@atlashub/smartstack-cli 4.32.0 → 4.34.0

package/templates/skills/apex/SKILL.md

@@ -91,14 +91,19 @@ Execute incremental SmartStack development using the APEX methodology. This skil
 </entry_point>
 
 <step_files>
-**Progressive loading - only load current step:**
+**Progressive loading — only load current step. Step 03 dispatches to layer sub-steps.**
 
 | Step | File | Model | Purpose |
 |------|------|-------|---------|
 | 00 | `steps/step-00-init.md` | Sonnet | Parse flags, detect application, verify MCP, define hierarchy (4 levels), scope validation |
 | 01 | `steps/step-01-analyze.md` | Opus | Explore existing code (parallel Agent tool or sequential) |
 | 02 | `steps/step-02-plan.md` | Opus | Layer-by-layer plan with skill/MCP mapping |
-| 03 | `steps/step-03-execute.md` | Opus | Orchestrate execution via skills and MCP |
+| 03 | `steps/step-03-execute.md` | Opus | **Orchestrator** — dispatches to layer sub-steps below |
+| 03a | `steps/step-03a-layer0-domain.md` | Opus | Layer 0: Domain entities, EF configs, migration |
+| 03b | `steps/step-03b-layer1-seed.md` | Opus | Layer 1: Seed data (navigation, permissions, roles) |
+| 03c | `steps/step-03c-layer2-backend.md` | Opus | Layer 2: Services, controllers, backend tests |
+| 03d | `steps/step-03d-layer3-frontend.md` | Opus | Layer 3: Pages, i18n, routes, frontend tests |
+| 03e | `steps/step-03e-layer4-devdata.md` | Opus | Layer 4: Development test data (optional) |
 | 04 | `steps/step-04-examine.md` | Opus | eXamine: MCP validation, build, POST-CHECKs, acceptance criteria |
 | 05 | `steps/step-05-deep-review.md` | Opus | Deep Review: adversarial code review (if -x) |
 | 06 | `steps/step-06-resolve.md` | Opus | Fix BLOCKING findings (if any) |
@@ -126,15 +131,16 @@ Execute incremental SmartStack development using the APEX methodology. This skil
 
 | File | Purpose | Loaded by | Stays in context for |
 |------|---------|-----------|---------------------|
-| `references/smartstack-api.md` | BaseEntity, interfaces, entity/config/controller patterns | step-01 | step-03 L0-L2 (released after L2) |
-| `references/smartstack-layers.md` | Layer rules, skill/MCP mapping, planning templates, delegate fast path | step-02 | step-03 L0-L2 (released after L2) |
-| `references/core-seed-data.md` | Comprehensive seed data templates (navigation, permissions, roles) | step-03 Layer 1 | released after Layer 1 |
-| `references/smartstack-frontend.md` | Frontend patterns, EntityLookup, i18n (sections 1-6) | step-03 Layer 3 (deferred) | step-04 |
-| `references/smartstack-frontend-compliance.md` | Documentation, form testing, compliance gates (sections 7-9) | step-03 Layer 3 (deferred) | step-04 |
+| `references/smartstack-api.md` | BaseEntity, interfaces, entity/config/controller patterns | step-01 | step-03a/03b/03c (released after L2) |
+| `references/smartstack-layers.md` | Layer rules, skill/MCP mapping, planning templates, delegate fast path | step-02 | step-03a/03b/03c (released after L2) |
+| `references/core-seed-data.md` | Comprehensive seed data templates (navigation, permissions, roles) | step-03b (Layer 1) | released after Layer 1 |
+| `references/smartstack-frontend.md` | Frontend patterns, EntityLookup, i18n (sections 1-6) | step-03d (Layer 3, deferred) | step-04 |
+| `references/smartstack-frontend-compliance.md` | Documentation, form testing, compliance gates (sections 7-9) | step-03d (Layer 3, deferred) | step-04 |
 | `references/challenge-questions.md` | Hierarchy rules, challenge questions, delegate mode skip | step-00 | — |
 | `references/error-classification.md` | Build error diagnosis categories A-F | step-03 (build failure), step-04 | — |
-| `references/parallel-execution.md` | Agent tool launch patterns, task coordination, decision matrix | step-01, step-03 (if NOT economy_mode) | — |
-| `references/post-checks.md` | Security + convention + architecture bash checks (MCP tools run first) | step-04 | — |
+| `references/parallel-execution.md` | Agent tool launch patterns, task coordination, decision matrix | step-01, step-03c/03d (if NOT economy_mode) | — |
+| `references/post-checks.md` | Compact checklist — indexes checks in `references/checks/*.sh` | step-04 | — |
+| `references/checks/*.sh` | Bash check scripts (security, backend, frontend, seed, architecture, infrastructure) | step-04 (executed via bash) | — |
 
 **Context propagation rule:** Files loaded in step N remain in conversation context for step N+1. Steps mark "do NOT re-read" to avoid duplicate reads.
