@atlashub/smartstack-cli 4.75.0 → 4.79.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@atlashub/smartstack-cli",
-  "version": "4.75.0",
+  "version": "4.79.0",
   "description": "SmartStack Claude Code automation toolkit - GitFlow, EF Core migrations, prompts and more",
   "author": {
     "name": "SmartStack",

package/templates/project/claude-md/root.CLAUDE.md.template

@@ -96,7 +96,7 @@ Application → Module → Section → Resource
                       Permission: myapp.orders.{action}
 ```
 
-> **Note**: Applications have an `ApplicationZone` property (enum: `Platform`, `Personal`, `Business`) used for UI layout grouping only. It does NOT appear in routes or permissions.
+> **Note (v3.46+)**: The legacy `ApplicationZone` enum has been removed. Applications now have two boolean flags : `IsPersonal` (default `false`) — when `true`, the app belongs to the user's personal scope (e.g. myspace) and bypasses tenant catalog filtering / permission checks ; `IsOpen` (default `false`) — when `true`, the app is accessible without permission checks (replaces the legacy hardcoded OPEN_APPS list in the frontend RouteGuard). Neither flag appears in routes or permission paths — they only steer access control.
 
 ### Permission Actions
 `access` | `read` | `create` | `update` | `delete` | `export` | `import` | `approve` | `reject` | `assign` | `execute`

package/templates/skills/ai-prompt/SKILL.md

@@ -58,6 +58,61 @@ Configured instance: Code, Name, SystemContext, DefaultModel, MonthlyBudgetLimit
 ### OutputSchema
 JSON Schema for validation: Code, Name, JsonSchema, DotNetType
 
+### AiAgent (R17 — v3.46+)
+Multi-step agent with reasoning modes. See [references/ai-agent-modes.md](references/ai-agent-modes.md).
+
+- **AiAgentMode** : `Sequential` (0), `ReAct` (1), `PlanAndExecute` (2), `SelfCorrection` (3)
+- **AiAgentStepRole** : `Worker` (0), `Planner` (1), `Reasoner` (2), `Critic` (3), `Synthesizer` (4)
+- **MaxIterations** (default 5, range 1-20) — protects against infinite loops
+- **QualityThreshold** (default 0.8) — used by `SelfCorrection` mode
+- **AiSkill.CacheTtlSeconds** + **AiSkillBlock.IsCacheable** — caching for idempotent outputs
+
+Default to `Sequential` ; switch to `ReAct`/`PlanAndExecute`/`SelfCorrection` only when needed (cost/latency impact).
+
+### AiTool — function calling (R2 — v3.46+)
+
+Server-side function the model can decide to invoke during a completion. Tools turn skills from one-shot prompts into agentic workflows that can read live data, call external APIs, and condition output on the result.
+
+```csharp
+class AiTool : BaseEntity, IAuditableEntity
+{
+    public string Name { get; }                  // Snake_case, presented to model: "search_database"
+    public string DisplayName { get; }           // Admin UI label
+    public string Description { get; }           // Drives model decision — short, action-oriented
+    public string ParametersSchemaJson { get; }  // JSON Schema of tool arguments
+    public string HandlerKey { get; }            // Stable key → IToolHandler dispatcher
+    public Guid ModuleId { get; }                // Module owns the tool (permissions + admin grouping)
+    public bool IsActive { get; }
+}
+```
+
+- **Many-to-many** with `AiSkill` via `AiSkillTool` (kept as own entity for future per-attachment overrides : required flag, parameter aliasing, max-call budget).
+- **HandlerKey** decouples definition from C# class name (handlers can be renamed without breaking the catalog).
+- When `IsActive = false`, the orchestrator skips the tool even if a skill still references it.
+
+**DO / DON'T:**
+- DO author tool descriptions for the model — short, action-oriented, with preconditions
+- DO snake_case the `Name` (LLM convention)
+- DON'T expose long-running or heavy tools via function calling — prefer Workflow steps
+- DON'T duplicate tool logic across skills — attach the same `AiTool` via `AiSkillTool`
+
+### AiAgentExecution — runtime tracking
+
+Each execution of an `AiAgent` is recorded via `AiAgentExecution` with:
+- `Status` : `Running` / `Completed` / `Failed` / `PartiallyCompleted` / `Cancelled`
+- `ExecutedSteps` / `TotalSteps`
+- `InputStateJson` / `FinalStateJson` (audit trail)
+- **Usage tracking** : `TotalInputTokens`, `TotalOutputTokens`, `TotalCost` (decimal), `TotalExecutionTimeMs`
+- `_stepExecutions` : per-step `AiAgentStepExecution` (with own status, tokens, cost)
+
+Service methods : `IncrementExecutedSteps()`, `MarkCompleted(json)`, `MarkFailed(msg)`, `MarkPartiallyCompleted(json, msg)`, `MarkCancelled(msg)`, `AccumulateUsage(in, out, cost, ms)`, `AddStepExecution(step)`.
