npm - @luanpdd/kit-mcp - Versions diffs - 1.30.2 → 1.32.0 - Mend

@luanpdd/kit-mcp 1.30.2 → 1.32.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (365) hide show

package/LICENSE +21 -21
package/README.md +168 -168
package/gates/agent-no-recursive-dispatch.md +84 -82
package/kit/COMANDOS.md +138 -138
package/kit/COMPATIBILITY.md +5 -0
package/kit/README.md +76 -76
package/kit/agents/advisor-researcher.md +107 -106
package/kit/agents/ai-mutation-tester.md +1 -0
package/kit/agents/assumptions-analyzer.md +108 -107
package/kit/agents/audit-log-implementer.md +314 -313
package/kit/agents/auditor-consistencia-isolamento.md +414 -413
package/kit/agents/b2b-saas-architect.md +157 -156
package/kit/agents/burn-rate-forecaster.md +1 -0
package/kit/agents/cascading-failures-auditor.md +299 -298
package/kit/agents/codebase-mapper.md +769 -768
package/kit/agents/crm-pipeline-implementer.md +257 -256
package/kit/agents/debugger.md +814 -813
package/kit/agents/detector-tenant-quente.md +338 -337
package/kit/agents/evolution-go-integrator.md +201 -200
package/kit/agents/example-reviewer.md +22 -21
package/kit/agents/executor.md +565 -564
package/kit/agents/golden-signals-instrumenter.md +1 -0
package/kit/agents/incident-investigator.md +1 -0
package/kit/agents/integration-checker.md +201 -200
package/kit/agents/invite-flow-implementer.md +190 -189
package/kit/agents/legacy-characterizer.md +369 -368
package/kit/agents/lgpd-compliance-auditor.md +296 -295
package/kit/agents/load-shedding-instrumenter.md +1 -0
package/kit/agents/multi-tenant-isolation-auditor.md +254 -253
package/kit/agents/multi-tenant-rls-writer.md +341 -340
package/kit/agents/nyquist-auditor.md +179 -178
package/kit/agents/observability-coverage-auditor.md +316 -315
package/kit/agents/observability-instrumenter.md +1 -0
package/kit/agents/omm-auditor.md +1 -0
package/kit/agents/org-onboarding-implementer.md +224 -223
package/kit/agents/payload-capture-instrumenter.md +274 -273
package/kit/agents/phase-researcher.md +697 -696
package/kit/agents/plan-checker.md +273 -272
package/kit/agents/planner.md +923 -922
package/kit/agents/postmortem-writer.md +1 -0
package/kit/agents/project-researcher.md +653 -652
package/kit/agents/prr-conductor.md +1 -0
package/kit/agents/refactor-safety-auditor.md +405 -404
package/kit/agents/release-pipeline-auditor.md +1 -0
package/kit/agents/research-synthesizer.md +246 -245
package/kit/agents/roadmapper.md +678 -677
package/kit/agents/schema-checker.md +1 -0
package/kit/agents/seam-finder.md +360 -359
package/kit/agents/shotgun-surgery-detector.md +350 -349
package/kit/agents/slo-engineer.md +1 -0
package/kit/agents/storytelling-analyst.md +1 -0
package/kit/agents/supabase-architect.md +1 -0
package/kit/agents/supabase-auth-bootstrapper.md +16 -1
package/kit/agents/supabase-auth-hook-writer.md +418 -0
package/kit/agents/supabase-branching-architect.md +563 -562
package/kit/agents/supabase-cicd-pipeline-implementer.md +778 -777
package/kit/agents/supabase-column-privileges-writer.md +400 -399
package/kit/agents/supabase-edge-fn-tester.md +2 -1
package/kit/agents/supabase-edge-fn-writer.md +2 -1
package/kit/agents/supabase-mfa-implementer.md +439 -0
package/kit/agents/supabase-migration-writer.md +386 -385
package/kit/agents/supabase-oauth-server-implementer.md +507 -0
package/kit/agents/supabase-rbac-implementer.md +393 -392
package/kit/agents/supabase-realtime-implementer.md +364 -363
package/kit/agents/supabase-rls-hardener.md +522 -521
package/kit/agents/supabase-rls-writer.md +324 -323
package/kit/agents/supabase-roles-implementer.md +356 -355
package/kit/agents/supabase-social-auth-implementer.md +451 -0
package/kit/agents/supabase-sso-saml-architect.md +549 -0
