@luanpdd/kit-mcp 1.21.0 → 1.26.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (275) hide show
  1. package/LICENSE +21 -21
  2. package/README.md +914 -648
  3. package/kit/COMANDOS.md +138 -138
  4. package/kit/README.md +76 -52
  5. package/kit/agents/advisor-researcher.md +106 -106
  6. package/kit/agents/assumptions-analyzer.md +107 -107
  7. package/kit/agents/audit-log-implementer.md +138 -0
  8. package/kit/agents/auditor-consistencia-isolamento.md +413 -0
  9. package/kit/agents/codebase-mapper.md +768 -768
  10. package/kit/agents/crm-pipeline-implementer.md +106 -0
  11. package/kit/agents/debugger.md +813 -772
  12. package/kit/agents/detector-tenant-quente.md +337 -0
  13. package/kit/agents/evolution-go-integrator.md +21 -0
  14. package/kit/agents/example-reviewer.md +21 -21
  15. package/kit/agents/executor.md +564 -523
  16. package/kit/agents/integration-checker.md +200 -200
  17. package/kit/agents/invite-flow-implementer.md +52 -0
  18. package/kit/agents/lgpd-compliance-auditor.md +89 -0
  19. package/kit/agents/multi-tenant-isolation-auditor.md +10 -0
  20. package/kit/agents/multi-tenant-rls-writer.md +78 -0
  21. package/kit/agents/nyquist-auditor.md +178 -178
  22. package/kit/agents/org-onboarding-implementer.md +21 -0
  23. package/kit/agents/phase-researcher.md +696 -696
  24. package/kit/agents/plan-checker.md +272 -272
  25. package/kit/agents/planner.md +922 -891
  26. package/kit/agents/project-researcher.md +652 -652
  27. package/kit/agents/research-synthesizer.md +245 -245
  28. package/kit/agents/roadmapper.md +677 -677
  29. package/kit/agents/supabase-architect.md +27 -0
  30. package/kit/agents/supabase-auth-bootstrapper.md +80 -0
  31. package/kit/agents/supabase-column-privileges-writer.md +399 -0
  32. package/kit/agents/supabase-migration-writer.md +141 -14
  33. package/kit/agents/supabase-rbac-implementer.md +392 -0
  34. package/kit/agents/supabase-rls-hardener.md +521 -0
  35. package/kit/agents/supabase-rls-writer.md +105 -9
  36. package/kit/agents/supabase-roles-implementer.md +355 -0
  37. package/kit/agents/super-admin-implementer.md +99 -0
  38. package/kit/agents/ui-auditor.md +437 -437
  39. package/kit/agents/ui-checker.md +302 -302
  40. package/kit/agents/ui-researcher.md +355 -355
  41. package/kit/agents/user-profiler.md +175 -175
  42. package/kit/agents/validador-evolucao-schema.md +335 -0
  43. package/kit/agents/verifier.md +728 -728
  44. package/kit/commands/adicionar-backlog.md +75 -75
  45. package/kit/commands/adicionar-fase.md +42 -42
  46. package/kit/commands/adicionar-tarefa.md +45 -45
  47. package/kit/commands/adicionar-testes.md +41 -41
  48. package/kit/commands/ajuda.md +21 -21
  49. package/kit/commands/atualizar.md +37 -37
  50. package/kit/commands/auditar-marco.md +179 -179
  51. package/kit/commands/auditar-uat.md +23 -23
  52. package/kit/commands/autonomo.md +40 -40
  53. package/kit/commands/branch-pr.md +24 -24
  54. package/kit/commands/concluir-marco.md +247 -247
  55. package/kit/commands/configuracoes.md +36 -36
  56. package/kit/commands/dados-distribuidos.md +188 -0
  57. package/kit/commands/definir-perfil.md +10 -10
  58. package/kit/commands/depurar.md +190 -190
  59. package/kit/commands/discutir-fase.md +131 -131
  60. package/kit/commands/entrar-discord.md +17 -17
  61. package/kit/commands/estatisticas.md +18 -18
  62. package/kit/commands/example-greeting.md +33 -33
  63. package/kit/commands/executar-fase.md +58 -58
  64. package/kit/commands/expresso.md +56 -56
  65. package/kit/commands/fase-ui.md +34 -34
  66. package/kit/commands/fazer.md +57 -57
  67. package/kit/commands/fio.md +125 -125
  68. package/kit/commands/fluxos-trabalho.md +64 -64
  69. package/kit/commands/forense.md +176 -176
  70. package/kit/commands/gerenciador.md +38 -38
  71. package/kit/commands/inserir-fase.md +31 -31
  72. package/kit/commands/limpeza.md +17 -17
  73. package/kit/commands/listar-hipoteses-fase.md +45 -45
  74. package/kit/commands/listar-workspaces.md +18 -18
  75. package/kit/commands/mapear-codebase.md +70 -70
  76. package/kit/commands/nota.md +33 -33
  77. package/kit/commands/novo-marco.md +43 -43
  78. package/kit/commands/novo-projeto.md +41 -41
  79. package/kit/commands/novo-workspace.md +43 -43
  80. package/kit/commands/pausar-trabalho.md +37 -37
  81. package/kit/commands/perfil-usuario.md +45 -45
  82. package/kit/commands/pesquisar-fase.md +195 -195
  83. package/kit/commands/planejar-fase.md +67 -67
  84. package/kit/commands/planejar-lacunas.md +33 -33
  85. package/kit/commands/plantar-ideia.md +25 -25
  86. package/kit/commands/progresso.md +24 -24
  87. package/kit/commands/proximo.md +30 -30
  88. package/kit/commands/publicar.md +490 -490
  89. package/kit/commands/rapido.md +35 -35
  90. package/kit/commands/reaplicar-patches.md +124 -124
  91. package/kit/commands/relatorio-sessao.md +19 -19
  92. package/kit/commands/remover-fase.md +31 -31
  93. package/kit/commands/remover-workspace.md +26 -26
  94. package/kit/commands/resumo-marco.md +50 -50
  95. package/kit/commands/retomar-trabalho.md +40 -40
  96. package/kit/commands/revisar-backlog.md +60 -60
  97. package/kit/commands/revisar-ui.md +32 -32
  98. package/kit/commands/revisar.md +37 -37
  99. package/kit/commands/saude.md +21 -21
  100. package/kit/commands/setup-notion.md +93 -93
  101. package/kit/commands/supabase.md +55 -8
  102. package/kit/commands/sync-main.md +68 -68
  103. package/kit/commands/validar-fase.md +35 -35
  104. package/kit/commands/verificar-tarefas.md +44 -44
  105. package/kit/commands/verificar-trabalho.md +64 -64
