npm - @luanpdd/kit-mcp - Versions diffs - 1.30.2 → 1.32.0 - Mend

@luanpdd/kit-mcp 1.30.2 → 1.32.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (365) hide show

package/LICENSE +21 -21
package/README.md +168 -168
package/gates/agent-no-recursive-dispatch.md +84 -82
package/kit/COMANDOS.md +138 -138
package/kit/COMPATIBILITY.md +5 -0
package/kit/README.md +76 -76
package/kit/agents/advisor-researcher.md +107 -106
package/kit/agents/ai-mutation-tester.md +1 -0
package/kit/agents/assumptions-analyzer.md +108 -107
package/kit/agents/audit-log-implementer.md +314 -313
package/kit/agents/auditor-consistencia-isolamento.md +414 -413
package/kit/agents/b2b-saas-architect.md +157 -156
package/kit/agents/burn-rate-forecaster.md +1 -0
package/kit/agents/cascading-failures-auditor.md +299 -298
package/kit/agents/codebase-mapper.md +769 -768
package/kit/agents/crm-pipeline-implementer.md +257 -256
package/kit/agents/debugger.md +814 -813
package/kit/agents/detector-tenant-quente.md +338 -337
package/kit/agents/evolution-go-integrator.md +201 -200
package/kit/agents/example-reviewer.md +22 -21
package/kit/agents/executor.md +565 -564
package/kit/agents/golden-signals-instrumenter.md +1 -0
package/kit/agents/incident-investigator.md +1 -0
package/kit/agents/integration-checker.md +201 -200
package/kit/agents/invite-flow-implementer.md +190 -189
package/kit/agents/legacy-characterizer.md +369 -368
package/kit/agents/lgpd-compliance-auditor.md +296 -295
package/kit/agents/load-shedding-instrumenter.md +1 -0
package/kit/agents/multi-tenant-isolation-auditor.md +254 -253
package/kit/agents/multi-tenant-rls-writer.md +341 -340
package/kit/agents/nyquist-auditor.md +179 -178
package/kit/agents/observability-coverage-auditor.md +316 -315
package/kit/agents/observability-instrumenter.md +1 -0
package/kit/agents/omm-auditor.md +1 -0
package/kit/agents/org-onboarding-implementer.md +224 -223
package/kit/agents/payload-capture-instrumenter.md +274 -273
package/kit/agents/phase-researcher.md +697 -696
package/kit/agents/plan-checker.md +273 -272
package/kit/agents/planner.md +923 -922
package/kit/agents/postmortem-writer.md +1 -0
package/kit/agents/project-researcher.md +653 -652
package/kit/agents/prr-conductor.md +1 -0
package/kit/agents/refactor-safety-auditor.md +405 -404
package/kit/agents/release-pipeline-auditor.md +1 -0
package/kit/agents/research-synthesizer.md +246 -245
package/kit/agents/roadmapper.md +678 -677
package/kit/agents/schema-checker.md +1 -0
package/kit/agents/seam-finder.md +360 -359
package/kit/agents/shotgun-surgery-detector.md +350 -349
package/kit/agents/slo-engineer.md +1 -0
package/kit/agents/storytelling-analyst.md +1 -0
package/kit/agents/supabase-architect.md +1 -0
package/kit/agents/supabase-auth-bootstrapper.md +16 -1
package/kit/agents/supabase-auth-hook-writer.md +418 -0
package/kit/agents/supabase-branching-architect.md +563 -562
package/kit/agents/supabase-cicd-pipeline-implementer.md +778 -777
package/kit/agents/supabase-column-privileges-writer.md +400 -399
package/kit/agents/supabase-edge-fn-tester.md +2 -1
package/kit/agents/supabase-edge-fn-writer.md +2 -1
package/kit/agents/supabase-mfa-implementer.md +439 -0
package/kit/agents/supabase-migration-writer.md +386 -385
package/kit/agents/supabase-oauth-server-implementer.md +507 -0
package/kit/agents/supabase-rbac-implementer.md +393 -392
package/kit/agents/supabase-realtime-implementer.md +364 -363
package/kit/agents/supabase-rls-hardener.md +522 -521
package/kit/agents/supabase-rls-writer.md +324 -323
package/kit/agents/supabase-roles-implementer.md +356 -355
package/kit/agents/supabase-social-auth-implementer.md +451 -0
package/kit/agents/supabase-sso-saml-architect.md +549 -0
package/kit/agents/supabase-storage-implementer.md +1 -0
package/kit/agents/super-admin-implementer.md +282 -281
package/kit/agents/toil-auditor.md +1 -0
package/kit/agents/ui-auditor.md +438 -437
package/kit/agents/ui-checker.md +303 -302
package/kit/agents/ui-researcher.md +356 -355
package/kit/agents/user-profiler.md +176 -175
package/kit/agents/validador-evolucao-schema.md +336 -335
package/kit/agents/verifier.md +729 -728
package/kit/commands/adicionar-backlog.md +75 -75
package/kit/commands/adicionar-fase.md +42 -42
package/kit/commands/adicionar-tarefa.md +45 -45
package/kit/commands/adicionar-testes.md +41 -41
package/kit/commands/ajuda.md +21 -21
package/kit/commands/atualizar.md +37 -37
package/kit/commands/auditar-cascading.md +111 -111
package/kit/commands/auditar-marco.md +179 -179
package/kit/commands/auditar-observabilidade-cobertura.md +183 -183
package/kit/commands/auditar-refactor.md +219 -219
package/kit/commands/auditar-release.md +109 -109
package/kit/commands/auditar-uat.md +23 -23
package/kit/commands/autonomo.md +40 -40
package/kit/commands/branch-pr.md +24 -24
package/kit/commands/burn-rate-status.md +408 -408
package/kit/commands/capturar-payloads.md +193 -193
package/kit/commands/caracterizar.md +212 -212
package/kit/commands/concluir-marco.md +247 -247
package/kit/commands/configuracoes.md +36 -36
