Cancellation token</param>
     [HttpDelete("{id:guid}")]
 {{#if navRoute}}
-    [RequirePermission("{{navRoute}}.delete")]
+    [RequirePermission(Permissions.{{module}}.{{namePlural}}.Delete)]
 {{/if}}
-    [ProducesResponseType(204)]
-    [ProducesResponseType(404)]
-    public async Task<ActionResult> Delete(
-        Guid id,
-        CancellationToken cancellationToken = default)
+    [ProducesResponseType(StatusCodes.Status204NoContent)]
+    [ProducesResponseType(StatusCodes.Status404NotFound)]
+    [ProducesResponseType(StatusCodes.Status401Unauthorized)]
+    [ProducesResponseType(StatusCodes.Status403Forbidden)]
+    public async Task<IActionResult> Delete(Guid id, CancellationToken ct)
     {
-        _logger.LogInformation("Deleting {{nameCamel}} {Id}", id);
-
-        // TODO: Implement using service
-        // await _{{nameCamel}}Service.DeleteAsync(id, cancellationToken);
-
-        return NoContent();
+        var success = await _mediator.Send(new Delete{{name}}Command(id), ct);
+        return success ? NoContent() : NotFound(new { message = "{{name}} not found" });
     }
 }
-
-// ============================================================================
-// DTOs
-// ============================================================================
-
-/// <summary>
-/// {{name}} data transfer object
-/// </summary>
-public record {{name}}Dto(
-    Guid Id,
-    DateTime CreatedAt,
-    DateTime? UpdatedAt
-    // TODO: Add additional properties
-);
-
-/// <summary>
-/// Request to create a new {{nameCamel}}
-/// </summary>
-public record Create{{name}}Request(
-    // TODO: Add creation properties
-);
-
-/// <summary>
-/// Request to update a {{nameCamel}}
-/// </summary>
-public record Update{{name}}Request(
-    // TODO: Add update properties
-);

package/templates/project/README.md

@@ -62,6 +62,25 @@ Migrations must be applied in order:
 
 This is handled automatically in `Program.cs.template`.
 
+## Frontend Setup (React)
+
+### Route Registration
+
+SmartStack uses **PageRegistry + DynamicRouter** for routing. Register your pages:
+
+```tsx
+import { PageRegistry } from '@atlashub/smartstack';
+import { lazy } from 'react';
+
+// Register your application pages
+PageRegistry.register('rh.time.dashboard', lazy(() => import('./pages/TimeDashboard')));
+PageRegistry.register('rh.time.list', lazy(() => import('./pages/TimeList')));
+PageRegistry.register('rh.time.detail', lazy(() => import('./pages/TimeDetail')));
+```
+
+Navigation entries (menu, permissions, routes) are managed in the database.
+DynamicRouter resolves everything automatically — no manual route wiring needed.