package/kit/agents/supabase-storage-implementer.md +1 -0
package/kit/agents/super-admin-implementer.md +282 -281
package/kit/agents/toil-auditor.md +1 -0
package/kit/agents/ui-auditor.md +438 -437
package/kit/agents/ui-checker.md +303 -302
package/kit/agents/ui-researcher.md +356 -355
package/kit/agents/user-profiler.md +176 -175
package/kit/agents/validador-evolucao-schema.md +336 -335
package/kit/agents/verifier.md +729 -728
package/kit/commands/adicionar-backlog.md +75 -75
package/kit/commands/adicionar-fase.md +42 -42
package/kit/commands/adicionar-tarefa.md +45 -45
package/kit/commands/adicionar-testes.md +41 -41
package/kit/commands/ajuda.md +21 -21
package/kit/commands/atualizar.md +37 -37
package/kit/commands/auditar-cascading.md +111 -111
package/kit/commands/auditar-marco.md +179 -179
package/kit/commands/auditar-observabilidade-cobertura.md +183 -183
package/kit/commands/auditar-refactor.md +219 -219
package/kit/commands/auditar-release.md +109 -109
package/kit/commands/auditar-uat.md +23 -23
package/kit/commands/autonomo.md +40 -40
package/kit/commands/branch-pr.md +24 -24
package/kit/commands/burn-rate-status.md +408 -408
package/kit/commands/capturar-payloads.md +193 -193
package/kit/commands/caracterizar.md +212 -212
package/kit/commands/concluir-marco.md +247 -247
package/kit/commands/configuracoes.md +36 -36
package/kit/commands/dados-distribuidos.md +188 -188
package/kit/commands/definir-perfil.md +10 -10
package/kit/commands/depurar.md +190 -190
package/kit/commands/detectar-duplicacao.md +197 -197
package/kit/commands/discutir-fase.md +131 -131
package/kit/commands/encontrar-seams.md +136 -136
package/kit/commands/entrar-discord.md +17 -17
package/kit/commands/estatisticas.md +18 -18
package/kit/commands/example-greeting.md +33 -33
package/kit/commands/executar-fase.md +58 -58
package/kit/commands/expresso.md +56 -56
package/kit/commands/fase-ui.md +34 -34
package/kit/commands/fazer.md +57 -57
package/kit/commands/fio.md +125 -125
package/kit/commands/fluxos-trabalho.md +64 -64
package/kit/commands/forense.md +176 -176
package/kit/commands/gerenciador.md +38 -38
package/kit/commands/inserir-fase.md +31 -31
package/kit/commands/legacy.md +263 -263
package/kit/commands/limpeza.md +17 -17
package/kit/commands/listar-hipoteses-fase.md +45 -45
package/kit/commands/listar-workspaces.md +18 -18
package/kit/commands/load-shedding.md +117 -117
package/kit/commands/mapear-codebase.md +70 -70
package/kit/commands/multi-tenant.md +163 -163
package/kit/commands/nota.md +33 -33
package/kit/commands/novo-marco.md +43 -43
package/kit/commands/novo-projeto.md +41 -41
package/kit/commands/novo-workspace.md +43 -43
package/kit/commands/pausar-trabalho.md +37 -37
package/kit/commands/perfil-usuario.md +45 -45
package/kit/commands/pesquisar-fase.md +195 -195
package/kit/commands/planejar-fase.md +67 -67
package/kit/commands/planejar-lacunas.md +33 -33
package/kit/commands/plantar-ideia.md +25 -25
package/kit/commands/progresso.md +24 -24
package/kit/commands/proximo.md +30 -30
package/kit/commands/publicar.md +490 -490
package/kit/commands/rapido.md +35 -35
package/kit/commands/reaplicar-patches.md +124 -124
package/kit/commands/refactor-seguro.md +321 -321
package/kit/commands/relatorio-sessao.md +19 -19
package/kit/commands/remover-fase.md +31 -31
package/kit/commands/remover-workspace.md +26 -26
package/kit/commands/resumo-marco.md +50 -50
package/kit/commands/retomar-trabalho.md +40 -40
package/kit/commands/revisar-backlog.md +60 -60
package/kit/commands/revisar-ui.md +32 -32
package/kit/commands/revisar.md +37 -37
package/kit/commands/saude.md +21 -21
package/kit/commands/setup-notion.md +93 -93
package/kit/commands/storytelling.md +179 -179
