@luanpdd/kit-mcp 1.30.2 → 1.32.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (365) hide show
  1. package/LICENSE +21 -21
  2. package/README.md +168 -168
  3. package/gates/agent-no-recursive-dispatch.md +84 -82
  4. package/kit/COMANDOS.md +138 -138
  5. package/kit/COMPATIBILITY.md +5 -0
  6. package/kit/README.md +76 -76
  7. package/kit/agents/advisor-researcher.md +107 -106
  8. package/kit/agents/ai-mutation-tester.md +1 -0
  9. package/kit/agents/assumptions-analyzer.md +108 -107
  10. package/kit/agents/audit-log-implementer.md +314 -313
  11. package/kit/agents/auditor-consistencia-isolamento.md +414 -413
  12. package/kit/agents/b2b-saas-architect.md +157 -156
  13. package/kit/agents/burn-rate-forecaster.md +1 -0
  14. package/kit/agents/cascading-failures-auditor.md +299 -298
  15. package/kit/agents/codebase-mapper.md +769 -768
  16. package/kit/agents/crm-pipeline-implementer.md +257 -256
  17. package/kit/agents/debugger.md +814 -813
  18. package/kit/agents/detector-tenant-quente.md +338 -337
  19. package/kit/agents/evolution-go-integrator.md +201 -200
  20. package/kit/agents/example-reviewer.md +22 -21
  21. package/kit/agents/executor.md +565 -564
  22. package/kit/agents/golden-signals-instrumenter.md +1 -0
  23. package/kit/agents/incident-investigator.md +1 -0
  24. package/kit/agents/integration-checker.md +201 -200
  25. package/kit/agents/invite-flow-implementer.md +190 -189
  26. package/kit/agents/legacy-characterizer.md +369 -368
  27. package/kit/agents/lgpd-compliance-auditor.md +296 -295
  28. package/kit/agents/load-shedding-instrumenter.md +1 -0
  29. package/kit/agents/multi-tenant-isolation-auditor.md +254 -253
  30. package/kit/agents/multi-tenant-rls-writer.md +341 -340
  31. package/kit/agents/nyquist-auditor.md +179 -178
  32. package/kit/agents/observability-coverage-auditor.md +316 -315
  33. package/kit/agents/observability-instrumenter.md +1 -0
  34. package/kit/agents/omm-auditor.md +1 -0
  35. package/kit/agents/org-onboarding-implementer.md +224 -223
  36. package/kit/agents/payload-capture-instrumenter.md +274 -273
  37. package/kit/agents/phase-researcher.md +697 -696
  38. package/kit/agents/plan-checker.md +273 -272
  39. package/kit/agents/planner.md +923 -922
  40. package/kit/agents/postmortem-writer.md +1 -0
  41. package/kit/agents/project-researcher.md +653 -652
  42. package/kit/agents/prr-conductor.md +1 -0
  43. package/kit/agents/refactor-safety-auditor.md +405 -404
  44. package/kit/agents/release-pipeline-auditor.md +1 -0
  45. package/kit/agents/research-synthesizer.md +246 -245
  46. package/kit/agents/roadmapper.md +678 -677
  47. package/kit/agents/schema-checker.md +1 -0
  48. package/kit/agents/seam-finder.md +360 -359
  49. package/kit/agents/shotgun-surgery-detector.md +350 -349
  50. package/kit/agents/slo-engineer.md +1 -0
  51. package/kit/agents/storytelling-analyst.md +1 -0
  52. package/kit/agents/supabase-architect.md +1 -0
  53. package/kit/agents/supabase-auth-bootstrapper.md +16 -1
  54. package/kit/agents/supabase-auth-hook-writer.md +418 -0
  55. package/kit/agents/supabase-branching-architect.md +563 -562
  56. package/kit/agents/supabase-cicd-pipeline-implementer.md +778 -777
  57. package/kit/agents/supabase-column-privileges-writer.md +400 -399
  58. package/kit/agents/supabase-edge-fn-tester.md +2 -1
  59. package/kit/agents/supabase-edge-fn-writer.md +2 -1
  60. package/kit/agents/supabase-mfa-implementer.md +439 -0
  61. package/kit/agents/supabase-migration-writer.md +386 -385
  62. package/kit/agents/supabase-oauth-server-implementer.md +507 -0
  63. package/kit/agents/supabase-rbac-implementer.md +393 -392
  64. package/kit/agents/supabase-realtime-implementer.md +364 -363
  65. package/kit/agents/supabase-rls-hardener.md +522 -521
  66. package/kit/agents/supabase-rls-writer.md +324 -323
  67. package/kit/agents/supabase-roles-implementer.md +356 -355
  68. package/kit/agents/supabase-social-auth-implementer.md +451 -0
  69. package/kit/agents/supabase-sso-saml-architect.md +549 -0
  70. package/kit/agents/supabase-storage-implementer.md +1 -0
  71. package/kit/agents/super-admin-implementer.md +282 -281
  72. package/kit/agents/toil-auditor.md +1 -0
  73. package/kit/agents/ui-auditor.md +438 -437
  74. package/kit/agents/ui-checker.md +303 -302
  75. package/kit/agents/ui-researcher.md +356 -355
  76. package/kit/agents/user-profiler.md +176 -175
  77. package/kit/agents/validador-evolucao-schema.md +336 -335
  78. package/kit/agents/verifier.md +729 -728
  79. package/kit/commands/adicionar-backlog.md +75 -75
  80. package/kit/commands/adicionar-fase.md +42 -42
  81. package/kit/commands/adicionar-tarefa.md +45 -45
  82. package/kit/commands/adicionar-testes.md +41 -41
  83. package/kit/commands/ajuda.md +21 -21
  84. package/kit/commands/atualizar.md +37 -37
  85. package/kit/commands/auditar-cascading.md +111 -111
  86. package/kit/commands/auditar-marco.md +179 -179
  87. package/kit/commands/auditar-observabilidade-cobertura.md +183 -183
  88. package/kit/commands/auditar-refactor.md +219 -219
  89. package/kit/commands/auditar-release.md +109 -109
  90. package/kit/commands/auditar-uat.md +23 -23
  91. package/kit/commands/autonomo.md +40 -40
  92. package/kit/commands/branch-pr.md +24 -24
  93. package/kit/commands/burn-rate-status.md +408 -408
  94. package/kit/commands/capturar-payloads.md +193 -193
  95. package/kit/commands/caracterizar.md +212 -212
  96. package/kit/commands/concluir-marco.md +247 -247
  97. package/kit/commands/configuracoes.md +36 -36
  98. package/kit/commands/dados-distribuidos.md +188 -188