+
 ## Usage
 
 ```bash

package/templates/skills/apex/SKILL.md

@@ -91,14 +91,19 @@ Execute incremental SmartStack development using the APEX methodology. This skil
 </entry_point>
 
 <step_files>
-**Progressive loading - only load current step:**
+**Progressive loading — only load current step. Step 03 dispatches to layer sub-steps.**
 
 | Step | File | Model | Purpose |
 |------|------|-------|---------|
 | 00 | `steps/step-00-init.md` | Sonnet | Parse flags, detect application, verify MCP, define hierarchy (4 levels), scope validation |
 | 01 | `steps/step-01-analyze.md` | Opus | Explore existing code (parallel Agent tool or sequential) |
 | 02 | `steps/step-02-plan.md` | Opus | Layer-by-layer plan with skill/MCP mapping |
-| 03 | `steps/step-03-execute.md` | Opus | Orchestrate execution via skills and MCP |
+| 03 | `steps/step-03-execute.md` | Opus | **Orchestrator** — dispatches to layer sub-steps below |
+| 03a | `steps/step-03a-layer0-domain.md` | Opus | Layer 0: Domain entities, EF configs, migration |
+| 03b | `steps/step-03b-layer1-seed.md` | Opus | Layer 1: Seed data (navigation, permissions, roles) |
+| 03c | `steps/step-03c-layer2-backend.md` | Opus | Layer 2: Services, controllers, backend tests |
+| 03d | `steps/step-03d-layer3-frontend.md` | Opus | Layer 3: Pages, i18n, routes, frontend tests |
+| 03e | `steps/step-03e-layer4-devdata.md` | Opus | Layer 4: Development test data (optional) |
 | 04 | `steps/step-04-examine.md` | Opus | eXamine: MCP validation, build, POST-CHECKs, acceptance criteria |
 | 05 | `steps/step-05-deep-review.md` | Opus | Deep Review: adversarial code review (if -x) |
 | 06 | `steps/step-06-resolve.md` | Opus | Fix BLOCKING findings (if any) |
@@ -126,15 +131,16 @@ Execute incremental SmartStack development using the APEX methodology. This skil
 
 | File | Purpose | Loaded by | Stays in context for |
 |------|---------|-----------|---------------------|
-| `references/smartstack-api.md` | BaseEntity, interfaces, entity/config/controller patterns | step-01 | step-03 L0-L2 (released after L2) |
-| `references/smartstack-layers.md` | Layer rules, skill/MCP mapping, planning templates, delegate fast path | step-02 | step-03 L0-L2 (released after L2) |
-| `references/core-seed-data.md` | Comprehensive seed data templates (navigation, permissions, roles) | step-03 Layer 1 | released after Layer 1 |
-| `references/smartstack-frontend.md` | Frontend patterns, EntityLookup, i18n (sections 1-6) | step-03 Layer 3 (deferred) | step-04 |
-| `references/smartstack-frontend-compliance.md` | Documentation, form testing, compliance gates (sections 7-9) | step-03 Layer 3 (deferred) | step-04 |
+| `references/smartstack-api.md` | BaseEntity, interfaces, entity/config/controller patterns | step-01 | step-03a/03b/03c (released after L2) |
+| `references/smartstack-layers.md` | Layer rules, skill/MCP mapping, planning templates, delegate fast path | step-02 | step-03a/03b/03c (released after L2) |
+| `references/core-seed-data.md` | Comprehensive seed data templates (navigation, permissions, roles) | step-03b (Layer 1) | released after Layer 1 |
+| `references/smartstack-frontend.md` | Frontend patterns, EntityLookup, i18n (sections 1-6) | step-03d (Layer 3, deferred) | step-04 |
+| `references/smartstack-frontend-compliance.md` | Documentation, form testing, compliance gates (sections 7-9) | step-03d (Layer 3, deferred) | step-04 |
 | `references/challenge-questions.md` | Hierarchy rules, challenge questions, delegate mode skip | step-00 | — |
 | `references/error-classification.md` | Build error diagnosis categories A-F | step-03 (build failure), step-04 | — |
-| `references/parallel-execution.md` | Agent tool launch patterns, task coordination, decision matrix | step-01, step-03 (if NOT economy_mode) | — |
-| `references/post-checks.md` | Security + convention + architecture bash checks (MCP tools run first) | step-04 | — |
+| `references/parallel-execution.md` | Agent tool launch patterns, task coordination, decision matrix | step-01, step-03c/03d (if NOT economy_mode) | — |
+| `references/post-checks.md` | Compact checklist — indexes checks in `references/checks/*.sh` | step-04 | — |
+| `references/checks/*.sh` | Bash check scripts (security, backend, frontend, seed, architecture, infrastructure) | step-04 (executed via bash) | — |
 
 **Context propagation rule:** Files loaded in step N remain in conversation context for step N+1. Steps mark "do NOT re-read" to avoid duplicate reads.
