@atlashub/smartstack-cli 4.75.0 → 4.79.0

package/templates/skills/apex/steps/step-03d-layer3-frontend.md

@@ -41,6 +41,108 @@ if (delegate_mode && specification_loading_plan) {
 > - **Dashboard pages**: use `screen.kpis[]` for KPI card and chart definitions
 > - **Actions**: use `screen.actions[]` for action buttons (create, export, bulk operations)
 
+### Build Per-Entity PRD Context Block (delegate mode)
+
+> **CRITICAL:** This block builds the authoritative specification that MUST be passed to `/ui-components`.
+> Without it, `/ui-components` infers columns from entity structure and misses PRD-specified fields
+> (e.g., Person Extension Pattern display fields like DisplayFirstName, DisplayLastName).
+
+When companion specs are loaded, build a `{prd_context}` map keyed by entity name:
+
+```javascript
+const prdContextMap = {};  // entityName → structured PRD block
+
+if (screensData?.sections) {
+  for (const section of screensData.sections) {
+    for (const resource of (section.resources || [])) {
+      if (!resource.entity) continue;
+      const entityName = resource.entity;
+
+      if (!prdContextMap[entityName]) {
+        prdContextMap[entityName] = { screens: [], labels: {}, permissions: [] };
+      }
+
+      // Collect screen resource specs
+      prdContextMap[entityName].screens.push({
+        sectionCode: section.code,
+        sectionType: section.sectionType,
+        resourceType: resource.type,
+        columns: resource.columns || null,
+        fields: resource.fields || null,
+        actions: resource.actions || [],
+        defaultSort: resource.defaultSort || null,
+        defaultPageSize: resource.defaultPageSize || 20
+      });
+
+      // Collect section labels (4 languages)
+      if (section.labels) {
+        prdContextMap[entityName].labels[section.code] = section.labels;
+      }
+
+      // Collect permissions
+      if (section.permission) {
+        prdContextMap[entityName].permissions.push(section.permission);
+      }
+    }
+  }
+}
+```
+
+Then, for each entity, serialize the PRD context into a text block to inject into `/ui-components`:
+
+```javascript
+function buildPrdBlock(entityName) {
+  const ctx = prdContextMap[entityName];
+  if (!ctx || ctx.screens.length === 0) return '';
+
+  let block = '\n--- PRD SPECIFICATION (AUTHORITATIVE — use these EXACT definitions) ---\n';
+
+  // SmartTable columns
+  const tableScreens = ctx.screens.filter(s => s.resourceType === 'SmartTable' && s.columns);
+  for (const screen of tableScreens) {
+    block += `\nCOLUMNS for DataTable (section: "${screen.sectionCode}") — use ALL, in this EXACT order:\n`;
+    for (const col of screen.columns) {
+      block += `  - key: "${col.field}", label_fr: "${col.label?.fr || col.field}", ` +
+               `label_en: "${col.label?.en || col.field}", format: "${col.format}", ` +
+               `sortable: ${col.sortable || false}\n`;
+    }
+    if (screen.actions.length > 0) {
+      block += `ACTIONS: ${screen.actions.join(', ')}\n`;
+    }
+    if (screen.defaultSort) {
+      block += `DEFAULT SORT: field="${screen.defaultSort.field}", direction="${screen.defaultSort.direction}"\n`;
+    }
+    block += `PAGE SIZE: ${screen.defaultPageSize}\n`;
+  }
+
+  // SmartForm fields
+  const formScreens = ctx.screens.filter(s => s.resourceType === 'SmartForm' && s.fields);
+  for (const screen of formScreens) {
+    block += `\nFORM FIELDS (section: "${screen.sectionCode}"):\n`;
+    for (const field of screen.fields) {
+      block += `  - name: "${field.name}", type: "${field.type}", required: ${field.required || false}\n`;
+    }
+  }
+
+  // Labels
+  block += '\nSECTION LABELS (use for page titles, breadcrumbs, i18n — 4 languages):\n';
+  for (const [code, labels] of Object.entries(ctx.labels)) {
+    block += `  ${code}: fr="${labels.fr}" en="${labels.en}" it="${labels.it}" de="${labels.de}"\n`;
+  }
+
+  // Permissions
+  if (ctx.permissions.length > 0) {
+    block += `\nPERMISSIONS: ${ctx.permissions.join(', ')}\n`;
+  }
+
+  block += '--- END PRD SPECIFICATION ---\n';
+  return block;
+}
+```
+
+**Usage:** When invoking `Skill("ui-components")`, append `buildPrdBlock(entityName)` to the arguments.
