@atlashub/smartstack-cli 4.74.0 → 4.75.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@atlashub/smartstack-cli",
-  "version": "4.74.0",
+  "version": "4.75.0",
   "description": "SmartStack Claude Code automation toolkit - GitFlow, EF Core migrations, prompts and more",
   "author": {
     "name": "SmartStack",

package/templates/agents/ba-reader.md

@@ -12,9 +12,10 @@ You are a business analysis reader agent specialized in extracting and synthesiz
 
 Read index.json and thematic JSON files at both application-level and module-level, and provide structured answers, context summaries, or cross-feature insights. Support discovery, documentation, and skill orchestration.
 
-**File locations:**
-- Application-level: `docs/{app}/business-analyse/v{X.Y}/index.json` + thematic files
-- Module-level: `docs/{app}/{module}/business-analyse/v{X.Y}/index.json` + thematic files
+**File locations (ba-006):**
+- Project-level: `docs/{projectSlug}/v{X.Y}/index.json` + thematic files
+- Application-level: `docs/{projectSlug}/v{X.Y}/{appKebab}/index.json` + thematic files
+- Module-level: `docs/{projectSlug}/v{X.Y}/{appKebab}/{moduleKebab}/index.json` + thematic files
 
 ## Core Operations
 
@@ -27,12 +28,12 @@ Locate a feature by ID and return its latest version path (index.json).
 - Optional: scope ("application" | "module" | "any") — default: "any"
 
 **Process:**
-1. Glob pattern: `docs/**/business-analyse/*/index.json`
+1. Glob pattern: `docs/*/v*/index.json` AND `docs/*/v*/*/*/index.json` (project + module levels)
 2. Read each index.json and check id field
 3. If scope filter provided, also check scope field
 4. If multiple versions exist, sort numerically by version
 5. Return highest matching version path
-6. If not found, check legacy `.business-analyse/` format
+6. If not found, check legacy `docs/**/business-analyse/*/index.json` format
 
 **Output:**
 - Full path to index.json
@@ -49,7 +50,7 @@ Locate the master (application-level) index.json for a given app.
 - OR featureId: FEAT-NNN
 
 **Process:**
-1. Glob: `docs/{app}/business-analyse/*/index.json`
+1. Glob: `docs/*/v*/{appKebab}/index.json` (where appKebab = toKebabCase(app))
 2. Read and verify scope = "application"
 3. Return latest version path
 
@@ -244,8 +245,8 @@ Get the highest version number for a feature or module.
 
 **Process:**
 1. Glob paths:
-   - Single feature: `docs/**/business-analyse/v*/index.json` filtered by ID
-   - Module: `docs/{app}/{module}/business-analyse/v*/index.json`
+   - Single feature: `docs/*/v*/index.json` AND `docs/*/v*/*/*/index.json` filtered by ID
+   - Module: `docs/*/v*/{appKebab}/{moduleKebab}/index.json`
 2. Extract version numbers from index.json files (v1.0, v1.5, v2.1, etc.)
 3. Sort numerically
 4. Return highest version path and number
@@ -322,14 +323,14 @@ Generate compact context for use by other skills and agents.
 
 ## Search Priority
 
-When searching for feature data:
+When searching for feature data (ba-006 paths):
 
-1. **Primary (application):** `docs/{app}/business-analyse/*/index.json` (scope: application)
-2. **Primary (module):** `docs/{app}/{module}/business-analyse/*/index.json` (scope: module)
-3. **Fallback:** `.business-analyse/` (legacy format)
-   - Read: `00-context.md` + `3-functional-specification.md`
+1. **Primary (project/app):** `docs/*/v*/index.json` (scope: project or application)
+2. **Primary (app in multi-app):** `docs/*/v*/*/index.json` (scope: application within project)
+3. **Primary (module):** `docs/*/v*/*/*/index.json` (scope: module)
+4. **Fallback:** `docs/**/business-analyse/*/index.json` (legacy pre-ba-006 format)
    - Warn user about old format
-   - Suggest migration to new format
+   - Suggest re-running /business-analyse to migrate
 
 ## Cross-Reference Resolution
 
@@ -347,9 +348,10 @@ When encountering ID references, resolve them by reading appropriate thematic fi
 
 ## Error Handling
 
+- **EISDIR (directory path passed to Read):** NEVER use the Read tool on a directory path. If a path does not end with `.json` or a known file extension, use Glob to list its contents first, then Read specific files. This is the #1 source of silent failures.
 - If featureId not found: suggest similar IDs or search for feature by keyword
 - If legacy format detected: show warning and offer to display legacy content
-- If thematic file not found: list available thematic files in the feature version directory
+- If thematic file not found: list available thematic files in the feature version directory (use Glob, NOT Read)
 - If version not found: list available versions
 - Return helpful suggestions for refinement
 

package/templates/agents/ba-writer.md

@@ -12,10 +12,10 @@ You are a business analysis writer agent specialized in managing granular JSON f
 
 Write and update granular JSON files for project-level (multi-app), application-level (master), and module-level documents. Handle progressive enrichment of features as they move through analysis phases, manage versioning for refactoring, and enforce schema consistency.
 