 </reference_files>
@@ -148,7 +154,7 @@ Execute incremental SmartStack development using the APEX methodology. This skil
 - **Layer order** - Layer 0 (domain+infra+migration) → Layer 1 (seed data) → Layer 2 (backend+tests) → Layer 3 (frontend+tests) → Layer 4 (devdata)
 - **Parallel Agent tool** - Parallel execution for scan (step-01) and within Layer 2/3 (step-03) for multi-entity, unless economy_mode
 - **Tests inline** - Backend tests run after Layer 2, frontend tests run after Layer 3 (max 3 fix iterations each). Step-07 = final sweep (security + coverage).
-- **Exception: seed data** — The templates in core-seed-data.md and person-extension-pattern.md are generated directly because no MCP tool covers seed data creation. This is a documented exception to the "orchestrate, never generate" rule.
+- **Exception: seed data** — The templates in core-seed-data.md and person-extension-pattern.md are generated directly because no MCP tool covers seed data creation yet. This is a documented exception to the "orchestrate, never generate" rule. <!-- TODO: Remove exception when MCP scaffold_seed_data (B1) is ready -->
 - **Frontend pages: ALWAYS via Skill("ui-components")** — economy_mode affects parallelization only, NOT whether /ui-components is called. NEVER generate .tsx pages directly, even in delegate or economy mode.
 - **Save outputs** if `{save_mode}` = true
 - **Commits per layer** - Atomic commits after each execution layer

package/templates/skills/apex/_shared.md

@@ -156,7 +156,7 @@ Write back to {delegate_prd_path}
 | `scaffold_extension` | Create files manually following `smartstack-api.md` entity/service/controller patterns |
 | `suggest_migration` | Name format: `{context}_v{version}_{sequence}_{Description}` (see existing migrations for version) |
 | `generate_permissions` | Write `HasData()` code manually following `core-seed-data.md` permission section |
-| `scaffold_routes` | Create `applicationRoutes` array manually following `smartstack-frontend.md` §1 |
+| `scaffold_routes` | Create `componentRegistry.generated.ts` with `PageRegistry.register()` calls manually following `smartstack-frontend.md` §1 (or legacy `applicationRoutes` array for pre-v3.7 projects) |
 | `validate_frontend_routes` | Run POST-CHECK bash scripts from `post-checks.md` |
 | `validate_security` | Run security POST-CHECKs S1-S6 from `post-checks.md` |
 | `check_migrations` | Run `dotnet ef migrations has-pending-model-changes` manually |

package/templates/skills/apex/references/checks/architecture-checks.sh

@@ -0,0 +1,154 @@
+#!/bin/bash
+set -euo pipefail
+
+# POST-CHECK: Architecture — Clean Architecture Layer Isolation
+# A1-A8: Layer boundary enforcement, DTO usage, handoff compliance
+
+FAIL=false
+
+# POST-CHECK A1: Domain must not import other layers (BLOCKING)
+DOMAIN_FILES=$(find src/ -path "*/Domain/*" -name "*.cs" 2>/dev/null)
+if [ -n "$DOMAIN_FILES" ]; then
+  BAD_IMPORTS=$(grep -Pn 'using\s+[\w.]*\.(Application|Infrastructure|Api)[\w.]*;' $DOMAIN_FILES 2>/dev/null || true)
