@luanpdd/kit-mcp 1.28.0 → 1.30.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +21 -21
- package/README.md +168 -168
- package/gates/agent-no-recursive-dispatch.md +82 -82
- package/kit/COMANDOS.md +138 -138
- package/kit/README.md +76 -76
- package/kit/agents/advisor-researcher.md +106 -106
- package/kit/agents/assumptions-analyzer.md +107 -107
- package/kit/agents/audit-log-implementer.md +313 -313
- package/kit/agents/auditor-consistencia-isolamento.md +413 -413
- package/kit/agents/b2b-saas-architect.md +156 -156
- package/kit/agents/cascading-failures-auditor.md +298 -298
- package/kit/agents/codebase-mapper.md +768 -768
- package/kit/agents/crm-pipeline-implementer.md +256 -256
- package/kit/agents/debugger.md +813 -813
- package/kit/agents/detector-tenant-quente.md +337 -337
- package/kit/agents/evolution-go-integrator.md +200 -200
- package/kit/agents/example-reviewer.md +21 -21
- package/kit/agents/executor.md +564 -564
- package/kit/agents/integration-checker.md +200 -200
- package/kit/agents/invite-flow-implementer.md +189 -189
- package/kit/agents/legacy-characterizer.md +368 -368
- package/kit/agents/lgpd-compliance-auditor.md +295 -295
- package/kit/agents/multi-tenant-isolation-auditor.md +253 -253
- package/kit/agents/multi-tenant-rls-writer.md +340 -340
- package/kit/agents/nyquist-auditor.md +178 -178
- package/kit/agents/observability-coverage-auditor.md +315 -315
- package/kit/agents/org-onboarding-implementer.md +223 -223
- package/kit/agents/payload-capture-instrumenter.md +273 -273
- package/kit/agents/phase-researcher.md +696 -696
- package/kit/agents/plan-checker.md +272 -272
- package/kit/agents/planner.md +922 -922
- package/kit/agents/project-researcher.md +652 -652
- package/kit/agents/refactor-safety-auditor.md +404 -404
- package/kit/agents/research-synthesizer.md +245 -245
- package/kit/agents/roadmapper.md +677 -677
- package/kit/agents/seam-finder.md +359 -359
- package/kit/agents/shotgun-surgery-detector.md +349 -349
- package/kit/agents/supabase-branching-architect.md +562 -562
- package/kit/agents/supabase-cicd-pipeline-implementer.md +777 -777
- package/kit/agents/supabase-column-privileges-writer.md +399 -399
- package/kit/agents/supabase-edge-fn-tester.md +287 -0
- package/kit/agents/supabase-edge-fn-writer.md +239 -210
- package/kit/agents/supabase-migration-writer.md +385 -385
- package/kit/agents/supabase-rbac-implementer.md +392 -392
- package/kit/agents/supabase-realtime-implementer.md +363 -267
- package/kit/agents/supabase-rls-hardener.md +521 -521
- package/kit/agents/supabase-rls-writer.md +323 -323
- package/kit/agents/supabase-roles-implementer.md +355 -355
- package/kit/agents/super-admin-implementer.md +281 -281
- package/kit/agents/ui-auditor.md +437 -437
- package/kit/agents/ui-checker.md +302 -302
- package/kit/agents/ui-researcher.md +355 -355
- package/kit/agents/user-profiler.md +175 -175
- package/kit/agents/validador-evolucao-schema.md +335 -335
- package/kit/agents/verifier.md +728 -728
- package/kit/commands/adicionar-backlog.md +75 -75
- package/kit/commands/adicionar-fase.md +42 -42
- package/kit/commands/adicionar-tarefa.md +45 -45
- package/kit/commands/adicionar-testes.md +41 -41
- package/kit/commands/ajuda.md +21 -21
- package/kit/commands/atualizar.md +37 -37
- package/kit/commands/auditar-cascading.md +111 -111
- package/kit/commands/auditar-marco.md +179 -179
- package/kit/commands/auditar-observabilidade-cobertura.md +183 -183
- package/kit/commands/auditar-refactor.md +219 -219
- package/kit/commands/auditar-release.md +109 -109
- package/kit/commands/auditar-uat.md +23 -23
- package/kit/commands/autonomo.md +40 -40
- package/kit/commands/branch-pr.md +24 -24
- package/kit/commands/burn-rate-status.md +408 -408
- package/kit/commands/capturar-payloads.md +193 -193
- package/kit/commands/caracterizar.md +212 -212
- package/kit/commands/concluir-marco.md +247 -247
- package/kit/commands/configuracoes.md +36 -36
- package/kit/commands/dados-distribuidos.md +188 -188
- package/kit/commands/definir-perfil.md +10 -10
- package/kit/commands/depurar.md +190 -190
- package/kit/commands/detectar-duplicacao.md +197 -197
- package/kit/commands/discutir-fase.md +131 -131
- package/kit/commands/encontrar-seams.md +136 -136
- package/kit/commands/entrar-discord.md +17 -17
- package/kit/commands/estatisticas.md +18 -18
- package/kit/commands/example-greeting.md +33 -33
- package/kit/commands/executar-fase.md +58 -58
- package/kit/commands/expresso.md +56 -56
- package/kit/commands/fase-ui.md +34 -34
- package/kit/commands/fazer.md +57 -57
- package/kit/commands/fio.md +125 -125
- package/kit/commands/fluxos-trabalho.md +64 -64
- package/kit/commands/forense.md +176 -176
- package/kit/commands/gerenciador.md +38 -38
- package/kit/commands/inserir-fase.md +31 -31
- package/kit/commands/legacy.md +263 -263
- package/kit/commands/limpeza.md +17 -17
- package/kit/commands/listar-hipoteses-fase.md +45 -45
- package/kit/commands/listar-workspaces.md +18 -18
- package/kit/commands/load-shedding.md +117 -117
- package/kit/commands/mapear-codebase.md +70 -70
- package/kit/commands/multi-tenant.md +163 -163
- package/kit/commands/nota.md +33 -33
- package/kit/commands/novo-marco.md +43 -43
- package/kit/commands/novo-projeto.md +41 -41
- package/kit/commands/novo-workspace.md +43 -43
- package/kit/commands/pausar-trabalho.md +37 -37
- package/kit/commands/perfil-usuario.md +45 -45
- package/kit/commands/pesquisar-fase.md +195 -195
- package/kit/commands/planejar-fase.md +67 -67
- package/kit/commands/planejar-lacunas.md +33 -33
- package/kit/commands/plantar-ideia.md +25 -25
- package/kit/commands/progresso.md +24 -24
- package/kit/commands/proximo.md +30 -30
- package/kit/commands/publicar.md +490 -490
- package/kit/commands/rapido.md +35 -35
- package/kit/commands/reaplicar-patches.md +124 -124
- package/kit/commands/refactor-seguro.md +321 -321
- package/kit/commands/relatorio-sessao.md +19 -19
- package/kit/commands/remover-fase.md +31 -31
- package/kit/commands/remover-workspace.md +26 -26
- package/kit/commands/resumo-marco.md +50 -50
- package/kit/commands/retomar-trabalho.md +40 -40
- package/kit/commands/revisar-backlog.md +60 -60
- package/kit/commands/revisar-ui.md +32 -32
- package/kit/commands/revisar.md +37 -37
- package/kit/commands/saude.md +21 -21
- package/kit/commands/setup-notion.md +93 -93
- package/kit/commands/storytelling.md +179 -179
- package/kit/commands/supabase.md +30 -7
- package/kit/commands/sync-main.md +68 -68
- package/kit/commands/validar-fase.md +35 -35
- package/kit/commands/verificar-tarefas.md +44 -44
- package/kit/commands/verificar-trabalho.md +64 -64
- package/kit/file-manifest.json +14 -8
- package/kit/framework/bin/lib/commands.cjs +959 -959
- package/kit/framework/bin/lib/config.cjs +442 -442
