npm - @luanpdd/kit-mcp - Versions diffs - 1.30.2 → 1.32.0 - Mend

@luanpdd/kit-mcp 1.30.2 → 1.32.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (365) hide show

package/LICENSE +21 -21
package/README.md +168 -168
package/gates/agent-no-recursive-dispatch.md +84 -82
package/kit/COMANDOS.md +138 -138
package/kit/COMPATIBILITY.md +5 -0
package/kit/README.md +76 -76
package/kit/agents/advisor-researcher.md +107 -106
package/kit/agents/ai-mutation-tester.md +1 -0
package/kit/agents/assumptions-analyzer.md +108 -107
package/kit/agents/audit-log-implementer.md +314 -313
package/kit/agents/auditor-consistencia-isolamento.md +414 -413
package/kit/agents/b2b-saas-architect.md +157 -156
package/kit/agents/burn-rate-forecaster.md +1 -0
package/kit/agents/cascading-failures-auditor.md +299 -298
package/kit/agents/codebase-mapper.md +769 -768
package/kit/agents/crm-pipeline-implementer.md +257 -256
package/kit/agents/debugger.md +814 -813
package/kit/agents/detector-tenant-quente.md +338 -337
package/kit/agents/evolution-go-integrator.md +201 -200
package/kit/agents/example-reviewer.md +22 -21
package/kit/agents/executor.md +565 -564
package/kit/agents/golden-signals-instrumenter.md +1 -0
package/kit/agents/incident-investigator.md +1 -0
package/kit/agents/integration-checker.md +201 -200
package/kit/agents/invite-flow-implementer.md +190 -189
package/kit/agents/legacy-characterizer.md +369 -368
package/kit/agents/lgpd-compliance-auditor.md +296 -295
package/kit/agents/load-shedding-instrumenter.md +1 -0
package/kit/agents/multi-tenant-isolation-auditor.md +254 -253
package/kit/agents/multi-tenant-rls-writer.md +341 -340
package/kit/agents/nyquist-auditor.md +179 -178
package/kit/agents/observability-coverage-auditor.md +316 -315
package/kit/agents/observability-instrumenter.md +1 -0
package/kit/agents/omm-auditor.md +1 -0
package/kit/agents/org-onboarding-implementer.md +224 -223
package/kit/agents/payload-capture-instrumenter.md +274 -273
package/kit/agents/phase-researcher.md +697 -696
package/kit/agents/plan-checker.md +273 -272
package/kit/agents/planner.md +923 -922
package/kit/agents/postmortem-writer.md +1 -0
package/kit/agents/project-researcher.md +653 -652
package/kit/agents/prr-conductor.md +1 -0
package/kit/agents/refactor-safety-auditor.md +405 -404
package/kit/agents/release-pipeline-auditor.md +1 -0
package/kit/agents/research-synthesizer.md +246 -245
package/kit/agents/roadmapper.md +678 -677
package/kit/agents/schema-checker.md +1 -0
package/kit/agents/seam-finder.md +360 -359
package/kit/agents/shotgun-surgery-detector.md +350 -349
package/kit/agents/slo-engineer.md +1 -0
package/kit/agents/storytelling-analyst.md +1 -0
package/kit/agents/supabase-architect.md +1 -0
package/kit/agents/supabase-auth-bootstrapper.md +16 -1
package/kit/agents/supabase-auth-hook-writer.md +418 -0
package/kit/agents/supabase-branching-architect.md +563 -562
package/kit/agents/supabase-cicd-pipeline-implementer.md +778 -777
package/kit/agents/supabase-column-privileges-writer.md +400 -399
package/kit/agents/supabase-edge-fn-tester.md +2 -1
package/kit/agents/supabase-edge-fn-writer.md +2 -1
package/kit/agents/supabase-mfa-implementer.md +439 -0
package/kit/agents/supabase-migration-writer.md +386 -385
package/kit/agents/supabase-oauth-server-implementer.md +507 -0
package/kit/agents/supabase-rbac-implementer.md +393 -392
package/kit/agents/supabase-realtime-implementer.md +364 -363
package/kit/agents/supabase-rls-hardener.md +522 -521
package/kit/agents/supabase-rls-writer.md +324 -323
package/kit/agents/supabase-roles-implementer.md +356 -355
package/kit/agents/supabase-social-auth-implementer.md +451 -0
package/kit/agents/supabase-sso-saml-architect.md +549 -0
package/kit/agents/supabase-storage-implementer.md +1 -0
package/kit/agents/super-admin-implementer.md +282 -281
package/kit/agents/toil-auditor.md +1 -0
package/kit/agents/ui-auditor.md +438 -437
package/kit/agents/ui-checker.md +303 -302
package/kit/agents/ui-researcher.md +356 -355
package/kit/agents/user-profiler.md +176 -175
package/kit/agents/validador-evolucao-schema.md +336 -335
package/kit/agents/verifier.md +729 -728
package/kit/commands/adicionar-backlog.md +75 -75
package/kit/commands/adicionar-fase.md +42 -42
package/kit/commands/adicionar-tarefa.md +45 -45
package/kit/commands/adicionar-testes.md +41 -41
package/kit/commands/ajuda.md +21 -21
package/kit/commands/atualizar.md +37 -37
package/kit/commands/auditar-cascading.md +111 -111
package/kit/commands/auditar-marco.md +179 -179
package/kit/commands/auditar-observabilidade-cobertura.md +183 -183
package/kit/commands/auditar-refactor.md +219 -219
package/kit/commands/auditar-release.md +109 -109
package/kit/commands/auditar-uat.md +23 -23
package/kit/commands/autonomo.md +40 -40
package/kit/commands/branch-pr.md +24 -24
package/kit/commands/burn-rate-status.md +408 -408
package/kit/commands/capturar-payloads.md +193 -193
package/kit/commands/caracterizar.md +212 -212
package/kit/commands/concluir-marco.md +247 -247
package/kit/commands/configuracoes.md +36 -36
package/kit/commands/dados-distribuidos.md +188 -188
package/kit/commands/definir-perfil.md +10 -10
package/kit/commands/depurar.md +190 -190
package/kit/commands/detectar-duplicacao.md +197 -197
package/kit/commands/discutir-fase.md +131 -131
package/kit/commands/encontrar-seams.md +136 -136
package/kit/commands/entrar-discord.md +17 -17
package/kit/commands/estatisticas.md +18 -18
package/kit/commands/example-greeting.md +33 -33