 </reference_files>
@@ -148,7 +154,7 @@ Execute incremental SmartStack development using the APEX methodology. This skil
 - **Layer order** - Layer 0 (domain+infra+migration) → Layer 1 (seed data) → Layer 2 (backend+tests) → Layer 3 (frontend+tests) → Layer 4 (devdata)
 - **Parallel Agent tool** - Parallel execution for scan (step-01) and within Layer 2/3 (step-03) for multi-entity, unless economy_mode
 - **Tests inline** - Backend tests run after Layer 2, frontend tests run after Layer 3 (max 3 fix iterations each). Step-07 = final sweep (security + coverage).
-- **Exception: seed data** — The templates in core-seed-data.md and person-extension-pattern.md are generated directly because no MCP tool covers seed data creation. This is a documented exception to the "orchestrate, never generate" rule.
+- **Exception: seed data** — The templates in core-seed-data.md and person-extension-pattern.md are generated directly because no MCP tool covers seed data creation yet. This is a documented exception to the "orchestrate, never generate" rule. <!-- TODO: Remove exception when MCP scaffold_seed_data (B1) is ready -->
 - **Frontend pages: ALWAYS via Skill("ui-components")** — economy_mode affects parallelization only, NOT whether /ui-components is called. NEVER generate .tsx pages directly, even in delegate or economy mode.
 - **Save outputs** if `{save_mode}` = true
 - **Commits per layer** - Atomic commits after each execution layer

package/templates/skills/apex/_shared.md

@@ -156,7 +156,7 @@ Write back to {delegate_prd_path}
 | `scaffold_extension` | Create files manually following `smartstack-api.md` entity/service/controller patterns |
 | `suggest_migration` | Name format: `{context}_v{version}_{sequence}_{Description}` (see existing migrations for version) |
 | `generate_permissions` | Write `HasData()` code manually following `core-seed-data.md` permission section |
-| `scaffold_routes` | Create `applicationRoutes` array manually following `smartstack-frontend.md` §1 |
+| `scaffold_routes` | Create `componentRegistry.generated.ts` with `PageRegistry.register()` calls manually following `smartstack-frontend.md` §1 (or legacy `applicationRoutes` array for pre-v3.7 projects) |
 | `validate_frontend_routes` | Run POST-CHECK bash scripts from `post-checks.md` |
 | `validate_security` | Run security POST-CHECKs S1-S6 from `post-checks.md` |
 | `check_migrations` | Run `dotnet ef migrations has-pending-model-changes` manually |

package/templates/skills/apex/references/checks/architecture-checks.sh

@@ -0,0 +1,154 @@
+#!/bin/bash
+set -euo pipefail
+
+# POST-CHECK: Architecture — Clean Architecture Layer Isolation
+# A1-A8: Layer boundary enforcement, DTO usage, handoff compliance
+
+FAIL=false
+
+# POST-CHECK A1: Domain must not import other layers (BLOCKING)
+DOMAIN_FILES=$(find src/ -path "*/Domain/*" -name "*.cs" 2>/dev/null)
+if [ -n "$DOMAIN_FILES" ]; then
+  BAD_IMPORTS=$(grep -Pn 'using\s+[\w.]*\.(Application|Infrastructure|Api)[\w.]*;' $DOMAIN_FILES 2>/dev/null || true)