- package/kit/framework/bin/lib/core.cjs +1230 -1230
- package/kit/framework/bin/lib/frontmatter.cjs +336 -336
- package/kit/framework/bin/lib/init.cjs +1442 -1442
- package/kit/framework/bin/lib/milestone.cjs +252 -252
- package/kit/framework/bin/lib/model-profiles.cjs +68 -68
- package/kit/framework/bin/lib/phase.cjs +888 -888
- package/kit/framework/bin/lib/profile-output.cjs +952 -952
- package/kit/framework/bin/lib/profile-pipeline.cjs +539 -539
- package/kit/framework/bin/lib/roadmap.cjs +329 -329
- package/kit/framework/bin/lib/security.cjs +382 -382
- package/kit/framework/bin/lib/state.cjs +1031 -1031
- package/kit/framework/bin/lib/template.cjs +222 -222
- package/kit/framework/bin/lib/uat.cjs +282 -282
- package/kit/framework/bin/lib/verify.cjs +888 -888
- package/kit/framework/bin/lib/workstream.cjs +491 -491
- package/kit/framework/bin/tools.cjs +918 -918
- package/kit/framework/commands/workstreams.md +63 -63
- package/kit/framework/references/checkpoints.md +778 -778
- package/kit/framework/references/continuation-format.md +249 -249
- package/kit/framework/references/decimal-phase-calculation.md +64 -64
- package/kit/framework/references/git-integration.md +295 -295
- package/kit/framework/references/git-planning-commit.md +38 -38
- package/kit/framework/references/model-profile-resolution.md +36 -36
- package/kit/framework/references/model-profiles.md +139 -139
- package/kit/framework/references/phase-argument-parsing.md +61 -61
- package/kit/framework/references/planning-config.md +202 -202
- package/kit/framework/references/questioning.md +162 -162
- package/kit/framework/references/tdd.md +263 -263
- package/kit/framework/references/ui-brand.md +160 -160
- package/kit/framework/references/user-profiling.md +657 -657
- package/kit/framework/references/verification-patterns.md +612 -612
- package/kit/framework/references/workstream-flag.md +58 -58
- package/kit/framework/templates/DEBUG.md +164 -164
- package/kit/framework/templates/UAT.md +265 -265
- package/kit/framework/templates/UI-SPEC.md +100 -100
- package/kit/framework/templates/VALIDATION.md +76 -76
- package/kit/framework/templates/claude-md.md +122 -122
- package/kit/framework/templates/codebase/architecture.md +185 -185
- package/kit/framework/templates/codebase/concerns.md +205 -205
- package/kit/framework/templates/codebase/conventions.md +204 -204
- package/kit/framework/templates/codebase/integrations.md +192 -192
- package/kit/framework/templates/codebase/stack.md +158 -158
- package/kit/framework/templates/codebase/structure.md +199 -199
- package/kit/framework/templates/codebase/testing.md +301 -301
- package/kit/framework/templates/config.json +44 -44
- package/kit/framework/templates/context.md +352 -352
- package/kit/framework/templates/continue-here.md +78 -78
- package/kit/framework/templates/copilot-instructions.md +7 -7
- package/kit/framework/templates/debug-subagent-prompt.md +91 -91
- package/kit/framework/templates/dev-preferences.md +20 -20
- package/kit/framework/templates/discovery.md +146 -146
- package/kit/framework/templates/discussion-log.md +63 -63
- package/kit/framework/templates/milestone-archive.md +123 -123
- package/kit/framework/templates/milestone.md +115 -115
- package/kit/framework/templates/phase-prompt.md +610 -610
- package/kit/framework/templates/planner-subagent-prompt.md +117 -117
- package/kit/framework/templates/project.md +186 -186
- package/kit/framework/templates/requirements.md +231 -231
- package/kit/framework/templates/research-project/ARCHITECTURE.md +204 -204
- package/kit/framework/templates/research-project/FEATURES.md +147 -147
- package/kit/framework/templates/research-project/PITFALLS.md +200 -200
- package/kit/framework/templates/research-project/STACK.md +120 -120
- package/kit/framework/templates/research-project/SUMMARY.md +170 -170
- package/kit/framework/templates/research.md +419 -419
- package/kit/framework/templates/retrospective.md +54 -54
- package/kit/framework/templates/roadmap.md +202 -202
- package/kit/framework/templates/state.md +176 -176
- package/kit/framework/templates/summary-complex.md +59 -59
- package/kit/framework/templates/summary-minimal.md +41 -41
- package/kit/framework/templates/summary-standard.md +48 -48
- package/kit/framework/templates/summary.md +209 -209
- package/kit/framework/templates/user-profile.md +146 -146
- package/kit/framework/templates/user-setup.md +256 -256
- package/kit/framework/templates/verification-report.md +258 -258
- package/kit/framework/workflows/add-phase.md +112 -112
- package/kit/framework/workflows/add-tests.md +351 -351
- package/kit/framework/workflows/add-todo.md +158 -158
- package/kit/framework/workflows/audit-milestone.md +340 -340
- package/kit/framework/workflows/audit-uat.md +109 -109
- package/kit/framework/workflows/autonomous.md +891 -891
- package/kit/framework/workflows/check-todos.md +177 -177
- package/kit/framework/workflows/cleanup.md +152 -152
- package/kit/framework/workflows/complete-milestone.md +696 -696
- package/kit/framework/workflows/diagnose-issues.md +231 -231
- package/kit/framework/workflows/discovery-phase.md +289 -289
- package/kit/framework/workflows/discuss-phase-assumptions.md +653 -653
- package/kit/framework/workflows/discuss-phase.md +784 -784
- package/kit/framework/workflows/do.md +104 -104
- package/kit/framework/workflows/execute-phase.md +838 -838
- package/kit/framework/workflows/execute-plan.md +510 -510
- package/kit/framework/workflows/fast.md +102 -102
- package/kit/framework/workflows/forensics.md +265 -265
- package/kit/framework/workflows/health.md +181 -181
- package/kit/framework/workflows/help.md +619 -619
- package/kit/framework/workflows/insert-phase.md +130 -130
- package/kit/framework/workflows/list-phase-assumptions.md +178 -178
- package/kit/framework/workflows/list-workspaces.md +56 -56
- package/kit/framework/workflows/manager.md +362 -362
- package/kit/framework/workflows/map-codebase.md +377 -377
- package/kit/framework/workflows/milestone-summary.md +223 -223
- package/kit/framework/workflows/new-milestone.md +486 -486
- package/kit/framework/workflows/new-project.md +1159 -1159
- package/kit/framework/workflows/new-workspace.md +237 -237
- package/kit/framework/workflows/next.md +97 -97
- package/kit/framework/workflows/node-repair.md +92 -92
- package/kit/framework/workflows/note.md +156 -156
- package/kit/framework/workflows/pause-work.md +176 -176
- package/kit/framework/workflows/plan-milestone-gaps.md +273 -273
- package/kit/framework/workflows/plan-phase.md +765 -765
- package/kit/framework/workflows/plant-seed.md +169 -169
- package/kit/framework/workflows/pr-branch.md +129 -129
- package/kit/framework/workflows/profile-user.md +450 -450
- package/kit/framework/workflows/progress.md +507 -507
