@luanpdd/kit-mcp 1.30.2 → 1.31.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (347) hide show
  1. package/LICENSE +21 -21
  2. package/README.md +168 -168
  3. package/gates/agent-no-recursive-dispatch.md +84 -82
  4. package/kit/COMANDOS.md +138 -138
  5. package/kit/README.md +76 -76
  6. package/kit/agents/advisor-researcher.md +107 -106
  7. package/kit/agents/ai-mutation-tester.md +1 -0
  8. package/kit/agents/assumptions-analyzer.md +108 -107
  9. package/kit/agents/audit-log-implementer.md +314 -313
  10. package/kit/agents/auditor-consistencia-isolamento.md +414 -413
  11. package/kit/agents/b2b-saas-architect.md +157 -156
  12. package/kit/agents/burn-rate-forecaster.md +1 -0
  13. package/kit/agents/cascading-failures-auditor.md +299 -298
  14. package/kit/agents/codebase-mapper.md +769 -768
  15. package/kit/agents/crm-pipeline-implementer.md +257 -256
  16. package/kit/agents/debugger.md +814 -813
  17. package/kit/agents/detector-tenant-quente.md +338 -337
  18. package/kit/agents/evolution-go-integrator.md +201 -200
  19. package/kit/agents/example-reviewer.md +22 -21
  20. package/kit/agents/executor.md +565 -564
  21. package/kit/agents/golden-signals-instrumenter.md +1 -0
  22. package/kit/agents/incident-investigator.md +1 -0
  23. package/kit/agents/integration-checker.md +201 -200
  24. package/kit/agents/invite-flow-implementer.md +190 -189
  25. package/kit/agents/legacy-characterizer.md +369 -368
  26. package/kit/agents/lgpd-compliance-auditor.md +296 -295
  27. package/kit/agents/load-shedding-instrumenter.md +1 -0
  28. package/kit/agents/multi-tenant-isolation-auditor.md +254 -253
  29. package/kit/agents/multi-tenant-rls-writer.md +341 -340
  30. package/kit/agents/nyquist-auditor.md +179 -178
  31. package/kit/agents/observability-coverage-auditor.md +316 -315
  32. package/kit/agents/observability-instrumenter.md +1 -0
  33. package/kit/agents/omm-auditor.md +1 -0
  34. package/kit/agents/org-onboarding-implementer.md +224 -223
  35. package/kit/agents/payload-capture-instrumenter.md +274 -273
  36. package/kit/agents/phase-researcher.md +697 -696
  37. package/kit/agents/plan-checker.md +273 -272
  38. package/kit/agents/planner.md +923 -922
  39. package/kit/agents/postmortem-writer.md +1 -0
  40. package/kit/agents/project-researcher.md +653 -652
  41. package/kit/agents/prr-conductor.md +1 -0
  42. package/kit/agents/refactor-safety-auditor.md +405 -404
  43. package/kit/agents/release-pipeline-auditor.md +1 -0
  44. package/kit/agents/research-synthesizer.md +246 -245
  45. package/kit/agents/roadmapper.md +678 -677
  46. package/kit/agents/schema-checker.md +1 -0
  47. package/kit/agents/seam-finder.md +360 -359
  48. package/kit/agents/shotgun-surgery-detector.md +350 -349
  49. package/kit/agents/slo-engineer.md +1 -0
  50. package/kit/agents/storytelling-analyst.md +1 -0
  51. package/kit/agents/supabase-architect.md +1 -0
  52. package/kit/agents/supabase-auth-bootstrapper.md +1 -0
  53. package/kit/agents/supabase-branching-architect.md +563 -562
  54. package/kit/agents/supabase-cicd-pipeline-implementer.md +778 -777
  55. package/kit/agents/supabase-column-privileges-writer.md +400 -399
  56. package/kit/agents/supabase-edge-fn-tester.md +2 -1
  57. package/kit/agents/supabase-edge-fn-writer.md +2 -1
  58. package/kit/agents/supabase-migration-writer.md +386 -385
  59. package/kit/agents/supabase-rbac-implementer.md +393 -392
  60. package/kit/agents/supabase-realtime-implementer.md +364 -363
  61. package/kit/agents/supabase-rls-hardener.md +522 -521
  62. package/kit/agents/supabase-rls-writer.md +324 -323
  63. package/kit/agents/supabase-roles-implementer.md +356 -355
  64. package/kit/agents/supabase-storage-implementer.md +1 -0
  65. package/kit/agents/super-admin-implementer.md +282 -281
  66. package/kit/agents/toil-auditor.md +1 -0
  67. package/kit/agents/ui-auditor.md +438 -437
  68. package/kit/agents/ui-checker.md +303 -302
  69. package/kit/agents/ui-researcher.md +356 -355
  70. package/kit/agents/user-profiler.md +176 -175
  71. package/kit/agents/validador-evolucao-schema.md +336 -335
  72. package/kit/agents/verifier.md +729 -728
  73. package/kit/commands/adicionar-backlog.md +75 -75
  74. package/kit/commands/adicionar-fase.md +42 -42
  75. package/kit/commands/adicionar-tarefa.md +45 -45
  76. package/kit/commands/adicionar-testes.md +41 -41
  77. package/kit/commands/ajuda.md +21 -21
  78. package/kit/commands/atualizar.md +37 -37
  79. package/kit/commands/auditar-cascading.md +111 -111
  80. package/kit/commands/auditar-marco.md +179 -179
  81. package/kit/commands/auditar-observabilidade-cobertura.md +183 -183
  82. package/kit/commands/auditar-refactor.md +219 -219
  83. package/kit/commands/auditar-release.md +109 -109
  84. package/kit/commands/auditar-uat.md +23 -23
  85. package/kit/commands/autonomo.md +40 -40
  86. package/kit/commands/branch-pr.md +24 -24
  87. package/kit/commands/burn-rate-status.md +408 -408
  88. package/kit/commands/capturar-payloads.md +193 -193
  89. package/kit/commands/caracterizar.md +212 -212
  90. package/kit/commands/concluir-marco.md +247 -247
  91. package/kit/commands/configuracoes.md +36 -36
  92. package/kit/commands/dados-distribuidos.md +188 -188
  93. package/kit/commands/definir-perfil.md +10 -10
  94. package/kit/commands/depurar.md +190 -190
  95. package/kit/commands/detectar-duplicacao.md +197 -197
  96. package/kit/commands/discutir-fase.md +131 -131
  97. package/kit/commands/encontrar-seams.md +136 -136
  98. package/kit/commands/entrar-discord.md +17 -17
  99. package/kit/commands/estatisticas.md +18 -18
  100. package/kit/commands/example-greeting.md +33 -33
  101. package/kit/commands/executar-fase.md +58 -58
  102. package/kit/commands/expresso.md +56 -56
  103. package/kit/commands/fase-ui.md +34 -34
  104. package/kit/commands/fazer.md +57 -57
  105. package/kit/commands/fio.md +125 -125
  106. package/kit/commands/fluxos-trabalho.md +64 -64
  107. package/kit/commands/forense.md +176 -176
  108. package/kit/commands/gerenciador.md +38 -38
  109. package/kit/commands/inserir-fase.md +31 -31
  110. package/kit/commands/legacy.md +263 -263
  111. package/kit/commands/limpeza.md +17 -17
  112. package/kit/commands/listar-hipoteses-fase.md +45 -45
  113. package/kit/commands/listar-workspaces.md +18 -18
  114. package/kit/commands/load-shedding.md +117 -117
  115. package/kit/commands/mapear-codebase.md +70 -70
  116. package/kit/commands/multi-tenant.md +163 -163
  117. package/kit/commands/nota.md +33 -33
  118. package/kit/commands/novo-marco.md +43 -43
  119. package/kit/commands/novo-projeto.md +41 -41
  120. package/kit/commands/novo-workspace.md +43 -43
  121. package/kit/commands/pausar-trabalho.md +37 -37
  122. package/kit/commands/perfil-usuario.md +45 -45
  123. package/kit/commands/pesquisar-fase.md +195 -195
  124. package/kit/commands/planejar-fase.md +67 -67
  125. package/kit/commands/planejar-lacunas.md +33 -33
  126. package/kit/commands/plantar-ideia.md +25 -25
  127. package/kit/commands/progresso.md +24 -24
  128. package/kit/commands/proximo.md +30 -30
