npm - @luanpdd/kit-mcp - Versions diffs - 1.28.0 → 1.30.0 - Mend

@luanpdd/kit-mcp 1.28.0 → 1.30.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (332) hide show

package/LICENSE +21 -21
package/README.md +168 -168
package/gates/agent-no-recursive-dispatch.md +82 -82
package/kit/COMANDOS.md +138 -138
package/kit/README.md +76 -76
package/kit/agents/advisor-researcher.md +106 -106
package/kit/agents/assumptions-analyzer.md +107 -107
package/kit/agents/audit-log-implementer.md +313 -313
package/kit/agents/auditor-consistencia-isolamento.md +413 -413
package/kit/agents/b2b-saas-architect.md +156 -156
package/kit/agents/cascading-failures-auditor.md +298 -298
package/kit/agents/codebase-mapper.md +768 -768
package/kit/agents/crm-pipeline-implementer.md +256 -256
package/kit/agents/debugger.md +813 -813
package/kit/agents/detector-tenant-quente.md +337 -337
package/kit/agents/evolution-go-integrator.md +200 -200
package/kit/agents/example-reviewer.md +21 -21
package/kit/agents/executor.md +564 -564
package/kit/agents/integration-checker.md +200 -200
package/kit/agents/invite-flow-implementer.md +189 -189
package/kit/agents/legacy-characterizer.md +368 -368
package/kit/agents/lgpd-compliance-auditor.md +295 -295
package/kit/agents/multi-tenant-isolation-auditor.md +253 -253
package/kit/agents/multi-tenant-rls-writer.md +340 -340
package/kit/agents/nyquist-auditor.md +178 -178
package/kit/agents/observability-coverage-auditor.md +315 -315
package/kit/agents/org-onboarding-implementer.md +223 -223
package/kit/agents/payload-capture-instrumenter.md +273 -273
package/kit/agents/phase-researcher.md +696 -696
package/kit/agents/plan-checker.md +272 -272
package/kit/agents/planner.md +922 -922
package/kit/agents/project-researcher.md +652 -652
package/kit/agents/refactor-safety-auditor.md +404 -404
package/kit/agents/research-synthesizer.md +245 -245
package/kit/agents/roadmapper.md +677 -677
package/kit/agents/seam-finder.md +359 -359
package/kit/agents/shotgun-surgery-detector.md +349 -349
package/kit/agents/supabase-branching-architect.md +562 -562
package/kit/agents/supabase-cicd-pipeline-implementer.md +777 -777
package/kit/agents/supabase-column-privileges-writer.md +399 -399
package/kit/agents/supabase-edge-fn-tester.md +287 -0
package/kit/agents/supabase-edge-fn-writer.md +239 -210
package/kit/agents/supabase-migration-writer.md +385 -385
package/kit/agents/supabase-rbac-implementer.md +392 -392
package/kit/agents/supabase-realtime-implementer.md +363 -267
package/kit/agents/supabase-rls-hardener.md +521 -521
package/kit/agents/supabase-rls-writer.md +323 -323
package/kit/agents/supabase-roles-implementer.md +355 -355
package/kit/agents/super-admin-implementer.md +281 -281
package/kit/agents/ui-auditor.md +437 -437
package/kit/agents/ui-checker.md +302 -302
package/kit/agents/ui-researcher.md +355 -355
package/kit/agents/user-profiler.md +175 -175
package/kit/agents/validador-evolucao-schema.md +335 -335
package/kit/agents/verifier.md +728 -728
package/kit/commands/adicionar-backlog.md +75 -75
package/kit/commands/adicionar-fase.md +42 -42
package/kit/commands/adicionar-tarefa.md +45 -45
package/kit/commands/adicionar-testes.md +41 -41
package/kit/commands/ajuda.md +21 -21
package/kit/commands/atualizar.md +37 -37
package/kit/commands/auditar-cascading.md +111 -111
package/kit/commands/auditar-marco.md +179 -179
package/kit/commands/auditar-observabilidade-cobertura.md +183 -183
package/kit/commands/auditar-refactor.md +219 -219
package/kit/commands/auditar-release.md +109 -109
package/kit/commands/auditar-uat.md +23 -23
package/kit/commands/autonomo.md +40 -40
package/kit/commands/branch-pr.md +24 -24
package/kit/commands/burn-rate-status.md +408 -408
package/kit/commands/capturar-payloads.md +193 -193
package/kit/commands/caracterizar.md +212 -212
package/kit/commands/concluir-marco.md +247 -247
package/kit/commands/configuracoes.md +36 -36
package/kit/commands/dados-distribuidos.md +188 -188
package/kit/commands/definir-perfil.md +10 -10
package/kit/commands/depurar.md +190 -190
package/kit/commands/detectar-duplicacao.md +197 -197
package/kit/commands/discutir-fase.md +131 -131
package/kit/commands/encontrar-seams.md +136 -136
package/kit/commands/entrar-discord.md +17 -17
package/kit/commands/estatisticas.md +18 -18
package/kit/commands/example-greeting.md +33 -33
package/kit/commands/executar-fase.md +58 -58
package/kit/commands/expresso.md +56 -56
package/kit/commands/fase-ui.md +34 -34
package/kit/commands/fazer.md +57 -57
package/kit/commands/fio.md +125 -125
package/kit/commands/fluxos-trabalho.md +64 -64
package/kit/commands/forense.md +176 -176
package/kit/commands/gerenciador.md +38 -38
package/kit/commands/inserir-fase.md +31 -31
package/kit/commands/legacy.md +263 -263
package/kit/commands/limpeza.md +17 -17
package/kit/commands/listar-hipoteses-fase.md +45 -45
package/kit/commands/listar-workspaces.md +18 -18
package/kit/commands/load-shedding.md +117 -117
package/kit/commands/mapear-codebase.md +70 -70
package/kit/commands/multi-tenant.md +163 -163
package/kit/commands/nota.md +33 -33