+
+**Use** : surface in admin UI (run history, cost dashboard, debug trace). Each agent run produces one `AiAgentExecution` + N `AiAgentStepExecution`.
+
+### AI Evaluation Framework (R10)
+
+For benchmarking skills against expected outputs, see [references/eval-framework.md](references/eval-framework.md). Pattern: `AiEvalDataset` (test cases) + `AiEvaluation` (one run) + `AiEvalResult` (per-item outcome). Provider/model agnostic — same dataset can compare 2 versions of the same skill code.
+
 ## Implementation
 
 Start with [steps/step-00-init.md](steps/step-00-init.md) to gather requirements, then proceed to [steps/step-01-implementation.md](steps/step-01-implementation.md) for:
@@ -95,7 +150,16 @@ Start with [steps/step-00-init.md](steps/step-00-init.md) to gather requirements
 | `Domain/AI/Prompts/Prompt.cs` | Prompt entity |
 | `Domain/AI/Schemas/OutputSchema.cs` | Schema validation |
 | `Domain/AI/AiProviderInstance.cs` | Configured instance |
+| `Domain/AI/Agents/AiAgent.cs` | Multi-step agent (R17 — v3.46+) |
+| `Domain/AI/Agents/AiAgentStep.cs` | Agent step with `Role` (Worker/Planner/Reasoner/Critic/Synthesizer) |
+| `Domain/AI/Agents/AiAgentExecution.cs` | Run tracking (status, tokens, cost, step executions) |
+| `Domain/AI/Skills/AiSkill.cs` | Reusable skill (`CacheTtlSeconds` for cache hint) |
+| `Domain/AI/Tools/AiTool.cs` | Function-calling tool (R2 — v3.46+) |
+| `Domain/AI/Tools/AiSkillTool.cs` | Many-to-many AiSkill ↔ AiTool |
+| `Domain/AI/Evaluations/AiEvalDataset.cs` | Eval dataset (R10 — v3.46+) |
+| `Domain/AI/Evaluations/AiEvaluation.cs` | Eval run with rollup stats |
 | `Application/Common/Interfaces/IAiCompletionService.cs` | Service interface |
+| `Application/Common/Interfaces/IToolHandler.cs` | Tool handler interface (resolved via HandlerKey) |
 | `Infrastructure/Services/AI/AiCompletionService.cs` | Implementation |
 | `web/src/services/api/aiApi.ts` | Frontend API |
 

package/templates/skills/ai-prompt/references/ai-agent-modes.md

@@ -0,0 +1,89 @@
+# AI Agent Modes & Step Roles (R17 — v3.46)
+
+> **Reference for `ai-prompt` skill** — how to choose `AiAgentMode` and `AiAgentStepRole` when scaffolding multi-step AI agents.
+
+## When This Reference Applies
+
+- You create an `AiAgent` with more than one step
+- You need a non-Sequential reasoning mode (loop, plan-then-execute, self-correct)
+- The user asks "how do I make the agent retry", "how do I make it plan first", "what is ReAct"
+
+For single-prompt skills, the basic `Prompt + Block + OutputSchema` pattern is enough — no agent, no mode.
+
+---
+
+## `AiAgentMode` (4 values)
+
+| Mode | Value | Use case | Latency | Cost |
+|---|---|---|---|---|
+| `Sequential` | 0 | Known DAG fan-out / fan-in (analyze → summarize → email) | Low | Low |
+| `ReAct` | 1 | Reasoning + tool loop, plan unknown ahead of time | High | High |
+| `PlanAndExecute` | 2 | Task that can be planned upfront then executed | Medium | Medium |
+| `SelfCorrection` | 3 | Output that can be critiqued and replayed | Medium | Medium-High |
+
+### Recommended configuration
+
+| Field | Default | Range |
+|---|---|---|
+| `MaxIterations` | 5 | [1..20] — protects against infinite loops |
+| `QualityThreshold` | 0.8 | [0..1] — used by `SelfCorrection` to decide replay |
+
+---
+
+## `AiAgentStepRole` (5 values)
+
+| Role | Value | Expected output schema |
+|---|---|---|
+| `Worker` | 0 | Standard skill output (used in `Sequential` mode) |
+| `Planner` | 1 | `{ plan: [{ skillCode, label }] }` — produces the plan in `PlanAndExecute` |
+| `Reasoner` | 2 | `{ action, input }` or `{ final_answer }` — used in `ReAct` |
+| `Critic` | 3 | `{ score: 0..1, feedback?: string }` — used in `SelfCorrection` |
+| `Synthesizer` | 4 | Final aggregated output (`PlanAndExecute` after parallel workers) |
+
+---
+
+## Cache hint (R-cache)
+
+| Field | Type | Purpose |
+|---|---|---|
+| `AiSkill.CacheTtlSeconds` | `int?` | TTL for caching this skill's output (per input hash). Null = no cache. |
+| `AiSkillBlock.IsCacheable` | `bool` | Marks an idempotent block whose output can be reused across executions. |
+
+Only mark a skill / block cacheable when the output is **deterministic for a given input** — otherwise stale answers will be served.
