npm - @luanpdd/kit-mcp - Versions diffs - 1.30.2 → 1.32.0 - Mend

@luanpdd/kit-mcp 1.30.2 → 1.32.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (365) hide show

package/LICENSE +21 -21
package/README.md +168 -168
package/gates/agent-no-recursive-dispatch.md +84 -82
package/kit/COMANDOS.md +138 -138
package/kit/COMPATIBILITY.md +5 -0
package/kit/README.md +76 -76
package/kit/agents/advisor-researcher.md +107 -106
package/kit/agents/ai-mutation-tester.md +1 -0
package/kit/agents/assumptions-analyzer.md +108 -107
package/kit/agents/audit-log-implementer.md +314 -313
package/kit/agents/auditor-consistencia-isolamento.md +414 -413
package/kit/agents/b2b-saas-architect.md +157 -156
package/kit/agents/burn-rate-forecaster.md +1 -0
package/kit/agents/cascading-failures-auditor.md +299 -298
package/kit/agents/codebase-mapper.md +769 -768
package/kit/agents/crm-pipeline-implementer.md +257 -256
package/kit/agents/debugger.md +814 -813
package/kit/agents/detector-tenant-quente.md +338 -337
package/kit/agents/evolution-go-integrator.md +201 -200
package/kit/agents/example-reviewer.md +22 -21
package/kit/agents/executor.md +565 -564
package/kit/agents/golden-signals-instrumenter.md +1 -0
package/kit/agents/incident-investigator.md +1 -0
package/kit/agents/integration-checker.md +201 -200
package/kit/agents/invite-flow-implementer.md +190 -189
package/kit/agents/legacy-characterizer.md +369 -368
package/kit/agents/lgpd-compliance-auditor.md +296 -295
package/kit/agents/load-shedding-instrumenter.md +1 -0
package/kit/agents/multi-tenant-isolation-auditor.md +254 -253
package/kit/agents/multi-tenant-rls-writer.md +341 -340
package/kit/agents/nyquist-auditor.md +179 -178
package/kit/agents/observability-coverage-auditor.md +316 -315
package/kit/agents/observability-instrumenter.md +1 -0
package/kit/agents/omm-auditor.md +1 -0
package/kit/agents/org-onboarding-implementer.md +224 -223
package/kit/agents/payload-capture-instrumenter.md +274 -273
package/kit/agents/phase-researcher.md +697 -696
package/kit/agents/plan-checker.md +273 -272
package/kit/agents/planner.md +923 -922
package/kit/agents/postmortem-writer.md +1 -0
package/kit/agents/project-researcher.md +653 -652
package/kit/agents/prr-conductor.md +1 -0
package/kit/agents/refactor-safety-auditor.md +405 -404
package/kit/agents/release-pipeline-auditor.md +1 -0
package/kit/agents/research-synthesizer.md +246 -245
package/kit/agents/roadmapper.md +678 -677
package/kit/agents/schema-checker.md +1 -0
package/kit/agents/seam-finder.md +360 -359
package/kit/agents/shotgun-surgery-detector.md +350 -349
package/kit/agents/slo-engineer.md +1 -0
package/kit/agents/storytelling-analyst.md +1 -0
package/kit/agents/supabase-architect.md +1 -0
package/kit/agents/supabase-auth-bootstrapper.md +16 -1
package/kit/agents/supabase-auth-hook-writer.md +418 -0
package/kit/agents/supabase-branching-architect.md +563 -562
package/kit/agents/supabase-cicd-pipeline-implementer.md +778 -777
package/kit/agents/supabase-column-privileges-writer.md +400 -399
package/kit/agents/supabase-edge-fn-tester.md +2 -1
package/kit/agents/supabase-edge-fn-writer.md +2 -1
package/kit/agents/supabase-mfa-implementer.md +439 -0
package/kit/agents/supabase-migration-writer.md +386 -385
package/kit/agents/supabase-oauth-server-implementer.md +507 -0
package/kit/agents/supabase-rbac-implementer.md +393 -392
package/kit/agents/supabase-realtime-implementer.md +364 -363
package/kit/agents/supabase-rls-hardener.md +522 -521
package/kit/agents/supabase-rls-writer.md +324 -323
package/kit/agents/supabase-roles-implementer.md +356 -355
package/kit/agents/supabase-social-auth-implementer.md +451 -0
package/kit/agents/supabase-sso-saml-architect.md +549 -0
package/kit/agents/supabase-storage-implementer.md +1 -0
package/kit/agents/super-admin-implementer.md +282 -281
package/kit/agents/toil-auditor.md +1 -0
package/kit/agents/ui-auditor.md +438 -437
package/kit/agents/ui-checker.md +303 -302
package/kit/agents/ui-researcher.md +356 -355
package/kit/agents/user-profiler.md +176 -175
package/kit/agents/validador-evolucao-schema.md +336 -335
package/kit/agents/verifier.md +729 -728
package/kit/commands/adicionar-backlog.md +75 -75
package/kit/commands/adicionar-fase.md +42 -42
package/kit/commands/adicionar-tarefa.md +45 -45
package/kit/commands/adicionar-testes.md +41 -41
package/kit/commands/ajuda.md +21 -21
package/kit/commands/atualizar.md +37 -37
package/kit/commands/auditar-cascading.md +111 -111
package/kit/commands/auditar-marco.md +179 -179
package/kit/commands/auditar-observabilidade-cobertura.md +183 -183
package/kit/commands/auditar-refactor.md +219 -219
package/kit/commands/auditar-release.md +109 -109
package/kit/commands/auditar-uat.md +23 -23
package/kit/commands/autonomo.md +40 -40
package/kit/commands/branch-pr.md +24 -24
package/kit/commands/burn-rate-status.md +408 -408
package/kit/commands/capturar-payloads.md +193 -193
package/kit/commands/caracterizar.md +212 -212
package/kit/commands/concluir-marco.md +247 -247
package/kit/commands/configuracoes.md +36 -36
package/kit/commands/dados-distribuidos.md +188 -188
package/kit/commands/definir-perfil.md +10 -10
package/kit/commands/depurar.md +190 -190
package/kit/commands/detectar-duplicacao.md +197 -197
package/kit/commands/discutir-fase.md +131 -131
package/kit/commands/encontrar-seams.md +136 -136
package/kit/commands/entrar-discord.md +17 -17
package/kit/commands/estatisticas.md +18 -18
package/kit/commands/example-greeting.md +33 -33
package/kit/commands/executar-fase.md +58 -58
package/kit/commands/expresso.md +56 -56
package/kit/commands/fase-ui.md +34 -34
package/kit/commands/fazer.md +57 -57
package/kit/commands/fio.md +125 -125
package/kit/commands/fluxos-trabalho.md +64 -64
package/kit/commands/forense.md +176 -176