package/kit/commands/novo-marco.md +43 -43
package/kit/commands/novo-projeto.md +41 -41
package/kit/commands/novo-workspace.md +43 -43
package/kit/commands/pausar-trabalho.md +37 -37
package/kit/commands/perfil-usuario.md +45 -45
package/kit/commands/pesquisar-fase.md +195 -195
package/kit/commands/planejar-fase.md +67 -67
package/kit/commands/planejar-lacunas.md +33 -33
package/kit/commands/plantar-ideia.md +25 -25
package/kit/commands/progresso.md +24 -24
package/kit/commands/proximo.md +30 -30
package/kit/commands/publicar.md +490 -490
package/kit/commands/rapido.md +35 -35
package/kit/commands/reaplicar-patches.md +124 -124
package/kit/commands/refactor-seguro.md +321 -321
package/kit/commands/relatorio-sessao.md +19 -19
package/kit/commands/remover-fase.md +31 -31
package/kit/commands/remover-workspace.md +26 -26
package/kit/commands/resumo-marco.md +50 -50
package/kit/commands/retomar-trabalho.md +40 -40
package/kit/commands/revisar-backlog.md +60 -60
package/kit/commands/revisar-ui.md +32 -32
package/kit/commands/revisar.md +37 -37
package/kit/commands/saude.md +21 -21
package/kit/commands/setup-notion.md +93 -93
package/kit/commands/storytelling.md +179 -179
package/kit/commands/supabase.md +30 -7
package/kit/commands/sync-main.md +68 -68
package/kit/commands/validar-fase.md +35 -35
package/kit/commands/verificar-tarefas.md +44 -44
package/kit/commands/verificar-trabalho.md +64 -64
package/kit/file-manifest.json +14 -8
package/kit/framework/bin/lib/commands.cjs +959 -959
package/kit/framework/bin/lib/config.cjs +442 -442
package/kit/framework/bin/lib/core.cjs +1230 -1230
package/kit/framework/bin/lib/frontmatter.cjs +336 -336
package/kit/framework/bin/lib/init.cjs +1442 -1442
package/kit/framework/bin/lib/milestone.cjs +252 -252
package/kit/framework/bin/lib/model-profiles.cjs +68 -68
package/kit/framework/bin/lib/phase.cjs +888 -888
package/kit/framework/bin/lib/profile-output.cjs +952 -952
package/kit/framework/bin/lib/profile-pipeline.cjs +539 -539
package/kit/framework/bin/lib/roadmap.cjs +329 -329
package/kit/framework/bin/lib/security.cjs +382 -382
package/kit/framework/bin/lib/state.cjs +1031 -1031
package/kit/framework/bin/lib/template.cjs +222 -222
package/kit/framework/bin/lib/uat.cjs +282 -282
package/kit/framework/bin/lib/verify.cjs +888 -888
package/kit/framework/bin/lib/workstream.cjs +491 -491
package/kit/framework/bin/tools.cjs +918 -918
package/kit/framework/commands/workstreams.md +63 -63
package/kit/framework/references/checkpoints.md +778 -778
package/kit/framework/references/continuation-format.md +249 -249
package/kit/framework/references/decimal-phase-calculation.md +64 -64
package/kit/framework/references/git-integration.md +295 -295
package/kit/framework/references/git-planning-commit.md +38 -38
package/kit/framework/references/model-profile-resolution.md +36 -36
package/kit/framework/references/model-profiles.md +139 -139
package/kit/framework/references/phase-argument-parsing.md +61 -61
package/kit/framework/references/planning-config.md +202 -202
package/kit/framework/references/questioning.md +162 -162
package/kit/framework/references/tdd.md +263 -263
package/kit/framework/references/ui-brand.md +160 -160
package/kit/framework/references/user-profiling.md +657 -657
package/kit/framework/references/verification-patterns.md +612 -612
package/kit/framework/references/workstream-flag.md +58 -58
package/kit/framework/templates/DEBUG.md +164 -164
package/kit/framework/templates/UAT.md +265 -265
package/kit/framework/templates/UI-SPEC.md +100 -100
package/kit/framework/templates/VALIDATION.md +76 -76
package/kit/framework/templates/claude-md.md +122 -122
package/kit/framework/templates/codebase/architecture.md +185 -185
package/kit/framework/templates/codebase/concerns.md +205 -205
package/kit/framework/templates/codebase/conventions.md +204 -204
package/kit/framework/templates/codebase/integrations.md +192 -192
package/kit/framework/templates/codebase/stack.md +158 -158
package/kit/framework/templates/codebase/structure.md +199 -199
package/kit/framework/templates/codebase/testing.md +301 -301
package/kit/framework/templates/config.json +44 -44
package/kit/framework/templates/context.md +352 -352
package/kit/framework/templates/continue-here.md +78 -78
package/kit/framework/templates/copilot-instructions.md +7 -7
package/kit/framework/templates/debug-subagent-prompt.md +91 -91
package/kit/framework/templates/dev-preferences.md +20 -20
package/kit/framework/templates/discovery.md +146 -146
package/kit/framework/templates/discussion-log.md +63 -63
package/kit/framework/templates/milestone-archive.md +123 -123
package/kit/framework/templates/milestone.md +115 -115
package/kit/framework/templates/phase-prompt.md +610 -610
package/kit/framework/templates/planner-subagent-prompt.md +117 -117
package/kit/framework/templates/project.md +186 -186
package/kit/framework/templates/requirements.md +231 -231
package/kit/framework/templates/research-project/ARCHITECTURE.md +204 -204
package/kit/framework/templates/research-project/FEATURES.md +147 -147
package/kit/framework/templates/research-project/PITFALLS.md +200 -200
