npm - @atlashub/smartstack-mcp - Versions diffs - 1.13.0 → 1.15.0 - Mend

@atlashub/smartstack-mcp 1.13.0 → 1.15.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/index.js CHANGED Viewed

@@ -82,10 +82,10 @@ import { stat, mkdir, readFile, writeFile, cp, rm } from "fs/promises";
 import path from "path";
 import { glob } from "glob";
 var FileSystemError = class extends Error {
-  constructor(message, operation, path24, cause) {
+  constructor(message, operation, path26, cause) {
     super(message);
     this.operation = operation;
-    this.path = path24;
+    this.path = path26;
     this.cause = cause;
     this.name = "FileSystemError";
   }
@@ -558,7 +558,7 @@ var ConfigSchema = z.object({
 });
 var ValidateConventionsInputSchema = z.object({
   path: z.string().optional().describe("Project path to validate (default: SmartStack.app path)"),
-  checks: z.array(z.enum(["tables", "migrations", "services", "namespaces", "entities", "tenants", "controllers", "all"])).default(["all"]).describe("Types of checks to perform")
+  checks: z.array(z.enum(["tables", "migrations", "services", "namespaces", "entities", "tenants", "controllers", "layouts", "tabs", "all"])).default(["all"]).describe("Types of checks to perform")
 });
 var CheckMigrationsInputSchema = z.object({
   projectPath: z.string().optional().describe("EF Core project path"),
@@ -648,6 +648,39 @@ var SuggestTestScenariosInputSchema = z.object({
   name: z.string().min(1).describe("Component name or file path"),
   depth: z.enum(["basic", "comprehensive", "security-focused"]).default("comprehensive").describe("Depth of analysis")
 });
+var SecurityCheckSchema = z.enum([
+  "hardcoded-secrets",
+  "sql-injection",
+  "tenant-isolation",
+  "authorization",
+  "dangerous-functions",
+  "input-validation",
+  "xss",
+  "csrf",
+  "logging-sensitive",
+  "all"
+]);
+var ValidateSecurityInputSchema = z.object({
+  path: z.string().optional().describe("Project path to validate (default: SmartStack.app path)"),
+  checks: z.array(SecurityCheckSchema).default(["all"]).describe("Security checks to run"),
+  severity: z.enum(["blocking", "all"]).optional().describe("Filter results by severity")
+});
+var QualityMetricSchema = z.enum([
+  "cognitive-complexity",
+  "cyclomatic-complexity",
+  "function-size",
+  "nesting-depth",
+  "parameter-count",
+  "code-duplication",
+  "file-size",
+  "all"
+]);
+var AnalyzeCodeQualityInputSchema = z.object({
+  path: z.string().optional().describe("Project path to analyze (default: SmartStack.app path)"),
+  metrics: z.array(QualityMetricSchema).default(["all"]).describe("Metrics to analyze"),
+  threshold: z.enum(["strict", "normal", "lenient"]).default("normal").describe("Threshold level for violations"),
+  scope: z.enum(["changed", "all"]).default("all").describe("Analyze only changed files or all")
+});
 var ScaffoldApiClientInputSchema = z.object({
   path: z.string().optional().describe("Path to SmartStack project root (defaults to configured project path)"),
   navRoute: z.string().min(1).describe('NavRoute path (e.g., "platform.administration.users")'),
@@ -914,7 +947,7 @@ var validateConventionsTool = {
         type: "array",
         items: {
           type: "string",
-          enum: ["tables", "migrations", "services", "namespaces", "entities", "tenants", "controllers", "all"]
+          enum: ["tables", "migrations", "services", "namespaces", "entities", "tenants", "controllers", "layouts", "tabs", "all"]
         },
         description: "Types of checks to perform",
         default: ["all"]
@@ -925,7 +958,7 @@ var validateConventionsTool = {
 async function handleValidateConventions(args, config) {
   const input = ValidateConventionsInputSchema.parse(args);
   const projectPath = input.path || config.smartstack.projectPath;
-  const checks = input.checks.includes("all") ? ["tables", "migrations", "services", "namespaces", "entities", "tenants", "controllers"] : input.checks;
+  const checks = input.checks.includes("all") ? ["tables", "migrations", "services", "namespaces", "entities", "tenants", "controllers", "layouts", "tabs"] : input.checks;
   logger.info("Validating conventions", { projectPath, checks });
   const result = {
     valid: true,
@@ -955,6 +988,12 @@ async function handleValidateConventions(args, config) {
   if (checks.includes("controllers")) {
     await validateControllerRoutes(structure, config, result);
   }
+  if (checks.includes("layouts")) {
+    await validateLayouts(structure, config, result);
+  }
+  if (checks.includes("tabs")) {
+    await validateTabs(structure, config, result);
+  }
   result.valid = result.errors.length === 0;
   result.summary = generateSummary(result, checks);
   return formatResult(result);
@@ -1385,6 +1424,132 @@ async function validateControllerRoutes(structure, _config, result) {
     });
   }
 }
+async function validateLayouts(structure, _config, result) {
+  if (!structure.web) {
+    result.warnings.push({
+      type: "warning",
+      category: "layouts",
+      message: "Web project not found, skipping layout validation"
+    });
+    return;
+  }
+  const layoutFiles = await findFiles("**/layouts/**/*.tsx", { cwd: structure.web });
+  if (layoutFiles.length === 0) {
+    result.warnings.push({
+      type: "warning",
+      category: "layouts",
+      message: "No layout files found in web/src/layouts/"
+    });
+    return;
+  }
+  for (const file of layoutFiles) {
+    const content = await readText(file);
+    const fileName = path6.basename(file);
+    const lines = content.split("\n");
+    let hasMaxWidth = false;
+    for (const line of lines) {
+      if (line.trim().startsWith("//") || line.trim().startsWith("*")) continue;
+      if (/className.*max-w-/.test(line)) {
+        hasMaxWidth = true;
+        break;
+      }
+    }
+    if (hasMaxWidth) {
+      result.errors.push({
+        type: "error",
+        category: "layouts",
+        message: `Layout "${fileName}" uses max-w-* constraint which limits content width`,
+        file: path6.relative(structure.root, file),
+        suggestion: "Remove max-w-* class. Content should occupy full available width."
