@luanpdd/kit-mcp 1.28.0 → 1.30.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (332) hide show
  1. package/LICENSE +21 -21
  2. package/README.md +168 -168
  3. package/gates/agent-no-recursive-dispatch.md +82 -82
  4. package/kit/COMANDOS.md +138 -138
  5. package/kit/README.md +76 -76
  6. package/kit/agents/advisor-researcher.md +106 -106
  7. package/kit/agents/assumptions-analyzer.md +107 -107
  8. package/kit/agents/audit-log-implementer.md +313 -313
  9. package/kit/agents/auditor-consistencia-isolamento.md +413 -413
  10. package/kit/agents/b2b-saas-architect.md +156 -156
  11. package/kit/agents/cascading-failures-auditor.md +298 -298
  12. package/kit/agents/codebase-mapper.md +768 -768
  13. package/kit/agents/crm-pipeline-implementer.md +256 -256
  14. package/kit/agents/debugger.md +813 -813
  15. package/kit/agents/detector-tenant-quente.md +337 -337
  16. package/kit/agents/evolution-go-integrator.md +200 -200
  17. package/kit/agents/example-reviewer.md +21 -21
  18. package/kit/agents/executor.md +564 -564
  19. package/kit/agents/integration-checker.md +200 -200
  20. package/kit/agents/invite-flow-implementer.md +189 -189
  21. package/kit/agents/legacy-characterizer.md +368 -368
  22. package/kit/agents/lgpd-compliance-auditor.md +295 -295
  23. package/kit/agents/multi-tenant-isolation-auditor.md +253 -253
  24. package/kit/agents/multi-tenant-rls-writer.md +340 -340
  25. package/kit/agents/nyquist-auditor.md +178 -178
  26. package/kit/agents/observability-coverage-auditor.md +315 -315
  27. package/kit/agents/org-onboarding-implementer.md +223 -223
  28. package/kit/agents/payload-capture-instrumenter.md +273 -273
  29. package/kit/agents/phase-researcher.md +696 -696
  30. package/kit/agents/plan-checker.md +272 -272
  31. package/kit/agents/planner.md +922 -922
  32. package/kit/agents/project-researcher.md +652 -652
  33. package/kit/agents/refactor-safety-auditor.md +404 -404
  34. package/kit/agents/research-synthesizer.md +245 -245
  35. package/kit/agents/roadmapper.md +677 -677
  36. package/kit/agents/seam-finder.md +359 -359
  37. package/kit/agents/shotgun-surgery-detector.md +349 -349
  38. package/kit/agents/supabase-branching-architect.md +562 -562
  39. package/kit/agents/supabase-cicd-pipeline-implementer.md +777 -777
  40. package/kit/agents/supabase-column-privileges-writer.md +399 -399
  41. package/kit/agents/supabase-edge-fn-tester.md +287 -0
  42. package/kit/agents/supabase-edge-fn-writer.md +239 -210
  43. package/kit/agents/supabase-migration-writer.md +385 -385
  44. package/kit/agents/supabase-rbac-implementer.md +392 -392
  45. package/kit/agents/supabase-realtime-implementer.md +363 -267
  46. package/kit/agents/supabase-rls-hardener.md +521 -521
  47. package/kit/agents/supabase-rls-writer.md +323 -323
  48. package/kit/agents/supabase-roles-implementer.md +355 -355
  49. package/kit/agents/super-admin-implementer.md +281 -281
  50. package/kit/agents/ui-auditor.md +437 -437
  51. package/kit/agents/ui-checker.md +302 -302
  52. package/kit/agents/ui-researcher.md +355 -355
  53. package/kit/agents/user-profiler.md +175 -175
  54. package/kit/agents/validador-evolucao-schema.md +335 -335
  55. package/kit/agents/verifier.md +728 -728
  56. package/kit/commands/adicionar-backlog.md +75 -75
  57. package/kit/commands/adicionar-fase.md +42 -42
  58. package/kit/commands/adicionar-tarefa.md +45 -45
  59. package/kit/commands/adicionar-testes.md +41 -41
  60. package/kit/commands/ajuda.md +21 -21
  61. package/kit/commands/atualizar.md +37 -37
  62. package/kit/commands/auditar-cascading.md +111 -111
  63. package/kit/commands/auditar-marco.md +179 -179
  64. package/kit/commands/auditar-observabilidade-cobertura.md +183 -183
  65. package/kit/commands/auditar-refactor.md +219 -219
  66. package/kit/commands/auditar-release.md +109 -109
  67. package/kit/commands/auditar-uat.md +23 -23
  68. package/kit/commands/autonomo.md +40 -40
  69. package/kit/commands/branch-pr.md +24 -24
  70. package/kit/commands/burn-rate-status.md +408 -408
  71. package/kit/commands/capturar-payloads.md +193 -193
  72. package/kit/commands/caracterizar.md +212 -212
  73. package/kit/commands/concluir-marco.md +247 -247
  74. package/kit/commands/configuracoes.md +36 -36
  75. package/kit/commands/dados-distribuidos.md +188 -188
  76. package/kit/commands/definir-perfil.md +10 -10
  77. package/kit/commands/depurar.md +190 -190
  78. package/kit/commands/detectar-duplicacao.md +197 -197
  79. package/kit/commands/discutir-fase.md +131 -131
  80. package/kit/commands/encontrar-seams.md +136 -136
  81. package/kit/commands/entrar-discord.md +17 -17
  82. package/kit/commands/estatisticas.md +18 -18
  83. package/kit/commands/example-greeting.md +33 -33
  84. package/kit/commands/executar-fase.md +58 -58
  85. package/kit/commands/expresso.md +56 -56
  86. package/kit/commands/fase-ui.md +34 -34
  87. package/kit/commands/fazer.md +57 -57
  88. package/kit/commands/fio.md +125 -125
  89. package/kit/commands/fluxos-trabalho.md +64 -64
  90. package/kit/commands/forense.md +176 -176
  91. package/kit/commands/gerenciador.md +38 -38
  92. package/kit/commands/inserir-fase.md +31 -31
  93. package/kit/commands/legacy.md +263 -263
  94. package/kit/commands/limpeza.md +17 -17
