@polymorphism-tech/morph-spec 3.0.1 → 3.2.0

package/stacks/nextjs-supabase/.morph/standards/supabase-pgvector.md

@@ -0,0 +1,164 @@
+# Supabase pgvector Standard
+
+> Stack: Next.js 15 + Supabase + .NET Backend
+
+## Core Rules
+
+- ALWAYS use HNSW indexes for production (faster queries, no training required)
+- ALWAYS match dimensions to embedding model (e.g., 1536 for text-embedding-3-small)
+- NEVER store embeddings without an index -- full table scan at query time
+- Use `halfvec` for large datasets to halve storage (16-bit vs 32-bit per dimension)
+- ALWAYS use RLS on tables containing embeddings
+
+## Setup and Table Design
+
+```sql
+CREATE EXTENSION IF NOT EXISTS vector;
+
+CREATE TABLE documents (
+  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  user_id UUID NOT NULL REFERENCES auth.users(id),
+  title TEXT NOT NULL,
+  content TEXT NOT NULL,
+  metadata JSONB DEFAULT '{}',
+  embedding vector(1536),
+  created_at TIMESTAMPTZ DEFAULT now()
+);
+
+ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
+CREATE POLICY "owner_access" ON documents FOR ALL
+  USING (user_id = auth.uid()) WITH CHECK (user_id = auth.uid());
+CREATE INDEX idx_documents_user_id ON documents (user_id);
+```
+
+### halfvec Optimization
+
+| Type | Storage/dim | 1536-dim | Best for |
+|------|------------|----------|----------|
+| `vector` | 4 bytes | 6 KB | High precision, small datasets |
+| `halfvec` | 2 bytes | 3 KB | Large datasets, cost optimization |
+
+## Index Types
+
+```sql
+-- HNSW (recommended)
+CREATE INDEX idx_docs_embedding ON documents
+  USING hnsw (embedding vector_cosine_ops) WITH (m = 16, ef_construction = 64);
+
+-- IVFFlat (legacy, requires existing data)
+CREATE INDEX idx_docs_ivf ON documents
+  USING ivfflat (embedding vector_cosine_ops) WITH (lists = 100);
+```
+
+| Feature | HNSW | IVFFlat |
+|---------|------|---------|
+| Query speed | Faster | Slower |
+| Requires training | No | Yes |
+| Recall quality | Higher | Lower |
+| Recommended | Yes | Only for very large datasets |
+
+## HNSW Parameters
+
+| Parameter | Default | Tuning |
+|-----------|---------|--------|
+| `m` | 16 | Higher = better recall, more memory |
+| `ef_construction` | 64 | Higher = better index, slower build |
+| `ef_search` | 40 | `SET hnsw.ef_search = 100;` per session |
+
+## Distance Functions
+
+| Operator | Function | Index Ops | Use Case |
+|----------|----------|-----------|----------|
+| `<=>` | Cosine distance | `vector_cosine_ops` | Normalized embeddings (most common) |
+| `<->` | L2 (Euclidean) | `vector_l2_ops` | Spatial/positional data |
+| `<#>` | Inner product (neg) | `vector_ip_ops` | Pre-normalized, max similarity |
+
+## Similarity Search
+
+```sql
+CREATE OR REPLACE FUNCTION match_documents(
+  query_embedding vector(1536),
+  match_threshold float DEFAULT 0.78,
+  match_count int DEFAULT 10,
+  p_user_id uuid DEFAULT auth.uid()
+) RETURNS TABLE (id uuid, title text, content text, similarity float)
+LANGUAGE sql STABLE AS $$
+  SELECT d.id, d.title, d.content,
+    1 - (d.embedding <=> query_embedding) AS similarity
+  FROM documents d
+  WHERE d.user_id = p_user_id
+    AND 1 - (d.embedding <=> query_embedding) > match_threshold
+  ORDER BY d.embedding <=> query_embedding
+  LIMIT match_count;
+$$;
+```
+
+## Hybrid Search (Vector + Full-Text)
+
+```sql
+CREATE OR REPLACE FUNCTION hybrid_search(
+  query_text text, query_embedding vector(1536),
+  match_count int DEFAULT 10,
+  text_weight float DEFAULT 0.3, vector_weight float DEFAULT 0.7
+) RETURNS TABLE (id uuid, title text, content text, score float)