- package/kit/framework/workflows/quick.md +757 -757
- package/kit/framework/workflows/remove-phase.md +155 -155
- package/kit/framework/workflows/remove-workspace.md +90 -90
- package/kit/framework/workflows/research-phase.md +82 -82
- package/kit/framework/workflows/resume-project.md +326 -326
- package/kit/framework/workflows/review.md +228 -228
- package/kit/framework/workflows/session-report.md +146 -146
- package/kit/framework/workflows/settings.md +283 -283
- package/kit/framework/workflows/ship.md +228 -228
- package/kit/framework/workflows/stats.md +60 -60
- package/kit/framework/workflows/transition.md +671 -671
- package/kit/framework/workflows/ui-phase.md +302 -302
- package/kit/framework/workflows/ui-review.md +165 -165
- package/kit/framework/workflows/update.md +323 -323
- package/kit/framework/workflows/validate-phase.md +174 -174
- package/kit/framework/workflows/verify-phase.md +252 -252
- package/kit/framework/workflows/verify-work.md +637 -637
- package/kit/hooks/check-update.js +118 -118
- package/kit/hooks/context-monitor.js +163 -163
- package/kit/hooks/prompt-guard.js +103 -103
- package/kit/hooks/statusline.js +125 -125
- package/kit/hooks/workflow-guard.js +101 -101
- package/kit/settings.json +45 -45
- package/kit/skills/_shared-supabase/glossary.md +17 -0
- package/kit/skills/ai-prompt-characterization/SKILL.md +335 -335
- package/kit/skills/armadilhas-sistemas-distribuidos/SKILL.md +447 -447
- package/kit/skills/audit-log-multi-tenant/SKILL.md +340 -340
- package/kit/skills/b2b-saas-architecture/SKILL.md +300 -300
- package/kit/skills/consistencia-leitura-replica/SKILL.md +385 -385
- package/kit/skills/crm-lead-pipeline-patterns/SKILL.md +343 -343
- package/kit/skills/escolha-modelo-consistencia/SKILL.md +494 -494
- package/kit/skills/evolucao-schema-compativel/SKILL.md +448 -448
- package/kit/skills/evolution-go-whatsapp-integration/SKILL.md +322 -322
- package/kit/skills/example-skill/SKILL.md +42 -42
- package/kit/skills/legacy-api-only-applications/SKILL.md +358 -358
- package/kit/skills/legacy-characterization-tests/SKILL.md +330 -330
- package/kit/skills/legacy-effect-analysis/SKILL.md +331 -331
- package/kit/skills/legacy-extract-class/SKILL.md +203 -203
- package/kit/skills/legacy-programming-by-difference/SKILL.md +252 -252
- package/kit/skills/legacy-seams-and-test-harness/SKILL.md +460 -460
- package/kit/skills/legacy-shotgun-surgery/SKILL.md +286 -286
- package/kit/skills/legacy-sprout-wrap-techniques/SKILL.md +434 -434
- package/kit/skills/legacy-storytelling-naked-crc/SKILL.md +270 -270
- package/kit/skills/lgpd-multi-tenant-compliance/SKILL.md +340 -340
- package/kit/skills/member-invite-flow/SKILL.md +305 -305
- package/kit/skills/member-management-react-shadcn/SKILL.md +328 -328
- package/kit/skills/multi-tenant-performance-scaling/SKILL.md +316 -316
- package/kit/skills/multi-tenant-rls-hierarchy/SKILL.md +342 -342
- package/kit/skills/org-onboarding-flow/SKILL.md +257 -257
- package/kit/skills/org-switcher-react-pattern/SKILL.md +349 -349
- package/kit/skills/permission-gate-react-pattern/SKILL.md +271 -271
- package/kit/skills/postgres-isolamento-concorrencia/SKILL.md +552 -552
- package/kit/skills/pre-refactor-characterization/SKILL.md +421 -421
- package/kit/skills/rbac-permissions-matrix-supabase/SKILL.md +338 -338
- package/kit/skills/streams-eventos-cdc/SKILL.md +711 -711
- package/kit/skills/supabase-branching-workflow/SKILL.md +544 -544
- package/kit/skills/supabase-ci-cd-github-actions/SKILL.md +880 -880
- package/kit/skills/supabase-column-level-security/SKILL.md +426 -426
- package/kit/skills/supabase-config-toml-remotes/SKILL.md +807 -807
- package/kit/skills/supabase-custom-claims-rbac/SKILL.md +472 -472
- package/kit/skills/supabase-edge-functions/SKILL.md +229 -141
- package/kit/skills/supabase-edge-functions-auth/SKILL.md +309 -0
- package/kit/skills/supabase-edge-functions-limits/SKILL.md +302 -0
- package/kit/skills/supabase-edge-functions-mcp-server/SKILL.md +279 -0
- package/kit/skills/supabase-edge-functions-testing/SKILL.md +277 -0
- package/kit/skills/supabase-edge-runtime-builtins/SKILL.md +357 -0
- package/kit/skills/supabase-migration-repair/SKILL.md +823 -823
- package/kit/skills/supabase-migrations/SKILL.md +297 -297
- package/kit/skills/supabase-pgtap-testing/SKILL.md +1053 -1053
- package/kit/skills/supabase-postgres-roles/SKILL.md +392 -392
- package/kit/skills/supabase-realtime/SKILL.md +460 -236
- package/kit/skills/supabase-rls-defense-in-depth/SKILL.md +418 -418
- package/kit/skills/supabase-rls-policies/SKILL.md +635 -635
- package/kit/skills/super-admin-platform-pattern/SKILL.md +326 -326
- package/kit/skills/tenant-quente-mitigacao/SKILL.md +605 -605
- package/kit/skills/whatsapp-conversation-state-machine/SKILL.md +287 -287
- package/package.json +1 -1
- package/src/cli/index.js +33 -0
- package/src/core/kit.js +216 -216
- package/src/core/reflect.js +247 -247
- package/src/core/reverse-sync.js +372 -372
- package/src/core/sync.js +418 -418
- package/src/core/watch.js +121 -121
- package/src/mcp-server/index.js +693 -490
- package/src/mcp-server/roots.js +124 -0
|
@@ -1,338 +1,338 @@
|
|
|
1
|
-
---
|
|
2
|
-
name: rbac-permissions-matrix-supabase
|
|
3
|
-
description: "Use ao modelar RBAC granular em Supabase B2B — permission strings resource:action, matrix N:M roles ↔ permissions, regra \\"user só atribui roles ≤ ao próprio\\", 3 roles built-in (owner…"
|
|
4
|
-
---
|
|
5
|
-
|
|
6
|
-
# RBAC Permissions Matrix — Supabase B2B Multi-Tenant
|
|
7
|
-
|
|
8
|
-
## Quando usar
|
|
9
|
-
|
|
10
|
-
LLM carrega esta skill ao desenhar autorização granular em B2B SaaS multi-tenant. Trigger phrases:
|
|
11
|
-
|
|
12
|
-
- "RBAC granular", "permission matrix"
|
|
13
|
-
- "permission string resource:action", "leads:create", "members:invite"
|
|
14
|
-
- "custom roles", "role escalation rule"
|
|
15
|
-
- "owner admin member built-in"
|
|
16
|
-
- "role permissions table"
|
|
17
|
-
|
|
18
|
-
## Regras absolutas
|
|
19
|
-
|
|
20
|
-
**REGRA #1 (permission string format):** Permissions são strings `<resource>:<action>` em snake_case (ex: `leads:create`, `members:invite`, `org_settings:update`). Padrão convergente 2026 (Stripe, Linear, Auth0).
|
|
21
|
-
|
|
22
|
-
**REGRA #2 (3 roles built-in mínimo):** Toda org tem 3 roles built-in com `is_built_in = true`:
|
|
23
|
-
- `owner` — full control (criação org, billing, transfer ownership, delete org)
|
|
24
|
-
- `admin` — manage members, settings, all data
|
|
25
|
-
- `member` — operações standard (CRUD nos recursos da org)
|
|
26
|
-
|
|
27
|
-
**REGRA #3 (role escalation rule):** Usuário só pode **criar/atribuir roles ≤ ao próprio role**. Member não pode criar admin. Admin não pode criar owner. Owner pode tudo. Enforced via policy + frontend gate.