+
+---
+
+## Choosing a mode (decision tree)
+
+```
+Question: do I know the steps in advance?
+  Yes → Sequential
+  No  → Question: can the LLM decide the steps once, then execute?
+          Yes → PlanAndExecute
+          No  → Question: must I let the LLM iterate with tools?
+                  Yes → ReAct
+                  No  → SelfCorrection (single attempt + critique loop)
+```
+
+---
+
+## DO / DON'T
+
+| ✅ DO | ❌ DON'T |
+|---|---|
+| Start with `Sequential` — switch to other modes only when needed | Default to `ReAct` (expensive, hard to debug) |
+| Cap `MaxIterations` at the smallest number that satisfies your case | Leave the default 5 for `ReAct` on long-running tasks (set 10-15) |
+| Set `QualityThreshold` based on prompt evaluation results | Pick `0.8` blindly — measure on your eval dataset |
+| Use `Critic` role with a structured output schema | Let the critic return free-form text |
+| Cache only deterministic, idempotent skills | Cache anything that uses `now()` or randomness |
+
+---
+
+## Reference source files (read-only)
+
+- `D:\01 - projets\SmartStack.app\features\IA-Workflow\src\SmartStack.Domain\AI\Agents\AiAgent.cs`
+- `D:\01 - projets\SmartStack.app\features\IA-Workflow\src\SmartStack.Domain\AI\Agents\AiAgentMode.cs`
+- `D:\01 - projets\SmartStack.app\features\IA-Workflow\src\SmartStack.Domain\AI\Agents\AiAgentStep.cs`
+- `D:\01 - projets\SmartStack.app\features\IA-Workflow\src\SmartStack.Domain\AI\Agents\AiAgentStepRole.cs`
+- `D:\01 - projets\SmartStack.app\features\IA-Workflow\src\SmartStack.Domain\AI\Skills\AiSkill.cs` (CacheTtlSeconds)
+- `D:\01 - projets\SmartStack.app\features\IA-Workflow\src\SmartStack.Domain\AI\Skills\AiSkillBlock.cs` (IsCacheable)

package/templates/skills/ai-prompt/references/eval-framework.md

@@ -0,0 +1,129 @@
+# AI Evaluation Framework (R10 — v3.46+)
+
+> **Reference for `ai-prompt` skill** — how to evaluate AI skills against expected outputs.
+
+## When This Reference Applies
+
+- You are about to ship a new prompt or change an existing one
+- You need to compare two versions of the same skill (`v1.0.0` vs `v1.1.0`)
+- You want to benchmark the same prompt across providers/models (OpenAI vs Claude vs Gemini)
+- The user asks "how do I test my prompt", "how do I prevent regression", "how do I A/B prompts"
+
+For one-shot manual testing during development, the eval framework is overkill — call the skill directly. Use this framework when you want **reproducible, scored, auditable** runs.
+
+---
+
+## The 4 entities
+
+### `AiEvalDataset` — collection of test cases
+
+```csharp
+class AiEvalDataset : BaseEntity, IAuditableEntity
+{
+    public string Code { get; }                  // kebab-case stable id, e.g. "support-classification-v1"
+    public string Name { get; }
+    public string? Description { get; }
+    public IReadOnlyCollection<AiEvalDatasetItem> Items { get; }
+}
+```
+
+**Provider/model agnostic** : the same dataset can be replayed against multiple skills, providers and models to compare quality and cost.
+
+### `AiEvalDatasetItem` — one test case
+
+```csharp
+class AiEvalDatasetItem
+{
+    public Guid DatasetId { get; }
+    public string Label { get; }                 // Human-readable name for the case
+    public string VariablesJson { get; }         // Inputs to feed into the skill
+    public string ExpectedOutputJson { get; }    // Expected result (for grading)
+}
+```
+
+### `AiEvaluation` — one run
+
+```csharp
+class AiEvaluation : BaseEntity, IAuditableEntity
+{
+    public Guid SkillId { get; }                 // Which skill was tested
+    public Guid DatasetId { get; }               // Which dataset was replayed
+    public AiEvaluationStatus Status { get; }    // Running / Completed / Failed
+    public DateTime StartedAt { get; }
+    public DateTime? CompletedAt { get; }
+    public int ProcessedItems { get; }
+    public int TotalItems { get; }
+    public int PassedItems { get; }              // Items whose actual output matched expected
+    public double? AverageScore { get; }         // [0..1], null while in progress
+    public IReadOnlyCollection<AiEvalResult> Results { get; }
+}
+
+enum AiEvaluationStatus { Running = 0, Completed = 1, Failed = 2 }
+```
+
+Service methods : `RecordResult(AiEvalResult)`, `MarkCompleted()`, `MarkFailed(reason)`. The aggregate computes `AverageScore` from the per-item `Score` values when completed.