+The `/ui-components` skill reads free-text instructions — the structured block is parsed naturally.
+
 ### ⛔ HARD RULE — /ui-components is NON-NEGOTIABLE (read BEFORE any Layer 3 action)
 
 > **VIOLATION CHECK:** If ANY .tsx page file was created by Write tool WITHOUT
@@ -130,6 +232,15 @@ For each module:
   → Create{Section}Page.tsx (/create route)
   → Edit{Section}Page.tsx (/:id/edit route)
   "detail" is NEVER a separate section — it's the /:id route of the list section.
+- **CRUD Page Completeness (MANDATORY for every entity section with a ListPage):**
+  1. ALL 4 page types MUST exist (List, Detail, Create/Form, Edit/Form)
+  2. **Create button on ListPage (MANDATORY):** Every ListPage MUST include a "New" / "Create" button
+     in the header that calls `navigate('create')`. Without this button, users cannot access the create form.
+  3. **componentRegistry registration:** ALL page types MUST be registered via `PageRegistry.register()`.
+     After `scaffold_routes`, verify the registry contains keys for ALL pages.
+     If form pages (create/edit) are missing from registry, add them manually.
+  4. **POST-CHECK Gate PG-2b:** Grep every `*ListPage.tsx` for `navigate.*create`.
+     If absent → BLOCKING error — add the create button before proceeding.
 - Pages: **MANDATORY — INVOKE Skill("ui-components")** for ALL page generation.
   ⚠ BLOCKING REQUIREMENT: You MUST call Skill("ui-components") for EVERY page (.tsx).
   NEVER generate .tsx page code directly. NEVER write page content in Agent prompts.
@@ -245,13 +356,17 @@ IF NOT economy_mode AND entities.length > 1:
   # PHASE B — Sequential: pages via /ui-components (principal agent)
   # Snipper agents cannot call Skill() — only the principal agent can.
   For each entity (sequentially):
-    **INVOKE Skill("ui-components")** — pass entity context:
+    **INVOKE Skill("ui-components")** — pass entity context + PRD spec:
       - Entity: {EntityName}, Module: {ModuleName}, App: {AppName}
       - Page types: List, Detail, Create, Edit (+ Dashboard if applicable)
       - "CSS: Use CSS variables ONLY — bg-[var(--bg-card)], text-[var(--text-primary)]"
       - "Forms: Create/Edit are FULL PAGES with own routes (/create, /:id/edit)"
       - "FK FIELDS: EntityLookup for ALL FK Guid fields"
       - "I18n: ALL text uses t('namespace:key', 'Fallback')"
+      - {buildPrdBlock(EntityName)} — append the PRD specification block from companion specs
+      - "COLUMNS ARE AUTHORITATIVE: Do NOT infer columns from entity attributes. Use ALL columns from the PRD SPECIFICATION block above, in the EXACT order listed. Do NOT add, remove, or reorder columns."
+      - "LABELS ARE AUTHORITATIVE: Use PRD SECTION LABELS for i18n t() fallback text and page titles. Do NOT invent labels."
+      - "ACTIONS ARE AUTHORITATIVE: Implement ALL action buttons listed in the PRD SPECIFICATION (create, edit, delete, approve, reject, export, etc.)."