+      });
+    }
+    let hasStandardPadding = false;
+    for (const line of lines) {
+      if (line.trim().startsWith("//") || line.trim().startsWith("*")) continue;
+      if (/className.*lg:px-10/.test(line)) {
+        hasStandardPadding = true;
+        break;
+      }
+    }
+    if (!hasStandardPadding) {
+      result.warnings.push({
+        type: "warning",
+        category: "layouts",
+        message: `Layout "${fileName}" may be missing standard horizontal padding`,
+        file: path6.relative(structure.root, file),
+        suggestion: "Use lg:px-10 for consistent horizontal padding across layouts"
+      });
+    }
+    let hasScrollPattern = false;
+    for (const line of lines) {
+      if (line.trim().startsWith("//") || line.trim().startsWith("*")) continue;
+      if (/className.*h-full/.test(line) && /className.*overflow-auto/.test(line)) {
+        hasScrollPattern = true;
+        break;
+      }
+    }
+    if (!hasScrollPattern) {
+      result.warnings.push({
+        type: "warning",
+        category: "layouts",
+        message: `Layout "${fileName}" may be missing scroll container pattern`,
+        file: path6.relative(structure.root, file),
+        suggestion: "Use h-full overflow-auto for proper internal scrolling"
+      });
+    }
+  }
+}
+async function validateTabs(structure, _config, result) {
+  if (!structure.web) {
+    result.warnings.push({
+      type: "warning",
+      category: "tabs",
+      message: "Web project not found, skipping tab validation"
+    });
+    return;
+  }
+  const pageFiles = await findFiles("**/pages/**/*.tsx", { cwd: structure.web });
+  let tabPagesCount = 0;
+  let hookUsageCount = 0;
+  for (const file of pageFiles) {
+    const content = await readText(file);
+    const fileName = path6.basename(file);
+    const lines = content.split("\n");
+    let hasTabPattern = false;
+    for (const line of lines) {
+      const trimmed = line.trim();
+      if (trimmed.startsWith("//") || trimmed.startsWith("*") || trimmed.startsWith("/*") || trimmed === "") {
+        continue;
+      }
+      if (/<Tabs|<TabList|activeTab\s*[,=})]|setActiveTab\s*[({]/.test(line)) {
+        hasTabPattern = true;
+        break;
+      }
+    }
+    if (hasTabPattern) {
+      tabPagesCount++;
+      const usesHook = content.includes("useTabNavigation");
+      if (usesHook) {
+        hookUsageCount++;
+      } else {
+        result.errors.push({
+          type: "error",
+          category: "tabs",
+          message: `Page "${fileName}" has tabs but doesn't use useTabNavigation hook`,
+          file: path6.relative(structure.root, file),
+          suggestion: "Use useTabNavigation hook to sync tab state with URL: const { activeTab, setActiveTab } = useTabNavigation(defaultTab, VALID_TABS)"
+        });
+      }
+    }
+  }
+  if (tabPagesCount > 0) {
+    result.warnings.push({
+      type: "warning",
+      category: "tabs",
+      message: `Tab summary: ${hookUsageCount}/${tabPagesCount} pages with tabs use useTabNavigation hook`
+    });
+  }
+}
 function generateSummary(result, checks) {
   const parts = [];
   parts.push(`Checks performed: ${checks.join(", ")}`);
@@ -9603,6 +9768,919 @@ function generateRecommendations3(analyzed) {
   return recommendations;
 }
+// src/tools/validate-security.ts
+import path20 from "path";
+var validateSecurityTool = {
+  name: "validate_security",
+  description: "Validate SmartStack security patterns: multi-tenant isolation, authorization, input validation, secrets exposure, injection vulnerabilities, and OWASP Top 10 compliance.",
+  inputSchema: {
+    type: "object",
+    properties: {
+      path: {
+        type: "string",
+        description: "Project path to validate (default: SmartStack.app path from config)"
+      },
+      checks: {
+        type: "array",
+        items: {
+          type: "string",
+          enum: [
+            "hardcoded-secrets",
+            "sql-injection",
+            "tenant-isolation",
+            "authorization",
+            "dangerous-functions",
+            "input-validation",
+            "xss",
+            "csrf",
+            "logging-sensitive",
+            "all"
+          ]
+        },
+        description: "Security checks to run",
+        default: ["all"]
+      },
+      severity: {
+        type: "string",
+        enum: ["blocking", "all"],
+        description: "Filter results by severity"
+      }
+    }
+  }
+};
+async function handleValidateSecurity(args, config) {
+  const input = ValidateSecurityInputSchema.parse(args);
+  const projectPath = input.path || config.smartstack.projectPath;
+  const checksToRun = input.checks.includes("all") ? [
+    "hardcoded-secrets",
+    "sql-injection",
+    "tenant-isolation",
+    "authorization",
+    "dangerous-functions",
+    "input-validation"
+  ] : input.checks;
+  logger.info("Validating security", { projectPath, checks: checksToRun });
+  const result = {
+    valid: true,
+    summary: "",
+    findings: [],
+    stats: {
+      blocking: 0,
+      critical: 0,
+      warning: 0,
+      filesScanned: 0
+    }
+  };
+  const structure = await findSmartStackStructure(projectPath);
+  if (checksToRun.includes("hardcoded-secrets")) {
+    await checkHardcodedSecrets(structure, result);
+  }
+  if (checksToRun.includes("sql-injection")) {
+    await checkSqlInjection(structure, result);
+  }
+  if (checksToRun.includes("tenant-isolation")) {
+    await checkTenantIsolation(structure, result);
+  }
+  if (checksToRun.includes("authorization")) {
+    await checkAuthorization(structure, result);
+  }
+  if (checksToRun.includes("dangerous-functions")) {
+    await checkDangerousFunctions(structure, result);
+  }
+  if (checksToRun.includes("input-validation")) {
+    await checkInputValidation(structure, result);
+  }
+  result.stats.blocking = result.findings.filter((f) => f.severity === "blocking").length;
+  result.stats.critical = result.findings.filter((f) => f.severity === "critical").length;
+  result.stats.warning = result.findings.filter((f) => f.severity === "warning").length;
+  if (input.severity === "blocking") {
+    result.findings = result.findings.filter((f) => f.severity === "blocking");
+  }
+  result.valid = result.stats.blocking === 0;
+  result.summary = result.valid ? `Security validation passed. ${result.stats.warning} warning(s) found.` : `Security validation FAILED. ${result.stats.blocking} blocking issue(s) found.`;
+  return formatSecurityReport(result);
+}
+async function checkHardcodedSecrets(structure, result) {