package/kit/commands/gerenciador.md +38 -38
package/kit/commands/inserir-fase.md +31 -31
package/kit/commands/legacy.md +263 -263
package/kit/commands/limpeza.md +17 -17
package/kit/commands/listar-hipoteses-fase.md +45 -45
package/kit/commands/listar-workspaces.md +18 -18
package/kit/commands/load-shedding.md +117 -117
package/kit/commands/mapear-codebase.md +70 -70
package/kit/commands/multi-tenant.md +163 -163
package/kit/commands/nota.md +33 -33
package/kit/commands/novo-marco.md +43 -43
package/kit/commands/novo-projeto.md +41 -41
package/kit/commands/novo-workspace.md +43 -43
package/kit/commands/pausar-trabalho.md +37 -37
package/kit/commands/perfil-usuario.md +45 -45
package/kit/commands/pesquisar-fase.md +195 -195
package/kit/commands/planejar-fase.md +67 -67
package/kit/commands/planejar-lacunas.md +33 -33
package/kit/commands/plantar-ideia.md +25 -25
package/kit/commands/progresso.md +24 -24
package/kit/commands/proximo.md +30 -30
package/kit/commands/publicar.md +490 -490
package/kit/commands/rapido.md +35 -35
package/kit/commands/reaplicar-patches.md +124 -124
package/kit/commands/refactor-seguro.md +321 -321
package/kit/commands/relatorio-sessao.md +19 -19
package/kit/commands/remover-fase.md +31 -31
package/kit/commands/remover-workspace.md +26 -26
package/kit/commands/resumo-marco.md +50 -50
package/kit/commands/retomar-trabalho.md +40 -40
package/kit/commands/revisar-backlog.md +60 -60
package/kit/commands/revisar-ui.md +32 -32
package/kit/commands/revisar.md +37 -37
package/kit/commands/saude.md +21 -21
package/kit/commands/setup-notion.md +93 -93
package/kit/commands/storytelling.md +179 -179
package/kit/commands/supabase.md +21 -1
package/kit/commands/sync-main.md +68 -68
package/kit/commands/validar-fase.md +35 -35
package/kit/commands/verificar-tarefas.md +44 -44
package/kit/commands/verificar-trabalho.md +64 -64
package/kit/file-manifest.json +100 -84
package/kit/framework/bin/lib/commands.cjs +959 -959
package/kit/framework/bin/lib/config.cjs +442 -442
package/kit/framework/bin/lib/core.cjs +1230 -1230
package/kit/framework/bin/lib/frontmatter.cjs +336 -336
package/kit/framework/bin/lib/init.cjs +1442 -1442
package/kit/framework/bin/lib/milestone.cjs +252 -252
package/kit/framework/bin/lib/model-profiles.cjs +68 -68
package/kit/framework/bin/lib/phase.cjs +888 -888
package/kit/framework/bin/lib/profile-output.cjs +952 -952
package/kit/framework/bin/lib/profile-pipeline.cjs +539 -539
package/kit/framework/bin/lib/roadmap.cjs +329 -329
package/kit/framework/bin/lib/security.cjs +382 -382
package/kit/framework/bin/lib/state.cjs +1031 -1031
package/kit/framework/bin/lib/template.cjs +222 -222
package/kit/framework/bin/lib/uat.cjs +282 -282
package/kit/framework/bin/lib/verify.cjs +888 -888
package/kit/framework/bin/lib/workstream.cjs +491 -491
package/kit/framework/bin/tools.cjs +918 -918
package/kit/framework/commands/workstreams.md +63 -63
package/kit/framework/references/checkpoints.md +778 -778
package/kit/framework/references/continuation-format.md +249 -249
package/kit/framework/references/decimal-phase-calculation.md +64 -64
package/kit/framework/references/git-integration.md +295 -295
package/kit/framework/references/git-planning-commit.md +38 -38
package/kit/framework/references/model-profile-resolution.md +36 -36
package/kit/framework/references/model-profiles.md +139 -139
package/kit/framework/references/phase-argument-parsing.md +61 -61
package/kit/framework/references/planning-config.md +202 -202
package/kit/framework/references/questioning.md +162 -162
package/kit/framework/references/tdd.md +263 -263
package/kit/framework/references/ui-brand.md +160 -160
package/kit/framework/references/user-profiling.md +657 -657
package/kit/framework/references/verification-patterns.md +612 -612
package/kit/framework/references/workstream-flag.md +58 -58
package/kit/framework/templates/DEBUG.md +164 -164
package/kit/framework/templates/UAT.md +265 -265
package/kit/framework/templates/UI-SPEC.md +100 -100
package/kit/framework/templates/VALIDATION.md +76 -76
package/kit/framework/templates/claude-md.md +122 -122
package/kit/framework/templates/codebase/architecture.md +185 -185
package/kit/framework/templates/codebase/concerns.md +205 -205
package/kit/framework/templates/codebase/conventions.md +204 -204
package/kit/framework/templates/codebase/integrations.md +192 -192
package/kit/framework/templates/codebase/stack.md +158 -158
package/kit/framework/templates/codebase/structure.md +199 -199
package/kit/framework/templates/codebase/testing.md +301 -301
package/kit/framework/templates/config.json +44 -44
package/kit/framework/templates/context.md +352 -352
package/kit/framework/templates/continue-here.md +78 -78
package/kit/framework/templates/copilot-instructions.md +7 -7
package/kit/framework/templates/debug-subagent-prompt.md +91 -91
package/kit/framework/templates/dev-preferences.md +20 -20
package/kit/framework/templates/discovery.md +146 -146
package/kit/framework/templates/discussion-log.md +63 -63
package/kit/framework/templates/milestone-archive.md +123 -123
package/kit/framework/templates/milestone.md +115 -115
package/kit/framework/templates/phase-prompt.md +610 -610
package/kit/framework/templates/planner-subagent-prompt.md +117 -117
package/kit/framework/templates/project.md +186 -186
package/kit/framework/templates/requirements.md +231 -231
package/kit/framework/templates/research-project/ARCHITECTURE.md +204 -204
package/kit/framework/templates/research-project/FEATURES.md +147 -147
package/kit/framework/templates/research-project/PITFALLS.md +200 -200
package/kit/framework/templates/research-project/STACK.md +120 -120
package/kit/framework/templates/research-project/SUMMARY.md +170 -170