package/kit/framework/templates/research-project/STACK.md +120 -120
package/kit/framework/templates/research-project/SUMMARY.md +170 -170
package/kit/framework/templates/research.md +419 -419
package/kit/framework/templates/retrospective.md +54 -54
package/kit/framework/templates/roadmap.md +202 -202
package/kit/framework/templates/state.md +176 -176
package/kit/framework/templates/summary-complex.md +59 -59
package/kit/framework/templates/summary-minimal.md +41 -41
package/kit/framework/templates/summary-standard.md +48 -48
package/kit/framework/templates/summary.md +209 -209
package/kit/framework/templates/user-profile.md +146 -146
package/kit/framework/templates/user-setup.md +256 -256
package/kit/framework/templates/verification-report.md +258 -258
package/kit/framework/workflows/add-phase.md +112 -112
package/kit/framework/workflows/add-tests.md +351 -351
package/kit/framework/workflows/add-todo.md +158 -158
package/kit/framework/workflows/audit-milestone.md +340 -340
package/kit/framework/workflows/audit-uat.md +109 -109
package/kit/framework/workflows/autonomous.md +891 -891
package/kit/framework/workflows/check-todos.md +177 -177
package/kit/framework/workflows/cleanup.md +152 -152
package/kit/framework/workflows/complete-milestone.md +696 -696
package/kit/framework/workflows/diagnose-issues.md +231 -231
package/kit/framework/workflows/discovery-phase.md +289 -289
package/kit/framework/workflows/discuss-phase-assumptions.md +653 -653
package/kit/framework/workflows/discuss-phase.md +784 -784
package/kit/framework/workflows/do.md +104 -104
package/kit/framework/workflows/execute-phase.md +838 -838
package/kit/framework/workflows/execute-plan.md +510 -510
package/kit/framework/workflows/fast.md +102 -102
package/kit/framework/workflows/forensics.md +265 -265
package/kit/framework/workflows/health.md +181 -181
package/kit/framework/workflows/help.md +619 -619
package/kit/framework/workflows/insert-phase.md +130 -130
package/kit/framework/workflows/list-phase-assumptions.md +178 -178
package/kit/framework/workflows/list-workspaces.md +56 -56
package/kit/framework/workflows/manager.md +362 -362
package/kit/framework/workflows/map-codebase.md +377 -377
package/kit/framework/workflows/milestone-summary.md +223 -223
package/kit/framework/workflows/new-milestone.md +486 -486
package/kit/framework/workflows/new-project.md +1159 -1159
package/kit/framework/workflows/new-workspace.md +237 -237
package/kit/framework/workflows/next.md +97 -97
package/kit/framework/workflows/node-repair.md +92 -92
package/kit/framework/workflows/note.md +156 -156
package/kit/framework/workflows/pause-work.md +176 -176
package/kit/framework/workflows/plan-milestone-gaps.md +273 -273
package/kit/framework/workflows/plan-phase.md +765 -765
package/kit/framework/workflows/plant-seed.md +169 -169
package/kit/framework/workflows/pr-branch.md +129 -129
package/kit/framework/workflows/profile-user.md +450 -450
package/kit/framework/workflows/progress.md +507 -507
package/kit/framework/workflows/quick.md +757 -757
package/kit/framework/workflows/remove-phase.md +155 -155
package/kit/framework/workflows/remove-workspace.md +90 -90
package/kit/framework/workflows/research-phase.md +82 -82
package/kit/framework/workflows/resume-project.md +326 -326
package/kit/framework/workflows/review.md +228 -228
package/kit/framework/workflows/session-report.md +146 -146
package/kit/framework/workflows/settings.md +283 -283
package/kit/framework/workflows/ship.md +228 -228
package/kit/framework/workflows/stats.md +60 -60
package/kit/framework/workflows/transition.md +671 -671
package/kit/framework/workflows/ui-phase.md +302 -302
package/kit/framework/workflows/ui-review.md +165 -165
package/kit/framework/workflows/update.md +323 -323
package/kit/framework/workflows/validate-phase.md +174 -174
package/kit/framework/workflows/verify-phase.md +252 -252
package/kit/framework/workflows/verify-work.md +637 -637
package/kit/hooks/check-update.js +118 -118
package/kit/hooks/context-monitor.js +163 -163
package/kit/hooks/prompt-guard.js +103 -103
package/kit/hooks/statusline.js +125 -125
package/kit/hooks/workflow-guard.js +101 -101
package/kit/settings.json +45 -45
package/kit/skills/_shared-supabase/glossary.md +17 -0
package/kit/skills/ai-prompt-characterization/SKILL.md +335 -335
package/kit/skills/armadilhas-sistemas-distribuidos/SKILL.md +447 -447
package/kit/skills/audit-log-multi-tenant/SKILL.md +340 -340
package/kit/skills/b2b-saas-architecture/SKILL.md +300 -300
package/kit/skills/consistencia-leitura-replica/SKILL.md +385 -385
package/kit/skills/crm-lead-pipeline-patterns/SKILL.md +343 -343
package/kit/skills/escolha-modelo-consistencia/SKILL.md +494 -494
package/kit/skills/evolucao-schema-compativel/SKILL.md +448 -448
package/kit/skills/evolution-go-whatsapp-integration/SKILL.md +322 -322
package/kit/skills/example-skill/SKILL.md +42 -42
package/kit/skills/legacy-api-only-applications/SKILL.md +358 -358
package/kit/skills/legacy-characterization-tests/SKILL.md +330 -330
package/kit/skills/legacy-effect-analysis/SKILL.md +331 -331