+  const secretPatterns = [
+    // Credentials
+    { pattern: /(?:password|passwd|pwd)\s*[=:]\s*["'][^"']{4,}["']/gi, name: "password" },
+    { pattern: /(?:api[_-]?key|apikey)\s*[=:]\s*["'][^"']{8,}["']/gi, name: "API key" },
+    { pattern: /(?:secret|token)\s*[=:]\s*["'][^"']{8,}["']/gi, name: "secret/token" },
+    // Connection strings with embedded passwords
+    { pattern: /Server=.+;.*Password=[^;]+/gi, name: "connection string with password" },
+    { pattern: /Data Source=.+;.*Password=[^;]+/gi, name: "connection string with password" },
+    // Private keys
+    { pattern: /-----BEGIN (?:RSA |EC |DSA )?PRIVATE KEY-----/g, name: "private key" }
+  ];
+  const filesToScan = await getFilesToScan(structure, ["**/*.cs", "**/*.ts", "**/*.tsx", "**/*.json"]);
+  result.stats.filesScanned += filesToScan.length;
+  for (const file of filesToScan) {
+    if (isExcludedFile(file)) continue;
+    const content = await readText(file);
+    const lines = content.split("\n");
+    for (const { pattern, name } of secretPatterns) {
+      pattern.lastIndex = 0;
+      let match;
+      while ((match = pattern.exec(content)) !== null) {
+        const lineNumber = getLineNumber(content, match.index);
+        const lineContent = lines[lineNumber - 1]?.trim() || "";
+        if (isPlaceholderValue(lineContent)) continue;
+        result.findings.push({
+          severity: "blocking",
+          category: "hardcoded-secrets",
+          message: `Hardcoded ${name} detected`,
+          file: path20.relative(structure.root, file),
+          line: lineNumber,
+          code: truncateCode(lineContent),
+          suggestion: `Move ${name} to configuration or environment variables`,
+          cweId: "CWE-798"
+        });
+      }
+    }
+  }
+}
+async function checkSqlInjection(structure, result) {
+  const sqlInjectionPatterns = [
+    // Raw SQL with string concatenation (the most dangerous pattern)
+    { pattern: /\.(?:FromSqlRaw|ExecuteSqlRaw)\s*\([^)]*\s*\+\s*/g, name: "concatenated SQL in FromSqlRaw/ExecuteSqlRaw" },
+    // ADO.NET without parameters
+    { pattern: /new SqlCommand\s*\([^)]*\+/g, name: "concatenated SQL in SqlCommand" },
+    { pattern: /CommandText\s*=\s*[^;]*\+/g, name: "concatenated SQL in CommandText" }
+    // Note: FromSqlInterpolated with $"" is safe and not flagged
+  ];
+  const csFiles = await getFilesToScan(structure, ["**/*.cs"]);
+  result.stats.filesScanned += csFiles.length;
+  for (const file of csFiles) {
+    if (isExcludedFile(file)) continue;
+    const content = await readText(file);
+    const lines = content.split("\n");
+    for (const { pattern, name } of sqlInjectionPatterns) {
+      pattern.lastIndex = 0;
+      let match;
+      while ((match = pattern.exec(content)) !== null) {
+        const lineNumber = getLineNumber(content, match.index);
+        const lineContent = lines[lineNumber - 1]?.trim() || "";
+        result.findings.push({
+          severity: "blocking",
+          category: "sql-injection",
+          message: `Potential SQL injection: ${name}`,
+          file: path20.relative(structure.root, file),
+          line: lineNumber,
+          code: truncateCode(lineContent),
+          suggestion: 'Use parameterized queries: FromSqlRaw("SELECT * FROM x WHERE id = {0}", id) or FromSqlInterpolated',
+          cweId: "CWE-89"
+        });
+      }
+    }
+  }
+}
+async function checkTenantIsolation(structure, result) {
+  if (!structure.domain) {
+    result.findings.push({
+      severity: "warning",
+      category: "tenant-isolation",
+      message: "Domain project not found, skipping tenant isolation validation",
+      file: "",
+      suggestion: "Ensure project structure follows SmartStack conventions"
+    });
+    return;
+  }
+  const entityFiles = await findFiles("**/Entities/**/*.cs", { cwd: structure.domain });
+  const tenantEntities = [];
+  for (const file of entityFiles) {
+    const content = await readText(file);
+    if (content.includes("ITenantEntity") || content.includes(": TenantEntity")) {
+      const entityMatch = content.match(/class\s+(\w+)/);
+      if (entityMatch) {
+        tenantEntities.push(entityMatch[1]);
+      }
+    }
+    const createMethodMatches = content.matchAll(/public\s+static\s+\w+\s+Create\s*\(([^)]*)\)/g);
+    for (const match of createMethodMatches) {
+      const params = match[1];
+      if ((content.includes("ITenantEntity") || content.includes(": TenantEntity")) && !params.includes("tenantId") && !params.includes("TenantId")) {
+        const lineNumber = getLineNumber(content, match.index);
+        result.findings.push({
+          severity: "blocking",
+          category: "tenant-isolation",
+          message: "Create method missing tenantId parameter for tenant entity",
+          file: path20.relative(structure.root, file),
+          line: lineNumber,
+          code: truncateCode(match[0]),
+          suggestion: "Add Guid tenantId as first parameter: Create(Guid tenantId, ...)",
+          cweId: "CWE-639"
+        });
+      }
+    }
+  }
+  if (structure.application) {
+    const serviceFiles = await findFiles("**/*Service.cs", { cwd: structure.application });
+    for (const file of serviceFiles) {
+      const content = await readText(file);
+      const directAccessPattern = /_context\.\w+\.(?:First|Single|Find|ToList)\s*\(/g;
+      let match;
+      while ((match = directAccessPattern.exec(content)) !== null) {
+        const surroundingCode = content.substring(Math.max(0, match.index - 100), match.index + 100);
+        if (!surroundingCode.includes(".Where(") && !surroundingCode.includes("TenantId")) {
+          const lineNumber = getLineNumber(content, match.index);
+          result.findings.push({
+            severity: "critical",
+            category: "tenant-isolation",
+            message: "Direct DbContext access without tenant filtering",
+            file: path20.relative(structure.root, file),
+            line: lineNumber,
+            code: truncateCode(match[0]),
+            suggestion: "Use repository with global tenant filter or add explicit TenantId filter",
+            cweId: "CWE-639"
+          });
+        }
+      }
+    }
+  }
+}
+async function checkAuthorization(structure, result) {
+  const apiPath = structure.api || structure.apiCore;
+  if (!apiPath) {
+    result.findings.push({
+      severity: "warning",
+      category: "authorization",
+      message: "API project not found, skipping authorization validation",
+      file: "",