+LANGUAGE sql STABLE AS $$
+  WITH vector_results AS (
+    SELECT id, title, content,
+      1 - (embedding <=> query_embedding) AS vector_score
+    FROM documents WHERE user_id = auth.uid()
+    ORDER BY embedding <=> query_embedding LIMIT match_count * 2
+  ),
+  text_results AS (
+    SELECT id, title, content,
+      ts_rank(to_tsvector('english', content), plainto_tsquery('english', query_text)) AS text_score
+    FROM documents WHERE user_id = auth.uid()
+      AND to_tsvector('english', content) @@ plainto_tsquery('english', query_text)
+    LIMIT match_count * 2
+  )
+  SELECT COALESCE(v.id, t.id), COALESCE(v.title, t.title), COALESCE(v.content, t.content),
+    (COALESCE(v.vector_score, 0) * vector_weight + COALESCE(t.text_score, 0) * text_weight)
+  FROM vector_results v FULL OUTER JOIN text_results t ON v.id = t.id
+  ORDER BY score DESC LIMIT match_count;
+$$;
+```
+
+## .NET Integration (Npgsql)
+
+```csharp
+public sealed class DocumentRepository(AppDbContext db)
+{
+    public async Task StoreEmbeddingAsync(
+        Guid documentId, float[] embedding, CancellationToken ct = default)
+    {
+        await db.Database.ExecuteSqlInterpolatedAsync(
+            $"UPDATE documents SET embedding = {new Vector(embedding)} WHERE id = {documentId}", ct);
+    }
+
+    public async Task<List<DocumentMatch>> SearchSimilarAsync(
+        float[] queryEmbedding, int limit = 10, float threshold = 0.78f,
+        CancellationToken ct = default)
+    {
+        return await db.Database.SqlQuery<DocumentMatch>($"""
+            SELECT id, title, content,
+              1 - (embedding <=> {new Vector(queryEmbedding)}::vector) AS similarity
+            FROM documents
+            WHERE 1 - (embedding <=> {new Vector(queryEmbedding)}::vector) > {threshold}
+            ORDER BY embedding <=> {new Vector(queryEmbedding)}::vector LIMIT {limit}
+            """).ToListAsync(ct);
+    }
+}
+
+// EF Core registration
+builder.Services.AddDbContext<AppDbContext>(o =>
+    o.UseNpgsql(connectionString, npg => npg.UseVector()));
+```
+
+## Common Mistakes
+
+| Wrong | Right | Why |
+|-------|-------|-----|
+| No index on embedding column | HNSW index | Full table scan, extremely slow |
+| `ORDER BY similarity DESC` | `ORDER BY embedding <=> query ASC` | Operator returns distance, not similarity |
+| Mixing embedding dimensions | Consistent dimensions per column | Dimension mismatch causes runtime errors |
+| Full-precision for millions of rows | `halfvec` for large datasets | 2x storage savings, minimal quality loss |
+| Missing RLS on embedding tables | RLS with user/tenant policies | Embeddings contain sensitive content context |

package/stacks/nextjs-supabase/.morph/standards/supabase-rls.md

@@ -0,0 +1,179 @@
+# Supabase Row Level Security Standard
+
+> Stack: Next.js 15 + Supabase + .NET Backend
+
+## Core Rules
+
+- ALWAYS enable RLS on every table: `ALTER TABLE t ENABLE ROW LEVEL SECURITY`
+- NEVER rely solely on application-level filtering — RLS is the security boundary
+- `service_role` key bypasses ALL RLS — use only on trusted backend
+- ALWAYS create at least one policy after enabling RLS — otherwise no rows are accessible
+- ALWAYS add indexes on columns used in RLS policies
+
+## Policy Syntax
+
+### USING vs WITH CHECK
+
+| Clause | Applies To | Purpose |
+|--------|-----------|---------|
+| `USING (expr)` | SELECT, UPDATE, DELETE | Filter which existing rows are visible |
+| `WITH CHECK (expr)` | INSERT, UPDATE | Validate new/modified row data |
+
+```sql
+-- SELECT: only see your own rows
+CREATE POLICY "users_select_own" ON documents