  129. package/kit/commands/publicar.md +490 -490
  130. package/kit/commands/rapido.md +35 -35
  131. package/kit/commands/reaplicar-patches.md +124 -124
  132. package/kit/commands/refactor-seguro.md +321 -321
  133. package/kit/commands/relatorio-sessao.md +19 -19
  134. package/kit/commands/remover-fase.md +31 -31
  135. package/kit/commands/remover-workspace.md +26 -26
  136. package/kit/commands/resumo-marco.md +50 -50
  137. package/kit/commands/retomar-trabalho.md +40 -40
  138. package/kit/commands/revisar-backlog.md +60 -60
  139. package/kit/commands/revisar-ui.md +32 -32
  140. package/kit/commands/revisar.md +37 -37
  141. package/kit/commands/saude.md +21 -21
  142. package/kit/commands/setup-notion.md +93 -93
  143. package/kit/commands/storytelling.md +179 -179
  144. package/kit/commands/sync-main.md +68 -68
  145. package/kit/commands/validar-fase.md +35 -35
  146. package/kit/commands/verificar-tarefas.md +44 -44
  147. package/kit/commands/verificar-trabalho.md +64 -64
  148. package/kit/file-manifest.json +82 -81
  149. package/kit/framework/bin/lib/commands.cjs +959 -959
  150. package/kit/framework/bin/lib/config.cjs +442 -442
  151. package/kit/framework/bin/lib/core.cjs +1230 -1230
  152. package/kit/framework/bin/lib/frontmatter.cjs +336 -336
  153. package/kit/framework/bin/lib/init.cjs +1442 -1442
  154. package/kit/framework/bin/lib/milestone.cjs +252 -252
  155. package/kit/framework/bin/lib/model-profiles.cjs +68 -68
  156. package/kit/framework/bin/lib/phase.cjs +888 -888
  157. package/kit/framework/bin/lib/profile-output.cjs +952 -952
  158. package/kit/framework/bin/lib/profile-pipeline.cjs +539 -539
  159. package/kit/framework/bin/lib/roadmap.cjs +329 -329
  160. package/kit/framework/bin/lib/security.cjs +382 -382
  161. package/kit/framework/bin/lib/state.cjs +1031 -1031
  162. package/kit/framework/bin/lib/template.cjs +222 -222
  163. package/kit/framework/bin/lib/uat.cjs +282 -282
  164. package/kit/framework/bin/lib/verify.cjs +888 -888
  165. package/kit/framework/bin/lib/workstream.cjs +491 -491
  166. package/kit/framework/bin/tools.cjs +918 -918
  167. package/kit/framework/commands/workstreams.md +63 -63
  168. package/kit/framework/references/checkpoints.md +778 -778
  169. package/kit/framework/references/continuation-format.md +249 -249
  170. package/kit/framework/references/decimal-phase-calculation.md +64 -64
  171. package/kit/framework/references/git-integration.md +295 -295
  172. package/kit/framework/references/git-planning-commit.md +38 -38
  173. package/kit/framework/references/model-profile-resolution.md +36 -36
  174. package/kit/framework/references/model-profiles.md +139 -139
  175. package/kit/framework/references/phase-argument-parsing.md +61 -61
  176. package/kit/framework/references/planning-config.md +202 -202
  177. package/kit/framework/references/questioning.md +162 -162
  178. package/kit/framework/references/tdd.md +263 -263
  179. package/kit/framework/references/ui-brand.md +160 -160
  180. package/kit/framework/references/user-profiling.md +657 -657
  181. package/kit/framework/references/verification-patterns.md +612 -612
  182. package/kit/framework/references/workstream-flag.md +58 -58
  183. package/kit/framework/templates/DEBUG.md +164 -164
  184. package/kit/framework/templates/UAT.md +265 -265
  185. package/kit/framework/templates/UI-SPEC.md +100 -100
  186. package/kit/framework/templates/VALIDATION.md +76 -76
  187. package/kit/framework/templates/claude-md.md +122 -122
  188. package/kit/framework/templates/codebase/architecture.md +185 -185
  189. package/kit/framework/templates/codebase/concerns.md +205 -205
  190. package/kit/framework/templates/codebase/conventions.md +204 -204
  191. package/kit/framework/templates/codebase/integrations.md +192 -192
  192. package/kit/framework/templates/codebase/stack.md +158 -158
  193. package/kit/framework/templates/codebase/structure.md +199 -199
  194. package/kit/framework/templates/codebase/testing.md +301 -301
  195. package/kit/framework/templates/config.json +44 -44
  196. package/kit/framework/templates/context.md +352 -352
  197. package/kit/framework/templates/continue-here.md +78 -78
  198. package/kit/framework/templates/copilot-instructions.md +7 -7
  199. package/kit/framework/templates/debug-subagent-prompt.md +91 -91
  200. package/kit/framework/templates/dev-preferences.md +20 -20
  201. package/kit/framework/templates/discovery.md +146 -146
  202. package/kit/framework/templates/discussion-log.md +63 -63
  203. package/kit/framework/templates/milestone-archive.md +123 -123
  204. package/kit/framework/templates/milestone.md +115 -115
  205. package/kit/framework/templates/phase-prompt.md +610 -610
  206. package/kit/framework/templates/planner-subagent-prompt.md +117 -117
  207. package/kit/framework/templates/project.md +186 -186
  208. package/kit/framework/templates/requirements.md +231 -231
  209. package/kit/framework/templates/research-project/ARCHITECTURE.md +204 -204
  210. package/kit/framework/templates/research-project/FEATURES.md +147 -147
  211. package/kit/framework/templates/research-project/PITFALLS.md +200 -200
  212. package/kit/framework/templates/research-project/STACK.md +120 -120
  213. package/kit/framework/templates/research-project/SUMMARY.md +170 -170
  214. package/kit/framework/templates/research.md +419 -419
  215. package/kit/framework/templates/retrospective.md +54 -54
  216. package/kit/framework/templates/roadmap.md +202 -202
  217. package/kit/framework/templates/state.md +176 -176
  218. package/kit/framework/templates/summary-complex.md +59 -59
  219. package/kit/framework/templates/summary-minimal.md +41 -41
  220. package/kit/framework/templates/summary-standard.md +48 -48
  221. package/kit/framework/templates/summary.md +209 -209
  222. package/kit/framework/templates/user-profile.md +146 -146
  223. package/kit/framework/templates/user-setup.md +256 -256
  224. package/kit/framework/templates/verification-report.md +258 -258
  225. package/kit/framework/workflows/add-phase.md +112 -112
  226. package/kit/framework/workflows/add-tests.md +351 -351
  227. package/kit/framework/workflows/add-todo.md +158 -158
  228. package/kit/framework/workflows/audit-milestone.md +340 -340
  229. package/kit/framework/workflows/audit-uat.md +109 -109
  230. package/kit/framework/workflows/autonomous.md +891 -891
  231. package/kit/framework/workflows/check-todos.md +177 -177
  232. package/kit/framework/workflows/cleanup.md +152 -152
  233. package/kit/framework/workflows/complete-milestone.md +696 -696
  234. package/kit/framework/workflows/diagnose-issues.md +231 -231
  235. package/kit/framework/workflows/discovery-phase.md +289 -289
  236. package/kit/framework/workflows/discuss-phase-assumptions.md +653 -653
  237. package/kit/framework/workflows/discuss-phase.md +784 -784
  238. package/kit/framework/workflows/do.md +104 -104
  239. package/kit/framework/workflows/execute-phase.md +838 -838
  240. package/kit/framework/workflows/execute-plan.md +510 -510
  241. package/kit/framework/workflows/fast.md +102 -102
  242. package/kit/framework/workflows/forensics.md +265 -265