-**Directory structure (3-tier hierarchy):**
-- Project-level (multi-app only): `docs/business-analyse/v{X.Y}/index.json` + thematic files
-- Application-level: `docs/{app}/business-analyse/v{X.Y}/index.json` + thematic files
-- Module-level: `docs/{app}/{module}/business-analyse/v{X.Y}/index.json` + thematic files
+**Directory structure (ba-006, 3-tier hierarchy):**
+- Project-level (multi-app only): `docs/{projectSlug}/v{X.Y}/index.json` + thematic files
+- Application-level: `docs/{projectSlug}/v{X.Y}/{appKebab}/index.json` + thematic files
+- Module-level: `docs/{projectSlug}/v{X.Y}/{appKebab}/{moduleKebab}/index.json` + thematic files
 
 **Thematic files (v2 granular architecture):**
 - `index.json` — metadata, version, hash manifest, module registry (ALL scopes)
@@ -31,7 +31,7 @@ Write and update granular JSON files for project-level (multi-app), application-
 - `handoff.json` — complexity, file catalog, BR-to-code mapping (**MODULE ONLY**)
 - `review.json` — preserved review comments and change summary (ALL scopes)
 
-> **Backward compatibility:** If only 1 application, the project level is NOT created. The application-level index.json remains the master.
+> **Single-app mode:** If only 1 application, the project level is NOT created. The application-level index.json at `docs/{projectSlug}/v{X.Y}/index.json` remains the master.
 
 ## Core Operations
 
@@ -48,10 +48,11 @@ Create initial index.json and empty thematic files with metadata and draft statu
 **Process:**
 1. Read `.business-analyse/config.json` to get lastFeatureId (or lastProjectId for scope = "project")
 2. Increment FEAT-NNN (or PROJ-NNN) identifier
-3. Create directory structure based on scope:
-   - If scope = "project": `docs/business-analyse/v1.0/`
-   - If scope = "application": `docs/{app}/business-analyse/v1.0/`
-   - If scope = "module": `docs/{app}/{module}/business-analyse/v1.0/`
+3. Create directory structure based on scope (ba-006 paths — NO `business-analyse/` intermediate directory):
+   - If scope = "project": `docs/{projectSlug}/v1.0/`
+   - If scope = "application": `docs/{projectSlug}/v{X.Y}/{appKebab}/`
+   - If scope = "module": `docs/{projectSlug}/v{X.Y}/{appKebab}/{moduleKebab}/`
+   **IMPORTANT:** Use Bash `mkdir -p` to create directories before writing files.
 4. Generate index.json with:
    - **`$schema`**: relative path to the deployed schema file (MANDATORY — see $schema rules below)
    - id: FEAT-NNN (from config)
@@ -74,7 +75,7 @@ Create initial index.json and empty thematic files with metadata and draft statu
    a. Read master index.json (via applicationRef FEAT-NNN)
    b. Find module in modules[] where code === moduleCode
    c. Set module.indexJsonPath to the relative path of the created index.json
-      (relative from BA root, e.g. "modules/{moduleCode}/business-analyse/v{X.Y}/index.json")
+      (relative from project root, e.g. "{appKebab}/{moduleKebab}/index.json")
    d. Update master index.json with new module reference
 8. Return feature ID, path, and confirmation
 
@@ -100,9 +101,9 @@ Create a project-level index.json for multi-application analysis. Only used when
 **Process:**
 1. Read `.business-analyse/config.json` to get lastProjectId (default: 0)
 2. Increment PROJ-NNN identifier
-3. Create directory: `docs/business-analyse/v1.0/`
+3. Create directory: `docs/{projectSlug}/v1.0/` (use Bash `mkdir -p`)
 4. Generate index.json with:
-   - `$schema`: `"../schemas/project-schema.json"`
+   - `$schema`: `"schemas/project-schema.json"`
    - id: PROJ-NNN
    - version: "1.0"
    - status: "draft"
@@ -114,7 +115,7 @@ Create a project-level index.json for multi-application analysis. Only used when
 5. Create thematic files — **EXACTLY 3 files, NO OTHERS:** cadrage.json, validation.json, consolidation.json
    **FORBIDDEN at project level:** entities.json, rules.json, usecases.json, permissions.json, screens.json, handoff.json — these exist ONLY at module level.
 6. Update `.business-analyse/config.json` with new lastProjectId
-7. Deploy schemas to `docs/business-analyse/schemas/` (including project-schema.json)
+7. Deploy schemas to `docs/{projectSlug}/v{X.Y}/schemas/` (including project-schema.json)
 8. Return project ID (PROJ-NNN) and path
 