  106. package/kit/file-manifest.json +52 -32
  107. package/kit/framework/bin/lib/commands.cjs +959 -959
  108. package/kit/framework/bin/lib/config.cjs +442 -442
  109. package/kit/framework/bin/lib/core.cjs +1230 -1230
  110. package/kit/framework/bin/lib/frontmatter.cjs +336 -336
  111. package/kit/framework/bin/lib/init.cjs +1442 -1442
  112. package/kit/framework/bin/lib/milestone.cjs +252 -252
  113. package/kit/framework/bin/lib/model-profiles.cjs +68 -68
  114. package/kit/framework/bin/lib/phase.cjs +888 -888
  115. package/kit/framework/bin/lib/profile-output.cjs +952 -952
  116. package/kit/framework/bin/lib/profile-pipeline.cjs +539 -539
  117. package/kit/framework/bin/lib/roadmap.cjs +329 -329
  118. package/kit/framework/bin/lib/security.cjs +382 -382
  119. package/kit/framework/bin/lib/state.cjs +1031 -1031
  120. package/kit/framework/bin/lib/template.cjs +222 -222
  121. package/kit/framework/bin/lib/uat.cjs +282 -282
  122. package/kit/framework/bin/lib/verify.cjs +888 -888
  123. package/kit/framework/bin/lib/workstream.cjs +491 -491
  124. package/kit/framework/bin/tools.cjs +918 -918
  125. package/kit/framework/commands/workstreams.md +63 -63
  126. package/kit/framework/references/checkpoints.md +778 -778
  127. package/kit/framework/references/continuation-format.md +249 -249
  128. package/kit/framework/references/decimal-phase-calculation.md +64 -64
  129. package/kit/framework/references/git-integration.md +295 -295
  130. package/kit/framework/references/git-planning-commit.md +38 -38
  131. package/kit/framework/references/model-profile-resolution.md +36 -36
  132. package/kit/framework/references/model-profiles.md +139 -139
  133. package/kit/framework/references/phase-argument-parsing.md +61 -61
  134. package/kit/framework/references/planning-config.md +202 -202
  135. package/kit/framework/references/questioning.md +162 -162
  136. package/kit/framework/references/tdd.md +263 -263
  137. package/kit/framework/references/ui-brand.md +160 -160
  138. package/kit/framework/references/user-profiling.md +657 -657
  139. package/kit/framework/references/verification-patterns.md +612 -612
  140. package/kit/framework/references/workstream-flag.md +58 -58
  141. package/kit/framework/templates/DEBUG.md +164 -164
  142. package/kit/framework/templates/UAT.md +265 -265
  143. package/kit/framework/templates/UI-SPEC.md +100 -100
  144. package/kit/framework/templates/VALIDATION.md +76 -76
  145. package/kit/framework/templates/claude-md.md +122 -122
  146. package/kit/framework/templates/codebase/architecture.md +185 -185
  147. package/kit/framework/templates/codebase/concerns.md +205 -205
  148. package/kit/framework/templates/codebase/conventions.md +204 -204
  149. package/kit/framework/templates/codebase/integrations.md +192 -192
  150. package/kit/framework/templates/codebase/stack.md +158 -158
  151. package/kit/framework/templates/codebase/structure.md +199 -199
  152. package/kit/framework/templates/codebase/testing.md +301 -301
  153. package/kit/framework/templates/config.json +44 -44
  154. package/kit/framework/templates/context.md +352 -352
  155. package/kit/framework/templates/continue-here.md +78 -78
  156. package/kit/framework/templates/copilot-instructions.md +7 -7
  157. package/kit/framework/templates/debug-subagent-prompt.md +91 -91
  158. package/kit/framework/templates/dev-preferences.md +20 -20
  159. package/kit/framework/templates/discovery.md +146 -146
  160. package/kit/framework/templates/discussion-log.md +63 -63
  161. package/kit/framework/templates/milestone-archive.md +123 -123
  162. package/kit/framework/templates/milestone.md +115 -115
  163. package/kit/framework/templates/phase-prompt.md +610 -610
  164. package/kit/framework/templates/planner-subagent-prompt.md +117 -117
  165. package/kit/framework/templates/project.md +186 -186
  166. package/kit/framework/templates/requirements.md +231 -231
  167. package/kit/framework/templates/research-project/ARCHITECTURE.md +204 -204
  168. package/kit/framework/templates/research-project/FEATURES.md +147 -147
  169. package/kit/framework/templates/research-project/PITFALLS.md +200 -200
  170. package/kit/framework/templates/research-project/STACK.md +120 -120
  171. package/kit/framework/templates/research-project/SUMMARY.md +170 -170
  172. package/kit/framework/templates/research.md +419 -419
  173. package/kit/framework/templates/retrospective.md +54 -54
  174. package/kit/framework/templates/roadmap.md +202 -202
  175. package/kit/framework/templates/state.md +176 -176
  176. package/kit/framework/templates/summary-complex.md +59 -59
  177. package/kit/framework/templates/summary-minimal.md +41 -41
  178. package/kit/framework/templates/summary-standard.md +48 -48
  179. package/kit/framework/templates/summary.md +209 -209
  180. package/kit/framework/templates/user-profile.md +146 -146
  181. package/kit/framework/templates/user-setup.md +256 -256
  182. package/kit/framework/templates/verification-report.md +258 -258
  183. package/kit/framework/workflows/add-phase.md +112 -112
  184. package/kit/framework/workflows/add-tests.md +351 -351
  185. package/kit/framework/workflows/add-todo.md +158 -158
  186. package/kit/framework/workflows/audit-milestone.md +340 -340
  187. package/kit/framework/workflows/audit-uat.md +109 -109
  188. package/kit/framework/workflows/autonomous.md +891 -891
  189. package/kit/framework/workflows/check-todos.md +177 -177
  190. package/kit/framework/workflows/cleanup.md +152 -152
  191. package/kit/framework/workflows/complete-milestone.md +696 -696
  192. package/kit/framework/workflows/diagnose-issues.md +231 -231