+  if [ -n "$BAD_IMPORTS" ]; then
+    echo "BLOCKING: Domain layer imports Application/Infrastructure/Api — violates Clean Architecture"
+    echo "Domain is the core, it must not depend on any other layer"
+    echo "$BAD_IMPORTS"
+    echo "Fix: Move shared types to Domain or remove the dependency"
+    FAIL=true
+  fi
+fi
+
+# POST-CHECK A2: Application must not import Infrastructure or Api (BLOCKING)
+APP_FILES=$(find src/ -path "*/Application/*" -name "*.cs" 2>/dev/null)
+if [ -n "$APP_FILES" ]; then
+  BAD_IMPORTS=$(grep -Pn 'using\s+[\w.]*\.(Infrastructure|Api)[\w.]*;' $APP_FILES 2>/dev/null || true)
+  if [ -n "$BAD_IMPORTS" ]; then
+    echo "BLOCKING: Application layer imports Infrastructure/Api — violates Clean Architecture"
+    echo "Application defines interfaces, Infrastructure implements them"
+    echo "$BAD_IMPORTS"
+    echo "Fix: Define an interface in Application and implement it in Infrastructure"
+    FAIL=true
+  fi
+fi
+
+# POST-CHECK A3: Controllers must not inject DbContext (BLOCKING)
+CTRL_FILES=$(find src/ -path "*/Controllers/*" -name "*Controller.cs" 2>/dev/null)
+if [ -n "$CTRL_FILES" ]; then
+  BAD_DBCONTEXT=$(grep -Pn 'private\s+readonly\s+\w*DbContext|DbContext\s+\w+[,)]' $CTRL_FILES 2>/dev/null || true)
+  if [ -n "$BAD_DBCONTEXT" ]; then
+    echo "BLOCKING: Controller injects DbContext directly — violates Clean Architecture"
+    echo "Controllers must use Application services, not access the database directly"
+    echo "$BAD_DBCONTEXT"
+    echo "Fix: Create an Application service with the required business logic and inject it instead"
+    FAIL=true
+  fi
+fi
+
+# POST-CHECK A4: API must return DTOs, not Domain entities (WARNING)
+CTRL_FILES=$(find src/ -path "*/Controllers/*" -name "*Controller.cs" 2>/dev/null)
+ENTITY_FILES=$(find src/ -path "*/Domain/Entities/*" -name "*.cs" 2>/dev/null)
+if [ -n "$CTRL_FILES" ] && [ -n "$ENTITY_FILES" ]; then
+  ENTITY_NAMES=$(grep -ohP 'public\s+class\s+(\w+)\s*:' $ENTITY_FILES 2>/dev/null | grep -oP '\w+(?=\s*:)' | grep -v '^public$' | sort -u || true)
+  for ENTITY in $ENTITY_NAMES; do
+    BAD_RETURN=$(grep -Pn "ActionResult<$ENTITY>|ActionResult<IEnumerable<$ENTITY>>|ActionResult<List<$ENTITY>>" $CTRL_FILES 2>/dev/null || true)
+    if [ -n "$BAD_RETURN" ]; then
+      echo "WARNING: Controller returns Domain entity '$ENTITY' instead of a DTO"
+      echo "$BAD_RETURN"
+      echo "Fix: Return ${ENTITY}ResponseDto instead of $ENTITY"
+    fi
+  done
+fi
+
+# POST-CHECK A5: Service interfaces in Application, implementations in Infrastructure (WARNING)
+APP_SERVICES=$(find src/ -path "*/Application/*" -name "*Service.cs" ! -name "I*Service.cs" 2>/dev/null)
+if [ -n "$APP_SERVICES" ]; then
+  for f in $APP_SERVICES; do
+    if grep -q 'public class.*Service' "$f" 2>/dev/null; then
+      echo "WARNING: Service implementation found in Application layer: $f"
+      echo "Fix: Move implementation to Infrastructure/Services/. Application should only contain interfaces."