 ### enrichApplicationRegistry
@@ -521,38 +522,31 @@ Perform these structural checks before every write:
 - OPTIONAL: `indexJsonPath`
 - FORBIDDEN: missing `dependencies`/`dependents`/`sortOrder`
 
-## Directory Structure
+## Directory Structure (ba-006)
 
 ```
-docs/business-analyse/
-  v1.0/
-    index.json                          ← PROJECT metadata
+docs/{projectSlug}/
+  v{X.Y}/
+    index.json                          ← PROJECT metadata (or APPLICATION if single-app)
     cadrage.json
     validation.json
     consolidation.json
-    # NO entities/rules/usecases/permissions/screens/handoff — MODULE ONLY
-
-docs/{app}/business-analyse/
-  v1.0/
-    index.json                          ← APPLICATION metadata
-    cadrage.json
-    validation.json
-    consolidation.json
-    navigation.json                     ← (created by business-analyse-design)
-    # NO entities/rules/usecases/permissions/screens/handoff — MODULE ONLY
-
-docs/{app}/{module}/business-analyse/
-  v1.0/
-    index.json                          ← MODULE metadata
-    entities.json
-    rules.json
-    usecases.json
-    permissions.json
-    screens.json
-    validation.json
-    handoff.json
+    schemas/                            ← Deployed JSON schemas
+    {appKebab}/                         ← Application directory (kebab-case)
+      index.json                        ← APPLICATION metadata
+      {moduleKebab}/                    ← Module directory (kebab-case)
+        index.json                      ← MODULE metadata
+        entities.json
+        rules.json
+        usecases.json
+        permissions.json
+        screens.json
+        validation.json
+        handoff.json
 ```
 
+> **No `business-analyse/` intermediate directory.** All data lives directly under `docs/{projectSlug}/v{X.Y}/`.
+
 Versions are stored as separate directories. Each directory contains index.json + thematic files.
 
 ## Hash Manifest (index.json fileHashes)
@@ -639,6 +633,7 @@ Before EVERY enrichSection() call for specification or handoff sections, validat
 7. **Timestamp management** - always set metadata.updatedAt to current ISO timestamp on write
 8. **Idempotency** - calling the same operation twice with same data should produce same result
 9. **Hash updates** - calculate and store MD5 hash for every thematic file write
+10. **Directory creation** - Before writing ANY file, verify parent directory exists. If not, create it with `mkdir -p` via the Bash tool. The Write tool does NOT create parent directories automatically. This is CRITICAL — skipping this step causes silent write failures.
 
 ## File Size Management (CRITICAL)
 
@@ -677,6 +672,7 @@ if (estimatedNewSize > 500 * 1024) {  // 500KB
 
 ## Error Handling
 
+- **EISDIR prevention:** Before any Read operation, verify the path points to a FILE (ends with `.json`), not a directory. Use Glob to discover files in a directory, then Read individual files. Never pass a directory path to the Read tool.
 - Return clear validation errors with line numbers
 - Suggest fixes for schema violations
 - Prevent writing invalid JSON
@@ -686,29 +682,31 @@ if (estimatedNewSize > 500 * 1024) {  // 500KB
 ## $schema Reference Rules (MANDATORY)
 
 > **Every index.json MUST include a `$schema` field** pointing to the deployed schema file via relative path.
-> Schemas are deployed by step-00-init to: `docs/{app}/business-analyse/schemas/`
+> Schemas are deployed by step-00-init to: `docs/{projectSlug}/v{X.Y}/schemas/`
 
-**$schema paths by scope:**
+**$schema paths by scope (ba-006):**
 
 | Scope | index.json location | $schema value |
 |-------|----------------------|---------------|
-| project | `docs/business-analyse/v1.0/index.json` | `"../schemas/project-schema.json"` |
-| application | `docs/{app}/business-analyse/v1.0/index.json` | `"../schemas/application-schema.json"` |
-| module | `docs/{app}/{module}/business-analyse/v1.0/index.json` | `"../../../business-analyse/schemas/feature-schema.json"` |
+| project | `docs/{projectSlug}/v{X.Y}/index.json` | `"schemas/project-schema.json"` |
+| application (single-app) | `docs/{projectSlug}/v{X.Y}/index.json` | `"schemas/application-schema.json"` |
+| application (multi-app) | `docs/{projectSlug}/v{X.Y}/{appKebab}/index.json` | `"../schemas/application-schema.json"` |
+| module | `docs/{projectSlug}/v{X.Y}/{appKebab}/{moduleKebab}/index.json` | `"../../schemas/feature-schema.json"` |
 