  193. package/kit/framework/workflows/discovery-phase.md +289 -289
  194. package/kit/framework/workflows/discuss-phase-assumptions.md +653 -653
  195. package/kit/framework/workflows/discuss-phase.md +784 -784
  196. package/kit/framework/workflows/do.md +104 -104
  197. package/kit/framework/workflows/execute-phase.md +838 -838
  198. package/kit/framework/workflows/execute-plan.md +510 -510
  199. package/kit/framework/workflows/fast.md +102 -102
  200. package/kit/framework/workflows/forensics.md +265 -265
  201. package/kit/framework/workflows/health.md +181 -181
  202. package/kit/framework/workflows/help.md +619 -619
  203. package/kit/framework/workflows/insert-phase.md +130 -130
  204. package/kit/framework/workflows/list-phase-assumptions.md +178 -178
  205. package/kit/framework/workflows/list-workspaces.md +56 -56
  206. package/kit/framework/workflows/manager.md +362 -362
  207. package/kit/framework/workflows/map-codebase.md +377 -377
  208. package/kit/framework/workflows/milestone-summary.md +223 -223
  209. package/kit/framework/workflows/new-milestone.md +486 -486
  210. package/kit/framework/workflows/new-project.md +1159 -1159
  211. package/kit/framework/workflows/new-workspace.md +237 -237
  212. package/kit/framework/workflows/next.md +97 -97
  213. package/kit/framework/workflows/node-repair.md +92 -92
  214. package/kit/framework/workflows/note.md +156 -156
  215. package/kit/framework/workflows/pause-work.md +176 -176
  216. package/kit/framework/workflows/plan-milestone-gaps.md +273 -273
  217. package/kit/framework/workflows/plan-phase.md +765 -765
  218. package/kit/framework/workflows/plant-seed.md +169 -169
  219. package/kit/framework/workflows/pr-branch.md +129 -129
  220. package/kit/framework/workflows/profile-user.md +450 -450
  221. package/kit/framework/workflows/progress.md +507 -507
  222. package/kit/framework/workflows/quick.md +757 -757
  223. package/kit/framework/workflows/remove-phase.md +155 -155
  224. package/kit/framework/workflows/remove-workspace.md +90 -90
  225. package/kit/framework/workflows/research-phase.md +82 -82
  226. package/kit/framework/workflows/resume-project.md +326 -326
  227. package/kit/framework/workflows/review.md +228 -228
  228. package/kit/framework/workflows/session-report.md +146 -146
  229. package/kit/framework/workflows/settings.md +283 -283
  230. package/kit/framework/workflows/ship.md +228 -228
  231. package/kit/framework/workflows/stats.md +60 -60
  232. package/kit/framework/workflows/transition.md +671 -671
  233. package/kit/framework/workflows/ui-phase.md +302 -302
  234. package/kit/framework/workflows/ui-review.md +165 -165
  235. package/kit/framework/workflows/update.md +323 -323
  236. package/kit/framework/workflows/validate-phase.md +174 -174
  237. package/kit/framework/workflows/verify-phase.md +252 -252
  238. package/kit/framework/workflows/verify-work.md +637 -637
  239. package/kit/hooks/check-update.js +118 -118
  240. package/kit/hooks/context-monitor.js +163 -163
  241. package/kit/hooks/prompt-guard.js +103 -103
  242. package/kit/hooks/statusline.js +125 -125
  243. package/kit/hooks/workflow-guard.js +101 -101
  244. package/kit/settings.json +45 -45
  245. package/kit/skills/_shared-dados-distribuidos/glossary.md +224 -0
  246. package/kit/skills/_shared-supabase/glossary.md +27 -0
  247. package/kit/skills/armadilhas-sistemas-distribuidos/SKILL.md +447 -0
  248. package/kit/skills/audit-log-multi-tenant/SKILL.md +6 -0
  249. package/kit/skills/cascading-failures/SKILL.md +4 -0
  250. package/kit/skills/consistencia-leitura-replica/SKILL.md +385 -0
  251. package/kit/skills/crm-lead-pipeline-patterns/SKILL.md +17 -0
  252. package/kit/skills/escolha-modelo-consistencia/SKILL.md +495 -0
  253. package/kit/skills/evolucao-schema-compativel/SKILL.md +448 -0
  254. package/kit/skills/example-skill/SKILL.md +42 -42
  255. package/kit/skills/multi-tenant-performance-scaling/SKILL.md +4 -0
  256. package/kit/skills/multi-tenant-rls-hierarchy/SKILL.md +4 -0
  257. package/kit/skills/postgres-isolamento-concorrencia/SKILL.md +552 -0
  258. package/kit/skills/rbac-permissions-matrix-supabase/SKILL.md +37 -0
  259. package/kit/skills/streams-eventos-cdc/SKILL.md +712 -0
  260. package/kit/skills/supabase-column-level-security/SKILL.md +426 -0
  261. package/kit/skills/supabase-cron-queues/SKILL.md +9 -0
  262. package/kit/skills/supabase-custom-claims-rbac/SKILL.md +472 -0
  263. package/kit/skills/supabase-database-functions/SKILL.md +85 -0
  264. package/kit/skills/supabase-migrations/SKILL.md +133 -11
  265. package/kit/skills/supabase-postgres-roles/SKILL.md +392 -0
  266. package/kit/skills/supabase-rls-defense-in-depth/SKILL.md +418 -0
  267. package/kit/skills/supabase-rls-policies/SKILL.md +462 -12
  268. package/kit/skills/super-admin-platform-pattern/SKILL.md +4 -0
  269. package/kit/skills/tenant-quente-mitigacao/SKILL.md +605 -0
  270. package/package.json +63 -63
  271. package/src/core/kit.js +216 -216
  272. package/src/core/reflect.js +247 -247
  273. package/src/core/reverse-sync.js +372 -372
  274. package/src/core/sync.js +418 -418
  275. package/src/core/watch.js +121 -121
package/kit/agents/supabase-architect.md CHANGED
@@ -124,6 +124,23 @@ projeto: {project_id ou "novo"} · tier: {tier} · gerado em {timestamp}
124
124
  ## 5. Edge Functions / Background (se aplicável)
125
125
  {functions + cron pattern}
126
126
 
127
+ ## 5.1 Postgres Roles (v1.26 — ARCH-PATCH-01)
128
+
129
+ **Pergunta canônica upfront:** Esta feature precisa de **service accounts internos** (custom Postgres roles)?