  99. package/kit/commands/definir-perfil.md +10 -10
  100. package/kit/commands/depurar.md +190 -190
  101. package/kit/commands/detectar-duplicacao.md +197 -197
  102. package/kit/commands/discutir-fase.md +131 -131
  103. package/kit/commands/encontrar-seams.md +136 -136
  104. package/kit/commands/entrar-discord.md +17 -17
  105. package/kit/commands/estatisticas.md +18 -18
  106. package/kit/commands/example-greeting.md +33 -33
  107. package/kit/commands/executar-fase.md +58 -58
  108. package/kit/commands/expresso.md +56 -56
  109. package/kit/commands/fase-ui.md +34 -34
  110. package/kit/commands/fazer.md +57 -57
  111. package/kit/commands/fio.md +125 -125
  112. package/kit/commands/fluxos-trabalho.md +64 -64
  113. package/kit/commands/forense.md +176 -176
  114. package/kit/commands/gerenciador.md +38 -38
  115. package/kit/commands/inserir-fase.md +31 -31
  116. package/kit/commands/legacy.md +263 -263
  117. package/kit/commands/limpeza.md +17 -17
  118. package/kit/commands/listar-hipoteses-fase.md +45 -45
  119. package/kit/commands/listar-workspaces.md +18 -18
  120. package/kit/commands/load-shedding.md +117 -117
  121. package/kit/commands/mapear-codebase.md +70 -70
  122. package/kit/commands/multi-tenant.md +163 -163
  123. package/kit/commands/nota.md +33 -33
  124. package/kit/commands/novo-marco.md +43 -43
  125. package/kit/commands/novo-projeto.md +41 -41
  126. package/kit/commands/novo-workspace.md +43 -43
  127. package/kit/commands/pausar-trabalho.md +37 -37
  128. package/kit/commands/perfil-usuario.md +45 -45
  129. package/kit/commands/pesquisar-fase.md +195 -195
  130. package/kit/commands/planejar-fase.md +67 -67
  131. package/kit/commands/planejar-lacunas.md +33 -33
  132. package/kit/commands/plantar-ideia.md +25 -25
  133. package/kit/commands/progresso.md +24 -24
  134. package/kit/commands/proximo.md +30 -30
  135. package/kit/commands/publicar.md +490 -490
  136. package/kit/commands/rapido.md +35 -35
  137. package/kit/commands/reaplicar-patches.md +124 -124
  138. package/kit/commands/refactor-seguro.md +321 -321
  139. package/kit/commands/relatorio-sessao.md +19 -19
  140. package/kit/commands/remover-fase.md +31 -31
  141. package/kit/commands/remover-workspace.md +26 -26
  142. package/kit/commands/resumo-marco.md +50 -50
  143. package/kit/commands/retomar-trabalho.md +40 -40
  144. package/kit/commands/revisar-backlog.md +60 -60
  145. package/kit/commands/revisar-ui.md +32 -32
  146. package/kit/commands/revisar.md +37 -37
  147. package/kit/commands/saude.md +21 -21
  148. package/kit/commands/setup-notion.md +93 -93
  149. package/kit/commands/storytelling.md +179 -179
  150. package/kit/commands/supabase.md +21 -1
  151. package/kit/commands/sync-main.md +68 -68
  152. package/kit/commands/validar-fase.md +35 -35
  153. package/kit/commands/verificar-tarefas.md +44 -44
  154. package/kit/commands/verificar-trabalho.md +64 -64
  155. package/kit/file-manifest.json +100 -84
  156. package/kit/framework/bin/lib/commands.cjs +959 -959
  157. package/kit/framework/bin/lib/config.cjs +442 -442
  158. package/kit/framework/bin/lib/core.cjs +1230 -1230
  159. package/kit/framework/bin/lib/frontmatter.cjs +336 -336
  160. package/kit/framework/bin/lib/init.cjs +1442 -1442
  161. package/kit/framework/bin/lib/milestone.cjs +252 -252
  162. package/kit/framework/bin/lib/model-profiles.cjs +68 -68
  163. package/kit/framework/bin/lib/phase.cjs +888 -888
  164. package/kit/framework/bin/lib/profile-output.cjs +952 -952
  165. package/kit/framework/bin/lib/profile-pipeline.cjs +539 -539
  166. package/kit/framework/bin/lib/roadmap.cjs +329 -329
  167. package/kit/framework/bin/lib/security.cjs +382 -382
  168. package/kit/framework/bin/lib/state.cjs +1031 -1031
  169. package/kit/framework/bin/lib/template.cjs +222 -222
  170. package/kit/framework/bin/lib/uat.cjs +282 -282
  171. package/kit/framework/bin/lib/verify.cjs +888 -888
  172. package/kit/framework/bin/lib/workstream.cjs +491 -491
  173. package/kit/framework/bin/tools.cjs +918 -918
  174. package/kit/framework/commands/workstreams.md +63 -63
  175. package/kit/framework/references/checkpoints.md +778 -778
  176. package/kit/framework/references/continuation-format.md +249 -249
  177. package/kit/framework/references/decimal-phase-calculation.md +64 -64
  178. package/kit/framework/references/git-integration.md +295 -295
  179. package/kit/framework/references/git-planning-commit.md +38 -38
  180. package/kit/framework/references/model-profile-resolution.md +36 -36
  181. package/kit/framework/references/model-profiles.md +139 -139
  182. package/kit/framework/references/phase-argument-parsing.md +61 -61
  183. package/kit/framework/references/planning-config.md +202 -202
  184. package/kit/framework/references/questioning.md +162 -162
  185. package/kit/framework/references/tdd.md +263 -263
  186. package/kit/framework/references/ui-brand.md +160 -160
  187. package/kit/framework/references/user-profiling.md +657 -657
  188. package/kit/framework/references/verification-patterns.md +612 -612
  189. package/kit/framework/references/workstream-flag.md +58 -58
  190. package/kit/framework/templates/DEBUG.md +164 -164
  191. package/kit/framework/templates/UAT.md +265 -265
  192. package/kit/framework/templates/UI-SPEC.md +100 -100
  193. package/kit/framework/templates/VALIDATION.md +76 -76
  194. package/kit/framework/templates/claude-md.md +122 -122
  195. package/kit/framework/templates/codebase/architecture.md +185 -185
  196. package/kit/framework/templates/codebase/concerns.md +205 -205
  197. package/kit/framework/templates/codebase/conventions.md +204 -204