  95. package/kit/commands/listar-hipoteses-fase.md +45 -45
  96. package/kit/commands/listar-workspaces.md +18 -18
  97. package/kit/commands/load-shedding.md +117 -117
  98. package/kit/commands/mapear-codebase.md +70 -70
  99. package/kit/commands/multi-tenant.md +163 -163
  100. package/kit/commands/nota.md +33 -33
  101. package/kit/commands/novo-marco.md +43 -43
  102. package/kit/commands/novo-projeto.md +41 -41
  103. package/kit/commands/novo-workspace.md +43 -43
  104. package/kit/commands/pausar-trabalho.md +37 -37
  105. package/kit/commands/perfil-usuario.md +45 -45
  106. package/kit/commands/pesquisar-fase.md +195 -195
  107. package/kit/commands/planejar-fase.md +67 -67
  108. package/kit/commands/planejar-lacunas.md +33 -33
  109. package/kit/commands/plantar-ideia.md +25 -25
  110. package/kit/commands/progresso.md +24 -24
  111. package/kit/commands/proximo.md +30 -30
  112. package/kit/commands/publicar.md +490 -490
  113. package/kit/commands/rapido.md +35 -35
  114. package/kit/commands/reaplicar-patches.md +124 -124
  115. package/kit/commands/refactor-seguro.md +321 -321
  116. package/kit/commands/relatorio-sessao.md +19 -19
  117. package/kit/commands/remover-fase.md +31 -31
  118. package/kit/commands/remover-workspace.md +26 -26
  119. package/kit/commands/resumo-marco.md +50 -50
  120. package/kit/commands/retomar-trabalho.md +40 -40
  121. package/kit/commands/revisar-backlog.md +60 -60
  122. package/kit/commands/revisar-ui.md +32 -32
  123. package/kit/commands/revisar.md +37 -37
  124. package/kit/commands/saude.md +21 -21
  125. package/kit/commands/setup-notion.md +93 -93
  126. package/kit/commands/storytelling.md +179 -179
  127. package/kit/commands/supabase.md +30 -7
  128. package/kit/commands/sync-main.md +68 -68
  129. package/kit/commands/validar-fase.md +35 -35
  130. package/kit/commands/verificar-tarefas.md +44 -44
  131. package/kit/commands/verificar-trabalho.md +64 -64
  132. package/kit/file-manifest.json +14 -8
  133. package/kit/framework/bin/lib/commands.cjs +959 -959
  134. package/kit/framework/bin/lib/config.cjs +442 -442
  135. package/kit/framework/bin/lib/core.cjs +1230 -1230
  136. package/kit/framework/bin/lib/frontmatter.cjs +336 -336
  137. package/kit/framework/bin/lib/init.cjs +1442 -1442
  138. package/kit/framework/bin/lib/milestone.cjs +252 -252
  139. package/kit/framework/bin/lib/model-profiles.cjs +68 -68
  140. package/kit/framework/bin/lib/phase.cjs +888 -888
  141. package/kit/framework/bin/lib/profile-output.cjs +952 -952
  142. package/kit/framework/bin/lib/profile-pipeline.cjs +539 -539
  143. package/kit/framework/bin/lib/roadmap.cjs +329 -329
  144. package/kit/framework/bin/lib/security.cjs +382 -382
  145. package/kit/framework/bin/lib/state.cjs +1031 -1031
  146. package/kit/framework/bin/lib/template.cjs +222 -222
  147. package/kit/framework/bin/lib/uat.cjs +282 -282
  148. package/kit/framework/bin/lib/verify.cjs +888 -888
  149. package/kit/framework/bin/lib/workstream.cjs +491 -491
  150. package/kit/framework/bin/tools.cjs +918 -918
  151. package/kit/framework/commands/workstreams.md +63 -63
  152. package/kit/framework/references/checkpoints.md +778 -778
  153. package/kit/framework/references/continuation-format.md +249 -249
  154. package/kit/framework/references/decimal-phase-calculation.md +64 -64
  155. package/kit/framework/references/git-integration.md +295 -295
  156. package/kit/framework/references/git-planning-commit.md +38 -38
  157. package/kit/framework/references/model-profile-resolution.md +36 -36
  158. package/kit/framework/references/model-profiles.md +139 -139
  159. package/kit/framework/references/phase-argument-parsing.md +61 -61
  160. package/kit/framework/references/planning-config.md +202 -202
  161. package/kit/framework/references/questioning.md +162 -162
  162. package/kit/framework/references/tdd.md +263 -263
  163. package/kit/framework/references/ui-brand.md +160 -160
  164. package/kit/framework/references/user-profiling.md +657 -657
  165. package/kit/framework/references/verification-patterns.md +612 -612
  166. package/kit/framework/references/workstream-flag.md +58 -58
  167. package/kit/framework/templates/DEBUG.md +164 -164
  168. package/kit/framework/templates/UAT.md +265 -265
  169. package/kit/framework/templates/UI-SPEC.md +100 -100
  170. package/kit/framework/templates/VALIDATION.md +76 -76
  171. package/kit/framework/templates/claude-md.md +122 -122
  172. package/kit/framework/templates/codebase/architecture.md +185 -185
  173. package/kit/framework/templates/codebase/concerns.md +205 -205
  174. package/kit/framework/templates/codebase/conventions.md +204 -204
  175. package/kit/framework/templates/codebase/integrations.md +192 -192
  176. package/kit/framework/templates/codebase/stack.md +158 -158
  177. package/kit/framework/templates/codebase/structure.md +199 -199
  178. package/kit/framework/templates/codebase/testing.md +301 -301
  179. package/kit/framework/templates/config.json +44 -44
  180. package/kit/framework/templates/context.md +352 -352
  181. package/kit/framework/templates/continue-here.md +78 -78
  182. package/kit/framework/templates/copilot-instructions.md +7 -7
  183. package/kit/framework/templates/debug-subagent-prompt.md +91 -91