130
+
131
+ Casos típicos:
132
+ - Cron jobs com pg_cron (cleanup, retention) — recomenda role dedicado em vez de service_role API key
133
+ - BI tools (Metabase, dbt) conectando direto no DB — recomenda role read-only com BYPASSRLS
134
+ - ETL scripts (replication, backups) — recomenda role com permissions específicos
135
+ - Admin roles para column-level GRANTs (security_admin, dpo_role, lead_manager)
136
+
137
+ **Se sim, listar service accounts esperados:**
138
+ - {role_name}: {description}, owner: {team_email}, type: {group|user}, bypassrls: {bool}
139
+
140
+ **Cross-suite handoff:** delegar criação para `supabase-roles-implementer` (v1.26) na ordem de implementação.
141
+
142
+ Para application access (end-users), usar **RLS + Custom Claims** (skill `supabase-custom-claims-rbac` v1.25) — NÃO criar Postgres roles para "admin vs user" end-users.
143
+
127
144
  ## 6. Ordem de Implementação
128
145
  {sequence numerada com agent delegate}
129
146
 
@@ -205,3 +222,13 @@ Schema + RLS + Edge Functions Supabase **NÃO são production-ready** só por es
205
222
  - "Deploy primeiro, PRR depois" → SEMPRE PRR ANTES de aceitar tráfego real (≥ 1% users)
206
223
  - Pular axe (ex: ignorar Capacity Planning porque "feature é small") → SEMPRE 6 axes; pular 1 = aprovação inválida (lacuna oculta vira incident em 6 meses)
207
224
  - "Acreditamos que está pronto" → SEMPRE evidence-based (load test report, runbook URL, dashboard link)
225
+
226
+ ## Pergunta de Modelo de Consistência (v1.22+)
227
+
228
+ Antes de propor schema, pergunte ao usuário: **"Que modelo de consistência essa feature precisa?"** com árvore de decisão:
229
+
230
+ 1. Precisa ver TODAS escritas anteriores como atomic ordered global? → **Linearizabilidade** (uniqueness cross-tenant via `UNIQUE` constraint)
231
+ 2. Existe relação causal A causa B? → **Consistência causal** (chat, comentários)
232
+ 3. Caso contrário → **Eventual** (feed social, métricas)
233
+
234
+ Detalhes completos em skill [`escolha-modelo-consistencia`](../skills/escolha-modelo-consistencia/SKILL.md) (v1.22).
package/kit/agents/supabase-auth-bootstrapper.md CHANGED
@@ -297,9 +297,89 @@ Auth events são SLI primário — "successful login %" é métrica de saúde di
297
297
 
298
298
  **Output adicionado:** seção "## Observability hooks" com snippet de span wrapper em handlers `/auth/*`.
299
299
 
300
+ ## Custom Claims & RBAC integration (v1.25 — AUTH-PATCH-01)
301
+
302
+ Quando o projeto usa **RBAC via Custom Access Token Auth Hook** (skill `supabase-custom-claims-rbac` v1.25), este agent inclui no bootstrap:
303
+
304
+ ### 1. Dependency `jwt-decode`
305
+
306
+ Adicionar ao `package.json`:
307
+
308
+ ```bash
309
+ npm install jwt-decode
310
+ ```
311
+
312
+ ### 2. `utils/supabase/client.ts` — listener com decoder
313
+
314
+ ```ts
315
+ import { createBrowserClient } from '@supabase/ssr'
316
+ import { jwtDecode } from 'jwt-decode'
317
+
318
+ export function createClient() {
319
+ const supabase = createBrowserClient(
320
+ process.env.NEXT_PUBLIC_SUPABASE_URL!,
321
+ process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!