  243. package/kit/framework/workflows/health.md +181 -181
  244. package/kit/framework/workflows/help.md +619 -619
  245. package/kit/framework/workflows/insert-phase.md +130 -130
  246. package/kit/framework/workflows/list-phase-assumptions.md +178 -178
  247. package/kit/framework/workflows/list-workspaces.md +56 -56
  248. package/kit/framework/workflows/manager.md +362 -362
  249. package/kit/framework/workflows/map-codebase.md +377 -377
  250. package/kit/framework/workflows/milestone-summary.md +223 -223
  251. package/kit/framework/workflows/new-milestone.md +486 -486
  252. package/kit/framework/workflows/new-project.md +1159 -1159
  253. package/kit/framework/workflows/new-workspace.md +237 -237
  254. package/kit/framework/workflows/next.md +97 -97
  255. package/kit/framework/workflows/node-repair.md +92 -92
  256. package/kit/framework/workflows/note.md +156 -156
  257. package/kit/framework/workflows/pause-work.md +176 -176
  258. package/kit/framework/workflows/plan-milestone-gaps.md +273 -273
  259. package/kit/framework/workflows/plan-phase.md +765 -765
  260. package/kit/framework/workflows/plant-seed.md +169 -169
  261. package/kit/framework/workflows/pr-branch.md +129 -129
  262. package/kit/framework/workflows/profile-user.md +450 -450
  263. package/kit/framework/workflows/progress.md +507 -507
  264. package/kit/framework/workflows/quick.md +757 -757
  265. package/kit/framework/workflows/remove-phase.md +155 -155
  266. package/kit/framework/workflows/remove-workspace.md +90 -90
  267. package/kit/framework/workflows/research-phase.md +82 -82
  268. package/kit/framework/workflows/resume-project.md +326 -326
  269. package/kit/framework/workflows/review.md +228 -228
  270. package/kit/framework/workflows/session-report.md +146 -146
  271. package/kit/framework/workflows/settings.md +283 -283
  272. package/kit/framework/workflows/ship.md +228 -228
  273. package/kit/framework/workflows/stats.md +60 -60
  274. package/kit/framework/workflows/transition.md +671 -671
  275. package/kit/framework/workflows/ui-phase.md +302 -302
  276. package/kit/framework/workflows/ui-review.md +165 -165
  277. package/kit/framework/workflows/update.md +323 -323
  278. package/kit/framework/workflows/validate-phase.md +174 -174
  279. package/kit/framework/workflows/verify-phase.md +252 -252
  280. package/kit/framework/workflows/verify-work.md +637 -637
  281. package/kit/hooks/check-update.js +118 -118
  282. package/kit/hooks/context-monitor.js +163 -163
  283. package/kit/hooks/kit-attribution-reminder.cjs +29 -50
  284. package/kit/hooks/kit-router.cjs +137 -0
  285. package/kit/hooks/prompt-guard.js +103 -103
  286. package/kit/hooks/statusline.js +125 -125
  287. package/kit/hooks/workflow-guard.js +101 -101
  288. package/kit/settings.json +45 -45
  289. package/kit/skills/ai-prompt-characterization/SKILL.md +335 -335
  290. package/kit/skills/armadilhas-sistemas-distribuidos/SKILL.md +447 -447
  291. package/kit/skills/audit-log-multi-tenant/SKILL.md +340 -340
  292. package/kit/skills/b2b-saas-architecture/SKILL.md +300 -300
  293. package/kit/skills/consistencia-leitura-replica/SKILL.md +385 -385
  294. package/kit/skills/crm-lead-pipeline-patterns/SKILL.md +343 -343
  295. package/kit/skills/escolha-modelo-consistencia/SKILL.md +494 -494
  296. package/kit/skills/evolucao-schema-compativel/SKILL.md +448 -448
  297. package/kit/skills/evolution-go-whatsapp-integration/SKILL.md +322 -322
  298. package/kit/skills/example-skill/SKILL.md +42 -42
  299. package/kit/skills/legacy-api-only-applications/SKILL.md +358 -358
  300. package/kit/skills/legacy-characterization-tests/SKILL.md +330 -330
  301. package/kit/skills/legacy-effect-analysis/SKILL.md +331 -331
  302. package/kit/skills/legacy-extract-class/SKILL.md +203 -203
  303. package/kit/skills/legacy-programming-by-difference/SKILL.md +252 -252
  304. package/kit/skills/legacy-seams-and-test-harness/SKILL.md +460 -460
  305. package/kit/skills/legacy-shotgun-surgery/SKILL.md +286 -286
  306. package/kit/skills/legacy-sprout-wrap-techniques/SKILL.md +434 -434
  307. package/kit/skills/legacy-storytelling-naked-crc/SKILL.md +270 -270
  308. package/kit/skills/lgpd-multi-tenant-compliance/SKILL.md +340 -340
  309. package/kit/skills/member-invite-flow/SKILL.md +305 -305
  310. package/kit/skills/member-management-react-shadcn/SKILL.md +328 -328
  311. package/kit/skills/multi-tenant-performance-scaling/SKILL.md +316 -316
  312. package/kit/skills/multi-tenant-rls-hierarchy/SKILL.md +342 -342
  313. package/kit/skills/org-onboarding-flow/SKILL.md +257 -257
  314. package/kit/skills/org-switcher-react-pattern/SKILL.md +349 -349
  315. package/kit/skills/permission-gate-react-pattern/SKILL.md +271 -271
  316. package/kit/skills/postgres-isolamento-concorrencia/SKILL.md +552 -552
  317. package/kit/skills/pre-refactor-characterization/SKILL.md +421 -421
  318. package/kit/skills/rbac-permissions-matrix-supabase/SKILL.md +338 -338
  319. package/kit/skills/streams-eventos-cdc/SKILL.md +711 -711
  320. package/kit/skills/supabase-branching-workflow/SKILL.md +544 -544
  321. package/kit/skills/supabase-ci-cd-github-actions/SKILL.md +880 -880
  322. package/kit/skills/supabase-column-level-security/SKILL.md +426 -426
  323. package/kit/skills/supabase-config-toml-remotes/SKILL.md +807 -807
  324. package/kit/skills/supabase-custom-claims-rbac/SKILL.md +472 -472
  325. package/kit/skills/supabase-edge-functions/SKILL.md +1 -1
  326. package/kit/skills/supabase-edge-functions-auth/SKILL.md +1 -1
  327. package/kit/skills/supabase-edge-functions-limits/SKILL.md +1 -1
  328. package/kit/skills/supabase-edge-functions-mcp-server/SKILL.md +1 -1
  329. package/kit/skills/supabase-edge-functions-testing/SKILL.md +1 -1
  330. package/kit/skills/supabase-edge-runtime-builtins/SKILL.md +1 -1
  331. package/kit/skills/supabase-migration-repair/SKILL.md +823 -823
  332. package/kit/skills/supabase-migrations/SKILL.md +297 -297
  333. package/kit/skills/supabase-pgtap-testing/SKILL.md +1053 -1053
  334. package/kit/skills/supabase-postgres-roles/SKILL.md +392 -392
  335. package/kit/skills/supabase-realtime/SKILL.md +460 -460
  336. package/kit/skills/supabase-rls-defense-in-depth/SKILL.md +418 -418
  337. package/kit/skills/supabase-rls-policies/SKILL.md +635 -635
  338. package/kit/skills/super-admin-platform-pattern/SKILL.md +326 -326
  339. package/kit/skills/tenant-quente-mitigacao/SKILL.md +605 -605
  340. package/kit/skills/whatsapp-conversation-state-machine/SKILL.md +287 -287
  341. package/package.json +1 -1
  342. package/src/core/kit.js +216 -216
  343. package/src/core/reflect.js +247 -247
  344. package/src/core/reverse-sync.js +372 -372
  345. package/src/core/sync.js +437 -418
  346. package/src/core/watch.js +121 -121
  347. package/src/mcp-server/index.js +794 -746
package/kit/skills/supabase-postgres-roles/SKILL.md CHANGED
@@ -1,392 +1,392 @@
1
- ---
2
- name: supabase-postgres-roles
3
- description: Use ao gerenciar Postgres roles em Supabase — system access (cron jobs, BI tools, ETL, admin scripts). Distinção canônica vs RLS+Custom Claims (application access).