package/kit/commands/executar-fase.md +58 -58
package/kit/commands/expresso.md +56 -56
package/kit/commands/fase-ui.md +34 -34
package/kit/commands/fazer.md +57 -57
package/kit/commands/fio.md +125 -125
package/kit/commands/fluxos-trabalho.md +64 -64
package/kit/commands/forense.md +176 -176
package/kit/commands/gerenciador.md +38 -38
package/kit/commands/inserir-fase.md +31 -31
package/kit/commands/legacy.md +263 -263
package/kit/commands/limpeza.md +17 -17
package/kit/commands/listar-hipoteses-fase.md +45 -45
package/kit/commands/listar-workspaces.md +18 -18
package/kit/commands/load-shedding.md +117 -117
package/kit/commands/mapear-codebase.md +70 -70
package/kit/commands/multi-tenant.md +163 -163
package/kit/commands/nota.md +33 -33
package/kit/commands/novo-marco.md +43 -43
package/kit/commands/novo-projeto.md +41 -41
package/kit/commands/novo-workspace.md +43 -43
package/kit/commands/pausar-trabalho.md +37 -37
package/kit/commands/perfil-usuario.md +45 -45
package/kit/commands/pesquisar-fase.md +195 -195
package/kit/commands/planejar-fase.md +67 -67
package/kit/commands/planejar-lacunas.md +33 -33
package/kit/commands/plantar-ideia.md +25 -25
package/kit/commands/progresso.md +24 -24
package/kit/commands/proximo.md +30 -30
package/kit/commands/publicar.md +490 -490
package/kit/commands/rapido.md +35 -35
package/kit/commands/reaplicar-patches.md +124 -124
package/kit/commands/refactor-seguro.md +321 -321
package/kit/commands/relatorio-sessao.md +19 -19
package/kit/commands/remover-fase.md +31 -31
package/kit/commands/remover-workspace.md +26 -26
package/kit/commands/resumo-marco.md +50 -50
package/kit/commands/retomar-trabalho.md +40 -40
package/kit/commands/revisar-backlog.md +60 -60
package/kit/commands/revisar-ui.md +32 -32
package/kit/commands/revisar.md +37 -37
package/kit/commands/saude.md +21 -21
package/kit/commands/setup-notion.md +93 -93
package/kit/commands/storytelling.md +179 -179
package/kit/commands/supabase.md +21 -1
package/kit/commands/sync-main.md +68 -68
package/kit/commands/validar-fase.md +35 -35
package/kit/commands/verificar-tarefas.md +44 -44
package/kit/commands/verificar-trabalho.md +64 -64
package/kit/file-manifest.json +100 -84
package/kit/framework/bin/lib/commands.cjs +959 -959
package/kit/framework/bin/lib/config.cjs +442 -442
package/kit/framework/bin/lib/core.cjs +1230 -1230
package/kit/framework/bin/lib/frontmatter.cjs +336 -336
package/kit/framework/bin/lib/init.cjs +1442 -1442
package/kit/framework/bin/lib/milestone.cjs +252 -252
package/kit/framework/bin/lib/model-profiles.cjs +68 -68
package/kit/framework/bin/lib/phase.cjs +888 -888
package/kit/framework/bin/lib/profile-output.cjs +952 -952
package/kit/framework/bin/lib/profile-pipeline.cjs +539 -539
package/kit/framework/bin/lib/roadmap.cjs +329 -329
package/kit/framework/bin/lib/security.cjs +382 -382
package/kit/framework/bin/lib/state.cjs +1031 -1031
package/kit/framework/bin/lib/template.cjs +222 -222
package/kit/framework/bin/lib/uat.cjs +282 -282
package/kit/framework/bin/lib/verify.cjs +888 -888
package/kit/framework/bin/lib/workstream.cjs +491 -491
package/kit/framework/bin/tools.cjs +918 -918
package/kit/framework/commands/workstreams.md +63 -63
package/kit/framework/references/checkpoints.md +778 -778
package/kit/framework/references/continuation-format.md +249 -249
package/kit/framework/references/decimal-phase-calculation.md +64 -64
package/kit/framework/references/git-integration.md +295 -295
package/kit/framework/references/git-planning-commit.md +38 -38
package/kit/framework/references/model-profile-resolution.md +36 -36
package/kit/framework/references/model-profiles.md +139 -139
package/kit/framework/references/phase-argument-parsing.md +61 -61
package/kit/framework/references/planning-config.md +202 -202
package/kit/framework/references/questioning.md +162 -162
package/kit/framework/references/tdd.md +263 -263
package/kit/framework/references/ui-brand.md +160 -160
package/kit/framework/references/user-profiling.md +657 -657
package/kit/framework/references/verification-patterns.md +612 -612
package/kit/framework/references/workstream-flag.md +58 -58
package/kit/framework/templates/DEBUG.md +164 -164
package/kit/framework/templates/UAT.md +265 -265
package/kit/framework/templates/UI-SPEC.md +100 -100
package/kit/framework/templates/VALIDATION.md +76 -76
package/kit/framework/templates/claude-md.md +122 -122
package/kit/framework/templates/codebase/architecture.md +185 -185
package/kit/framework/templates/codebase/concerns.md +205 -205
package/kit/framework/templates/codebase/conventions.md +204 -204
package/kit/framework/templates/codebase/integrations.md +192 -192
package/kit/framework/templates/codebase/stack.md +158 -158
package/kit/framework/templates/codebase/structure.md +199 -199
package/kit/framework/templates/codebase/testing.md +301 -301
package/kit/framework/templates/config.json +44 -44
package/kit/framework/templates/context.md +352 -352
package/kit/framework/templates/continue-here.md +78 -78
package/kit/framework/templates/copilot-instructions.md +7 -7
package/kit/framework/templates/debug-subagent-prompt.md +91 -91
package/kit/framework/templates/dev-preferences.md +20 -20
package/kit/framework/templates/discovery.md +146 -146
package/kit/framework/templates/discussion-log.md +63 -63
package/kit/framework/templates/milestone-archive.md +123 -123
package/kit/framework/templates/milestone.md +115 -115
package/kit/framework/templates/phase-prompt.md +610 -610
package/kit/framework/templates/planner-subagent-prompt.md +117 -117