|
|
28
|
-
|
|
29
|
-
**REGRA #4 (custom roles permitidos):** Custom roles via `is_built_in = false` na mesma tabela `roles`. Org-scoped (não globais). Built-in não podem ser deletados (constraint).
|
|
30
|
-
|
|
31
|
-
**REGRA #5 (NUNCA permission string em frontend hard-coded para enforce):** Permission gate React (skill [`permission-gate-react-pattern`](../permission-gate-react-pattern/SKILL.md)) é UX apenas. Server-side enforcement obrigatório via RLS + `private.has_permission`.
|
|
32
|
-
|
|
33
|
-
## Patterns canônicos
|
|
34
|
-
|
|
35
|
-
### Permission catalog — eventos canônicos
|
|
36
|
-
|
|
37
|
-
```sql
|
|
38
|
-
-- Catálogo global (compartilhado entre orgs)
|
|
39
|
-
insert into public.permissions (action, resource, description) values
|
|
40
|
-
-- Members
|
|
41
|
-
('invite', 'members', 'Convidar novos membros via email'),
|
|
42
|
-
('remove', 'members', 'Remover membros existentes'),
|
|
43
|
-
('update', 'members', 'Atualizar role/status de membros'),
|
|
44
|
-
('list', 'members', 'Listar membros da org'),
|
|
45
|
-
|
|
46
|
-
-- Org settings
|
|
47
|
-
('update', 'org_settings', 'Atualizar configurações gerais da org'),
|
|
48
|
-
('update', 'org_billing', 'Acessar/alterar billing (Stripe)'),
|
|
49
|
-
|
|
50
|
-
-- Departments
|
|
51
|
-
('create', 'departments', 'Criar departamentos'),
|
|
52
|
-
('update', 'departments', 'Atualizar departamentos'),
|
|
53
|
-
('delete', 'departments', 'Deletar departamentos'),
|
|
54
|
-
|
|
55
|
-
-- Roles + Permissions
|
|
56
|
-
('create', 'roles', 'Criar custom roles'),
|
|
57
|
-
('update', 'roles', 'Atualizar role permissions'),
|
|
58
|
-
('delete', 'roles', 'Deletar custom roles (built-in protegidos)'),
|
|
59
|
-
|
|
60
|
-
-- Domain example: leads (CRM)
|
|
61
|
-
('create', 'leads', 'Criar leads'),
|
|
62
|
-
('update', 'leads', 'Atualizar leads'),
|
|
63
|
-
('delete', 'leads', 'Deletar leads'),
|
|
64
|
-
('export', 'leads', 'Exportar leads (CSV/JSON)'),
|
|
65
|
-
|
|
66
|
-
-- Audit
|
|
67
|
-
('view', 'audit_logs', 'Ver audit logs'),
|
|
68
|
-
('export', 'audit_logs', 'Exportar audit logs'),
|
|
69
|
-
|
|
70
|
-
-- LGPD
|
|
71
|
-
('process', 'dsr_requests', 'Processar Data Subject Requests'),
|
|
72
|
-
|
|
73
|
-
on conflict (action, resource) do nothing;
|
|
74
|
-
```
|
|
75
|
-
|
|
76
|
-
### 3 roles built-in com permissions default
|
|
77
|
-
|
|
78
|
-
```sql
|
|
79
|
-
-- Para cada nova org (idealmente em RPC create_organization), criar built-in roles
|
|
80
|
-
-- com permissions atribuídas.
|
|
81
|
-
|
|
82
|
-
-- OWNER — todas permissions
|
|
83
|
-
insert into public.role_permissions (role_id, permission_id)
|
|
84
|
-
select
|
|
85
|
-
r.id,
|
|
86
|
-
p.id
|
|
87
|
-
from public.roles r
|
|
88
|
-
cross join public.permissions p
|
|
89
|
-
where r.org_id = '<org_id>'
|
|
90
|
-
and r.name = 'owner';
|
|
91
|
-
|
|
92
|
-
-- ADMIN — tudo exceto org_billing + delete org
|
|
93
|
-
insert into public.role_permissions (role_id, permission_id)
|
|
94
|
-
select
|
|
95
|
-
r.id,
|
|
96
|
-
p.id
|
|
97
|
-
from public.roles r
|
|
98
|
-
cross join public.permissions p
|
|
99
|
-
where r.org_id = '<org_id>'
|
|
100
|
-
and r.name = 'admin'
|
|
101
|
-
and not (p.action = 'update' and p.resource = 'org_billing');
|
|
102
|
-
|
|
103
|
-
-- MEMBER — operações CRUD em domínio (sem members management)
|
|
104
|
-
insert into public.role_permissions (role_id, permission_id)
|
|
105
|
-
select
|
|
106
|
-
r.id,
|
|
107
|
-
p.id
|
|
108
|
-
from public.roles r
|
|
109
|
-
cross join public.permissions p
|
|
110
|
-
where r.org_id = '<org_id>'
|
|
111
|
-
and r.name = 'member'
|
|
112
|
-
and p.resource in ('leads', 'departments')
|
|
113
|
-
and p.action in ('create', 'update', 'list');
|
|
114
|
-
```
|
|
115
|
-
|
|
116
|
-
### Role escalation rule — enforcement via RPC + RLS
|
|
117
|
-
|
|
118
|
-
```sql
|
|
119
|
-
-- Função que retorna o "rank" de uma role (owner=3, admin=2, member=1, custom=0)
|
|
120
|
-
create or replace function private.role_rank(p_role_name text)
|
|
121
|
-
returns int
|
|
122
|
-
language sql
|
|
123
|
-
stable
|
|
124
|
-
security invoker
|
|
125
|
-
set search_path = ''
|
|
126
|
-
as $$
|
|
127
|
-
select case p_role_name
|
|
128
|
-
when 'owner' then 3
|
|
129
|
-
when 'admin' then 2
|
|
130
|
-
when 'member' then 1
|
|
131
|
-
else 0 -- custom roles têm rank 0 (não comparáveis)
|
|
132
|
-
end;
|
|
133
|
-
$$;
|
|
134
|
-
|
|
135
|
-
-- RPC que assign role a um membro — só permite role ≤ ao próprio
|
|
136
|
-
create or replace function public.assign_role(
|
|
137
|
-
p_org_id uuid,
|
|
138
|
-
p_target_user_id uuid,
|
|
139
|
-
p_role_id uuid
|
|
140
|
-
)
|
|
141
|
-
returns void
|
|
142
|
-
language plpgsql
|
|
143
|
-
security invoker
|
|
144
|
-
set search_path = ''
|
|
145
|
-
as $$
|
|
146
|
-
declare
|
|
147
|
-
caller_role_name text;
|
|
148
|
-
target_role_name text;
|
|
149
|
-
begin
|
|
150
|
-
-- 1. Buscar role do caller na org
|
|
151
|
-
select r.name into caller_role_name
|
|
152
|
-
from public.organization_members om
|
|
153
|
-
join public.roles r on r.id = om.role_id
|
|
154
|
-
where om.org_id = p_org_id
|
|
155
|
-
and om.user_id = (select auth.uid())
|
|
156
|
-
and om.status = 'active';
|
|
157
|
-
|
|
158
|
-
if caller_role_name is null then
|
|
159
|
-
raise exception 'caller is not member of org';
|
|
160
|
-
end if;
|
|
161
|
-
|
|
162
|
-
-- 2. Buscar role alvo
|
|
163
|
-
select r.name into target_role_name
|
|
164
|
-
from public.roles r
|
|
165
|
-
where r.id = p_role_id and r.org_id = p_org_id;
|
|
166
|
-
|
|
167
|
-
if target_role_name is null then
|
|
168
|
-
raise exception 'role does not exist in org';
|
|
169
|
-
end if;
|
|
170
|
-
|
|
171
|
-
-- 3. REGRA #3: caller role rank >= target role rank