package/kit/commands/supabase.md +21 -1
package/kit/commands/sync-main.md +68 -68
package/kit/commands/validar-fase.md +35 -35
package/kit/commands/verificar-tarefas.md +44 -44
package/kit/commands/verificar-trabalho.md +64 -64
package/kit/file-manifest.json +100 -84
package/kit/framework/bin/lib/commands.cjs +959 -959
package/kit/framework/bin/lib/config.cjs +442 -442
package/kit/framework/bin/lib/core.cjs +1230 -1230
package/kit/framework/bin/lib/frontmatter.cjs +336 -336
package/kit/framework/bin/lib/init.cjs +1442 -1442
package/kit/framework/bin/lib/milestone.cjs +252 -252
package/kit/framework/bin/lib/model-profiles.cjs +68 -68
package/kit/framework/bin/lib/phase.cjs +888 -888
package/kit/framework/bin/lib/profile-output.cjs +952 -952
package/kit/framework/bin/lib/profile-pipeline.cjs +539 -539
package/kit/framework/bin/lib/roadmap.cjs +329 -329
package/kit/framework/bin/lib/security.cjs +382 -382
package/kit/framework/bin/lib/state.cjs +1031 -1031
package/kit/framework/bin/lib/template.cjs +222 -222
package/kit/framework/bin/lib/uat.cjs +282 -282
package/kit/framework/bin/lib/verify.cjs +888 -888
package/kit/framework/bin/lib/workstream.cjs +491 -491
package/kit/framework/bin/tools.cjs +918 -918
package/kit/framework/commands/workstreams.md +63 -63
package/kit/framework/references/checkpoints.md +778 -778
package/kit/framework/references/continuation-format.md +249 -249
package/kit/framework/references/decimal-phase-calculation.md +64 -64
package/kit/framework/references/git-integration.md +295 -295
package/kit/framework/references/git-planning-commit.md +38 -38
package/kit/framework/references/model-profile-resolution.md +36 -36
package/kit/framework/references/model-profiles.md +139 -139
package/kit/framework/references/phase-argument-parsing.md +61 -61
package/kit/framework/references/planning-config.md +202 -202
package/kit/framework/references/questioning.md +162 -162
package/kit/framework/references/tdd.md +263 -263
package/kit/framework/references/ui-brand.md +160 -160
package/kit/framework/references/user-profiling.md +657 -657
package/kit/framework/references/verification-patterns.md +612 -612
package/kit/framework/references/workstream-flag.md +58 -58
package/kit/framework/templates/DEBUG.md +164 -164
package/kit/framework/templates/UAT.md +265 -265
package/kit/framework/templates/UI-SPEC.md +100 -100
package/kit/framework/templates/VALIDATION.md +76 -76
package/kit/framework/templates/claude-md.md +122 -122
package/kit/framework/templates/codebase/architecture.md +185 -185
package/kit/framework/templates/codebase/concerns.md +205 -205
package/kit/framework/templates/codebase/conventions.md +204 -204
package/kit/framework/templates/codebase/integrations.md +192 -192
package/kit/framework/templates/codebase/stack.md +158 -158
package/kit/framework/templates/codebase/structure.md +199 -199
package/kit/framework/templates/codebase/testing.md +301 -301
package/kit/framework/templates/config.json +44 -44
package/kit/framework/templates/context.md +352 -352
package/kit/framework/templates/continue-here.md +78 -78
package/kit/framework/templates/copilot-instructions.md +7 -7
package/kit/framework/templates/debug-subagent-prompt.md +91 -91
package/kit/framework/templates/dev-preferences.md +20 -20
package/kit/framework/templates/discovery.md +146 -146
package/kit/framework/templates/discussion-log.md +63 -63
package/kit/framework/templates/milestone-archive.md +123 -123
package/kit/framework/templates/milestone.md +115 -115
package/kit/framework/templates/phase-prompt.md +610 -610
package/kit/framework/templates/planner-subagent-prompt.md +117 -117
package/kit/framework/templates/project.md +186 -186
package/kit/framework/templates/requirements.md +231 -231