package/kit/commands/dados-distribuidos.md +188 -188
package/kit/commands/definir-perfil.md +10 -10
package/kit/commands/depurar.md +190 -190
package/kit/commands/detectar-duplicacao.md +197 -197
package/kit/commands/discutir-fase.md +131 -131
package/kit/commands/encontrar-seams.md +136 -136
package/kit/commands/entrar-discord.md +17 -17
package/kit/commands/estatisticas.md +18 -18
package/kit/commands/example-greeting.md +33 -33
package/kit/commands/executar-fase.md +58 -58
package/kit/commands/expresso.md +56 -56
package/kit/commands/fase-ui.md +34 -34
package/kit/commands/fazer.md +57 -57
package/kit/commands/fio.md +125 -125
package/kit/commands/fluxos-trabalho.md +64 -64
package/kit/commands/forense.md +176 -176
package/kit/commands/gerenciador.md +38 -38
package/kit/commands/inserir-fase.md +31 -31
package/kit/commands/legacy.md +263 -263
package/kit/commands/limpeza.md +17 -17
package/kit/commands/listar-hipoteses-fase.md +45 -45
package/kit/commands/listar-workspaces.md +18 -18
package/kit/commands/load-shedding.md +117 -117
package/kit/commands/mapear-codebase.md +70 -70
package/kit/commands/multi-tenant.md +163 -163
package/kit/commands/nota.md +33 -33
package/kit/commands/novo-marco.md +43 -43
package/kit/commands/novo-projeto.md +41 -41
package/kit/commands/novo-workspace.md +43 -43
package/kit/commands/pausar-trabalho.md +37 -37
package/kit/commands/perfil-usuario.md +45 -45
package/kit/commands/pesquisar-fase.md +195 -195
package/kit/commands/planejar-fase.md +67 -67
package/kit/commands/planejar-lacunas.md +33 -33
package/kit/commands/plantar-ideia.md +25 -25
package/kit/commands/progresso.md +24 -24
package/kit/commands/proximo.md +30 -30
package/kit/commands/publicar.md +490 -490
package/kit/commands/rapido.md +35 -35
package/kit/commands/reaplicar-patches.md +124 -124
package/kit/commands/refactor-seguro.md +321 -321
package/kit/commands/relatorio-sessao.md +19 -19
package/kit/commands/remover-fase.md +31 -31
package/kit/commands/remover-workspace.md +26 -26
package/kit/commands/resumo-marco.md +50 -50
package/kit/commands/retomar-trabalho.md +40 -40
package/kit/commands/revisar-backlog.md +60 -60
package/kit/commands/revisar-ui.md +32 -32
package/kit/commands/revisar.md +37 -37
package/kit/commands/saude.md +21 -21
package/kit/commands/setup-notion.md +93 -93
package/kit/commands/storytelling.md +179 -179
package/kit/commands/supabase.md +21 -1
package/kit/commands/sync-main.md +68 -68
package/kit/commands/validar-fase.md +35 -35
package/kit/commands/verificar-tarefas.md +44 -44
package/kit/commands/verificar-trabalho.md +64 -64
package/kit/file-manifest.json +100 -84
package/kit/framework/bin/lib/commands.cjs +959 -959
package/kit/framework/bin/lib/config.cjs +442 -442
package/kit/framework/bin/lib/core.cjs +1230 -1230
package/kit/framework/bin/lib/frontmatter.cjs +336 -336
package/kit/framework/bin/lib/init.cjs +1442 -1442
package/kit/framework/bin/lib/milestone.cjs +252 -252
package/kit/framework/bin/lib/model-profiles.cjs +68 -68
package/kit/framework/bin/lib/phase.cjs +888 -888
package/kit/framework/bin/lib/profile-output.cjs +952 -952
package/kit/framework/bin/lib/profile-pipeline.cjs +539 -539
package/kit/framework/bin/lib/roadmap.cjs +329 -329
package/kit/framework/bin/lib/security.cjs +382 -382
package/kit/framework/bin/lib/state.cjs +1031 -1031
package/kit/framework/bin/lib/template.cjs +222 -222
package/kit/framework/bin/lib/uat.cjs +282 -282
package/kit/framework/bin/lib/verify.cjs +888 -888
package/kit/framework/bin/lib/workstream.cjs +491 -491
package/kit/framework/bin/tools.cjs +918 -918
package/kit/framework/commands/workstreams.md +63 -63
package/kit/framework/references/checkpoints.md +778 -778
package/kit/framework/references/continuation-format.md +249 -249
package/kit/framework/references/decimal-phase-calculation.md +64 -64
package/kit/framework/references/git-integration.md +295 -295
package/kit/framework/references/git-planning-commit.md +38 -38
package/kit/framework/references/model-profile-resolution.md +36 -36
package/kit/framework/references/model-profiles.md +139 -139
package/kit/framework/references/phase-argument-parsing.md +61 -61
package/kit/framework/references/planning-config.md +202 -202
package/kit/framework/references/questioning.md +162 -162
package/kit/framework/references/tdd.md +263 -263
package/kit/framework/references/ui-brand.md +160 -160
package/kit/framework/references/user-profiling.md +657 -657
package/kit/framework/references/verification-patterns.md +612 -612
package/kit/framework/references/workstream-flag.md +58 -58
package/kit/framework/templates/DEBUG.md +164 -164
package/kit/framework/templates/UAT.md +265 -265
package/kit/framework/templates/UI-SPEC.md +100 -100
package/kit/framework/templates/VALIDATION.md +76 -76
package/kit/framework/templates/claude-md.md +122 -122
package/kit/framework/templates/codebase/architecture.md +185 -185
package/kit/framework/templates/codebase/concerns.md +205 -205
package/kit/framework/templates/codebase/conventions.md +204 -204
