@atlashub/smartstack-cli 4.35.0 → 4.37.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@atlashub/smartstack-cli",
-  "version": "4.35.0",
+  "version": "4.37.0",
   "description": "SmartStack Claude Code automation toolkit - GitFlow, EF Core migrations, prompts and more",
   "author": {
     "name": "SmartStack",

package/templates/agents/efcore/migration.md

@@ -114,6 +114,49 @@ rm Persistence/Migrations/*${OLD_NAME}*.cs
 
 > **Note:** `$MCP_NAME` is obtained via MCP call, never computed locally.
 
+## SQL Objects Post-Injection (MANDATORY after every migration creation)
+
+**This step is NON-OPTIONAL.** After EVERY `dotnet ef migrations add`, you MUST check for SQL objects and inject them into the generated migration. Skipping this step causes runtime 500 errors on ALL endpoints (TVFs like `fn_GetUserGroupHierarchy` won't exist in the database).
+
+```bash
+# Detect the generated migration file (the main .cs, not .Designer.cs)
+MIGRATION_FILE=$(find "$MIGRATIONS_DIR" -name "*${MCP_NAME}.cs" ! -name "*.Designer.cs" | head -1)
+SQL_OBJECTS_DIR="$INFRA_PROJECT_DIR/Persistence/SqlObjects"
+SQL_FILES=$(find "$SQL_OBJECTS_DIR" -name "*.sql" 2>/dev/null | wc -l)
+
+if [ "$SQL_FILES" -gt 0 ]; then
+  echo "Found $SQL_FILES SQL object(s) — injecting SqlObjectHelper.ApplyAll()..."
+
+  # Add using directive if not present
+  if ! grep -q "using SmartStack.Infrastructure.Persistence.SqlObjects;" "$MIGRATION_FILE"; then
+    sed -i '1s/^/using SmartStack.Infrastructure.Persistence.SqlObjects;\n/' "$MIGRATION_FILE"
+  fi
+
+  # Add SqlObjectHelper.ApplyAll at the end of Up() method
+  # Use Edit tool to insert before the closing brace of Up()
+  # Target: the last "        }" before "protected override void Down"
+  sed -i '/protected override void Down/i\
+\            // Apply SQL objects (TVF, Views, SP) from embedded resources\
+\            SqlObjectHelper.ApplyAll(migrationBuilder);' "$MIGRATION_FILE"
+
+  # VERIFY injection succeeded — FAIL if not
+  if ! grep -q "SqlObjectHelper.ApplyAll" "$MIGRATION_FILE"; then
+    echo "ERROR: Auto-injection failed. Use Edit tool to manually add:"
+    echo "  1. Add 'using SmartStack.Infrastructure.Persistence.SqlObjects;' at top"
+    echo "  2. Add 'SqlObjectHelper.ApplyAll(migrationBuilder);' at end of Up() method"
+    echo "  File: $MIGRATION_FILE"
+    # DO NOT CONTINUE — fix this before proceeding
+  else
+    echo "  SqlObjectHelper.ApplyAll(migrationBuilder) injected successfully"
+    find "$SQL_OBJECTS_DIR" -name "*.sql" -exec basename {} \; | while read f; do echo "  - $f"; done
+  fi
+else
+  echo "No SQL objects found in SqlObjects/ — skipping injection"
+fi
+```
+
+> **CRITICAL:** If the bash `sed` injection fails (indentation mismatch), use the **Edit tool** to manually insert the lines. NEVER skip this step — it causes cascading 500 errors at runtime.
+
 ## Context Detection
 
 If unable to auto-detect:

package/templates/agents/efcore/rebase-snapshot.md

@@ -70,6 +70,42 @@ mcp__smartstack__suggest_migration({ description: "...", context: DBCONTEXT_TYPE
 
 dotnet ef migrations add "$MIGRATION_NAME" --context "$DBCONTEXT"
 