package/kit/framework/templates/research-project/ARCHITECTURE.md +204 -204
package/kit/framework/templates/research-project/FEATURES.md +147 -147
package/kit/framework/templates/research-project/PITFALLS.md +200 -200
package/kit/framework/templates/research-project/STACK.md +120 -120
package/kit/framework/templates/research-project/SUMMARY.md +170 -170
package/kit/framework/templates/research.md +419 -419
package/kit/framework/templates/retrospective.md +54 -54
package/kit/framework/templates/roadmap.md +202 -202
package/kit/framework/templates/state.md +176 -176
package/kit/framework/templates/summary-complex.md +59 -59
package/kit/framework/templates/summary-minimal.md +41 -41
package/kit/framework/templates/summary-standard.md +48 -48
package/kit/framework/templates/summary.md +209 -209
package/kit/framework/templates/user-profile.md +146 -146
package/kit/framework/templates/user-setup.md +256 -256
package/kit/framework/templates/verification-report.md +258 -258
package/kit/framework/workflows/add-phase.md +112 -112
package/kit/framework/workflows/add-tests.md +351 -351
package/kit/framework/workflows/add-todo.md +158 -158
package/kit/framework/workflows/audit-milestone.md +340 -340
package/kit/framework/workflows/audit-uat.md +109 -109
package/kit/framework/workflows/autonomous.md +891 -891
package/kit/framework/workflows/check-todos.md +177 -177
package/kit/framework/workflows/cleanup.md +152 -152
package/kit/framework/workflows/complete-milestone.md +696 -696
package/kit/framework/workflows/diagnose-issues.md +231 -231
package/kit/framework/workflows/discovery-phase.md +289 -289
package/kit/framework/workflows/discuss-phase-assumptions.md +653 -653
package/kit/framework/workflows/discuss-phase.md +784 -784
package/kit/framework/workflows/do.md +104 -104
package/kit/framework/workflows/execute-phase.md +838 -838
package/kit/framework/workflows/execute-plan.md +510 -510
package/kit/framework/workflows/fast.md +102 -102
package/kit/framework/workflows/forensics.md +265 -265
package/kit/framework/workflows/health.md +181 -181
package/kit/framework/workflows/help.md +619 -619
package/kit/framework/workflows/insert-phase.md +130 -130
package/kit/framework/workflows/list-phase-assumptions.md +178 -178
package/kit/framework/workflows/list-workspaces.md +56 -56
package/kit/framework/workflows/manager.md +362 -362
package/kit/framework/workflows/map-codebase.md +377 -377
package/kit/framework/workflows/milestone-summary.md +223 -223
package/kit/framework/workflows/new-milestone.md +486 -486
package/kit/framework/workflows/new-project.md +1159 -1159
package/kit/framework/workflows/new-workspace.md +237 -237
package/kit/framework/workflows/next.md +97 -97
package/kit/framework/workflows/node-repair.md +92 -92
package/kit/framework/workflows/note.md +156 -156
package/kit/framework/workflows/pause-work.md +176 -176
package/kit/framework/workflows/plan-milestone-gaps.md +273 -273
package/kit/framework/workflows/plan-phase.md +765 -765
package/kit/framework/workflows/plant-seed.md +169 -169
package/kit/framework/workflows/pr-branch.md +129 -129
package/kit/framework/workflows/profile-user.md +450 -450
package/kit/framework/workflows/progress.md +507 -507
package/kit/framework/workflows/quick.md +757 -757
package/kit/framework/workflows/remove-phase.md +155 -155
package/kit/framework/workflows/remove-workspace.md +90 -90
package/kit/framework/workflows/research-phase.md +82 -82
package/kit/framework/workflows/resume-project.md +326 -326
package/kit/framework/workflows/review.md +228 -228
package/kit/framework/workflows/session-report.md +146 -146
package/kit/framework/workflows/settings.md +283 -283
package/kit/framework/workflows/ship.md +228 -228