package/kit/framework/templates/codebase/integrations.md +192 -192
package/kit/framework/templates/codebase/stack.md +158 -158
package/kit/framework/templates/codebase/structure.md +199 -199
package/kit/framework/templates/codebase/testing.md +301 -301
package/kit/framework/templates/config.json +44 -44
package/kit/framework/templates/context.md +352 -352
package/kit/framework/templates/continue-here.md +78 -78
package/kit/framework/templates/copilot-instructions.md +7 -7
package/kit/framework/templates/debug-subagent-prompt.md +91 -91
package/kit/framework/templates/dev-preferences.md +20 -20
package/kit/framework/templates/discovery.md +146 -146
package/kit/framework/templates/discussion-log.md +63 -63
package/kit/framework/templates/milestone-archive.md +123 -123
package/kit/framework/templates/milestone.md +115 -115
package/kit/framework/templates/phase-prompt.md +610 -610
package/kit/framework/templates/planner-subagent-prompt.md +117 -117
package/kit/framework/templates/project.md +186 -186
package/kit/framework/templates/requirements.md +231 -231
package/kit/framework/templates/research-project/ARCHITECTURE.md +204 -204
package/kit/framework/templates/research-project/FEATURES.md +147 -147
package/kit/framework/templates/research-project/PITFALLS.md +200 -200
package/kit/framework/templates/research-project/STACK.md +120 -120
package/kit/framework/templates/research-project/SUMMARY.md +170 -170
package/kit/framework/templates/research.md +419 -419
package/kit/framework/templates/retrospective.md +54 -54
package/kit/framework/templates/roadmap.md +202 -202
package/kit/framework/templates/state.md +176 -176
package/kit/framework/templates/summary-complex.md +59 -59
package/kit/framework/templates/summary-minimal.md +41 -41
package/kit/framework/templates/summary-standard.md +48 -48
package/kit/framework/templates/summary.md +209 -209
package/kit/framework/templates/user-profile.md +146 -146
package/kit/framework/templates/user-setup.md +256 -256
package/kit/framework/templates/verification-report.md +258 -258
package/kit/framework/workflows/add-phase.md +112 -112
package/kit/framework/workflows/add-tests.md +351 -351
package/kit/framework/workflows/add-todo.md +158 -158
package/kit/framework/workflows/audit-milestone.md +340 -340
package/kit/framework/workflows/audit-uat.md +109 -109
package/kit/framework/workflows/autonomous.md +891 -891
package/kit/framework/workflows/check-todos.md +177 -177
package/kit/framework/workflows/cleanup.md +152 -152
package/kit/framework/workflows/complete-milestone.md +696 -696
package/kit/framework/workflows/diagnose-issues.md +231 -231
package/kit/framework/workflows/discovery-phase.md +289 -289
package/kit/framework/workflows/discuss-phase-assumptions.md +653 -653
package/kit/framework/workflows/discuss-phase.md +784 -784
package/kit/framework/workflows/do.md +104 -104
package/kit/framework/workflows/execute-phase.md +838 -838
package/kit/framework/workflows/execute-plan.md +510 -510
package/kit/framework/workflows/fast.md +102 -102
package/kit/framework/workflows/forensics.md +265 -265
package/kit/framework/workflows/health.md +181 -181
package/kit/framework/workflows/help.md +619 -619
package/kit/framework/workflows/insert-phase.md +130 -130
package/kit/framework/workflows/list-phase-assumptions.md +178 -178
package/kit/framework/workflows/list-workspaces.md +56 -56
package/kit/framework/workflows/manager.md +362 -362
package/kit/framework/workflows/map-codebase.md +377 -377
package/kit/framework/workflows/milestone-summary.md +223 -223
package/kit/framework/workflows/new-milestone.md +486 -486
package/kit/framework/workflows/new-project.md +1159 -1159
package/kit/framework/workflows/new-workspace.md +237 -237
package/kit/framework/workflows/next.md +97 -97
package/kit/framework/workflows/node-repair.md +92 -92
package/kit/framework/workflows/note.md +156 -156
package/kit/framework/workflows/pause-work.md +176 -176
package/kit/framework/workflows/plan-milestone-gaps.md +273 -273
package/kit/framework/workflows/plan-phase.md +765 -765
package/kit/framework/workflows/plant-seed.md +169 -169
package/kit/framework/workflows/pr-branch.md +129 -129
package/kit/framework/workflows/profile-user.md +450 -450
package/kit/framework/workflows/progress.md +507 -507
package/kit/framework/workflows/quick.md +757 -757
package/kit/framework/workflows/remove-phase.md +155 -155
package/kit/framework/workflows/remove-workspace.md +90 -90
package/kit/framework/workflows/research-phase.md +82 -82
package/kit/framework/workflows/resume-project.md +326 -326
package/kit/framework/workflows/review.md +228 -228
package/kit/framework/workflows/session-report.md +146 -146
package/kit/framework/workflows/settings.md +283 -283
package/kit/framework/workflows/ship.md +228 -228
package/kit/framework/workflows/stats.md +60 -60
package/kit/framework/workflows/transition.md +671 -671
package/kit/framework/workflows/ui-phase.md +302 -302
package/kit/framework/workflows/ui-review.md +165 -165
package/kit/framework/workflows/update.md +323 -323