+# ═══════════════════════════════════════════════════════════════════════════
+# MANDATORY: SQL Objects Post-Injection
+# Without this, TVFs (fn_GetUserGroupHierarchy etc.) won't exist in DB
+# and ALL endpoints will return 500 at runtime
+# ═══════════════════════════════════════════════════════════════════════════
+MIGRATION_FILE=$(find Migrations -name "*${MIGRATION_NAME}.cs" ! -name "*.Designer.cs" | head -1)
+SQL_OBJECTS_DIR="$INFRA_PROJECT_DIR/Persistence/SqlObjects"
+SQL_FILES=$(find "$SQL_OBJECTS_DIR" -name "*.sql" 2>/dev/null | wc -l)
+
+if [ "$SQL_FILES" -gt 0 ]; then
+  echo "Found $SQL_FILES SQL object(s) — injecting SqlObjectHelper.ApplyAll()..."
+
+  # Add using directive if not present
+  if ! grep -q "using SmartStack.Infrastructure.Persistence.SqlObjects;" "$MIGRATION_FILE"; then
+    sed -i '1s/^/using SmartStack.Infrastructure.Persistence.SqlObjects;\n/' "$MIGRATION_FILE"
+  fi
+
+  # Inject SqlObjectHelper.ApplyAll before Down() method
+  sed -i '/protected override void Down/i\
+\            // Apply SQL objects (TVF, Views, SP) from embedded resources\
+\            SqlObjectHelper.ApplyAll(migrationBuilder);' "$MIGRATION_FILE"
+
+  # VERIFY — FAIL if injection didn't work
+  if ! grep -q "SqlObjectHelper.ApplyAll" "$MIGRATION_FILE"; then
+    echo "ERROR: Auto-injection failed. Use Edit tool to manually add:"
+    echo "  1. 'using SmartStack.Infrastructure.Persistence.SqlObjects;' at top"
+    echo "  2. 'SqlObjectHelper.ApplyAll(migrationBuilder);' at end of Up()"
+    echo "  File: $MIGRATION_FILE"
+  else
+    echo "  SqlObjectHelper.ApplyAll(migrationBuilder) injected"
+    find "$SQL_OBJECTS_DIR" -name "*.sql" -exec basename {} \; | while read f; do echo "  - $f"; done
+  fi
+else
+  echo "No SQL objects found — skipping injection"
+fi
+
 # Validate
 dotnet build
 ```

package/templates/agents/efcore/squash.md

@@ -100,6 +100,42 @@ mcp__smartstack__suggest_migration({ description: "...", context: DBCONTEXT_TYPE
 
 dotnet ef migrations add "$MIGRATION_NAME_FROM_MCP" --context "$DBCONTEXT"
 
+# ═══════════════════════════════════════════════════════════════════════════
+# MANDATORY: SQL Objects Post-Injection
+# Without this, TVFs (fn_GetUserGroupHierarchy etc.) won't exist in DB
+# and ALL endpoints will return 500 at runtime
+# ═══════════════════════════════════════════════════════════════════════════
+MIGRATION_FILE=$(find Migrations -name "*${MIGRATION_NAME_FROM_MCP}.cs" ! -name "*.Designer.cs" | head -1)
+SQL_OBJECTS_DIR="$INFRA_PROJECT_DIR/Persistence/SqlObjects"
+SQL_FILES=$(find "$SQL_OBJECTS_DIR" -name "*.sql" 2>/dev/null | wc -l)
+
+if [ "$SQL_FILES" -gt 0 ]; then
+  echo "Found $SQL_FILES SQL object(s) — injecting SqlObjectHelper.ApplyAll()..."
+
+  # Add using directive if not present
+  if ! grep -q "using SmartStack.Infrastructure.Persistence.SqlObjects;" "$MIGRATION_FILE"; then
+    sed -i '1s/^/using SmartStack.Infrastructure.Persistence.SqlObjects;\n/' "$MIGRATION_FILE"
+  fi
+
+  # Inject SqlObjectHelper.ApplyAll before Down() method
+  sed -i '/protected override void Down/i\
+\            // Apply SQL objects (TVF, Views, SP) from embedded resources\
+\            SqlObjectHelper.ApplyAll(migrationBuilder);' "$MIGRATION_FILE"
+
+  # VERIFY — FAIL if injection didn't work
+  if ! grep -q "SqlObjectHelper.ApplyAll" "$MIGRATION_FILE"; then
+    echo "ERROR: Auto-injection failed. Use Edit tool to manually add:"
+    echo "  1. 'using SmartStack.Infrastructure.Persistence.SqlObjects;' at top"
+    echo "  2. 'SqlObjectHelper.ApplyAll(migrationBuilder);' at end of Up()"
+    echo "  File: $MIGRATION_FILE"
+  else
+    echo "  SqlObjectHelper.ApplyAll(migrationBuilder) injected"
+    find "$SQL_OBJECTS_DIR" -name "*.sql" -exec basename {} \; | while read f; do echo "  - $f"; done
+  fi
+else
+  echo "No SQL objects found — skipping injection"
+fi
+
 # Validate
 dotnet build && dotnet ef migrations script --idempotent > /dev/null
 ```