4
- ---
5
-
6
- # Supabase — Postgres Roles
7
-
8
- ## Quando usar (e quando NÃO usar)
9
-
10
- Postgres roles gerenciam acesso ao banco — **system access** (service accounts internos, cron jobs, BI tools, ETL, admin scripts).
11
-
12
- **Use Postgres roles APENAS para:**
13
-
14
- - ✅ Service accounts internos (cron jobs com pg_cron, BI tools como Metabase, ETL scripts)
15
- - ✅ Admin roles com BYPASSRLS (`security_admin`, `dpo_role`, `lead_manager`, `platform_admin`)
16
- - ✅ Roles para column-level GRANTs específicos (cross-ref skill `supabase-column-level-security` v1.24)
17
- - ✅ Custom roles que substituem service_role key em scripts (auditabilidade superior)
18
-
19
- **NÃO use Postgres roles para:**
20
-
21
- - ❌ "Admin vs user" application access → use **RLS + Custom Claims** (skill `supabase-custom-claims-rbac` v1.25)
22
- - ❌ Filtrar dados por linha → use **RLS row-level** (skill `supabase-rls-policies` v1.23)
23
- - ❌ Filtrar dados por coluna → use **Column-Level Privileges** (skill `supabase-column-level-security` v1.24)
24
- - ❌ Substituir auth.users (auth.users é gerenciado pelo Supabase Auth — não criar roles para end-users)
25
-
26
- Trigger phrases:
27
-
28
- - "create role Postgres", "custom Postgres role"
29
- - "role hierarchy", "INHERIT NOINHERIT"
30
- - "GRANT REVOKE Postgres"
31
- - "service account Supabase", "cron job role"
32
- - "Postgres roles vs RLS"
33
-
34
- ## Distinção canônica
35
-
36
- | | Application Access | System Access |
37
- |---|---|---|
38
- | Mecanismo | RLS + Custom Claims | Postgres Roles |
39
- | Quem é o "user" | End-user via JWT (`auth.uid()`) | Service account interno |
40
- | Identidade | JWT claim (`user_role`) | Postgres role login |
41
- | Permissions | Granular por linha/coluna | Per tabela/schema/function |
42
- | Audit trail | RLS denial logs (42501) | pg_stat_statements por role |
43
- | Example | "User admin pode deletar messages" | "Cron job pode SELECT em todas tabs para backup" |
44
-
45
- ## Princípio canônico
46
-
47
- Roles vs Users:
48
-
49
- - **Role** = entidade Postgres que pode ter permissions
50
- - **User** = role com `LOGIN` privilege (pode autenticar via senha)
51
- - **Group** = role sem `LOGIN` (usado para herança de permissions)
52
-
53
- ```sql
54
- -- group role (sem LOGIN — usado para hierarchy)
55
- create role "readonly_group";
56
-
57
- -- user role (com LOGIN — service account)
58
- create role "readonly_user" with login password 'extremely_secure_pwd';
59
-
60
- -- user role inherita do group
61
- grant readonly_group to readonly_user;
62
- -- agora readonly_user tem todas permissions do readonly_group
63
- ```
64
-
65
- ## Pattern 1: CREATE ROLE básico
66
-
67
- ### Group role (sem LOGIN)
68
-
69
- ```sql
70
- create role "billing_group";
71
- -- usado apenas como container de permissions; não pode logar
72
- ```
73
-
74
- ### User role (com LOGIN PASSWORD)
75
-
76
- ```sql
77
- create role "billing_service" with login password 'p4ss-w0rd!sup3r_s3cur3';
78
- ```
79
-
80
- **Password best practices (canônico):**
81
-
82
- 1. **12+ characters mínimo** — quanto mais longo, melhor
83
- 2. **Use password manager** para gerar (Bitwarden, 1Password, etc.)
84
- 3. **Mix upper + lower + numbers + special symbols** (`! @ # $ % &`)
85
- 4. **NÃO use dictionary words** comuns
86
- 5. **Roteie via secrets vault** — nunca hardcode em git
87
-
88
- ### Caveat — Percent-encoding em connection string
89
-
90
- Special symbols em password precisam ser **percent-encoded** quando usados em connection string:
91
-
92
- ```
93
- ANTES (raw password): p=ssword
94
- DEPOIS (em URL): p%3Dssword
95
-
96
- Connection string:
97
- postgresql://postgres.projectref:p%3Dssword@aws-0-us-east-1.pooler.supabase.com:6543/postgres
98
- ```
99
-
100
- Tabela de encoding canônica:
101
-
102
- | Char | Encoded |
103
- |------|---------|
104
- | `=` | `%3D` |
105
- | `&` | `%26` |
106
- | `+` | `%2B` |
107
- | `#` | `%23` |
108
- | `:` | `%3A` |
109
- | `/` | `%2F` |
110
- | `@` | `%40` |
111
- | `space` | `%20` |
112
-
113
- ## Pattern 2: GRANT / REVOKE permissions
114
-
115
- GRANT canônico:
116
-
117
- ```sql
118
- -- permission em schema completo
119
- grant usage on schema public to billing_service;
120
- grant select on all tables in schema public to billing_service;
121
-
122
- -- permission em tabela específica
123
- grant select, insert on table public.invoices to billing_service;
124
-
125
- -- permission em função específica
126
- grant execute on function public.calculate_total(uuid) to billing_service;
127
-
128
- -- permission em sequence (necessário para INSERT em tabelas com SERIAL/BIGSERIAL)
129
- grant usage on sequence public.invoices_id_seq to billing_service;
130
- ```
131
-
132
- REVOKE canônico:
133
-
134
- ```sql
135
- revoke select on table public.invoices from billing_service;
136
- revoke execute on function public.calculate_total(uuid) from billing_service;
137
- ```
138
-
139
- **Caveat — Default privileges para novos objetos:**
140
-
141
- GRANT em "all tables" só cobre tabelas **existentes**. Para tabelas futuras criadas no schema, use `ALTER DEFAULT PRIVILEGES`:
142
-
143
- ```sql
144
- -- todas tabelas futuras criadas em public terão SELECT GRANT para billing_service
145
- alter default privileges in schema public
146
- grant select on tables to billing_service;
147
- ```
148
-
149
- ## Pattern 3: Role Hierarchy (INHERIT / NOINHERIT)
150
-
151
- INHERIT (default): child role herda permissions do parent.