     Generate form tests: co-located .test.tsx for Create and Edit pages
 
 ELSE:
@@ -263,12 +378,16 @@ ELSE:
     2. MCP scaffold_routes (outputFormat: 'componentRegistry')
     3. Verify PageRegistry registration (componentRegistry.generated.ts)
        No manual App.tsx wiring needed — DynamicRouter resolves at runtime
-    4. **INVOKE Skill("ui-components")** — pass entity context:
+    4. **INVOKE Skill("ui-components")** — pass entity context + PRD spec:
        - Entity: {EntityName}, Module: {ModuleName}, App: {AppName}
        - Page types: List, Detail, Create, Edit (+ Dashboard if applicable)
        - "CSS: Use CSS variables ONLY — bg-[var(--bg-card)], text-[var(--text-primary)]"
        - "Forms: Create/Edit are FULL PAGES with own routes (/create, /:id/edit)"
        - "I18n: ALL text uses t('namespace:key', 'Fallback')"
+       - {buildPrdBlock(EntityName)} — append the PRD specification block from companion specs
+       - "COLUMNS ARE AUTHORITATIVE: Do NOT infer columns from entity attributes. Use ALL columns from the PRD SPECIFICATION block above, in the EXACT order listed."
+       - "LABELS ARE AUTHORITATIVE: Use PRD SECTION LABELS for i18n t() fallback text."
+       - "ACTIONS ARE AUTHORITATIVE: Implement ALL action buttons listed in the PRD SPECIFICATION."
     5. I18n: 4 JSON files (fr, en, it, de) + register namespace in i18n config
     6. Form tests: co-located .test.tsx for Create and Edit pages
 ```
@@ -300,6 +419,9 @@ When delegating to `/ui-components` skill, include explicit instructions:
 - "Forms: Create/Edit forms are FULL PAGES with own routes (e.g., `/create`, `/:id/edit`)."
 - "I18n: ALL text must use `t('namespace:key', 'Fallback')`. Generate JSON files in `src/i18n/locales/`."
 - "Hooks: MUST use apiClient from @/services/api — NEVER raw fetch() or direct axios import."
+- "PRD COLUMNS: If a `--- PRD SPECIFICATION ---` block is present, use its columns[] as the EXACT DataTable columns. Do NOT add, remove, or reorder. Do NOT infer columns from entity attributes — the PRD is the source of truth."
+- "PRD LABELS: If a `--- PRD SPECIFICATION ---` block is present, use its SECTION LABELS for page titles and i18n fallback text in all 4 languages."
+- "PRD ACTIONS: If a `--- PRD SPECIFICATION ---` block lists actions (approve, reject, export, etc.), generate the corresponding buttons and handlers."
 
 ### ⛔ POST-GENERATION VERIFICATION GATES (MANDATORY — run after ALL pages are created)
 

package/templates/skills/apex/steps/step-04-examine.md

@@ -168,6 +168,168 @@ for (const providerFile of providerFiles) {
 
 ---
 
+## 6d. PRD Compliance Verification (delegate mode only)
+
+> **Run ONLY when `delegate_mode` is true AND companion spec files exist.**
+> This checks that generated code matches PRD specifications — not just technical quality.
+> The PRD companion files are the AUTHORITATIVE source for columns, actions, labels, and permissions.
+
+```javascript
+if (delegate_mode) {
+  const specsDir = path.dirname(delegate_prd_path);
+  const prd = readJSON(delegate_prd_path);
+
+  const screensPath = path.join(specsDir, prd.specificationFiles?.screens);
+  const permsPath = path.join(specsDir, prd.specificationFiles?.permissions);
+  const screens = fileExists(screensPath) ? readJSON(screensPath) : null;
+  const perms = fileExists(permsPath) ? readJSON(permsPath) : null;
+
+  if (screens) {
+    // ──── PC-1 (BLOCKING): Column Completeness ────
+    // Every column defined in screens.json SmartTable resources MUST exist in the generated ListPage.
+    for (const section of screens.sections) {
+      for (const resource of (section.resources || [])) {
+        if (resource.type !== 'SmartTable' || !resource.columns) continue;
+        const entityName = resource.entity;
+        // Find the corresponding ListPage
+        const listPages = Glob(`src/pages/**/${entityName}*ListPage.tsx`);
+        if (listPages.length === 0) {
+          BLOCKING(`PC-1: No ListPage found for entity ${entityName} (section: ${section.code})`);
+          continue;
+        }
+        const pageContent = readFile(listPages[0]);
+        const missingCols = [];
+        for (const col of resource.columns) {
+          // Check for the column field name in the page content
+          if (!pageContent.includes(col.field)) {
+            missingCols.push(`${col.field} (${col.format})`);
+          }
+        }
+        if (missingCols.length > 0) {
+          BLOCKING(`PC-1: ${listPages[0]} missing ${missingCols.length}/${resource.columns.length} columns: ${missingCols.join(', ')}. ` +
+            `Fix: re-invoke Skill("ui-components") with the PRD SPECIFICATION block containing ALL columns.`);
+        }
+      }
+    }
+
+    // ──── PC-2 (BLOCKING): Action Button Completeness ────
+    // Actions defined in screens.json MUST have corresponding handlers in the generated pages.