 **Rules:**
 - `$schema` is ALWAYS the FIRST field in index.json (before `id`)
-- Path is RELATIVE from the index.json file to the schemas directory
-- For application scope: go up 1 level (v1.0/) → into schemas/
-- For module scope: go up 3 levels (v1.0/ → business-analyse/ → {module}/) → into business-analyse/schemas/
+- Path is RELATIVE from the index.json file to the schemas directory at `docs/{projectSlug}/v{X.Y}/schemas/`
+- For project/single-app: schemas/ is in the same directory
+- For multi-app application: go up 1 level ({appKebab}/) → schemas/
+- For module: go up 2 levels ({moduleKebab}/ → {appKebab}/) → schemas/
 - If schemas directory not found → WARNING (schemas may not have been deployed by step-00)
 
 ## Example index.json Structure
 
-**Module-level:**
+**Module-level:** (`docs/{projectSlug}/v{X.Y}/{appKebab}/{moduleKebab}/index.json`)
 ```json
 {
-  "$schema": "../../../business-analyse/schemas/feature-schema.json",
+  "$schema": "../../schemas/feature-schema.json",
   "id": "FEAT-001",
   "version": "1.0",
   "status": "draft",
@@ -743,7 +741,7 @@ if (estimatedNewSize > 500 * 1024) {  // 500KB
 }
 ```
 
-**Application-level:**
+**Application-level:** (`docs/{projectSlug}/v{X.Y}/{appKebab}/index.json` or `docs/{projectSlug}/v{X.Y}/index.json` for single-app)
 ```json
 {
   "$schema": "../schemas/application-schema.json",
@@ -778,10 +776,10 @@ if (estimatedNewSize > 500 * 1024) {  // 500KB
 }
 ```
 