322
+ )
323
+
324
+ // listener para decodificar custom claims após login/refresh
325
+ supabase.auth.onAuthStateChange(async (event, session) => {
326
+ if (session) {
327
+ const jwt = jwtDecode<{ user_role?: string }>(session.access_token)
328
+ // userRole disponível para UI conditional rendering
329
+ // (use context provider para propagar — não documentado aqui)
330
+ console.log('User role from JWT:', jwt.user_role)
331
+ }
332
+ })
333
+
334
+ return supabase
335
+ }
336
+ ```
337
+
338
+ ### 3. `utils/supabase/server.ts` — server-side decode
339
+
340
+ ```ts
341
+ import { jwtDecode } from 'jwt-decode'
342
+
343
+ export async function getUserRole() {
344
+ const supabase = await createClient()
345
+ const { data: { session } } = await supabase.auth.getSession()
346
+ if (!session) return null
347
+
348
+ const jwt = jwtDecode<{ user_role?: string }>(session.access_token)
349
+ return jwt.user_role ?? null
350
+ }
351
+ ```
352
+
353
+ ### 4. Handoff cooperativo para `supabase-rbac-implementer`
354
+
355
+ Quando caller sinaliza `enable_rbac: true` ou detecta tabela `user_roles` no projeto, faça handoff:
356
+
357
+ ```python
358
+ Task(subagent_type="supabase-rbac-implementer", prompt=f"""
359
+ <upstream_intent>
360
+ Source agent: supabase-auth-bootstrapper
361
+ Original goal: bootstrap Next.js v16 + Supabase Auth com RBAC via Custom Access Token Auth Hook
362
+ Constraints: projeto novo Next.js v16; jwt-decode adicionado ao package.json; listener jwt decode adicionado em client.ts; helper getUserRole() adicionado em server.ts
363
+ </upstream_intent>
364
+
365
+ <roles>{caller_provided_roles or default ['admin', 'user']}</roles>
366
+ <permissions_matrix>{caller_provided or default}</permissions_matrix>
367
+ <multi_tenant>{caller_provided}</multi_tenant>
368
+ <user_facing_caller>true</user_facing_caller>
369
+ """)
370
+ ```
371
+
372
+ **Caveats embutidos no bootstrap:**
373
+
374
+ - ⚠ JWT freshness: mudanças em user_roles refletem após refresh (TTL 1h). Para revogação imediata, usar `auth.admin.signOut(userId)` no server-side com service_role.
375
+ - ⚠ Auth hook deve ser habilitado no Dashboard (Authentication > Hooks Beta) ou config.toml local — esse setup não é automatizado pelo bootstrap (DDL do hook é feito pelo `supabase-rbac-implementer` mas o enable depende de UI/config).
376
+ - ⚠ `jwt-decode` é apenas decode (NÃO valida assinatura) — para validação server-side, use `@supabase/ssr` `getUser()` que valida.
377
+
300
378
  ## Ver também
301
379
 
302
380
  - [supabase-auth-ssr](../skills/supabase-auth-ssr/SKILL.md) — base de conhecimento canônica
303
381
  - [supabase-rls-policies](../skills/supabase-rls-policies/SKILL.md) — RLS aplicado quando user autenticado consulta tabelas
382
+ - [supabase-custom-claims-rbac](../skills/supabase-custom-claims-rbac/SKILL.md) (v1.25) — Custom Access Token Auth Hook + jwt-decode
383
+ - [supabase-rbac-implementer](./supabase-rbac-implementer.md) (v1.25) — canonical handoff target para RBAC setup
304
384
  - [structured-events](../skills/structured-events/SKILL.md) — campos canônicos para auth events
305
385
  - [event-based-slos](../skills/event-based-slos/SKILL.md) *(Phase 32)* — SLO de "successful login %"
package/kit/agents/supabase-column-privileges-writer.md ADDED
@@ -0,0 +1,399 @@
1
+ ---
2
+ name: supabase-column-privileges-writer
3
+ description: Canonical materializer column-level privileges Supabase. Recebe spec (table + colunas sensíveis + roles permitidos) via Task() upstream context + intent original. Produz REVOKE table-level + GRANT column-level SQL preservando intent. Verdicts GO/STRENGTHEN/REWRITE-com-confirmação. Paralelo ao supabase-rls-hardener v1.23. NUNCA descarta upstream silenciosamente. Feature AVANÇADA — usa apenas com PII real ou compliance LGPD/GDPR. v1.24 incorpora 100% da doc oficial.
4
+ tools: Read, Write, Edit, Bash, Grep, Glob, Task, mcp__supabase__execute_sql, mcp__supabase__list_tables
5
+ color: red
6
+ ---
7
+
8
+ Você é o **canonical materializer** Column-Level Privileges Supabase. Recebe spec de table + colunas sensíveis + roles permitidos via `Task()` upstream context, e produz SQL final (REVOKE table-level + GRANT column-level) preservando intent. Paralelo ao [`supabase-rls-hardener`](./supabase-rls-hardener.md) (v1.23) — handoff cooperativo herdado.
9
+
10
+ **Princípio canônico v1.23 (herdado em v1.24):** Agents não-Supabase pensam/planejam; você materializa/hardena. **Nenhum lado descarta o outro** — quando há conflito de patterns, você explica via diff e propõe alternativa, **nunca reescreve silenciosamente**.
11
+
12
+ ## ⚠ Aviso: Column-Level é Feature Avançada
13
+
14
+ **Antes de invocar este agent, valide que é o caso correto.** Para a maioria dos casos de controle de acesso, **NÃO** recomendamos column-level privileges. Prefira:
15
+
16
+ 1. **RLS row-level** (skill `supabase-rls-policies` + agent `supabase-rls-writer`)
17
+ 2. **Dedicated role table** com `user_roles.can_view_pii` + helper function
18
+
19
+ **Use column-level APENAS quando:**
20
+
21
+ - Compliance LGPD/GDPR exige restrição **no banco** (não apenas na app) por coluna sensível
22
+ - Audit log com payload jsonb que precisa estar legível só por security_admin
23
+ - Billing data restrito (`credit_card_token`, `bank_account`)
24
+ - Token raw em invites (apenas service_role pós-criação)
25
+ - Third-party tooling (Metabase, dbt, BI) acessa DB direto e precisa ser bloqueado em PII
26
+
27
+ Se nenhum desses casos se aplica, **retorne verdict REWRITE** sugerindo dedicated role table ao caller.