|
|
172
|
-
if private.role_rank(caller_role_name) < private.role_rank(target_role_name) then
|
|
173
|
-
raise exception
|
|
174
|
-
'role escalation forbidden: caller is %, cannot assign %',
|
|
175
|
-
caller_role_name, target_role_name;
|
|
176
|
-
end if;
|
|
177
|
-
|
|
178
|
-
-- 4. Assign
|
|
179
|
-
update public.organization_members
|
|
180
|
-
set role_id = p_role_id
|
|
181
|
-
where org_id = p_org_id and user_id = p_target_user_id;
|
|
182
|
-
end;
|
|
183
|
-
$$;
|
|
184
|
-
|
|
185
|
-
grant execute on function public.assign_role(uuid, uuid, uuid) to authenticated;
|
|
186
|
-
```
|
|
187
|
-
|
|
188
|
-
### Frontend — listar roles que user pode atribuir
|
|
189
|
-
|
|
190
|
-
```typescript
|
|
191
|
-
// Buscar roles que current user pode atribuir (rank ≤ próprio)
|
|
192
|
-
const { data: assignableRoles } = await supabase
|
|
193
|
-
.from('roles')
|
|
194
|
-
.select('id, name, description')
|
|
195
|
-
.eq('org_id', orgId)
|
|
196
|
-
// RPC retorna apenas roles que caller pode atribuir
|
|
197
|
-
.rpc('list_assignable_roles', { p_org_id: orgId })
|
|
198
|
-
```
|
|
199
|
-
|
|
200
|
-
### RLS policy usando `private.has_permission`
|
|
201
|
-
|
|
202
|
-
```sql
|
|
203
|
-
-- Tabela leads — INSERT requer permission leads:create
|
|
204
|
-
create policy "leads_insert_with_permission"
|
|
205
|
-
on public.leads
|
|
206
|
-
for insert
|
|
207
|
-
to authenticated
|
|
208
|
-
with check (
|
|
209
|
-
private.has_permission('create', 'leads', org_id)
|
|
210
|
-
);
|
|
211
|
-
|
|
212
|
-
-- Tabela members management — UPDATE role requer permission members:update
|
|
213
|
-
create policy "members_update_role_with_permission"
|
|
214
|
-
on public.organization_members
|
|
215
|
-
for update
|
|
216
|
-
to authenticated
|
|
217
|
-
using (
|
|
218
|
-
private.has_permission('update', 'members', org_id)
|
|
219
|
-
)
|
|
220
|
-
with check (
|
|
221
|
-
private.has_permission('update', 'members', org_id)
|
|
222
|
-
);
|
|
223
|
-
```
|
|
224
|
-
|
|
225
|
-
## Mecanismo de delivery dos claims (v1.25 update)
|
|
226
|
-
|
|
227
|
-
Os patterns acima usam **helper function PG STABLE** (`private.has_permission(action, resource, org_id)`) que faz JOIN em `role_permissions` table dentro de cada policy evaluation. Funciona bem para casos multi-tenant complexos (role depende de org context) mas adiciona JOIN custoso em policies hot.
|
|
228
|
-
|
|
229
|
-
A partir de **v1.25**, kit-mcp adiciona alternativa moderna via **Custom Access Token Auth Hook** (skill [`supabase-custom-claims-rbac`](../supabase-custom-claims-rbac/SKILL.md)) que injeta `user_role` direto no JWT — RLS policies leem o claim via `authorize(permission)` sem JOIN.
|
|
230
|
-
|
|
231
|
-
**Comparação canônica (v1.25):**
|
|
232
|
-
|
|
233
|
-
| | Helper function STABLE (v1.21) | Custom Claim via Auth Hook (v1.25) |
|
|
234
|
-
|---|---|---|
|
|
235
|
-
| Performance | JOIN em role_permissions por query | Zero-JOIN — claim no JWT |
|
|
236
|
-
| Multi-tenant context | ✅ `has_permission('update', 'members', org_id)` — context-aware | ❌ Claim é per-user, não per-org-context |
|
|
237
|
-
| Mudança em real-time | ✅ Imediata (UPDATE em role_permissions reflete) | ⚠ Eventually consistent (TTL refresh 1h) |
|
|
238
|
-
| Type safety | String permission `'update:members'` | Enum `app_permission` |
|
|
239
|
-
| Setup complexity | Média (helper function + RLS) | Alta (auth hook + auth_admin grants + jwt-decode cliente) |
|
|
240
|
-
|
|
241
|
-
**Recomendação canônica v1.25 para B2B multi-tenant:**
|
|
242
|
-
|
|
243
|
-
**Combine ambos:**
|
|
244
|
-
- **Custom claim** para role global (`super_admin`, `org_owner`) — zero-JOIN, fácil consulta cliente
|
|
245
|
-
- **Helper function STABLE** para context-aware (`has_permission(action, resource, org_id)`) — quando role muda por org
|
|
246
|
-
|
|
247
|
-
Exemplo de policy combinada:
|
|
248
|
-
|
|
249
|
-
```sql
|
|
250
|
-
create policy "members_select" on public.members for select
|
|
251
|
-
to authenticated
|
|
252
|
-
using (
|
|
253
|
-
-- claim no JWT (zero-JOIN, fast path)
|
|
254
|
-
(SELECT authorize('members:read'))
|
|
255
|
-
-- OU helper function PG (context-aware, slow path)
|
|
256
|
-
or private.has_permission('read', 'members', org_id)
|
|
257
|
-
);
|
|
258
|
-
```
|
|
259
|
-
|
|
260
|
-
Pattern detalhado em [`supabase-custom-claims-rbac`](../supabase-custom-claims-rbac/SKILL.md) (v1.25) section "Cross-suite integration".
|
|
261
|
-
|
|
262
|
-
## Anti-patterns
|
|
263
|
-
|
|
264
|
-
### Anti-pattern 1: Permission string sem padrão
|
|
265
|
-
|
|
266
|
-
**Errado:**
|
|
267
|
-
```sql
|
|
268
|
-
-- Mistura formats
|
|
269
|
-
'canCreateLeads', 'leads.create', 'CREATE_LEAD', 'leads:write'
|
|
270
|
-
```
|
|
271
|
-
|
|
272
|
-
**Por quê:** inconsistência confunde devs (qual é a forma certa?), quebra autocomplete, dificulta migração.
|
|
273
|
-
|
|
274
|
-
**Certo:** sempre `<resource>:<action>` em snake_case (REGRA #1). Pode usar enum em TypeScript:
|
|
275
|
-
```typescript
|
|
276
|
-
type Permission = `${Resource}:${Action}`
|
|
277
|
-
```
|
|
278
|
-
|
|
279
|
-
### Anti-pattern 2: Hard-coded role check em vez de permission
|
|
280
|
-
|
|
281
|
-
**Errado:**
|
|
282
|
-
```typescript
|
|
283
|
-
// Permission gate frontend
|
|
284
|
-
{ user.role === 'admin' && <Button>Convidar</Button> }
|
|
285
|
-
```
|
|
286
|
-
|
|
287
|
-
**Por quê:** custom roles quebram (custom role com permission `members:invite` não passa no check). Acopla UI a roles built-in.
|
|
288
|
-
|
|
289
|
-
**Certo:**
|
|
290
|
-
```typescript
|
|
291
|
-
{ usePermission('invite', 'members') && <Button>Convidar</Button> }
|
|
292
|
-
```
|
|
293
|
-
|
|
294
|
-
E server-side: RLS com `private.has_permission`.