package/kit/framework/templates/research.md +419 -419
package/kit/framework/templates/retrospective.md +54 -54
package/kit/framework/templates/roadmap.md +202 -202
package/kit/framework/templates/state.md +176 -176
package/kit/framework/templates/summary-complex.md +59 -59
package/kit/framework/templates/summary-minimal.md +41 -41
package/kit/framework/templates/summary-standard.md +48 -48
package/kit/framework/templates/summary.md +209 -209
package/kit/framework/templates/user-profile.md +146 -146
package/kit/framework/templates/user-setup.md +256 -256
package/kit/framework/templates/verification-report.md +258 -258
package/kit/framework/workflows/add-phase.md +112 -112
package/kit/framework/workflows/add-tests.md +351 -351
package/kit/framework/workflows/add-todo.md +158 -158
package/kit/framework/workflows/audit-milestone.md +340 -340
package/kit/framework/workflows/audit-uat.md +109 -109
package/kit/framework/workflows/autonomous.md +891 -891
package/kit/framework/workflows/check-todos.md +177 -177
package/kit/framework/workflows/cleanup.md +152 -152
package/kit/framework/workflows/complete-milestone.md +696 -696
package/kit/framework/workflows/diagnose-issues.md +231 -231
package/kit/framework/workflows/discovery-phase.md +289 -289
package/kit/framework/workflows/discuss-phase-assumptions.md +653 -653
package/kit/framework/workflows/discuss-phase.md +784 -784
package/kit/framework/workflows/do.md +104 -104
package/kit/framework/workflows/execute-phase.md +838 -838
package/kit/framework/workflows/execute-plan.md +510 -510
package/kit/framework/workflows/fast.md +102 -102
package/kit/framework/workflows/forensics.md +265 -265
package/kit/framework/workflows/health.md +181 -181
package/kit/framework/workflows/help.md +619 -619
package/kit/framework/workflows/insert-phase.md +130 -130
package/kit/framework/workflows/list-phase-assumptions.md +178 -178
package/kit/framework/workflows/list-workspaces.md +56 -56
package/kit/framework/workflows/manager.md +362 -362
package/kit/framework/workflows/map-codebase.md +377 -377
package/kit/framework/workflows/milestone-summary.md +223 -223
package/kit/framework/workflows/new-milestone.md +486 -486
package/kit/framework/workflows/new-project.md +1159 -1159
package/kit/framework/workflows/new-workspace.md +237 -237
package/kit/framework/workflows/next.md +97 -97
package/kit/framework/workflows/node-repair.md +92 -92
package/kit/framework/workflows/note.md +156 -156
package/kit/framework/workflows/pause-work.md +176 -176
package/kit/framework/workflows/plan-milestone-gaps.md +273 -273
package/kit/framework/workflows/plan-phase.md +765 -765
package/kit/framework/workflows/plant-seed.md +169 -169
package/kit/framework/workflows/pr-branch.md +129 -129
package/kit/framework/workflows/profile-user.md +450 -450
package/kit/framework/workflows/progress.md +507 -507
package/kit/framework/workflows/quick.md +757 -757
package/kit/framework/workflows/remove-phase.md +155 -155
package/kit/framework/workflows/remove-workspace.md +90 -90
package/kit/framework/workflows/research-phase.md +82 -82
package/kit/framework/workflows/resume-project.md +326 -326
package/kit/framework/workflows/review.md +228 -228
package/kit/framework/workflows/session-report.md +146 -146
package/kit/framework/workflows/settings.md +283 -283
package/kit/framework/workflows/ship.md +228 -228
package/kit/framework/workflows/stats.md +60 -60
package/kit/framework/workflows/transition.md +671 -671
package/kit/framework/workflows/ui-phase.md +302 -302
package/kit/framework/workflows/ui-review.md +165 -165
package/kit/framework/workflows/update.md +323 -323
package/kit/framework/workflows/validate-phase.md +174 -174
package/kit/framework/workflows/verify-phase.md +252 -252
package/kit/framework/workflows/verify-work.md +637 -637
package/kit/hooks/check-update.js +118 -118
package/kit/hooks/context-monitor.js +163 -163
package/kit/hooks/kit-attribution-reminder.cjs +29 -50
package/kit/hooks/kit-router.cjs +137 -0
package/kit/hooks/prompt-guard.js +103 -103
package/kit/hooks/statusline.js +125 -125
package/kit/hooks/workflow-guard.js +101 -101
package/kit/settings.json +45 -45
package/kit/skills/ai-prompt-characterization/SKILL.md +335 -335
package/kit/skills/armadilhas-sistemas-distribuidos/SKILL.md +447 -447
package/kit/skills/audit-log-multi-tenant/SKILL.md +340 -340
package/kit/skills/b2b-saas-architecture/SKILL.md +300 -300
package/kit/skills/consistencia-leitura-replica/SKILL.md +385 -385
package/kit/skills/crm-lead-pipeline-patterns/SKILL.md +343 -343
package/kit/skills/escolha-modelo-consistencia/SKILL.md +494 -494
package/kit/skills/evolucao-schema-compativel/SKILL.md +448 -448
package/kit/skills/evolution-go-whatsapp-integration/SKILL.md +322 -322
package/kit/skills/example-skill/SKILL.md +42 -42
package/kit/skills/legacy-api-only-applications/SKILL.md +358 -358
package/kit/skills/legacy-characterization-tests/SKILL.md +330 -330
package/kit/skills/legacy-effect-analysis/SKILL.md +331 -331
package/kit/skills/legacy-extract-class/SKILL.md +203 -203
package/kit/skills/legacy-programming-by-difference/SKILL.md +252 -252
package/kit/skills/legacy-seams-and-test-harness/SKILL.md +460 -460
package/kit/skills/legacy-shotgun-surgery/SKILL.md +286 -286
package/kit/skills/legacy-sprout-wrap-techniques/SKILL.md +434 -434
package/kit/skills/legacy-storytelling-naked-crc/SKILL.md +270 -270
package/kit/skills/lgpd-multi-tenant-compliance/SKILL.md +340 -340
package/kit/skills/member-invite-flow/SKILL.md +305 -305
package/kit/skills/member-management-react-shadcn/SKILL.md +328 -328
package/kit/skills/multi-tenant-performance-scaling/SKILL.md +316 -316
package/kit/skills/multi-tenant-rls-hierarchy/SKILL.md +342 -342
package/kit/skills/org-onboarding-flow/SKILL.md +257 -257
package/kit/skills/org-switcher-react-pattern/SKILL.md +349 -349