152
-
153
- ```sql
154
- -- group com permissions base
155
- create role "readers";
156
- grant select on all tables in schema public to readers;
157
-
158
- -- user inherita
159
- create role "alice" with login password 'pwd1';
160
- grant readers to alice;
161
- -- alice agora tem SELECT em todas tabelas public (via readers)
162
-
163
- -- multi-level hierarchy
164
- create role "admins";
165
- grant readers to admins; -- admins inherita de readers
166
- grant insert, update, delete on all tables in schema public to admins;
167
-
168
- create role "bob" with login password 'pwd2';
169
- grant admins to bob;
170
- -- bob inherita de admins (que inherita de readers) — full CRUD em public
171
- ```
172
-
173
- NOINHERIT: child role tem que **explicitamente** assumir parent role para usar permissions.
174
-
175
- ```sql
176
- create role "superuser_proxy" noinherit;
177
- grant postgres to superuser_proxy;
178
-
179
- -- Para usar permissions de postgres, superuser_proxy precisa SET ROLE:
180
- set role postgres;
181
- -- agora opera como postgres
182
- reset role;
183
- ```
184
-
185
- **Quando usar NOINHERIT:**
186
-
187
- - Roles superuser (postgres) — exigir SET ROLE explícito como guard
188
- - Audit trail mais claro (queries mostram a role ativa)
189
- - Princípio canônico: opt-in explícito em vez de implícito
190
-
191
- ## 10 Predefined Supabase Roles (documentação)
192
-
193
- Supabase configura 10 roles automaticamente em todo projeto. **Não criar substitutos** — documentar e usar conforme apropriado.
194
-
195
- ### `postgres`
196
- **Tipo:** Admin/superuser. **Quando usar:** scripts de admin via dashboard ou psql direto.
197
- **NUNCA:** dar password ao third-party ou expor.
198
-
199
- ### `anon`
200
- **Tipo:** Public unauthenticated. **Quando usar:** requests sem JWT (cliente deslogado).
201
- **Caveat:** `anon` Postgres role ≠ anonymous Auth user (cross-ref skill `supabase-rls-policies` v1.23).
202
-
203
- ### `authenticator`
204
- **Tipo:** PostgREST switch role. **Quando usar:** internal — PostgREST recebe JWT, valida, e switches para `anon` ou `authenticated` baseado em claims.
205
- **Caveat:** acesso muito limitado — apenas SWITCH ROLE.
206
-
207
- ### `authenticated`
208
- **Tipo:** Logged-in users. **Quando usar:** requests com JWT válido (autenticado).
209
-
210
- ### `service_role`
211
- **Tipo:** Bypass RLS. **Quando usar:** backend tasks (Edge Functions, scripts admin).
212
- **NUNCA:** expor ao cliente — vazamento = acesso total ao DB.
213
-
214
- ### `supabase_auth_admin`
215
- **Tipo:** Auth middleware. **Quando usar:** internal — Supabase Auth service.
216
- **Caveat:** GRANT EXECUTE em Custom Access Token Auth Hook (cross-ref skill `supabase-custom-claims-rbac` v1.25); scope `auth` schema.
217
-
218
- ### `supabase_storage_admin`
219
- **Tipo:** Storage middleware. **Quando usar:** internal — Supabase Storage service. Scope `storage` schema.
220
-
221
- ### `supabase_etl_admin`
222
- **Tipo:** Replication. **Quando usar:** internal — Replication powered by Supabase ETL. Read-all + bypass RLS + write `etl` schema.
223
-
224
- ### `dashboard_user`
225
- **Tipo:** Supabase UI. **Quando usar:** internal — commands via Supabase dashboard.
226
-
227
- ### `supabase_admin`
228
- **Tipo:** Internal admin. **Quando usar:** internal — upgrades + automations.
229
-
230
- ## Pattern 4: Custom service account roles
231
-
232
- Caso canônico — criar role dedicado em vez de service_role API key:
233
-
234
- ```sql
235
- -- 1. role para cron job (sem LOGIN — usado via pg_cron)
236
- create role "cron_job_role" noinherit;
237
- -- bypass RLS para acessar todas orgs
238
- alter role "cron_job_role" with bypassrls;
239
-
240
- -- 2. GRANTs específicos
241
- grant usage on schema public to cron_job_role;
242
- grant select, insert, delete on table public.audit_log to cron_job_role;
243
-
244
- -- 3. pg_cron usa este role
245
- select cron.schedule(
246
- 'cleanup_old_logs',
247
- '0 3 * * *',
248
- $$ delete from public.audit_log where created_at < now() - interval '90 days' $$
249
- );
250
- -- pg_cron executa as queries com este role; auditabilidade superior vs service_role API key
251
- ```
252
-
253
- ```sql
254
- -- role para BI tool (Metabase) — read-only com login
255
- create role "metabase_reader" with login password 'percent-encode-this!';
256
- alter role "metabase_reader" with bypassrls; -- BI precisa ver todas linhas
257
-
258
- grant usage on schema public to metabase_reader;
259
- grant select on all tables in schema public to metabase_reader;
260
- alter default privileges in schema public
261
- grant select on tables to metabase_reader;
262
- ```
263
-
264
- ## Changing postgres password
265
-
266
- Mudar password do `postgres` role:
267
-
268
- 1. **Dashboard:** Database Settings page → "Database password" → enter new
269
- 2. **Sem downtime:** serviços internos (PostgREST, PgBouncer, etc.) auto-update
270
- 3. **External services com hardcoded credentials:** manual update necessário (revisar deploy configs)
271
-
272
- **NÃO:** dar password do `postgres` role para third-party — crie role dedicado.
273
-
274
- ## Auditoria — pg_stat_statements por role
275
-
276
- Cada role tem queries rastreáveis em `pg_stat_statements`:
277
-
278
- ```sql
279
- select
280
- rolname,
281
- count(*) as query_count,
282
- sum(total_exec_time)::numeric(10,2) as total_time_ms
283
- from pg_stat_statements s
284
- join pg_roles r on s.userid = r.oid
285
- where rolname not in ('postgres', 'authenticator') -- filtrar admin
286
- group by rolname
287
- order by total_time_ms desc;
288
- ```
289
-
290
- Identificar qual service account está consumindo mais — útil para debug + capacity planning.
291
-
292
- ## Anti-patterns
293
-
294
- ### Anti-pattern 1: Usar service_role API key para tudo
295
-
296
- **Errado:**
297
- ```bash
298
- # .env do cron job
299
- SUPABASE_KEY=eyJ...service_role_key...
300
- ```
301
-
302
- **Por quê:** sem auditabilidade — todas queries logam como `service_role`; difícil identificar qual script fez o quê.
303
-
304
- **Certo:** criar role dedicado por service account:
305
- ```sql
306
- create role "cron_billing_role" noinherit;
307
- alter role "cron_billing_role" with bypassrls;
308
- -- GRANTs específicos
309
- -- pg_cron usa este role; queries logam com identidade clara
310
- ```
311
-
312
- ### Anti-pattern 2: Custom role para "admin vs user" application access
313
-
314
- **Errado:**
315
- ```sql
316
- -- criar role "admin" Postgres para gerenciar quem é admin no app
317
- create role "app_admin";
318
- -- ... add users to this role ...
319
- ```
320
-
321
- **Por quê:** Postgres roles não são designed para application access — não dinâmico, não auditável, mistura system + application concerns.
322
-
323
- **Certo:** use RLS + Custom Claims (skill `supabase-custom-claims-rbac` v1.25) — `user_role: 'admin'` no JWT via auth hook, consultado por `authorize()`.