package/kit/skills/legacy-extract-class/SKILL.md +203 -203
package/kit/skills/legacy-programming-by-difference/SKILL.md +252 -252
package/kit/skills/legacy-seams-and-test-harness/SKILL.md +460 -460
package/kit/skills/legacy-shotgun-surgery/SKILL.md +286 -286
package/kit/skills/legacy-sprout-wrap-techniques/SKILL.md +434 -434
package/kit/skills/legacy-storytelling-naked-crc/SKILL.md +270 -270
package/kit/skills/lgpd-multi-tenant-compliance/SKILL.md +340 -340
package/kit/skills/member-invite-flow/SKILL.md +305 -305
package/kit/skills/member-management-react-shadcn/SKILL.md +328 -328
package/kit/skills/multi-tenant-performance-scaling/SKILL.md +316 -316
package/kit/skills/multi-tenant-rls-hierarchy/SKILL.md +342 -342
package/kit/skills/org-onboarding-flow/SKILL.md +257 -257
package/kit/skills/org-switcher-react-pattern/SKILL.md +349 -349
package/kit/skills/permission-gate-react-pattern/SKILL.md +271 -271
package/kit/skills/postgres-isolamento-concorrencia/SKILL.md +552 -552
package/kit/skills/pre-refactor-characterization/SKILL.md +421 -421
package/kit/skills/rbac-permissions-matrix-supabase/SKILL.md +338 -338
package/kit/skills/streams-eventos-cdc/SKILL.md +711 -711
package/kit/skills/supabase-branching-workflow/SKILL.md +544 -544
package/kit/skills/supabase-ci-cd-github-actions/SKILL.md +880 -880
package/kit/skills/supabase-column-level-security/SKILL.md +426 -426
package/kit/skills/supabase-config-toml-remotes/SKILL.md +807 -807
package/kit/skills/supabase-custom-claims-rbac/SKILL.md +472 -472
package/kit/skills/supabase-edge-functions/SKILL.md +229 -141
package/kit/skills/supabase-edge-functions-auth/SKILL.md +309 -0
package/kit/skills/supabase-edge-functions-limits/SKILL.md +302 -0
package/kit/skills/supabase-edge-functions-mcp-server/SKILL.md +279 -0
package/kit/skills/supabase-edge-functions-testing/SKILL.md +277 -0
package/kit/skills/supabase-edge-runtime-builtins/SKILL.md +357 -0
package/kit/skills/supabase-migration-repair/SKILL.md +823 -823
package/kit/skills/supabase-migrations/SKILL.md +297 -297
package/kit/skills/supabase-pgtap-testing/SKILL.md +1053 -1053
package/kit/skills/supabase-postgres-roles/SKILL.md +392 -392
package/kit/skills/supabase-realtime/SKILL.md +460 -236
package/kit/skills/supabase-rls-defense-in-depth/SKILL.md +418 -418
package/kit/skills/supabase-rls-policies/SKILL.md +635 -635
package/kit/skills/super-admin-platform-pattern/SKILL.md +326 -326
package/kit/skills/tenant-quente-mitigacao/SKILL.md +605 -605
package/kit/skills/whatsapp-conversation-state-machine/SKILL.md +287 -287
package/package.json +1 -1
package/src/cli/index.js +33 -0
package/src/core/kit.js +216 -216
package/src/core/reflect.js +247 -247
package/src/core/reverse-sync.js +372 -372
package/src/core/sync.js +418 -418
package/src/core/watch.js +121 -121
package/src/mcp-server/index.js +693 -490
package/src/mcp-server/roots.js +124 -0

package/kit/skills/lgpd-multi-tenant-compliance/SKILL.md CHANGED Viewed

@@ -1,340 +1,340 @@
----
-name: lgpd-multi-tenant-compliance
-description: Use ao implementar compliance LGPD (Lei 13.709/2018) per-tenant em B2B SaaS Supabase — 9 direitos Art. 18 com workflow per-org, DSR SLA 15 dias Art.
----
-# LGPD Multi-Tenant Compliance — Lei 13.709/2018
-## Quando usar
-LLM carrega esta skill ao implementar compliance LGPD em B2B SaaS Brasil. Trigger phrases:
-- "LGPD compliance", "Lei 13.709"
-- "DSR data subject request"
-- "consent management granular"
-- "erasure anonymization LGPD"
-- "cross-border data transfer Brazil"
-- "ANPD adequacy decision"
-## Regras absolutas
-**REGRA #1 (DSR SLA 15 dias — Art. 19):** Toda DSR (Data Subject Request) deve ser processada em **15 dias corridos** (Art. 19 LGPD). Tabela `data_subject_requests` com `deadline_at = created_at + 15 days`. Pg_cron D-3 alerta requests próximas do prazo.
-**REGRA #2 (consent default opt-out — Art. 8 §5):** Consentimento LGPD deve ser **livre, informado, inequívoco**. Default opt-in é **ilegal** (Art. 8 §5). UI deve apresentar checkboxes desmarcados por default. Multa: até R$50M ou 2% faturamento.
-**REGRA #3 (consent granular):** Consentimento separado por **finalidade** — analytics ≠ marketing ≠ third-party-share ≠ profiling. User pode aceitar uma e rejeitar outra. Consent bundling (uma checkbox para tudo) é vedado.
-**REGRA #4 (erasure via anonymization):** Direito à eliminação (Art. 18 VI) implementado via **anonymization**: preservar UUID (chave opaca), apagar PII (`name → NULL`, `email → SHA-256 hash`, `phone → NULL`). Hard delete destrói audit trail necessário para outras compliance obrigations.
-**REGRA #5 (cross-border config):** Para apps com clientes brasileiros, Vercel deploy region `gru1` (São Paulo) + Supabase project region `sa-east-1` mantêm dados em repouso no Brasil. Adequacy decision Brasil-UE estabelecida em janeiro/2026 permite EU regions sem SCCs adicionais.
-**REGRA #6 (per-tenant — não global):** Cada org tem sua própria política de retention/consent. App é controlador de dados em alguns casos, operador em outros (Art. 5). Per-tenant implementação respeita esta diversidade.