+  if [ -n "$BAD_IMPORTS" ]; then
+    echo "BLOCKING: Domain layer imports Application/Infrastructure/Api — violates Clean Architecture"
+    echo "Domain is the core, it must not depend on any other layer"
+    echo "$BAD_IMPORTS"
+    echo "Fix: Move shared types to Domain or remove the dependency"
+    FAIL=true
+  fi
+fi
+
+# POST-CHECK A2: Application must not import Infrastructure or Api (BLOCKING)
+APP_FILES=$(find src/ -path "*/Application/*" -name "*.cs" 2>/dev/null)
+if [ -n "$APP_FILES" ]; then
+  BAD_IMPORTS=$(grep -Pn 'using\s+[\w.]*\.(Infrastructure|Api)[\w.]*;' $APP_FILES 2>/dev/null || true)
+  if [ -n "$BAD_IMPORTS" ]; then
+    echo "BLOCKING: Application layer imports Infrastructure/Api — violates Clean Architecture"
+    echo "Application defines interfaces, Infrastructure implements them"
+    echo "$BAD_IMPORTS"
+    echo "Fix: Define an interface in Application and implement it in Infrastructure"
+    FAIL=true
+  fi
+fi
+
+# POST-CHECK A3: Controllers must not inject DbContext (BLOCKING)
+CTRL_FILES=$(find src/ -path "*/Controllers/*" -name "*Controller.cs" 2>/dev/null)
+if [ -n "$CTRL_FILES" ]; then
+  BAD_DBCONTEXT=$(grep -Pn 'private\s+readonly\s+\w*DbContext|DbContext\s+\w+[,)]' $CTRL_FILES 2>/dev/null || true)
+  if [ -n "$BAD_DBCONTEXT" ]; then
+    echo "BLOCKING: Controller injects DbContext directly — violates Clean Architecture"
+    echo "Controllers must use Application services, not access the database directly"
+    echo "$BAD_DBCONTEXT"
+    echo "Fix: Create an Application service with the required business logic and inject it instead"
+    FAIL=true
+  fi
+fi
+
+# POST-CHECK A4: API must return DTOs, not Domain entities (WARNING)
+CTRL_FILES=$(find src/ -path "*/Controllers/*" -name "*Controller.cs" 2>/dev/null)
+ENTITY_FILES=$(find src/ -path "*/Domain/Entities/*" -name "*.cs" 2>/dev/null)
+if [ -n "$CTRL_FILES" ] && [ -n "$ENTITY_FILES" ]; then
+  ENTITY_NAMES=$(grep -ohP 'public\s+class\s+(\w+)\s*:' $ENTITY_FILES 2>/dev/null | grep -oP '\w+(?=\s*:)' | grep -v '^public$' | sort -u || true)
+  for ENTITY in $ENTITY_NAMES; do
+    BAD_RETURN=$(grep -Pn "ActionResult<$ENTITY>|ActionResult<IEnumerable<$ENTITY>>|ActionResult<List<$ENTITY>>" $CTRL_FILES 2>/dev/null || true)
+    if [ -n "$BAD_RETURN" ]; then
+      echo "WARNING: Controller returns Domain entity '$ENTITY' instead of a DTO"
+      echo "$BAD_RETURN"
+      echo "Fix: Return ${ENTITY}ResponseDto instead of $ENTITY"
+    fi
+  done
+fi
+
+# POST-CHECK A5: Service interfaces in Application, implementations in Infrastructure (WARNING)
+APP_SERVICES=$(find src/ -path "*/Application/*" -name "*Service.cs" ! -name "I*Service.cs" 2>/dev/null)
+if [ -n "$APP_SERVICES" ]; then
+  for f in $APP_SERVICES; do
+    if grep -q 'public class.*Service' "$f" 2>/dev/null; then
+      echo "WARNING: Service implementation found in Application layer: $f"
+      echo "Fix: Move implementation to Infrastructure/Services/. Application should only contain interfaces."