  198. package/kit/framework/templates/codebase/integrations.md +192 -192
  199. package/kit/framework/templates/codebase/stack.md +158 -158
  200. package/kit/framework/templates/codebase/structure.md +199 -199
  201. package/kit/framework/templates/codebase/testing.md +301 -301
  202. package/kit/framework/templates/config.json +44 -44
  203. package/kit/framework/templates/context.md +352 -352
  204. package/kit/framework/templates/continue-here.md +78 -78
  205. package/kit/framework/templates/copilot-instructions.md +7 -7
  206. package/kit/framework/templates/debug-subagent-prompt.md +91 -91
  207. package/kit/framework/templates/dev-preferences.md +20 -20
  208. package/kit/framework/templates/discovery.md +146 -146
  209. package/kit/framework/templates/discussion-log.md +63 -63
  210. package/kit/framework/templates/milestone-archive.md +123 -123
  211. package/kit/framework/templates/milestone.md +115 -115
  212. package/kit/framework/templates/phase-prompt.md +610 -610
  213. package/kit/framework/templates/planner-subagent-prompt.md +117 -117
  214. package/kit/framework/templates/project.md +186 -186
  215. package/kit/framework/templates/requirements.md +231 -231
  216. package/kit/framework/templates/research-project/ARCHITECTURE.md +204 -204
  217. package/kit/framework/templates/research-project/FEATURES.md +147 -147
  218. package/kit/framework/templates/research-project/PITFALLS.md +200 -200
  219. package/kit/framework/templates/research-project/STACK.md +120 -120
  220. package/kit/framework/templates/research-project/SUMMARY.md +170 -170
  221. package/kit/framework/templates/research.md +419 -419
  222. package/kit/framework/templates/retrospective.md +54 -54
  223. package/kit/framework/templates/roadmap.md +202 -202
  224. package/kit/framework/templates/state.md +176 -176
  225. package/kit/framework/templates/summary-complex.md +59 -59
  226. package/kit/framework/templates/summary-minimal.md +41 -41
  227. package/kit/framework/templates/summary-standard.md +48 -48
  228. package/kit/framework/templates/summary.md +209 -209
  229. package/kit/framework/templates/user-profile.md +146 -146
  230. package/kit/framework/templates/user-setup.md +256 -256
  231. package/kit/framework/templates/verification-report.md +258 -258
  232. package/kit/framework/workflows/add-phase.md +112 -112
  233. package/kit/framework/workflows/add-tests.md +351 -351
  234. package/kit/framework/workflows/add-todo.md +158 -158
  235. package/kit/framework/workflows/audit-milestone.md +340 -340
  236. package/kit/framework/workflows/audit-uat.md +109 -109
  237. package/kit/framework/workflows/autonomous.md +891 -891
  238. package/kit/framework/workflows/check-todos.md +177 -177
  239. package/kit/framework/workflows/cleanup.md +152 -152
  240. package/kit/framework/workflows/complete-milestone.md +696 -696
  241. package/kit/framework/workflows/diagnose-issues.md +231 -231
  242. package/kit/framework/workflows/discovery-phase.md +289 -289
  243. package/kit/framework/workflows/discuss-phase-assumptions.md +653 -653
  244. package/kit/framework/workflows/discuss-phase.md +784 -784
  245. package/kit/framework/workflows/do.md +104 -104
  246. package/kit/framework/workflows/execute-phase.md +838 -838
  247. package/kit/framework/workflows/execute-plan.md +510 -510
  248. package/kit/framework/workflows/fast.md +102 -102
  249. package/kit/framework/workflows/forensics.md +265 -265
  250. package/kit/framework/workflows/health.md +181 -181
  251. package/kit/framework/workflows/help.md +619 -619
  252. package/kit/framework/workflows/insert-phase.md +130 -130
  253. package/kit/framework/workflows/list-phase-assumptions.md +178 -178
  254. package/kit/framework/workflows/list-workspaces.md +56 -56
  255. package/kit/framework/workflows/manager.md +362 -362
  256. package/kit/framework/workflows/map-codebase.md +377 -377
  257. package/kit/framework/workflows/milestone-summary.md +223 -223
  258. package/kit/framework/workflows/new-milestone.md +486 -486
  259. package/kit/framework/workflows/new-project.md +1159 -1159
  260. package/kit/framework/workflows/new-workspace.md +237 -237
  261. package/kit/framework/workflows/next.md +97 -97
  262. package/kit/framework/workflows/node-repair.md +92 -92
  263. package/kit/framework/workflows/note.md +156 -156
  264. package/kit/framework/workflows/pause-work.md +176 -176
  265. package/kit/framework/workflows/plan-milestone-gaps.md +273 -273
  266. package/kit/framework/workflows/plan-phase.md +765 -765
  267. package/kit/framework/workflows/plant-seed.md +169 -169
  268. package/kit/framework/workflows/pr-branch.md +129 -129
  269. package/kit/framework/workflows/profile-user.md +450 -450
  270. package/kit/framework/workflows/progress.md +507 -507
  271. package/kit/framework/workflows/quick.md +757 -757
  272. package/kit/framework/workflows/remove-phase.md +155 -155
  273. package/kit/framework/workflows/remove-workspace.md +90 -90
  274. package/kit/framework/workflows/research-phase.md +82 -82
  275. package/kit/framework/workflows/resume-project.md +326 -326
  276. package/kit/framework/workflows/review.md +228 -228
  277. package/kit/framework/workflows/session-report.md +146 -146
  278. package/kit/framework/workflows/settings.md +283 -283
  279. package/kit/framework/workflows/ship.md +228 -228
  280. package/kit/framework/workflows/stats.md +60 -60
  281. package/kit/framework/workflows/transition.md +671 -671
  282. package/kit/framework/workflows/ui-phase.md +302 -302
  283. package/kit/framework/workflows/ui-review.md +165 -165
  284. package/kit/framework/workflows/update.md +323 -323