324
-
325
- ### Anti-pattern 3: Password sem percent-encoding em URL
326
-
327
- **Errado:**
328
- ```
329
- postgresql://user:p=ssword@host/db
330
- ```
331
-
332
- **Por quê:** `=` é parseado como query string separator — conexão falha.
333
-
334
- **Certo:**
335
- ```
336
- postgresql://user:p%3Dssword@host/db
337
- ```
338
-
339
- ### Anti-pattern 4: INHERIT em superuser-like role
340
-
341
- **Errado:**
342
- ```sql
343
- create role "dba_role" inherit; -- inherit default em todos roles
344
- grant postgres to dba_role;
345
- -- dba_role agora tem postgres privileges implicitly
346
- ```
347
-
348
- **Por quê:** sem audit trail explícito de quando privileges admin são usados.
349
-
350
- **Certo:** NOINHERIT + SET ROLE explícito:
351
- ```sql
352
- create role "dba_role" noinherit;
353
- grant postgres to dba_role;
354
- -- usuário precisa: set role postgres; ...; reset role;
355
- -- queries logam com identidade postgres durante operação
356
- ```
357
-
358
- ### Anti-pattern 5: Criar role sem documentação
359
-
360
- **Errado:**
361
- ```sql
362
- create role "xyz" with login password 'pwd';
363
- -- 6 meses depois, ninguém sabe pra que serve
364
- ```
365
-
366
- **Por quê:** sem documentação, próximo dev assume é abandoned + remove ou mantém indefinidamente.
367
-
368
- **Certo:** sempre comment no migration + entry em README:
369
- ```sql
370
- -- role para Metabase BI conectar em produção (read-only)
371
- -- Owner: data-team@company.com
372
- -- Created: 2026-05-11 v1.26
373
- create role "metabase_reader" with login password '<from-vault>';
374
- comment on role "metabase_reader" is 'BI tool service account — read-only. Owner: data-team@company.com';
375
- ```
376
-
377
- ## Cross-suite integration (v1.26)
378
-
379
- Esta skill é base para agent novo `supabase-roles-implementer` (Phase 145) — recebe spec via `Task()` e materializa CREATE ROLE + GRANT/REVOKE + hierarchy. Pattern de handoff cooperativo herdado de v1.23-v1.25.
380
-
381
- Para column-level GRANTs específicos por role, **combine** com skill `supabase-column-level-security` (v1.24). Para custom claims que entregam `user_role` no JWT, use skill `supabase-custom-claims-rbac` (v1.25) — Postgres roles são para system access; custom claims são para application access.
382
-
383
- ## Ver também
384
-
385
- - [supabase-roles-implementer](../../agents/supabase-roles-implementer.md) (v1.26) — canonical materializer
386
- - [supabase-rls-policies](../supabase-rls-policies/SKILL.md) (v1.23) — section "Postgres Roles vs RLS — quando usar qual" (v1.26)
387
- - [supabase-rls-defense-in-depth](../supabase-rls-defense-in-depth/SKILL.md) (v1.23) — Camada 10 (Postgres Roles Hierarchy) v1.26
388
- - [supabase-database-functions](../supabase-database-functions/SKILL.md) — GRANT EXECUTE patterns
389
- - [supabase-column-level-security](../supabase-column-level-security/SKILL.md) (v1.24) — combinar com column-level GRANTs por role
390
- - [supabase-custom-claims-rbac](../supabase-custom-claims-rbac/SKILL.md) (v1.25) — distinção canônica system access vs application access
391
- - [glossário compartilhado](../_shared-supabase/glossary.md) — termos Postgres roles, INHERIT/NOINHERIT, LOGIN PASSWORD, GRANT/REVOKE syntax, role hierarchy, predefined Supabase roles, role switching authenticator, percent-encoding password
392
- - Doc oficial Postgres: [Database Roles](https://www.postgresql.org/docs/current/database-roles.html), [Role Membership](https://www.postgresql.org/docs/current/role-membership.html), [Function Permissions](https://www.postgresql.org/docs/current/perm-functions.html)
1
+ ---
2
+ name: supabase-postgres-roles
3
+ description: Use ao gerenciar Postgres roles em Supabase — system access (cron jobs, BI tools, ETL, admin scripts). Distinção canônica vs RLS+Custom Claims (application access).
4
+ ---
5
+
6
+ # Supabase — Postgres Roles
7
+
8
+ ## Quando usar (e quando NÃO usar)
9
+
10
+ Postgres roles gerenciam acesso ao banco — **system access** (service accounts internos, cron jobs, BI tools, ETL, admin scripts).
11
+
12
+ **Use Postgres roles APENAS para:**
13
+
14
+ - ✅ Service accounts internos (cron jobs com pg_cron, BI tools como Metabase, ETL scripts)
15
+ - ✅ Admin roles com BYPASSRLS (`security_admin`, `dpo_role`, `lead_manager`, `platform_admin`)
16
+ - ✅ Roles para column-level GRANTs específicos (cross-ref skill `supabase-column-level-security` v1.24)
17
+ - ✅ Custom roles que substituem service_role key em scripts (auditabilidade superior)
18
+
19
+ **NÃO use Postgres roles para:**
20
+
21
+ - ❌ "Admin vs user" application access → use **RLS + Custom Claims** (skill `supabase-custom-claims-rbac` v1.25)
22
+ - ❌ Filtrar dados por linha → use **RLS row-level** (skill `supabase-rls-policies` v1.23)
23
+ - ❌ Filtrar dados por coluna → use **Column-Level Privileges** (skill `supabase-column-level-security` v1.24)
24
+ - ❌ Substituir auth.users (auth.users é gerenciado pelo Supabase Auth — não criar roles para end-users)
25
+
26
+ Trigger phrases:
27
+
28
+ - "create role Postgres", "custom Postgres role"
29
+ - "role hierarchy", "INHERIT NOINHERIT"
30
+ - "GRANT REVOKE Postgres"
31
+ - "service account Supabase", "cron job role"
32
+ - "Postgres roles vs RLS"
33
+
34
+ ## Distinção canônica
35
+
36
+ | | Application Access | System Access |
37
+ |---|---|---|
38
+ | Mecanismo | RLS + Custom Claims | Postgres Roles |
39
+ | Quem é o "user" | End-user via JWT (`auth.uid()`) | Service account interno |
40
+ | Identidade | JWT claim (`user_role`) | Postgres role login |
41
+ | Permissions | Granular por linha/coluna | Per tabela/schema/function |
42
+ | Audit trail | RLS denial logs (42501) | pg_stat_statements por role |
43
+ | Example | "User admin pode deletar messages" | "Cron job pode SELECT em todas tabs para backup" |
44
+
45
+ ## Princípio canônico
46
+
47
+ Roles vs Users:
48
+
49
+ - **Role** = entidade Postgres que pode ter permissions
50
+ - **User** = role com `LOGIN` privilege (pode autenticar via senha)
51
+ - **Group** = role sem `LOGIN` (usado para herança de permissions)
52
+
53
+ ```sql
54
+ -- group role (sem LOGIN — usado para hierarchy)
55
+ create role "readonly_group";
56
+
57
+ -- user role (com LOGIN — service account)
58
+ create role "readonly_user" with login password 'extremely_secure_pwd';
59
+
60
+ -- user role inherita do group
61
+ grant readonly_group to readonly_user;
62
+ -- agora readonly_user tem todas permissions do readonly_group
63
+ ```
64
+
65
+ ## Pattern 1: CREATE ROLE básico
66
+
67
+ ### Group role (sem LOGIN)
68
+
69
+ ```sql
70
+ create role "billing_group";
71
+ -- usado apenas como container de permissions; não pode logar
72
+ ```
73
+
74
+ ### User role (com LOGIN PASSWORD)
75
+
76
+ ```sql
77
+ create role "billing_service" with login password 'p4ss-w0rd!sup3r_s3cur3';
78
+ ```
79
+
80
+ **Password best practices (canônico):**
81
+
82
+ 1. **12+ characters mínimo** — quanto mais longo, melhor
83
+ 2. **Use password manager** para gerar (Bitwarden, 1Password, etc.)