+    for (const section of screens.sections) {
+      for (const resource of (section.resources || [])) {
+        if (!resource.actions || resource.actions.length === 0) continue;
+        const entityName = resource.entity;
+        const pages = Glob(`src/pages/**/${entityName}*Page.tsx`);
+        const allContent = pages.map(p => readFile(p)).join('\n');
+
+        for (const action of resource.actions) {
+          let found = false;
+          switch (action) {
+            case 'create': found = allContent.includes('navigate') && allContent.includes('create'); break;
+            case 'edit':    found = allContent.includes('edit') || allContent.includes('Edit'); break;
+            case 'delete':  found = allContent.includes('delete') || allContent.includes('Delete'); break;
+            case 'approve': found = allContent.includes('approve') || allContent.includes('Approve'); break;
+            case 'reject':  found = allContent.includes('reject') || allContent.includes('Reject'); break;
+            case 'export':  found = allContent.includes('export') || allContent.includes('Export'); break;
+            default:        found = allContent.toLowerCase().includes(action.toLowerCase());
+          }
+          if (!found) {
+            BLOCKING(`PC-2: ${entityName} pages missing action handler for '${action}' (section: ${section.code}). ` +
+              `Fix: add ${action} button/handler to the relevant page.`);
+          }
+        }
+      }
+    }
+
+    // ──── PC-3 (WARNING): I18n Label Accent Accuracy ────
+    // French/German/Italian labels MUST have proper UTF-8 accents.
+    const ACCENT_PATTERNS_FR = {
+      'Employes': 'Employés', 'Departement': 'Département', 'Departements': 'Départements',
+      'Prenom': 'Prénom', 'Numero': 'Numéro', 'Societe': 'Société',
+      'Categorie': 'Catégorie', 'Securite': 'Sécurité', 'Conge': 'Congé', 'Conges': 'Congés',
+      'Generalites': 'Généralités', 'Resume': 'Résumé', 'Echeance': 'Échéance'
+    };
+    const i18nFiles = Glob(`src/**/i18n/locales/fr/*.json`);
+    for (const file of i18nFiles) {
+      const content = readFile(file);
+      for (const [ascii, accented] of Object.entries(ACCENT_PATTERNS_FR)) {
+        if (content.includes(`"${ascii}"`) || content.includes(`"${ascii} `)) {
+          WARNING(`PC-3: ${file} contains ASCII-only '${ascii}' — should be '${accented}'. Fix the accent.`);
+        }
+      }
+    }
+
+    // ──── PC-5 (WARNING): Section Page Completeness ────
+    // Every primary/functional section in screens.json should have a corresponding page.
+    for (const section of screens.sections) {
+      if (!['primary', 'functional'].includes(section.sectionType)) continue;
+      const sectionCode = section.code;
+      const resources = section.resources || [];
+      const entityNames = resources.map(r => r.entity).filter(Boolean);
+
+      // Check if any page exists for this section's entities
+      let pageFound = false;
+      for (const entity of entityNames) {
+        const pages = Glob(`src/pages/**/${entity}*Page.tsx`);
+        if (pages.length > 0) { pageFound = true; break; }
+      }
+      // Also check by section code (e.g., CalendarPage, ApprovePage)
+      if (!pageFound) {
+        const sectionPages = Glob(`src/pages/**/*${sectionCode}*Page.tsx`);
+        pageFound = sectionPages.length > 0;
+      }
+      if (!pageFound) {
+        WARNING(`PC-5: Section '${sectionCode}' (${section.sectionType}) defined in screens.json ` +
+          `but no corresponding page found. Consider generating it.`);
+      }
+    }
+  }
+
+  if (perms) {
+    // ──── PC-4 (BLOCKING): Permission Seed Data Completeness ────
+    // All permissionPaths from permissions.json MUST be seeded in PermissionsSeedData.