  184. package/kit/framework/templates/dev-preferences.md +20 -20
  185. package/kit/framework/templates/discovery.md +146 -146
  186. package/kit/framework/templates/discussion-log.md +63 -63
  187. package/kit/framework/templates/milestone-archive.md +123 -123
  188. package/kit/framework/templates/milestone.md +115 -115
  189. package/kit/framework/templates/phase-prompt.md +610 -610
  190. package/kit/framework/templates/planner-subagent-prompt.md +117 -117
  191. package/kit/framework/templates/project.md +186 -186
  192. package/kit/framework/templates/requirements.md +231 -231
  193. package/kit/framework/templates/research-project/ARCHITECTURE.md +204 -204
  194. package/kit/framework/templates/research-project/FEATURES.md +147 -147
  195. package/kit/framework/templates/research-project/PITFALLS.md +200 -200
  196. package/kit/framework/templates/research-project/STACK.md +120 -120
  197. package/kit/framework/templates/research-project/SUMMARY.md +170 -170
  198. package/kit/framework/templates/research.md +419 -419
  199. package/kit/framework/templates/retrospective.md +54 -54
  200. package/kit/framework/templates/roadmap.md +202 -202
  201. package/kit/framework/templates/state.md +176 -176
  202. package/kit/framework/templates/summary-complex.md +59 -59
  203. package/kit/framework/templates/summary-minimal.md +41 -41
  204. package/kit/framework/templates/summary-standard.md +48 -48
  205. package/kit/framework/templates/summary.md +209 -209
  206. package/kit/framework/templates/user-profile.md +146 -146
  207. package/kit/framework/templates/user-setup.md +256 -256
  208. package/kit/framework/templates/verification-report.md +258 -258
  209. package/kit/framework/workflows/add-phase.md +112 -112
  210. package/kit/framework/workflows/add-tests.md +351 -351
  211. package/kit/framework/workflows/add-todo.md +158 -158
  212. package/kit/framework/workflows/audit-milestone.md +340 -340
  213. package/kit/framework/workflows/audit-uat.md +109 -109
  214. package/kit/framework/workflows/autonomous.md +891 -891
  215. package/kit/framework/workflows/check-todos.md +177 -177
  216. package/kit/framework/workflows/cleanup.md +152 -152
  217. package/kit/framework/workflows/complete-milestone.md +696 -696
  218. package/kit/framework/workflows/diagnose-issues.md +231 -231
  219. package/kit/framework/workflows/discovery-phase.md +289 -289
  220. package/kit/framework/workflows/discuss-phase-assumptions.md +653 -653
  221. package/kit/framework/workflows/discuss-phase.md +784 -784
  222. package/kit/framework/workflows/do.md +104 -104
  223. package/kit/framework/workflows/execute-phase.md +838 -838
  224. package/kit/framework/workflows/execute-plan.md +510 -510
  225. package/kit/framework/workflows/fast.md +102 -102
  226. package/kit/framework/workflows/forensics.md +265 -265
  227. package/kit/framework/workflows/health.md +181 -181
  228. package/kit/framework/workflows/help.md +619 -619
  229. package/kit/framework/workflows/insert-phase.md +130 -130
  230. package/kit/framework/workflows/list-phase-assumptions.md +178 -178
  231. package/kit/framework/workflows/list-workspaces.md +56 -56
  232. package/kit/framework/workflows/manager.md +362 -362
  233. package/kit/framework/workflows/map-codebase.md +377 -377
  234. package/kit/framework/workflows/milestone-summary.md +223 -223
  235. package/kit/framework/workflows/new-milestone.md +486 -486
  236. package/kit/framework/workflows/new-project.md +1159 -1159
  237. package/kit/framework/workflows/new-workspace.md +237 -237
  238. package/kit/framework/workflows/next.md +97 -97
  239. package/kit/framework/workflows/node-repair.md +92 -92
  240. package/kit/framework/workflows/note.md +156 -156
  241. package/kit/framework/workflows/pause-work.md +176 -176
  242. package/kit/framework/workflows/plan-milestone-gaps.md +273 -273
  243. package/kit/framework/workflows/plan-phase.md +765 -765
  244. package/kit/framework/workflows/plant-seed.md +169 -169
  245. package/kit/framework/workflows/pr-branch.md +129 -129
  246. package/kit/framework/workflows/profile-user.md +450 -450
  247. package/kit/framework/workflows/progress.md +507 -507
  248. package/kit/framework/workflows/quick.md +757 -757
  249. package/kit/framework/workflows/remove-phase.md +155 -155
  250. package/kit/framework/workflows/remove-workspace.md +90 -90
  251. package/kit/framework/workflows/research-phase.md +82 -82
  252. package/kit/framework/workflows/resume-project.md +326 -326
  253. package/kit/framework/workflows/review.md +228 -228
  254. package/kit/framework/workflows/session-report.md +146 -146
  255. package/kit/framework/workflows/settings.md +283 -283
  256. package/kit/framework/workflows/ship.md +228 -228
  257. package/kit/framework/workflows/stats.md +60 -60
  258. package/kit/framework/workflows/transition.md +671 -671
  259. package/kit/framework/workflows/ui-phase.md +302 -302
  260. package/kit/framework/workflows/ui-review.md +165 -165
  261. package/kit/framework/workflows/update.md +323 -323
  262. package/kit/framework/workflows/validate-phase.md +174 -174
  263. package/kit/framework/workflows/verify-phase.md +252 -252
  264. package/kit/framework/workflows/verify-work.md +637 -637
  265. package/kit/hooks/check-update.js +118 -118
  266. package/kit/hooks/context-monitor.js +163 -163