-## Patterns canônicos
-### Tabela `consent_records`
-```sql
-create table public.consent_records (
-  id uuid primary key default gen_random_uuid(),
-  org_id uuid not null references public.organizations(id) on delete cascade,
-  user_id uuid not null references auth.users(id) on delete cascade,
-  purpose text not null
-    check (purpose in (
-      'analytics',           -- analytics próprio (PostHog, Mixpanel)
-      'marketing_email',     -- envio email marketing
-      'marketing_whatsapp',  -- envio WhatsApp marketing
-      'third_party_share',   -- compartilhamento com parceiros
-      'profiling',           -- perfilamento comportamental
-      'cookies_optional'     -- cookies não-essenciais
-    ) or purpose like 'custom\_%'),
-  granted boolean not null,
-  granted_at timestamptz not null default now(),
-  revoked_at timestamptz,
-  source text not null default 'app_settings'
-    check (source in ('app_settings', 'cookie_banner', 'signup_form', 'api')),
-  ip_address inet,
-  user_agent text,
-  unique (org_id, user_id, purpose, granted_at)  -- histórico audited
-);
-create index consent_records_org_user_purpose_idx
-  on public.consent_records (org_id, user_id, purpose, granted_at desc);
-alter table public.consent_records enable row level security;
-create policy "consent_records_select_own" on public.consent_records
-  for select to authenticated
-  using (user_id = (select auth.uid()));
-create policy "consent_records_insert_own" on public.consent_records
-  for insert to authenticated
-  with check (user_id = (select auth.uid()));
-create policy "consent_records_admin_view" on public.consent_records
-  for select to authenticated
-  using (private.has_permission('process', 'dsr_requests', org_id));
-```
-### Helper `current_consent`
-```sql
-create or replace function private.current_consent(p_org_id uuid, p_user_id uuid, p_purpose text)
-returns boolean
-language sql
-stable
-security invoker
-set search_path = ''
-as $$
-  select coalesce(
-    (select granted from public.consent_records
-     where org_id = p_org_id and user_id = p_user_id and purpose = p_purpose
-     order by granted_at desc limit 1),
-    false  -- REGRA #2: default opt-out se não houver registro
-  );
-$$;
-```
-### Tabela `data_subject_requests`
-```sql
-create table public.data_subject_requests (
-  id uuid primary key default gen_random_uuid(),
-  org_id uuid not null references public.organizations(id) on delete cascade,
-  requester_user_id uuid references auth.users(id) on delete set null,
-  requester_email text not null,
-  request_type text not null
-    check (request_type in (
-      'confirmation',     -- Art. 18 I — confirmação da existência de tratamento
-      'access',           -- Art. 18 II — acesso aos dados
-      'correction',       -- Art. 18 III — correção
-      'anonymization',    -- Art. 18 IV — anonimização/bloqueio/eliminação parcial
-      'portability',      -- Art. 18 V — portabilidade
-      'erasure',          -- Art. 18 VI — eliminação completa
-      'sharing_info',     -- Art. 18 VII — informação sobre compartilhamento
-      'consent_revoke',   -- Art. 18 IX — revogação consentimento
-      'automated_review'  -- Art. 18 — revisão decisão automatizada
-    )),
-  description text,
-  status text not null default 'pending'
-    check (status in ('pending', 'in_progress', 'completed', 'rejected', 'expired')),
-  deadline_at timestamptz not null default (now() + interval '15 days'),  -- REGRA #1 Art. 19
-  completed_at timestamptz,
-  rejected_reason text,
-  result jsonb,                                                            -- payload de resposta (export, etc.)
-  created_at timestamptz not null default now()
-);
-create index dsr_org_status_deadline_idx on public.data_subject_requests (org_id, status, deadline_at);
-alter table public.data_subject_requests enable row level security;
--- Apenas users com permission process:dsr_requests
-create policy "dsr_select_with_permission" on public.data_subject_requests
-  for select to authenticated
-  using (private.has_permission('process', 'dsr_requests', org_id));
--- Insert: qualquer authenticated pode criar request para si próprio
-create policy "dsr_insert_self" on public.data_subject_requests
-  for insert to authenticated
-  with check (
-    requester_user_id = (select auth.uid())
-    or requester_email = (select email from auth.users where id = (select auth.uid()))
-  );
-create policy "dsr_super_admin" on public.data_subject_requests
-  as permissive for all to authenticated
-  using (private.is_super_admin())
-  with check (private.is_super_admin());
-```
-### Cron alert D-3 (3 dias antes do prazo)
-```sql
-select cron.schedule(
-  'dsr-deadline-alert-d3',
-  '0 9 * * *',  -- diário 9:00 UTC
-  $$
-    -- Notificar admin (via Edge Function notification) sobre DSRs próximas do prazo
-    insert into public.notifications (org_id, type, payload)
-    select
-      org_id,
-      'dsr_deadline_warning',
-      jsonb_build_object(
-        'request_id', id,
-        'days_remaining', extract(day from deadline_at - now()),
-        'request_type', request_type
-      )
-    from public.data_subject_requests
-    where status in ('pending', 'in_progress')
-      and deadline_at < now() + interval '3 days'
-      and deadline_at >= now()
-      and id not in (
-        select (payload->>'request_id')::uuid from public.notifications
-        where type = 'dsr_deadline_warning'
-          and created_at > now() - interval '24 hours'
-      );
-  $$
-);
-```
-### Erasure via anonymization (REGRA #4)
-```sql
--- RPC chamada quando admin processa DSR de erasure
-create or replace function public.process_erasure_request(p_dsr_id uuid)
-returns void
-language plpgsql
-security invoker
-set search_path = ''
-as $$
-declare
-  v_dsr record;
-  v_user_id uuid;
-begin
-  -- Validar permission
-  select * into v_dsr from public.data_subject_requests where id = p_dsr_id;
-  if v_dsr is null then raise exception 'dsr_not_found'; end if;
-  if not private.has_permission('process', 'dsr_requests', v_dsr.org_id) then
-    raise exception 'forbidden';
-  end if;
-  v_user_id := v_dsr.requester_user_id;
-  if v_user_id is null then
-    raise exception 'erasure_requires_user_id';
-  end if;
-  -- Anonymize across all tenant tables (preservar UUID)
-  -- 1. organization_members
-  update public.organization_members
-  set status = 'left'
-  where user_id = v_user_id and org_id = v_dsr.org_id;
-  -- 2. leads (owner_id e contact data)
-  update public.leads
-  set
-    owner_id = null,                                        -- preserva FK opcional
-    contact_email = encode(digest(coalesce(contact_email, ''), 'sha256'), 'hex'),
-    contact_phone = null,
-    contact_name = '[anonymized]'
-  where org_id = v_dsr.org_id
-    and (owner_id = v_user_id);  -- leads owned por este user
-  -- 3. audit_logs — preservar (REGRA #4: não destruir trail), apenas anonimizar
-  update public.audit_logs
-  set
-    actor_id = null,
-    actor_email_hash = '[anonymized]',
-    payload = payload - 'actor_email' - 'ip_address'
-  where actor_id = v_user_id and tenant_id = v_dsr.org_id;
-  -- 4. (em audit_logs com legal_hold = true não anonimizar — preservar evidence)
-  -- (já filtrado pelo update acima — apenas tocá-lo após legal hold ser liberado)
-  -- 5. Marcar DSR como completed
-  update public.data_subject_requests
-  set status = 'completed', completed_at = now(), result = jsonb_build_object('anonymized', true)
-  where id = p_dsr_id;
-  -- 6. Audit
-  perform private.audit_log(
-    'data_exported',
-    v_dsr.org_id,
-    v_user_id, 'user', v_dsr.requester_email,
-    jsonb_build_object('action', 'erasure_completed', 'dsr_id', p_dsr_id)
-  );
-end;
-$$;
-grant execute on function public.process_erasure_request(uuid) to authenticated;
-```
-### Cross-border config (REGRA #5)
-```typescript
-// next.config.js (Vercel)
-module.exports = {
-  // Edge Functions só rodam em São Paulo
-  experimental: {
-    serverActions: {
-      allowedOrigins: ['*.vercel.app']
-    }
-  },
-  // Force region para Edge runtime
-  runtime: 'edge',
-  regions: ['gru1']  // São Paulo
-}
-// Supabase project criado em sa-east-1 (São Paulo) — escolher na criação
-```
-## Anti-patterns
-### Anti-pattern 1: Hard delete em erasure flow
-**Errado:**
-```sql
-delete from auth.users where id = '<user>' cascade;
--- audit_logs cascade deletado, evidence destroyed
-```
-**Por quê:** destrói audit trail necessário para outras obrigações compliance (investigação fraudulenta, anti-money-laundering, registros fiscais 5 anos).