+    fi
+  done
+fi
+
+DOMAIN_INTERFACES=$(find src/ -path "*/Domain/*" -name "I*Service.cs" 2>/dev/null)
+API_INTERFACES=$(find src/ -path "*/Api/*" -name "I*Service.cs" 2>/dev/null)
+for f in $DOMAIN_INTERFACES $API_INTERFACES; do
+  if [ -n "$f" ] && grep -q 'public interface.*Service' "$f" 2>/dev/null; then
+    echo "WARNING: Service interface found outside Application layer: $f"
+    echo "Fix: Move to Application/Interfaces/"
+  fi
+done
+
+# POST-CHECK A6: No EF Core attributes in Domain entities (BLOCKING)
+DOMAIN_FILES=$(find src/ -path "*/Domain/*" -name "*.cs" 2>/dev/null)
+if [ -n "$DOMAIN_FILES" ]; then
+  BAD_EF=$(grep -Pn '\[Table\(|\[Column\(|\[Index\(|using\s+Microsoft\.EntityFrameworkCore' $DOMAIN_FILES 2>/dev/null || true)
+  if [ -n "$BAD_EF" ]; then
+    echo "BLOCKING: EF Core attributes or using directives found in Domain layer"
+    echo "Domain entities must be persistence-ignorant — EF configuration belongs in Infrastructure"
+    echo "$BAD_EF"
+    echo "Fix: Move [Table], [Column], [Index] to IEntityTypeConfiguration<T> in Infrastructure/Persistence/Configurations/"
+    FAIL=true
+  fi
+fi
+
+# POST-CHECK A7: No direct repository usage in controllers (WARNING)
+CTRL_FILES=$(find src/ -path "*/Controllers/*" -name "*Controller.cs" 2>/dev/null)
+if [ -n "$CTRL_FILES" ]; then
+  BAD_REPO=$(grep -Pn 'IRepository<|IGenericRepository<|private\s+readonly\s+IRepository|private\s+readonly\s+IGenericRepository' $CTRL_FILES 2>/dev/null || true)
+  if [ -n "$BAD_REPO" ]; then
+    echo "WARNING: Controller injects repository directly — should use Application services"
+    echo "$BAD_REPO"
+    echo "Fix: Controllers should depend on Application services (I*Service), not repositories"
+  fi
+fi
+
+# POST-CHECK A8: API endpoints must match handoff apiEndpointSummary (BLOCKING)
+PRD_FILE=".ralph/prd.json"
+if [ ! -f "$PRD_FILE" ]; then
+  if [ -f ".ralph/modules-queue.json" ]; then
+    PRD_FILE=$(cat .ralph/modules-queue.json | grep -o '"prdFile":"[^"]*"' | tail -1 | cut -d'"' -f4)
+  fi
+fi
+
+if [ -f "$PRD_FILE" ]; then
+  OPERATIONS=$(cat "$PRD_FILE" | grep -o '"operation"\s*:\s*"[^"]*"' | cut -d'"' -f4 2>/dev/null || true)
+
+  if [ -n "$OPERATIONS" ]; then
+    CTRL_FILES=$(find src/ -path "*/Controllers/*" -name "*Controller.cs" 2>/dev/null)
+    MISSING_OPS=""
+    TOTAL_OPS=0
+    FOUND_OPS=0
+
+    for op in $OPERATIONS; do
+      TOTAL_OPS=$((TOTAL_OPS + 1))
+      FOUND=false
+      if [ -n "$CTRL_FILES" ]; then
+        for f in $CTRL_FILES; do
+          if grep -q "$op" "$f" 2>/dev/null; then
+            FOUND=true
+            break
+          fi
+        done
+      fi
+      if [ "$FOUND" = true ]; then
+        FOUND_OPS=$((FOUND_OPS + 1))
+      else
+        MISSING_OPS="$MISSING_OPS $op"
+      fi
+    done
+
+    if [ -n "$MISSING_OPS" ]; then
+      echo "BLOCKING: API endpoints missing from controllers (handoff contract violation)"
+      echo "Found: $FOUND_OPS/$TOTAL_OPS operations"
+      echo "Missing operations:$MISSING_OPS"
+      echo "Fix: Implement missing endpoints in the appropriate Controller"