  267. package/kit/hooks/prompt-guard.js +103 -103
  268. package/kit/hooks/statusline.js +125 -125
  269. package/kit/hooks/workflow-guard.js +101 -101
  270. package/kit/settings.json +45 -45
  271. package/kit/skills/_shared-supabase/glossary.md +17 -0
  272. package/kit/skills/ai-prompt-characterization/SKILL.md +335 -335
  273. package/kit/skills/armadilhas-sistemas-distribuidos/SKILL.md +447 -447
  274. package/kit/skills/audit-log-multi-tenant/SKILL.md +340 -340
  275. package/kit/skills/b2b-saas-architecture/SKILL.md +300 -300
  276. package/kit/skills/consistencia-leitura-replica/SKILL.md +385 -385
  277. package/kit/skills/crm-lead-pipeline-patterns/SKILL.md +343 -343
  278. package/kit/skills/escolha-modelo-consistencia/SKILL.md +494 -494
  279. package/kit/skills/evolucao-schema-compativel/SKILL.md +448 -448
  280. package/kit/skills/evolution-go-whatsapp-integration/SKILL.md +322 -322
  281. package/kit/skills/example-skill/SKILL.md +42 -42
  282. package/kit/skills/legacy-api-only-applications/SKILL.md +358 -358
  283. package/kit/skills/legacy-characterization-tests/SKILL.md +330 -330
  284. package/kit/skills/legacy-effect-analysis/SKILL.md +331 -331
  285. package/kit/skills/legacy-extract-class/SKILL.md +203 -203
  286. package/kit/skills/legacy-programming-by-difference/SKILL.md +252 -252
  287. package/kit/skills/legacy-seams-and-test-harness/SKILL.md +460 -460
  288. package/kit/skills/legacy-shotgun-surgery/SKILL.md +286 -286
  289. package/kit/skills/legacy-sprout-wrap-techniques/SKILL.md +434 -434
  290. package/kit/skills/legacy-storytelling-naked-crc/SKILL.md +270 -270
  291. package/kit/skills/lgpd-multi-tenant-compliance/SKILL.md +340 -340
  292. package/kit/skills/member-invite-flow/SKILL.md +305 -305
  293. package/kit/skills/member-management-react-shadcn/SKILL.md +328 -328
  294. package/kit/skills/multi-tenant-performance-scaling/SKILL.md +316 -316
  295. package/kit/skills/multi-tenant-rls-hierarchy/SKILL.md +342 -342
  296. package/kit/skills/org-onboarding-flow/SKILL.md +257 -257
  297. package/kit/skills/org-switcher-react-pattern/SKILL.md +349 -349
  298. package/kit/skills/permission-gate-react-pattern/SKILL.md +271 -271
  299. package/kit/skills/postgres-isolamento-concorrencia/SKILL.md +552 -552
  300. package/kit/skills/pre-refactor-characterization/SKILL.md +421 -421
  301. package/kit/skills/rbac-permissions-matrix-supabase/SKILL.md +338 -338
  302. package/kit/skills/streams-eventos-cdc/SKILL.md +711 -711
  303. package/kit/skills/supabase-branching-workflow/SKILL.md +544 -544
  304. package/kit/skills/supabase-ci-cd-github-actions/SKILL.md +880 -880
  305. package/kit/skills/supabase-column-level-security/SKILL.md +426 -426
  306. package/kit/skills/supabase-config-toml-remotes/SKILL.md +807 -807
  307. package/kit/skills/supabase-custom-claims-rbac/SKILL.md +472 -472
  308. package/kit/skills/supabase-edge-functions/SKILL.md +229 -141
  309. package/kit/skills/supabase-edge-functions-auth/SKILL.md +309 -0
  310. package/kit/skills/supabase-edge-functions-limits/SKILL.md +302 -0
  311. package/kit/skills/supabase-edge-functions-mcp-server/SKILL.md +279 -0
  312. package/kit/skills/supabase-edge-functions-testing/SKILL.md +277 -0
  313. package/kit/skills/supabase-edge-runtime-builtins/SKILL.md +357 -0
  314. package/kit/skills/supabase-migration-repair/SKILL.md +823 -823
  315. package/kit/skills/supabase-migrations/SKILL.md +297 -297
  316. package/kit/skills/supabase-pgtap-testing/SKILL.md +1053 -1053
  317. package/kit/skills/supabase-postgres-roles/SKILL.md +392 -392
  318. package/kit/skills/supabase-realtime/SKILL.md +460 -236
  319. package/kit/skills/supabase-rls-defense-in-depth/SKILL.md +418 -418
  320. package/kit/skills/supabase-rls-policies/SKILL.md +635 -635
  321. package/kit/skills/super-admin-platform-pattern/SKILL.md +326 -326
  322. package/kit/skills/tenant-quente-mitigacao/SKILL.md +605 -605
  323. package/kit/skills/whatsapp-conversation-state-machine/SKILL.md +287 -287
  324. package/package.json +1 -1
  325. package/src/cli/index.js +33 -0
  326. package/src/core/kit.js +216 -216
  327. package/src/core/reflect.js +247 -247
  328. package/src/core/reverse-sync.js +372 -372
  329. package/src/core/sync.js +418 -418
  330. package/src/core/watch.js +121 -121
  331. package/src/mcp-server/index.js +693 -490
  332. package/src/mcp-server/roots.js +124 -0
package/kit/skills/permission-gate-react-pattern/SKILL.md CHANGED
@@ -1,271 +1,271 @@
1
- ---
2
- name: permission-gate-react-pattern
3
- description: "Use ao implementar permission gates React em B2B SaaS multi-tenant…"
4
- ---
5
-
6
- # Permission Gate — React Pattern (CASL)
7
-
8
- ## Quando usar
9
-
10
- LLM carrega esta skill ao implementar gates de permissão UI em React. Trigger phrases:
11
-
12
- - "permission gate React", "PermissionGate component"
13
- - "CASL React permissions", "@casl/ability"
14
- - "usePermission hook", "ability check React"
15
- - "RBAC frontend gate"
16
- - "client-side permission anti-pattern"
17
-
18
- ## Regras absolutas
19
-
20
- **REGRA #1 (UX-only, NUNCA segurança):** Permission gate React é **UX apenas**. Esconde botão para evitar erro 403 visível ao user. **Server-side enforcement obrigatório** via RLS (Phase 108) + `private.has_permission`.