-**Project-level (multi-app only):**
+**Project-level (multi-app only):** (`docs/{projectSlug}/v{X.Y}/index.json`)
 ```json
 {
-  "$schema": "../schemas/project-schema.json",
+  "$schema": "schemas/project-schema.json",
   "id": "PROJ-001",
   "version": "1.0",
   "status": "draft",

package/templates/skills/apex/_shared.md

@@ -156,7 +156,7 @@ Write back to {delegate_prd_path}
 | `scaffold_extension` | Create files manually following `smartstack-api.md` entity/service/controller patterns |
 | `suggest_migration` | Name format: `{context}_v{version}_{sequence}_{Description}` (see existing migrations for version) |
 | `generate_permissions` | Write `HasData()` code manually following `core-seed-data.md` permission section |
-| `scaffold_routes` | Create `componentRegistry.generated.ts` with `PageRegistry.register()` calls manually following `smartstack-frontend.md` §1 (or legacy `applicationRoutes` array for pre-v3.7 projects) |
+| `scaffold_routes` | Create `componentRegistry.generated.ts` manually. Keys MUST use DOT notation: `PageRegistry.register('{app_code}.{module_code}.{section_code}', lazy(...))`. Example: `PageRegistry.register('rh.employes.list', lazy(() => import('../pages/Rh/Employes/EmployeesListPage')));` — NEVER use hyphens as hierarchy separator. For client projects: `import { PageRegistry } from '@atlashub/smartstack';`. For SmartStack core: `import { PageRegistry } from '@/extensions/PageRegistry';`. See `frontend-route-wiring-app-tsx.md` §Client SDK |
 | `validate_frontend_routes` | Run POST-CHECK bash scripts from `post-checks.md` |
 | `validate_security` | Run security POST-CHECKs S1-S6 from `post-checks.md` |
 | `check_migrations` | Run `dotnet ef migrations has-pending-model-changes` manually |

package/templates/skills/apex/references/checks/backend-checks.sh

@@ -2,7 +2,7 @@
 set -euo pipefail
 
 # POST-CHECK: Backend — Entity, Service & Controller Checks
-# V1-V2, C8, C12, C14, C28-C31, C54: Entity validation, API contracts, pagination, code generation
+# V1-V2, C8, C12, C14, C28-C31, C54, C62: Entity validation, API contracts, pagination, code generation, tenant exceptions
 
 FAIL=false
 
@@ -10,9 +10,9 @@ FAIL=false
 CTRL_FILES=$(find src/ -path "*/Controllers/*" -name "*Controller.cs" 2>/dev/null)
 if [ -n "$CTRL_FILES" ]; then
   for f in $CTRL_FILES; do
-    HAS_WRITE=$(grep -cE "\[Http(Post|Put)\]" "$f")
+    HAS_WRITE=$(grep -cE "\[Http(Post|Put)\]" "$f" || true)
     if [ "$HAS_WRITE" -gt 0 ]; then
-      DTOS=$(grep -oP '(?:Create|Update)\w+Dto' "$f" | sort -u)
+      DTOS=$(grep -oE '(Create|Update)[A-Za-z0-9_]+Dto' "$f" | sort -u || true)
       for DTO in $DTOS; do
         VALIDATOR_NAME=$(echo "$DTO" | sed 's/Dto$/Validator/')
         VALIDATOR_FILE=$(find src/ -path "*/Validators/*" -name "${VALIDATOR_NAME}.cs" 2>/dev/null)
@@ -60,7 +60,7 @@ if [ -n "$WEB_DIR" ]; then
   LOOKUP_FILES=$(grep -rl "EntityLookup" "$WEB_DIR/src/pages/" "$WEB_DIR/src/components/" 2>/dev/null | grep -v node_modules | grep -v "\.test\." || true)
   if [ -n "$LOOKUP_FILES" ]; then
     for f in $LOOKUP_FILES; do
-      ENDPOINTS=$(grep -oP "apiEndpoint=['\"]([^'\"]+)['\"]" "$f" 2>/dev/null | grep -oP "['\"]([^'\"]+)['\"]" | tr -d "'" | tr -d '"' || true)
+      ENDPOINTS=$(grep -oE "apiEndpoint=['\"][^'\"]+['\"]" "$f" 2>/dev/null | sed "s/apiEndpoint=//;s/['\"]//g" || true)
       for ep in $ENDPOINTS; do
         ENTITY=$(echo "$ep" | sed 's|.*/||' | sed 's/.*/\u&/')
         CTRL=$(find src/ -path "*/Controllers/*${ENTITY}*Controller.cs" 2>/dev/null | head -1)
@@ -77,7 +77,7 @@ fi
 # POST-CHECK C12: GetAll methods must return PaginatedResult<T>
 SERVICE_FILES=$(find src/ -path "*/Services/*" -name "*Service.cs" ! -name "I*Service.cs" 2>/dev/null)
 if [ -n "$SERVICE_FILES" ]; then
-  BAD_RETURNS=$(grep -Pn '(Task<\s*(?:List|IEnumerable|IList|ICollection|IReadOnlyList|IReadOnlyCollection)<).*GetAll' $SERVICE_FILES 2>/dev/null)
+  BAD_RETURNS=$(grep -nE 'Task<\s*(List|IEnumerable|IList|ICollection|IReadOnlyList|IReadOnlyCollection)<.*GetAll' $SERVICE_FILES 2>/dev/null || true)
   if [ -n "$BAD_RETURNS" ]; then
     echo "WARNING: GetAll methods must return PaginatedResult<T>, not List/IEnumerable"
     echo "$BAD_RETURNS"
@@ -114,7 +114,7 @@ SERVICE_FILES=$(find src/ -path "*/Services/*" -name "*Service.cs" ! -name "I*Se
 CTRL_FILES=$(find src/ -path "*/Controllers/*" -name "*Controller.cs" 2>/dev/null)
 ALL_FILES="$SERVICE_FILES $CTRL_FILES"
 if [ -n "$(echo $ALL_FILES | tr -d ' ')" ]; then