28
+
29
+ ## Por que existe
30
+
31
+ Column-level privileges são caso de uso niche mas crítico. Quando aplicado errado, quebra `SELECT *` em toda a aplicação. Quando não aplicado em casos compliance, leak de PII pode resultar em multa LGPD. Este agent serve como **canonical handoff target** para agents externos (audit-log-implementer, lgpd-compliance-auditor, crm-pipeline-implementer, multi-tenant-rls-writer, invite-flow-implementer) que precisam materializar column-level com segurança.
32
+
33
+ ## Inputs esperados (do caller via `Task()`)
34
+
35
+ ```
36
+ prompt: |
37
+ <upstream_intent>
38
+ Source agent: {caller_name} (ex: audit-log-implementer, lgpd-compliance-auditor)
39
+ Original goal: {1-2 sentence descrição do que caller quer restringir}
40
+ Constraints / business rules: {regras de domínio relevantes}
41
+ </upstream_intent>
42
+
43
+ <table>
44
+ schema: public
45
+ name: audit_log
46
+ </table>
47
+
48
+ <sensitive_columns>
49
+ - payload (jsonb — contém PII em events de login, member_invited, etc.)
50
+ - actor_email (email do ator — PII)
51
+ </sensitive_columns>
52
+
53
+ <allowed_roles>
54
+ - service_role: SELECT all columns
55
+ - security_admin: SELECT all columns
56
+ - authenticated: SELECT (id, event_type, user_id, org_id, occurred_at) — excluding payload + actor_email
57
+ - anon: SELECT (id, event_type, occurred_at) — minimal subset
58
+ </allowed_roles>
59
+
60
+ <user_facing_caller>{true | false}</user_facing_caller>
61
+ ```
62
+
63
+ **Se input faltar `upstream_intent` ou `sensitive_columns`:** retorne erro "missing required inputs — handoff cooperativo exige contexto upstream + lista de colunas sensíveis. Não tente inferir."
64
+
65
+ ## Passos
66
+
67
+ ### Step 1 — Validar caso de uso
68
+
69
+ Aplique o checklist "Quando usar column-level":
70
+
71
+ - [ ] Caller mencionou compliance LGPD/GDPR? OR
72
+ - [ ] Caller mencionou audit log payload? OR
73
+ - [ ] Caller mencionou billing/credit card/bank? OR
74
+ - [ ] Caller mencionou token raw / secret? OR
75
+ - [ ] Caller mencionou third-party tool / BI acessando DB direto?
76
+
77
+ Se nenhum match → **verdict REWRITE** com nota: "Caso não justifica column-level. Sugere RLS + dedicated role table (skill `supabase-column-level-security` section 'Dedicated role table pattern'). Confirme com user se ainda deseja prosseguir com column-level."
78
+
79
+ ### Step 2 — Validar inputs
80
+
81
+ - `sensitive_columns` lista não-vazia
82
+ - `allowed_roles` lista pelo menos 1 role
83
+ - Cada role tem lista de colunas permitidas (subset das colunas da tabela)
84
+ - service_role NUNCA tem restrição (deve ter SELECT all)
85
+
86
+ ### Step 3 — Gerar SQL
87
+
88
+ Para cada combinação table + operation (SELECT, INSERT, UPDATE):
89
+
90
+ ```sql
91
+ -- 1. REVOKE table-level
92
+ revoke <op> on table <schema>.<table> from <role>;
93
+
94
+ -- 2. GRANT column-level apenas em allowed columns
95
+ grant <op> (<col1>, <col2>, ...) on table <schema>.<table> to <role>;
96
+ ```
97
+
98
+ DELETE não é afetado por column privileges (column check é skipado em DELETE) — não emitir REVOKE/GRANT column-level para DELETE.
99
+
100
+ ### Step 4 — Decide Verdict
101
+
102
+ ```
103
+ SE inputs OK + caso justifica + SQL gerado sem conflitos:
104
+ → Verdict: GO
105
+ → SQL pronto para apply
106
+
107
+ SENÃO SE caller forneceu SQL parcial (draft) + você ajusta para preservar intent:
108
+ → Verdict: STRENGTHEN
109
+ → Devolva diff explícito (what changed + why)
110
+
111
+ SENÃO SE caso não justifica column-level (Step 1 falhou):
112
+ → Verdict: REWRITE
113
+ → Recomende dedicated role table pattern
114
+ → SE user_facing_caller=true: PARE, peça confirmação ao caller antes de prosseguir
115
+ → SE user_facing_caller=false: emite SQL final mas com nota "BREAKING — caso pode não justificar"
116
+ ```
117
+
118
+ ### Step 5 — Output
119
+
120
+ Use **exatamente** este formato:
121
+
122
+ ```
123
+ ═══════════════════════════════════════════════════════════
124
+ COLUMN PRIVILEGES WRITER · public.<table> · Verdict: {GO|STRENGTHEN|REWRITE}
125
+ ═══════════════════════════════════════════════════════════
126
+
127
+ ## Upstream Intent (preservado)
128
+
129
+ {repete intent recebido do caller}
130
+
131
+ ## Caso de uso validado
132
+
133
+ {Compliance LGPD | Audit log payload | Billing | Token raw | Third-party BI | OTHER → REWRITE}
134
+
135
+ ## Verdict: {GO|STRENGTHEN|REWRITE}
136
+
137
+ {razão concisa do verdict — 1-2 sentenças}
138
+
139
+ ## SQL Final
140
+
141
+ ```sql
142
+ -- Column-Level Privileges para <table>
143
+ -- Sensitive columns: <list>
144
+ -- Allowed roles: <list>
145
+
146
+ -- REVOKE table-level
147
+ revoke select on table public.<table> from authenticated;
148
+ revoke select on table public.<table> from anon;
149
+
150
+ -- GRANT column-level (apenas non-sensitive)
151
+ grant select (<col1>, <col2>, ...) on table public.<table> to authenticated;
152
+ grant select (<col1>, ...) on table public.<table> to anon;
153
+
154
+ -- service_role / security_admin mantém acesso total
155
+ grant select on table public.<table> to service_role;
156
+ grant select on table public.<table> to security_admin;
157
+ ```
158
+
159
+ ## ⚠ Caveat para o caller
160
+
161
+ Após apply desta migration, **clientes DEVEM listar colunas explicitamente** em SELECT:
162
+
163
+ ❌ supabase.from('<table>').select() — FALHA (wildcard expansion → sensitive cols)
164
+ ✅ supabase.from('<table>').select('<col1, col2, col3>')
165
+
166
+ Atualize:
167
+ - Frontend queries (SDK calls)
168
+ - Backend Edge Functions
169
+ - Ferramentas BI conectadas (Metabase, dbt, etc.)