+  FOR SELECT USING (user_id = auth.uid());
+
+-- INSERT: can only insert rows owned by you
+CREATE POLICY "users_insert_own" ON documents
+  FOR INSERT WITH CHECK (user_id = auth.uid());
+
+-- UPDATE: can only see AND modify your own rows
+CREATE POLICY "users_update_own" ON documents
+  FOR UPDATE
+  USING (user_id = auth.uid())
+  WITH CHECK (user_id = auth.uid());
+
+-- DELETE: can only delete your own rows
+CREATE POLICY "users_delete_own" ON documents
+  FOR DELETE USING (user_id = auth.uid());
+```
+
+## Auth Functions
+
+| Function | Returns | Use Case |
+|----------|---------|----------|
+| `auth.uid()` | UUID of authenticated user | Ownership checks |
+| `auth.jwt()` | Full JWT claims as JSON | Custom claims, roles, tenant ID |
+| `auth.role()` | Current role string | Distinguish anon vs authenticated |
+
+```sql
+-- Access custom JWT claims
+auth.jwt() ->> 'tenant_id'
+auth.jwt() -> 'app_metadata' ->> 'role'
+```
+
+## Common Patterns
+
+### 1. Ownership
+
+```sql
+ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
+
+CREATE POLICY "owner_all" ON documents
+  FOR ALL USING (user_id = auth.uid())
+  WITH CHECK (user_id = auth.uid());
+```
+
+### 2. Tenant Isolation
+
+```sql
+-- Requires tenant_id in JWT app_metadata
+CREATE POLICY "tenant_isolation" ON orders
+  FOR ALL
+  USING (tenant_id = (auth.jwt() -> 'app_metadata' ->> 'tenant_id')::uuid)
+  WITH CHECK (tenant_id = (auth.jwt() -> 'app_metadata' ->> 'tenant_id')::uuid);
+```
+
+### 3. Role-Based Access
+
+```sql
+-- Admins see everything, users see own
+CREATE POLICY "admin_full_access" ON documents
+  FOR ALL USING (
+    auth.jwt() -> 'app_metadata' ->> 'role' = 'admin'
+  );
+
+CREATE POLICY "user_own_access" ON documents
+  FOR ALL USING (user_id = auth.uid())
+  WITH CHECK (user_id = auth.uid());
+```
+
+### 4. Public Read, Authenticated Write
+
+```sql
+CREATE POLICY "public_read" ON posts
+  FOR SELECT USING (published = true);
+
+CREATE POLICY "auth_write" ON posts
+  FOR INSERT WITH CHECK (auth.role() = 'authenticated');
+```
+
+### 5. Team/Organization Access
+
+```sql
+CREATE POLICY "team_access" ON projects
+  FOR SELECT USING (
+    EXISTS (
+      SELECT 1 FROM team_members
+      WHERE team_members.team_id = projects.team_id
+      AND team_members.user_id = auth.uid()
+    )
+  );
+```
+
+## Index Recommendations
+
+Always index columns used in RLS policies for performance:
+
+```sql
+CREATE INDEX idx_documents_user_id ON documents (user_id);
+CREATE INDEX idx_orders_tenant_id ON orders (tenant_id);
+CREATE INDEX idx_team_members_lookup ON team_members (team_id, user_id);
+```
+
+## Testing RLS Policies
+
+### Via SQL (Supabase SQL Editor)
+
+```sql
+-- Test as a specific user
+SET request.jwt.claims = '{"sub": "user-uuid-here", "role": "authenticated",
+  "app_metadata": {"tenant_id": "tenant-uuid", "role": "admin"}}';
+SET role = 'authenticated';
+
+SELECT * FROM documents; -- should only return rows matching policy
+
+RESET role;
+RESET request.jwt.claims;
+```
+
+### Via Client (different auth contexts)
+
+```ts
+// Test with anon key (unauthenticated)
+const anonClient = createClient(url, anonKey);
+const { data } = await anonClient.from("documents").select("*");
+// Should return empty if no public policy
+
+// Test with authenticated user
+const { data: userData } = await authClient.from("documents").select("*");
+// Should return only user's rows
+```
+
+## Migration Pattern
+
+```sql
+-- migration: 001_enable_rls.sql
+ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
+ALTER TABLE orders ENABLE ROW LEVEL SECURITY;