+    const permSeedFiles = Glob(`**/PermissionsSeedData.cs`);
+    const permClassFiles = Glob(`**/Permissions.cs`);
+    const allPermContent = [...permSeedFiles, ...permClassFiles].map(f => readFile(f)).join('\n');
+
+    for (const path of perms.permissionPaths) {
+      // Check for the permission path (may be stored as kebab-case or segments)
+      const segments = path.split('.');
+      const lastSegment = segments[segments.length - 1].toLowerCase();
+      if (!allPermContent.toLowerCase().includes(lastSegment)) {
+        BLOCKING(`PC-4: Permission path '${path}' not found in seed data. ` +
+          `Fix: add to PermissionsSeedData.cs and Permissions.cs constants.`);
+      }
+    }
+
+    // Verify roles from permissions.json exist in RolesSeedData
+    const roleSeedFiles = Glob(`**/RolesSeedData.cs`);
+    const allRoleContent = roleSeedFiles.map(f => readFile(f)).join('\n');
+    for (const role of perms.roles) {
+      if (!allRoleContent.includes(role.role)) {
+        WARNING(`PC-4b: Role '${role.role}' from permissions.json not found in RolesSeedData.cs.`);
+      }
+    }
+  }
+
+  // ──── PC-6 (WARNING): I18n Namespace Registration ────
+  // This overlaps with GATE PG-4 but cross-checks against screens.json sections.
+  const i18nConfig = Glob(`src/**/i18n/config.ts`)[0] || Glob(`src/**/i18n/index.ts`)[0];
+  if (i18nConfig && screens) {
+    const configContent = readFile(i18nConfig);
+    const moduleCode = prd.project?.module;
+    if (moduleCode && !configContent.includes(moduleCode)) {
+      WARNING(`PC-6: Module namespace '${moduleCode}' not registered in ${i18nConfig}. ` +
+        `Translation keys will render as raw strings.`);
+    }
+  }
+}
+```
+
+> **If ANY BLOCKING check fails:** Return to step-03d to fix the specific issue, then re-run section 6d.
+> BLOCKING failures indicate the generated code does NOT match the PRD specification.
+
+---
+
 ## 7. Acceptance Criteria POST-CHECK
 
 For each AC from step-01:
@@ -210,6 +372,7 @@ AC1: {criterion} → PASS / FAIL (evidence)
 | Navigation translations (4 langs) | PASS / N/A |
 | Inline tests | PASS / N/A |
 | POST-CHECKs | PASS / N/A |
+| PRD Compliance (delegate) | PASS / N/A |
 | Acceptance criteria | {X}/{Y} PASS |
 
 ---

package/templates/skills/apex-verify/SKILL.md

@@ -0,0 +1,110 @@
+---
+name: apex-verify
+description: |
+  Audit a generated SmartStack APEX application for common generation issues.
+  Use this skill when:
+  - Verifying a generated app has no missing CRUD pages or buttons
+  - Checking navigation seed data for reserved section codes in menu
+  - Auditing permission coverage (controllers vs Permissions.cs vs seed data)
+  - Validating route alignment (frontend vs backend vs seed)
+  - After /apex or /business-analyse-develop completes
+argument-hint: "[--scope=all|nav|crud|perm|route] [--fix]"
+model: sonnet
+allowed-tools: "Read, Grep, Glob, Bash, ToolSearch"
+entry_point: steps/step-00-init.md
+---
+
+<objective>
+Audit a SmartStack application generated by /apex or /business-analyse-develop for common post-generation issues:
+
+1. **Navigation** — Reserved section codes (detail, create, edit) seeded as visible menu items
+2. **CRUD** — Missing page types, missing "New" buttons on list pages, incomplete componentRegistry
+3. **Permissions** — Cross-reference controllers, Permissions.cs, PermissionsSeedData, RolesSeedData
+4. **Routes** — Alignment between seed data routes, PageRegistry keys, and controller NavRoutes
+
+The audit is **read-only** by default. Use `--fix` to display actionable fix commands.