+      FAIL=true
+    fi
+  fi
+fi
+
+if [ "$FAIL" = true ]; then
+  exit 1
+fi

package/templates/skills/apex/references/checks/backend-checks.sh

@@ -0,0 +1,194 @@
+#!/bin/bash
+set -euo pipefail
+
+# POST-CHECK: Backend — Entity, Service & Controller Checks
+# V1-V2, C8, C12, C14, C28-C31, C54: Entity validation, API contracts, pagination, code generation
+
+FAIL=false
+
+# POST-CHECK V1: Controllers with POST/PUT must have corresponding Validators (BLOCKING)
+CTRL_FILES=$(find src/ -path "*/Controllers/*" -name "*Controller.cs" 2>/dev/null)
+if [ -n "$CTRL_FILES" ]; then
+  for f in $CTRL_FILES; do
+    HAS_WRITE=$(grep -cE "\[Http(Post|Put)\]" "$f")
+    if [ "$HAS_WRITE" -gt 0 ]; then
+      DTOS=$(grep -oP '(?:Create|Update)\w+Dto' "$f" | sort -u)
+      for DTO in $DTOS; do
+        VALIDATOR_NAME=$(echo "$DTO" | sed 's/Dto$/Validator/')
+        VALIDATOR_FILE=$(find src/ -path "*/Validators/*" -name "${VALIDATOR_NAME}.cs" 2>/dev/null)
+        if [ -z "$VALIDATOR_FILE" ]; then
+          echo "BLOCKING: Controller $f uses $DTO but no ${VALIDATOR_NAME}.cs found"
+          echo "Fix: Create Validator with FluentValidation rules from business rules"
+          FAIL=true
+        fi
+      done
+    fi
+  done
+fi
+
+# POST-CHECK V2: Validators must be registered in DI (WARNING)
+VALIDATOR_FILES=$(find src/ -path "*/Validators/*" -name "*Validator.cs" 2>/dev/null)
+if [ -n "$VALIDATOR_FILES" ]; then
+  DI_FILE=$(find src/ -name "DependencyInjection.cs" -o -name "ServiceCollectionExtensions.cs" 2>/dev/null | head -1)
+  if [ -n "$DI_FILE" ]; then
+    for f in $VALIDATOR_FILES; do
+      VALIDATOR_NAME=$(basename "$f" .cs)
+      if ! grep -q "$VALIDATOR_NAME" "$DI_FILE"; then
+        echo "WARNING: Validator $VALIDATOR_NAME not registered in DI: $DI_FILE"
+      fi
+    done
+  fi
+fi
+
+# POST-CHECK C8: Backend APIs must support search parameter for EntityLookup (BLOCKING)
+CTRL_FILES=$(find src/ -path "*/Controllers/*" -name "*Controller.cs" 2>/dev/null)
+if [ -n "$CTRL_FILES" ]; then
+  for f in $CTRL_FILES; do
+    if grep -q "\[HttpGet\]" "$f" && grep -q "GetAll" "$f"; then
+      if ! grep -q "search" "$f"; then
+        echo "BLOCKING: Controller missing search parameter on GetAll: $f"
+        echo "GetAll endpoints must accept ?search= to enable EntityLookup on frontend"
+        echo "Fix: Add [FromQuery] string? search parameter to GetAll action"
+        FAIL=true
+      fi
+    fi
+  done
+fi
+
+WEB_DIR=$(find . -name "vitest.config.ts" -o -name "vite.config.ts" 2>/dev/null | head -1 | xargs dirname 2>/dev/null)
+if [ -n "$WEB_DIR" ]; then
+  LOOKUP_FILES=$(grep -rl "EntityLookup" "$WEB_DIR/src/pages/" "$WEB_DIR/src/components/" 2>/dev/null | grep -v node_modules | grep -v "\.test\." || true)
+  if [ -n "$LOOKUP_FILES" ]; then
+    for f in $LOOKUP_FILES; do
+      ENDPOINTS=$(grep -oP "apiEndpoint=['\"]([^'\"]+)['\"]" "$f" 2>/dev/null | grep -oP "['\"]([^'\"]+)['\"]" | tr -d "'" | tr -d '"' || true)
+      for ep in $ENDPOINTS; do
+        ENTITY=$(echo "$ep" | sed 's|.*/||' | sed 's/.*/\u&/')