+ALTER TABLE team_members ENABLE ROW LEVEL SECURITY;
+
+-- Always pair with policies
+CREATE POLICY "documents_owner" ON documents
+  FOR ALL USING (user_id = auth.uid())
+  WITH CHECK (user_id = auth.uid());
+```
+
+## Common Mistakes
+
+| Wrong | Right | Why |
+|-------|-------|-----|
+| Enable RLS without policies | Enable RLS + create policies | No policies = no access at all |
+| `FOR ALL USING (true)` | Specific conditions per operation | Grants unrestricted access, defeats RLS |
+| UPDATE with only USING | UPDATE with USING + WITH CHECK | User could change user_id to another user |
+| Complex subqueries in policies | Simple conditions + indexed columns | Subqueries in policies cause N+1 perf issues |
+| Using `anon` key as service_role | Separate keys, service_role only on backend | anon key respects RLS (correct), don't confuse |
+| RLS on some tables but not others | RLS on ALL tables with user data | Attackers target unprotected tables |
+| `auth.uid()` without null check | `auth.uid() IS NOT NULL AND user_id = auth.uid()` | Prevents anon access when policy is permissive |
+| Forgetting junction table RLS | RLS on junction tables too | team_members without RLS leaks membership |

package/stacks/nextjs-supabase/.morph/standards/supabase-storage.md

@@ -0,0 +1,148 @@
+# Supabase Storage Standard
+
+> Stack: Next.js 15 + Supabase + .NET Backend
+
+## Core Rules
+
+- ALWAYS use RLS policies on storage.objects for access control
+- NEVER serve private files without signed URLs
+- ALWAYS validate file type and size before upload
+- Public buckets: anyone can read, still need auth for write
+- Private buckets: require signed URLs or authenticated access
+
+## Bucket Configuration
+
+```sql
+-- Public bucket (avatars, logos)
+INSERT INTO storage.buckets (id, name, public, file_size_limit, allowed_mime_types)
+VALUES ('avatars', 'avatars', true, 2097152, ARRAY['image/jpeg','image/png','image/webp']);
+
+-- Private bucket (documents, reports)
+INSERT INTO storage.buckets (id, name, public, file_size_limit, allowed_mime_types)
+VALUES ('documents', 'documents', false, 10485760, ARRAY['application/pdf','image/jpeg','image/png']);
+```
+
+| Setting | Public Bucket | Private Bucket |
+|---------|--------------|----------------|
+| Read access | Anyone via URL | Signed URL or auth required |
+| Write access | RLS policy required | RLS policy required |
+| Use case | Avatars, public images | Documents, reports |
+
+## Storage RLS Policies
+
+```sql
+-- Users upload/view/delete in their own folder
+CREATE POLICY "user_upload" ON storage.objects FOR INSERT
+  WITH CHECK (bucket_id = 'documents' AND (storage.foldername(name))[1] = auth.uid()::text);
+
+CREATE POLICY "user_select" ON storage.objects FOR SELECT
+  USING (bucket_id = 'documents' AND (storage.foldername(name))[1] = auth.uid()::text);
+
+CREATE POLICY "user_delete" ON storage.objects FOR DELETE
+  USING (bucket_id = 'documents' AND (storage.foldername(name))[1] = auth.uid()::text);
+
+-- Public bucket: anyone reads, auth users upload to own folder
+CREATE POLICY "public_read" ON storage.objects FOR SELECT
+  USING (bucket_id = 'avatars');
+
+CREATE POLICY "auth_upload_avatar" ON storage.objects FOR INSERT
+  WITH CHECK (bucket_id = 'avatars' AND (storage.foldername(name))[1] = auth.uid()::text);
+```
+
+## Path Naming Convention
+
+```
+{bucket}/{user_id}/{category}/{filename}
+avatars/{user_id}/profile.webp
+documents/{user_id}/invoices/2026-01-invoice.pdf
+```
+
+First folder segment = user_id (enables simple RLS). Use lowercase, hyphens, include extension.