|
|
295
|
-
|
|
296
|
-
### Anti-pattern 3: Built-in role pode ser deletada
|
|
297
|
-
|
|
298
|
-
**Errado:**
|
|
299
|
-
```sql
|
|
300
|
-
-- Sem proteção
|
|
301
|
-
delete from public.roles where name = 'owner' and org_id = '...';
|
|
302
|
-
-- Org fica sem owner, ninguém consegue fazer nada
|
|
303
|
-
```
|
|
304
|
-
|
|
305
|
-
**Por quê:** org sem owner é unrecoverable sem service_role intervention. Compromete recovery.
|
|
306
|
-
|
|
307
|
-
**Certo:** policy DELETE em `roles` que rejeita built-in:
|
|
308
|
-
```sql
|
|
309
|
-
create policy "roles_delete_custom_only"
|
|
310
|
-
on public.roles
|
|
311
|
-
for delete
|
|
312
|
-
to authenticated
|
|
313
|
-
using (
|
|
314
|
-
not is_built_in
|
|
315
|
-
and private.has_permission('delete', 'roles', org_id)
|
|
316
|
-
);
|
|
317
|
-
```
|
|
318
|
-
|
|
319
|
-
### Anti-pattern 4: Frontend permission gate sem server-side enforce
|
|
320
|
-
|
|
321
|
-
**Errado:**
|
|
322
|
-
```typescript
|
|
323
|
-
// Esconder botão UI = "segurança"
|
|
324
|
-
{ usePermission('delete', 'leads') && <DeleteButton /> }
|
|
325
|
-
// Mas API endpoint /leads/{id} aceita DELETE sem checar permission
|
|
326
|
-
```
|
|
327
|
-
|
|
328
|
-
**Por quê:** atacante chama API direto via curl — ignora gate frontend. Permission gate React é **UX**, não segurança.
|
|
329
|
-
|
|
330
|
-
**Certo:** REGRA #5. Server-side via RLS + `private.has_permission` é enforcement real.
|
|
331
|
-
|
|
332
|
-
## Ver também
|
|
333
|
-
|
|
334
|
-
- [multi-tenant-rls-hierarchy](../multi-tenant-rls-hierarchy/SKILL.md) — `private.has_permission` é a função canônica usada em policies
|
|
335
|
-
- [b2b-saas-architecture](../b2b-saas-architecture/SKILL.md) — schema das tabelas `roles`, `permissions`, `role_permissions`
|
|
336
|
-
- [permission-gate-react-pattern](../permission-gate-react-pattern/SKILL.md) — Phase 115, permission gate UX em React
|
|
337
|
-
- [super-admin-platform-pattern](../super-admin-platform-pattern/SKILL.md) — Phase 111, super_admin bypassa RBAC normal
|
|
338
|
-
- [_shared-multi-tenant/glossary.md](../_shared-multi-tenant/glossary.md) — termos `RBAC`, `permission matrix`, `role escalation rule`
|
|
1
|
+
---
|
|
2
|
+
name: rbac-permissions-matrix-supabase
|
|
3
|
+
description: "Use ao modelar RBAC granular em Supabase B2B — permission strings resource:action, matrix N:M roles ↔ permissions, regra \\"user só atribui roles ≤ ao próprio\\", 3 roles built-in (owner…"
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
# RBAC Permissions Matrix — Supabase B2B Multi-Tenant
|
|
7
|
+
|
|
8
|
+
## Quando usar
|
|
9
|
+
|
|
10
|
+
LLM carrega esta skill ao desenhar autorização granular em B2B SaaS multi-tenant. Trigger phrases:
|
|
11
|
+
|
|
12
|
+
- "RBAC granular", "permission matrix"
|
|
13
|
+
- "permission string resource:action", "leads:create", "members:invite"
|
|
14
|
+
- "custom roles", "role escalation rule"
|
|
15
|
+
- "owner admin member built-in"
|
|
16
|
+
- "role permissions table"
|
|
17
|
+
|
|
18
|
+
## Regras absolutas
|
|
19
|
+
|
|
20
|
+
**REGRA #1 (permission string format):** Permissions são strings `<resource>:<action>` em snake_case (ex: `leads:create`, `members:invite`, `org_settings:update`). Padrão convergente 2026 (Stripe, Linear, Auth0).
|
|
21
|
+
|
|
22
|
+
**REGRA #2 (3 roles built-in mínimo):** Toda org tem 3 roles built-in com `is_built_in = true`:
|
|
23
|
+
- `owner` — full control (criação org, billing, transfer ownership, delete org)
|
|
24
|
+
- `admin` — manage members, settings, all data
|
|
25
|
+
- `member` — operações standard (CRUD nos recursos da org)
|
|
26
|
+
|
|
27
|
+
**REGRA #3 (role escalation rule):** Usuário só pode **criar/atribuir roles ≤ ao próprio role**. Member não pode criar admin. Admin não pode criar owner. Owner pode tudo. Enforced via policy + frontend gate.
|
|
28
|
+
|
|
29
|
+
**REGRA #4 (custom roles permitidos):** Custom roles via `is_built_in = false` na mesma tabela `roles`. Org-scoped (não globais). Built-in não podem ser deletados (constraint).
|
|
30
|
+
|
|
31
|
+
**REGRA #5 (NUNCA permission string em frontend hard-coded para enforce):** Permission gate React (skill [`permission-gate-react-pattern`](../permission-gate-react-pattern/SKILL.md)) é UX apenas. Server-side enforcement obrigatório via RLS + `private.has_permission`.
|
|
32
|
+
|
|
33
|
+
## Patterns canônicos
|
|
34
|
+
|
|
35
|
+
### Permission catalog — eventos canônicos
|
|
36
|
+
|
|
37
|
+
```sql
|
|
38
|
+
-- Catálogo global (compartilhado entre orgs)
|
|
39
|
+
insert into public.permissions (action, resource, description) values
|
|
40
|
+
-- Members
|
|
41
|
+
('invite', 'members', 'Convidar novos membros via email'),
|
|
42
|
+
('remove', 'members', 'Remover membros existentes'),
|
|
43
|
+
('update', 'members', 'Atualizar role/status de membros'),
|
|
44
|
+
('list', 'members', 'Listar membros da org'),
|
|
45
|
+
|
|
46
|
+
-- Org settings
|
|
47
|
+
('update', 'org_settings', 'Atualizar configurações gerais da org'),
|
|
48
|
+
('update', 'org_billing', 'Acessar/alterar billing (Stripe)'),
|
|
49
|
+
|
|
50
|
+
-- Departments
|
|
51
|
+
('create', 'departments', 'Criar departamentos'),
|
|
52
|
+
('update', 'departments', 'Atualizar departamentos'),
|
|
53
|
+
('delete', 'departments', 'Deletar departamentos'),
|
|
54
|
+
|
|
55
|
+
-- Roles + Permissions
|
|
56
|
+
('create', 'roles', 'Criar custom roles'),
|
|
57
|
+
('update', 'roles', 'Atualizar role permissions'),
|
|
58
|
+
('delete', 'roles', 'Deletar custom roles (built-in protegidos)'),
|
|
59
|
+
|
|
60
|
+
-- Domain example: leads (CRM)
|
|
61
|
+
('create', 'leads', 'Criar leads'),
|
|
62
|
+
('update', 'leads', 'Atualizar leads'),
|
|
63
|
+
('delete', 'leads', 'Deletar leads'),
|
|
64
|
+
('export', 'leads', 'Exportar leads (CSV/JSON)'),
|
|
65
|
+
|
|
66
|
+
-- Audit
|
|
67
|
+
('view', 'audit_logs', 'Ver audit logs'),
|
|
68
|
+
('export', 'audit_logs', 'Exportar audit logs'),
|
|
69
|
+
|
|
70
|
+
-- LGPD
|
|
71
|
+
('process', 'dsr_requests', 'Processar Data Subject Requests'),
|
|
72
|
+
|
|
73
|
+
on conflict (action, resource) do nothing;
|
|
74
|
+
```
|
|
75
|
+
|
|
76
|
+
### 3 roles built-in com permissions default
|
|
77
|
+
|
|
78
|
+
```sql
|
|
79
|
+
-- Para cada nova org (idealmente em RPC create_organization), criar built-in roles
|
|
80
|
+
-- com permissions atribuídas.