  285. package/kit/framework/workflows/validate-phase.md +174 -174
  286. package/kit/framework/workflows/verify-phase.md +252 -252
  287. package/kit/framework/workflows/verify-work.md +637 -637
  288. package/kit/hooks/check-update.js +118 -118
  289. package/kit/hooks/context-monitor.js +163 -163
  290. package/kit/hooks/kit-attribution-reminder.cjs +29 -50
  291. package/kit/hooks/kit-router.cjs +137 -0
  292. package/kit/hooks/prompt-guard.js +103 -103
  293. package/kit/hooks/statusline.js +125 -125
  294. package/kit/hooks/workflow-guard.js +101 -101
  295. package/kit/settings.json +45 -45
  296. package/kit/skills/ai-prompt-characterization/SKILL.md +335 -335
  297. package/kit/skills/armadilhas-sistemas-distribuidos/SKILL.md +447 -447
  298. package/kit/skills/audit-log-multi-tenant/SKILL.md +340 -340
  299. package/kit/skills/b2b-saas-architecture/SKILL.md +300 -300
  300. package/kit/skills/consistencia-leitura-replica/SKILL.md +385 -385
  301. package/kit/skills/crm-lead-pipeline-patterns/SKILL.md +343 -343
  302. package/kit/skills/escolha-modelo-consistencia/SKILL.md +494 -494
  303. package/kit/skills/evolucao-schema-compativel/SKILL.md +448 -448
  304. package/kit/skills/evolution-go-whatsapp-integration/SKILL.md +322 -322
  305. package/kit/skills/example-skill/SKILL.md +42 -42
  306. package/kit/skills/legacy-api-only-applications/SKILL.md +358 -358
  307. package/kit/skills/legacy-characterization-tests/SKILL.md +330 -330
  308. package/kit/skills/legacy-effect-analysis/SKILL.md +331 -331
  309. package/kit/skills/legacy-extract-class/SKILL.md +203 -203
  310. package/kit/skills/legacy-programming-by-difference/SKILL.md +252 -252
  311. package/kit/skills/legacy-seams-and-test-harness/SKILL.md +460 -460
  312. package/kit/skills/legacy-shotgun-surgery/SKILL.md +286 -286
  313. package/kit/skills/legacy-sprout-wrap-techniques/SKILL.md +434 -434
  314. package/kit/skills/legacy-storytelling-naked-crc/SKILL.md +270 -270
  315. package/kit/skills/lgpd-multi-tenant-compliance/SKILL.md +340 -340
  316. package/kit/skills/member-invite-flow/SKILL.md +305 -305
  317. package/kit/skills/member-management-react-shadcn/SKILL.md +328 -328
  318. package/kit/skills/multi-tenant-performance-scaling/SKILL.md +316 -316
  319. package/kit/skills/multi-tenant-rls-hierarchy/SKILL.md +342 -342
  320. package/kit/skills/org-onboarding-flow/SKILL.md +257 -257
  321. package/kit/skills/org-switcher-react-pattern/SKILL.md +349 -349
  322. package/kit/skills/permission-gate-react-pattern/SKILL.md +271 -271
  323. package/kit/skills/postgres-isolamento-concorrencia/SKILL.md +552 -552
  324. package/kit/skills/pre-refactor-characterization/SKILL.md +421 -421
  325. package/kit/skills/rbac-permissions-matrix-supabase/SKILL.md +338 -338
  326. package/kit/skills/streams-eventos-cdc/SKILL.md +711 -711
  327. package/kit/skills/supabase-auth-hardening/SKILL.md +674 -0
  328. package/kit/skills/supabase-auth-hooks/SKILL.md +875 -0
  329. package/kit/skills/supabase-auth-methods/SKILL.md +486 -0
  330. package/kit/skills/supabase-auth-sessions/SKILL.md +579 -0
  331. package/kit/skills/supabase-auth-ssr/SKILL.md +60 -14
  332. package/kit/skills/supabase-branching-workflow/SKILL.md +544 -544
  333. package/kit/skills/supabase-ci-cd-github-actions/SKILL.md +880 -880
  334. package/kit/skills/supabase-column-level-security/SKILL.md +426 -426
  335. package/kit/skills/supabase-config-toml-remotes/SKILL.md +807 -807
  336. package/kit/skills/supabase-custom-claims-rbac/SKILL.md +472 -472
  337. package/kit/skills/supabase-edge-functions/SKILL.md +1 -1
  338. package/kit/skills/supabase-edge-functions-auth/SKILL.md +1 -1
  339. package/kit/skills/supabase-edge-functions-limits/SKILL.md +1 -1
  340. package/kit/skills/supabase-edge-functions-mcp-server/SKILL.md +1 -1
  341. package/kit/skills/supabase-edge-functions-testing/SKILL.md +1 -1
  342. package/kit/skills/supabase-edge-runtime-builtins/SKILL.md +1 -1
  343. package/kit/skills/supabase-enterprise-sso-saml/SKILL.md +545 -0
  344. package/kit/skills/supabase-jwt-signing-keys/SKILL.md +399 -0
  345. package/kit/skills/supabase-mfa/SKILL.md +488 -0
  346. package/kit/skills/supabase-migration-repair/SKILL.md +823 -823
  347. package/kit/skills/supabase-migrations/SKILL.md +297 -297
  348. package/kit/skills/supabase-oauth-server/SKILL.md +537 -0
  349. package/kit/skills/supabase-pgtap-testing/SKILL.md +1053 -1053
  350. package/kit/skills/supabase-postgres-roles/SKILL.md +392 -392
  351. package/kit/skills/supabase-realtime/SKILL.md +460 -460
  352. package/kit/skills/supabase-rls-defense-in-depth/SKILL.md +418 -418
  353. package/kit/skills/supabase-rls-policies/SKILL.md +635 -635
  354. package/kit/skills/supabase-social-oauth/SKILL.md +480 -0
  355. package/kit/skills/supabase-third-party-auth/SKILL.md +450 -0
  356. package/kit/skills/super-admin-platform-pattern/SKILL.md +326 -326
  357. package/kit/skills/tenant-quente-mitigacao/SKILL.md +605 -605
  358. package/kit/skills/whatsapp-conversation-state-machine/SKILL.md +287 -287
  359. package/package.json +1 -1
  360. package/src/core/kit.js +216 -216
  361. package/src/core/reflect.js +247 -247
  362. package/src/core/reverse-sync.js +372 -372
  363. package/src/core/sync.js +437 -418
  364. package/src/core/watch.js +121 -121
  365. package/src/mcp-server/index.js +794 -746
package/kit/skills/supabase-auth-methods/SKILL.md ADDED
@@ -0,0 +1,486 @@
1
+ ---
2
+ name: supabase-auth-methods
3
+ description: Use ao implementar fluxos de autenticação de usuário final no Supabase — senha, magic link, OTP, anônimo, Web3 e identity linking.