package/templates/skills/apex/references/checks/seed-checks.sh

@@ -249,7 +249,7 @@ if [ -n "$PROVIDER" ]; then
     echo "CRITICAL: Translation seed data inserts without idempotency guard in $PROVIDER"
     echo "Fix: Before each NavigationTranslations.Add block, check existence:"
     echo "  if (!await context.NavigationTranslations.AnyAsync("
-    echo "      t => t.EntityId == {Module}NavigationSeedData.{Module}ModuleId"
+    echo "      t => t.EntityId == mod1Entity.Id  // actual DB ID, NOT seed-time GUID"
     echo "           && t.EntityType == NavigationEntityType.Module, ct))"
     echo "  { foreach (var t in ...) { context.NavigationTranslations.Add(...); } }"
     echo "The unique index IX_nav_Translations_EntityType_EntityId_LanguageCode will crash on duplicates."

package/templates/skills/apex/references/core-seed-data.md

@@ -109,6 +109,7 @@ public static class NavigationApplicationSeedData
         return new NavigationApplicationSeedEntry
         {
             Id = ApplicationId,
+            Zone = ApplicationZone.Business,
             Code = "{appCode}",
             Label = "{appLabel_en}",
             Description = "{appDesc_en}",
@@ -198,6 +199,7 @@ public static class NavigationApplicationSeedData
 public class NavigationApplicationSeedEntry
 {
     public Guid Id { get; init; }
+    public ApplicationZone Zone { get; init; }
     public string Code { get; init; } = null!;
     public string Label { get; init; } = null!;
     public string? Description { get; init; }
@@ -1007,11 +1009,12 @@ public class RolePermissionSeedEntry
 
 | Rule | Description |
 |------|-------------|
-| Factory methods | `NavigationModule.Create(...)`, `Role.Create(...)`, `Permission.CreateForModule(...)`, `RolePermission.Create(...)` — do not use `new Entity()` |
+| Factory methods | `NavigationApplication.Create(zone, ...)`, `Role.Create(name, shortName, category, ...)`, `Permission.CreateForModule(...)` — NEVER `new Entity()` |
 | Idempotence | Each Seed method checks existence before inserting |
 | Execution order | Navigation → Roles → Permissions → RolePermissions (roles MUST exist before mapping) |
 | SaveChanges per group | Navigation -> save -> Roles -> save -> Permissions -> save -> RolePermissions -> save |
-| FK resolution by Code | Parent entities (modules, roles) found by `Code`, not hardcoded GUID |
+| FK resolution by Code | Parent entities (applications, modules, roles) found by `Code` from DB, not seed-time GUID |
+| Translation EntityId | ALWAYS use actual DB ID (`app.Id`, `mod1Entity.Id`, `actualSection.Id`), NEVER seed-time GUID from SeedData classes |
 | DI registration | `services.AddScoped<IClientSeedDataProvider, {AppPascalName}SeedDataProvider>()` |
 