+        CTRL=$(find src/ -path "*/Controllers/*${ENTITY}*Controller.cs" 2>/dev/null | head -1)
+        if [ -n "$CTRL" ] && ! grep -q "search" "$CTRL"; then
+          echo "BLOCKING: EntityLookup in $f calls $ep, but controller $CTRL does not support ?search="
+          echo "Fix: Add [FromQuery] string? search parameter to GetAll in $CTRL"
+          FAIL=true
+        fi
+      done
+    done
+  fi
+fi
+
+# POST-CHECK C12: GetAll methods must return PaginatedResult<T>
+SERVICE_FILES=$(find src/ -path "*/Services/*" -name "*Service.cs" ! -name "I*Service.cs" 2>/dev/null)
+if [ -n "$SERVICE_FILES" ]; then
+  BAD_RETURNS=$(grep -Pn '(Task<\s*(?:List|IEnumerable|IList|ICollection|IReadOnlyList|IReadOnlyCollection)<).*GetAll' $SERVICE_FILES 2>/dev/null)
+  if [ -n "$BAD_RETURNS" ]; then
+    echo "WARNING: GetAll methods must return PaginatedResult<T>, not List/IEnumerable"
+    echo "$BAD_RETURNS"
+    echo "Fix: Change return type to Task<PaginatedResult<{Entity}ResponseDto>>"
+  fi
+fi
+
+# POST-CHECK C14: Entities must implement IAuditableEntity + Validators must have Create/Update pairs
+ENTITY_FILES=$(find src/ -path "*/Domain/Entities/*" -name "*.cs" 2>/dev/null)
+if [ -n "$ENTITY_FILES" ]; then
+  for f in $ENTITY_FILES; do
+    if grep -q "ITenantEntity" "$f" && ! grep -q "IAuditableEntity" "$f"; then
+      echo "WARNING: Entity implements ITenantEntity but NOT IAuditableEntity: $f"
+      echo "Pattern: public class Entity : BaseEntity, ITenantEntity, IAuditableEntity"
+    fi
+  done
+fi
+
+CREATE_VALIDATORS=$(find src/ -path "*/Validators/*" -name "Create*Validator.cs" 2>/dev/null)
+if [ -n "$CREATE_VALIDATORS" ]; then
+  for f in $CREATE_VALIDATORS; do
+    VALIDATOR_DIR=$(dirname "$f")
+    ENTITY_NAME=$(basename "$f" | sed 's/^Create\(.*\)Validator\.cs$/\1/')
+    if [ ! -f "$VALIDATOR_DIR/Update${ENTITY_NAME}Validator.cs" ]; then
+      echo "WARNING: Create${ENTITY_NAME}Validator exists but Update${ENTITY_NAME}Validator is missing"
+      echo "  Found: $f"
+      echo "  Expected: $VALIDATOR_DIR/Update${ENTITY_NAME}Validator.cs"
+    fi
+  done
+fi
+
+# POST-CHECK C28: Pagination type must be PaginatedResult<T> — no aliases (WARNING)
+SERVICE_FILES=$(find src/ -path "*/Services/*" -name "*Service.cs" ! -name "I*Service.cs" 2>/dev/null)
+CTRL_FILES=$(find src/ -path "*/Controllers/*" -name "*Controller.cs" 2>/dev/null)
+ALL_FILES="$SERVICE_FILES $CTRL_FILES"
+if [ -n "$(echo $ALL_FILES | tr -d ' ')" ]; then
+  BAD_NAMES=$(grep -Pn 'PagedResult<|PaginatedResultDto<|PaginatedResponse<|PageResultDto<' $ALL_FILES 2>/dev/null || true)
+  if [ -n "$BAD_NAMES" ]; then
+    echo "WARNING: Pagination type must be PaginatedResult<T> — found non-canonical names"
+    echo "$BAD_NAMES"
+    echo "FORBIDDEN type names: PagedResult, PaginatedResultDto, PaginatedResponse, PageResultDto"
+    echo "Fix: Use PaginatedResult<T> from SmartStack.Application.Common.Models everywhere"
+  fi
+fi
+
+# POST-CHECK C29: Code generation — ICodeGenerator must be registered for auto-generated entities (BLOCKING)
+FEATURE_FILES=$(find docs/ -name "feature.json" 2>/dev/null)