21
-
22
- **REGRA #2 (CASL canônico 2026):** `@casl/ability` v6.8+ + `@casl/react` v4.x é a biblioteca canônica para React. Isomorfica (frontend + backend), bundle pequeno (~5KB), API declarativa.
23
-
24
- **REGRA #3 (build ability do JWT):** Construir `Ability` instance **uma vez** após login a partir das permissions do user (fetched via RPC). Re-build apenas após role change.
25
-
26
- **REGRA #4 (Hook `usePermission` + componente `<PermissionGate>`):** Padrões canônicos:
27
- - `usePermission(action, resource)` para condicionais inline
28
- - `<PermissionGate permission="leads:create">{children}</PermissionGate>` para wrap declarativo
29
-
30
- **REGRA #5 (sync com server após role change):** Após `assign_role` RPC, re-fetch permissions + rebuild Ability + update store. Sem isso, UI mostra cached state stale.
31
-
32
- ## Patterns canônicos
33
-
34
- ### Setup CASL — definir Ability
35
-
36
- ```typescript
37
- // lib/abilities/build-ability.ts
38
- import { AbilityBuilder, Ability } from '@casl/ability'
39
-
40
- export type Action = 'create' | 'read' | 'update' | 'delete' | 'invite' | 'remove' | 'export' | 'view' | 'process'
41
- export type Subject = 'leads' | 'members' | 'org_settings' | 'audit_logs' | 'departments' | 'roles' | 'permissions' | 'dsr_requests' | 'all'
42
-
43
- export type AppAbility = Ability<[Action, Subject]>
44
-
45
- interface UserPermissions {
46
- permissions: Array<{ action: Action; resource: Subject }>
47
- isSuperAdmin: boolean
48
- }
49
-
50
- export function buildAbility({ permissions, isSuperAdmin }: UserPermissions): AppAbility {
51
- const { can, build } = new AbilityBuilder<AppAbility>(Ability)
52
-
53
- if (isSuperAdmin) {
54
- can('manage' as any, 'all')
55
- return build()
56
- }
57
-
58
- for (const p of permissions) {
59
- can(p.action, p.resource)
60
- }
61
-
62
- return build()
63
- }
64
- ```
65
-
66
- ### Buscar permissions do user (RPC)
67
-
68
- ```sql
69
- -- supabase RPC chamada após login
70
- create or replace function public.get_user_permissions(p_org_id uuid)
71
- returns table(action text, resource text)
72
- language sql
73
- stable
74
- security invoker
75
- set search_path = ''
76
- as $$
77
- select p.action, p.resource
78
- from public.organization_members om
79
- join public.role_permissions rp on rp.role_id = om.role_id
80
- join public.permissions p on p.id = rp.permission_id
81
- where om.org_id = p_org_id
82
- and om.user_id = (select auth.uid())
83
- and om.status = 'active';
84
- $$;
85
-
86
- grant execute on function public.get_user_permissions(uuid) to authenticated;
87
- ```
88
-
89
- ### Provider — Ability disponível em toda app
90
-
91
- ```typescript
92
- // app/providers/AbilityProvider.tsx
93
- 'use client'
94
-
95
- import { createContext, useEffect, useState } from 'react'
96
- import { AppAbility, buildAbility } from '@/lib/abilities/build-ability'
97
- import { useOrgStore } from '@/lib/stores/org-store'
98
- import { supabase } from '@/lib/supabase'
99
-
100
- export const AbilityContext = createContext<AppAbility | null>(null)
101
-
102
- export function AbilityProvider({ children }: { children: React.ReactNode }) {
103
- const [ability, setAbility] = useState<AppAbility | null>(null)
104
- const activeOrgId = useOrgStore(s => s.activeOrgId)
105
-
106
- useEffect(() => {
107
- if (!activeOrgId) return
108
-
109
- async function load() {
110
- // REGRA #3: build ability do server data
111
- const { data: { user } } = await supabase.auth.getUser()
112
- const isSuperAdmin = user?.app_metadata.super_admin === true
113
-
114
- const { data: permissions } = await supabase
115
- .rpc('get_user_permissions', { p_org_id: activeOrgId })
116
-
117
- setAbility(buildAbility({ permissions: permissions || [], isSuperAdmin }))
118
- }
119
- load()
120
- }, [activeOrgId])
121
-
122
- return <AbilityContext.Provider value={ability}>{children}</AbilityContext.Provider>
123
- }
124
-
125
- // Hook para acessar ability
126
- import { useContext } from 'react'
127
- export function useAbility() {
128
- const ability = useContext(AbilityContext)
129
- if (!ability) throw new Error('useAbility must be inside AbilityProvider')
130
- return ability
131
- }
132
- ```
133
-
134
- ### Hook `usePermission` (REGRA #4)
135
-
136
- ```typescript
137
- // lib/hooks/use-permission.ts
138
- import { useAbility } from '@/app/providers/AbilityProvider'
139
- import { Action, Subject } from '@/lib/abilities/build-ability'
140
-
141
- export function usePermission(action: Action, resource: Subject): boolean {
142
- const ability = useAbility()
143
- return ability.can(action, resource)
144
- }
145
-
146
- // Usage:
147
- function LeadsPage() {
148
- const canCreateLead = usePermission('create', 'leads')
149
- return (
150
- <div>
151
- <h1>Leads</h1>
152
- {canCreateLead && <Button onClick={openCreateModal}>+ Novo Lead</Button>}
153
- </div>
154
- )
155
- }
156
- ```
157
-
158
- ### Componente `<PermissionGate>` (REGRA #4)
159
-
160
- ```typescript
161
- // components/PermissionGate.tsx
162