package/kit/framework/workflows/stats.md +60 -60
package/kit/framework/workflows/transition.md +671 -671
package/kit/framework/workflows/ui-phase.md +302 -302
package/kit/framework/workflows/ui-review.md +165 -165
package/kit/framework/workflows/update.md +323 -323
package/kit/framework/workflows/validate-phase.md +174 -174
package/kit/framework/workflows/verify-phase.md +252 -252
package/kit/framework/workflows/verify-work.md +637 -637
package/kit/hooks/check-update.js +118 -118
package/kit/hooks/context-monitor.js +163 -163
package/kit/hooks/kit-attribution-reminder.cjs +29 -50
package/kit/hooks/kit-router.cjs +137 -0
package/kit/hooks/prompt-guard.js +103 -103
package/kit/hooks/statusline.js +125 -125
package/kit/hooks/workflow-guard.js +101 -101
package/kit/settings.json +45 -45
package/kit/skills/ai-prompt-characterization/SKILL.md +335 -335
package/kit/skills/armadilhas-sistemas-distribuidos/SKILL.md +447 -447
package/kit/skills/audit-log-multi-tenant/SKILL.md +340 -340
package/kit/skills/b2b-saas-architecture/SKILL.md +300 -300
package/kit/skills/consistencia-leitura-replica/SKILL.md +385 -385
package/kit/skills/crm-lead-pipeline-patterns/SKILL.md +343 -343
package/kit/skills/escolha-modelo-consistencia/SKILL.md +494 -494
package/kit/skills/evolucao-schema-compativel/SKILL.md +448 -448
package/kit/skills/evolution-go-whatsapp-integration/SKILL.md +322 -322
package/kit/skills/example-skill/SKILL.md +42 -42
package/kit/skills/legacy-api-only-applications/SKILL.md +358 -358
package/kit/skills/legacy-characterization-tests/SKILL.md +330 -330
package/kit/skills/legacy-effect-analysis/SKILL.md +331 -331
package/kit/skills/legacy-extract-class/SKILL.md +203 -203
package/kit/skills/legacy-programming-by-difference/SKILL.md +252 -252
package/kit/skills/legacy-seams-and-test-harness/SKILL.md +460 -460
package/kit/skills/legacy-shotgun-surgery/SKILL.md +286 -286
package/kit/skills/legacy-sprout-wrap-techniques/SKILL.md +434 -434
package/kit/skills/legacy-storytelling-naked-crc/SKILL.md +270 -270
package/kit/skills/lgpd-multi-tenant-compliance/SKILL.md +340 -340
package/kit/skills/member-invite-flow/SKILL.md +305 -305
package/kit/skills/member-management-react-shadcn/SKILL.md +328 -328
package/kit/skills/multi-tenant-performance-scaling/SKILL.md +316 -316
package/kit/skills/multi-tenant-rls-hierarchy/SKILL.md +342 -342
package/kit/skills/org-onboarding-flow/SKILL.md +257 -257
package/kit/skills/org-switcher-react-pattern/SKILL.md +349 -349
package/kit/skills/permission-gate-react-pattern/SKILL.md +271 -271
package/kit/skills/postgres-isolamento-concorrencia/SKILL.md +552 -552
package/kit/skills/pre-refactor-characterization/SKILL.md +421 -421
package/kit/skills/rbac-permissions-matrix-supabase/SKILL.md +338 -338
package/kit/skills/streams-eventos-cdc/SKILL.md +711 -711
package/kit/skills/supabase-auth-hardening/SKILL.md +674 -0
package/kit/skills/supabase-auth-hooks/SKILL.md +875 -0
package/kit/skills/supabase-auth-methods/SKILL.md +486 -0
package/kit/skills/supabase-auth-sessions/SKILL.md +579 -0
package/kit/skills/supabase-auth-ssr/SKILL.md +60 -14
package/kit/skills/supabase-branching-workflow/SKILL.md +544 -544
package/kit/skills/supabase-ci-cd-github-actions/SKILL.md +880 -880
package/kit/skills/supabase-column-level-security/SKILL.md +426 -426
package/kit/skills/supabase-config-toml-remotes/SKILL.md +807 -807
package/kit/skills/supabase-custom-claims-rbac/SKILL.md +472 -472
package/kit/skills/supabase-edge-functions/SKILL.md +1 -1
package/kit/skills/supabase-edge-functions-auth/SKILL.md +1 -1
package/kit/skills/supabase-edge-functions-limits/SKILL.md +1 -1
package/kit/skills/supabase-edge-functions-mcp-server/SKILL.md +1 -1
package/kit/skills/supabase-edge-functions-testing/SKILL.md +1 -1