package/kit/skills/permission-gate-react-pattern/SKILL.md +271 -271
package/kit/skills/postgres-isolamento-concorrencia/SKILL.md +552 -552
package/kit/skills/pre-refactor-characterization/SKILL.md +421 -421
package/kit/skills/rbac-permissions-matrix-supabase/SKILL.md +338 -338
package/kit/skills/streams-eventos-cdc/SKILL.md +711 -711
package/kit/skills/supabase-auth-hardening/SKILL.md +674 -0
package/kit/skills/supabase-auth-hooks/SKILL.md +875 -0
package/kit/skills/supabase-auth-methods/SKILL.md +486 -0
package/kit/skills/supabase-auth-sessions/SKILL.md +579 -0
package/kit/skills/supabase-auth-ssr/SKILL.md +60 -14
package/kit/skills/supabase-branching-workflow/SKILL.md +544 -544
package/kit/skills/supabase-ci-cd-github-actions/SKILL.md +880 -880
package/kit/skills/supabase-column-level-security/SKILL.md +426 -426
package/kit/skills/supabase-config-toml-remotes/SKILL.md +807 -807
package/kit/skills/supabase-custom-claims-rbac/SKILL.md +472 -472
package/kit/skills/supabase-edge-functions/SKILL.md +1 -1
package/kit/skills/supabase-edge-functions-auth/SKILL.md +1 -1
package/kit/skills/supabase-edge-functions-limits/SKILL.md +1 -1
package/kit/skills/supabase-edge-functions-mcp-server/SKILL.md +1 -1
package/kit/skills/supabase-edge-functions-testing/SKILL.md +1 -1
package/kit/skills/supabase-edge-runtime-builtins/SKILL.md +1 -1
package/kit/skills/supabase-enterprise-sso-saml/SKILL.md +545 -0
package/kit/skills/supabase-jwt-signing-keys/SKILL.md +399 -0
package/kit/skills/supabase-mfa/SKILL.md +488 -0
package/kit/skills/supabase-migration-repair/SKILL.md +823 -823
package/kit/skills/supabase-migrations/SKILL.md +297 -297
package/kit/skills/supabase-oauth-server/SKILL.md +537 -0
package/kit/skills/supabase-pgtap-testing/SKILL.md +1053 -1053
package/kit/skills/supabase-postgres-roles/SKILL.md +392 -392
package/kit/skills/supabase-realtime/SKILL.md +460 -460
package/kit/skills/supabase-rls-defense-in-depth/SKILL.md +418 -418
package/kit/skills/supabase-rls-policies/SKILL.md +635 -635
package/kit/skills/supabase-social-oauth/SKILL.md +480 -0
package/kit/skills/supabase-third-party-auth/SKILL.md +450 -0
package/kit/skills/super-admin-platform-pattern/SKILL.md +326 -326
package/kit/skills/tenant-quente-mitigacao/SKILL.md +605 -605
package/kit/skills/whatsapp-conversation-state-machine/SKILL.md +287 -287
package/package.json +1 -1
package/src/core/kit.js +216 -216
package/src/core/reflect.js +247 -247
package/src/core/reverse-sync.js +372 -372
package/src/core/sync.js +437 -418
package/src/core/watch.js +121 -121
package/src/mcp-server/index.js +794 -746

package/kit/skills/supabase-postgres-roles/SKILL.md CHANGED Viewed

@@ -1,392 +1,392 @@
----
-name: supabase-postgres-roles
-description: Use ao gerenciar Postgres roles em Supabase — system access (cron jobs, BI tools, ETL, admin scripts). Distinção canônica vs RLS+Custom Claims (application access).
----
-# Supabase — Postgres Roles
-## Quando usar (e quando NÃO usar)
-Postgres roles gerenciam acesso ao banco — **system access** (service accounts internos, cron jobs, BI tools, ETL, admin scripts).
-**Use Postgres roles APENAS para:**
-- ✅ Service accounts internos (cron jobs com pg_cron, BI tools como Metabase, ETL scripts)
-- ✅ Admin roles com BYPASSRLS (`security_admin`, `dpo_role`, `lead_manager`, `platform_admin`)
-- ✅ Roles para column-level GRANTs específicos (cross-ref skill `supabase-column-level-security` v1.24)
-- ✅ Custom roles que substituem service_role key em scripts (auditabilidade superior)
-**NÃO use Postgres roles para:**
-- ❌ "Admin vs user" application access → use **RLS + Custom Claims** (skill `supabase-custom-claims-rbac` v1.25)
-- ❌ Filtrar dados por linha → use **RLS row-level** (skill `supabase-rls-policies` v1.23)
-- ❌ Filtrar dados por coluna → use **Column-Level Privileges** (skill `supabase-column-level-security` v1.24)
-- ❌ Substituir auth.users (auth.users é gerenciado pelo Supabase Auth — não criar roles para end-users)
-Trigger phrases:
-- "create role Postgres", "custom Postgres role"
-- "role hierarchy", "INHERIT NOINHERIT"
-- "GRANT REVOKE Postgres"
-- "service account Supabase", "cron job role"
-- "Postgres roles vs RLS"
-## Distinção canônica
-| | Application Access | System Access |
-|---|---|---|
-| Mecanismo | RLS + Custom Claims | Postgres Roles |
-| Quem é o "user" | End-user via JWT (`auth.uid()`) | Service account interno |
-| Identidade | JWT claim (`user_role`) | Postgres role login |
-| Permissions | Granular por linha/coluna | Per tabela/schema/function |
-| Audit trail | RLS denial logs (42501) | pg_stat_statements por role |
-| Example | "User admin pode deletar messages" | "Cron job pode SELECT em todas tabs para backup" |
-## Princípio canônico
-Roles vs Users:
-- **Role** = entidade Postgres que pode ter permissions
-- **User** = role com `LOGIN` privilege (pode autenticar via senha)
-- **Group** = role sem `LOGIN` (usado para herança de permissions)
-```sql
--- group role (sem LOGIN — usado para hierarchy)
-create role "readonly_group";
--- user role (com LOGIN — service account)
-create role "readonly_user" with login password 'extremely_secure_pwd';
--- user role inherita do group
-grant readonly_group to readonly_user;
--- agora readonly_user tem todas permissions do readonly_group
-```
-## Pattern 1: CREATE ROLE básico
-### Group role (sem LOGIN)
-```sql
-create role "billing_group";
--- usado apenas como container de permissions; não pode logar
-```
-### User role (com LOGIN PASSWORD)
-```sql
-create role "billing_service" with login password 'p4ss-w0rd!sup3r_s3cur3';
-```
-**Password best practices (canônico):**
-1. **12+ characters mínimo** — quanto mais longo, melhor
-2. **Use password manager** para gerar (Bitwarden, 1Password, etc.)