- import { useAbility } from '@/app/providers/AbilityProvider'
163
- import type { Action, Subject } from '@/lib/abilities/build-ability'
164
-
165
- interface Props {
166
- permission: `${Action}:${Subject}`
167
- fallback?: React.ReactNode
168
- children: React.ReactNode
169
- }
170
-
171
- export function PermissionGate({ permission, fallback = null, children }: Props) {
172
- const ability = useAbility()
173
- const [action, subject] = permission.split(':') as [Action, Subject]
174
-
175
- if (ability.can(action, subject)) {
176
- return <>{children}</>
177
- }
178
- return <>{fallback}</>
179
- }
180
-
181
- // Usage:
182
- <PermissionGate permission="leads:create">
183
- <Button onClick={openCreateModal}>+ Novo Lead</Button>
184
- </PermissionGate>
185
-
186
- <PermissionGate
187
- permission="org_settings:update"
188
- fallback={<p>Você não tem permissão para alterar configurações.</p>}
189
- >
190
- <SettingsForm />
191
- </PermissionGate>
192
- ```
193
-
194
- ### Refresh ability após role change (REGRA #5)
195
-
196
- ```typescript
197
- // Em algum lugar após mudança de role (admin UI)
198
- async function changeRole(targetUserId: string, newRoleId: string) {
199
- await supabase.rpc('assign_role', { ... })
200
- await supabase.auth.refreshSession() // JWT (cross-ref org-switcher)
201
-
202
- // REGRA #5: re-fetch + rebuild ability
203
- // Trigger AbilityProvider re-fetch via mudança em activeOrgId timestamp
204
- // (use store version increment)
205
- useOrgStore.getState().bumpVersion()
206
- }
207
- ```
208
-
209
- ## Anti-patterns
210
-
211
- ### Anti-pattern 1: Permission check SÓ frontend (sem RLS)
212
-
213
- **Errado:**
214
- ```typescript
215
- { ability.can('delete', 'leads') && <DeleteButton onClick={() => api.delete(`/leads/${id}`)} /> }
216
- // Mas API endpoint não checa permission server-side
217
- ```
218
-
219
- **Por quê:** REGRA #1 — atacante chama `curl -X DELETE /leads/...` direto, ignora gate React. Frontend gate é segurança teatro.
220
-
221
- **Certo:** RLS no Supabase com `private.has_permission` (Phase 108) + frontend gate como UX redundância.
222
-
223
- ### Anti-pattern 2: Hard-coded role check em vez de permission
224
-
225
- **Errado:**
226
- ```typescript
227
- { user.role === 'admin' && <Button>Convidar</Button> }
228
- ```
229
-
230
- **Por quê:** custom roles quebram. Custom role com permission `members:invite` deveria mostrar botão, mas não passa no check `=== 'admin'`. Acopla UI a role names.
231
-
232
- **Certo:** `usePermission('invite', 'members')` — funciona com qualquer role que tenha a permission.
233
-
234
- ### Anti-pattern 3: Re-fetch permissions a cada render
235
-
236
- **Errado:**
237
- ```typescript
238
- function MyComponent() {
239
- const [perms, setPerms] = useState([])
240
- useEffect(() => {
241
- supabase.rpc('get_user_permissions', { ... }).then(setPerms)
242
- }) // sem deps array — re-fetch infinito
243
- }
244
- ```
245
-
246
- **Por quê:** N requests/min para Supabase, performance terrível.
247
-
248
- **Certo:** REGRA #3 — build Ability uma vez no Provider, consume via `useAbility()` hook.
249
-
250
- ### Anti-pattern 4: Esquecer fallback em PermissionGate
251
-
252
- **Errado:**
253
- ```typescript
254
- <PermissionGate permission="org_settings:update">
255
- <SettingsForm />
256
- </PermissionGate>
257
- // User sem permission vê página vazia, sem feedback
258
- ```
259
-
260
- **Por quê:** UX confusa — user não entende por que página é em branco.
261
-
262
- **Certo:** sempre passar `fallback` com mensagem clara ("Você não tem permissão...").
263
-
264
- ## Ver também
265
-
266
- - [org-switcher-react-pattern](../org-switcher-react-pattern/SKILL.md) — sibling, OrgProvider + zustand store
267
- - [member-management-react-shadcn](../member-management-react-shadcn/SKILL.md) — sibling, usa PermissionGate
268
- - [rbac-permissions-matrix-supabase](../rbac-permissions-matrix-supabase/SKILL.md) — Phase 108, modelagem permissions
269
- - [multi-tenant-rls-hierarchy](../multi-tenant-rls-hierarchy/SKILL.md) — Phase 108, server-side RLS enforcement
270
- - [_shared-multi-tenant/glossary.md](../_shared-multi-tenant/glossary.md) — `permission gate`, `CASL`, `JWT stale`
271
- - [CASL Documentation](https://casl.js.org/)
1
+ ---
2
+ name: permission-gate-react-pattern
3
+ description: "Use ao implementar permission gates React em B2B SaaS multi-tenant…"
4
+ ---
5
+
6
+ # Permission Gate — React Pattern (CASL)
7
+
8
+ ## Quando usar
9
+
10
+ LLM carrega esta skill ao implementar gates de permissão UI em React. Trigger phrases:
11
+
12
+ - "permission gate React", "PermissionGate component"
13
+ - "CASL React permissions", "@casl/ability"
14
+ - "usePermission hook", "ability check React"
15
+ - "RBAC frontend gate"
16
+ - "client-side permission anti-pattern"
17
+
18
+ ## Regras absolutas
19
+
20
+ **REGRA #1 (UX-only, NUNCA segurança):** Permission gate React é **UX apenas**. Esconde botão para evitar erro 403 visível ao user. **Server-side enforcement obrigatório** via RLS (Phase 108) + `private.has_permission`.