-  BAD_NAMES=$(grep -Pn 'PagedResult<|PaginatedResultDto<|PaginatedResponse<|PageResultDto<' $ALL_FILES 2>/dev/null || true)
+  BAD_NAMES=$(grep -nE 'PagedResult<|PaginatedResultDto<|PaginatedResponse<|PageResultDto<' $ALL_FILES 2>/dev/null || true)
   if [ -n "$BAD_NAMES" ]; then
     echo "WARNING: Pagination type must be PaginatedResult<T> — found non-canonical names"
     echo "$BAD_NAMES"
@@ -179,7 +179,7 @@ fi
 # POST-CHECK C54: No helper method calls inside .Select() on IQueryable (BLOCKING)
 SERVICE_FILES=$(find src/ -path "*/Services/*" -name "*Service.cs" ! -name "I*Service.cs" 2>/dev/null)
 if [ -n "$SERVICE_FILES" ]; then
-  BAD_SELECT=$(grep -Pn '\.Select\(\s*\w+\s*=>\s*(?!new\s)[A-Z]\w+\(|\.Select\(\s*(?!x\s*=>)[A-Z]\w+\s*\)' $SERVICE_FILES 2>/dev/null || true)
+  BAD_SELECT=$(grep -nE '\.Select\([[:space:]]*[a-z]+[[:space:]]*=>[[:space:]]*[A-Z][A-Za-z0-9_]+\(' $SERVICE_FILES 2>/dev/null | grep -v '=>\s*new\s' || true)
   if [ -n "$BAD_SELECT" ]; then
     echo "BLOCKING: Helper method call inside .Select() on IQueryable — EF Core cannot translate to SQL"
     echo "$BAD_SELECT"
@@ -189,6 +189,20 @@ if [ -n "$SERVICE_FILES" ]; then
   fi
 fi
 
+# POST-CHECK C62: Services must use TenantContextRequiredException, NOT InvalidOperationException for tenant (WARNING)
+SERVICE_FILES=$(find src/ -path "*/Services/*" -name "*Service.cs" ! -name "I*Service.cs" 2>/dev/null)
+if [ -n "$SERVICE_FILES" ]; then
+  for f in $SERVICE_FILES; do
+    BAD_TENANT=$(grep -nE 'throw new InvalidOperationException.*[Tt]enant' "$f" 2>/dev/null || true)
+    if [ -n "$BAD_TENANT" ]; then
+      echo "WARNING: Service uses InvalidOperationException for tenant check (returns 500 instead of 400): $f"
+      echo "  $BAD_TENANT"
+      echo "  Fix: Use 'throw new TenantContextRequiredException()' instead"
+      echo "  TenantContextRequiredException returns 400 via GlobalExceptionHandlerMiddleware"
+    fi
+  done
+fi
+
 if [ "$FAIL" = true ]; then
   exit 1
 fi

package/templates/skills/apex/references/checks/infrastructure-checks.sh

@@ -2,7 +2,7 @@
 set -euo pipefail
 
 # POST-CHECK: Infrastructure — Migration & Build
-# C13, C38-C43, C50-C51, C56: Database migrations, DI registration, routing uniqueness
+# C13, C38-C43, C50-C51, C56, C60-C61: Database migrations, DI registration, routing uniqueness, MCP compliance
 
 FAIL=false
 
@@ -27,10 +27,10 @@ fi
 SNAPSHOT=$(find src/ -name "*ModelSnapshot.cs" -path "*/Migrations/*" 2>/dev/null | head -1)
 DBCONTEXT=$(find src/ -name "*DbContext.cs" -path "*/Persistence/*" ! -name "*DesignTime*" 2>/dev/null | head -1)
 if [ -n "$SNAPSHOT" ] && [ -n "$DBCONTEXT" ]; then
-  DBSET_ENTITIES=$(grep -oP 'DbSet<(\w+)>' "$DBCONTEXT" 2>/dev/null | grep -oP '<\K\w+(?=>)' | sort -u || true)
+  DBSET_ENTITIES=$(grep -o 'DbSet<[A-Za-z0-9_]*>' "$DBCONTEXT" 2>/dev/null | sed 's/DbSet<//;s/>//' | sort -u || true)
   FAIL_C38=false
   for ENTITY in $DBSET_ENTITIES; do
-    if echo "$ENTITY" | grep -qP '^(Navigation|Tenant|User|Role|Permission|AuditLog|ApplicationTracking)'; then
+    if echo "$ENTITY" | grep -qE '^(Navigation|Tenant|User|Role|Permission|AuditLog|ApplicationTracking)'; then
       continue
     fi
     if ! grep -q "Entity<$ENTITY>" "$SNAPSHOT" 2>/dev/null; then
@@ -103,7 +103,7 @@ DTO_FILES=$(find src/ -name "*Dto.cs" -path "*/DTOs/*" 2>/dev/null)
 if [ -n "$DTO_FILES" ]; then
   FAIL_C41=false
   for f in $DTO_FILES; do
-    BAD_DATES=$(grep -Pn 'string\??\s+\w*[Dd]ate\w*\s*[{;,]' "$f" 2>/dev/null | grep -vi "Updated\|Created\|format\|pattern\|string\|parse" || true)
+    BAD_DATES=$(grep -nE 'string\??\s+[A-Za-z0-9_]*[Dd]ate[A-Za-z0-9_]*\s*[{;,]' "$f" 2>/dev/null | grep -vi "Updated\|Created\|format\|pattern\|string\|parse" || true)
     if [ -n "$BAD_DATES" ]; then
       echo "WARNING: DTO has string type for date field — must use DateOnly: $f"
       echo "$BAD_DATES"
@@ -114,7 +114,7 @@ if [ -n "$DTO_FILES" ]; then
 fi
 
 # POST-CHECK C42: Every module with entities must have a migration covering them (BLOCKING)
-ENTITY_FILES=$(find src/ -path "*/Domain/Entities/*" -name "*.cs" 2>/dev/null | grep -v test)
+ENTITY_FILES=$(find src/ -path "*/Domain/Entities/*" -name "*.cs" 2>/dev/null | grep -v test || true)
 MIGRATION_DIR=$(find src/ -path "*/Migrations" -type d 2>/dev/null | head -1)
 if [ -n "$ENTITY_FILES" ] && [ -n "$MIGRATION_DIR" ]; then
   MIGRATION_FILES=$(find "$MIGRATION_DIR" -name "*.cs" ! -name "*ModelSnapshot*" ! -name "*DesignTime*" 2>/dev/null)
@@ -125,7 +125,7 @@ if [ -n "$ENTITY_FILES" ] && [ -n "$MIGRATION_DIR" ]; then
     FAIL_C42=false