84
+ 3. **Mix upper + lower + numbers + special symbols** (`! @ # $ % &`)
85
+ 4. **NÃO use dictionary words** comuns
86
+ 5. **Roteie via secrets vault** — nunca hardcode em git
87
+
88
+ ### Caveat — Percent-encoding em connection string
89
+
90
+ Special symbols em password precisam ser **percent-encoded** quando usados em connection string:
91
+
92
+ ```
93
+ ANTES (raw password): p=ssword
94
+ DEPOIS (em URL): p%3Dssword
95
+
96
+ Connection string:
97
+ postgresql://postgres.projectref:p%3Dssword@aws-0-us-east-1.pooler.supabase.com:6543/postgres
98
+ ```
99
+
100
+ Tabela de encoding canônica:
101
+
102
+ | Char | Encoded |
103
+ |------|---------|
104
+ | `=` | `%3D` |
105
+ | `&` | `%26` |
106
+ | `+` | `%2B` |
107
+ | `#` | `%23` |
108
+ | `:` | `%3A` |
109
+ | `/` | `%2F` |
110
+ | `@` | `%40` |
111
+ | `space` | `%20` |
112
+
113
+ ## Pattern 2: GRANT / REVOKE permissions
114
+
115
+ GRANT canônico:
116
+
117
+ ```sql
118
+ -- permission em schema completo
119
+ grant usage on schema public to billing_service;
120
+ grant select on all tables in schema public to billing_service;
121
+
122
+ -- permission em tabela específica
123
+ grant select, insert on table public.invoices to billing_service;
124
+
125
+ -- permission em função específica
126
+ grant execute on function public.calculate_total(uuid) to billing_service;
127
+
128
+ -- permission em sequence (necessário para INSERT em tabelas com SERIAL/BIGSERIAL)
129
+ grant usage on sequence public.invoices_id_seq to billing_service;
130
+ ```
131
+
132
+ REVOKE canônico:
133
+
134
+ ```sql
135
+ revoke select on table public.invoices from billing_service;
136
+ revoke execute on function public.calculate_total(uuid) from billing_service;
137
+ ```
138
+
139
+ **Caveat — Default privileges para novos objetos:**
140
+
141
+ GRANT em "all tables" só cobre tabelas **existentes**. Para tabelas futuras criadas no schema, use `ALTER DEFAULT PRIVILEGES`:
142
+
143
+ ```sql
144
+ -- todas tabelas futuras criadas em public terão SELECT GRANT para billing_service
145
+ alter default privileges in schema public
146
+ grant select on tables to billing_service;
147
+ ```
148
+
149
+ ## Pattern 3: Role Hierarchy (INHERIT / NOINHERIT)
150
+
151
+ INHERIT (default): child role herda permissions do parent.
152
+
153
+ ```sql
154
+ -- group com permissions base
155
+ create role "readers";
156
+ grant select on all tables in schema public to readers;
157
+
158
+ -- user inherita
159
+ create role "alice" with login password 'pwd1';
160
+ grant readers to alice;
161
+ -- alice agora tem SELECT em todas tabelas public (via readers)
162
+
163
+ -- multi-level hierarchy
164
+ create role "admins";
165
+ grant readers to admins; -- admins inherita de readers
166
+ grant insert, update, delete on all tables in schema public to admins;
167
+
168
+ create role "bob" with login password 'pwd2';
169
+ grant admins to bob;
170
+ -- bob inherita de admins (que inherita de readers) — full CRUD em public
171
+ ```
172
+
173
+ NOINHERIT: child role tem que **explicitamente** assumir parent role para usar permissions.
174
+
175
+ ```sql
176
+ create role "superuser_proxy" noinherit;
177
+ grant postgres to superuser_proxy;
178
+
179
+ -- Para usar permissions de postgres, superuser_proxy precisa SET ROLE:
180
+ set role postgres;
181
+ -- agora opera como postgres
182
+ reset role;
183
+ ```
184
+
185
+ **Quando usar NOINHERIT:**
186
+
187
+ - Roles superuser (postgres) — exigir SET ROLE explícito como guard
188
+ - Audit trail mais claro (queries mostram a role ativa)
189
+ - Princípio canônico: opt-in explícito em vez de implícito
190
+
191
+ ## 10 Predefined Supabase Roles (documentação)
192
+
193
+ Supabase configura 10 roles automaticamente em todo projeto. **Não criar substitutos** — documentar e usar conforme apropriado.
194
+
195
+ ### `postgres`
196
+ **Tipo:** Admin/superuser. **Quando usar:** scripts de admin via dashboard ou psql direto.
197
+ **NUNCA:** dar password ao third-party ou expor.
198
+
199
+ ### `anon`
200
+ **Tipo:** Public unauthenticated. **Quando usar:** requests sem JWT (cliente deslogado).
201
+ **Caveat:** `anon` Postgres role ≠ anonymous Auth user (cross-ref skill `supabase-rls-policies` v1.23).
202
+
203
+ ### `authenticator`
204
+ **Tipo:** PostgREST switch role. **Quando usar:** internal — PostgREST recebe JWT, valida, e switches para `anon` ou `authenticated` baseado em claims.
205
+ **Caveat:** acesso muito limitado — apenas SWITCH ROLE.
206
+
207
+ ### `authenticated`
208
+ **Tipo:** Logged-in users. **Quando usar:** requests com JWT válido (autenticado).
209
+
210
+ ### `service_role`
211
+ **Tipo:** Bypass RLS. **Quando usar:** backend tasks (Edge Functions, scripts admin).
212
+ **NUNCA:** expor ao cliente — vazamento = acesso total ao DB.
213
+
214
+ ### `supabase_auth_admin`
215
+ **Tipo:** Auth middleware. **Quando usar:** internal — Supabase Auth service.
216
+ **Caveat:** GRANT EXECUTE em Custom Access Token Auth Hook (cross-ref skill `supabase-custom-claims-rbac` v1.25); scope `auth` schema.
217
+
218
+ ### `supabase_storage_admin`
219
+ **Tipo:** Storage middleware. **Quando usar:** internal — Supabase Storage service. Scope `storage` schema.
220
+
221
+ ### `supabase_etl_admin`
222
+ **Tipo:** Replication. **Quando usar:** internal — Replication powered by Supabase ETL. Read-all + bypass RLS + write `etl` schema.
223
+
224
+ ### `dashboard_user`
225
+ **Tipo:** Supabase UI. **Quando usar:** internal — commands via Supabase dashboard.
226
+
227
+ ### `supabase_admin`
228
+ **Tipo:** Internal admin. **Quando usar:** internal — upgrades + automations.