 ### Template
@@ -1054,7 +1057,7 @@ public class {AppPascalName}SeedDataProvider : IClientSeedDataProvider
         else
         {
             app = NavigationApplication.Create(
-                appEntry.Code, appEntry.Label,
+                appEntry.Zone, appEntry.Code, appEntry.Label,
                 appEntry.Description, appEntry.Icon, appEntry.IconType,
                 appEntry.Route, appEntry.DisplayOrder);
             context.NavigationApplications.Add(app);
@@ -1064,7 +1067,7 @@ public class {AppPascalName}SeedDataProvider : IClientSeedDataProvider
             foreach (var t in NavigationApplicationSeedData.GetTranslationEntries())
             {
                 context.NavigationTranslations.Add(
-                    NavigationTranslation.Create(t.EntityType, t.EntityId, t.LanguageCode, t.Label, t.Description));
+                    NavigationTranslation.Create(t.EntityType, app.Id, t.LanguageCode, t.Label, t.Description));
             }
             await ((DbContext)context).SaveChangesAsync(ct);
         }
@@ -1097,14 +1100,15 @@ public class {AppPascalName}SeedDataProvider : IClientSeedDataProvider
         // --- Module translations (idempotent — unique index IX_nav_Translations_EntityType_EntityId_LanguageCode) ---
         // Always check existence before inserting translations to avoid duplicate key errors
         // on re-runs, partial failures, or DB reset scenarios.
+        // CRITICAL: Use mod1Entity.Id (actual DB ID), NOT seed-time GUID from SeedData class.
         if (!await context.NavigationTranslations.AnyAsync(
-            t => t.EntityId == {Module1Pascal}NavigationSeedData.{Module1Pascal}ModuleId
+            t => t.EntityId == mod1Entity.Id
                  && t.EntityType == NavigationEntityType.Module, ct))
         {
             foreach (var t in {Module1Pascal}NavigationSeedData.GetTranslationEntries())
             {
                 context.NavigationTranslations.Add(
-                    NavigationTranslation.Create(t.EntityType, t.EntityId, t.LanguageCode, t.Label, t.Description));
+                    NavigationTranslation.Create(t.EntityType, mod1Entity.Id, t.LanguageCode, t.Label, t.Description));
             }
         }
         // Repeat for each module...
@@ -1129,16 +1133,21 @@ public class {AppPascalName}SeedDataProvider : IClientSeedDataProvider
         await ((DbContext)context).SaveChangesAsync(ct);
 
         // --- Section translations (idempotent — check before inserting) ---
+        // CRITICAL: secEntry.Id is a seed-time GUID ≠ actual DB ID.
+        // Resolve actual section from DB by Code+ModuleId to get the real ID.
         foreach (var secEntry in {Module1Pascal}NavigationSeedData.GetSectionEntries(mod1Entity.Id))
         {
+            var actualSection = await context.NavigationSections
+                .FirstAsync(s => s.Code == secEntry.Code && s.ModuleId == mod1Entity.Id, ct);
+
             if (!await context.NavigationTranslations.AnyAsync(
-                t => t.EntityId == secEntry.Id && t.EntityType == NavigationEntityType.Section, ct))
+                t => t.EntityId == actualSection.Id && t.EntityType == NavigationEntityType.Section, ct))
             {
                 foreach (var t in {Module1Pascal}NavigationSeedData.GetSectionTranslationEntries()
                     .Where(st => st.EntityId == secEntry.Id))
                 {
                     context.NavigationTranslations.Add(
-                        NavigationTranslation.Create(t.EntityType, t.EntityId, t.LanguageCode, t.Label, t.Description));
+                        NavigationTranslation.Create(t.EntityType, actualSection.Id, t.LanguageCode, t.Label, t.Description));
                 }
             }
         }
@@ -1174,10 +1183,13 @@ public class {AppPascalName}SeedDataProvider : IClientSeedDataProvider
 
     public async Task SeedRolesAsync(ICoreDbContext context, CancellationToken ct)
     {
-        // Check idempotence — verify by Code (roles may already exist from SmartStack core)
-        // Scope by ApplicationId — without this, roles from OTHER apps cause false positives
+        // Resolve application from DB by Code — NOT seed-time GUID
+        var app = await context.NavigationApplications
+            .FirstAsync(a => a.Code == "{appCode}", ct);
+
+        // Check idempotence — verify by Code, scoped by actual DB ApplicationId
         var existingRoleCodes = await context.Roles
-            .Where(r => r.ApplicationId == ApplicationRolesSeedData.ApplicationId
+            .Where(r => r.ApplicationId == app.Id
                 && (r.Code == "admin" || r.Code == "manager" || r.Code == "contributor" || r.Code == "viewer"))
             .Select(r => r.Code)
             .ToListAsync(ct);
@@ -1188,11 +1200,13 @@ public class {AppPascalName}SeedDataProvider : IClientSeedDataProvider
             if (existingRoleCodes.Contains(entry.Code)) continue; // Skip if already exists
 