+
+### `AiEvalResult` — per-item outcome
+
+Records actual output vs expected, the score (0..1), pass/fail flag, and any tokens/cost incurred.
+
+---
+
+## Workflow
+
+```
+1. Curate dataset
+   └─ AiEvalDataset.Create("support-classification-v1", "Support classification — 50 cases")
+      └─ AddItem("simple billing question", { "ticket": "..." }, { "category": "billing" })
+      └─ AddItem("urgent outage report",   { "ticket": "..." }, { "category": "incident" })
+      └─ … 48 more items
+
+2. Run evaluation against current skill version
+   └─ AiEvaluation.Create(skillId, datasetId, totalItems: 50)
+      └─ For each item: invoke skill, grade output, RecordResult(actual, expected, score)
+      └─ MarkCompleted()
+      └─ Stored AverageScore = 0.86 (43/50 passed)
+
+3. Iterate — change prompt / blocks / model
+   └─ New AiEvaluation against same dataset
+   └─ Compare AverageScore : 0.86 → 0.92 (+0.06)
+
+4. Decide
+   └─ If new score significantly higher : promote prompt version
+   └─ If equal or lower : revert
+```
+
+---
+
+## DO / DON'T
+
+| ✅ DO | ❌ DON'T |
+|---|---|
+| Build datasets from real production examples (anonymised) | Use synthetic / hallucinated test cases as the only ones |
+| Stabilise dataset.Code — never rename, only add new datasets | Mutate dataset items after first run (compromises history) |
+| Grade with structured comparison (JSON match, key fields, semantic distance) | Grade with substring search / regex |
+| Track cost per evaluation — reject prompt changes that 3× cost for marginal score | Optimise for score alone |
+| Run evals as part of the prompt-change PR review | Ship prompt changes without an eval baseline |
+| Keep `AverageScore` as the single headline metric | Multiply scoring criteria — pick one and stick to it |
+
+---
+
+## Wiring into a release pipeline
+
+A prompt change should run the relevant evaluation as part of CI:
+
+1. PR opens with a new prompt version (`v1.1.0`).
+2. CI invokes a Command that creates an `AiEvaluation(skillId, datasetId, totalItems)` against `v1.1.0`.
+3. CI compares `AverageScore` of `v1.1.0` vs the latest passing eval of `v1.0.0`.
+4. PR is annotated with the delta. Score regression > 5% → PR blocked.
+
+---
+
+## Reference source files (read-only)
+
+- `D:\01 - projets\SmartStack.app\features\IA-Workflow\src\SmartStack.Domain\AI\Evaluations\AiEvalDataset.cs`
+- `D:\01 - projets\SmartStack.app\features\IA-Workflow\src\SmartStack.Domain\AI\Evaluations\AiEvalDatasetItem.cs`
+- `D:\01 - projets\SmartStack.app\features\IA-Workflow\src\SmartStack.Domain\AI\Evaluations\AiEvaluation.cs`
+- `D:\01 - projets\SmartStack.app\features\IA-Workflow\src\SmartStack.Domain\AI\Evaluations\AiEvalResult.cs`
+
+See also [ai-agent-modes.md](ai-agent-modes.md) for `MaxIterations` / `QualityThreshold` (used by `SelfCorrection` mode in conjunction with eval scores).

package/templates/skills/apex/SKILL.md

@@ -26,8 +26,8 @@ Execute incremental SmartStack development using the APEX methodology. This skil
 /apex -e add status field to Project entity          # Economy (no agents)
 /apex -r                                             # Resume previous
 
-# From /sketch (vague idea → precise command):
-/sketch une app RH avec employés et absences         # → generates /apex command
+# From /business-analyse-quick (vague idea → Mini-PRD):
+/business-analyse-quick une app RH avec employés     # → generates PRD for /apex -d
 
 # From /business-analyse-develop (automated multi-module):
 # /business-analyse-develop delegates to /apex -d automatically

package/templates/skills/apex/references/checks/frontend-checks.sh

@@ -191,28 +191,74 @@ if [ -n "$ALL_PAGES" ]; then
   fi
 fi
 
-# POST-CHECK C9: No hardcoded Tailwind colors in generated pages (WARNING)
+# POST-CHECK C9: No hardcoded Tailwind colors in generated pages (BLOCKING)
+# v3.46+ : tightened enforcement. Theme system via CSS variables is mandatory.