229
+
230
+ ## Pattern 4: Custom service account roles
231
+
232
+ Caso canônico — criar role dedicado em vez de service_role API key:
233
+
234
+ ```sql
235
+ -- 1. role para cron job (sem LOGIN — usado via pg_cron)
236
+ create role "cron_job_role" noinherit;
237
+ -- bypass RLS para acessar todas orgs
238
+ alter role "cron_job_role" with bypassrls;
239
+
240
+ -- 2. GRANTs específicos
241
+ grant usage on schema public to cron_job_role;
242
+ grant select, insert, delete on table public.audit_log to cron_job_role;
243
+
244
+ -- 3. pg_cron usa este role
245
+ select cron.schedule(
246
+ 'cleanup_old_logs',
247
+ '0 3 * * *',
248
+ $$ delete from public.audit_log where created_at < now() - interval '90 days' $$
249
+ );
250
+ -- pg_cron executa as queries com este role; auditabilidade superior vs service_role API key
251
+ ```
252
+
253
+ ```sql
254
+ -- role para BI tool (Metabase) — read-only com login
255
+ create role "metabase_reader" with login password 'percent-encode-this!';
256
+ alter role "metabase_reader" with bypassrls; -- BI precisa ver todas linhas
257
+
258
+ grant usage on schema public to metabase_reader;
259
+ grant select on all tables in schema public to metabase_reader;
260
+ alter default privileges in schema public
261
+ grant select on tables to metabase_reader;
262
+ ```
263
+
264
+ ## Changing postgres password
265
+
266
+ Mudar password do `postgres` role:
267
+
268
+ 1. **Dashboard:** Database Settings page → "Database password" → enter new
269
+ 2. **Sem downtime:** serviços internos (PostgREST, PgBouncer, etc.) auto-update
270
+ 3. **External services com hardcoded credentials:** manual update necessário (revisar deploy configs)
271
+
272
+ **NÃO:** dar password do `postgres` role para third-party — crie role dedicado.
273
+
274
+ ## Auditoria — pg_stat_statements por role
275
+
276
+ Cada role tem queries rastreáveis em `pg_stat_statements`:
277
+
278
+ ```sql
279
+ select
280
+ rolname,
281
+ count(*) as query_count,
282
+ sum(total_exec_time)::numeric(10,2) as total_time_ms
283
+ from pg_stat_statements s
284
+ join pg_roles r on s.userid = r.oid
285
+ where rolname not in ('postgres', 'authenticator') -- filtrar admin
286
+ group by rolname
287
+ order by total_time_ms desc;
288
+ ```
289
+
290
+ Identificar qual service account está consumindo mais — útil para debug + capacity planning.
291
+
292
+ ## Anti-patterns
293
+
294
+ ### Anti-pattern 1: Usar service_role API key para tudo
295
+
296
+ **Errado:**
297
+ ```bash
298
+ # .env do cron job
299
+ SUPABASE_KEY=eyJ...service_role_key...
300
+ ```
301
+
302
+ **Por quê:** sem auditabilidade — todas queries logam como `service_role`; difícil identificar qual script fez o quê.
303
+
304
+ **Certo:** criar role dedicado por service account:
305
+ ```sql
306
+ create role "cron_billing_role" noinherit;
307
+ alter role "cron_billing_role" with bypassrls;
308
+ -- GRANTs específicos
309
+ -- pg_cron usa este role; queries logam com identidade clara
310
+ ```
311
+
312
+ ### Anti-pattern 2: Custom role para "admin vs user" application access
313
+
314
+ **Errado:**
315
+ ```sql
316
+ -- criar role "admin" Postgres para gerenciar quem é admin no app
317
+ create role "app_admin";
318
+ -- ... add users to this role ...
319
+ ```
320
+
321
+ **Por quê:** Postgres roles não são designed para application access — não dinâmico, não auditável, mistura system + application concerns.
322
+
323
+ **Certo:** use RLS + Custom Claims (skill `supabase-custom-claims-rbac` v1.25) — `user_role: 'admin'` no JWT via auth hook, consultado por `authorize()`.
324
+
325
+ ### Anti-pattern 3: Password sem percent-encoding em URL
326
+
327
+ **Errado:**
328
+ ```
329
+ postgresql://user:p=ssword@host/db
330
+ ```
331
+
332
+ **Por quê:** `=` é parseado como query string separator — conexão falha.
333
+
334
+ **Certo:**
335
+ ```
336
+ postgresql://user:p%3Dssword@host/db
337
+ ```
338
+
339
+ ### Anti-pattern 4: INHERIT em superuser-like role
340
+
341
+ **Errado:**
342
+ ```sql
343
+ create role "dba_role" inherit; -- inherit default em todos roles
344
+ grant postgres to dba_role;
345
+ -- dba_role agora tem postgres privileges implicitly
346
+ ```
347
+
348
+ **Por quê:** sem audit trail explícito de quando privileges admin são usados.
349
+
350
+ **Certo:** NOINHERIT + SET ROLE explícito:
351
+ ```sql
352
+ create role "dba_role" noinherit;
353
+ grant postgres to dba_role;
354
+ -- usuário precisa: set role postgres; ...; reset role;
355
+ -- queries logam com identidade postgres durante operação
356
+ ```
357
+
358
+ ### Anti-pattern 5: Criar role sem documentação
359
+
360
+ **Errado:**
361
+ ```sql
362
+ create role "xyz" with login password 'pwd';
363
+ -- 6 meses depois, ninguém sabe pra que serve
364
+ ```
365
+
366
+ **Por quê:** sem documentação, próximo dev assume é abandoned + remove ou mantém indefinidamente.
367
+
368
+ **Certo:** sempre comment no migration + entry em README:
369
+ ```sql
370
+ -- role para Metabase BI conectar em produção (read-only)
371
+ -- Owner: data-team@company.com
372
+ -- Created: 2026-05-11 v1.26
373
+ create role "metabase_reader" with login password '<from-vault>';
374
+ comment on role "metabase_reader" is 'BI tool service account — read-only. Owner: data-team@company.com';
375
+ ```
376
+
377
+ ## Cross-suite integration (v1.26)
378
+
379
+ Esta skill é base para agent novo `supabase-roles-implementer` (Phase 145) — recebe spec via `Task()` e materializa CREATE ROLE + GRANT/REVOKE + hierarchy. Pattern de handoff cooperativo herdado de v1.23-v1.25.
380
+
381
+ Para column-level GRANTs específicos por role, **combine** com skill `supabase-column-level-security` (v1.24). Para custom claims que entregam `user_role` no JWT, use skill `supabase-custom-claims-rbac` (v1.25) — Postgres roles são para system access; custom claims são para application access.
382
+
383
+ ## Ver também
384
+
385
+ - [supabase-roles-implementer](../../agents/supabase-roles-implementer.md) (v1.26) — canonical materializer
386
+ - [supabase-rls-policies](../supabase-rls-policies/SKILL.md) (v1.23) — section "Postgres Roles vs RLS — quando usar qual" (v1.26)
387
+ - [supabase-rls-defense-in-depth](../supabase-rls-defense-in-depth/SKILL.md) (v1.23) — Camada 10 (Postgres Roles Hierarchy) v1.26
388
+ - [supabase-database-functions](../supabase-database-functions/SKILL.md) — GRANT EXECUTE patterns
389
+ - [supabase-column-level-security](../supabase-column-level-security/SKILL.md) (v1.24) — combinar com column-level GRANTs por role
390
+ - [supabase-custom-claims-rbac](../supabase-custom-claims-rbac/SKILL.md) (v1.25) — distinção canônica system access vs application access
391
+ - [glossário compartilhado](../_shared-supabase/glossary.md) — termos Postgres roles, INHERIT/NOINHERIT, LOGIN PASSWORD, GRANT/REVOKE syntax, role hierarchy, predefined Supabase roles, role switching authenticator, percent-encoding password
392
+ - Doc oficial Postgres: [Database Roles](https://www.postgresql.org/docs/current/database-roles.html), [Role Membership](https://www.postgresql.org/docs/current/role-membership.html), [Function Permissions](https://www.postgresql.org/docs/current/perm-functions.html)