             var role = Role.Create(
-                entry.Code,
-                entry.Name,
-                entry.Description,
-                entry.ApplicationId,
-                entry.IsSystem);
+                name: entry.Name,
+                shortName: entry.Code,
+                category: RoleCategory.Application,
+                description: entry.Description,
+                isSystem: entry.IsSystem,
+                applicationId: app.Id,
+                code: entry.Code);
             context.Roles.Add(role);
         }
         await ((DbContext)context).SaveChangesAsync(ct);
@@ -1231,13 +1245,17 @@ public class {AppPascalName}SeedDataProvider : IClientSeedDataProvider
             .AnyAsync(rp => rp.Permission!.Path.StartsWith("{appCode}."), ct);
         if (exists) return;
 
+        // Resolve application from DB by Code — NOT seed-time GUID
+        var app = await context.NavigationApplications
+            .FirstAsync(a => a.Code == "{appCode}", ct);
+
         // Resolve roles by Code from DB — do not use hardcoded GUIDs.
         // Application-scoped roles (admin, manager, contributor, viewer) are created by
         // SeedRolesAsync() above. System roles use their own IDs that do not match
         // DeterministicGuid("role:admin").
         // Load THIS application's roles + system roles only
         var roles = await context.Roles
-            .Where(r => r.ApplicationId == ApplicationRolesSeedData.ApplicationId || r.IsSystem)
+            .Where(r => r.ApplicationId == app.Id || r.IsSystem)
             .ToListAsync(ct);
 
         // Resolve permissions
@@ -1333,11 +1351,11 @@ Before marking the task as completed, verify ALL:
 
 **Application-Level (FIRST — before modules):**
 - [ ] `NavigationApplicationSeedData.cs` created (once per application, at `Infrastructure/Persistence/Seeding/Data/`)
-- [ ] Application GUID is deterministic (SHA256 of `"navigation-application-{appCode}"`)
-- [ ] GetApplicationEntry() takes no parameters (no contextId)
-- [ ] Application translations created (4 languages: fr, en, it, de, EntityType = Application)
+- [ ] Application GUID is random (`Guid.NewGuid()`) — FK resolution is by Code lookup, not fixed ID
+- [ ] GetApplicationEntry() takes no parameters (no contextId), includes `Zone = ApplicationZone.Business`
+- [ ] Application translations created (4 languages: fr, en, it, de, EntityType = Application), using `app.Id` (actual DB ID) for EntityId
 - [ ] `IClientSeedDataProvider.SeedNavigationAsync()` uses `NavigationApplicationSeedData` (NO hardcoded `{appLabel_en}` / `{appIcon}` placeholders)
-- [ ] `ApplicationRolesSeedData.ApplicationId` references `NavigationApplicationSeedData.ApplicationId` (NO `{ApplicationGuid}` placeholder)
+- [ ] `ApplicationRolesSeedData.ApplicationId` references `NavigationApplicationSeedData.ApplicationId` (DTO only — provider code resolves from DB by Code)
 