+      suggestion: "Ensure project structure follows SmartStack conventions"
+    });
+    return;
+  }
+  const controllerFiles = await findFiles("**/Controllers/**/*.cs", { cwd: apiPath });
+  result.stats.filesScanned += controllerFiles.length;
+  for (const file of controllerFiles) {
+    const content = await readText(file);
+    if (content.includes("[ApiController]")) {
+      const hasClassLevelAuth = content.includes("[Authorize]") || content.includes("[NavRoute(") || content.includes("[AllowAnonymous]");
+      if (!hasClassLevelAuth) {
+        const controllerMatch = content.match(/class\s+(\w+Controller)/);
+        const controllerName = controllerMatch ? controllerMatch[1] : "Unknown";
+        const lineNumber = controllerMatch ? getLineNumber(content, controllerMatch.index) : 1;
+        result.findings.push({
+          severity: "blocking",
+          category: "authorization",
+          message: `Controller ${controllerName} missing authorization attribute`,
+          file: path20.relative(structure.root, file),
+          line: lineNumber,
+          suggestion: 'Add [NavRoute("context.application.module")] or [Authorize] attribute to the controller class',
+          cweId: "CWE-862"
+        });
+      }
+    }
+  }
+}
+async function checkDangerousFunctions(structure, result) {
+  const csharpPatterns = [
+    { pattern: /Process\.Start\s*\([^)]*(?:user|input|param|request)/gi, name: "Process.Start with user input" },
+    { pattern: /Assembly\.Load(?:From|File)?\s*\(/g, name: "Dynamic assembly loading" },
+    { pattern: /Type\.GetType\s*\([^)]*(?:user|input|param|request)/gi, name: "Type.GetType with user input" },
+    { pattern: /Activator\.CreateInstance\s*\([^)]*(?:user|input|param|request)/gi, name: "Activator.CreateInstance with user input" }
+  ];
+  const typescriptPatterns = [
+    { pattern: /\beval\s*\(/g, name: "eval() usage" },
+    { pattern: /new\s+Function\s*\(/g, name: "new Function() usage" },
+    { pattern: /child_process\.exec\s*\(/g, name: "child_process.exec usage" },
+    { pattern: /\.innerHTML\s*=/g, name: "innerHTML assignment" },
+    { pattern: /dangerouslySetInnerHTML/g, name: "dangerouslySetInnerHTML usage" }
+  ];
+  const csFiles = await getFilesToScan(structure, ["**/*.cs"]);
+  for (const file of csFiles) {
+    if (isExcludedFile(file)) continue;
+    const content = await readText(file);
+    await checkPatterns(file, content, csharpPatterns, structure, result);
+  }
+  const tsFiles = await getFilesToScan(structure, ["**/*.ts", "**/*.tsx"]);
+  for (const file of tsFiles) {
+    if (isExcludedFile(file)) continue;
+    const content = await readText(file);
+    await checkPatterns(file, content, typescriptPatterns, structure, result);
+  }
+}
+async function checkPatterns(file, content, patterns, structure, result) {
+  const lines = content.split("\n");
+  for (const { pattern, name } of patterns) {
+    pattern.lastIndex = 0;
+    let match;
+    while ((match = pattern.exec(content)) !== null) {
+      const lineNumber = getLineNumber(content, match.index);
+      const lineContent = lines[lineNumber - 1]?.trim() || "";
+      result.findings.push({
+        severity: "critical",
+        category: "dangerous-functions",
+        message: `Dangerous function: ${name}`,
+        file: path20.relative(structure.root, file),
+        line: lineNumber,
+        code: truncateCode(lineContent),
+        suggestion: "Avoid using dangerous functions with user-controlled input. Use safe alternatives.",
+        cweId: "CWE-78"
+      });
+    }
+  }
+}
+async function checkInputValidation(structure, result) {
+  if (!structure.application) {
+    return;
+  }
+  const dtoFiles = await findFiles("**/*Dto.cs", { cwd: structure.application });
+  const dtos = [];
+  for (const file of dtoFiles) {
+    const content = await readText(file);
+    const dtoMatch = content.match(/class\s+(\w+Dto)/);
+    if (dtoMatch) {
+      dtos.push(dtoMatch[1]);
+    }
+  }
+  const validatorFiles = await findFiles("**/*Validator.cs", { cwd: structure.application });
+  const validators = [];
+  for (const file of validatorFiles) {
+    const content = await readText(file);
+    const validatorMatch = content.match(/class\s+(\w+Validator)/);
+    if (validatorMatch) {
+      validators.push(validatorMatch[1]);
+    }
+  }
+  for (const dto of dtos) {
+    const expectedValidator = dto.replace(/Dto$/, "DtoValidator");
+    const hasValidator = validators.some((v) => v === expectedValidator || v === `${dto}Validator`);
+    if (!hasValidator) {
+      result.findings.push({
+        severity: "warning",
+        category: "input-validation",
+        message: `DTO ${dto} has no FluentValidation validator`,
+        file: `Application/DTOs/${dto}.cs`,
+        suggestion: `Create ${expectedValidator} class with FluentValidation rules`,
+        cweId: "CWE-20"
+      });
+    }
+  }
+}
+async function getFilesToScan(structure, patterns) {
+  const allFiles = [];
+  for (const pattern of patterns) {
+    const files = await findFiles(pattern, { cwd: structure.root });
+    for (const file of files) {
+      try {
+        validatePathSecurity(file, structure.root);
+        allFiles.push(file);
+      } catch {
+        logger.warn("Skipping file outside project root", { file });
+      }
+    }
+  }
+  return [...new Set(allFiles)];
+}
+function isExcludedFile(filePath) {
+  const exclusions = [
+    /[/\\]bin[/\\]/,
+    /[/\\]obj[/\\]/,
+    /[/\\]node_modules[/\\]/,
+    /\.example\./,
+    /\.template\./,
+    /\.test\./,
+    /\.spec\./,
+    /Tests[/\\]/,
+    /appsettings\.Development\.json$/,
+    /appsettings\.Template\.json$/
+  ];
+  return exclusions.some((pattern) => pattern.test(filePath));
+}
+function isPlaceholderValue(line) {
+  const placeholderPatterns = [
+    /\${[A-Z_][A-Z0-9_]*}/,
+    // ${VAR_NAME} - env var syntax
+    /%[A-Z_][A-Z0-9_]*%/,
+    // %VAR_NAME% - Windows env var
+    /\{\{[A-Za-z_][A-Za-z0-9_]*\}\}/,
+    // {{varName}} - template syntax
+    /["']your[_-]?(?:password|secret|key|token)["']/i,
+    // "your_password" placeholders
+    /["']changeme["']/i,
+    /["']<[A-Z_]+>["']/,
+    // "<REPLACE_ME>" syntax
+    /["']xxx+["']/i,
+    // "xxx" or "XXXX" placeholders
+    /=\s*["']["']/
+    // Empty string assignments
+  ];
+  return placeholderPatterns.some((pattern) => pattern.test(line));
+}
+function getLineNumber(content, index) {
+  const normalizedContent = content.substring(0, index).replace(/\r\n/g, "\n");
+  return normalizedContent.split("\n").length;
+}
+function truncateCode(code, maxLength = 80) {