-3. **Mix upper + lower + numbers + special symbols** (`! @ # $ % &`)
-4. **NÃO use dictionary words** comuns
-5. **Roteie via secrets vault** — nunca hardcode em git
-### Caveat — Percent-encoding em connection string
-Special symbols em password precisam ser **percent-encoded** quando usados em connection string:
-```
-ANTES (raw password): p=ssword
-DEPOIS (em URL):     p%3Dssword
-Connection string:
-postgresql://postgres.projectref:p%3Dssword@aws-0-us-east-1.pooler.supabase.com:6543/postgres
-```
-Tabela de encoding canônica:
-| Char | Encoded |
-|------|---------|
-| `=`  | `%3D` |
-| `&`  | `%26` |
-| `+`  | `%2B` |
-| `#`  | `%23` |
-| `:`  | `%3A` |
-| `/`  | `%2F` |
-| `@`  | `%40` |
-| `space` | `%20` |
-## Pattern 2: GRANT / REVOKE permissions
-GRANT canônico:
-```sql
--- permission em schema completo
-grant usage on schema public to billing_service;
-grant select on all tables in schema public to billing_service;
--- permission em tabela específica
-grant select, insert on table public.invoices to billing_service;
--- permission em função específica
-grant execute on function public.calculate_total(uuid) to billing_service;
--- permission em sequence (necessário para INSERT em tabelas com SERIAL/BIGSERIAL)
-grant usage on sequence public.invoices_id_seq to billing_service;
-```
-REVOKE canônico:
-```sql
-revoke select on table public.invoices from billing_service;
-revoke execute on function public.calculate_total(uuid) from billing_service;
-```
-**Caveat — Default privileges para novos objetos:**
-GRANT em "all tables" só cobre tabelas **existentes**. Para tabelas futuras criadas no schema, use `ALTER DEFAULT PRIVILEGES`:
-```sql
--- todas tabelas futuras criadas em public terão SELECT GRANT para billing_service
-alter default privileges in schema public
-  grant select on tables to billing_service;
-```
-## Pattern 3: Role Hierarchy (INHERIT / NOINHERIT)
-INHERIT (default): child role herda permissions do parent.
-```sql
--- group com permissions base
-create role "readers";
-grant select on all tables in schema public to readers;
--- user inherita
-create role "alice" with login password 'pwd1';
-grant readers to alice;
--- alice agora tem SELECT em todas tabelas public (via readers)
--- multi-level hierarchy
-create role "admins";
-grant readers to admins;  -- admins inherita de readers
-grant insert, update, delete on all tables in schema public to admins;
-create role "bob" with login password 'pwd2';
-grant admins to bob;
--- bob inherita de admins (que inherita de readers) — full CRUD em public
-```
-NOINHERIT: child role tem que **explicitamente** assumir parent role para usar permissions.
-```sql
-create role "superuser_proxy" noinherit;
-grant postgres to superuser_proxy;
--- Para usar permissions de postgres, superuser_proxy precisa SET ROLE:
-set role postgres;
--- agora opera como postgres
-reset role;
-```
-**Quando usar NOINHERIT:**
-- Roles superuser (postgres) — exigir SET ROLE explícito como guard
-- Audit trail mais claro (queries mostram a role ativa)
-- Princípio canônico: opt-in explícito em vez de implícito
-## 10 Predefined Supabase Roles (documentação)
-Supabase configura 10 roles automaticamente em todo projeto. **Não criar substitutos** — documentar e usar conforme apropriado.
-### `postgres`
-**Tipo:** Admin/superuser. **Quando usar:** scripts de admin via dashboard ou psql direto.
-**NUNCA:** dar password ao third-party ou expor.
-### `anon`
-**Tipo:** Public unauthenticated. **Quando usar:** requests sem JWT (cliente deslogado).
-**Caveat:** `anon` Postgres role ≠ anonymous Auth user (cross-ref skill `supabase-rls-policies` v1.23).
-### `authenticator`
-**Tipo:** PostgREST switch role. **Quando usar:** internal — PostgREST recebe JWT, valida, e switches para `anon` ou `authenticated` baseado em claims.
-**Caveat:** acesso muito limitado — apenas SWITCH ROLE.
-### `authenticated`
-**Tipo:** Logged-in users. **Quando usar:** requests com JWT válido (autenticado).
-### `service_role`
-**Tipo:** Bypass RLS. **Quando usar:** backend tasks (Edge Functions, scripts admin).
-**NUNCA:** expor ao cliente — vazamento = acesso total ao DB.
-### `supabase_auth_admin`
-**Tipo:** Auth middleware. **Quando usar:** internal — Supabase Auth service.
-**Caveat:** GRANT EXECUTE em Custom Access Token Auth Hook (cross-ref skill `supabase-custom-claims-rbac` v1.25); scope `auth` schema.
-### `supabase_storage_admin`
-**Tipo:** Storage middleware. **Quando usar:** internal — Supabase Storage service. Scope `storage` schema.
-### `supabase_etl_admin`
-**Tipo:** Replication. **Quando usar:** internal — Replication powered by Supabase ETL. Read-all + bypass RLS + write `etl` schema.
-### `dashboard_user`
-**Tipo:** Supabase UI. **Quando usar:** internal — commands via Supabase dashboard.
-### `supabase_admin`
-**Tipo:** Internal admin. **Quando usar:** internal — upgrades + automations.
-## Pattern 4: Custom service account roles
-Caso canônico — criar role dedicado em vez de service_role API key:
-```sql
--- 1. role para cron job (sem LOGIN — usado via pg_cron)
-create role "cron_job_role" noinherit;
--- bypass RLS para acessar todas orgs
-alter role "cron_job_role" with bypassrls;
--- 2. GRANTs específicos
-grant usage on schema public to cron_job_role;
-grant select, insert, delete on table public.audit_log to cron_job_role;
--- 3. pg_cron usa este role
-select cron.schedule(
-  'cleanup_old_logs',
-  '0 3 * * *',
-  $$ delete from public.audit_log where created_at < now() - interval '90 days' $$
-);
--- pg_cron executa as queries com este role; auditabilidade superior vs service_role API key
-```
-```sql
--- role para BI tool (Metabase) — read-only com login
-create role "metabase_reader" with login password 'percent-encode-this!';
-alter role "metabase_reader" with bypassrls;  -- BI precisa ver todas linhas
-grant usage on schema public to metabase_reader;
-grant select on all tables in schema public to metabase_reader;
-alter default privileges in schema public
-  grant select on tables to metabase_reader;
-```
-## Changing postgres password
-Mudar password do `postgres` role:
-1. **Dashboard:** Database Settings page → "Database password" → enter new
-2. **Sem downtime:** serviços internos (PostgREST, PgBouncer, etc.) auto-update
-3. **External services com hardcoded credentials:** manual update necessário (revisar deploy configs)
-**NÃO:** dar password do `postgres` role para third-party — crie role dedicado.
-## Auditoria — pg_stat_statements por role
-Cada role tem queries rastreáveis em `pg_stat_statements`:
-```sql
-select
-  rolname,
-  count(*) as query_count,
-  sum(total_exec_time)::numeric(10,2) as total_time_ms
-from pg_stat_statements s
-join pg_roles r on s.userid = r.oid
-where rolname not in ('postgres', 'authenticator')  -- filtrar admin
-group by rolname
-order by total_time_ms desc;
-```
-Identificar qual service account está consumindo mais — útil para debug + capacity planning.