 ALL_PAGES=$(find src/pages/ src/components/ -name "*.tsx" 2>/dev/null | grep -v node_modules | grep -v "\.test\." || true)
 if [ -n "$ALL_PAGES" ]; then
-  HARDCODED=$(grep -Pn '(bg|text|border)-(?!\[)(red|blue|green|gray|white|black|slate|zinc|neutral|stone)-' $ALL_PAGES 2>/dev/null || true)
+  # Extended palette: catches Tailwind 22 named colors + white/black
+  # Excludes status `text-white`/`text-black` ONLY when used as foreground over a CSS-var background (rare)
+  HARDCODED=$(grep -Pn '(bg|text|border)-(?!\[)(red|blue|green|gray|white|black|slate|zinc|neutral|stone|amber|yellow|orange|purple|indigo|violet|cyan|pink|emerald|rose|sky|teal|lime|fuchsia)-' $ALL_PAGES 2>/dev/null || true)
   if [ -n "$HARDCODED" ]; then
-    echo "WARNING: Pages MUST use CSS variables instead of hardcoded Tailwind colors"
-    echo "SmartStack uses a theme system — hardcoded colors break dark mode and custom themes"
+    echo "BLOCKING (C9): Pages MUST use CSS variables instead of hardcoded Tailwind colors."
+    echo "SmartStack uses a theme system — hardcoded colors break dark mode and custom themes."
     echo ""
-    echo "Fix mapping:"
+    echo "Fix mapping (canonical SmartStack tokens):"
     echo "  bg-white         → bg-[var(--bg-card)]"
     echo "  bg-gray-50       → bg-[var(--bg-primary)]"
+    echo "  bg-gray-100      → bg-[var(--bg-secondary)]"
+    echo "  bg-gray-200      → bg-[var(--bg-tertiary)]"
     echo "  text-gray-900    → text-[var(--text-primary)]"
-    echo "  text-gray-500    → text-[var(--text-secondary)]"
+    echo "  text-gray-700    → text-[var(--text-secondary)]"
+    echo "  text-gray-500    → text-[var(--text-tertiary)]"
+    echo "  text-gray-400    → text-[var(--text-muted)]"
     echo "  border-gray-200  → border-[var(--border-color)]"
-    echo "  bg-blue-600      → bg-[var(--color-accent-500)]"
-    echo "  text-blue-600    → text-[var(--color-accent-500)]"
-    echo "  text-red-500     → text-[var(--error-text)]"
-    echo "  bg-green-500     → bg-[var(--success-bg)]"
+    echo "  border-gray-100  → border-[var(--border-subtle)]"
+    echo "  bg-blue-*        → bg-[var(--info-bg)]   (semantic info)"
+    echo "  bg-blue-600      → bg-[var(--color-accent-600)] (action button)"
+    echo "  text-blue-600    → text-[var(--color-accent-600)]"
+    echo "  text-red-*       → text-[var(--error-text)]"
+    echo "  bg-red-500/10    → bg-[var(--error-bg)]"
+    echo "  text-yellow-*    → text-[var(--warning-text)]"
+    echo "  bg-amber-500/10  → bg-[var(--warning-bg)]"
+    echo "  bg-green-*       → bg-[var(--success-bg)]"
+    echo "  text-green-*     → text-[var(--success-text)]"
     echo ""
-    echo "See references/smartstack-frontend.md section 4 for full variable reference"
+    echo "Status badges → use the 4 status token sets : --success-*, --warning-*, --error-*, --info-*"
+    echo "  Example: 'bg-[var(--info-bg)] text-[var(--info-text)] border border-[var(--info-border)]'"
+    echo ""
+    echo "Avoid Tailwind \`dark:\` prefix — SmartStack toggles a \`.dark\` class on <html> and CSS vars adapt automatically."
+    echo ""
+    echo "References:"
+    echo "  - templates/skills/application/references/themes-db-driven.md (full token list)"
+    echo "  - templates/skills/ui-components/style-guide.md (DO/DON'T)"
     echo ""
     echo "$HARDCODED"
+    FAIL=true
+  fi
+fi
+
+# POST-CHECK C9b: Avoid Tailwind dark: prefix — SmartStack uses .dark class on root (BLOCKING)
+ALL_PAGES=$(find src/pages/ src/components/ -name "*.tsx" 2>/dev/null | grep -v node_modules | grep -v "\.test\." || true)
+if [ -n "$ALL_PAGES" ]; then
+  DARK_PREFIX=$(grep -PnH '\bdark:(bg|text|border)-' $ALL_PAGES 2>/dev/null || true)
+  if [ -n "$DARK_PREFIX" ]; then
+    echo "BLOCKING (C9b): Tailwind 'dark:' prefix detected — incompatible with SmartStack theme system."
+    echo "SmartStack toggles a '.dark' class on <html> ; CSS vars (var(--bg-*), var(--text-*)) adapt automatically."
+    echo "Fix: remove 'dark:' prefix and rely on CSS vars instead."