|
|
81
|
+
|
|
82
|
+
-- OWNER — todas permissions
|
|
83
|
+
insert into public.role_permissions (role_id, permission_id)
|
|
84
|
+
select
|
|
85
|
+
r.id,
|
|
86
|
+
p.id
|
|
87
|
+
from public.roles r
|
|
88
|
+
cross join public.permissions p
|
|
89
|
+
where r.org_id = '<org_id>'
|
|
90
|
+
and r.name = 'owner';
|
|
91
|
+
|
|
92
|
+
-- ADMIN — tudo exceto org_billing + delete org
|
|
93
|
+
insert into public.role_permissions (role_id, permission_id)
|
|
94
|
+
select
|
|
95
|
+
r.id,
|
|
96
|
+
p.id
|
|
97
|
+
from public.roles r
|
|
98
|
+
cross join public.permissions p
|
|
99
|
+
where r.org_id = '<org_id>'
|
|
100
|
+
and r.name = 'admin'
|
|
101
|
+
and not (p.action = 'update' and p.resource = 'org_billing');
|
|
102
|
+
|
|
103
|
+
-- MEMBER — operações CRUD em domínio (sem members management)
|
|
104
|
+
insert into public.role_permissions (role_id, permission_id)
|
|
105
|
+
select
|
|
106
|
+
r.id,
|
|
107
|
+
p.id
|
|
108
|
+
from public.roles r
|
|
109
|
+
cross join public.permissions p
|
|
110
|
+
where r.org_id = '<org_id>'
|
|
111
|
+
and r.name = 'member'
|
|
112
|
+
and p.resource in ('leads', 'departments')
|
|
113
|
+
and p.action in ('create', 'update', 'list');
|
|
114
|
+
```
|
|
115
|
+
|
|
116
|
+
### Role escalation rule — enforcement via RPC + RLS
|
|
117
|
+
|
|
118
|
+
```sql
|
|
119
|
+
-- Função que retorna o "rank" de uma role (owner=3, admin=2, member=1, custom=0)
|
|
120
|
+
create or replace function private.role_rank(p_role_name text)
|
|
121
|
+
returns int
|
|
122
|
+
language sql
|
|
123
|
+
stable
|
|
124
|
+
security invoker
|
|
125
|
+
set search_path = ''
|
|
126
|
+
as $$
|
|
127
|
+
select case p_role_name
|
|
128
|
+
when 'owner' then 3
|
|
129
|
+
when 'admin' then 2
|
|
130
|
+
when 'member' then 1
|
|
131
|
+
else 0 -- custom roles têm rank 0 (não comparáveis)
|
|
132
|
+
end;
|
|
133
|
+
$$;
|
|
134
|
+
|
|
135
|
+
-- RPC que assign role a um membro — só permite role ≤ ao próprio
|
|
136
|
+
create or replace function public.assign_role(
|
|
137
|
+
p_org_id uuid,
|
|
138
|
+
p_target_user_id uuid,
|
|
139
|
+
p_role_id uuid
|
|
140
|
+
)
|
|
141
|
+
returns void
|
|
142
|
+
language plpgsql
|
|
143
|
+
security invoker
|
|
144
|
+
set search_path = ''
|
|
145
|
+
as $$
|
|
146
|
+
declare
|
|
147
|
+
caller_role_name text;
|
|
148
|
+
target_role_name text;
|
|
149
|
+
begin
|
|
150
|
+
-- 1. Buscar role do caller na org
|
|
151
|
+
select r.name into caller_role_name
|
|
152
|
+
from public.organization_members om
|
|
153
|
+
join public.roles r on r.id = om.role_id
|
|
154
|
+
where om.org_id = p_org_id
|
|
155
|
+
and om.user_id = (select auth.uid())
|
|
156
|
+
and om.status = 'active';
|
|
157
|
+
|
|
158
|
+
if caller_role_name is null then
|
|
159
|
+
raise exception 'caller is not member of org';
|
|
160
|
+
end if;
|
|
161
|
+
|
|
162
|
+
-- 2. Buscar role alvo
|
|
163
|
+
select r.name into target_role_name
|
|
164
|
+
from public.roles r
|
|
165
|
+
where r.id = p_role_id and r.org_id = p_org_id;
|
|
166
|
+
|
|
167
|
+
if target_role_name is null then
|
|
168
|
+
raise exception 'role does not exist in org';
|
|
169
|
+
end if;
|
|
170
|
+
|
|
171
|
+
-- 3. REGRA #3: caller role rank >= target role rank
|
|
172
|
+
if private.role_rank(caller_role_name) < private.role_rank(target_role_name) then
|
|
173
|
+
raise exception
|
|
174
|
+
'role escalation forbidden: caller is %, cannot assign %',
|
|
175
|
+
caller_role_name, target_role_name;
|
|
176
|
+
end if;
|
|
177
|
+
|
|
178
|
+
-- 4. Assign
|
|
179
|
+
update public.organization_members
|
|
180
|
+
set role_id = p_role_id
|
|
181
|
+
where org_id = p_org_id and user_id = p_target_user_id;
|
|
182
|
+
end;
|
|
183
|
+
$$;
|
|
184
|
+
|
|
185
|
+
grant execute on function public.assign_role(uuid, uuid, uuid) to authenticated;
|
|
186
|
+
```
|
|
187
|
+
|
|
188
|
+
### Frontend — listar roles que user pode atribuir
|
|
189
|
+
|
|
190
|
+
```typescript
|
|
191
|
+
// Buscar roles que current user pode atribuir (rank ≤ próprio)
|
|
192
|
+
const { data: assignableRoles } = await supabase
|
|
193
|
+
.from('roles')
|
|
194
|
+
.select('id, name, description')
|
|
195
|
+
.eq('org_id', orgId)
|
|
196
|
+
// RPC retorna apenas roles que caller pode atribuir
|
|
197
|
+
.rpc('list_assignable_roles', { p_org_id: orgId })
|
|
198
|
+
```
|
|
199
|
+
|
|
200
|
+
### RLS policy usando `private.has_permission`
|
|
201
|
+
|
|
202
|
+
```sql
|
|
203
|
+
-- Tabela leads — INSERT requer permission leads:create
|
|
204
|
+
create policy "leads_insert_with_permission"
|
|
205
|
+
on public.leads
|
|
206
|
+
for insert
|
|
207
|
+
to authenticated
|
|
208
|
+
with check (
|
|
209
|
+
private.has_permission('create', 'leads', org_id)
|
|
210
|
+
);
|
|
211
|
+
|
|
212
|
+
-- Tabela members management — UPDATE role requer permission members:update
|
|
213
|
+
create policy "members_update_role_with_permission"
|
|
214
|
+
on public.organization_members
|
|
215
|
+
for update
|
|
216
|
+
to authenticated
|
|
217
|
+
using (
|
|
218
|
+
private.has_permission('update', 'members', org_id)
|
|
219
|
+
)
|
|
220
|
+
with check (
|
|
221
|
+
private.has_permission('update', 'members', org_id)
|
|
222
|
+
);
|
|
223
|
+
```
|
|
224
|
+
|
|
225
|
+
## Mecanismo de delivery dos claims (v1.25 update)
|
|
226
|
+
|
|
227
|
+
Os patterns acima usam **helper function PG STABLE** (`private.has_permission(action, resource, org_id)`) que faz JOIN em `role_permissions` table dentro de cada policy evaluation. Funciona bem para casos multi-tenant complexos (role depende de org context) mas adiciona JOIN custoso em policies hot.