-**Certo:** REGRA #4 — anonymization. UUID preservado, PII apagada.
-### Anti-pattern 2: Consent default opt-in
-**Errado:**
-```html
-<input type="checkbox" name="marketing" checked>  <!-- pre-marked -->
-<label>Aceito receber emails de marketing</label>
-```
-**Por quê:** Art. 8 §5 LGPD: consentimento deve ser livre, informado, inequívoco. Pre-checked = bundle implícito = ilegal.
-**Certo:** REGRA #2 — checkbox unchecked, user precisa clicar explicitamente.
-### Anti-pattern 3: Consent bundling
-**Errado:**
-```html
-<input type="checkbox" name="all_consents">
-<label>Aceito termos, privacy policy, marketing, analytics e third-party share</label>
-```
-**Por quê:** REGRA #3 — consentimentos devem ser separados por finalidade. User não pode "aceitar tudo" via 1 checkbox.
-**Certo:** N checkboxes individuais para cada `consent_records.purpose`.
-### Anti-pattern 4: DSR sem deadline tracking
-**Errado:**
-```sql
--- Tabela sem deadline_at
--- Admin esquece request, prazo 15 dias passa, ANPD multa
-```
-**Por quê:** Art. 19 prazo legal — descumprimento = multa.
-**Certo:** REGRA #1 — `deadline_at` automático + pg_cron alert D-3.
-### Anti-pattern 5: PII em audit_logs raw
-**Errado:**
-```sql
-insert into audit_logs (actor_email, payload) values ('user@email.com', '{"phone":"+5511999"}');
-```
-**Por quê:** quando user solicita erasure, audit_logs também precisa anonimizar. Mas hash = não há referência à PII original.
-**Certo:** já desde início, hash actor_email + sanitize payload (cross-ref Phase 109 audit-log-multi-tenant REGRA #4).
-## Ver também
-- [audit-log-multi-tenant](../audit-log-multi-tenant/SKILL.md) — Phase 109, PII sanitization + legal_hold flag
-- [b2b-saas-architecture](../b2b-saas-architecture/SKILL.md) — schema base
-- [supabase-cron-queues](../supabase-cron-queues/SKILL.md) — pg_cron pattern para alert D-3
-- [super-admin-platform-pattern](../super-admin-platform-pattern/SKILL.md) — Phase 111, super_admin process DSR
-- [_shared-multi-tenant/glossary.md](../_shared-multi-tenant/glossary.md) — `LGPD`, `DSR`, `9 direitos LGPD`, `anonymization`, `consent grain`, `adequacy decision`
-- [LGPD — Lei 13.709/2018](https://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm)
-- [ANPD — International Data Transfers](https://www.gov.br/anpd/)
+---
+name: lgpd-multi-tenant-compliance
+description: Use ao implementar compliance LGPD (Lei 13.709/2018) per-tenant em B2B SaaS Supabase — 9 direitos Art. 18 com workflow per-org, DSR SLA 15 dias Art.
+---
+# LGPD Multi-Tenant Compliance — Lei 13.709/2018
+## Quando usar
+LLM carrega esta skill ao implementar compliance LGPD em B2B SaaS Brasil. Trigger phrases:
+- "LGPD compliance", "Lei 13.709"
+- "DSR data subject request"
+- "consent management granular"
+- "erasure anonymization LGPD"
+- "cross-border data transfer Brazil"
+- "ANPD adequacy decision"
+## Regras absolutas
+**REGRA #1 (DSR SLA 15 dias — Art. 19):** Toda DSR (Data Subject Request) deve ser processada em **15 dias corridos** (Art. 19 LGPD). Tabela `data_subject_requests` com `deadline_at = created_at + 15 days`. Pg_cron D-3 alerta requests próximas do prazo.
+**REGRA #2 (consent default opt-out — Art. 8 §5):** Consentimento LGPD deve ser **livre, informado, inequívoco**. Default opt-in é **ilegal** (Art. 8 §5). UI deve apresentar checkboxes desmarcados por default. Multa: até R$50M ou 2% faturamento.
+**REGRA #3 (consent granular):** Consentimento separado por **finalidade** — analytics ≠ marketing ≠ third-party-share ≠ profiling. User pode aceitar uma e rejeitar outra. Consent bundling (uma checkbox para tudo) é vedado.
+**REGRA #4 (erasure via anonymization):** Direito à eliminação (Art. 18 VI) implementado via **anonymization**: preservar UUID (chave opaca), apagar PII (`name → NULL`, `email → SHA-256 hash`, `phone → NULL`). Hard delete destrói audit trail necessário para outras compliance obrigations.