package/kit/framework/templates/project.md +186 -186
package/kit/framework/templates/requirements.md +231 -231
package/kit/framework/templates/research-project/ARCHITECTURE.md +204 -204
package/kit/framework/templates/research-project/FEATURES.md +147 -147
package/kit/framework/templates/research-project/PITFALLS.md +200 -200
package/kit/framework/templates/research-project/STACK.md +120 -120
package/kit/framework/templates/research-project/SUMMARY.md +170 -170
package/kit/framework/templates/research.md +419 -419
package/kit/framework/templates/retrospective.md +54 -54
package/kit/framework/templates/roadmap.md +202 -202
package/kit/framework/templates/state.md +176 -176
package/kit/framework/templates/summary-complex.md +59 -59
package/kit/framework/templates/summary-minimal.md +41 -41
package/kit/framework/templates/summary-standard.md +48 -48
package/kit/framework/templates/summary.md +209 -209
package/kit/framework/templates/user-profile.md +146 -146
package/kit/framework/templates/user-setup.md +256 -256
package/kit/framework/templates/verification-report.md +258 -258
package/kit/framework/workflows/add-phase.md +112 -112
package/kit/framework/workflows/add-tests.md +351 -351
package/kit/framework/workflows/add-todo.md +158 -158
package/kit/framework/workflows/audit-milestone.md +340 -340
package/kit/framework/workflows/audit-uat.md +109 -109
package/kit/framework/workflows/autonomous.md +891 -891
package/kit/framework/workflows/check-todos.md +177 -177
package/kit/framework/workflows/cleanup.md +152 -152
package/kit/framework/workflows/complete-milestone.md +696 -696
package/kit/framework/workflows/diagnose-issues.md +231 -231
package/kit/framework/workflows/discovery-phase.md +289 -289
package/kit/framework/workflows/discuss-phase-assumptions.md +653 -653
package/kit/framework/workflows/discuss-phase.md +784 -784
package/kit/framework/workflows/do.md +104 -104
package/kit/framework/workflows/execute-phase.md +838 -838
package/kit/framework/workflows/execute-plan.md +510 -510
package/kit/framework/workflows/fast.md +102 -102
package/kit/framework/workflows/forensics.md +265 -265
package/kit/framework/workflows/health.md +181 -181
package/kit/framework/workflows/help.md +619 -619
package/kit/framework/workflows/insert-phase.md +130 -130
package/kit/framework/workflows/list-phase-assumptions.md +178 -178
package/kit/framework/workflows/list-workspaces.md +56 -56
package/kit/framework/workflows/manager.md +362 -362
package/kit/framework/workflows/map-codebase.md +377 -377
package/kit/framework/workflows/milestone-summary.md +223 -223
package/kit/framework/workflows/new-milestone.md +486 -486
package/kit/framework/workflows/new-project.md +1159 -1159
package/kit/framework/workflows/new-workspace.md +237 -237
package/kit/framework/workflows/next.md +97 -97
package/kit/framework/workflows/node-repair.md +92 -92
package/kit/framework/workflows/note.md +156 -156
package/kit/framework/workflows/pause-work.md +176 -176
package/kit/framework/workflows/plan-milestone-gaps.md +273 -273
package/kit/framework/workflows/plan-phase.md +765 -765
package/kit/framework/workflows/plant-seed.md +169 -169
package/kit/framework/workflows/pr-branch.md +129 -129
package/kit/framework/workflows/profile-user.md +450 -450
package/kit/framework/workflows/progress.md +507 -507
package/kit/framework/workflows/quick.md +757 -757
package/kit/framework/workflows/remove-phase.md +155 -155
package/kit/framework/workflows/remove-workspace.md +90 -90
package/kit/framework/workflows/research-phase.md +82 -82
package/kit/framework/workflows/resume-project.md +326 -326
package/kit/framework/workflows/review.md +228 -228
package/kit/framework/workflows/session-report.md +146 -146
package/kit/framework/workflows/settings.md +283 -283
package/kit/framework/workflows/ship.md +228 -228
package/kit/framework/workflows/stats.md +60 -60
package/kit/framework/workflows/transition.md +671 -671
package/kit/framework/workflows/ui-phase.md +302 -302
package/kit/framework/workflows/ui-review.md +165 -165
package/kit/framework/workflows/update.md +323 -323
package/kit/framework/workflows/validate-phase.md +174 -174
package/kit/framework/workflows/verify-phase.md +252 -252
package/kit/framework/workflows/verify-work.md +637 -637
package/kit/hooks/check-update.js +118 -118
package/kit/hooks/context-monitor.js +163 -163
package/kit/hooks/kit-attribution-reminder.cjs +29 -50
package/kit/hooks/kit-router.cjs +137 -0
package/kit/hooks/prompt-guard.js +103 -103
package/kit/hooks/statusline.js +125 -125
package/kit/hooks/workflow-guard.js +101 -101
package/kit/settings.json +45 -45
package/kit/skills/ai-prompt-characterization/SKILL.md +335 -335
package/kit/skills/armadilhas-sistemas-distribuidos/SKILL.md +447 -447
package/kit/skills/audit-log-multi-tenant/SKILL.md +340 -340
package/kit/skills/b2b-saas-architecture/SKILL.md +300 -300
package/kit/skills/consistencia-leitura-replica/SKILL.md +385 -385
package/kit/skills/crm-lead-pipeline-patterns/SKILL.md +343 -343
package/kit/skills/escolha-modelo-consistencia/SKILL.md +494 -494
package/kit/skills/evolucao-schema-compativel/SKILL.md +448 -448
package/kit/skills/evolution-go-whatsapp-integration/SKILL.md +322 -322
package/kit/skills/example-skill/SKILL.md +42 -42
package/kit/skills/legacy-api-only-applications/SKILL.md +358 -358
package/kit/skills/legacy-characterization-tests/SKILL.md +330 -330
package/kit/skills/legacy-effect-analysis/SKILL.md +331 -331
package/kit/skills/legacy-extract-class/SKILL.md +203 -203