+</objective>
+
+<quick_start>
+
+```bash
+/apex-verify                    # Full audit (all 4 categories)
+/apex-verify --scope=nav        # Navigation menu audit only
+/apex-verify --scope=crud       # CRUD completeness audit only
+/apex-verify --scope=perm       # Permission cross-reference only
+/apex-verify --scope=route      # Route alignment only
+/apex-verify --fix              # Full audit + fix suggestions
+```
+
+</quick_start>
+
+<parameters>
+
+<flags>
+| Flag | Description |
+|------|-------------|
+| `--scope=all` | Audit all 4 categories (default) |
+| `--scope=nav` | Navigation audit only (reserved section codes) |
+| `--scope=crud` | CRUD completeness only (pages, buttons, registry) |
+| `--scope=perm` | Permission cross-reference only |
+| `--scope=route` | Route alignment only |
+| `--fix` | Display actionable fix commands for each finding |
+</flags>
+</parameters>
+
+<workflow>
+1. **Initialize** — Detect project structure, locate seed data, controllers, pages
+2. **Navigation Audit** — Check for reserved section codes seeded as menu items
+3. **CRUD Audit** — Verify 4 page types per section, create buttons, componentRegistry
+4. **Permission Audit** — Cross-reference controllers, Permissions.cs, seed data, roles
+5. **Route Audit** — Verify frontend/backend/seed alignment
+6. **Report** — Consolidated findings with severity and fix suggestions
+</workflow>
+
+<state_variables>
+| Variable | Type | Description |
+|----------|------|-------------|
+| `{scope}` | string | all, nav, crud, perm, route |
+| `{fix_mode}` | boolean | Display fix commands |
+| `{api_root}` | string | Path to backend src/ |
+| `{web_root}` | string | Path to frontend web/ |
+| `{seed_files}` | string[] | All *NavigationSeedData.cs files |
+| `{controller_files}` | string[] | All *Controller.cs files |
+| `{page_files}` | string[] | All *.tsx page files |
+| `{registry_file}` | string | componentRegistry.generated.ts path |
+| `{permissions_file}` | string | Permissions.cs path |
+| `{findings}` | object[] | All findings with ID, severity, message, fix |
+</state_variables>
+
+<entry_point>
+
+**FIRST ACTION:** Load `steps/step-00-init.md`
+
+</entry_point>
+
+<step_files>
+| Step | File | Purpose |
+|------|------|---------|
+| 00 | `steps/step-00-init.md` | Parse flags, detect project structure, resolve paths |
+| 01 | `steps/step-01-nav-audit.md` | Audit navigation seed data for reserved section codes |
+| 02 | `steps/step-02-crud-audit.md` | Audit CRUD completeness (pages, buttons, registry) |
+| 03 | `steps/step-03-perm-audit.md` | Audit permissions cross-reference |
+| 04 | `steps/step-04-route-audit.md` | Audit route alignment |
+| 05 | `steps/step-05-report.md` | Generate consolidated report |
+</step_files>
+
+<execution_rules>
+- **Read-only** — This skill NEVER modifies code (unless --fix is used, and even then only displays commands)
+- **Evidence-based** — Every finding must reference a specific file:line
+- **Comprehensive** — Check ALL files, not a sample
+- **Actionable** — Every finding must include a fix suggestion
+- **Scoped** — Only run audits matching {scope}
+- **SmartStack-aware** — Respect SmartStack conventions (PageRegistry, DynamicRouter, NavRoute, SeedData patterns)
+</execution_rules>
+
+<success_criteria>
+- All applicable audits completed with zero false positives
+- Each finding has: ID, severity (BLOCKING/CRITICAL/WARNING), file:line, description, fix
+- Consolidated report with category totals
+- Executive summary with pass/fail per category
+</success_criteria>

package/templates/skills/apex-verify/references/audit-rules.md

@@ -0,0 +1,50 @@
+# Audit Rules Reference
+
+> Complete codification of all audit rules used by /apex-verify.
+> Each rule has a unique ID, severity, description, detection method, and fix pattern.