+**REGRA #5 (cross-border config):** Para apps com clientes brasileiros, Vercel deploy region `gru1` (São Paulo) + Supabase project region `sa-east-1` mantêm dados em repouso no Brasil. Adequacy decision Brasil-UE estabelecida em janeiro/2026 permite EU regions sem SCCs adicionais.
+**REGRA #6 (per-tenant — não global):** Cada org tem sua própria política de retention/consent. App é controlador de dados em alguns casos, operador em outros (Art. 5). Per-tenant implementação respeita esta diversidade.
+## Patterns canônicos
+### Tabela `consent_records`
+```sql
+create table public.consent_records (
+  id uuid primary key default gen_random_uuid(),
+  org_id uuid not null references public.organizations(id) on delete cascade,
+  user_id uuid not null references auth.users(id) on delete cascade,
+  purpose text not null
+    check (purpose in (
+      'analytics',           -- analytics próprio (PostHog, Mixpanel)
+      'marketing_email',     -- envio email marketing
+      'marketing_whatsapp',  -- envio WhatsApp marketing
+      'third_party_share',   -- compartilhamento com parceiros
+      'profiling',           -- perfilamento comportamental
+      'cookies_optional'     -- cookies não-essenciais
+    ) or purpose like 'custom\_%'),
+  granted boolean not null,
+  granted_at timestamptz not null default now(),
+  revoked_at timestamptz,
+  source text not null default 'app_settings'
+    check (source in ('app_settings', 'cookie_banner', 'signup_form', 'api')),
+  ip_address inet,
+  user_agent text,
+  unique (org_id, user_id, purpose, granted_at)  -- histórico audited
+);
+create index consent_records_org_user_purpose_idx
+  on public.consent_records (org_id, user_id, purpose, granted_at desc);
+alter table public.consent_records enable row level security;
+create policy "consent_records_select_own" on public.consent_records
+  for select to authenticated
+  using (user_id = (select auth.uid()));
+create policy "consent_records_insert_own" on public.consent_records
+  for insert to authenticated
+  with check (user_id = (select auth.uid()));
+create policy "consent_records_admin_view" on public.consent_records
+  for select to authenticated
+  using (private.has_permission('process', 'dsr_requests', org_id));
+```
+### Helper `current_consent`
+```sql
+create or replace function private.current_consent(p_org_id uuid, p_user_id uuid, p_purpose text)
+returns boolean
+language sql
+stable
+security invoker
+set search_path = ''
+as $$
+  select coalesce(
+    (select granted from public.consent_records
+     where org_id = p_org_id and user_id = p_user_id and purpose = p_purpose
+     order by granted_at desc limit 1),
+    false  -- REGRA #2: default opt-out se não houver registro
+  );
+$$;
+```
+### Tabela `data_subject_requests`
+```sql
+create table public.data_subject_requests (
+  id uuid primary key default gen_random_uuid(),
+  org_id uuid not null references public.organizations(id) on delete cascade,
+  requester_user_id uuid references auth.users(id) on delete set null,
+  requester_email text not null,
+  request_type text not null
+    check (request_type in (
+      'confirmation',     -- Art. 18 I — confirmação da existência de tratamento
+      'access',           -- Art. 18 II — acesso aos dados
+      'correction',       -- Art. 18 III — correção
+      'anonymization',    -- Art. 18 IV — anonimização/bloqueio/eliminação parcial
+      'portability',      -- Art. 18 V — portabilidade
+      'erasure',          -- Art. 18 VI — eliminação completa
+      'sharing_info',     -- Art. 18 VII — informação sobre compartilhamento
+      'consent_revoke',   -- Art. 18 IX — revogação consentimento
+      'automated_review'  -- Art. 18 — revisão decisão automatizada
+    )),
+  description text,
+  status text not null default 'pending'
+    check (status in ('pending', 'in_progress', 'completed', 'rejected', 'expired')),
+  deadline_at timestamptz not null default (now() + interval '15 days'),  -- REGRA #1 Art. 19
+  completed_at timestamptz,
+  rejected_reason text,
+  result jsonb,                                                            -- payload de resposta (export, etc.)
+  created_at timestamptz not null default now()
+);
+create index dsr_org_status_deadline_idx on public.data_subject_requests (org_id, status, deadline_at);
+alter table public.data_subject_requests enable row level security;
+-- Apenas users com permission process:dsr_requests
+create policy "dsr_select_with_permission" on public.data_subject_requests
+  for select to authenticated
+  using (private.has_permission('process', 'dsr_requests', org_id));
+-- Insert: qualquer authenticated pode criar request para si próprio
+create policy "dsr_insert_self" on public.data_subject_requests
+  for insert to authenticated
+  with check (
+    requester_user_id = (select auth.uid())
+    or requester_email = (select email from auth.users where id = (select auth.uid()))
+  );
+create policy "dsr_super_admin" on public.data_subject_requests
+  as permissive for all to authenticated
+  using (private.is_super_admin())
+  with check (private.is_super_admin());
+```
+### Cron alert D-3 (3 dias antes do prazo)
+```sql
+select cron.schedule(
+  'dsr-deadline-alert-d3',
+  '0 9 * * *',  -- diário 9:00 UTC
+  $$
+    -- Notificar admin (via Edge Function notification) sobre DSRs próximas do prazo
+    insert into public.notifications (org_id, type, payload)
+    select
+      org_id,
+      'dsr_deadline_warning',
+      jsonb_build_object(
+        'request_id', id,
+        'days_remaining', extract(day from deadline_at - now()),
+        'request_type', request_type
+      )
+    from public.data_subject_requests