4
+ ---
5
+
6
+ # Supabase — Métodos de Autenticação
7
+
8
+ ## Quando usar
9
+
10
+ LLM carrega esta skill quando implementar **métodos de autenticação de usuário final** no Supabase — qualquer fluxo que o usuário final use para criar conta ou fazer login.
11
+
12
+ Trigger phrases:
13
+
14
+ - "sign up Supabase", "signInWithPassword", "signUp email"
15
+ - "magic link", "signInWithOtp", "OTP email"
16
+ - "phone login", "OTP SMS", "phone OTP"
17
+ - "anonymous sign in", "signInAnonymously", "usuário anônimo"
18
+ - "Web3 login Supabase", "signInWithWeb3", "wallet login"
19
+ - "identity linking", "linkIdentity", "unlinkIdentity"
20
+ - "reset password", "resetPasswordForEmail", "updateUser password"
21
+ - "signOut", "logout Supabase"
22
+ - "verifyOtp", "confirmar código OTP"
23
+ - "is_anonymous claim", "getClaims Supabase"
24
+
25
+ ## Regras absolutas
26
+
27
+ 1. **SSR sempre usa PKCE.** Todo fluxo de confirmação/callback no servidor deve ir por `/auth/confirm` com `verifyOtp({ type, token_hash })`, nunca com token de URL fragment.
28
+ 2. **Validar sessão no servidor com `getClaims()`**, não com `getSession()`. `getClaims()` valida a assinatura do JWT; `getSession()` não valida contra o servidor.
29
+ 3. **Usuário anônimo exige política RLS RESTRICTIVE** checando `(auth.jwt()->>'is_anonymous')::boolean`. Política só PERMISSIVE não basta — um anônimo pode ter acesso a dados de outros anônimos.
30
+ 4. **Nunca expor `sb_secret_`/`service_role`** no cliente. Chaves de servidor ficam exclusivamente em variáveis de ambiente server-side.
31
+ 5. **`@supabase/ssr` sempre, `@supabase/auth-helpers-nextjs` nunca.** O pacote `auth-helpers-nextjs` está deprecated.
32
+ 6. **Nunca confiar em `user_metadata`** em RLS policies — o usuário pode escrever nesse campo. Use `app_metadata` (via admin API) ou claims customizados.
33
+ 7. **Telefone como identificador de senha é desencorajado** — números de telefone são reciclados pelas operadoras. Se usar, exija MFA obrigatório.
34
+
35
+ ## Autenticação por Senha (email / telefone)
36
+
37
+ ### Cadastro com email
38
+
39
+ ```ts
40
+ import { createClient } from '@supabase/ssr'
41
+
42
+ const supabase = createClient(
43
+ process.env.NEXT_PUBLIC_SUPABASE_URL!,
44
+ process.env.NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY! // sb_publishable_...
45
+ )
46
+
47
+ const { data, error } = await supabase.auth.signUp({
48
+ email: 'usuario@exemplo.com',
49
+ password: 'senha-segura',
50
+ options: {
51
+ emailRedirectTo: 'https://meuapp.com/auth/confirm',
52
+ data: {
53
+ nome_completo: 'Maria Silva', // user_metadata — só dados não-privilegiados
54
+ },
55
+ },
56
+ })
57
+ ```
58
+
59
+ O Supabase envia email de confirmação. O link de confirmação redireciona para `emailRedirectTo` com `?token_hash=...&type=signup` (fluxo PKCE).
