@luanpdd/kit-mcp 1.22.0 → 1.27.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (41) hide show
  1. package/README.md +267 -1
  2. package/kit/agents/audit-log-implementer.md +138 -0
  3. package/kit/agents/auditor-consistencia-isolamento.md +33 -0
  4. package/kit/agents/crm-pipeline-implementer.md +89 -0
  5. package/kit/agents/debugger.md +41 -0
  6. package/kit/agents/evolution-go-integrator.md +21 -0
  7. package/kit/agents/executor.md +41 -0
  8. package/kit/agents/invite-flow-implementer.md +52 -0
  9. package/kit/agents/lgpd-compliance-auditor.md +89 -0
  10. package/kit/agents/multi-tenant-rls-writer.md +78 -0
  11. package/kit/agents/org-onboarding-implementer.md +21 -0
  12. package/kit/agents/planner.md +31 -0
  13. package/kit/agents/release-pipeline-auditor.md +11 -0
  14. package/kit/agents/supabase-architect.md +31 -0
  15. package/kit/agents/supabase-auth-bootstrapper.md +80 -0
  16. package/kit/agents/supabase-branching-architect.md +562 -0
  17. package/kit/agents/supabase-cicd-pipeline-implementer.md +777 -0
  18. package/kit/agents/supabase-column-privileges-writer.md +399 -0
  19. package/kit/agents/supabase-migration-writer.md +141 -14
  20. package/kit/agents/supabase-rbac-implementer.md +392 -0
  21. package/kit/agents/supabase-rls-hardener.md +521 -0
  22. package/kit/agents/supabase-rls-writer.md +105 -9
  23. package/kit/agents/supabase-roles-implementer.md +355 -0
  24. package/kit/agents/super-admin-implementer.md +99 -0
  25. package/kit/commands/supabase.md +55 -8
  26. package/kit/file-manifest.json +40 -25
  27. package/kit/skills/_shared-supabase/glossary.md +37 -0
  28. package/kit/skills/rbac-permissions-matrix-supabase/SKILL.md +37 -0
  29. package/kit/skills/supabase-branching-workflow/SKILL.md +544 -0
  30. package/kit/skills/supabase-ci-cd-github-actions/SKILL.md +880 -0
  31. package/kit/skills/supabase-column-level-security/SKILL.md +426 -0
  32. package/kit/skills/supabase-config-toml-remotes/SKILL.md +807 -0
  33. package/kit/skills/supabase-custom-claims-rbac/SKILL.md +472 -0
  34. package/kit/skills/supabase-database-functions/SKILL.md +85 -0
  35. package/kit/skills/supabase-migration-repair/SKILL.md +823 -0
  36. package/kit/skills/supabase-migrations/SKILL.md +123 -11
  37. package/kit/skills/supabase-pgtap-testing/SKILL.md +1053 -0
  38. package/kit/skills/supabase-postgres-roles/SKILL.md +392 -0
  39. package/kit/skills/supabase-rls-defense-in-depth/SKILL.md +418 -0
  40. package/kit/skills/supabase-rls-policies/SKILL.md +462 -12
  41. package/package.json +1 -1
package/kit/skills/supabase-migrations/SKILL.md CHANGED
@@ -1,6 +1,6 @@
1
1
  ---
2
2
  name: supabase-migrations
3
- description: Use ao criar arquivos de migration Supabase — naming YYYYMMDDHHmmss_short.sql, header de metadados, RLS obrigatório em toda nova tabela, granular policies.
3
+ description: Use ao criar arquivos de migration Supabase — naming YYYYMMDDHHmmss_short.sql, header de metadados, GRANT antes de ENABLE RLS, RLS obrigatório em toda nova tabela, granular policies, indices em colunas RLS. Template canônico v1.23 com 5 blocos obrigatórios para CREATE TABLE.
4
4
  ---
5
5
 