|
|
228
|
+
|
|
229
|
+
A partir de **v1.25**, kit-mcp adiciona alternativa moderna via **Custom Access Token Auth Hook** (skill [`supabase-custom-claims-rbac`](../supabase-custom-claims-rbac/SKILL.md)) que injeta `user_role` direto no JWT — RLS policies leem o claim via `authorize(permission)` sem JOIN.
|
|
230
|
+
|
|
231
|
+
**Comparação canônica (v1.25):**
|
|
232
|
+
|
|
233
|
+
| | Helper function STABLE (v1.21) | Custom Claim via Auth Hook (v1.25) |
|
|
234
|
+
|---|---|---|
|
|
235
|
+
| Performance | JOIN em role_permissions por query | Zero-JOIN — claim no JWT |
|
|
236
|
+
| Multi-tenant context | ✅ `has_permission('update', 'members', org_id)` — context-aware | ❌ Claim é per-user, não per-org-context |
|
|
237
|
+
| Mudança em real-time | ✅ Imediata (UPDATE em role_permissions reflete) | ⚠ Eventually consistent (TTL refresh 1h) |
|
|
238
|
+
| Type safety | String permission `'update:members'` | Enum `app_permission` |
|
|
239
|
+
| Setup complexity | Média (helper function + RLS) | Alta (auth hook + auth_admin grants + jwt-decode cliente) |
|
|
240
|
+
|
|
241
|
+
**Recomendação canônica v1.25 para B2B multi-tenant:**
|
|
242
|
+
|
|
243
|
+
**Combine ambos:**
|
|
244
|
+
- **Custom claim** para role global (`super_admin`, `org_owner`) — zero-JOIN, fácil consulta cliente
|
|
245
|
+
- **Helper function STABLE** para context-aware (`has_permission(action, resource, org_id)`) — quando role muda por org
|
|
246
|
+
|
|
247
|
+
Exemplo de policy combinada:
|
|
248
|
+
|
|
249
|
+
```sql
|
|
250
|
+
create policy "members_select" on public.members for select
|
|
251
|
+
to authenticated
|
|
252
|
+
using (
|
|
253
|
+
-- claim no JWT (zero-JOIN, fast path)
|
|
254
|
+
(SELECT authorize('members:read'))
|
|
255
|
+
-- OU helper function PG (context-aware, slow path)
|
|
256
|
+
or private.has_permission('read', 'members', org_id)
|
|
257
|
+
);
|
|
258
|
+
```
|
|
259
|
+
|
|
260
|
+
Pattern detalhado em [`supabase-custom-claims-rbac`](../supabase-custom-claims-rbac/SKILL.md) (v1.25) section "Cross-suite integration".
|
|
261
|
+
|
|
262
|
+
## Anti-patterns
|
|
263
|
+
|
|
264
|
+
### Anti-pattern 1: Permission string sem padrão
|
|
265
|
+
|
|
266
|
+
**Errado:**
|
|
267
|
+
```sql
|
|
268
|
+
-- Mistura formats
|
|
269
|
+
'canCreateLeads', 'leads.create', 'CREATE_LEAD', 'leads:write'
|
|
270
|
+
```
|
|
271
|
+
|
|
272
|
+
**Por quê:** inconsistência confunde devs (qual é a forma certa?), quebra autocomplete, dificulta migração.
|
|
273
|
+
|
|
274
|
+
**Certo:** sempre `<resource>:<action>` em snake_case (REGRA #1). Pode usar enum em TypeScript:
|
|
275
|
+
```typescript
|
|
276
|
+
type Permission = `${Resource}:${Action}`
|
|
277
|
+
```
|
|
278
|
+
|
|
279
|
+
### Anti-pattern 2: Hard-coded role check em vez de permission
|
|
280
|
+
|
|
281
|
+
**Errado:**
|
|
282
|
+
```typescript
|
|
283
|
+
// Permission gate frontend
|
|
284
|
+
{ user.role === 'admin' && <Button>Convidar</Button> }
|
|
285
|
+
```
|
|
286
|
+
|
|
287
|
+
**Por quê:** custom roles quebram (custom role com permission `members:invite` não passa no check). Acopla UI a roles built-in.
|
|
288
|
+
|
|
289
|
+
**Certo:**
|
|
290
|
+
```typescript
|
|
291
|
+
{ usePermission('invite', 'members') && <Button>Convidar</Button> }
|
|
292
|
+
```
|
|
293
|
+
|
|
294
|
+
E server-side: RLS com `private.has_permission`.
|
|
295
|
+
|
|
296
|
+
### Anti-pattern 3: Built-in role pode ser deletada
|
|
297
|
+
|
|
298
|
+
**Errado:**
|
|
299
|
+
```sql
|
|
300
|
+
-- Sem proteção
|
|
301
|
+
delete from public.roles where name = 'owner' and org_id = '...';
|
|
302
|
+
-- Org fica sem owner, ninguém consegue fazer nada
|
|
303
|
+
```
|
|
304
|
+
|
|
305
|
+
**Por quê:** org sem owner é unrecoverable sem service_role intervention. Compromete recovery.
|
|
306
|
+
|
|
307
|
+
**Certo:** policy DELETE em `roles` que rejeita built-in:
|
|
308
|
+
```sql
|
|
309
|
+
create policy "roles_delete_custom_only"
|
|
310
|
+
on public.roles
|
|
311
|
+
for delete
|
|
312
|
+
to authenticated
|
|
313
|
+
using (
|
|
314
|
+
not is_built_in
|
|
315
|
+
and private.has_permission('delete', 'roles', org_id)
|
|
316
|
+
);
|
|
317
|
+
```
|
|
318
|
+
|
|
319
|
+
### Anti-pattern 4: Frontend permission gate sem server-side enforce
|
|
320
|
+
|
|
321
|
+
**Errado:**
|
|
322
|
+
```typescript
|
|
323
|
+
// Esconder botão UI = "segurança"
|
|
324
|
+
{ usePermission('delete', 'leads') && <DeleteButton /> }
|
|
325
|
+
// Mas API endpoint /leads/{id} aceita DELETE sem checar permission
|
|
326
|
+
```
|
|
327
|
+
|
|
328
|
+
**Por quê:** atacante chama API direto via curl — ignora gate frontend. Permission gate React é **UX**, não segurança.
|
|
329
|
+
|
|
330
|
+
**Certo:** REGRA #5. Server-side via RLS + `private.has_permission` é enforcement real.
|
|
331
|
+
|
|
332
|
+
## Ver também
|
|
333
|
+
|
|
334
|
+
- [multi-tenant-rls-hierarchy](../multi-tenant-rls-hierarchy/SKILL.md) — `private.has_permission` é a função canônica usada em policies
|
|
335
|
+
- [b2b-saas-architecture](../b2b-saas-architecture/SKILL.md) — schema das tabelas `roles`, `permissions`, `role_permissions`
|
|
336
|
+
- [permission-gate-react-pattern](../permission-gate-react-pattern/SKILL.md) — Phase 115, permission gate UX em React
|
|
337
|
+
- [super-admin-platform-pattern](../super-admin-platform-pattern/SKILL.md) — Phase 111, super_admin bypassa RBAC normal
|
|
338
|
+
- [_shared-multi-tenant/glossary.md](../_shared-multi-tenant/glossary.md) — termos `RBAC`, `permission matrix`, `role escalation rule`
|