+  return code.length > maxLength ? code.substring(0, maxLength) + "..." : code;
+}
+function formatSecurityReport(result) {
+  const lines = [];
+  lines.push("# Security Validation Report");
+  lines.push("");
+  lines.push("## Summary");
+  lines.push(`- **Status**: ${result.valid ? "\u2705 PASSED" : "\u274C FAILED"}`);
+  lines.push(`- **Blocking**: ${result.stats.blocking}`);
+  lines.push(`- **Critical**: ${result.stats.critical}`);
+  lines.push(`- **Warnings**: ${result.stats.warning}`);
+  lines.push(`- **Files Scanned**: ${result.stats.filesScanned}`);
+  lines.push("");
+  if (result.findings.length === 0) {
+    lines.push("No security issues found.");
+    return lines.join("\n");
+  }
+  const blocking = result.findings.filter((f) => f.severity === "blocking");
+  const critical = result.findings.filter((f) => f.severity === "critical");
+  const warnings = result.findings.filter((f) => f.severity === "warning");
+  if (blocking.length > 0) {
+    lines.push("## Blocking Issues");
+    lines.push("");
+    for (const finding of blocking) {
+      formatFinding(finding, lines);
+    }
+  }
+  if (critical.length > 0) {
+    lines.push("## Critical Issues");
+    lines.push("");
+    for (const finding of critical) {
+      formatFinding(finding, lines);
+    }
+  }
+  if (warnings.length > 0) {
+    lines.push("## Warnings");
+    lines.push("");
+    for (const finding of warnings) {
+      formatFinding(finding, lines);
+    }
+  }
+  return lines.join("\n");
+}
+function formatFinding(finding, lines) {
+  lines.push(`### ${finding.category}: ${finding.message}`);
+  if (finding.file) {
+    lines.push(`- **File**: \`${finding.file}${finding.line ? `:${finding.line}` : ""}\``);
+  }
+  if (finding.code) {
+    lines.push(`- **Code**: \`${finding.code}\``);
+  }
+  if (finding.cweId) {
+    lines.push(`- **CWE**: ${finding.cweId}`);
+  }
+  lines.push(`- **Fix**: ${finding.suggestion}`);
+  lines.push("");
+}
+// src/tools/analyze-code-quality.ts
+import path21 from "path";
+var analyzeCodeQualityTool = {
+  name: "analyze_code_quality",
+  description: "Analyze code quality metrics for SmartStack projects: cognitive complexity, cyclomatic complexity, function size, nesting depth, and maintainability indicators.",
+  inputSchema: {
+    type: "object",
+    properties: {
+      path: {
+        type: "string",
+        description: "Project path to analyze (default: SmartStack.app path from config)"
+      },
+      metrics: {
+        type: "array",
+        items: {
+          type: "string",
+          enum: [
+            "cognitive-complexity",
+            "cyclomatic-complexity",
+            "function-size",
+            "nesting-depth",
+            "parameter-count",
+            "code-duplication",
+            "file-size",
+            "all"
+          ]
+        },
+        description: "Metrics to analyze",
+        default: ["all"]
+      },
+      threshold: {
+        type: "string",
+        enum: ["strict", "normal", "lenient"],
+        description: "Threshold level for violations",
+        default: "normal"
+      },
+      scope: {
+        type: "string",
+        enum: ["changed", "all"],
+        description: "Analyze only changed files or all",
+        default: "all"
+      }
+    }
+  }
+};
+var THRESHOLDS = {
+  strict: {
+    cognitiveComplexity: 10,
+    cyclomaticComplexity: 8,
+    functionSize: 30,
+    nestingDepth: 2,
+    parameterCount: 3,
+    fileSize: 300
+  },
+  normal: {
+    cognitiveComplexity: 15,
+    cyclomaticComplexity: 10,
+    functionSize: 50,
+    nestingDepth: 3,
+    parameterCount: 4,
+    fileSize: 500
+  },
+  lenient: {
+    cognitiveComplexity: 25,
+    cyclomaticComplexity: 15,
+    functionSize: 80,
+    nestingDepth: 4,
+    parameterCount: 5,
+    fileSize: 800
+  }
+};
+async function handleAnalyzeCodeQuality(args, config) {
+  const input = AnalyzeCodeQualityInputSchema.parse(args);
+  const projectPath = input.path || config.smartstack.projectPath;
+  const thresholdLevel = input.threshold;
+  const thresholds = THRESHOLDS[thresholdLevel];
+  logger.info("Analyzing code quality", { projectPath, threshold: thresholdLevel });
+  const structure = await findSmartStackStructure(projectPath);
+  const allFunctionMetrics = [];
+  const fileMetrics = /* @__PURE__ */ new Map();
+  const csFiles = await findFiles("**/*.cs", { cwd: structure.root });
+  const filteredCsFiles = csFiles.filter((f) => !isExcludedPath(f));
+  for (const file of filteredCsFiles) {
+    const content = await readText(file);
+    const relPath = path21.relative(structure.root, file);
+    const lineCount = content.split("\n").length;
+    const functions = extractCSharpFunctions(content, relPath);
+    allFunctionMetrics.push(...functions);
+    fileMetrics.set(relPath, { lineCount, functions: functions.length });
+  }
+  const tsFiles = await findFiles("**/*.{ts,tsx}", { cwd: structure.root });
+  const filteredTsFiles = tsFiles.filter((f) => !isExcludedPath(f));
+  for (const file of filteredTsFiles) {
+    const content = await readText(file);
+    const relPath = path21.relative(structure.root, file);
+    const lineCount = content.split("\n").length;
+    const functions = extractTypeScriptFunctions(content, relPath);
+    allFunctionMetrics.push(...functions);
+    fileMetrics.set(relPath, { lineCount, functions: functions.length });
+  }
+  const metrics = calculateMetrics(allFunctionMetrics, fileMetrics, thresholds);
+  const hotspots = identifyHotspots(allFunctionMetrics, fileMetrics, thresholds);
+  const summary = calculateSummary(allFunctionMetrics, fileMetrics, metrics, hotspots);
+  const result = {
+    summary,
+    metrics,
+    hotspots
+  };
+  return formatQualityReport(result, thresholds);
+}
+function extractCSharpFunctions(content, file) {
+  const functions = [];
+  const lines = content.split("\n");
+  const methodPattern = /\b(public|private|protected|internal)\s+(?:async\s+)?(?:static\s+)?(?:virtual\s+)?(?:override\s+)?(?:[\w<>,\s\[\]]+)\s+(\w+)\s*\(([^)]*)\)/gm;
+  let match;
+  while ((match = methodPattern.exec(content)) !== null) {
+    const methodName = match[2];
+    const params = match[3];
+    const startLine = getLineNumber2(content, match.index);
+    const endLine = findMethodEnd(lines, startLine - 1);
+    const lineCount = endLine - startLine + 1;
+    const parameterCount = params.trim() ? params.split(",").length : 0;
+    const methodBody = lines.slice(startLine - 1, endLine).join("\n");
+    const cognitiveComplexity = calculateCognitiveComplexity(methodBody);