+
+## Upload Patterns
+
+### Browser Upload (Next.js)
+
+```ts
+async function uploadFile(file: File, userId: string) {
+  if (file.size > 10 * 1024 * 1024) throw new Error("File too large");
+  const allowedTypes = ["application/pdf", "image/jpeg", "image/png"];
+  if (!allowedTypes.includes(file.type)) throw new Error("Invalid type");
+
+  const path = `${userId}/uploads/${Date.now()}-${file.name}`;
+  const { data, error } = await supabase.storage
+    .from("documents")
+    .upload(path, file, { cacheControl: "3600", upsert: false, contentType: file.type });
+  if (error) throw error;
+  return data.path;
+}
+```
+
+### Server Upload (.NET)
+
+```csharp
+public sealed class StorageService(Supabase.Client client, ILogger<StorageService> logger)
+{
+    private static readonly string[] AllowedTypes = ["application/pdf", "image/jpeg", "image/png"];
+
+    public async Task<string> UploadAsync(
+        string bucket, string path, Stream stream,
+        string contentType, CancellationToken ct = default)
+    {
+        if (!AllowedTypes.Contains(contentType))
+            throw new ValidationException($"Invalid content type: {contentType}");
+        var response = await client.Storage.From(bucket)
+            .Upload(stream, path, new FileOptions { ContentType = contentType, Upsert = false });
+        return response;
+    }
+}
+```
+
+## Download and Signed URLs
+
+```ts
+// Public bucket: direct URL
+const { data } = supabase.storage.from("avatars").getPublicUrl("user-id/profile.webp");
+
+// Private bucket: signed URL (time-limited)
+const { data } = await supabase.storage
+  .from("documents").createSignedUrl("user-id/report.pdf", 3600); // 1 hour
+
+// Download file content (returns Blob)
+const { data } = await supabase.storage.from("documents").download("user-id/report.pdf");
+```
+
+## Image Transformations
+
+```ts
+const { data } = supabase.storage.from("avatars").getPublicUrl("user-id/photo.jpg", {
+  transform: { width: 200, height: 200, resize: "cover", quality: 80 },
+});
+```
+
+| Parameter | Options | Default |
+|-----------|---------|---------|
+| `width` / `height` | 1-2500 px | original |
+| `resize` | cover, contain, fill | cover |
+| `quality` | 20-100 | 80 |
+| `format` | origin, avif, webp | origin |
+
+## File Validation
+
+| Check | Client-Side | Server-Side | Bucket Config |
+|-------|------------|-------------|---------------|
+| File size | `file.size` | Stream length | `file_size_limit` |
+| MIME type | `file.type` | Content-Type | `allowed_mime_types` |
+| Extension | File name | File name | -- |
+
+Always validate at all three levels. Client-side can be bypassed.
+
+## Common Mistakes
+
+| Wrong | Right | Why |
+|-------|-------|-----|
+| No RLS on storage.objects | Policies for each bucket | Anyone can read/write without policies |
+| Private files via public URL | `createSignedUrl()` | Private bucket returns 403 without auth |
+| User-provided filename as-is | Sanitize + timestamp prefix | Path traversal attacks, collisions |
+| `upsert: true` by default | `upsert: false` | Prevents accidental file overwrites |
+| Files without user folder | `{user_id}/...` path pattern | Cannot write simple RLS policies |

package/stacks/nextjs-supabase/.morph/templates/contracts.cs

@@ -0,0 +1,173 @@
+// ============================================================
+// CONTRACTS: {{FEATURE_NAME_TITLE}}
+// Stack: Next.js + Supabase + .NET API
+// Generated by MORPH Framework
+// Date: {{DATE}}
+// ============================================================
+
+#region Usings
+
+using System;
+using System.Collections.Generic;
+using System.Threading;
+using System.Threading.Tasks;
+
+#endregion
+
+namespace {{NAMESPACE}}.Application.Features.{{FEATURE_NAME_PASCAL}};
+
+#region Configuration
+
+/// <summary>
+/// Supabase configuration options.
+/// Bind from appsettings.json "Supabase" section.
+/// </summary>
+public sealed record SupabaseConfig
+{
+    public required string Url { get; init; }
+    public required string AnonKey { get; init; }
+    public required string ServiceRoleKey { get; init; }
+    public required string JwtSecret { get; init; }
+}
+
+#endregion
+
+#region Pagination
+
+/// <summary>
+/// Pagination query parameters. Use with [AsParameters] in Minimal API.
+/// </summary>
+public sealed record PaginationQuery(
+    int Page = 1,
+    int PageSize = 20)
+{
+    public int Offset => (Page - 1) * PageSize;
+}
+
+/// <summary>
+/// Paginated result wrapper.
+/// </summary>
+public sealed record PagedResult<T>(
+    List<T> Items,
+    int TotalCount,
+    int Page,
+    int PageSize)
+{
+    public int TotalPages => (int)Math.Ceiling(TotalCount / (double)PageSize);
+    public bool HasNext => Page < TotalPages;
+    public bool HasPrevious => Page > 1;
+}
+
+#endregion
+
+#region Repository Interfaces
+
+/// <summary>
+/// Generic repository interface for Supabase/PostgreSQL data access via Dapper.