+    echo "$DARK_PREFIX"
+    FAIL=true
+  fi
+fi
+
+# POST-CHECK C9c: No hex colors in className (BLOCKING)
+ALL_PAGES=$(find src/pages/ src/components/ -name "*.tsx" 2>/dev/null | grep -v node_modules | grep -v "\.test\." || true)
+if [ -n "$ALL_PAGES" ]; then
+  HEX_CN=$(grep -PnH 'className=[^>]*\[(#[0-9a-fA-F]{3,8})\]' $ALL_PAGES 2>/dev/null || true)
+  if [ -n "$HEX_CN" ]; then
+    echo "BLOCKING (C9c): Hex colors in className detected — must use CSS vars."
+    echo "Fix: replace #xxxxxx by var(--xxx) from the SmartStack token set."
+    echo "$HEX_CN"
+    FAIL=true
   fi
 fi
 
@@ -324,6 +370,46 @@ if [ -n "$TSX_PAGES" ] && [ -z "$DOC_DATA" ]; then
   echo "The DocToggleButton in page headers will link to this documentation"
 fi
 
+# POST-CHECK C28: i18n namespace consistency across the 4 languages (BLOCKING)
+# Each language directory must have the same set of JSON namespaces.
+# Reference language is the one with the most files (usually fr or en).
+I18N_BASE=$(find src/i18n/locales -maxdepth 1 -type d 2>/dev/null | grep -E "/(fr|en|it|de)$" || true)
+if [ -n "$I18N_BASE" ]; then
+  # Build sorted file lists per language (basename only, .json suffix)
+  FR_FILES=$(find src/i18n/locales/fr -maxdepth 1 -name "*.json" -exec basename {} \; 2>/dev/null | sort -u || true)
+  EN_FILES=$(find src/i18n/locales/en -maxdepth 1 -name "*.json" -exec basename {} \; 2>/dev/null | sort -u || true)
+  IT_FILES=$(find src/i18n/locales/it -maxdepth 1 -name "*.json" -exec basename {} \; 2>/dev/null | sort -u || true)
+  DE_FILES=$(find src/i18n/locales/de -maxdepth 1 -name "*.json" -exec basename {} \; 2>/dev/null | sort -u || true)
+
+  # Pick the largest set as the canonical reference (excludes *_tmp.json which is intentionally orphan)
+  REF_FILES=$(echo -e "$FR_FILES\n$EN_FILES\n$IT_FILES\n$DE_FILES" | grep -v "_tmp\." | sort -u)
+
+  if [ -n "$REF_FILES" ]; then
+    FAIL_C28=false
+    for LANG in fr en it de; do
+      LANG_FILES=$(find src/i18n/locales/$LANG -maxdepth 1 -name "*.json" -exec basename {} \; 2>/dev/null | grep -v "_tmp\." | sort -u || true)
+      MISSING=$(comm -23 <(echo "$REF_FILES") <(echo "$LANG_FILES") || true)
+      if [ -n "$MISSING" ]; then
+        echo "BLOCKING (C28): i18n language '$LANG' is missing namespaces present in other languages:"
+        echo "$MISSING" | sed 's/^/  - /'
+        echo "  Fix: create the missing JSON file(s) in src/i18n/locales/$LANG/ — even a stub {} is better than the runtime crash on a missing namespace."
+        FAIL_C28=true
+      fi
+    done
+
+    # Detect orphan _tmp.json files (intentional but should be cleaned up)
+    ORPHAN=$(find src/i18n/locales -name "*_tmp.json" 2>/dev/null || true)
+    if [ -n "$ORPHAN" ]; then
+      echo "WARNING (C28): orphan *_tmp.json file(s) detected — clean up after migration:"
+      echo "$ORPHAN" | sed 's/^/  - /'
+    fi
+
+    if [ "$FAIL_C28" = true ]; then
+      FAIL=true
+    fi
+  fi
+fi
+
 # POST-CHECK C36: Frontend navigate() calls must have matching route definitions (CRITICAL)
 PAGE_FILES=$(find web/ -name "*.tsx" -path "*/pages/*" ! -name "*.test.tsx" 2>/dev/null || true)
 if [ -n "$PAGE_FILES" ]; then
@@ -443,6 +529,32 @@ if [ -n "$APP_TSX" ]; then
   fi
 fi
 
+# POST-CHECK C64: ListPages must have Create/New button (BLOCKING)
+# Every ListPage must contain a navigate('create') or Link to="create" for the New button.
+# Without it, users cannot access the create form (broken CRUD workflow).
+# Note: C5 catches dead links (navigate exists but page missing). C64 catches missing buttons entirely.