+    const cyclomaticComplexity = calculateCyclomaticComplexity(methodBody);
+    const maxNestingDepth = calculateNestingDepth(methodBody);
+    functions.push({
+      name: methodName,
+      file,
+      startLine,
+      endLine,
+      lineCount,
+      parameterCount,
+      maxNestingDepth,
+      cognitiveComplexity,
+      cyclomaticComplexity
+    });
+  }
+  return functions;
+}
+function extractTypeScriptFunctions(content, file) {
+  const functions = [];
+  const lines = content.split("\n");
+  const processedFunctions = /* @__PURE__ */ new Set();
+  const patterns = [
+    // Arrow functions assigned to const/let
+    /(?:const|let)\s+(\w+)\s*=\s*(?:async\s+)?\([^)]*\)\s*(?::\s*\w+)?\s*=>/g,
+    // Function declarations
+    /(?:async\s+)?function\s+(\w+)\s*\(([^)]*)\)/g,
+    // Class methods (removed ^ anchor for consistency)
+    /\b(?:async\s+)?(\w+)\s*\(([^)]*)\)\s*(?::\s*[\w<>,\s\[\]]+)?\s*\{/gm
+  ];
+  for (const pattern of patterns) {
+    pattern.lastIndex = 0;
+    let match;
+    while ((match = pattern.exec(content)) !== null) {
+      const funcName = match[1];
+      const params = match[2] || "";
+      const startLine = getLineNumber2(content, match.index);
+      if (["if", "for", "while", "switch", "catch", "constructor"].includes(funcName)) continue;
+      const funcKey = `${file}:${startLine}:${funcName}`;
+      if (processedFunctions.has(funcKey)) continue;
+      processedFunctions.add(funcKey);
+      const endLine = findMethodEnd(lines, startLine - 1);
+      const lineCount = endLine - startLine + 1;
+      const parameterCount = params.trim() ? params.split(",").length : 0;
+      const methodBody = lines.slice(startLine - 1, endLine).join("\n");
+      const cognitiveComplexity = calculateCognitiveComplexity(methodBody);
+      const cyclomaticComplexity = calculateCyclomaticComplexity(methodBody);
+      const maxNestingDepth = calculateNestingDepth(methodBody);
+      functions.push({
+        name: funcName,
+        file,
+        startLine,
+        endLine,
+        lineCount,
+        parameterCount,
+        maxNestingDepth,
+        cognitiveComplexity,
+        cyclomaticComplexity
+      });
+    }
+  }
+  return functions;
+}
+function findMethodEnd(lines, startIndex) {
+  let braceCount = 0;
+  let foundFirstBrace = false;
+  for (let i = startIndex; i < lines.length; i++) {
+    const line = stripStringsAndComments(lines[i]);
+    for (const char of line) {
+      if (char === "{") {
+        braceCount++;
+        foundFirstBrace = true;
+      } else if (char === "}") {
+        braceCount--;
+        if (foundFirstBrace && braceCount === 0) {
+          return i + 1;
+        }
+      }
+    }
+  }
+  return startIndex + 1;
+}
+function stripStringsAndComments(line) {
+  let result = line.replace(/\/\/.*$/, "");
+  result = result.replace(/"(?:[^"\\]|\\.)*"/g, '""');
+  result = result.replace(/'(?:[^'\\]|\\.)*'/g, "''");
+  result = result.replace(/`(?:[^`\\]|\\.)*`/g, "``");
+  return result;
+}
+function calculateCognitiveComplexity(code) {
+  let complexity = 0;
+  let nestingLevel = 0;
+  const lines = code.split("\n");
+  for (const line of lines) {
+    const trimmed = line.trim();
+    const controlFlowPatterns = [
+      /\bif\s*\(/g,
+      /\belse\s+if\s*\(/g,
+      /\bfor\s*\(/g,
+      /\bforeach\s*\(/g,
+      /\bwhile\s*\(/g,
+      /\bdo\s*\{/g,
+      /\bswitch\s*\(/g,
+      /\bcatch\s*\(/g
+    ];
+    for (const pattern of controlFlowPatterns) {
+      const matches = trimmed.match(pattern) || [];
+      complexity += matches.length * (1 + nestingLevel);
+    }
+    const logicalPatterns = [/&&/g, /\|\|/g, /\?\?/g, /\?\./g];
+    for (const pattern of logicalPatterns) {
+      const matches = trimmed.match(pattern) || [];
+      complexity += matches.length;
+    }
+    const ternaryMatches = trimmed.match(/\?[^?:]+:/g) || [];
+    complexity += ternaryMatches.length;
+    const openBraces = (trimmed.match(/\{/g) || []).length;
+    const closeBraces = (trimmed.match(/\}/g) || []).length;
+    nestingLevel += openBraces - closeBraces;
+    nestingLevel = Math.max(0, nestingLevel);
+  }
+  return complexity;
+}
+function calculateCyclomaticComplexity(code) {
+  let complexity = 1;
+  const patterns = [
+    /\bif\b/g,
+    /\belse\s+if\b/g,
+    /\bwhile\b/g,
+    /\bfor\b/g,
+    /\bforeach\b/g,
+    /\bcase\b/g,
+    /\bcatch\b/g,
+    /\?\?/g,
+    /\?\./g,
+    /&&/g,
+    /\|\|/g
+  ];
+  for (const pattern of patterns) {
+    const matches = code.match(pattern) || [];
+    complexity += matches.length;
+  }
+  return complexity;
+}
+function calculateNestingDepth(code) {
+  let maxDepth = 0;
+  let currentDepth = 0;
+  for (const char of code) {
+    if (char === "{") {
+      currentDepth++;
+      maxDepth = Math.max(maxDepth, currentDepth);
+    } else if (char === "}") {
+      currentDepth = Math.max(0, currentDepth - 1);
+    }
+  }
+  return maxDepth;
+}
+function calculateMetrics(functions, fileMetrics, thresholds) {
+  const createStat = (values, threshold) => {
+    const filtered = values.filter((v) => v > 0);
+    const avg = filtered.length > 0 ? filtered.reduce((a, b) => a + b, 0) / filtered.length : 0;
+    const max = filtered.length > 0 ? Math.max(...filtered) : 0;
+    const violations = filtered.filter((v) => v > threshold).length;
+    return {
+      average: Math.round(avg * 10) / 10,
+      max,
+      threshold,
+      violations
+    };
+  };
+  const fileSizes = Array.from(fileMetrics.values()).map((f) => f.lineCount);
+  return {
+    cognitiveComplexity: createStat(
+      functions.map((f) => f.cognitiveComplexity),
+      thresholds.cognitiveComplexity
+    ),
+    cyclomaticComplexity: createStat(
+      functions.map((f) => f.cyclomaticComplexity),
+      thresholds.cyclomaticComplexity
+    ),
+    functionSize: createStat(
+      functions.map((f) => f.lineCount),
+      thresholds.functionSize
+    ),
+    nestingDepth: createStat(
+      functions.map((f) => f.maxNestingDepth),
+      thresholds.nestingDepth
+    ),
+    fileSize: createStat(fileSizes, thresholds.fileSize)
+  };
+}
+function identifyHotspots(functions, fileMetrics, thresholds) {
+  const hotspots = [];
+  for (const func of functions) {
+    const issues = [];
+    if (func.cognitiveComplexity > thresholds.cognitiveComplexity) {
+      issues.push(`Cognitive complexity: ${func.cognitiveComplexity} (threshold: ${thresholds.cognitiveComplexity})`);
+    }
+    if (func.cyclomaticComplexity > thresholds.cyclomaticComplexity) {