60
+
61
+ ### Route handler `/auth/confirm` — confirmação PKCE
62
+
63
+ ```ts
64
+ // app/auth/confirm/route.ts (Next.js App Router)
65
+ import { type EmailOtpType } from '@supabase/supabase-js'
66
+ import { type NextRequest, NextResponse } from 'next/server'
67
+ import { createClient } from '@/lib/supabase/server'
68
+
69
+ export async function GET(request: NextRequest) {
70
+ const { searchParams, origin } = new URL(request.url)
71
+ const token_hash = searchParams.get('token_hash')
72
+ const type = searchParams.get('type') as EmailOtpType | null
73
+ const next = searchParams.get('next') ?? '/'
74
+
75
+ if (token_hash && type) {
76
+ const supabase = await createClient()
77
+ const { error } = await supabase.auth.verifyOtp({ type, token_hash })
78
+
79
+ if (!error) {
80
+ // Redireciona para a página de destino após confirmação
81
+ return NextResponse.redirect(`${origin}${next}`)
82
+ }
83
+ }
84
+
85
+ // Redireciona para página de erro caso falhe
86
+ return NextResponse.redirect(`${origin}/auth/error`)
87
+ }
88
+ ```
89
+
90
+ ### Login com senha
91
+
92
+ ```ts
93
+ const { data, error } = await supabase.auth.signInWithPassword({
94
+ email: 'usuario@exemplo.com',
95
+ password: 'senha-segura',
96
+ })
97
+
98
+ // Alternativa com telefone (desencorajado — ver Regra 7)
99
+ const { data, error } = await supabase.auth.signInWithPassword({
100
+ phone: '+5511999990000',
101
+ password: 'senha-segura',
102
+ })
103
+ ```
104
+
105
+ ### Fluxo de reset de senha (PKCE completo)
106
+
107
+ ```ts
108
+ // 1. Solicitar reset — envia email com link
109
+ const { error } = await supabase.auth.resetPasswordForEmail(
110
+ 'usuario@exemplo.com',
111
+ { redirectTo: 'https://meuapp.com/auth/confirm?next=/conta/nova-senha' }
112
+ )
113
+
114
+ // 2. Route handler /auth/confirm processa token_hash com type='recovery'
115
+ // (mesmo código acima — verifyOtp com type='recovery')
116
+
117
+ // 3. Após redirect, na página /conta/nova-senha — atualizar senha
118
+ const { error } = await supabase.auth.updateUser({
119
+ password: 'nova-senha-segura',
120
+ })
121
+
122
+ // 4. Verificar senha atual antes de trocar (segurança extra)
123
+ const { error } = await supabase.auth.updateUser({
124
+ password: 'nova-senha-segura',
125
+ // currentPassword disponível dependendo de configuração do projeto
126
+ })
127
+ ```
128
+
129
+ ## Magic Link e OTP por Email
130
+
131
+ ### Magic link (padrão)
132
+
133
+ ```ts
134
+ // Envia magic link por padrão (link clicável no email)
135
+ const { error } = await supabase.auth.signInWithOtp({
136
+ email: 'usuario@exemplo.com',
137
+ options: {
138
+ emailRedirectTo: 'https://meuapp.com/auth/confirm',
139
+ shouldCreateUser: true, // false = só login, não cria conta nova
140
+ },
141
+ })
142
+ ```
143
+
144
+ ### OTP de 6 dígitos por email
145
+
146
+ Para ativar OTP numérico em vez de magic link: edite o template de email no Dashboard (`Authentication > Email Templates`) incluindo `{{ .Token }}` no corpo — a presença do token muda o comportamento para OTP.
147
+
148
+ ```ts
149
+ // Verificar OTP de 6 dígitos enviado por email
150
+ const { data, error } = await supabase.auth.verifyOtp({
151
+ email: 'usuario@exemplo.com',
152
+ token: '123456', // código digitado pelo usuário
153
+ type: 'email',
154
+ })
155
+ ```
156
+
157
+ ## OTP por Telefone (SMS / WhatsApp)
158
+
159
+ ### Enviar OTP por SMS
160
+
161
+ ```ts
162
+ const { error } = await supabase.auth.signInWithOtp({
163
+ phone: '+5511999990000',
164
+ options: {
165
+ channel: 'sms', // 'sms' (padrão) | 'whatsapp'
166
+ shouldCreateUser: true,
167
+ },
168
+ })
169
+ ```
170
+
171
+ ### Verificar OTP por telefone
172
+
173
+ ```ts
174
+ const { data, error } = await supabase.auth.verifyOtp({
175
+ phone: '+5511999990000',
176
+ token: '123456',
177
+ type: 'sms', // 'sms' | 'whatsapp'
178
+ })
179
+ ```
180
+
181
+ ### Atualizar telefone do usuário autenticado
182
+
183
+ ```ts
184
+ // 1. Solicita a mudança — envia OTP para novo número
185
+ const { error } = await supabase.auth.updateUser({
186
+ phone: '+5521888880000',
187
+ })
188
+
189
+ // 2. Verificar OTP enviado ao novo número
190
+ const { error } = await supabase.auth.verifyOtp({
191
+ phone: '+5521888880000',
192
+ token: '654321',
193
+ type: 'phone_change', // type específico para troca de telefone
194
+ })
195
+ ```
196
+
197
+ **Atenção:** configure um provider SMS no Dashboard (`Authentication > Phone`) antes de usar — Twilio, MessageBird, Vonage, ou Textlocal.