+LIST_PAGES=$(find web/ src/pages/ -name "*ListPage.tsx" 2>/dev/null | grep -v node_modules | grep -v "\.test\." | grep -v "\.spec\." || true)
+if [ -n "$LIST_PAGES" ]; then
+  FAIL_C64=false
+  for LP in $LIST_PAGES; do
+    # Skip dashboard-like list pages (no CRUD expected)
+    if echo "$LP" | grep -qiP "dashboard|calendar|approve|balance"; then
+      continue
+    fi
+    HAS_CREATE_NAV=$(grep -P "navigate\(.*['\"\`]create['\"\`]|navigate\(.*['\"\`].*\/create['\"\`]|to=['\"\`]create['\"\`]|to=\{.*create.*\}" "$LP" 2>/dev/null || true)
+    if [ -z "$HAS_CREATE_NAV" ]; then
+      echo "BLOCKING: ListPage missing Create/New button: $LP"
+      echo "  Every ListPage MUST have a 'New' button with navigate('create') in the page header."
+      echo "  Without it, users cannot access the create form — CRUD workflow is broken."
+      echo "  Fix: Add to page header: <button onClick={() => navigate('create')}>New</button>"
+      FAIL_C64=true
+    fi
+  done
+  if [ "$FAIL_C64" = true ]; then
+    FAIL=true
+  fi
+fi
+
 if [ "$FAIL" = true ]; then
   exit 1
 fi

package/templates/skills/apex/references/checks/seed-checks.sh

@@ -41,9 +41,6 @@ if [ -n "$APP_TSX" ] && [ -n "$SEED_ROUTES" ]; then
       SEED_NORM=$(echo "$SEED_SUFFIX" | tr '[:upper:]' '[:lower:]' | tr -d '-')
       MATCH_FOUND=false
       for FE_PATH in $FRONTEND_PATHS; do
-        if echo "$FE_PATH" | grep -qP '/list$'; then
-          echo "WARNING: Frontend route ends with /list — should use index route instead: $FE_PATH"
-        fi
         FE_BASE=$(echo "$FE_PATH" | sed 's|/list$||;s|/new$||;s|/:id.*||;s|/create$||')
         FE_NORM=$(echo "$FE_BASE" | tr '[:upper:]' '[:lower:]' | tr -d '-')
         if [ "$SEED_NORM" = "$FE_NORM" ]; then
@@ -174,14 +171,13 @@ if [ -n "$SECTION_SEED_FILES" ] && [ -n "$PERM_FILE" ]; then
   done
 fi
 
-# POST-CHECK C21: FORBIDDEN route patterns — /list and /detail/:id (WARNING)
+# POST-CHECK C21: FORBIDDEN route patterns — /detail/:id (WARNING)
 SEED_NAV_FILES=$(find src/ -path "*/Seeding/Data/*" -name "*NavigationSeedData.cs" -o -name "*NavigationSectionSeedData.cs" 2>/dev/null)
 if [ -n "$SEED_NAV_FILES" ]; then
-  BAD_ROUTES=$(grep -Pn 'Route\s*=\s*.*"[^"]*/(list|detail)["/]' $SEED_NAV_FILES 2>/dev/null | grep -v '//.*Route' || true)
+  BAD_ROUTES=$(grep -Pn 'Route\s*=\s*.*"[^"]*/(detail)["/]' $SEED_NAV_FILES 2>/dev/null | grep -v '//.*Route' || true)
   if [ -n "$BAD_ROUTES" ]; then
     echo "WARNING: FORBIDDEN route pattern in seed data"
-    echo "  - 'list' section route = module route (NO /list suffix)"
-    echo "  - 'detail' section route = module route + /:id (NOT /detail/:id)"
+    echo "  - 'detail' is an implicit route — do NOT use /detail/:id as section route"
     echo "$BAD_ROUTES"
   fi
 fi
@@ -531,6 +527,84 @@ if [ "$HAS_GLOBAL_CONVERTER" = false ]; then
   fi
 fi
 
+# POST-CHECK C63: Reserved section codes must NOT be seeded as visible menu items (BLOCKING)
+# Reserved codes: detail, create, edit, *-detail
+# These are internal route targets resolved by DynamicRouter convention, NOT sidebar menu items.
+SEED_NAV_FILES=$(find src/ -path "*/Seeding/Data/*" \( -name "*NavigationSeedData.cs" -o -name "*NavigationModuleSeedData.cs" \) 2>/dev/null)
+if [ -n "$SEED_NAV_FILES" ]; then
+  for f in $SEED_NAV_FILES; do
+    for RESERVED in detail create edit; do
+      # Pattern A: SectionData record — new("detail", ...)
+      MATCHES=$(grep -Pn "new\s*\(\s*\"${RESERVED}\"" "$f" 2>/dev/null || true)
+      if [ -n "$MATCHES" ]; then
+        echo "BLOCKING: Reserved section code '${RESERVED}' seeded as menu item in $f"
+        echo "$MATCHES"
+        echo "  Reserved codes (detail, create, edit) are internal route targets, NOT sidebar menu items."
+        echo "  Fix: Remove this section entry. DynamicRouter resolves /:id, /create, /:id/edit by convention."