package/kit/skills/legacy-programming-by-difference/SKILL.md +252 -252
package/kit/skills/legacy-seams-and-test-harness/SKILL.md +460 -460
package/kit/skills/legacy-shotgun-surgery/SKILL.md +286 -286
package/kit/skills/legacy-sprout-wrap-techniques/SKILL.md +434 -434
package/kit/skills/legacy-storytelling-naked-crc/SKILL.md +270 -270
package/kit/skills/lgpd-multi-tenant-compliance/SKILL.md +340 -340
package/kit/skills/member-invite-flow/SKILL.md +305 -305
package/kit/skills/member-management-react-shadcn/SKILL.md +328 -328
package/kit/skills/multi-tenant-performance-scaling/SKILL.md +316 -316
package/kit/skills/multi-tenant-rls-hierarchy/SKILL.md +342 -342
package/kit/skills/org-onboarding-flow/SKILL.md +257 -257
package/kit/skills/org-switcher-react-pattern/SKILL.md +349 -349
package/kit/skills/permission-gate-react-pattern/SKILL.md +271 -271
package/kit/skills/postgres-isolamento-concorrencia/SKILL.md +552 -552
package/kit/skills/pre-refactor-characterization/SKILL.md +421 -421
package/kit/skills/rbac-permissions-matrix-supabase/SKILL.md +338 -338
package/kit/skills/streams-eventos-cdc/SKILL.md +711 -711
package/kit/skills/supabase-auth-hardening/SKILL.md +674 -0
package/kit/skills/supabase-auth-hooks/SKILL.md +875 -0
package/kit/skills/supabase-auth-methods/SKILL.md +486 -0
package/kit/skills/supabase-auth-sessions/SKILL.md +579 -0
package/kit/skills/supabase-auth-ssr/SKILL.md +60 -14
package/kit/skills/supabase-branching-workflow/SKILL.md +544 -544
package/kit/skills/supabase-ci-cd-github-actions/SKILL.md +880 -880
package/kit/skills/supabase-column-level-security/SKILL.md +426 -426
package/kit/skills/supabase-config-toml-remotes/SKILL.md +807 -807
package/kit/skills/supabase-custom-claims-rbac/SKILL.md +472 -472
package/kit/skills/supabase-edge-functions/SKILL.md +1 -1
package/kit/skills/supabase-edge-functions-auth/SKILL.md +1 -1
package/kit/skills/supabase-edge-functions-limits/SKILL.md +1 -1
package/kit/skills/supabase-edge-functions-mcp-server/SKILL.md +1 -1
package/kit/skills/supabase-edge-functions-testing/SKILL.md +1 -1
package/kit/skills/supabase-edge-runtime-builtins/SKILL.md +1 -1
package/kit/skills/supabase-enterprise-sso-saml/SKILL.md +545 -0
package/kit/skills/supabase-jwt-signing-keys/SKILL.md +399 -0
package/kit/skills/supabase-mfa/SKILL.md +488 -0
package/kit/skills/supabase-migration-repair/SKILL.md +823 -823
package/kit/skills/supabase-migrations/SKILL.md +297 -297
package/kit/skills/supabase-oauth-server/SKILL.md +537 -0
package/kit/skills/supabase-pgtap-testing/SKILL.md +1053 -1053
package/kit/skills/supabase-postgres-roles/SKILL.md +392 -392
package/kit/skills/supabase-realtime/SKILL.md +460 -460
package/kit/skills/supabase-rls-defense-in-depth/SKILL.md +418 -418
package/kit/skills/supabase-rls-policies/SKILL.md +635 -635
package/kit/skills/supabase-social-oauth/SKILL.md +480 -0
package/kit/skills/supabase-third-party-auth/SKILL.md +450 -0
package/kit/skills/super-admin-platform-pattern/SKILL.md +326 -326
package/kit/skills/tenant-quente-mitigacao/SKILL.md +605 -605
package/kit/skills/whatsapp-conversation-state-machine/SKILL.md +287 -287
package/package.json +1 -1
package/src/core/kit.js +216 -216
package/src/core/reflect.js +247 -247
package/src/core/reverse-sync.js +372 -372
package/src/core/sync.js +437 -418
package/src/core/watch.js +121 -121
package/src/mcp-server/index.js +794 -746

package/kit/skills/b2b-saas-architecture/SKILL.md CHANGED Viewed

@@ -1,300 +1,300 @@
----
-name: b2b-saas-architecture
-description: Use ao desenhar app B2B multi-tenant (org→department→leader→collaborator) com Supabase + React…
----
-# B2B SaaS Multi-Tenant — Arquitetura Canônica
-## Quando usar
-LLM carrega esta skill ao desenhar arquitetura de app B2B SaaS multi-tenant em Supabase. Trigger phrases:
-- "B2B SaaS multi-tenant", "arquitetura multi-tenant", "isolation strategy"
-- "single schema vs schema-per-tenant"
-- "schema canônico organizations", "departments table", "members"
-- "JWT claims multi-tenant", "app_metadata orgs"
-- "slug org imutável", "tenant routing"
-Esta skill define o **schema canônico** que `multi-tenant-rls-writer` (Phase 108), `org-onboarding-implementer` (Phase 107), `super-admin-implementer` (Phase 111), `audit-log-implementer` (Phase 109), e demais agents da suíte v1.21 consomem como entrada.
-## Regras absolutas
-**REGRA #1 (estratégia default):** **Single Schema + `org_id` + RLS** é o caminho canônico para 90% dos B2B SaaS. Schema-per-tenant é justificado apenas em compliance extremo (saúde/jurídico com auditoria isolacional). Database-per-tenant é inviável economicamente fora de contratos enterprise.
-**REGRA #2 (JWT minimal):** **APENAS** `super_admin: bool` em `app_metadata`. Lista de orgs no JWT é anti-pattern — bloat linear no token + stale de 1h após mudança de role. O banco (helper functions PG) é fonte de verdade.
-**REGRA #3 (slug imutável):** `organizations.slug` é **append-only** após criação. Mutação requer tabela `slug_history` + redirect 301 em rotas afetadas. Quebra silenciosa de bookmarks/webhooks/OAuth callbacks é o pior bug que cliente B2B encontra.
-**REGRA #4 (super_admin via service_role):** `app_metadata.super_admin = true` é setado **APENAS** via `auth.admin.updateUserById()` (service role). Cliente NUNCA consegue mutá-lo (≠ `user_metadata` que é editável).
-**REGRA #5 (FKs com CASCADE explícito):** Todas as FKs têm `ON DELETE` explícito (CASCADE para entidades dependentes da org, RESTRICT para evitar deleção acidental). Sem default — força decisão consciente.