198
+
199
+ ## Login Anônimo
200
+
201
+ ### Sign in anônimo
202
+
203
+ ```ts
204
+ const { data, error } = await supabase.auth.signInAnonymously()
205
+
206
+ // O usuário anônimo recebe um JWT com:
207
+ // - role: 'authenticated' (igual a usuário normal — importante para RLS)
208
+ // - is_anonymous: true (claim para distinguir no JWT)
209
+ ```
210
+
211
+ ### RLS para dados de usuários anônimos
212
+
213
+ **Obrigatório: política RESTRICTIVE checando `is_anonymous`**
214
+
215
+ ```sql
216
+ -- Política RESTRICTIVE: nega acesso mesmo se outras permitem
217
+ -- Impede que usuários anônimos vejam dados de outros usuários
218
+ create policy "Anônimos só acessam os próprios dados" on public.rascunhos
219
+ as restrictive -- RESTRICTIVE, não permissive
220
+ for all
221
+ to authenticated
222
+ using (
223
+ auth.uid() = user_id
224
+ and not (auth.jwt()->>'is_anonymous')::boolean -- bloqueia anônimos de dados compartilhados
225
+ );
226
+
227
+ -- Política PERMISSIVE complementar: anônimo pode criar/ler próprios rascunhos
228
+ create policy "Anônimos criam rascunhos" on public.rascunhos
229
+ as permissive
230
+ for all
231
+ to authenticated
232
+ using (auth.uid() = user_id)
233
+ with check (auth.uid() = user_id);
234
+ ```
235
+
236
+ ### Converter conta anônima em permanente
237
+
238
+ ```ts
239
+ // Opção 1: vincular email/senha
240
+ const { error } = await supabase.auth.updateUser({
241
+ email: 'usuario@exemplo.com',
242
+ password: 'senha-nova',
243
+ })
244
+ // Supabase envia email de confirmação; ao confirmar, conta deixa de ser anônima
245
+
246
+ // Opção 2: vincular via OAuth (linkIdentity)
247
+ const { error } = await supabase.auth.linkIdentity({
248
+ provider: 'google',
249
+ options: { redirectTo: 'https://meuapp.com/auth/confirm' },
250
+ })
251
+ ```
252
+
253
+ ### Prevenção de abuso de contas anônimas
254
+
255
+ ```ts
256
+ // Adicionar CAPTCHA ao signInAnonymously (requer Turnstile/hCaptcha configurado)
257
+ const { error } = await supabase.auth.signInAnonymously({
258
+ options: { captchaToken: tokenDoTurnstile },
259
+ })
260
+ ```
261
+
262
+ ```sql
263
+ -- Cleanup de contas anônimas antigas (executar via cron/pg_cron)
264
+ delete from auth.users
265
+ where is_anonymous is true
266
+ and created_at < now() - interval '30 days';
267
+ ```
268
+
269
+ **Configurações recomendadas no Dashboard:**
270
+ - Habilitar CAPTCHA em `Authentication > Sign In / Up > CAPTCHA protection`
271
+ - Rate limit: padrão 30 sign-ins anônimos/hora por IP — mantenha esse limite
272
+
273
+ ## Login com Web3
274
+
275
+ ```ts
276
+ // Suporte a Ethereum (EIP-4361 / Sign-In with Ethereum) e Solana
277
+ const { data, error } = await supabase.auth.signInWithWeb3({
278
+ chain: 'ethereum', // 'ethereum' | 'solana'
279
+ // statement: mensagem customizada exibida na wallet (opcional)
280
+ statement: 'Entre no MeuApp com sua carteira',
281
+ })
282
+ ```
283
+
284
+ **Pré-requisitos:**
285
+ - URL do app deve estar na allowlist de Redirect URLs no Dashboard (`Authentication > URL Configuration`)
286
+ - Habilitar CAPTCHA para evitar abuso de contas Web3
287
+ - Rate limit específico Web3 (configurável no Dashboard)
288
+
289
+ **Fluxo técnico (EIP-4361):**
290
+ 1. Supabase gera mensagem SIWE (Sign-In with Ethereum) com nonce
291
+ 2. Usuário assina com wallet (MetaMask, WalletConnect etc.)
292
+ 3. `signInWithWeb3` verifica a assinatura e emite sessão
293
+
294
+ ## Identity Linking (Vincular Identidades)
295
+
296
+ ### Linking automático vs manual
297
+
298
+ **Linking automático:** se o provider externo retorna o mesmo email já cadastrado, o Supabase vincula automaticamente as identidades (comportamento padrão, configurável).
299
+
300
+ **Linking manual:** o usuário autenticado pode vincular uma nova identidade OAuth explicitamente.
301
+
302
+ ```ts
303
+ // Habilitar no Dashboard: Authentication > Sign In Methods > Linked Identities
304
+
305
+ // Vincular nova identidade OAuth ao usuário já autenticado
306
+ const { data, error } = await supabase.auth.linkIdentity({
307
+ provider: 'google',
308
+ options: { redirectTo: 'https://meuapp.com/auth/confirm' },
309
+ })
310
+
311
+ // Listar todas as identidades vinculadas
312
+ const { data: { identities } } = await supabase.auth.getUserIdentities()
313
+ // identities: Array<{ id, user_id, identity_data, provider, created_at }>
314
+
315
+ // Desvincular uma identidade (usuário deve ter ao menos uma outra forma de login)
316
+ const identity = identities[0]
317
+ const { error } = await supabase.auth.unlinkIdentity(identity)
318
+ ```
319
+
320
+ ### Resolver conflitos de identidade
321
+
322
+ ```ts
323
+ // Ao vincular, o provider pode retornar uma identidade que já existe em outra conta
324
+ // O Supabase lança AuthError com código 'identity_already_exists'
325
+
326
+ const { error } = await supabase.auth.linkIdentity({ provider: 'github' })
327
+
328
+ if (error?.code === 'identity_already_exists') {
329
+ // Orientar o usuário a fazer login pela conta original e desvincular de lá,
330
+ // ou exibir mensagem explicativa
331
+ console.error('Essa identidade já está vinculada a outra conta.')
332
+ }
333
+ ```
334
+
335
+ ## Sign Out
336
+
337
+ ```ts
338
+ // Encerrar somente a sessão atual (dispositivo atual)
339
+ await supabase.auth.signOut({ scope: 'local' })
340
+
341
+ // Encerrar TODAS as sessões em todos os dispositivos
342
+ await supabase.auth.signOut({ scope: 'global' })
343
+
344
+ // Encerrar todas as OUTRAS sessões, mantendo a atual ativa
345
+ await supabase.auth.signOut({ scope: 'others' })
346
+ ```
347
+
348
+ ## Validação de sessão no servidor com `getClaims()`
349
+
350
+ ```ts
351
+ // lib/supabase/server.ts — sempre use getClaims() para validar no servidor
352
+ import { createServerClient } from '@supabase/ssr'
353
+ import { cookies } from 'next/headers'
354
+
355
+ export async function getAuthenticatedUser() {
356
+ const cookieStore = await cookies()
357
+ const supabase = createServerClient(
358
+ process.env.NEXT_PUBLIC_SUPABASE_URL!,
359
+ process.env.NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY!,
360
+ {
361
+ cookies: {
362
+ getAll() { return cookieStore.getAll() },
363
+ setAll(cookiesToSet) {
364
+ cookiesToSet.forEach(({ name, value, options }) =>
365
+ cookieStore.set(name, value, options)
366
+ )
367
+ },
368
+ },
369
+ }
370
+ )
371
+
372
+ // getClaims() valida assinatura do JWT — use sempre no servidor
373
+ const { data: { claims }, error } = await supabase.auth.getClaims()
374
+
375
+ if (error || !claims) return null
376
+
377
+ return {
378
+ userId: claims.sub,
379
+ email: claims.email,
380
+ isAnonymous: claims.is_anonymous === true,
381
+ role: claims.user_role, // custom claim via auth hook (ver skill supabase-custom-claims-rbac)
382
+ }
383
+ }
384
+ ```
385
+
386
+ ## Anti-patterns
387
+
388
+ ### 1. Usar `getSession()` para validar no servidor
389
+
390
+ **Errado:**
391
+ ```ts
392
+ // NÃO faça isso em Server Components ou Route Handlers
393
+ const { data: { session } } = await supabase.auth.getSession()
394
+ if (!session) return redirect('/login')
395
+ const userId = session.user.id // INSEGURO — sessão pode estar adulterada
396
+ ```
397
+
398
+ **Por quê:** `getSession()` lê cookies locais sem validar a assinatura do JWT. Um cookie adulterado passa despercebido.