 **Module-Level:**
 - [ ] Random GUIDs via `Guid.NewGuid()` (no deterministic/sequential/fixed values)

package/templates/skills/application/references/application-roles-template.md

@@ -147,20 +147,26 @@ Add a new method `SeedRolesAsync()` to the provider:
 ```csharp
 public async Task SeedRolesAsync(ICoreDbContext context, CancellationToken ct)
 {
-    // Check idempotence
+    // Resolve application from DB by Code — NOT seed-time GUID
+    var app = await context.NavigationApplications
+        .FirstAsync(a => a.Code == "{app_code}", ct);
+
+    // Check idempotence — scoped by actual DB ApplicationId
     var exists = await context.Roles
-        .AnyAsync(r => r.ApplicationId == ApplicationRolesSeedData.ApplicationId, ct);
+        .AnyAsync(r => r.ApplicationId == app.Id, ct);
     if (exists) return;
 
     // Create application-scoped roles using factory method
     foreach (var entry in ApplicationRolesSeedData.GetRoleEntries())
     {
         var role = Role.Create(
-            entry.Code,
-            entry.Name,
-            entry.Description,
-            entry.ApplicationId,
-            entry.IsSystem);
+            name: entry.Name,
+            shortName: entry.Code,
+            category: RoleCategory.Application,
+            description: entry.Description,
+            isSystem: entry.IsSystem,
+            applicationId: app.Id,
+            code: entry.Code);
 
         context.Roles.Add(role);
     }
@@ -205,7 +211,7 @@ Before marking the task as completed, verify:
 ## Notes
 
 - **Application ID source:** Read from the navigation application created in `SeedNavigationAsync()` or from `{AppPascal}NavigationSeedData.cs`
-- **Role factory method:** Use `Role.Create(code, name, description, applicationId, isSystem)` from SmartStack.Domain
+- **Role factory method:** Use `Role.Create(name, shortName, category, description, isSystem, applicationId: ..., code: ...)` from SmartStack.Domain
 - **Code uniqueness:** Role codes must be unique within the application scope
 - **System roles:** These are NOT system roles (IsSystem = false) - they are application-scoped roles
 - **Tenant isolation:** Application-scoped roles are automatically tenant-isolated via the Core authorization system

package/templates/skills/application/references/provider-template.md

@@ -43,7 +43,7 @@ public class {AppPascalName}SeedDataProvider : IClientSeedDataProvider
         else
         {
             app = NavigationApplication.Create(
-                appEntry.Code, appEntry.Label,
+                ApplicationZone.Business, appEntry.Code, appEntry.Label,
                 appEntry.Description, appEntry.Icon, appEntry.IconType,
                 appEntry.Route, appEntry.DisplayOrder);
             context.NavigationApplications.Add(app);
@@ -53,7 +53,7 @@ public class {AppPascalName}SeedDataProvider : IClientSeedDataProvider
             foreach (var t in NavigationApplicationSeedData.GetTranslationEntries())
             {
                 context.NavigationTranslations.Add(
-                    NavigationTranslation.Create(t.EntityType, t.EntityId, t.LanguageCode, t.Label, t.Description));
+                    NavigationTranslation.Create(t.EntityType, app.Id, t.LanguageCode, t.Label, t.Description));
             }
             await ((DbContext)context).SaveChangesAsync(ct);
         }
@@ -72,18 +72,24 @@ public class {AppPascalName}SeedDataProvider : IClientSeedDataProvider
         // --- Module translations (IDEMPOTENT — check before inserting) ---
         // CRITICAL: nav_Translations has unique index IX_nav_Translations_EntityType_EntityId_LanguageCode
         // Always guard with AnyAsync to prevent duplicate key errors on re-runs.
+        // CRITICAL: Use modEntity.Id (actual DB ID), NOT seed-time GUID from SeedData class.
         // if (!await context.NavigationTranslations.AnyAsync(
-        //     t => t.EntityId == {Module}NavigationSeedData.{Module}ModuleId
+        //     t => t.EntityId == mod1Entity.Id
         //          && t.EntityType == NavigationEntityType.Module, ct))
-        // { foreach (var t in {Module}NavigationSeedData.GetTranslationEntries()) { ... } }
+        // { foreach (var t in {Module}NavigationSeedData.GetTranslationEntries())
+        //   { context.NavigationTranslations.Add(
+        //       NavigationTranslation.Create(t.EntityType, mod1Entity.Id, t.LanguageCode, t.Label, t.Description)); } }
         await ((DbContext)context).SaveChangesAsync(ct);
 
         // --- Sections (idempotent per-section) ---
         // Check each section before inserting: AnyAsync(s => s.Code == secEntry.Code && s.ModuleId == ...)
 
         // --- Section translations (IDEMPOTENT — same guard pattern as module translations) ---