6
6
  # Supabase — Migrations
@@ -21,25 +21,112 @@ LLM carrega esta skill quando criar/editar arquivos em `supabase/migrations/`. T
21
21
  - **Header de metadados** no topo de cada migration (block comment) descrevendo Migration / Created / Purpose / Affects.
22
22
  - **lowercase em todo SQL** (alinhado com `supabase-postgres-style`).
23
23
  - **Comentários copiosos** em comandos destrutivos: `drop table`, `drop column`, `alter table ... drop column`, `truncate`, `delete from` em massa. Comentário explica o porquê + impacto.
24
+ - **`GRANT` antes de `ENABLE RLS`** (v1.23) — sempre conceda privilégios necessários aos roles `anon`/`authenticated`/`service_role` ANTES de habilitar RLS. Sem GRANT, mesmo policies "permissive" falham porque o role não tem permissão de tabela.
24
25
  - **`RLS` obrigatório em toda nova tabela** — `alter table public.<name> enable row level security;` no mesmo arquivo da criação.
25
26
  - **`granular policies`** — uma `for select`, uma `for insert`, uma `for update`, uma `for delete`. **Nunca** `for all`.
26
27
  - **`(select auth.uid())`** sempre wrapped (REGRA #1 de RLS).
28
+ - **`IS NOT NULL AND` em policies de auth** (v1.23) — `(select auth.uid()) is not null and (select auth.uid()) = user_id` para evitar silent-fail em usuários não-logados.
27
29
  - **Index nas colunas referenciadas por RLS:** `create index on public.<table> (user_id);` no mesmo arquivo.
28
30
  - Idempotência onde possível: `create table if not exists`, `create index if not exists`. Migrations rodam em ordem mas tooling pode re-executar.
29
31
  - Migrations são **append-only**. Para reverter, criar nova migration que desfaz — nunca editar migration já aplicada.
30
32
 
33
+ ## Template canônico v1.23 — CREATE TABLE com 5 blocos obrigatórios
34
+
35
+ Toda migration que cria tabela em schema exposto (`public`) deve conter os 5 blocos abaixo em ordem. Nenhum bloco é opcional. Bloco ausente = migration BLOCK pelo `supabase-rls-hardener` (v1.23).
36
+
37
+ ```sql
38
+ /*
39
+ Migration: create_<table_name>
40
+ Created: <YYYY-MM-DD>
41
+ Purpose: <one-line description>
42
+ Affects: public.<table> (new), public.<table> policies (new — 4), public.<table> index (new)
43
+ */
44
+
45
+ -- BLOCO 1: CREATE TABLE
46
+ create table if not exists public.<table> (
47
+ id uuid primary key default gen_random_uuid(),
48
+ user_id uuid not null references auth.users (id) on delete cascade,
49
+ -- ... outras colunas
50
+ created_at timestamptz not null default now(),
51
+ updated_at timestamptz not null default now()
52
+ );
53
+
54
+ -- BLOCO 2: GRANTs por role (ANTES de ENABLE RLS — v1.23)
55
+ grant select on public.<table> to anon;
56
+ grant select, insert, update, delete on public.<table> to authenticated;
57
+ grant select, insert, update, delete on public.<table> to service_role;
58
+
59
+ -- BLOCO 3: ENABLE RLS
60
+ alter table public.<table> enable row level security;
61
+
62
+ -- BLOCO 4: 4 policies granulares (uma por operação)
63
+ create policy "<table>_select_own"
64
+ on public.<table> for select to authenticated
65
+ using (
66
+ (select auth.uid()) is not null
67
+ and (select auth.uid()) = user_id
68
+ );
69
+
70
+ create policy "<table>_insert_own"
71
+ on public.<table> for insert to authenticated
72
+ with check (
73
+ (select auth.uid()) is not null
74
+ and (select auth.uid()) = user_id
75
+ );
76
+
77
+ create policy "<table>_update_own"
78
+ on public.<table> for update to authenticated
79
+ using (
80
+ (select auth.uid()) is not null
81
+ and (select auth.uid()) = user_id
82
+ )
83
+ with check (
84
+ (select auth.uid()) is not null
85
+ and (select auth.uid()) = user_id
86
+ );
87
+
88
+ create policy "<table>_delete_own"
89
+ on public.<table> for delete to authenticated
90
+ using (
91
+ (select auth.uid()) is not null
92
+ and (select auth.uid()) = user_id
93
+ );
94
+
95
+ -- BLOCO 5: Index obrigatório em colunas referenciadas pelas policies
96
+ create index if not exists <table>_user_id_idx on public.<table> (user_id);
97
+
98
+ -- BLOCO 6 (v1.24, OPCIONAL): Column-Level Privileges
99
+ -- ⚠ Adicionar APENAS se há colunas sensíveis (PII, billing, audit payload, tokens raw)
100
+ -- Para casos comuns, prefira RLS + dedicated role table (skill supabase-column-level-security)
101
+ -- Exemplo: tabela posts com coluna admin_notes visível apenas para service_role
102
+ -- revoke select on table public.<table> from authenticated;
103
+ -- grant select (id, user_id, title, content, created_at) on table public.<table> to authenticated;
104
+ -- (service_role mantém acesso total — não precisa GRANT extra)
105
+
106
+ -- BLOCO 7 (v1.26, OPCIONAL): CREATE ROLE para custom service accounts
107
+ -- ⚠ Adicionar APENAS se há service accounts internos (cron jobs, BI tools, ETL, admin scripts)
108
+ -- Para application access (end-users), prefira RLS + Custom Claims (skill supabase-custom-claims-rbac v1.25)
109
+ -- Exemplo: role dedicado para cron job de cleanup
110
+ -- create role "cron_cleanup_role" noinherit;
111
+ -- alter role "cron_cleanup_role" with bypassrls;
112
+ -- grant usage on schema public to cron_cleanup_role;
113
+ -- grant delete on public.<table> to cron_cleanup_role;
114
+ -- comment on role "cron_cleanup_role" is 'Service account para cron job de cleanup. Owner: team@company.com';
115
+ ```
116
+
31
117
  ## Patterns canônicos
32
118
 