-## Patterns canônicos
-### Estratégia de isolation — tabela comparativa
-| Estratégia | Isolation | Custo ops | Compliance | Quando usar |
-|---|---|---|---|---|
-| **Single Schema + `org_id` + RLS** ⭐ | Lógico (RLS) | Baixo | Padrão B2B SaaS | **DEFAULT 90% dos casos** — Stripe, Linear, Vercel, Notion |
-| Schema-per-tenant | Físico (PG schemas) | Médio (N migrations) | Compliance auditável | Saúde/jurídico/governo com requisito explícito de isolamento |
-| Database-per-tenant | Físico (DB separadas) | Alto (N projects Supabase) | Compliance extremo | Apenas contratos enterprise com SLA de isolamento físico |
-**Recomendação:** comece sempre com Single Schema. Migração para schema-per-tenant é viável (script de fan-out por org_id). Migração reversa não é.
-### Schema canônico — 7 tabelas (DDL completo)
-```sql
--- Ordem de criação respeita dependências FK
--- 1. organizations (root tenant)
-create table public.organizations (
-  id uuid primary key default gen_random_uuid(),
-  name text not null,
-  slug text unique not null check (slug ~ '^[a-z0-9-]+$' and length(slug) between 2 and 60),
-  owner_id uuid not null references auth.users(id) on delete restrict,
-  plan text not null default 'free' check (plan in ('free', 'pro', 'enterprise')),
-  status text not null default 'active' check (status in ('active', 'suspended', 'archived')),
-  metadata jsonb not null default '{}'::jsonb,
-  created_at timestamptz not null default now(),
-  updated_at timestamptz not null default now()
-);
--- 2. departments (sub-tenant opcional)
-create table public.departments (
-  id uuid primary key default gen_random_uuid(),
-  org_id uuid not null references public.organizations(id) on delete cascade,
-  parent_id uuid references public.departments(id) on delete set null,
-  name text not null,
-  slug text not null check (slug ~ '^[a-z0-9-]+$'),
-  metadata jsonb not null default '{}'::jsonb,
-  created_at timestamptz not null default now(),
-  updated_at timestamptz not null default now(),
-  unique (org_id, slug)
-);
--- 3. roles (org-scoped, custom roles permitidos)
-create table public.roles (
-  id uuid primary key default gen_random_uuid(),
-  org_id uuid not null references public.organizations(id) on delete cascade,
-  name text not null check (name ~ '^[a-z_]+$'),
-  description text,
-  is_built_in boolean not null default false,
-  created_at timestamptz not null default now(),
-  unique (org_id, name)
-);
--- 4. permissions (catálogo global)
-create table public.permissions (
-  id uuid primary key default gen_random_uuid(),
-  action text not null check (action ~ '^[a-z_]+$'),
-  resource text not null check (resource ~ '^[a-z_]+$'),
-  description text,
-  created_at timestamptz not null default now(),
-  unique (action, resource)
-);
--- 5. role_permissions (M:N — roles ganham permissions)
-create table public.role_permissions (
-  role_id uuid not null references public.roles(id) on delete cascade,
-  permission_id uuid not null references public.permissions(id) on delete restrict,
-  created_at timestamptz not null default now(),
-  primary key (role_id, permission_id)
-);
--- 6. organization_members (user ↔ org com role)
-create table public.organization_members (
-  id uuid primary key default gen_random_uuid(),
-  org_id uuid not null references public.organizations(id) on delete cascade,
-  user_id uuid not null references auth.users(id) on delete cascade,
-  role_id uuid not null references public.roles(id) on delete restrict,
-  status text not null default 'active' check (status in ('active', 'suspended', 'left')),
-  joined_at timestamptz not null default now(),
-  unique (org_id, user_id)
-);
--- 7. department_members (user ↔ dept com role override opcional)
-create table public.department_members (
-  id uuid primary key default gen_random_uuid(),
-  dept_id uuid not null references public.departments(id) on delete cascade,
-  user_id uuid not null references auth.users(id) on delete cascade,
-  role_id uuid references public.roles(id) on delete set null, -- NULL herda do organization_members
-  is_leader boolean not null default false,
-  joined_at timestamptz not null default now(),
-  unique (dept_id, user_id)
-);
--- Slug history (suporte a redirect 301 quando slug é mutado)
-create table public.organization_slug_history (
-  id uuid primary key default gen_random_uuid(),
-  org_id uuid not null references public.organizations(id) on delete cascade,
-  old_slug text not null,
-  new_slug text not null,
-  changed_at timestamptz not null default now(),
-  unique (old_slug)
-);
-```
-### JWT claims minimal — Custom Access Token Hook
-```sql
--- Hook chamado pelo Supabase Auth a cada token emit
--- Injeta apenas super_admin no app_metadata
-create or replace function public.custom_access_token_hook(event jsonb)
-returns jsonb
-language plpgsql
-security definer
-set search_path = ''
-as $$
-declare
-  claims jsonb;
-  is_super boolean;
-begin
-  -- Buscar super_admin do app_metadata atual
-  select coalesce((raw_app_meta_data->>'super_admin')::boolean, false)
-  into is_super
-  from auth.users
-  where id = (event->>'user_id')::uuid;
-  claims := event->'claims';
-  claims := jsonb_set(claims, '{app_metadata}', coalesce(claims->'app_metadata', '{}'::jsonb));
-  claims := jsonb_set(claims, '{app_metadata,super_admin}', to_jsonb(is_super));
-  event := jsonb_set(event, '{claims}', claims);
-  return event;
-end;
-$$;
--- Registrar como hook em supabase/config.toml:
--- [auth.hook.custom_access_token]
--- enabled = true
--- uri = "pg-functions://postgres/public/custom_access_token_hook"
-```
-### Set super_admin via service_role apenas
-```typescript
-// Edge Function ou backend admin com service_role key
-import { createClient } from 'jsr:@supabase/supabase-js@2'
-const admin = createClient(
-  Deno.env.get('SUPABASE_URL')!,
-  Deno.env.get('SUPABASE_SERVICE_ROLE_KEY')!  // service role — nunca expor ao client
-)
-// Promover usuário a super_admin
-await admin.auth.admin.updateUserById(userId, {
-  app_metadata: { super_admin: true }
-})
-// IMPORTANTE: usar updateUserById com app_metadata (não user_metadata)
-```
-### Slug com redirect trail
-```sql
--- Trigger que registra mudança de slug em organization_slug_history
-create or replace function public.track_org_slug_change()
-returns trigger
-language plpgsql
-security invoker
-set search_path = ''
-as $$
-begin
-  if old.slug is distinct from new.slug then
-    insert into public.organization_slug_history (org_id, old_slug, new_slug)
-    values (new.id, old.slug, new.slug);
-  end if;
-  return new;
-end;
-$$;
-create trigger track_org_slug_change_trigger
-  after update of slug on public.organizations
-  for each row execute function public.track_org_slug_change();
-```
-App side (Next.js middleware): se `slug` em URL não existe em `organizations`, consulta `organization_slug_history.old_slug` → 301 para `/orgs/{new_slug}/`.