-## Anti-patterns
-### Anti-pattern 1: Usar service_role API key para tudo
-**Errado:**
-```bash
-# .env do cron job
-SUPABASE_KEY=eyJ...service_role_key...
-```
-**Por quê:** sem auditabilidade — todas queries logam como `service_role`; difícil identificar qual script fez o quê.
-**Certo:** criar role dedicado por service account:
-```sql
-create role "cron_billing_role" noinherit;
-alter role "cron_billing_role" with bypassrls;
--- GRANTs específicos
--- pg_cron usa este role; queries logam com identidade clara
-```
-### Anti-pattern 2: Custom role para "admin vs user" application access
-**Errado:**
-```sql
--- criar role "admin" Postgres para gerenciar quem é admin no app
-create role "app_admin";
--- ... add users to this role ...
-```
-**Por quê:** Postgres roles não são designed para application access — não dinâmico, não auditável, mistura system + application concerns.
-**Certo:** use RLS + Custom Claims (skill `supabase-custom-claims-rbac` v1.25) — `user_role: 'admin'` no JWT via auth hook, consultado por `authorize()`.
-### Anti-pattern 3: Password sem percent-encoding em URL
-**Errado:**
-```
-postgresql://user:p=ssword@host/db
-```
-**Por quê:** `=` é parseado como query string separator — conexão falha.
-**Certo:**
-```
-postgresql://user:p%3Dssword@host/db
-```
-### Anti-pattern 4: INHERIT em superuser-like role
-**Errado:**
-```sql
-create role "dba_role" inherit;  -- inherit default em todos roles
-grant postgres to dba_role;
--- dba_role agora tem postgres privileges implicitly
-```
-**Por quê:** sem audit trail explícito de quando privileges admin são usados.
-**Certo:** NOINHERIT + SET ROLE explícito:
-```sql
-create role "dba_role" noinherit;
-grant postgres to dba_role;
--- usuário precisa: set role postgres; ...; reset role;
--- queries logam com identidade postgres durante operação
-```
-### Anti-pattern 5: Criar role sem documentação
-**Errado:**
-```sql
-create role "xyz" with login password 'pwd';
--- 6 meses depois, ninguém sabe pra que serve
-```
-**Por quê:** sem documentação, próximo dev assume é abandoned + remove ou mantém indefinidamente.
-**Certo:** sempre comment no migration + entry em README:
-```sql
--- role para Metabase BI conectar em produção (read-only)
--- Owner: data-team@company.com
--- Created: 2026-05-11 v1.26
-create role "metabase_reader" with login password '<from-vault>';
-comment on role "metabase_reader" is 'BI tool service account — read-only. Owner: data-team@company.com';
-```
-## Cross-suite integration (v1.26)
-Esta skill é base para agent novo `supabase-roles-implementer` (Phase 145) — recebe spec via `Task()` e materializa CREATE ROLE + GRANT/REVOKE + hierarchy. Pattern de handoff cooperativo herdado de v1.23-v1.25.
-Para column-level GRANTs específicos por role, **combine** com skill `supabase-column-level-security` (v1.24). Para custom claims que entregam `user_role` no JWT, use skill `supabase-custom-claims-rbac` (v1.25) — Postgres roles são para system access; custom claims são para application access.
-## Ver também
-- [supabase-roles-implementer](../../agents/supabase-roles-implementer.md) (v1.26) — canonical materializer
-- [supabase-rls-policies](../supabase-rls-policies/SKILL.md) (v1.23) — section "Postgres Roles vs RLS — quando usar qual" (v1.26)
-- [supabase-rls-defense-in-depth](../supabase-rls-defense-in-depth/SKILL.md) (v1.23) — Camada 10 (Postgres Roles Hierarchy) v1.26
-- [supabase-database-functions](../supabase-database-functions/SKILL.md) — GRANT EXECUTE patterns
-- [supabase-column-level-security](../supabase-column-level-security/SKILL.md) (v1.24) — combinar com column-level GRANTs por role
-- [supabase-custom-claims-rbac](../supabase-custom-claims-rbac/SKILL.md) (v1.25) — distinção canônica system access vs application access
-- [glossário compartilhado](../_shared-supabase/glossary.md) — termos Postgres roles, INHERIT/NOINHERIT, LOGIN PASSWORD, GRANT/REVOKE syntax, role hierarchy, predefined Supabase roles, role switching authenticator, percent-encoding password
-- Doc oficial Postgres: [Database Roles](https://www.postgresql.org/docs/current/database-roles.html), [Role Membership](https://www.postgresql.org/docs/current/role-membership.html), [Function Permissions](https://www.postgresql.org/docs/current/perm-functions.html)
+---
+name: supabase-postgres-roles
+description: Use ao gerenciar Postgres roles em Supabase — system access (cron jobs, BI tools, ETL, admin scripts). Distinção canônica vs RLS+Custom Claims (application access).
+---
+# Supabase — Postgres Roles
+## Quando usar (e quando NÃO usar)
+Postgres roles gerenciam acesso ao banco — **system access** (service accounts internos, cron jobs, BI tools, ETL, admin scripts).
+**Use Postgres roles APENAS para:**
+- ✅ Service accounts internos (cron jobs com pg_cron, BI tools como Metabase, ETL scripts)
+- ✅ Admin roles com BYPASSRLS (`security_admin`, `dpo_role`, `lead_manager`, `platform_admin`)
+- ✅ Roles para column-level GRANTs específicos (cross-ref skill `supabase-column-level-security` v1.24)
+- ✅ Custom roles que substituem service_role key em scripts (auditabilidade superior)
+**NÃO use Postgres roles para:**
+- ❌ "Admin vs user" application access → use **RLS + Custom Claims** (skill `supabase-custom-claims-rbac` v1.25)
+- ❌ Filtrar dados por linha → use **RLS row-level** (skill `supabase-rls-policies` v1.23)
+- ❌ Filtrar dados por coluna → use **Column-Level Privileges** (skill `supabase-column-level-security` v1.24)
+- ❌ Substituir auth.users (auth.users é gerenciado pelo Supabase Auth — não criar roles para end-users)
+Trigger phrases:
+- "create role Postgres", "custom Postgres role"
+- "role hierarchy", "INHERIT NOINHERIT"
+- "GRANT REVOKE Postgres"
+- "service account Supabase", "cron job role"
+- "Postgres roles vs RLS"
+## Distinção canônica
+| | Application Access | System Access |
+|---|---|---|
+| Mecanismo | RLS + Custom Claims | Postgres Roles |
+| Quem é o "user" | End-user via JWT (`auth.uid()`) | Service account interno |
+| Identidade | JWT claim (`user_role`) | Postgres role login |
+| Permissions | Granular por linha/coluna | Per tabela/schema/function |
+| Audit trail | RLS denial logs (42501) | pg_stat_statements por role |
+| Example | "User admin pode deletar messages" | "Cron job pode SELECT em todas tabs para backup" |
+## Princípio canônico
+Roles vs Users:
+- **Role** = entidade Postgres que pode ter permissions
+- **User** = role com `LOGIN` privilege (pode autenticar via senha)
+- **Group** = role sem `LOGIN` (usado para herança de permissions)
+```sql
+-- group role (sem LOGIN — usado para hierarchy)
+create role "readonly_group";
+-- user role (com LOGIN — service account)
+create role "readonly_user" with login password 'extremely_secure_pwd';
+-- user role inherita do group
+grant readonly_group to readonly_user;
+-- agora readonly_user tem todas permissions do readonly_group
+```
+## Pattern 1: CREATE ROLE básico
+### Group role (sem LOGIN)
+```sql
+create role "billing_group";
+-- usado apenas como container de permissions; não pode logar
+```
+### User role (com LOGIN PASSWORD)
+```sql
+create role "billing_service" with login password 'p4ss-w0rd!sup3r_s3cur3';
+```
+**Password best practices (canônico):**
+1. **12+ characters mínimo** — quanto mais longo, melhor
+2. **Use password manager** para gerar (Bitwarden, 1Password, etc.)