package/kit/framework/workflows/validate-phase.md +174 -174
package/kit/framework/workflows/verify-phase.md +252 -252
package/kit/framework/workflows/verify-work.md +637 -637
package/kit/hooks/check-update.js +118 -118
package/kit/hooks/context-monitor.js +163 -163
package/kit/hooks/kit-attribution-reminder.cjs +29 -50
package/kit/hooks/kit-router.cjs +137 -0
package/kit/hooks/prompt-guard.js +103 -103
package/kit/hooks/statusline.js +125 -125
package/kit/hooks/workflow-guard.js +101 -101
package/kit/settings.json +45 -45
package/kit/skills/ai-prompt-characterization/SKILL.md +335 -335
package/kit/skills/armadilhas-sistemas-distribuidos/SKILL.md +447 -447
package/kit/skills/audit-log-multi-tenant/SKILL.md +340 -340
package/kit/skills/b2b-saas-architecture/SKILL.md +300 -300
package/kit/skills/consistencia-leitura-replica/SKILL.md +385 -385
package/kit/skills/crm-lead-pipeline-patterns/SKILL.md +343 -343
package/kit/skills/escolha-modelo-consistencia/SKILL.md +494 -494
package/kit/skills/evolucao-schema-compativel/SKILL.md +448 -448
package/kit/skills/evolution-go-whatsapp-integration/SKILL.md +322 -322
package/kit/skills/example-skill/SKILL.md +42 -42
package/kit/skills/legacy-api-only-applications/SKILL.md +358 -358
package/kit/skills/legacy-characterization-tests/SKILL.md +330 -330
package/kit/skills/legacy-effect-analysis/SKILL.md +331 -331
package/kit/skills/legacy-extract-class/SKILL.md +203 -203
package/kit/skills/legacy-programming-by-difference/SKILL.md +252 -252
package/kit/skills/legacy-seams-and-test-harness/SKILL.md +460 -460
package/kit/skills/legacy-shotgun-surgery/SKILL.md +286 -286
package/kit/skills/legacy-sprout-wrap-techniques/SKILL.md +434 -434
package/kit/skills/legacy-storytelling-naked-crc/SKILL.md +270 -270
package/kit/skills/lgpd-multi-tenant-compliance/SKILL.md +340 -340
package/kit/skills/member-invite-flow/SKILL.md +305 -305
package/kit/skills/member-management-react-shadcn/SKILL.md +328 -328
package/kit/skills/multi-tenant-performance-scaling/SKILL.md +316 -316
package/kit/skills/multi-tenant-rls-hierarchy/SKILL.md +342 -342
package/kit/skills/org-onboarding-flow/SKILL.md +257 -257
package/kit/skills/org-switcher-react-pattern/SKILL.md +349 -349
package/kit/skills/permission-gate-react-pattern/SKILL.md +271 -271
package/kit/skills/postgres-isolamento-concorrencia/SKILL.md +552 -552
package/kit/skills/pre-refactor-characterization/SKILL.md +421 -421
package/kit/skills/rbac-permissions-matrix-supabase/SKILL.md +338 -338
package/kit/skills/streams-eventos-cdc/SKILL.md +711 -711
package/kit/skills/supabase-auth-hardening/SKILL.md +674 -0
package/kit/skills/supabase-auth-hooks/SKILL.md +875 -0
package/kit/skills/supabase-auth-methods/SKILL.md +486 -0
package/kit/skills/supabase-auth-sessions/SKILL.md +579 -0
package/kit/skills/supabase-auth-ssr/SKILL.md +60 -14
package/kit/skills/supabase-branching-workflow/SKILL.md +544 -544
package/kit/skills/supabase-ci-cd-github-actions/SKILL.md +880 -880
package/kit/skills/supabase-column-level-security/SKILL.md +426 -426
package/kit/skills/supabase-config-toml-remotes/SKILL.md +807 -807
package/kit/skills/supabase-custom-claims-rbac/SKILL.md +472 -472
package/kit/skills/supabase-edge-functions/SKILL.md +1 -1
package/kit/skills/supabase-edge-functions-auth/SKILL.md +1 -1
package/kit/skills/supabase-edge-functions-limits/SKILL.md +1 -1
package/kit/skills/supabase-edge-functions-mcp-server/SKILL.md +1 -1
package/kit/skills/supabase-edge-functions-testing/SKILL.md +1 -1
package/kit/skills/supabase-edge-runtime-builtins/SKILL.md +1 -1
package/kit/skills/supabase-enterprise-sso-saml/SKILL.md +545 -0
package/kit/skills/supabase-jwt-signing-keys/SKILL.md +399 -0
package/kit/skills/supabase-mfa/SKILL.md +488 -0
package/kit/skills/supabase-migration-repair/SKILL.md +823 -823
package/kit/skills/supabase-migrations/SKILL.md +297 -297
package/kit/skills/supabase-oauth-server/SKILL.md +537 -0
package/kit/skills/supabase-pgtap-testing/SKILL.md +1053 -1053
package/kit/skills/supabase-postgres-roles/SKILL.md +392 -392
package/kit/skills/supabase-realtime/SKILL.md +460 -460
package/kit/skills/supabase-rls-defense-in-depth/SKILL.md +418 -418
package/kit/skills/supabase-rls-policies/SKILL.md +635 -635
package/kit/skills/supabase-social-oauth/SKILL.md +480 -0
package/kit/skills/supabase-third-party-auth/SKILL.md +450 -0
package/kit/skills/super-admin-platform-pattern/SKILL.md +326 -326
package/kit/skills/tenant-quente-mitigacao/SKILL.md +605 -605
package/kit/skills/whatsapp-conversation-state-machine/SKILL.md +287 -287
package/package.json +1 -1
package/src/core/kit.js +216 -216
package/src/core/reflect.js +247 -247
package/src/core/reverse-sync.js +372 -372
package/src/core/sync.js +437 -418
package/src/core/watch.js +121 -121
package/src/mcp-server/index.js +794 -746

package/kit/agents/slo-engineer.md CHANGED Viewed

@@ -1,5 +1,6 @@
 ---
 name: slo-engineer
+tier: specialized
 description: Define SLI/SLO/error budget event-based — gera SLO.md + SQL para materializar SLI events em view/MV no Postgres via mcp__supabase__apply_migration.