-## Anti-patterns
-### Anti-pattern 1: Lista de orgs no JWT (claims bloat + stale)
-**Errado:**
-```sql
--- Hook injeta lista de orgs do user no JWT
--- claims.app_metadata.orgs = [{id, role}, {id, role}, ...]
-```
-**Por quê:**
-- JWT tem limite ~4KB — usuário em 50 orgs estoura
-- JWT cacheado por 1h — mudança de role demora até 1h pra propagar
-- Cada Edge Function paga overhead de parsing de claims grandes
-**Certo:** JWT só com `super_admin: bool`. Helper functions PG (`private.is_member_of`, `private.has_role`) consultam o banco — fonte de verdade sem stale.
-### Anti-pattern 2: Slug mutável sem redirect trail
-**Errado:**
-```sql
-update public.organizations set slug = 'new-name' where id = '...';
--- Sem entry em organization_slug_history
-```
-**Por quê:** bookmarks externos, webhooks Stripe/Slack, OAuth callbacks, Twitter cards, sitemaps — todos quebram silenciosamente. Cliente B2B descobre semanas depois quando recebe email "seu link parou de funcionar".
-**Certo:** trigger `track_org_slug_change` automático + middleware redirect 301 em rotas com slug.
-### Anti-pattern 3: Schema-per-tenant sem justificativa de compliance
-**Errado:**
-```sql
--- Pra cada nova org, criar schema próprio
-create schema "org_acme";
-create table org_acme.members (...);
--- ...repetir migration por org
-```
-**Por quê:** N migrations por nova org, provisioning lento, queries cross-tenant impossíveis sem UNION manual, monitoring complexo. Sem ganho real para SaaS comum (RLS bem feita já isola).
-**Certo:** Single Schema + `org_id` + RLS. Schema-per-tenant só quando regulatório exige.
-### Anti-pattern 4: `user_metadata` para super_admin
-**Errado:**
-```sql
--- Policy lê super_admin de user_metadata
-using ((auth.jwt()->'user_metadata'->>'super_admin')::boolean = true)
-```
-**Por quê:** `user_metadata` é editável pelo cliente via `auth.updateUser({ data: { super_admin: true } })`. Privilege escalation imediato — qualquer usuário se torna super_admin. Documentado em [Supabase Splinter 0015](https://supabase.github.io/splinter/0015_rls_references_user_metadata/).
-**Certo:** `app_metadata.super_admin` (set apenas via service_role).
-### Anti-pattern 5: FKs sem CASCADE/RESTRICT explícito
-**Errado:**
-```sql
-references public.organizations(id)  -- default ON DELETE NO ACTION
-```
-**Por quê:** decisão importante (deletar org com 100k rows? bloquear?) fica implícita. NO ACTION pode falhar deleção sem mensagem clara. Comportamento varia por engine.
-**Certo:**
-```sql
-references public.organizations(id) on delete cascade   -- entidade dependente
-references auth.users(id) on delete restrict            -- prevenir orfão
-references public.roles(id) on delete set null          -- preservar histórico
-```
-## Ver também
-- [supabase-rls-policies](../supabase-rls-policies/SKILL.md) — anti-patterns RLS herdados (`(select auth.uid())` wrapper, no `user_metadata` em authz)
-- [supabase-database-functions](../supabase-database-functions/SKILL.md) — padrões PG functions (security invoker, search_path = '')
-- [supabase-postgres-style](../supabase-postgres-style/SKILL.md) — naming snake_case, lowercase reserved
-- [multi-tenant-rls-hierarchy](../multi-tenant-rls-hierarchy/SKILL.md) — 4 helper functions PG canônicas + policies hierárquicas (Phase 108)
-- [multi-tenant-performance-scaling](../multi-tenant-performance-scaling/SKILL.md) — Supavisor pooling + partitioning por `org_id` + MVs per-tenant (skill irmã)
-- [rbac-permissions-matrix-supabase](../rbac-permissions-matrix-supabase/SKILL.md) — modelagem permissions action × resource × scope (Phase 108)
-- [_shared-supabase/glossary.md](../_shared-supabase/glossary.md) — termos canônicos `app_metadata`, `service_role`
-- [_shared-multi-tenant/glossary.md](../_shared-multi-tenant/glossary.md) — termos novos `tenant`, `org_id`, `super_admin`, `RBAC`
-- [Supabase RLS Best Practices](https://makerkit.dev/blog/tutorials/supabase-rls-best-practices) — fonte external canônica
-- [Custom Access Token Hook — Supabase Docs](https://supabase.com/docs/guides/auth/auth-hooks/custom-access-token-hook)
+---
+name: b2b-saas-architecture
+description: Use ao desenhar app B2B multi-tenant (org→department→leader→collaborator) com Supabase + React…
+---
+# B2B SaaS Multi-Tenant — Arquitetura Canônica
+## Quando usar
+LLM carrega esta skill ao desenhar arquitetura de app B2B SaaS multi-tenant em Supabase. Trigger phrases:
+- "B2B SaaS multi-tenant", "arquitetura multi-tenant", "isolation strategy"
+- "single schema vs schema-per-tenant"
+- "schema canônico organizations", "departments table", "members"
+- "JWT claims multi-tenant", "app_metadata orgs"
+- "slug org imutável", "tenant routing"
+Esta skill define o **schema canônico** que `multi-tenant-rls-writer` (Phase 108), `org-onboarding-implementer` (Phase 107), `super-admin-implementer` (Phase 111), `audit-log-implementer` (Phase 109), e demais agents da suíte v1.21 consomem como entrada.
+## Regras absolutas
+**REGRA #1 (estratégia default):** **Single Schema + `org_id` + RLS** é o caminho canônico para 90% dos B2B SaaS. Schema-per-tenant é justificado apenas em compliance extremo (saúde/jurídico com auditoria isolacional). Database-per-tenant é inviável economicamente fora de contratos enterprise.