+      issues.push(`Cyclomatic complexity: ${func.cyclomaticComplexity} (threshold: ${thresholds.cyclomaticComplexity})`);
+    }
+    if (func.lineCount > thresholds.functionSize) {
+      issues.push(`Lines: ${func.lineCount} (threshold: ${thresholds.functionSize})`);
+    }
+    if (func.maxNestingDepth > thresholds.nestingDepth) {
+      issues.push(`Nesting depth: ${func.maxNestingDepth} (threshold: ${thresholds.nestingDepth})`);
+    }
+    if (issues.length > 0) {
+      const severity = issues.length >= 3 ? "high" : issues.length === 2 ? "medium" : "low";
+      hotspots.push({
+        file: func.file,
+        function: func.name,
+        issues,
+        severity,
+        metrics: {
+          cognitiveComplexity: func.cognitiveComplexity,
+          cyclomaticComplexity: func.cyclomaticComplexity,
+          lineCount: func.lineCount,
+          nestingDepth: func.maxNestingDepth
+        }
+      });
+    }
+  }
+  for (const [file, metrics] of fileMetrics) {
+    if (metrics.lineCount > thresholds.fileSize) {
+      hotspots.push({
+        file,
+        issues: [`File size: ${metrics.lineCount} lines (threshold: ${thresholds.fileSize})`],
+        severity: "medium",
+        metrics: {
+          lineCount: metrics.lineCount
+        }
+      });
+    }
+  }
+  const severityOrder = { high: 0, medium: 1, low: 2 };
+  hotspots.sort((a, b) => severityOrder[a.severity] - severityOrder[b.severity]);
+  return hotspots.slice(0, 20);
+}
+function calculateSummary(functions, fileMetrics, metrics, hotspots) {
+  const totalViolations = metrics.cognitiveComplexity.violations + metrics.cyclomaticComplexity.violations + metrics.functionSize.violations + metrics.nestingDepth.violations + metrics.fileSize.violations;
+  const totalFunctions = functions.length;
+  const totalFiles = fileMetrics.size;
+  const violationRate = totalFunctions > 0 ? totalViolations / totalFunctions : 0;
+  const score = Math.max(0, Math.round(100 - violationRate * 100));
+  let grade;
+  if (score >= 90) grade = "A";
+  else if (score >= 80) grade = "B";
+  else if (score >= 70) grade = "C";
+  else if (score >= 60) grade = "D";
+  else grade = "F";
+  return {
+    score,
+    grade,
+    filesAnalyzed: totalFiles,
+    functionsAnalyzed: totalFunctions,
+    issuesFound: hotspots.length
+  };
+}
+function isExcludedPath(filePath) {
+  const exclusions = [
+    /[/\\]bin[/\\]/,
+    /[/\\]obj[/\\]/,
+    /[/\\]node_modules[/\\]/,
+    /[/\\]Migrations[/\\]/,
+    /\.test\./,
+    /\.spec\./,
+    /Tests[/\\]/,
+    /\.d\.ts$/,
+    /\.min\./
+  ];
+  return exclusions.some((pattern) => pattern.test(filePath));
+}
+function getLineNumber2(content, index) {
+  const normalizedContent = content.substring(0, index).replace(/\r\n/g, "\n");
+  return normalizedContent.split("\n").length;
+}
+function formatQualityReport(result, thresholds) {
+  const lines = [];
+  lines.push("# Code Quality Report");
+  lines.push("");
+  lines.push("## Summary");
+  lines.push(`- **Score**: ${result.summary.score}/100 (Grade: ${result.summary.grade})`);
+  lines.push(`- **Files analyzed**: ${result.summary.filesAnalyzed}`);
+  lines.push(`- **Functions analyzed**: ${result.summary.functionsAnalyzed}`);
+  lines.push(`- **Issues found**: ${result.summary.issuesFound}`);
+  lines.push("");
+  lines.push("## Metrics Overview");
+  lines.push("");
+  lines.push("| Metric | Average | Max | Threshold | Status |");
+  lines.push("|--------|---------|-----|-----------|--------|");
+  const formatMetricRow = (name, stat2) => {
+    const status = stat2.violations > 0 ? `${stat2.violations} violations` : "\u2705 OK";
+    return `| ${name} | ${stat2.average} | ${stat2.max} | ${stat2.threshold} | ${status} |`;
+  };
+  lines.push(formatMetricRow("Cognitive Complexity", result.metrics.cognitiveComplexity));
+  lines.push(formatMetricRow("Cyclomatic Complexity", result.metrics.cyclomaticComplexity));
+  lines.push(formatMetricRow("Function Size", result.metrics.functionSize));
+  lines.push(formatMetricRow("Nesting Depth", result.metrics.nestingDepth));
+  lines.push(formatMetricRow("File Size", result.metrics.fileSize));
+  lines.push("");
+  if (result.hotspots.length > 0) {
+    lines.push("## Hotspots (Needs Attention)");
+    lines.push("");
+    for (const hotspot of result.hotspots) {
+      const severityEmoji = hotspot.severity === "high" ? "\u{1F534}" : hotspot.severity === "medium" ? "\u{1F7E1}" : "\u{1F7E2}";
+      const location = hotspot.function ? `\`${hotspot.function}\` (${hotspot.file})` : `\`${hotspot.file}\``;
+      lines.push(`### ${severityEmoji} ${hotspot.severity.toUpperCase()}: ${location}`);
+      for (const issue of hotspot.issues) {
+        lines.push(`- ${issue}`);
+      }
+      if (hotspot.function) {
+        if (hotspot.metrics.cognitiveComplexity && hotspot.metrics.cognitiveComplexity > thresholds.cognitiveComplexity) {
+          lines.push(`- **Recommendation**: Extract logic into smaller, focused methods`);
+        } else if (hotspot.metrics.lineCount && hotspot.metrics.lineCount > thresholds.functionSize) {
+          lines.push(`- **Recommendation**: Split into multiple functions with single responsibilities`);
+        }
+      } else {
+        lines.push(`- **Recommendation**: Consider splitting this file into smaller modules`);
+      }
+      lines.push("");
+    }
+  } else {
+    lines.push("No hotspots found. Code quality is within acceptable thresholds.");
+  }
+  return lines.join("\n");
+}
 // src/resources/conventions.ts
 var conventionsResourceTemplate = {
   uri: "smartstack://conventions",
@@ -10468,6 +11546,76 @@ All tenant-related tables use the \`tenant_\` prefix:
 ---
+## 10. Frontend Conventions
+### Layout Standards
+All context layouts MUST follow the AdminLayout pattern for consistent user experience.
+#### Standard Structure
+\`\`\`tsx
+<main className={\`pt-16 transition-all duration-300 \${
+  showSidebar ? (isCollapsed ? 'lg:pl-16' : 'lg:pl-64') : ''
+}\`}>
+  <div className="p-4 sm:p-6 lg:px-10 h-full overflow-auto">
+    <Outlet />
+  </div>
+</main>
+\`\`\`
+#### Layout Rules
+| Rule | Description |
+|------|-------------|
+| No \`max-w-*\` | Content MUST occupy full available width |
+| Horizontal padding | Use \`lg:px-10\` for consistent padding |
+| Scroll container | Use \`h-full overflow-auto\` for internal scrolling |
+| Sidebar conditional | \`showSidebar = !!currentAppCode\` |
+### Tab Navigation with URL
+Pages with tabs MUST synchronize tab state with URL for shareable links and browser navigation.