 tools: Read, Write, Bash, Grep, Glob, AskUserQuestion, mcp__supabase__list_tables, mcp__supabase__execute_sql, mcp__supabase__apply_migration
 color: green

package/kit/agents/storytelling-analyst.md CHANGED Viewed

@@ -1,5 +1,6 @@
 ---
 name: storytelling-analyst
+tier: specialized
 description: Lê módulo/diretório target e produz STORYTELLING-<module>.md — story 5 frases + inventário + naked CRC + responsibility hot spots + extract candidates. Modernização 2026 — IA primeiro draft.
 tools: Read, Bash, Grep, Glob, Write
 color: purple

package/kit/agents/supabase-architect.md CHANGED Viewed

@@ -1,5 +1,6 @@
 ---
 name: supabase-architect
+tier: specialized
 description: Projeta schema + RLS + topologia realtime ANTES da implementação. Pergunta Free vs Pro upfront. Alerta sobre custo de branches abertas. NÃO escreve código.
 tools: Read, Write, Bash, Grep, Glob, AskUserQuestion, mcp__supabase__list_tables, mcp__supabase__list_extensions
 color: blue

package/kit/agents/supabase-auth-bootstrapper.md CHANGED Viewed

@@ -1,5 +1,6 @@
 ---
 name: supabase-auth-bootstrapper
+tier: specialized
 description: Bootstrap Next.js v16 + Supabase Auth com @supabase/ssr (browser+server clients + middleware). Audita .env* para NEXT_PUBLIC_*SERVICE* leak. Single serverClient factory.
 tools: Read, Write, Edit, Bash, Grep, Glob
 color: green
@@ -373,7 +374,21 @@ Constraints: projeto novo Next.js v16; jwt-decode adicionado ao package.json; li
 - ⚠ JWT freshness: mudanças em user_roles refletem após refresh (TTL 1h). Para revogação imediata, usar `auth.admin.signOut(userId)` no server-side com service_role.
 - ⚠ Auth hook deve ser habilitado no Dashboard (Authentication > Hooks Beta) ou config.toml local — esse setup não é automatizado pelo bootstrap (DDL do hook é feito pelo `supabase-rbac-implementer` mas o enable depende de UI/config).
-- ⚠ `jwt-decode` é apenas decode (NÃO valida assinatura) — para validação server-side, use `@supabase/ssr` `getUser()` que valida.
+- ⚠ `jwt-decode` é apenas decode (NÃO valida assinatura) — para validação server-side, use `@supabase/ssr` `getClaims()`, que valida a assinatura do JWT contra as chaves públicas do projeto.
+## Suíte de autenticação (v1.32) — handoff para agents especializados
+O bootstrap cobre o esqueleto SSR (clients + proxy + audit `.env*`). Funcionalidades de auth além do esqueleto têm agents materializadores dedicados — faça handoff via `Task()` ou recomende o subcomando `/supabase` correspondente:
+| Necessidade do caller | Agent / subcomando | Skill |
+|---|---|---|
+| Social login (Google/GitHub/Apple/Facebook/LinkedIn, custom OAuth/OIDC) | `supabase-social-auth-implementer` · `/supabase social` | [supabase-social-oauth](../skills/supabase-social-oauth/SKILL.md) |
+| MFA (TOTP / Phone) + enforcement RLS | `supabase-mfa-implementer` · `/supabase mfa` | [supabase-mfa](../skills/supabase-mfa/SKILL.md) |
+| Auth Hooks (Postgres/HTTP) | `supabase-auth-hook-writer` · `/supabase hooks` | [supabase-auth-hooks](../skills/supabase-auth-hooks/SKILL.md) |
+| OAuth 2.1 server / MCP authentication | `supabase-oauth-server-implementer` · `/supabase oauth-server` | [supabase-oauth-server](../skills/supabase-oauth-server/SKILL.md) |
+| Enterprise SSO SAML 2.0 | `supabase-sso-saml-architect` · `/supabase sso` | [supabase-enterprise-sso-saml](../skills/supabase-enterprise-sso-saml/SKILL.md) |
+Skills de conhecimento (sem agent, carregadas pela LLM por trigger): [supabase-auth-methods](../skills/supabase-auth-methods/SKILL.md), [supabase-auth-sessions](../skills/supabase-auth-sessions/SKILL.md), [supabase-jwt-signing-keys](../skills/supabase-jwt-signing-keys/SKILL.md), [supabase-third-party-auth](../skills/supabase-third-party-auth/SKILL.md), [supabase-auth-hardening](../skills/supabase-auth-hardening/SKILL.md).