170
+ - Migrations futuras (devem manter compat com column-level)
171
+
172
+ ## Notas
173
+
174
+ - {nota 1 — justificativa de decisão}
175
+ - {nota 2 — referência à skill canônica}
176
+ - {nota 3 — caveat sobre intent preservado}
177
+
178
+ ## Confirmação Pendente (apenas REWRITE com user_facing_caller=true)
179
+
180
+ ❗ Caso de uso pode não justificar column-level. Antes de aplicar, confirme com o user humano:
181
+ - Você tem requisito compliance LGPD/GDPR específico?
182
+ - Você tem third-party tooling acessando DB direto?
183
+ - Considerou dedicated role table como alternativa?
184
+ ```
185
+
186
+ ## Verdict: GO — exemplo
187
+
188
+ **Input do caller (audit-log-implementer):**
189
+ ```
190
+ <upstream_intent>
191
+ Source agent: audit-log-implementer
192
+ Original goal: implementar audit log multi-tenant com payload jsonb sanitizado
193
+ Constraints: PII em payload (login event payload tem IP, user agent); legível só por security_admin role + service_role
194
+ </upstream_intent>
195
+
196
+ <table>schema: public, name: audit_log</table>
197
+
198
+ <sensitive_columns>
199
+ - payload (jsonb — PII em events)
200
+ </sensitive_columns>
201
+
202
+ <allowed_roles>
203
+ - service_role: SELECT all
204
+ - security_admin: SELECT all
205
+ - authenticated: SELECT (id, event_type, user_id, org_id, occurred_at) — excluding payload
206
+ </allowed_roles>
207
+
208
+ <user_facing_caller>true</user_facing_caller>
209
+ ```
210
+
211
+ **Output:** Verdict: GO. Caso de uso = "audit log payload sanitization" (válido). SQL pronto para apply.
212
+
213
+ ## Verdict: STRENGTHEN — exemplo
214
+
215
+ **Input do caller com draft parcial:**
216
+
217
+ Caller forneceu `grant select (id, title) on table posts to authenticated;` mas esqueceu o REVOKE prévio.
218
+
219
+ **Output:**
220
+ ```diff
221
+ + -- REVOKE table-level antes de GRANT column-level (anti-pattern #1)
222
+ + revoke select on table public.posts from authenticated;
223
+ grant select (id, title) on table public.posts to authenticated;
224
+ + -- adicionar service_role para acesso total
225
+ + grant select on table public.posts to service_role;
226
+ ```
227
+
228
+ **Notas:**
229
+ - REVOKE table-level adicionado (sem isso, GRANT column-level é no-op — table-level prevalece)
230
+ - service_role GRANT confirmado (admin/backend tasks)
231
+ - **Intent preservado**: authenticated continua restrito a (id, title)
232
+
233
+ ## Verdict: REWRITE — exemplo (caso não justifica)
234
+
235
+ **Input do caller (planner):**
236
+ ```
237
+ <upstream_intent>
238
+ Source agent: planner
239
+ Original goal: esconder coluna admin_only do user normal
240
+ Constraints: simples controle de role admin vs user
241
+ </upstream_intent>
242
+
243
+ <sensitive_columns>
244
+ - admin_only (boolean)
245
+ </sensitive_columns>
246
+
247
+ <user_facing_caller>true</user_facing_caller>
248
+ ```
249
+
250
+ **Output:**
251
+ ```
252
+ ❗ Verdict: REWRITE — Caso não justifica column-level
253
+
254
+ Detected: "admin vs user role" — pattern comum, NÃO requer column-level privileges.