+3. **Mix upper + lower + numbers + special symbols** (`! @ # $ % &`)
+4. **NÃO use dictionary words** comuns
+5. **Roteie via secrets vault** — nunca hardcode em git
+### Caveat — Percent-encoding em connection string
+Special symbols em password precisam ser **percent-encoded** quando usados em connection string:
+```
+ANTES (raw password): p=ssword
+DEPOIS (em URL):     p%3Dssword
+Connection string:
+postgresql://postgres.projectref:p%3Dssword@aws-0-us-east-1.pooler.supabase.com:6543/postgres
+```
+Tabela de encoding canônica:
+| Char | Encoded |
+|------|---------|
+| `=`  | `%3D` |
+| `&`  | `%26` |
+| `+`  | `%2B` |
+| `#`  | `%23` |
+| `:`  | `%3A` |
+| `/`  | `%2F` |
+| `@`  | `%40` |
+| `space` | `%20` |
+## Pattern 2: GRANT / REVOKE permissions
+GRANT canônico:
+```sql
+-- permission em schema completo
+grant usage on schema public to billing_service;
+grant select on all tables in schema public to billing_service;
+-- permission em tabela específica
+grant select, insert on table public.invoices to billing_service;
+-- permission em função específica
+grant execute on function public.calculate_total(uuid) to billing_service;
+-- permission em sequence (necessário para INSERT em tabelas com SERIAL/BIGSERIAL)
+grant usage on sequence public.invoices_id_seq to billing_service;
+```
+REVOKE canônico:
+```sql
+revoke select on table public.invoices from billing_service;
+revoke execute on function public.calculate_total(uuid) from billing_service;
+```
+**Caveat — Default privileges para novos objetos:**
+GRANT em "all tables" só cobre tabelas **existentes**. Para tabelas futuras criadas no schema, use `ALTER DEFAULT PRIVILEGES`:
+```sql
+-- todas tabelas futuras criadas em public terão SELECT GRANT para billing_service
+alter default privileges in schema public
+  grant select on tables to billing_service;
+```
+## Pattern 3: Role Hierarchy (INHERIT / NOINHERIT)
+INHERIT (default): child role herda permissions do parent.
+```sql
+-- group com permissions base
+create role "readers";
+grant select on all tables in schema public to readers;
+-- user inherita
+create role "alice" with login password 'pwd1';
+grant readers to alice;
+-- alice agora tem SELECT em todas tabelas public (via readers)
+-- multi-level hierarchy
+create role "admins";
+grant readers to admins;  -- admins inherita de readers
+grant insert, update, delete on all tables in schema public to admins;
+create role "bob" with login password 'pwd2';
+grant admins to bob;
+-- bob inherita de admins (que inherita de readers) — full CRUD em public
+```
+NOINHERIT: child role tem que **explicitamente** assumir parent role para usar permissions.
+```sql
+create role "superuser_proxy" noinherit;
+grant postgres to superuser_proxy;
+-- Para usar permissions de postgres, superuser_proxy precisa SET ROLE:
+set role postgres;
+-- agora opera como postgres
+reset role;
+```
+**Quando usar NOINHERIT:**
+- Roles superuser (postgres) — exigir SET ROLE explícito como guard
+- Audit trail mais claro (queries mostram a role ativa)
+- Princípio canônico: opt-in explícito em vez de implícito
+## 10 Predefined Supabase Roles (documentação)
+Supabase configura 10 roles automaticamente em todo projeto. **Não criar substitutos** — documentar e usar conforme apropriado.
+### `postgres`
+**Tipo:** Admin/superuser. **Quando usar:** scripts de admin via dashboard ou psql direto.
+**NUNCA:** dar password ao third-party ou expor.
+### `anon`
+**Tipo:** Public unauthenticated. **Quando usar:** requests sem JWT (cliente deslogado).
+**Caveat:** `anon` Postgres role ≠ anonymous Auth user (cross-ref skill `supabase-rls-policies` v1.23).
+### `authenticator`
+**Tipo:** PostgREST switch role. **Quando usar:** internal — PostgREST recebe JWT, valida, e switches para `anon` ou `authenticated` baseado em claims.
+**Caveat:** acesso muito limitado — apenas SWITCH ROLE.
+### `authenticated`
+**Tipo:** Logged-in users. **Quando usar:** requests com JWT válido (autenticado).
+### `service_role`
+**Tipo:** Bypass RLS. **Quando usar:** backend tasks (Edge Functions, scripts admin).
+**NUNCA:** expor ao cliente — vazamento = acesso total ao DB.
+### `supabase_auth_admin`
+**Tipo:** Auth middleware. **Quando usar:** internal — Supabase Auth service.
+**Caveat:** GRANT EXECUTE em Custom Access Token Auth Hook (cross-ref skill `supabase-custom-claims-rbac` v1.25); scope `auth` schema.
+### `supabase_storage_admin`
+**Tipo:** Storage middleware. **Quando usar:** internal — Supabase Storage service. Scope `storage` schema.
+### `supabase_etl_admin`
+**Tipo:** Replication. **Quando usar:** internal — Replication powered by Supabase ETL. Read-all + bypass RLS + write `etl` schema.
+### `dashboard_user`
+**Tipo:** Supabase UI. **Quando usar:** internal — commands via Supabase dashboard.
+### `supabase_admin`
+**Tipo:** Internal admin. **Quando usar:** internal — upgrades + automations.