+    fi
+  done
+fi
+
+DOMAIN_INTERFACES=$(find src/ -path "*/Domain/*" -name "I*Service.cs" 2>/dev/null)
+API_INTERFACES=$(find src/ -path "*/Api/*" -name "I*Service.cs" 2>/dev/null)
+for f in $DOMAIN_INTERFACES $API_INTERFACES; do
+  if [ -n "$f" ] && grep -q 'public interface.*Service' "$f" 2>/dev/null; then
+    echo "WARNING: Service interface found outside Application layer: $f"
+    echo "Fix: Move to Application/Interfaces/"
+  fi
+done
+
+# POST-CHECK A6: No EF Core attributes in Domain entities (BLOCKING)
+DOMAIN_FILES=$(find src/ -path "*/Domain/*" -name "*.cs" 2>/dev/null)
+if [ -n "$DOMAIN_FILES" ]; then
+  BAD_EF=$(grep -Pn '\[Table\(|\[Column\(|\[Index\(|using\s+Microsoft\.EntityFrameworkCore' $DOMAIN_FILES 2>/dev/null || true)
+  if [ -n "$BAD_EF" ]; then
+    echo "BLOCKING: EF Core attributes or using directives found in Domain layer"
+    echo "Domain entities must be persistence-ignorant — EF configuration belongs in Infrastructure"
+    echo "$BAD_EF"
+    echo "Fix: Move [Table], [Column], [Index] to IEntityTypeConfiguration<T> in Infrastructure/Persistence/Configurations/"
+    FAIL=true
+  fi
+fi
+
+# POST-CHECK A7: No direct repository usage in controllers (WARNING)
+CTRL_FILES=$(find src/ -path "*/Controllers/*" -name "*Controller.cs" 2>/dev/null)
+if [ -n "$CTRL_FILES" ]; then
+  BAD_REPO=$(grep -Pn 'IRepository<|IGenericRepository<|private\s+readonly\s+IRepository|private\s+readonly\s+IGenericRepository' $CTRL_FILES 2>/dev/null || true)
+  if [ -n "$BAD_REPO" ]; then
+    echo "WARNING: Controller injects repository directly — should use Application services"
+    echo "$BAD_REPO"
+    echo "Fix: Controllers should depend on Application services (I*Service), not repositories"
+  fi
+fi
+
+# POST-CHECK A8: API endpoints must match handoff apiEndpointSummary (BLOCKING)
+PRD_FILE=".ralph/prd.json"
+if [ ! -f "$PRD_FILE" ]; then
+  if [ -f ".ralph/modules-queue.json" ]; then
+    PRD_FILE=$(cat .ralph/modules-queue.json | grep -o '"prdFile":"[^"]*"' | tail -1 | cut -d'"' -f4)
+  fi
+fi
+
+if [ -f "$PRD_FILE" ]; then
+  OPERATIONS=$(cat "$PRD_FILE" | grep -o '"operation"\s*:\s*"[^"]*"' | cut -d'"' -f4 2>/dev/null || true)
+
+  if [ -n "$OPERATIONS" ]; then
+    CTRL_FILES=$(find src/ -path "*/Controllers/*" -name "*Controller.cs" 2>/dev/null)
+    MISSING_OPS=""
+    TOTAL_OPS=0
+    FOUND_OPS=0
+
+    for op in $OPERATIONS; do
+      TOTAL_OPS=$((TOTAL_OPS + 1))
+      FOUND=false
+      if [ -n "$CTRL_FILES" ]; then
+        for f in $CTRL_FILES; do
+          if grep -q "$op" "$f" 2>/dev/null; then
+            FOUND=true
+            break
+          fi
+        done
+      fi
+      if [ "$FOUND" = true ]; then
+        FOUND_OPS=$((FOUND_OPS + 1))
+      else
+        MISSING_OPS="$MISSING_OPS $op"
+      fi
+    done
+
+    if [ -n "$MISSING_OPS" ]; then
+      echo "BLOCKING: API endpoints missing from controllers (handoff contract violation)"
+      echo "Found: $FOUND_OPS/$TOTAL_OPS operations"
+      echo "Missing operations:$MISSING_OPS"
+      echo "Fix: Implement missing endpoints in the appropriate Controller"
+      FAIL=true
+    fi
+  fi
+fi
+
+if [ "$FAIL" = true ]; then
+  exit 1
+fi