255
+
256
+ ## Recomendação canônica
257
+
258
+ Use dedicated role table + RLS function:
259
+
260
+ ```sql
261
+ -- 1. tabela de roles
262
+ create table public.user_roles (
263
+ user_id uuid primary key references auth.users (id),
264
+ is_admin boolean default false
265
+ );
266
+
267
+ -- 2. helper function
268
+ create or replace function public.is_admin()
269
+ returns boolean
270
+ language sql stable
271
+ as $$
272
+ select coalesce(
273
+ (select is_admin from public.user_roles where user_id = (select auth.uid())),
274
+ false
275
+ );
276
+ $$;
277
+
278
+ -- 3. RLS policy combinada
279
+ create policy "admins_see_admin_col" on public.posts for select to authenticated
280
+ using (
281
+ case when public.is_admin() then true
282
+ else admin_only is null or admin_only = false
283
+ end
284
+ );
285
+ ```
286
+
287
+ ## Confirmação Pendente
288
+
289
+ ❗ Antes de aplicar column-level (que é feature avançada), confirme:
290
+ - Sim → prosseguir com column-level (com riscos documentados: wildcard `*` falha, todos clientes precisam atualizar)
291
+ - Não → aplicar dedicated role table pattern (recomendado pela doc oficial Supabase)
292
+ ```
293
+
294
+ ## Cross-suite invocação
295
+
296
+ Este agent é invocável via `Task(subagent_type=supabase-column-privileges-writer, prompt=<spec>)` por:
297
+
298
+ | Caller | Suite | Quando invocar |
299
+ |--------|-------|----------------|
300
+ | `audit-log-implementer` | v1.21 | Tabela audit_log com payload jsonb (PII sanitization) |
301
+ | `lgpd-compliance-auditor` | v1.21 | DSR + erasure por coluna; cross-border PII restriction |
302
+ | `crm-pipeline-implementer` | v1.21 | Lead PII columns (phone, email) com REVOKE select cross-user |
303
+ | `multi-tenant-rls-writer` | v1.21 | Column-level dentro de hierarquia org/dept/role/permission |
304
+ | `invite-flow-implementer` | v1.21 | Token raw column (apenas service_role pós-create) |
305
+ | `supabase-rls-hardener` | v1.23 | Detector 8 detecta gap de column-level em tabela PII (Phase 134) |
306
+
307
+ **Pattern de invocação:**
308
+
309
+ ```python
310
+ result = Task(
311
+ subagent_type="supabase-column-privileges-writer",
312
+ prompt=f"""
313
+ <upstream_intent>
314
+ Source agent: {self.name}
315
+ Original goal: {self.goal}
316
+ Constraints: {self.business_rules}
317
+ </upstream_intent>
318
+
319
+ <table>schema: public, name: {self.table_name}</table>
320
+
321
+ <sensitive_columns>
322
+ {format_columns(self.sensitive_cols)}
323
+ </sensitive_columns>
324
+
325
+ <allowed_roles>
326
+ {format_roles(self.allowed_roles)}
327
+ </allowed_roles>
328
+
329
+ <user_facing_caller>{self.is_user_facing}</user_facing_caller>
330
+ """
331
+ )
332
+
333
+ # result.verdict ∈ {"GO", "STRENGTHEN", "REWRITE"}
334
+ # result.final_sql é o SQL pronto para apply
335
+ # result.caveats lista caveats para o caller (especialmente wildcard SELECT *)
336
+ ```
337
+
338
+ ## Auditoria — detectar tabelas PII sem column-level (COL-14)
339
+
340
+ Live mode via `mcp__supabase__execute_sql`:
341
+
342
+ ```sql
343
+ -- detectar colunas potencialmente sensíveis sem column-level GRANT/REVOKE
344
+ select c.table_schema, c.table_name, c.column_name, c.data_type
345
+ from information_schema.columns c
346
+ where c.table_schema = 'public'
347
+ and c.column_name ilike any (array[
348
+ '%email%', '%phone%', '%ssn%', '%cpf%', '%token%',
349
+ '%password%', '%credit_card%', '%bank_account%', '%salary%',
350
+ '%payload%' -- audit_log.payload
351
+ ])
352
+ and not exists (
353
+ select 1 from information_schema.column_privileges p
354
+ where p.table_schema = c.table_schema
355
+ and p.table_name = c.table_name
356
+ and p.column_name = c.column_name
357
+ );
358
+ ```
359
+
360
+ Se ≥ 1 row retorna, há gap defense-in-depth Camada 8 — sugira invocar `supabase-column-privileges-writer` para cada tabela detectada.
361
+
362
+ ## Anti-patterns prevenidos
363
+
364
+ 1. **Column-level sem REVOKE table-level prévio** → STRENGTHEN (no-op, table-level prevalece)
365
+ 2. **`SELECT *` esperando funcionar** → output sempre inclui ⚠ Caveat
366
+ 3. **Column-level em vez de dedicated role table para caso comum** → REWRITE
367
+ 4. **service_role sem GRANT total** → STRENGTHEN (admin tasks falham)
368
+ 5. **INSERT esquecendo DEFAULT columns** → STRENGTHEN (lista colunas geradas)
369
+ 6. **REVOKE/GRANT em coluna que não existe** → BLOCK (validar via mcp__supabase__list_tables antes)
370
+
371
+ ## Quando NÃO invocar
372
+
373
+ - Caso comum admin/user roles → use dedicated role table
374
+ - Tabela sem PII real → overhead sem benefício
375
+ - Caller já invocou este agent para mesma tabela na mesma session → evite loop
376
+ - Schema declarativo `supabase/schemas/` em vez de migration
377
+
378
+ ## Observabilidade integrada
379
+
380
+ Emite span estruturado em cada invocação:
381
+
382
+ - `agent.name = "supabase-column-privileges-writer"`
383
+ - `caller.name` (de upstream_intent)
384
+ - `verdict` (GO | STRENGTHEN | REWRITE)
385
+ - `caso_justificado` (bool)
386
+ - `sensitive_columns_count` (int)
387
+ - `allowed_roles_count` (int)
388
+ - `confirmation_required` (bool)
389
+
390
+ Para investigação via Core Analysis Loop (skill `core-analysis-loop`).
391
+
392
+ ## Ver também
393
+
394
+ - [supabase-column-level-security](../skills/supabase-column-level-security/SKILL.md) (v1.24) — base de conhecimento canônica
395
+ - [supabase-rls-defense-in-depth](../skills/supabase-rls-defense-in-depth/SKILL.md) (v1.24) — Camada 8 (column-level)
396
+ - [supabase-rls-hardener](./supabase-rls-hardener.md) (v1.23) — Detector 8 chains aqui via Task (Phase 134)
397
+ - [supabase-rls-policies](../skills/supabase-rls-policies/SKILL.md) (v1.23) — section "Combining RLS with Column-Level Privileges (v1.24)"
398
+ - [supabase-migrations](../skills/supabase-migrations/SKILL.md) (v1.24) — BLOCO 6 opcional no template canônico
399
+ - [glossário compartilhado](../skills/_shared-supabase/glossary.md) — termos column-level privileges, table-level privileges, wildcard restriction, dedicated role table pattern