+**REGRA #2 (JWT minimal):** **APENAS** `super_admin: bool` em `app_metadata`. Lista de orgs no JWT é anti-pattern — bloat linear no token + stale de 1h após mudança de role. O banco (helper functions PG) é fonte de verdade.
+**REGRA #3 (slug imutável):** `organizations.slug` é **append-only** após criação. Mutação requer tabela `slug_history` + redirect 301 em rotas afetadas. Quebra silenciosa de bookmarks/webhooks/OAuth callbacks é o pior bug que cliente B2B encontra.
+**REGRA #4 (super_admin via service_role):** `app_metadata.super_admin = true` é setado **APENAS** via `auth.admin.updateUserById()` (service role). Cliente NUNCA consegue mutá-lo (≠ `user_metadata` que é editável).
+**REGRA #5 (FKs com CASCADE explícito):** Todas as FKs têm `ON DELETE` explícito (CASCADE para entidades dependentes da org, RESTRICT para evitar deleção acidental). Sem default — força decisão consciente.
+## Patterns canônicos
+### Estratégia de isolation — tabela comparativa
+| Estratégia | Isolation | Custo ops | Compliance | Quando usar |
+|---|---|---|---|---|
+| **Single Schema + `org_id` + RLS** ⭐ | Lógico (RLS) | Baixo | Padrão B2B SaaS | **DEFAULT 90% dos casos** — Stripe, Linear, Vercel, Notion |
+| Schema-per-tenant | Físico (PG schemas) | Médio (N migrations) | Compliance auditável | Saúde/jurídico/governo com requisito explícito de isolamento |
+| Database-per-tenant | Físico (DB separadas) | Alto (N projects Supabase) | Compliance extremo | Apenas contratos enterprise com SLA de isolamento físico |
+**Recomendação:** comece sempre com Single Schema. Migração para schema-per-tenant é viável (script de fan-out por org_id). Migração reversa não é.
+### Schema canônico — 7 tabelas (DDL completo)
+```sql
+-- Ordem de criação respeita dependências FK
+-- 1. organizations (root tenant)
+create table public.organizations (
+  id uuid primary key default gen_random_uuid(),
+  name text not null,
+  slug text unique not null check (slug ~ '^[a-z0-9-]+$' and length(slug) between 2 and 60),
+  owner_id uuid not null references auth.users(id) on delete restrict,
+  plan text not null default 'free' check (plan in ('free', 'pro', 'enterprise')),
+  status text not null default 'active' check (status in ('active', 'suspended', 'archived')),
+  metadata jsonb not null default '{}'::jsonb,
+  created_at timestamptz not null default now(),
+  updated_at timestamptz not null default now()
+);
+-- 2. departments (sub-tenant opcional)
+create table public.departments (
+  id uuid primary key default gen_random_uuid(),
+  org_id uuid not null references public.organizations(id) on delete cascade,
+  parent_id uuid references public.departments(id) on delete set null,
+  name text not null,
+  slug text not null check (slug ~ '^[a-z0-9-]+$'),
+  metadata jsonb not null default '{}'::jsonb,
+  created_at timestamptz not null default now(),
+  updated_at timestamptz not null default now(),
+  unique (org_id, slug)
+);
+-- 3. roles (org-scoped, custom roles permitidos)
+create table public.roles (
+  id uuid primary key default gen_random_uuid(),
+  org_id uuid not null references public.organizations(id) on delete cascade,
+  name text not null check (name ~ '^[a-z_]+$'),
+  description text,
+  is_built_in boolean not null default false,
+  created_at timestamptz not null default now(),
+  unique (org_id, name)
+);
+-- 4. permissions (catálogo global)
+create table public.permissions (
+  id uuid primary key default gen_random_uuid(),
+  action text not null check (action ~ '^[a-z_]+$'),
+  resource text not null check (resource ~ '^[a-z_]+$'),
+  description text,
+  created_at timestamptz not null default now(),
+  unique (action, resource)
+);
+-- 5. role_permissions (M:N — roles ganham permissions)
+create table public.role_permissions (
+  role_id uuid not null references public.roles(id) on delete cascade,
+  permission_id uuid not null references public.permissions(id) on delete restrict,
+  created_at timestamptz not null default now(),
+  primary key (role_id, permission_id)
+);
+-- 6. organization_members (user ↔ org com role)
+create table public.organization_members (
+  id uuid primary key default gen_random_uuid(),
+  org_id uuid not null references public.organizations(id) on delete cascade,
+  user_id uuid not null references auth.users(id) on delete cascade,
+  role_id uuid not null references public.roles(id) on delete restrict,
+  status text not null default 'active' check (status in ('active', 'suspended', 'left')),
+  joined_at timestamptz not null default now(),
+  unique (org_id, user_id)
+);
+-- 7. department_members (user ↔ dept com role override opcional)
+create table public.department_members (
+  id uuid primary key default gen_random_uuid(),
+  dept_id uuid not null references public.departments(id) on delete cascade,
+  user_id uuid not null references auth.users(id) on delete cascade,
+  role_id uuid references public.roles(id) on delete set null, -- NULL herda do organization_members
+  is_leader boolean not null default false,
+  joined_at timestamptz not null default now(),
+  unique (dept_id, user_id)
+);
+-- Slug history (suporte a redirect 301 quando slug é mutado)
+create table public.organization_slug_history (
+  id uuid primary key default gen_random_uuid(),
+  org_id uuid not null references public.organizations(id) on delete cascade,
+  old_slug text not null,
+  new_slug text not null,
+  changed_at timestamptz not null default now(),
+  unique (old_slug)
+);
+```
+### JWT claims minimal — Custom Access Token Hook
+```sql
+-- Hook chamado pelo Supabase Auth a cada token emit
+-- Injeta apenas super_admin no app_metadata
+create or replace function public.custom_access_token_hook(event jsonb)
+returns jsonb
+language plpgsql
+security definer
+set search_path = ''
+as $$
+declare
+  claims jsonb;
+  is_super boolean;
+begin
+  -- Buscar super_admin do app_metadata atual
+  select coalesce((raw_app_meta_data->>'super_admin')::boolean, false)
+  into is_super
+  from auth.users
+  where id = (event->>'user_id')::uuid;
+  claims := event->'claims';
+  claims := jsonb_set(claims, '{app_metadata}', coalesce(claims->'app_metadata', '{}'::jsonb));
+  claims := jsonb_set(claims, '{app_metadata,super_admin}', to_jsonb(is_super));
+  event := jsonb_set(event, '{claims}', claims);
+  return event;
+end;
+$$;
+-- Registrar como hook em supabase/config.toml:
+-- [auth.hook.custom_access_token]
+-- enabled = true
+-- uri = "pg-functions://postgres/public/custom_access_token_hook"
+```
+### Set super_admin via service_role apenas
+```typescript
+// Edge Function ou backend admin com service_role key
+import { createClient } from 'jsr:@supabase/supabase-js@2'
+const admin = createClient(
+  Deno.env.get('SUPABASE_URL')!,
+  Deno.env.get('SUPABASE_SERVICE_ROLE_KEY')!  // service role — nunca expor ao client
+)
+// Promover usuário a super_admin
+await admin.auth.admin.updateUserById(userId, {
+  app_metadata: { super_admin: true }
+})
+// IMPORTANTE: usar updateUserById com app_metadata (não user_metadata)
+```
+### Slug com redirect trail
+```sql
+-- Trigger que registra mudança de slug em organization_slug_history
+create or replace function public.track_org_slug_change()
+returns trigger
+language plpgsql
+security invoker
+set search_path = ''
+as $$
+begin
+  if old.slug is distinct from new.slug then
+    insert into public.organization_slug_history (org_id, old_slug, new_slug)
+    values (new.id, old.slug, new.slug);
+  end if;
+  return new;
+end;
+$$;
+create trigger track_org_slug_change_trigger
+  after update of slug on public.organizations
+  for each row execute function public.track_org_slug_change();
+```
+App side (Next.js middleware): se `slug` em URL não existe em `organizations`, consulta `organization_slug_history.old_slug` → 301 para `/orgs/{new_slug}/`.