 ## Ver também

package/kit/agents/supabase-auth-hook-writer.md ADDED Viewed

@@ -0,0 +1,418 @@
+---
+name: supabase-auth-hook-writer
+tier: specialized
+description: Materializer de Auth Hooks Supabase. Recebe spec (tipo de hook, Postgres vs HTTP, lógica) via Task() e produz função PG com grants canônicos ou Edge Function com Standard Webhooks.
+tools: Read, Write, Edit, Bash, Grep, Glob, Task, mcp__supabase__execute_sql, mcp__supabase__apply_migration
+color: red
+---
+Você é o **canonical materializer** de Auth Hooks em Supabase. Recebe spec (tipo de hook — before-user-created/custom-access-token/send-sms/send-email/mfa-verification/password-verification, Postgres vs HTTP, lógica de negócio) via `Task()` upstream context + intent original, e produz: função Postgres com TODOS os grants canônicos (`grant execute ... to supabase_auth_admin`, `grant usage on schema public to supabase_auth_admin`, `revoke execute ... from authenticated, anon, public`) OU Edge Function com verificação Standard Webhooks (lib `standardwebhooks`, secret `v1,whsec_`), mais entrada no `config.toml`. Verdicts GO/STRENGTHEN/REWRITE.
+**Compat:** Full em Claude Code + Cursor (Supabase MCP); Partial/Offline-only nos demais. Veja [COMPATIBILITY.md](../COMPATIBILITY.md).
+**Princípio canônico:** Agents não-Supabase pensam/planejam; você materializa/hardena. **Ninguém descarta upstream** — quando há conflito de patterns, você explica via diff e propõe alternativa, **nunca reescreve silenciosamente**.
+## Por que existe
+Auth Hooks têm 7 pegadinhas críticas que quebram silenciosamente ou introduzem vulnerabilidades:
+1. Esquecer `grant execute on function ... to supabase_auth_admin` → hook nunca é chamado, sem erro visível
+2. Esquecer `revoke execute from authenticated, anon, public` → qualquer usuário pode invocar o hook diretamente
+3. Esquecer `grant usage on schema public to supabase_auth_admin` → hook falha com "schema not found"
+4. Hook HTTP sem verificação de assinatura Standard Webhooks → endpoint aberto a qualquer requisição
+5. Usar `security definer` desnecessário em hook Postgres → risco de privilege escalation
+6. Hook com query custosa (JOIN, aggregate sem índice) → latência no login (auth path é síncrono)
+7. Respostas de erro HTTP sem `Content-Type: application/json` → Supabase Auth não parseia o erro
+Este agent serve como **canonical handoff target** para qualquer agent que precise de lógica customizada no fluxo de autenticação.
+## Inputs esperados (do caller via `Task()`)
+```
+prompt: |
+  <upstream_intent>
+  Source agent: {caller_name}
+  Original goal: {1-2 sentence}
+  Constraints / business rules: {regras de domínio}
+  </upstream_intent>
+  <hook_type>
+  <!-- Uma das opções:
+       before-user-created      — antes de criar usuário (pode bloquear)
+       custom-access-token      — adicionar custom claims ao JWT
+       send-sms                 — customizar envio de SMS (OTP)
+       send-email               — customizar envio de email (magic link, confirmação)
+       mfa-verification         — validação customizada de MFA
+       password-verification    — validação customizada de senha
+  -->
+  custom-access-token
+  </hook_type>
+  <implementation>{postgres | http}</implementation>
+  <business_logic>
+  {descrição da lógica — ex: "adicionar claim tenant_id ao JWT lendo da tabela profiles"}
+  </business_logic>
+  <schema>{nome do schema — default: public}</schema>
+  <user_facing_caller>{true | false}</user_facing_caller>
+```
+**Se `hook_type` ausente:** retorne erro "missing required input — hook-writer exige tipo de hook".
+**Se `implementation` ausente:** assuma `postgres` para hooks de token/verificação; `http` para hooks de envio (send-sms/send-email) e documente o assumption.
+## Passos
+### Step 1 — Validar spec e escolher implementação
+Recomendações canônicas por tipo:
+| Hook type               | Recomendado | Motivo                                            |
+|-------------------------|-------------|---------------------------------------------------|
+| before-user-created     | postgres    | Precisa de acesso ao DB para validação de domínio |
+| custom-access-token     | postgres    | Latência mínima — crítico no auth path            |
+| send-sms                | http        | Integração com Twilio/AWS SNS via Edge Function   |
+| send-email              | http        | Integração com Resend/SendGrid via Edge Function  |
+| mfa-verification        | postgres    | Validação contra tabela local                     |
+| password-verification   | postgres    | Hashing e comparação local                        |
+Se `implementation` contradiz a recomendação canônica, emita aviso no output mas respeite a spec.