21
+
22
+ **REGRA #2 (CASL canônico 2026):** `@casl/ability` v6.8+ + `@casl/react` v4.x é a biblioteca canônica para React. Isomorfica (frontend + backend), bundle pequeno (~5KB), API declarativa.
23
+
24
+ **REGRA #3 (build ability do JWT):** Construir `Ability` instance **uma vez** após login a partir das permissions do user (fetched via RPC). Re-build apenas após role change.
25
+
26
+ **REGRA #4 (Hook `usePermission` + componente `<PermissionGate>`):** Padrões canônicos:
27
+ - `usePermission(action, resource)` para condicionais inline
28
+ - `<PermissionGate permission="leads:create">{children}</PermissionGate>` para wrap declarativo
29
+
30
+ **REGRA #5 (sync com server após role change):** Após `assign_role` RPC, re-fetch permissions + rebuild Ability + update store. Sem isso, UI mostra cached state stale.
31
+
32
+ ## Patterns canônicos
33
+
34
+ ### Setup CASL — definir Ability
35
+
36
+ ```typescript
37
+ // lib/abilities/build-ability.ts
38
+ import { AbilityBuilder, Ability } from '@casl/ability'
39
+
40
+ export type Action = 'create' | 'read' | 'update' | 'delete' | 'invite' | 'remove' | 'export' | 'view' | 'process'
41
+ export type Subject = 'leads' | 'members' | 'org_settings' | 'audit_logs' | 'departments' | 'roles' | 'permissions' | 'dsr_requests' | 'all'
42
+
43
+ export type AppAbility = Ability<[Action, Subject]>
44
+
45
+ interface UserPermissions {
46
+ permissions: Array<{ action: Action; resource: Subject }>
47
+ isSuperAdmin: boolean
48
+ }
49
+
50
+ export function buildAbility({ permissions, isSuperAdmin }: UserPermissions): AppAbility {
51
+ const { can, build } = new AbilityBuilder<AppAbility>(Ability)
52
+
53
+ if (isSuperAdmin) {
54
+ can('manage' as any, 'all')
55
+ return build()
56
+ }
57
+
58
+ for (const p of permissions) {
59
+ can(p.action, p.resource)
60
+ }
61
+
62
+ return build()
63
+ }
64
+ ```
65
+
66
+ ### Buscar permissions do user (RPC)
67
+
68
+ ```sql
69
+ -- supabase RPC chamada após login
70
+ create or replace function public.get_user_permissions(p_org_id uuid)
71
+ returns table(action text, resource text)
72
+ language sql
73
+ stable
74
+ security invoker
75
+ set search_path = ''
76
+ as $$
77
+ select p.action, p.resource
78
+ from public.organization_members om
79
+ join public.role_permissions rp on rp.role_id = om.role_id
80
+ join public.permissions p on p.id = rp.permission_id
81
+ where om.org_id = p_org_id
82
+ and om.user_id = (select auth.uid())
83
+ and om.status = 'active';
84
+ $$;
85
+
86
+ grant execute on function public.get_user_permissions(uuid) to authenticated;
87
+ ```
88
+
89
+ ### Provider — Ability disponível em toda app
90
+
91
+ ```typescript
92
+ // app/providers/AbilityProvider.tsx
93
+ 'use client'
94
+
95
+ import { createContext, useEffect, useState } from 'react'
96
+ import { AppAbility, buildAbility } from '@/lib/abilities/build-ability'
97
+ import { useOrgStore } from '@/lib/stores/org-store'
98
+ import { supabase } from '@/lib/supabase'
99
+
100
+ export const AbilityContext = createContext<AppAbility | null>(null)
101
+
102
+ export function AbilityProvider({ children }: { children: React.ReactNode }) {
103
+ const [ability, setAbility] = useState<AppAbility | null>(null)
104
+ const activeOrgId = useOrgStore(s => s.activeOrgId)
105
+
106
+ useEffect(() => {
107
+ if (!activeOrgId) return
108
+
109
+ async function load() {
110
+ // REGRA #3: build ability do server data
111
+ const { data: { user } } = await supabase.auth.getUser()
112
+ const isSuperAdmin = user?.app_metadata.super_admin === true
113
+
114
+ const { data: permissions } = await supabase
115
+ .rpc('get_user_permissions', { p_org_id: activeOrgId })
116
+
117
+ setAbility(buildAbility({ permissions: permissions || [], isSuperAdmin }))
118
+ }
119
+ load()
120
+ }, [activeOrgId])
121
+
122
+ return <AbilityContext.Provider value={ability}>{children}</AbilityContext.Provider>
123
+ }
124
+
125
+ // Hook para acessar ability
126
+ import { useContext } from 'react'
127
+ export function useAbility() {
128
+ const ability = useContext(AbilityContext)
129
+ if (!ability) throw new Error('useAbility must be inside AbilityProvider')
130
+ return ability
131
+ }
132
+ ```
133
+
134
+ ### Hook `usePermission` (REGRA #4)
135
+
136
+ ```typescript
137
+ // lib/hooks/use-permission.ts
138
+ import { useAbility } from '@/app/providers/AbilityProvider'
139
+ import { Action, Subject } from '@/lib/abilities/build-ability'
140
+
141
+ export function usePermission(action: Action, resource: Subject): boolean {
142
+ const ability = useAbility()
143
+ return ability.can(action, resource)
144
+ }
145
+
146
+ // Usage:
147
+ function LeadsPage() {
148
+ const canCreateLead = usePermission('create', 'leads')
149
+ return (
150
+ <div>
151
+ <h1>Leads</h1>
152
+ {canCreateLead && <Button onClick={openCreateModal}>+ Novo Lead</Button>}
153
+ </div>
154
+ )
155
+ }
156
+ ```
157
+
158
+ ### Componente `<PermissionGate>` (REGRA #4)
159
+
160
+ ```typescript
161
+ // components/PermissionGate.tsx
162
+ import { useAbility } from '@/app/providers/AbilityProvider'
163
+ import type { Action, Subject } from '@/lib/abilities/build-ability'
164
+
165
+ interface Props {
166
+ permission: `${Action}:${Subject}`
167
+ fallback?: React.ReactNode
168
+ children: React.ReactNode
169
+ }
170
+
171
+ export function PermissionGate({ permission, fallback = null, children }: Props) {
172
+ const ability = useAbility()
173
+ const [action, subject] = permission.split(':') as [Action, Subject]
174
+
175
+ if (ability.can(action, subject)) {
176
+ return <>{children}</>
177
+ }
178
+ return <>{fallback}</>
179
+ }
180
+
181
+ // Usage:
182
+ <PermissionGate permission="leads:create">
183
+ <Button onClick={openCreateModal}>+ Novo Lead</Button>
184
+ </PermissionGate>
185
+
186
+ <PermissionGate
187
+ permission="org_settings:update"
188
+ fallback={<p>Você não tem permissão para alterar configurações.</p>}
189
+ >
190
+ <SettingsForm />
191
+ </PermissionGate>
192
+ ```
193
+
194
+ ### Refresh ability após role change (REGRA #5)
195
+
196
+ ```typescript
197
+ // Em algum lugar após mudança de role (admin UI)
198
+ async function changeRole(targetUserId: string, newRoleId: string) {
199
+ await supabase.rpc('assign_role', { ... })
200
+ await supabase.auth.refreshSession() // JWT (cross-ref org-switcher)
201
+
202
+ // REGRA #5: re-fetch + rebuild ability
203
+ // Trigger AbilityProvider re-fetch via mudança em activeOrgId timestamp
204
+ // (use store version increment)
205
+ useOrgStore.getState().bumpVersion()
206
+ }
207
+ ```
208
+
209
+ ## Anti-patterns
210
+
211
+ ### Anti-pattern 1: Permission check SÓ frontend (sem RLS)
212
+
213
+ **Errado:**
214
+ ```typescript
215
+ { ability.can('delete', 'leads') && <DeleteButton onClick={() => api.delete(`/leads/${id}`)} /> }
216
+ // Mas API endpoint não checa permission server-side
217
+ ```
218
+
219
+ **Por quê:** REGRA #1 — atacante chama `curl -X DELETE /leads/...` direto, ignora gate React. Frontend gate é segurança teatro.
220
+
221
+ **Certo:** RLS no Supabase com `private.has_permission` (Phase 108) + frontend gate como UX redundância.
222
+
223
+ ### Anti-pattern 2: Hard-coded role check em vez de permission
224
+
225
+ **Errado:**
226
+ ```typescript
227
+ { user.role === 'admin' && <Button>Convidar</Button> }
228
+ ```
229
+
230
+ **Por quê:** custom roles quebram. Custom role com permission `members:invite` deveria mostrar botão, mas não passa no check `=== 'admin'`. Acopla UI a role names.
231
+
232
+ **Certo:** `usePermission('invite', 'members')` — funciona com qualquer role que tenha a permission.
233
+
234
+ ### Anti-pattern 3: Re-fetch permissions a cada render
235
+
236
+ **Errado:**
237
+ ```typescript
238
+ function MyComponent() {
239
+ const [perms, setPerms] = useState([])
240
+ useEffect(() => {
241
+ supabase.rpc('get_user_permissions', { ... }).then(setPerms)
242
+ }) // sem deps array — re-fetch infinito
243
+ }
244
+ ```
245
+
246
+ **Por quê:** N requests/min para Supabase, performance terrível.
247
+
248
+ **Certo:** REGRA #3 — build Ability uma vez no Provider, consume via `useAbility()` hook.
249
+
250
+ ### Anti-pattern 4: Esquecer fallback em PermissionGate
251
+
252
+ **Errado:**
253
+ ```typescript
254
+ <PermissionGate permission="org_settings:update">
255
+ <SettingsForm />
256
+ </PermissionGate>
257
+ // User sem permission vê página vazia, sem feedback
258
+ ```
259
+
260
+ **Por quê:** UX confusa — user não entende por que página é em branco.
261
+
262
+ **Certo:** sempre passar `fallback` com mensagem clara ("Você não tem permissão...").
263
+
264
+ ## Ver também
265
+
266
+ - [org-switcher-react-pattern](../org-switcher-react-pattern/SKILL.md) — sibling, OrgProvider + zustand store
267
+ - [member-management-react-shadcn](../member-management-react-shadcn/SKILL.md) — sibling, usa PermissionGate
268
+ - [rbac-permissions-matrix-supabase](../rbac-permissions-matrix-supabase/SKILL.md) — Phase 108, modelagem permissions
269
+ - [multi-tenant-rls-hierarchy](../multi-tenant-rls-hierarchy/SKILL.md) — Phase 108, server-side RLS enforcement
270
+ - [_shared-multi-tenant/glossary.md](../_shared-multi-tenant/glossary.md) — `permission gate`, `CASL`, `JWT stale`
271
+ - [CASL Documentation](https://casl.js.org/)