+        FAIL=true
+      fi
+      # Pattern B: NavigationSectionSeedEntry — Code = "detail"
+      MATCHES=$(grep -Pn "Code\s*=\s*\"${RESERVED}\"" "$f" 2>/dev/null || true)
+      if [ -n "$MATCHES" ]; then
+        # Check if IsActive = false is nearby (acceptable)
+        HAS_INACTIVE=$(grep -A 10 "Code\s*=\s*\"${RESERVED}\"" "$f" | grep -P "IsActive\s*=\s*false" 2>/dev/null || true)
+        if [ -z "$HAS_INACTIVE" ]; then
+          echo "BLOCKING: Reserved section code '${RESERVED}' seeded with IsActive=true in $f"
+          echo "$MATCHES"
+          echo "  Fix: Remove this section, or set IsActive = false."
+          FAIL=true
+        fi
+      fi
+    done
+    # Check for *-detail codes (e.g., department-detail)
+    DETAIL_SUFFIX=$(grep -Pn "new\s*\(\s*\"[a-z]+-detail\"" "$f" 2>/dev/null || true)
+    if [ -z "$DETAIL_SUFFIX" ]; then
+      DETAIL_SUFFIX=$(grep -Pn "Code\s*=\s*\"[a-z]+-detail\"" "$f" 2>/dev/null || true)
+    fi
+    if [ -n "$DETAIL_SUFFIX" ]; then
+      echo "BLOCKING: Section code with '-detail' suffix seeded as menu item in $f"
+      echo "$DETAIL_SUFFIX"
+      echo "  Detail routes are the /:id route of their parent section."
+      echo "  Fix: Remove this section entry. Use parent section's /:id route instead."
+      FAIL=true
+    fi
+  done
+fi
+
+# POST-CHECK C66: ApplicationZone enum removed in v3.46 (BLOCKING)
+# Detects any leftover reference to the removed ApplicationZone enum or Zone column.
+SEED_FILES=$(find src/ -path "*/Seeding/Data/*" -name "*.cs" 2>/dev/null)
+DOMAIN_FILES=$(find src/ -path "*/Domain/Navigation/*" -name "*.cs" 2>/dev/null)
+INFRA_FILES=$(find src/ -path "*/Infrastructure/Persistence/Configurations/Navigation/*" -name "*.cs" 2>/dev/null)
+APP_FILES=$(find src/ -path "*/Application/Navigation/*" -name "*.cs" 2>/dev/null)
+ALL_NAV_FILES="$SEED_FILES $DOMAIN_FILES $INFRA_FILES $APP_FILES"
+if [ -n "$ALL_NAV_FILES" ]; then
+  BAD_ZONE=$(grep -Pn 'ApplicationZone\.\w+|public\s+ApplicationZone\s+Zone|HasColumnName\("Zone"\)|Zone\s*=\s*ApplicationZone' $ALL_NAV_FILES 2>/dev/null || true)
+  if [ -n "$BAD_ZONE" ]; then
+    echo "BLOCKING (C66): ApplicationZone enum has been removed in SmartStack v3.46."
+    echo "Replace by IsPersonal (bool, true => myspace scope) and/or IsOpen (bool, true => bypass permissions)."
+    echo "$BAD_ZONE"
+    echo "Fix: NavigationApplication.Create(code, label, ..., isOpen: false, isPersonal: false)"
+    echo "Reference: templates/skills/apex/references/core-seed-data.md (v3.46+ section)"
+    FAIL=true
+  fi
+fi
+
+# POST-CHECK C67: Legacy domain-specific layouts removed in v3.46 (BLOCKING)
+# AdminLayout / BusinessLayout / UserLayout / HRLayout / SalesLayout no longer exist.
+TSX_FILES=$(find web/ -name "*.tsx" -not -path "*/node_modules/*" 2>/dev/null; find src/ -name "*.tsx" -not -path "*/node_modules/*" 2>/dev/null)
+if [ -n "$TSX_FILES" ]; then
+  BAD_LAYOUT=$(grep -PnH '<\s*(AdminLayout|BusinessLayout|UserLayout|HRLayout|SalesLayout)\b|from\s+["'\''][^"'\'']*\/(AdminLayout|BusinessLayout|UserLayout|HRLayout|SalesLayout)["'\'']' $TSX_FILES 2>/dev/null || true)
+  if [ -n "$BAD_LAYOUT" ]; then
+    echo "BLOCKING (C67): Legacy layouts (AdminLayout/BusinessLayout/UserLayout/HRLayout/SalesLayout) have been removed in v3.46."
+    echo "Use AppLayout — the sole shell for authenticated application routes."
+    echo "$BAD_LAYOUT"
+    echo "Fix: Replace by <AppLayout /> (no domain-specific shell anymore)."
+    echo "Reference: templates/skills/application/references/frontend-route-naming.md"
+    FAIL=true
+  fi
+fi
+
 if [ "$FAIL" = true ]; then
   exit 1
 fi