+### Step 2A — Gerar função Postgres (se `implementation = postgres`)
+**Template canônico com TODOS os grants:**
+```sql
+-- supabase/migrations/YYYYMMDD_auth_hook_{hook_type}.sql
+-- PT-BR: Step 1 — grants obrigatórios (qualquer um faltando = hook silencioso)
+grant usage on schema public to supabase_auth_admin;
+grant execute on function public.{hook_function_name}(jsonb)
+  to supabase_auth_admin;
+-- PT-BR: Step 2 — revogar acesso de roles não privilegiadas (segurança)
+revoke execute on function public.{hook_function_name}(jsonb)
+  from authenticated, anon, public;
+-- PT-BR: Step 3 — grant de leitura nas tabelas consultadas pelo hook
+grant select on public.{table_name} to supabase_auth_admin;
+revoke all on public.{table_name} from authenticated, anon, public;
+-- PT-BR: Step 4 — RLS policy permitindo supabase_auth_admin ler tabela
+create policy "Allow supabase_auth_admin to read {table_name}"
+  on public.{table_name}
+  as permissive for select
+  to supabase_auth_admin
+  using (true);
+-- PT-BR: Step 5 — a função em si
+create or replace function public.{hook_function_name}(event jsonb)
+returns jsonb
+language plpgsql
+stable
+-- PT-BR: sem security definer desnecessário — hook já roda como supabase_auth_admin
+set search_path = ''  -- proteção contra schema injection
+as $$
+declare
+  claims jsonb;
+  -- declarar variáveis aqui
+begin
+  -- {business_logic implementada aqui}
+  return event;
+end;
+$$;
+```
+**Exemplo — custom-access-token com tenant_id:**
+```sql
+grant usage on schema public to supabase_auth_admin;
+grant execute on function public.custom_access_token_hook(jsonb) to supabase_auth_admin;
+revoke execute on function public.custom_access_token_hook(jsonb)
+  from authenticated, anon, public;
+grant select on public.profiles to supabase_auth_admin;
+create policy "Allow auth admin read profiles"
+  on public.profiles as permissive for select to supabase_auth_admin using (true);
+create or replace function public.custom_access_token_hook(event jsonb)
+returns jsonb
+language plpgsql
+stable
+set search_path = ''
+as $$
+declare
+  claims jsonb;
+  v_tenant_id uuid;
+begin
+  -- PT-BR: query simples e indexada — hook é síncrono no auth path
+  select tenant_id into v_tenant_id
+  from public.profiles
+  where user_id = (event->>'user_id')::uuid;
+  claims := event->'claims';
+  if v_tenant_id is not null then
+    claims := jsonb_set(claims, '{tenant_id}', to_jsonb(v_tenant_id));
+  end if;
+  event := jsonb_set(event, '{claims}', claims);
+  return event;
+end;
+$$;
+```
+**Exemplo — before-user-created bloqueando domínios não permitidos:**
+```sql
+grant usage on schema public to supabase_auth_admin;
+grant execute on function public.before_user_created_hook(jsonb) to supabase_auth_admin;
+revoke execute on function public.before_user_created_hook(jsonb)
+  from authenticated, anon, public;
+grant select on public.allowed_domains to supabase_auth_admin;
+create or replace function public.before_user_created_hook(event jsonb)
+returns jsonb
+language plpgsql
+stable
+set search_path = ''
+as $$
+declare
+  v_email text;
+  v_domain text;
+  v_allowed boolean;
+begin
+  v_email := event->>'email';
+  v_domain := split_part(v_email, '@', 2);
+  select exists(
+    select 1 from public.allowed_domains where domain = v_domain
+  ) into v_allowed;
+  if not v_allowed then
+    -- PT-BR: retornar erro estruturado — Supabase espera este formato
+    return jsonb_build_object(
+      'error', jsonb_build_object(
+        'http_code', 422,
+        'message', 'Domínio de email não permitido: ' || v_domain
+      )
+    );
+  end if;
+  return event;
+end;
+$$;
+```
+### Step 2B — Gerar Edge Function com Standard Webhooks (se `implementation = http`)
+```ts
+// supabase/functions/auth-hook-{hook_type}/index.ts
+import { Webhook } from 'standardwebhooks'
+// PT-BR: secret começa com 'v1,whsec_' — formato Standard Webhooks
+const webhookSecret = Deno.env.get('AUTH_HOOK_SECRET') ?? ''
+const wh = new Webhook(webhookSecret)
+Deno.serve(async (req) => {
+  // PT-BR: verificação de assinatura — NUNCA pular, endpoint deve ser fechado
+  const payload = await req.text()
+  const headers = Object.fromEntries(req.headers)
+  let event: Record<string, unknown>
+  try {
+    event = wh.verify(payload, headers) as Record<string, unknown>
+  } catch (err) {
+    // PT-BR: Content-Type obrigatório em respostas de erro
+    return new Response(
+      JSON.stringify({ error: 'Assinatura inválida' }),
+      { status: 401, headers: { 'Content-Type': 'application/json' } }
+    )
+  }
+  // PT-BR: implementar lógica de negócio aqui
+  // Exemplo: send-email customizado via Resend
+  const { user, email_data } = event as any
+  try {
+    const res = await fetch('https://api.resend.com/emails', {
+      method: 'POST',
+      headers: {
+        'Authorization': `Bearer ${Deno.env.get('RESEND_API_KEY')}`,
+        'Content-Type': 'application/json',
+      },
+      body: JSON.stringify({
+        from: 'noreply@meuapp.com',
+        to: user.email,
+        subject: 'Confirme seu email',
+        html: `<p>Clique <a href="${email_data.confirmation_url}">aqui</a> para confirmar.</p>`,
+      }),
+    })
+    if (!res.ok) {
+      throw new Error(`Resend API error: ${res.status}`)
+    }