+DI_FILE=$(find src/ -name "DependencyInjection.cs" -path "*/Infrastructure/*" 2>/dev/null | head -1)
+if [ -n "$FEATURE_FILES" ] && [ -n "$DI_FILE" ]; then
+  for FEATURE in $FEATURE_FILES; do
+    ENTITIES_WITH_CODE=$(python3 -c "
+import json, sys
+try:
+  with open('$FEATURE') as f:
+    data = json.load(f)
+  for e in data.get('analysis', {}).get('entities', []):
+    cp = e.get('codePattern', {})
+    if cp.get('strategy', 'manual') != 'manual':
+      print(e['name'])
+except: pass
+" 2>/dev/null || true)
+    for ENTITY in $ENTITIES_WITH_CODE; do
+      if ! grep -q "ICodeGenerator<$ENTITY>" "$DI_FILE" 2>/dev/null; then
+        echo "BLOCKING: Entity $ENTITY has auto-generated code pattern but ICodeGenerator<$ENTITY> is not registered in DI"
+        echo "Fix: Add CodeGenerator<$ENTITY> registration in DependencyInjection.cs — see references/code-generation.md"
+        FAIL=true
+      fi
+    done
+  done
+fi
+
+# POST-CHECK C30: Code regex must support hyphens (BLOCKING)
+VALIDATOR_FILES=$(find src/ -path "*/Validators/*" -name "*Validator.cs" 2>/dev/null)
+if [ -n "$VALIDATOR_FILES" ]; then
+  OLD_REGEX=$(grep -rn '\^\\[a-z0-9_\\]+\$' $VALIDATOR_FILES 2>/dev/null | grep -v '\-' || true)
+  if [ -n "$OLD_REGEX" ]; then
+    echo "BLOCKING: Code validator uses old regex without hyphen support"
+    echo "$OLD_REGEX"
+    echo "Fix: Update regex to ^[a-z0-9_-]+$ to support auto-generated codes with hyphens"
+    FAIL=true
+  fi
+fi
+
+# POST-CHECK C31: CreateDto must NOT have Code field when service uses ICodeGenerator (WARNING)
+SERVICE_FILES=$(find src/ -path "*/Services/*" -name "*Service.cs" ! -name "I*Service.cs" 2>/dev/null)
+if [ -n "$SERVICE_FILES" ]; then
+  for f in $SERVICE_FILES; do
+    if grep -q "ICodeGenerator" "$f"; then
+      ENTITY=$(basename "$f" | sed 's/Service\.cs$//')
+      DTO_FILE=$(find src/ -path "*/DTOs/*" -name "Create${ENTITY}Dto.cs" 2>/dev/null | head -1)
+      if [ -n "$DTO_FILE" ] && grep -q "public string Code" "$DTO_FILE"; then
+        echo "WARNING: Create${ENTITY}Dto has Code field but service uses ICodeGenerator (code is auto-generated)"
+        echo "Fix: Remove Code from Create${ENTITY}Dto — it is auto-generated by ICodeGenerator<${ENTITY}>"
+      fi
+    fi
+  done
+fi
+
+# POST-CHECK C54: No helper method calls inside .Select() on IQueryable (BLOCKING)
+SERVICE_FILES=$(find src/ -path "*/Services/*" -name "*Service.cs" ! -name "I*Service.cs" 2>/dev/null)
+if [ -n "$SERVICE_FILES" ]; then
+  BAD_SELECT=$(grep -Pn '\.Select\(\s*\w+\s*=>\s*(?!new\s)[A-Z]\w+\(|\.Select\(\s*(?!x\s*=>)[A-Z]\w+\s*\)' $SERVICE_FILES 2>/dev/null || true)
+  if [ -n "$BAD_SELECT" ]; then
+    echo "BLOCKING: Helper method call inside .Select() on IQueryable — EF Core cannot translate to SQL"
+    echo "$BAD_SELECT"
+    echo "Fix: Use inline DTO construction: .Select(x => new ResponseDto(x.Id, x.Name, x.FK.Code))"
+    echo "  Helper methods (MapToDto, ToDto) are only safe AFTER materialization (ToListAsync, FirstAsync)"
+    FAIL=true
+  fi
+fi
+
+if [ "$FAIL" = true ]; then
+  exit 1
+fi