+
+---
+
+## Navigation Rules (NAV-xxx)
+
+| ID | Severity | Description | Detection | Fix |
+|----|----------|-------------|-----------|-----|
+| NAV-001 | BLOCKING | Reserved section code (detail/create/edit) seeded as visible menu item | Grep NavigationSeedData for `Code = "detail"` / `"create"` / `"edit"` without `IsActive = false` | Remove section from seed data, or set `IsActive = false` |
+| NAV-002 | BLOCKING | Section code contains "-detail" seeded as menu item | Grep for codes matching `*-detail` pattern | Remove section entry — detail is resolved as /:id under parent section |
+| NAV-003 | BLOCKING | Route contains forbidden segment (/detail/, /create/, /edit/) | Grep seed data routes for `/detail/`, `/create/`, `/edit/` segments | Use convention routes: /:id, /create, /:id/edit (no explicit segments) |
+| NAV-004 | WARNING | Reserved section code with IsActive = false | Code is reserved but hidden from menu | Acceptable — remove if unnecessary |
+| NAV-005 | WARNING | Section code not in kebab-case | Regex check: `^[a-z][a-z0-9]*(-[a-z0-9]+)*$` | Rename to kebab-case |
+
+## CRUD Rules (CRUD-xxx)
+
+| ID | Severity | Description | Detection | Fix |
+|----|----------|-------------|-----------|-----|
+| CRUD-001 | BLOCKING | ListPage missing for entity | Glob for `*ListPage.tsx` matching entity | Generate via `/ui-components` |
+| CRUD-002 | BLOCKING | DetailPage missing for entity | Glob for `*DetailPage.tsx` matching entity | Generate via `/ui-components` |
+| CRUD-003 | BLOCKING | Create/Edit page missing for entity | Glob for `*CreatePage.tsx`, `*EditPage.tsx`, `*FormPage.tsx` | Generate via `/ui-components` |
+| CRUD-004 | BLOCKING | ListPage has no Create/New button | Grep for `navigate.*create` or `Link.*create` | Add navigate('create') button in page header |
+| CRUD-005 | BLOCKING | Page exists but not registered in componentRegistry | Read registry, check for matching key | Add `PageRegistry.register()` call or run `scaffold_routes` |
+| CRUD-006 | WARNING | Registry entry has no matching page file | Read registry, check file existence | Remove orphan registry entry or create the page |
+| CRUD-007 | WARNING | Form page has no submit handler | Grep for `onSubmit`, `handleSubmit`, `api.create`, `api.post` | Implement form submission logic |
+
+## Permission Rules (PERM-xxx)
+
+| ID | Severity | Description | Detection | Fix |
+|----|----------|-------------|-----------|-----|
+| PERM-001 | BLOCKING | Controller uses permission not defined in Permissions.cs | Cross-ref `[RequirePermission]` vs `Permissions.cs` | Add missing constant to Permissions.cs |
+| PERM-002 | BLOCKING | Permissions.cs constant not seeded in PermissionsSeedData | Cross-ref Permissions.cs paths vs seed data | Add `HasData()` entry in PermissionsSeedData |
+| PERM-003 | CRITICAL | Seeded permission has no role mapping | Cross-ref seed data vs RolesSeedData | Add role-permission mapping in RolesSeedData |
+| PERM-004 | CRITICAL | Admin role missing wildcard for module | Check admin role has `*.module.*` wildcard | Add wildcard permission for admin role |
+| PERM-005 | WARNING | Permission path segments not in kebab-case | Regex check on permission paths | Rename to kebab-case |
+| PERM-006 | WARNING | Viewer role has write permission | Check viewer role permissions | Remove write permissions from viewer role |
+| PERM-007 | WARNING | Permission defined but unused by any controller | Cross-ref Permissions.cs vs controllers | Remove dead permission or add controller usage |
+
+## Route Rules (ROUTE-xxx)
+
+| ID | Severity | Description | Detection | Fix |
+|----|----------|-------------|-----------|-----|
+| ROUTE-001 | BLOCKING | Seed data route has no matching PageRegistry entry | Cross-ref seed routes vs registry keys | Add PageRegistry.register() or run scaffold_routes |
+| ROUTE-002 | WARNING | Controller NavRoute has no matching seed data entry | Cross-ref NavRoute attrs vs seed routes | Add navigation seed data entry |
+| ROUTE-003 | BLOCKING | PageRegistry references non-existent page file | Read registry imports, check file existence | Create page or fix import path |
+| ROUTE-004 | WARNING | Orphan page — exists on disk but not registered | Cross-ref page files vs registry | Register page or delete orphan |
+| ROUTE-005 | WARNING | Implicit route (detail/create/edit) not resolvable | Check registry + DynamicRouter conventions | Register in componentRegistry |

package/templates/skills/apex-verify/steps/step-00-init.md

@@ -0,0 +1,119 @@
+---
+name: step-00-init
+description: Parse flags, detect project structure, resolve paths for APEX verification
+next_step: steps/step-01-nav-audit.md
+---
+
+# Step 0: Initialization
+
+## MANDATORY EXECUTION RULES:
+- NEVER skip project detection
+- ALWAYS resolve actual filesystem paths before proceeding
+- YOU ARE AN INITIALIZER, not a scanner
+
+## YOUR TASK:
+Parse the flags, detect the SmartStack project structure, and locate all files needed for auditing.