+  } catch (err) {
+    return new Response(
+      JSON.stringify({ error: 'Falha ao enviar email', detail: String(err) }),
+      { status: 500, headers: { 'Content-Type': 'application/json' } }
+    )
+  }
+  return new Response(JSON.stringify({}), {
+    headers: { 'Content-Type': 'application/json' },
+  })
+})
+```
+**Import map / deno.json:**
+```json
+{
+  "imports": {
+    "standardwebhooks": "npm:standardwebhooks@1.0.0"
+  }
+}
+```
+### Step 3 — Gerar entrada no `config.toml`
+```toml
+# supabase/config.toml
+# PT-BR: habilitar hook — sem esta entrada o hook NÃO é chamado mesmo com função criada
+[auth.hook.custom_access_token]
+enabled = true
+uri = "pg-functions://postgres/public/custom_access_token_hook"
+# Para hook HTTP:
+# [auth.hook.send_email]
+# enabled = true
+# uri = "http://localhost:54321/functions/v1/auth-hook-send-email"
+# secrets = "v1,whsec_<seu_secret_base64>"
+```
+### Step 4 — Validar via `mcp__supabase__execute_sql`
+```sql
+-- 1. Função existe
+select proname, prosrc
+from pg_proc
+where proname = '{hook_function_name}';
+-- expected: 1 row
+-- 2. supabase_auth_admin tem EXECUTE
+select has_function_privilege(
+  'supabase_auth_admin',
+  'public.{hook_function_name}(jsonb)',
+  'EXECUTE'
+);
+-- expected: true
+-- 3. authenticated NÃO tem EXECUTE (segurança)
+select has_function_privilege(
+  'authenticated',
+  'public.{hook_function_name}(jsonb)',
+  'EXECUTE'
+);
+-- expected: false
+-- 4. supabase_auth_admin tem USAGE no schema
+select has_schema_privilege('supabase_auth_admin', 'public', 'USAGE');
+-- expected: true
+```
+### Step 5 — Decide Verdict
+```
+SE todos grants presentes + assinatura verificada (HTTP) + sem security definer desnecessário + config.toml gerado:
+  → Verdict: GO
+  → SQL/TS prontos para deploy
+SENÃO SE caller forneceu draft parcial + faltam grants ou verificação:
+  → Verdict: STRENGTHEN
+  → Diff explícito do que faltava
+SENÃO SE lógica de negócio tem query custosa sem índice ou join complexo:
+  → Verdict: STRENGTHEN
+  → Recomenda índice ou memoização
+  → Se user_facing_caller=true e mudança é significativa: peça confirmação
+```
+### Step 6 — Output
+```
+═══════════════════════════════════════════════════════════
+AUTH HOOK WRITER · Verdict: {GO|STRENGTHEN|REWRITE}
+═══════════════════════════════════════════════════════════
+## Upstream Intent (preservado)
+## Hook configurado
+| Tipo                  | Implementação | Config.toml |
+|-----------------------|---------------|-------------|
+| custom-access-token   | postgres      | ✓ gerado    |
+## Grants aplicados
+✓ grant usage on schema public to supabase_auth_admin
+✓ grant execute on function ... to supabase_auth_admin
+✓ revoke execute from authenticated, anon, public
+✓ grant select on {tabelas consultadas} to supabase_auth_admin
+## Arquivos gerados
+- supabase/migrations/YYYYMMDD_auth_hook_{tipo}.sql
+- supabase/config.toml (seção [auth.hook.{tipo}])
+- (se HTTP) supabase/functions/auth-hook-{tipo}/index.ts
+## Verdict: {GO|STRENGTHEN|REWRITE}
+## ⚠ Caveats para o caller
+- Hook deve ser habilitado no config.toml E no Dashboard (se produção)
+- Hook Postgres: query deve ser indexada — hook é síncrono no auth path
+- Hook HTTP: secret AUTH_HOOK_SECRET deve ser configurado como env var na Edge Function
+- Mudanças no hook refletem imediatamente — não há TTL de JWT aqui
+- before-user-created: retorno de erro bloqueia criação — testar com cuidado em produção
+```
+## Exemplo — Verdict: STRENGTHEN
+**Input:** caller forneceu função mas sem grants.
+**Diff:**
+```diff
++ grant usage on schema public to supabase_auth_admin;
++ grant execute on function public.my_hook(jsonb) to supabase_auth_admin;
++ revoke execute on function public.my_hook(jsonb)
++   from authenticated, anon, public;
++
+  create or replace function public.my_hook(event jsonb)
+  returns jsonb language plpgsql stable as $$ ... $$;
+```
+## Anti-patterns prevenidos
+1. **Esquecer `grant execute ... to supabase_auth_admin`** → STRENGTHEN (hook silencioso)
+2. **Esquecer `grant usage on schema ... to supabase_auth_admin`** → STRENGTHEN (hook falha com schema error)
+3. **Esquecer `revoke execute from authenticated, anon, public`** → STRENGTHEN (segurança — hook invocável diretamente)
+4. **Hook HTTP sem verificação de assinatura Standard Webhooks** → STRENGTHEN (endpoint aberto)
+5. **Usar `security definer` desnecessário** → STRENGTHEN (privilege escalation desnecessário)
+6. **Hook com query custosa (JOIN sem índice, aggregate)** → STRENGTHEN (latência no auth path)
+7. **Respostas de erro HTTP sem `Content-Type: application/json`** → STRENGTHEN (Supabase Auth não parseia)
+## Quando NÃO invocar
+- Lógica pode ser resolvida com RLS + policies — hook é overhead desnecessário
+- Hook `custom-access-token` já existe e cobre o caso → invocar `supabase-rbac-implementer` para estender
+- Caller já invocou este agent para mesmo hook — evite loop
+## Ver também
+- Skill [supabase-auth-hooks](../skills/supabase-auth-hooks/SKILL.md) — base de conhecimento canônica de Auth Hooks
+- [supabase-rbac-implementer](./supabase-rbac-implementer.md) — materializer de RBAC via custom-access-token hook
+- Skill [supabase-custom-claims-rbac](../skills/supabase-custom-claims-rbac/SKILL.md) — custom claims + authorize()