+## Pattern 4: Custom service account roles
+Caso canônico — criar role dedicado em vez de service_role API key:
+```sql
+-- 1. role para cron job (sem LOGIN — usado via pg_cron)
+create role "cron_job_role" noinherit;
+-- bypass RLS para acessar todas orgs
+alter role "cron_job_role" with bypassrls;
+-- 2. GRANTs específicos
+grant usage on schema public to cron_job_role;
+grant select, insert, delete on table public.audit_log to cron_job_role;
+-- 3. pg_cron usa este role
+select cron.schedule(
+  'cleanup_old_logs',
+  '0 3 * * *',
+  $$ delete from public.audit_log where created_at < now() - interval '90 days' $$
+);
+-- pg_cron executa as queries com este role; auditabilidade superior vs service_role API key
+```
+```sql
+-- role para BI tool (Metabase) — read-only com login
+create role "metabase_reader" with login password 'percent-encode-this!';
+alter role "metabase_reader" with bypassrls;  -- BI precisa ver todas linhas
+grant usage on schema public to metabase_reader;
+grant select on all tables in schema public to metabase_reader;
+alter default privileges in schema public
+  grant select on tables to metabase_reader;
+```
+## Changing postgres password
+Mudar password do `postgres` role:
+1. **Dashboard:** Database Settings page → "Database password" → enter new
+2. **Sem downtime:** serviços internos (PostgREST, PgBouncer, etc.) auto-update
+3. **External services com hardcoded credentials:** manual update necessário (revisar deploy configs)
+**NÃO:** dar password do `postgres` role para third-party — crie role dedicado.
+## Auditoria — pg_stat_statements por role
+Cada role tem queries rastreáveis em `pg_stat_statements`:
+```sql
+select
+  rolname,
+  count(*) as query_count,
+  sum(total_exec_time)::numeric(10,2) as total_time_ms
+from pg_stat_statements s
+join pg_roles r on s.userid = r.oid
+where rolname not in ('postgres', 'authenticator')  -- filtrar admin
+group by rolname
+order by total_time_ms desc;
+```
+Identificar qual service account está consumindo mais — útil para debug + capacity planning.
+## Anti-patterns
+### Anti-pattern 1: Usar service_role API key para tudo
+**Errado:**
+```bash
+# .env do cron job
+SUPABASE_KEY=eyJ...service_role_key...
+```
+**Por quê:** sem auditabilidade — todas queries logam como `service_role`; difícil identificar qual script fez o quê.
+**Certo:** criar role dedicado por service account:
+```sql
+create role "cron_billing_role" noinherit;
+alter role "cron_billing_role" with bypassrls;
+-- GRANTs específicos
+-- pg_cron usa este role; queries logam com identidade clara
+```
+### Anti-pattern 2: Custom role para "admin vs user" application access
+**Errado:**
+```sql
+-- criar role "admin" Postgres para gerenciar quem é admin no app
+create role "app_admin";
+-- ... add users to this role ...
+```
+**Por quê:** Postgres roles não são designed para application access — não dinâmico, não auditável, mistura system + application concerns.
+**Certo:** use RLS + Custom Claims (skill `supabase-custom-claims-rbac` v1.25) — `user_role: 'admin'` no JWT via auth hook, consultado por `authorize()`.
+### Anti-pattern 3: Password sem percent-encoding em URL
+**Errado:**
+```
+postgresql://user:p=ssword@host/db
+```
+**Por quê:** `=` é parseado como query string separator — conexão falha.
+**Certo:**
+```
+postgresql://user:p%3Dssword@host/db
+```
+### Anti-pattern 4: INHERIT em superuser-like role
+**Errado:**
+```sql
+create role "dba_role" inherit;  -- inherit default em todos roles
+grant postgres to dba_role;
+-- dba_role agora tem postgres privileges implicitly
+```
+**Por quê:** sem audit trail explícito de quando privileges admin são usados.
+**Certo:** NOINHERIT + SET ROLE explícito:
+```sql
+create role "dba_role" noinherit;
+grant postgres to dba_role;
+-- usuário precisa: set role postgres; ...; reset role;
+-- queries logam com identidade postgres durante operação
+```
+### Anti-pattern 5: Criar role sem documentação
+**Errado:**
+```sql
+create role "xyz" with login password 'pwd';
+-- 6 meses depois, ninguém sabe pra que serve
+```
+**Por quê:** sem documentação, próximo dev assume é abandoned + remove ou mantém indefinidamente.
+**Certo:** sempre comment no migration + entry em README:
+```sql
+-- role para Metabase BI conectar em produção (read-only)
+-- Owner: data-team@company.com
+-- Created: 2026-05-11 v1.26
+create role "metabase_reader" with login password '<from-vault>';
+comment on role "metabase_reader" is 'BI tool service account — read-only. Owner: data-team@company.com';
+```
+## Cross-suite integration (v1.26)
+Esta skill é base para agent novo `supabase-roles-implementer` (Phase 145) — recebe spec via `Task()` e materializa CREATE ROLE + GRANT/REVOKE + hierarchy. Pattern de handoff cooperativo herdado de v1.23-v1.25.
+Para column-level GRANTs específicos por role, **combine** com skill `supabase-column-level-security` (v1.24). Para custom claims que entregam `user_role` no JWT, use skill `supabase-custom-claims-rbac` (v1.25) — Postgres roles são para system access; custom claims são para application access.
+## Ver também
+- [supabase-roles-implementer](../../agents/supabase-roles-implementer.md) (v1.26) — canonical materializer
+- [supabase-rls-policies](../supabase-rls-policies/SKILL.md) (v1.23) — section "Postgres Roles vs RLS — quando usar qual" (v1.26)
+- [supabase-rls-defense-in-depth](../supabase-rls-defense-in-depth/SKILL.md) (v1.23) — Camada 10 (Postgres Roles Hierarchy) v1.26
+- [supabase-database-functions](../supabase-database-functions/SKILL.md) — GRANT EXECUTE patterns
+- [supabase-column-level-security](../supabase-column-level-security/SKILL.md) (v1.24) — combinar com column-level GRANTs por role
+- [supabase-custom-claims-rbac](../supabase-custom-claims-rbac/SKILL.md) (v1.25) — distinção canônica system access vs application access
+- [glossário compartilhado](../_shared-supabase/glossary.md) — termos Postgres roles, INHERIT/NOINHERIT, LOGIN PASSWORD, GRANT/REVOKE syntax, role hierarchy, predefined Supabase roles, role switching authenticator, percent-encoding password
+- Doc oficial Postgres: [Database Roles](https://www.postgresql.org/docs/current/database-roles.html), [Role Membership](https://www.postgresql.org/docs/current/role-membership.html), [Function Permissions](https://www.postgresql.org/docs/current/perm-functions.html)