+
+---
+
+## EXECUTION SEQUENCE:
+
+### 1. Parse Input
+
+```
+Arguments from $ARGUMENTS:
+  --scope=nav       -> {scope} = "nav"
+  --scope=crud      -> {scope} = "crud"
+  --scope=perm      -> {scope} = "perm"
+  --scope=route     -> {scope} = "route"
+  --scope=all       -> {scope} = "all" (default)
+  --fix             -> {fix_mode} = true (default: false)
+
+No arguments -> {scope} = "all", {fix_mode} = false
+```
+
+### 2. Detect Project Structure
+
+Use Glob to locate all required files:
+
+```
+Backend paths:
+  {api_root} = src/*/Api/ or src/*.Api/
+  Verify: *.sln exists at project root
+
+Frontend paths:
+  {web_root} = web/*/src/ or web/*-web/src/
+  Verify: package.json exists in web/*/
+
+Key files to locate:
+  {seed_files}:
+    Glob "**/Seeding/Data/**/*NavigationSeedData.cs"
+    Glob "**/Seeding/Data/**/*NavigationModuleSeedData.cs"
+
+  {controller_files}:
+    Glob "**/Controllers/**/*Controller.cs"
+
+  {page_files}:
+    Glob "web/**/src/pages/**/*Page.tsx"
+
+  {registry_file}:
+    Glob "**/componentRegistry.generated.ts" or "**/componentRegistry*.ts"
+
+  {permissions_file}:
+    Glob "**/Authorization/Permissions.cs" or "**/Common/Authorization/Permissions.cs"
+
+  {perm_seed_files}:
+    Glob "**/Seeding/Data/**/*PermissionsSeedData.cs"
+    Glob "**/Seeding/Data/**/*SeedDataProvider.cs"
+
+  {role_seed_files}:
+    Glob "**/Seeding/Data/**/*RolesSeedData.cs"
+```
+
+### 3. Validate Paths
+
+For each required file set:
+- If empty: record as CRITICAL warning (cannot audit that category)
+- If found: record paths for next steps
+
+### 4. Show Summary and Proceed
+
+Display:
+
+```
+APEX Verification — Initialization
+====================================
+
+| Setting | Value |
+|---------|-------|
+| Scope | {scope} |
+| Fix mode | {fix_mode} |
+
+Project Structure:
+| Category | Files Found |
+|----------|-------------|
+| Navigation seed data | {count} files |
+| Controllers | {count} files |
+| Frontend pages | {count} files |
+| Component registry | {found/MISSING} |
+| Permissions.cs | {found/MISSING} |
+| Permission seed data | {count} files |
+| Role seed data | {count} files |
+
+-> Proceeding to audits...
+```
+
+---
+
+## SUCCESS METRICS:
+- Scope and flags correctly parsed
+- All filesystem paths resolved and validated
+- Summary displayed with file counts
+- Ready for audit steps
+
+## NEXT STEP:
+Based on {scope}:
+- `all` or `nav` → proceed to `./step-01-nav-audit.md`
+- `crud` → skip to `./step-02-crud-audit.md`
+- `perm` → skip to `./step-03-perm-audit.md`
+- `route` → skip to `./step-04-route-audit.md`