+        // CRITICAL: secEntry.Id is a seed-time GUID ≠ actual DB ID.
+        // Resolve actual section from DB: var actualSection = await context.NavigationSections
+        //     .FirstAsync(s => s.Code == secEntry.Code && s.ModuleId == modEntity.Id, ct);
         // if (!await context.NavigationTranslations.AnyAsync(
-        //     t => t.EntityId == secEntry.Id && t.EntityType == NavigationEntityType.Section, ct))
+        //     t => t.EntityId == actualSection.Id && t.EntityType == NavigationEntityType.Section, ct))
 
         // --- Resources (idempotent — use ACTUAL section IDs from DB) ---
         // CRITICAL: NavigationSection.Create() generates its own random ID.
@@ -95,10 +101,13 @@ public class {AppPascalName}SeedDataProvider : IClientSeedDataProvider
 
     public async Task SeedRolesAsync(ICoreDbContext context, CancellationToken ct)
     {
-        // Check idempotence
-        var applicationId = ApplicationRolesSeedData.ApplicationId;
+        // Resolve application from DB by Code — NOT seed-time GUID
+        var app = await context.NavigationApplications
+            .FirstAsync(a => a.Code == "{app_code}", ct);
+
+        // Check idempotence — scoped by actual DB ApplicationId
         var exists = await context.Roles
-            .AnyAsync(r => r.ApplicationId == applicationId, ct);
+            .AnyAsync(r => r.ApplicationId == app.Id, ct);
         if (exists) return;
 
         // Create application-scoped roles (Admin, Manager, Contributor, Viewer)
@@ -106,11 +115,13 @@ public class {AppPascalName}SeedDataProvider : IClientSeedDataProvider
         foreach (var entry in ApplicationRolesSeedData.GetRoleEntries())
         {
             var role = Role.Create(
-                entry.Code,
-                entry.Name,
-                entry.Description,
-                entry.ApplicationId,
-                entry.IsSystem);
+                name: entry.Name,
+                shortName: entry.Code,
+                category: RoleCategory.Application,
+                description: entry.Description,
+                isSystem: entry.IsSystem,
+                applicationId: app.Id,
+                code: entry.Code);
             context.Roles.Add(role);
         }
         await ((DbContext)context).SaveChangesAsync(ct);
@@ -167,11 +178,12 @@ services.AddScoped<IClientSeedDataProvider, {AppPascalName}SeedDataProvider>();
 
 ## Critical Rules
 
-1. **Factory methods mandatory**: `NavigationModule.Create(...)`, `Role.Create(...)`, `Permission.CreateForModule(...)`, `RolePermission.Create(...)` — NEVER `new Entity()`
+1. **Factory methods mandatory**: `NavigationApplication.Create(zone, ...)`, `NavigationModule.Create(...)`, `Role.Create(name, shortName, category, ...)`, `Permission.CreateForModule(...)`, `RolePermission.Create(...)` — NEVER `new Entity()`
 2. **Idempotence**: Each Seed method checks existence before inserting. **Translations require explicit `AnyAsync` guard** — unique index `IX_nav_Translations_EntityType_EntityId_LanguageCode` causes crashes on duplicate inserts
-3. **Translation guard pattern**: `if (!await context.NavigationTranslations.AnyAsync(t => t.EntityId == {id} && t.EntityType == ..., ct))` — MANDATORY before every translation batch insert
-4. **SaveChangesAsync per group**: Navigation → save → Roles → save → Permissions → save → RolePermissions → save
-4. **Execution order**: `SeedRolesAsync()` MUST be called BEFORE `SeedRolePermissionsAsync()` (roles must exist before mapping)
-5. **Random GUIDs**: ALWAYS use `Guid.NewGuid()` — resolve FKs by Code lookup, not fixed IDs
-6. **Resolve FK by Code**: Parent modules and roles are found by `Code`, not hardcoded GUID
-7. **Order property**: Use `100` as default. If multiple providers exist, they run in Order sequence
+3. **Translation EntityId**: ALWAYS use actual DB ID (e.g. `app.Id`, `mod1Entity.Id`, `actualSection.Id`), NEVER seed-time GUID from SeedData classes
+4. **Translation guard pattern**: `if (!await context.NavigationTranslations.AnyAsync(t => t.EntityId == {actualDbId} && t.EntityType == ..., ct))` — MANDATORY before every translation batch insert
+5. **SaveChangesAsync per group**: Navigation → save → Roles → save → Permissions → save → RolePermissions → save
+6. **Execution order**: `SeedRolesAsync()` MUST be called BEFORE `SeedRolePermissionsAsync()` (roles must exist before mapping)
+7. **Random GUIDs**: ALWAYS use `Guid.NewGuid()` — resolve FKs by Code lookup, not fixed IDs
+8. **Resolve FK by Code**: Parent entities (applications, modules, roles) are found by `Code` from DB, not by seed-time GUID
+9. **Order property**: Use `100` as default. If multiple providers exist, they run in Order sequence