+    where status in ('pending', 'in_progress')
+      and deadline_at < now() + interval '3 days'
+      and deadline_at >= now()
+      and id not in (
+        select (payload->>'request_id')::uuid from public.notifications
+        where type = 'dsr_deadline_warning'
+          and created_at > now() - interval '24 hours'
+      );
+  $$
+);
+```
+### Erasure via anonymization (REGRA #4)
+```sql
+-- RPC chamada quando admin processa DSR de erasure
+create or replace function public.process_erasure_request(p_dsr_id uuid)
+returns void
+language plpgsql
+security invoker
+set search_path = ''
+as $$
+declare
+  v_dsr record;
+  v_user_id uuid;
+begin
+  -- Validar permission
+  select * into v_dsr from public.data_subject_requests where id = p_dsr_id;
+  if v_dsr is null then raise exception 'dsr_not_found'; end if;
+  if not private.has_permission('process', 'dsr_requests', v_dsr.org_id) then
+    raise exception 'forbidden';
+  end if;
+  v_user_id := v_dsr.requester_user_id;
+  if v_user_id is null then
+    raise exception 'erasure_requires_user_id';
+  end if;
+  -- Anonymize across all tenant tables (preservar UUID)
+  -- 1. organization_members
+  update public.organization_members
+  set status = 'left'
+  where user_id = v_user_id and org_id = v_dsr.org_id;
+  -- 2. leads (owner_id e contact data)
+  update public.leads
+  set
+    owner_id = null,                                        -- preserva FK opcional
+    contact_email = encode(digest(coalesce(contact_email, ''), 'sha256'), 'hex'),
+    contact_phone = null,
+    contact_name = '[anonymized]'
+  where org_id = v_dsr.org_id
+    and (owner_id = v_user_id);  -- leads owned por este user
+  -- 3. audit_logs — preservar (REGRA #4: não destruir trail), apenas anonimizar
+  update public.audit_logs
+  set
+    actor_id = null,
+    actor_email_hash = '[anonymized]',
+    payload = payload - 'actor_email' - 'ip_address'
+  where actor_id = v_user_id and tenant_id = v_dsr.org_id;
+  -- 4. (em audit_logs com legal_hold = true não anonimizar — preservar evidence)
+  -- (já filtrado pelo update acima — apenas tocá-lo após legal hold ser liberado)
+  -- 5. Marcar DSR como completed
+  update public.data_subject_requests
+  set status = 'completed', completed_at = now(), result = jsonb_build_object('anonymized', true)
+  where id = p_dsr_id;
+  -- 6. Audit
+  perform private.audit_log(
+    'data_exported',
+    v_dsr.org_id,
+    v_user_id, 'user', v_dsr.requester_email,
+    jsonb_build_object('action', 'erasure_completed', 'dsr_id', p_dsr_id)
+  );
+end;
+$$;
+grant execute on function public.process_erasure_request(uuid) to authenticated;
+```
+### Cross-border config (REGRA #5)
+```typescript
+// next.config.js (Vercel)
+module.exports = {
+  // Edge Functions só rodam em São Paulo
+  experimental: {
+    serverActions: {
+      allowedOrigins: ['*.vercel.app']
+    }
+  },
+  // Force region para Edge runtime
+  runtime: 'edge',
+  regions: ['gru1']  // São Paulo
+}
+// Supabase project criado em sa-east-1 (São Paulo) — escolher na criação
+```
+## Anti-patterns
+### Anti-pattern 1: Hard delete em erasure flow
+**Errado:**
+```sql
+delete from auth.users where id = '<user>' cascade;
+-- audit_logs cascade deletado, evidence destroyed
+```
+**Por quê:** destrói audit trail necessário para outras obrigações compliance (investigação fraudulenta, anti-money-laundering, registros fiscais 5 anos).
+**Certo:** REGRA #4 — anonymization. UUID preservado, PII apagada.
+### Anti-pattern 2: Consent default opt-in
+**Errado:**
+```html
+<input type="checkbox" name="marketing" checked>  <!-- pre-marked -->
+<label>Aceito receber emails de marketing</label>
+```
+**Por quê:** Art. 8 §5 LGPD: consentimento deve ser livre, informado, inequívoco. Pre-checked = bundle implícito = ilegal.
+**Certo:** REGRA #2 — checkbox unchecked, user precisa clicar explicitamente.
+### Anti-pattern 3: Consent bundling
+**Errado:**
+```html
+<input type="checkbox" name="all_consents">
+<label>Aceito termos, privacy policy, marketing, analytics e third-party share</label>
+```
+**Por quê:** REGRA #3 — consentimentos devem ser separados por finalidade. User não pode "aceitar tudo" via 1 checkbox.
+**Certo:** N checkboxes individuais para cada `consent_records.purpose`.
+### Anti-pattern 4: DSR sem deadline tracking
+**Errado:**
+```sql
+-- Tabela sem deadline_at
+-- Admin esquece request, prazo 15 dias passa, ANPD multa
+```
+**Por quê:** Art. 19 prazo legal — descumprimento = multa.
+**Certo:** REGRA #1 — `deadline_at` automático + pg_cron alert D-3.
+### Anti-pattern 5: PII em audit_logs raw
+**Errado:**
+```sql
+insert into audit_logs (actor_email, payload) values ('user@email.com', '{"phone":"+5511999"}');
+```
+**Por quê:** quando user solicita erasure, audit_logs também precisa anonimizar. Mas hash = não há referência à PII original.
+**Certo:** já desde início, hash actor_email + sanitize payload (cross-ref Phase 109 audit-log-multi-tenant REGRA #4).
+## Ver também
+- [audit-log-multi-tenant](../audit-log-multi-tenant/SKILL.md) — Phase 109, PII sanitization + legal_hold flag
+- [b2b-saas-architecture](../b2b-saas-architecture/SKILL.md) — schema base
+- [supabase-cron-queues](../supabase-cron-queues/SKILL.md) — pg_cron pattern para alert D-3
+- [super-admin-platform-pattern](../super-admin-platform-pattern/SKILL.md) — Phase 111, super_admin process DSR
+- [_shared-multi-tenant/glossary.md](../_shared-multi-tenant/glossary.md) — `LGPD`, `DSR`, `9 direitos LGPD`, `anonymization`, `consent grain`, `adequacy decision`
+- [LGPD — Lei 13.709/2018](https://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm)
+- [ANPD — International Data Transfers](https://www.gov.br/anpd/)