+/// </summary>
+public interface IRepository<T, TId>
+{
+    Task<T?> GetByIdAsync(TId id, CancellationToken cancellationToken = default);
+    Task<List<T>> GetAllAsync(CancellationToken cancellationToken = default);
+    Task<PagedResult<T>> GetPagedAsync(PaginationQuery query, CancellationToken cancellationToken = default);
+    Task<TId> CreateAsync(T entity, CancellationToken cancellationToken = default);
+    Task UpdateAsync(T entity, CancellationToken cancellationToken = default);
+    Task DeleteAsync(TId id, CancellationToken cancellationToken = default);
+}
+
+#endregion
+
+#region Service Interfaces
+
+/// <summary>
+/// Service for managing {{FEATURE_NAME_PASCAL}} operations.
+/// </summary>
+public interface I{{FEATURE_NAME_PASCAL}}Service
+{
+    /// <summary>
+    /// Gets a {{FEATURE_NAME_PASCAL}} by its identifier.
+    /// </summary>
+    Task<{{FEATURE_NAME_PASCAL}}Dto?> GetByIdAsync(Guid id, CancellationToken cancellationToken = default);
+
+    /// <summary>
+    /// Gets paginated list of {{FEATURE_NAME_PASCAL}} items.
+    /// </summary>
+    Task<PagedResult<{{FEATURE_NAME_PASCAL}}Dto>> GetPagedAsync(PaginationQuery query, Guid userId, CancellationToken cancellationToken = default);
+
+    /// <summary>
+    /// Creates a new {{FEATURE_NAME_PASCAL}}.
+    /// </summary>
+    Task<{{FEATURE_NAME_PASCAL}}Dto> CreateAsync(Create{{FEATURE_NAME_PASCAL}}Request request, Guid userId, CancellationToken cancellationToken = default);
+
+    /// <summary>
+    /// Updates an existing {{FEATURE_NAME_PASCAL}}.
+    /// </summary>
+    Task UpdateAsync(Guid id, Update{{FEATURE_NAME_PASCAL}}Request request, Guid userId, CancellationToken cancellationToken = default);
+
+    /// <summary>
+    /// Deletes a {{FEATURE_NAME_PASCAL}}.
+    /// </summary>
+    Task DeleteAsync(Guid id, Guid userId, CancellationToken cancellationToken = default);
+}
+
+#endregion
+
+#region DTOs
+
+/// <summary>
+/// Data transfer object for {{FEATURE_NAME_PASCAL}}.
+/// </summary>
+public sealed record {{FEATURE_NAME_PASCAL}}Dto(
+    Guid Id,
+    string Name,
+    Guid UserId,
+    {{FEATURE_NAME_PASCAL}}Status Status,
+    DateTime CreatedAt,
+    DateTime? UpdatedAt
+);
+
+/// <summary>
+/// Request to create a new {{FEATURE_NAME_PASCAL}}.
+/// </summary>
+public sealed record Create{{FEATURE_NAME_PASCAL}}Request(
+    string Name
+    // Add other required fields
+);
+
+/// <summary>
+/// Request to update an existing {{FEATURE_NAME_PASCAL}}.
+/// </summary>
+public sealed record Update{{FEATURE_NAME_PASCAL}}Request(
+    string Name
+    // Add other updatable fields
+);
+
+#endregion
+
+#region Enums
+
+/// <summary>
+/// Status of a {{FEATURE_NAME_PASCAL}}.
+/// </summary>
+public enum {{FEATURE_NAME_PASCAL}}Status
+{
+    Draft = 0,
+    Active = 1,
+    Completed = 2,
+    Archived = 3,
+    // Error states
+    Failed = 100,
+    Cancelled = 101
+}
+
+#endregion
+
+#region Exceptions
+
+public sealed class {{FEATURE_NAME_PASCAL}}NotFoundException(Guid id)
+    : Exception($"{{FEATURE_NAME_PASCAL}} with ID {id} was not found.");
+
+public sealed class {{FEATURE_NAME_PASCAL}}AccessDeniedException(Guid id, Guid userId)
+    : Exception($"User {userId} does not have access to {{FEATURE_NAME_PASCAL}} {id}.");
+
+#endregion