     for EF in $ENTITY_FILES; do
       ENTITY_NAME=$(basename "$EF" .cs)
-      if grep -qP '^\s*(public\s+)?(abstract|interface)\s' "$EF" 2>/dev/null; then continue; fi
+      if grep -qE '^\s*(public\s+)?(abstract|interface)\s' "$EF" 2>/dev/null; then continue; fi
       FOUND=$(grep -l "$ENTITY_NAME" $MIGRATION_FILES 2>/dev/null || true)
       if [ -z "$FOUND" ]; then
         echo "BLOCKING: Entity '$ENTITY_NAME' ($EF) not found in any migration file"
@@ -148,8 +148,8 @@ if [ -n "$CTRL_FILES" ]; then
     HAS_NAVROUTE=$(grep -c '\[NavRoute(' "$f" 2>/dev/null || true)
     HAS_ROUTE=$(grep -c '\[Route(' "$f" 2>/dev/null || true)
     if [ "$HAS_NAVROUTE" -gt 0 ] && [ "$HAS_ROUTE" -gt 0 ]; then
-      NAVROUTE_VAL=$(grep -oP 'NavRoute\("([^"]+)"' "$f" 2>/dev/null | head -1)
-      ROUTE_VAL=$(grep -oP 'Route\("([^"]+)"' "$f" 2>/dev/null | head -1)
+      NAVROUTE_VAL=$(grep -o 'NavRoute("[^"]*"' "$f" 2>/dev/null | head -1 || true)
+      ROUTE_VAL=$(grep -o 'Route("[^"]*"' "$f" 2>/dev/null | head -1 || true)
       echo "BLOCKING: Controller has BOTH [Route] and [NavRoute] — remove [Route]: $f"
       echo "  Found: [$ROUTE_VAL] + [$NAVROUTE_VAL]"
       echo "  In SmartStack, [NavRoute] resolves routes dynamically from the database."
@@ -166,7 +166,7 @@ fi
 # POST-CHECK C50: NavRoute Uniqueness — no duplicate NavRoute values (BLOCKING)
 CTRL_FILES=$(find src/ -path "*/Controllers/*" -name "*Controller.cs" 2>/dev/null)
 if [ -n "$CTRL_FILES" ]; then
-  NAVROUTES=$(grep -Pn '\[NavRoute\("([^"]+)"\)' $CTRL_FILES 2>/dev/null | sed 's/.*\[NavRoute("\([^"]*\)").*/\1/' | sort || true)
+  NAVROUTES=$(grep -n '\[NavRoute("' $CTRL_FILES 2>/dev/null | sed 's/.*\[NavRoute("\([^"]*\)".*/\1/' | sort || true)
   DUPLICATES=$(echo "$NAVROUTES" | uniq -d || true)
   if [ -n "$DUPLICATES" ]; then
     echo "BLOCKING: Duplicate NavRoute values detected:"
@@ -185,7 +185,7 @@ fi
 CTRL_FILES=$(find src/ -path "*/Controllers/*" -name "*Controller.cs" 2>/dev/null)
 if [ -n "$CTRL_FILES" ]; then
   for f in $CTRL_FILES; do
-    NAVROUTE=$(grep -oP '\[NavRoute\("\K[^"]+' "$f")
+    NAVROUTE=$(grep -o 'NavRoute("[^"]*"' "$f" 2>/dev/null | sed 's/NavRoute("//;s/"//' | head -1 || true)
     if [ -z "$NAVROUTE" ]; then continue; fi
 
     DOTS=$(echo "$NAVROUTE" | tr -cd '.' | wc -c)
@@ -250,6 +250,43 @@ if [ -n "${ENTITIES:-}" ] && [ -n "${SECTIONS:-}" ]; then
   fi
 fi
 
+# POST-CHECK C60: Controllers must inject ISender _mediator, NOT direct business services (BLOCKING)
+CTRL_FILES=$(find src/ -path "*/Controllers/*" -name "*Controller.cs" 2>/dev/null)
+if [ -n "$CTRL_FILES" ]; then
+  FAIL_C60=false
+  for f in $CTRL_FILES; do
+    # Detect direct business service injection (I{Entity}Service pattern)
+    # Exclude infrastructure services: ICurrentTenantService, ICurrentUserService, IStringLocalizer
+    DIRECT_SVC=$(grep -E 'private readonly I[A-Za-z0-9_]+Service ' "$f" 2>/dev/null | grep -v 'ICurrentTenantService\|ICurrentUserService\|IStringLocalizer' || true)
+    if [ -n "$DIRECT_SVC" ] && ! grep -q 'ISender' "$f"; then
+      echo "BLOCKING: Controller injects business service directly instead of ISender _mediator: $f"
+      echo "  Found: $(echo "$DIRECT_SVC" | head -1 | xargs)"
+      echo "  SmartStack convention: Controllers use MediatR (ISender) for CQRS dispatch"
+      echo "  Fix: Regenerate via mcp__smartstack__scaffold_extension(type: 'controller')"
+      FAIL_C60=true
+    fi
+  done
+  if [ "$FAIL_C60" = true ]; then
+    FAIL=true
+  fi
+fi
+
+# POST-CHECK C61: Controllers with [NavRoute] must have [Authorize] attribute (BLOCKING)
+CTRL_FILES=$(find src/ -path "*/Controllers/*" -name "*Controller.cs" 2>/dev/null)
+if [ -n "$CTRL_FILES" ]; then
+  FAIL_C61=false
+  for f in $CTRL_FILES; do
+    if grep -q '\[NavRoute' "$f" && ! grep -q '\[.*Authorize\]' "$f"; then
+      echo "BLOCKING: Controller with [NavRoute] missing [Authorize]: $f"
+      echo "  Fix: Add [Microsoft.AspNetCore.Authorization.Authorize] on class"
+      FAIL_C61=true
+    fi
+  done
+  if [ "$FAIL_C61" = true ]; then
+    FAIL=true
+  fi
+fi
+
 if [ "$FAIL" = true ]; then
   exit 1
 fi

package/templates/skills/apex/references/frontend-route-wiring-app-tsx.md

@@ -48,6 +48,9 @@ import './extensions/componentRegistry.generated';
 
 ## For Client SDK Pages
 
+> **CRITICAL:** Keys use DOT notation (`rh.employes.list`), NEVER hyphens (`rh-employes-list`).
+> Dots are hierarchy separators matching `NavigationService.ComponentKey` computation at runtime.
+
 Clients register their own pages directly:
 