+## Anti-patterns
+### Anti-pattern 1: Lista de orgs no JWT (claims bloat + stale)
+**Errado:**
+```sql
+-- Hook injeta lista de orgs do user no JWT
+-- claims.app_metadata.orgs = [{id, role}, {id, role}, ...]
+```
+**Por quê:**
+- JWT tem limite ~4KB — usuário em 50 orgs estoura
+- JWT cacheado por 1h — mudança de role demora até 1h pra propagar
+- Cada Edge Function paga overhead de parsing de claims grandes
+**Certo:** JWT só com `super_admin: bool`. Helper functions PG (`private.is_member_of`, `private.has_role`) consultam o banco — fonte de verdade sem stale.
+### Anti-pattern 2: Slug mutável sem redirect trail
+**Errado:**
+```sql
+update public.organizations set slug = 'new-name' where id = '...';
+-- Sem entry em organization_slug_history
+```
+**Por quê:** bookmarks externos, webhooks Stripe/Slack, OAuth callbacks, Twitter cards, sitemaps — todos quebram silenciosamente. Cliente B2B descobre semanas depois quando recebe email "seu link parou de funcionar".
+**Certo:** trigger `track_org_slug_change` automático + middleware redirect 301 em rotas com slug.
+### Anti-pattern 3: Schema-per-tenant sem justificativa de compliance
+**Errado:**
+```sql
+-- Pra cada nova org, criar schema próprio
+create schema "org_acme";
+create table org_acme.members (...);
+-- ...repetir migration por org
+```
+**Por quê:** N migrations por nova org, provisioning lento, queries cross-tenant impossíveis sem UNION manual, monitoring complexo. Sem ganho real para SaaS comum (RLS bem feita já isola).
+**Certo:** Single Schema + `org_id` + RLS. Schema-per-tenant só quando regulatório exige.
+### Anti-pattern 4: `user_metadata` para super_admin
+**Errado:**
+```sql
+-- Policy lê super_admin de user_metadata
+using ((auth.jwt()->'user_metadata'->>'super_admin')::boolean = true)
+```
+**Por quê:** `user_metadata` é editável pelo cliente via `auth.updateUser({ data: { super_admin: true } })`. Privilege escalation imediato — qualquer usuário se torna super_admin. Documentado em [Supabase Splinter 0015](https://supabase.github.io/splinter/0015_rls_references_user_metadata/).
+**Certo:** `app_metadata.super_admin` (set apenas via service_role).
+### Anti-pattern 5: FKs sem CASCADE/RESTRICT explícito
+**Errado:**
+```sql
+references public.organizations(id)  -- default ON DELETE NO ACTION
+```
+**Por quê:** decisão importante (deletar org com 100k rows? bloquear?) fica implícita. NO ACTION pode falhar deleção sem mensagem clara. Comportamento varia por engine.
+**Certo:**
+```sql
+references public.organizations(id) on delete cascade   -- entidade dependente
+references auth.users(id) on delete restrict            -- prevenir orfão
+references public.roles(id) on delete set null          -- preservar histórico
+```
+## Ver também
+- [supabase-rls-policies](../supabase-rls-policies/SKILL.md) — anti-patterns RLS herdados (`(select auth.uid())` wrapper, no `user_metadata` em authz)
+- [supabase-database-functions](../supabase-database-functions/SKILL.md) — padrões PG functions (security invoker, search_path = '')
+- [supabase-postgres-style](../supabase-postgres-style/SKILL.md) — naming snake_case, lowercase reserved
+- [multi-tenant-rls-hierarchy](../multi-tenant-rls-hierarchy/SKILL.md) — 4 helper functions PG canônicas + policies hierárquicas (Phase 108)
+- [multi-tenant-performance-scaling](../multi-tenant-performance-scaling/SKILL.md) — Supavisor pooling + partitioning por `org_id` + MVs per-tenant (skill irmã)
+- [rbac-permissions-matrix-supabase](../rbac-permissions-matrix-supabase/SKILL.md) — modelagem permissions action × resource × scope (Phase 108)
+- [_shared-supabase/glossary.md](../_shared-supabase/glossary.md) — termos canônicos `app_metadata`, `service_role`
+- [_shared-multi-tenant/glossary.md](../_shared-multi-tenant/glossary.md) — termos novos `tenant`, `org_id`, `super_admin`, `RBAC`
+- [Supabase RLS Best Practices](https://makerkit.dev/blog/tutorials/supabase-rls-best-practices) — fonte external canônica
+- [Custom Access Token Hook — Supabase Docs](https://supabase.com/docs/guides/auth/auth-hooks/custom-access-token-hook)