+#### useTabNavigation Hook
+\`\`\`tsx
+import { useTabNavigation } from '@/hooks/useTabNavigation';
+// 1. Define valid tabs
+const VALID_TABS = ['info', 'settings', 'permissions'] as const;
+type TabId = typeof VALID_TABS[number];
+// 2. Use the hook
+const { activeTab, setActiveTab } = useTabNavigation<TabId>('info', VALID_TABS);
+// 3. Use in JSX
+<button onClick={() => setActiveTab('settings')}>Settings</button>
+\`\`\`
+#### URL Behavior
+| URL | Active Tab |
+|-----|------------|
+| \`/page\` | Default tab (e.g., \`info\`) |
+| \`/page?tab=settings\` | \`settings\` |
+| \`/page?tab=invalid\` | Default tab (fallback) |
+#### Hook Characteristics
+- URL is clean for default tab (no \`?tab=\` parameter)
+- Invalid tabs fallback to default
+- Uses \`replace: true\` to avoid polluting browser history
+### Frontend Validation Checks
+| Check | Description |
+|-------|-------------|
+| \`layouts\` | Verify no \`max-w-*\` in content wrapper, standard padding present |
+| \`tabs\` | Verify \`useTabNavigation\` hook usage for pages with tabs |
+---
 ## Quick Reference
 | Category | Convention | Example |
@@ -10500,6 +11648,10 @@ All tenant-related tables use the \`tenant_\` prefix:
 | Validation | \`withValidation: true\` | FluentValidation validators |
 | Repository | \`withRepository: true\` | Interface + Implementation |
 | Migration naming | \`suggest_migration\` | {context}_v{version}_{seq}_{Desc} |
+| Layout wrapper | No \`max-w-*\` | Content fills available width |
+| Layout padding | \`lg:px-10\` | Standard horizontal padding |
+| Tab navigation | \`useTabNavigation\` hook | Sync tabs with URL |
+| Tab URL | \`?tab=name\` | Shareable deep links to tabs |
 ---
@@ -10664,7 +11816,7 @@ Run specific or all checks:
 }
 // src/resources/project-info.ts
-import path20 from "path";
+import path22 from "path";
 var projectInfoResourceTemplate = {
   uri: "smartstack://project",
   name: "SmartStack Project Info",
@@ -10701,16 +11853,16 @@ async function getProjectInfoResource(config) {
   lines.push("```");
   lines.push(`${projectInfo.name}/`);
   if (structure.domain) {
-    lines.push(`\u251C\u2500\u2500 ${path20.basename(structure.domain)}/          # Domain layer (entities)`);
+    lines.push(`\u251C\u2500\u2500 ${path22.basename(structure.domain)}/          # Domain layer (entities)`);
   }
   if (structure.application) {
-    lines.push(`\u251C\u2500\u2500 ${path20.basename(structure.application)}/     # Application layer (services)`);
+    lines.push(`\u251C\u2500\u2500 ${path22.basename(structure.application)}/     # Application layer (services)`);
   }
   if (structure.infrastructure) {
-    lines.push(`\u251C\u2500\u2500 ${path20.basename(structure.infrastructure)}/  # Infrastructure (EF Core)`);
+    lines.push(`\u251C\u2500\u2500 ${path22.basename(structure.infrastructure)}/  # Infrastructure (EF Core)`);
   }
   if (structure.api) {
-    lines.push(`\u251C\u2500\u2500 ${path20.basename(structure.api)}/             # API layer (controllers)`);
+    lines.push(`\u251C\u2500\u2500 ${path22.basename(structure.api)}/             # API layer (controllers)`);
   }
   if (structure.web) {
     lines.push(`\u2514\u2500\u2500 web/smartstack-web/      # React frontend`);
@@ -10723,8 +11875,8 @@ async function getProjectInfoResource(config) {
     lines.push("| Project | Path |");
     lines.push("|---------|------|");
     for (const csproj of projectInfo.csprojFiles) {
-      const name = path20.basename(csproj, ".csproj");
-      const relativePath = path20.relative(projectPath, csproj);
+      const name = path22.basename(csproj, ".csproj");
+      const relativePath = path22.relative(projectPath, csproj);
       lines.push(`| ${name} | \`${relativePath}\` |`);
     }
     lines.push("");
@@ -10734,10 +11886,10 @@ async function getProjectInfoResource(config) {
       cwd: structure.migrations,
       ignore: ["*.Designer.cs"]
     });
-    const migrations = migrationFiles.map((f) => path20.basename(f)).filter((f) => !f.includes("ModelSnapshot") && !f.includes(".Designer.")).sort();
+    const migrations = migrationFiles.map((f) => path22.basename(f)).filter((f) => !f.includes("ModelSnapshot") && !f.includes(".Designer.")).sort();
     lines.push("## EF Core Migrations");
     lines.push("");
-    lines.push(`**Location**: \`${path20.relative(projectPath, structure.migrations)}\``);
+    lines.push(`**Location**: \`${path22.relative(projectPath, structure.migrations)}\``);
     lines.push(`**Total Migrations**: ${migrations.length}`);
     lines.push("");
     if (migrations.length > 0) {
@@ -10772,11 +11924,11 @@ async function getProjectInfoResource(config) {
   lines.push("dotnet build");
   lines.push("");
   lines.push("# Run API");
-  lines.push(`cd ${structure.api ? path20.relative(projectPath, structure.api) : "src/Api"}`);
+  lines.push(`cd ${structure.api ? path22.relative(projectPath, structure.api) : "src/Api"}`);
   lines.push("dotnet run");
   lines.push("");
   lines.push("# Run frontend");
-  lines.push(`cd ${structure.web ? path20.relative(projectPath, structure.web) : "web"}`);
+  lines.push(`cd ${structure.web ? path22.relative(projectPath, structure.web) : "web"}`);
   lines.push("npm run dev");
   lines.push("");
   lines.push("# Create migration");
@@ -10799,7 +11951,7 @@ async function getProjectInfoResource(config) {
 }
 // src/resources/api-endpoints.ts
-import path21 from "path";
+import path23 from "path";
 var apiEndpointsResourceTemplate = {
   uri: "smartstack://api/",
   name: "SmartStack API Endpoints",
@@ -10824,7 +11976,7 @@ async function getApiEndpointsResource(config, endpointFilter) {
 }
 async function parseController(filePath, _rootPath) {
   const content = await readText(filePath);
-  const fileName = path21.basename(filePath, ".cs");
+  const fileName = path23.basename(filePath, ".cs");
   const controllerName = fileName.replace("Controller", "");
   const endpoints = [];
   const routeMatch = content.match(/\[Route\s*\(\s*"([^"]+)"\s*\)\]/);
@@ -10971,7 +12123,7 @@ function getMethodEmoji(method) {
 }
 // src/resources/db-schema.ts
-import path22 from "path";
+import path24 from "path";
 var dbSchemaResourceTemplate = {
   uri: "smartstack://schema/",
   name: "SmartStack Database Schema",
@@ -11061,7 +12213,7 @@ async function parseEntity(filePath, rootPath, _config) {
     tableName,
     properties,
     relationships,
-    file: path22.relative(rootPath, filePath)
+    file: path24.relative(rootPath, filePath)
   };
 }
 async function enrichFromConfigurations(entities, infrastructurePath, _config) {
@@ -11207,7 +12359,7 @@ function formatSchema(entities, filter, _config) {
 }
 // src/resources/entities.ts
-import path23 from "path";
+import path25 from "path";
 var entitiesResourceTemplate = {
   uri: "smartstack://entities/",
   name: "SmartStack Entities",
@@ -11267,7 +12419,7 @@ async function parseEntitySummary(filePath, rootPath, config) {
     hasSoftDelete,
     hasRowVersion,
     file: filePath,
-    relativePath: path23.relative(rootPath, filePath)
+    relativePath: path25.relative(rootPath, filePath)
   };
 }
 function inferTableInfo(entityName, config) {
@@ -11467,7 +12619,10 @@ async function createServer() {
         validateFrontendRoutesTool,
         // Frontend Extension Tools
         scaffoldFrontendExtensionTool,
-        analyzeExtensionPointsTool
+        analyzeExtensionPointsTool,
+        // Security & Code Quality Tools
+        validateSecurityTool,
+        analyzeCodeQualityTool
       ]
     };
   });
@@ -11526,6 +12681,13 @@ async function createServer() {
         case "analyze_extension_points":
           result = await handleAnalyzeExtensionPoints(args ?? {}, config);
           break;
+        // Security & Code Quality Tools
+        case "validate_security":
+          result = await handleValidateSecurity(args ?? {}, config);
+          break;
+        case "analyze_code_quality":
+          result = await handleAnalyzeCodeQuality(args ?? {}, config);
+          break;
         default:
           throw new Error(`Unknown tool: ${name}`);
       }