399
+
400
+ **Certo:**
401
+ ```ts
402
+ const { data: { claims }, error } = await supabase.auth.getClaims()
403
+ if (error || !claims) return redirect('/login')
404
+ const userId = claims.sub
405
+ ```
406
+
407
+ ### 2. Usar `auth-helpers-nextjs`
408
+
409
+ **Errado:**
410
+ ```ts
411
+ import { createServerComponentClient } from '@supabase/auth-helpers-nextjs'
412
+ ```
413
+
414
+ **Por quê:** `@supabase/auth-helpers-nextjs` está deprecated e usa `getAll`/`setAll` de forma incompatível com o runtime mais recente do Next.js.
415
+
416
+ **Certo:**
417
+ ```ts
418
+ import { createServerClient } from '@supabase/ssr'
419
+ ```
420
+
421
+ ### 3. Confiar em `user_metadata` em RLS
422
+
423
+ **Errado:**
424
+ ```sql
425
+ -- user_metadata é editável pelo próprio usuário via updateUser({ data: {...} })
426
+ create policy "Admin pode tudo" on public.pedidos
427
+ using ((auth.jwt()->'user_metadata'->>'role') = 'admin'); -- VULNERÁVEL
428
+ ```
429
+
430
+ **Por quê:** qualquer usuário pode chamar `supabase.auth.updateUser({ data: { role: 'admin' } })` e escalar privilégios.
431
+
432
+ **Certo:** use `app_metadata` (somente editável via admin API / service_role) ou custom claims via Auth Hook (ver [supabase-custom-claims-rbac](../supabase-custom-claims-rbac/SKILL.md)).
433
+
434
+ ### 4. Política só PERMISSIVE para usuários anônimos
435
+
436
+ **Errado:**
437
+ ```sql
438
+ -- Uma única política PERMISSIVE não impede cross-user data leak para anônimos
439
+ create policy "Usuário acessa próprios dados" on public.sessoes
440
+ as permissive for select to authenticated
441
+ using (auth.uid() = user_id);
442
+ ```
443
+
444
+ **Por quê:** um anônimo com `user_id` correto passa na policy permissiva, mas não há barreira para impedir que anônimos cruzem dados com `service_role` injetado.
445
+
446
+ **Certo:** adicione política RESTRICTIVE explícita que cheque `is_anonymous`:
447
+ ```sql
448
+ create policy "Bloqueia anônimos de dados sensíveis" on public.pagamentos
449
+ as restrictive for all to authenticated
450
+ using (not (auth.jwt()->>'is_anonymous')::boolean);
451
+ ```
452
+
453
+ ### 5. Expor `sb_secret_` no cliente
454
+
455
+ **Errado:**
456
+ ```ts
457
+ // NUNCA — expõe chave com privilégios de service_role ao navegador
458
+ const supabase = createClient(URL, process.env.SUPABASE_SECRET_KEY!)
459
+ ```
460
+
461
+ **Por quê:** a chave `sb_secret_` (ou `service_role`) bypassa RLS completamente. Qualquer pessoa com DevTools tem acesso irrestrito ao banco.
462
+
463
+ **Certo:** use apenas `sb_publishable_` (ou `anon`) no cliente. Operações privilegiadas ficam em route handlers/server actions com `sb_secret_`.
464
+
465
+ ### 6. Ignorar conflitos de identidade ao vincular
466
+
467
+ **Errado:**
468
+ ```ts
469
+ await supabase.auth.linkIdentity({ provider: 'github' })
470
+ // sem tratamento de erro
471
+ ```
472
+
473
+ **Por quê:** se a identidade GitHub já existe em outra conta, o linking falha silenciosamente ou cria inconsistências.
474
+
475
+ **Certo:** trate `error?.code === 'identity_already_exists'` e informe o usuário com instrução clara de como resolver.
476
+
477
+ ## Ver também
478
+
479
+ - [supabase-social-oauth](../supabase-social-oauth/SKILL.md) — fluxos OAuth com providers sociais (Google, GitHub, Apple etc.)
480
+ - [supabase-auth-sessions](../supabase-auth-sessions/SKILL.md) — PKCE vs implicit flow, lifetime de sessão, refresh token
481
+ - [supabase-auth-ssr](../supabase-auth-ssr/SKILL.md) — configuração de cliente SSR com `@supabase/ssr` no Next.js
482
+ - [supabase-custom-claims-rbac](../supabase-custom-claims-rbac/SKILL.md) — RBAC via Custom Access Token Auth Hook
483
+ - [supabase-rls-policies](../supabase-rls-policies/SKILL.md) — RLS policies canônicas, caching, SECURITY DEFINER
484
+ - [supabase-rls-defense-in-depth](../supabase-rls-defense-in-depth/SKILL.md) — defesa em profundidade com múltiplas camadas de RLS
485
+ - [supabase-mfa](../supabase-mfa/SKILL.md) — autenticação multifator (TOTP, SMS)
486
+ - [supabase-jwt-signing-keys](../supabase-jwt-signing-keys/SKILL.md) — rotação de chaves JWT, validação de assinatura