33
- ### Criar tabela com RLS + policies granulares + index
119
+ ### Criar tabela com 5 blocos obrigatórios (v1.23) example concreto
34
120
 
35
121
  ```sql
36
122
  /*
37
123
  Migration: create_tasks
38
124
  Created: 2026-05-06
39
- Purpose: Cria tabela tasks com RLS habilitado e policies granulares por operação.
40
- Affects: public.tasks (new), public.tasks policies (new — 4 policies)
125
+ Purpose: Cria tabela tasks com GRANT + RLS habilitado + policies granulares por operação + index.
126
+ Affects: public.tasks (new), public.tasks policies (new — 4 policies), public.tasks index (new)
41
127
  */
42
128
 
129
+ -- BLOCO 1: CREATE TABLE
43
130
  create table if not exists public.tasks (
44
131
  id uuid primary key default gen_random_uuid(),
45
132
  user_id uuid not null references auth.users (id) on delete cascade,
@@ -49,28 +136,53 @@ create table if not exists public.tasks (
49
136
  updated_at timestamptz not null default now()
50
137
  );
51
138
 
139
+ -- BLOCO 2: GRANTs por role (v1.23 — antes de ENABLE RLS)
140
+ grant select on public.tasks to anon;
141
+ grant select, insert, update, delete on public.tasks to authenticated;
142
+ grant select, insert, update, delete on public.tasks to service_role;
143
+
144
+ -- BLOCO 3: ENABLE RLS
52
145
  alter table public.tasks enable row level security;
53
146
 
54
- -- granular policies: uma por operação por role
147
+ -- BLOCO 4: granular policies (uma por operação) com IS NOT NULL anti silent-fail
55
148
  create policy "users_select_own_tasks"
56
149
  on public.tasks for select to authenticated
57
- using ((select auth.uid()) = user_id);
150
+ using (
151
+ (select auth.uid()) is not null
152
+ and (select auth.uid()) = user_id
153
+ );
58
154
 
59
155
  create policy "users_insert_own_tasks"
60
156
  on public.tasks for insert to authenticated
61
- with check ((select auth.uid()) = user_id);
157
+ with check (
158
+ (select auth.uid()) is not null
159
+ and (select auth.uid()) = user_id
160
+ );
62
161
 
63
162
  create policy "users_update_own_tasks"
64
163
  on public.tasks for update to authenticated
65
- using ((select auth.uid()) = user_id)
66
- with check ((select auth.uid()) = user_id);
164
+ using (
165
+ (select auth.uid()) is not null
166
+ and (select auth.uid()) = user_id
167
+ )
168
+ with check (
169
+ (select auth.uid()) is not null
170
+ and (select auth.uid()) = user_id
171
+ );
67
172
 
68
173
  create policy "users_delete_own_tasks"
69
174
  on public.tasks for delete to authenticated
70
- using ((select auth.uid()) = user_id);
175
+ using (
176
+ (select auth.uid()) is not null
177
+ and (select auth.uid()) = user_id
178
+ );
71
179
 
72
- -- index obrigatório nas colunas usadas pela policy
180
+ -- BLOCO 5: index obrigatório nas colunas usadas pela policy
73
181
  create index if not exists tasks_user_id_idx on public.tasks (user_id);
182
+
183
+ -- BLOCO 6 (v1.24, OPCIONAL): Column-Level Privileges
184
+ -- Não aplicável neste exemplo — tasks não tem colunas sensíveis
185
+ -- Ver skill supabase-column-level-security para casos com PII / audit log / billing
74
186
  ```
75
187
 
76
188
  ### Adicionar coluna a tabela existente