 ```tsx

package/templates/skills/apex/references/post-checks.md

@@ -39,7 +39,7 @@ bash references/checks/infrastructure-checks.sh
 | S8 | BLOCKING | Write endpoints must NOT use Read permissions | security-checks.sh |
 | S9 | BLOCKING | FK relationships must enforce tenant isolation | security-checks.sh |
 
-### Backend — Entity, Service & Controller Checks (V1-V2, C8, C12, C14, C28-C31, C54)
+### Backend — Entity, Service & Controller Checks (V1-V2, C8, C12, C14, C28-C31, C54, C62)
 
 | ID | Severity | Description | Script |
 |----|----------|-------------|--------|
@@ -53,6 +53,7 @@ bash references/checks/infrastructure-checks.sh
 | C30 | BLOCKING | Code regex must support hyphens | backend-checks.sh |
 | C31 | WARNING | CreateDto must NOT have Code field when service uses ICodeGenerator | backend-checks.sh |
 | C54 | BLOCKING | No helper method calls inside .Select() on IQueryable | backend-checks.sh |
+| C62 | WARNING | Services must use TenantContextRequiredException for tenant check, NOT InvalidOperationException | backend-checks.sh |
 
 ### Frontend — CSS, Forms, Components, I18n (C3a, C3-C7, C9, C11, C24-C27, C36-C37, C49, C52)
 
@@ -117,7 +118,7 @@ bash references/checks/infrastructure-checks.sh
 | A7 | WARNING | No direct repository usage in controllers | architecture-checks.sh |
 | A8 | BLOCKING | API endpoints must match handoff apiEndpointSummary | architecture-checks.sh |
 
-### Infrastructure — Migration & Build (C13, C38-C43, C50-C51, C56)
+### Infrastructure — Migration & Build (C13, C38-C43, C50-C51, C56, C60-C61)
 
 | ID | Severity | Description | Script |
 |----|----------|-------------|--------|
@@ -131,6 +132,8 @@ bash references/checks/infrastructure-checks.sh
 | C50 | BLOCKING | NavRoute Uniqueness — no duplicate NavRoute values | infrastructure-checks.sh |
 | C51 | WARNING | NavRoute Segments vs Controller Hierarchy (depth matching) | infrastructure-checks.sh |
 | C56 | BLOCKING | Hierarchy Artifact Completeness — current run only (entities + sections) | infrastructure-checks.sh |
+| C60 | BLOCKING | Controllers must inject ISender _mediator, NOT direct business services | infrastructure-checks.sh |
+| C61 | BLOCKING | Controllers with [NavRoute] must have [Authorize] attribute | infrastructure-checks.sh |
 
 ---