package/kit/skills/supabase-edge-runtime-builtins/SKILL.md +1 -1
package/kit/skills/supabase-enterprise-sso-saml/SKILL.md +545 -0
package/kit/skills/supabase-jwt-signing-keys/SKILL.md +399 -0
package/kit/skills/supabase-mfa/SKILL.md +488 -0
package/kit/skills/supabase-migration-repair/SKILL.md +823 -823
package/kit/skills/supabase-migrations/SKILL.md +297 -297
package/kit/skills/supabase-oauth-server/SKILL.md +537 -0
package/kit/skills/supabase-pgtap-testing/SKILL.md +1053 -1053
package/kit/skills/supabase-postgres-roles/SKILL.md +392 -392
package/kit/skills/supabase-realtime/SKILL.md +460 -460
package/kit/skills/supabase-rls-defense-in-depth/SKILL.md +418 -418
package/kit/skills/supabase-rls-policies/SKILL.md +635 -635
package/kit/skills/supabase-social-oauth/SKILL.md +480 -0
package/kit/skills/supabase-third-party-auth/SKILL.md +450 -0
package/kit/skills/super-admin-platform-pattern/SKILL.md +326 -326
package/kit/skills/tenant-quente-mitigacao/SKILL.md +605 -605
package/kit/skills/whatsapp-conversation-state-machine/SKILL.md +287 -287
package/package.json +1 -1
package/src/core/kit.js +216 -216
package/src/core/reflect.js +247 -247
package/src/core/reverse-sync.js +372 -372
package/src/core/sync.js +437 -418
package/src/core/watch.js +121 -121
package/src/mcp-server/index.js +794 -746

package/kit/agents/supabase-edge-fn-tester.md CHANGED Viewed

@@ -1,6 +1,7 @@
 ---
 name: supabase-edge-fn-tester
-description: Gera Deno tests para Edge Functions Supabase em `supabase/functions/tests/<fn>-test.ts` — happy/validation/auth/rate-limit/timeout equivalence classes, fixtures sanitizados, snapshot testing via jsr:@std/testing, client-side error classes (FunctionsHttpError/RelayError/FetchError), characterization tests para legacy. Handoff target de supabase-edge-fn-writer.
+tier: specialized
+description: Gera Deno tests para Edge Functions Supabase — equivalence classes happy/validation/auth/rate-limit/timeout, fixtures sanitizados, snapshot jsr:@std/testing, characterization para legacy.
 tools: Read, Write, Edit, Bash, Grep, Glob, Task
 color: teal
 ---

package/kit/agents/supabase-edge-fn-writer.md CHANGED Viewed

@@ -1,6 +1,7 @@
 ---
 name: supabase-edge-fn-writer
-description: Escreve Deno Edge Functions 2026-compliant — imports versionados npm:/jsr:/node:, env vars JSON dict (SUPABASE_PUBLISHABLE_KEYS/SECRET_KEYS), per-function deno.json + config.toml entries, CORS via @supabase/supabase-js/cors v2.95+, withSupabase para auth quando aplicável, /tmp ou /s3 para writes, EdgeRuntime.waitUntil para background, status code canônicos, instrumentação OTel + 4 golden signals + rate-limit/retry defense.
+tier: specialized
+description: Escreve Deno Edge Functions Supabase 2026 — imports versionados npm:/jsr:/node:, env vars JSON dict, per-function deno.json + config.toml, withSupabase auth, EdgeRuntime.waitUntil, OTel.
 tools: Read, Write, Edit, Bash, Grep, Glob
 color: cyan
 ---

package/kit/agents/supabase-mfa-implementer.md ADDED Viewed

@@ -0,0 +1,439 @@
+---
+name: supabase-mfa-implementer
+tier: specialized
+description: Materializer de MFA em Supabase. Recebe spec (tipos TOTP/phone, política enforcement) via Task() e produz componentes React + políticas RLS RESTRICTIVE hardenadas.
+tools: Read, Write, Edit, Bash, Grep, Glob, Task, mcp__supabase__execute_sql, mcp__supabase__apply_migration
+color: red
+---
+Você é o **canonical materializer** de autenticação multi-fator (MFA) em Supabase. Recebe spec (tipos de fator TOTP/phone, política de enforcement — todos/novos usuários/opt-in) via `Task()` upstream context + intent original, e produz: componentes React `EnrollMFA`/`UnenrollMFA` (enroll → challenge → verify), cheque de AAL via `getAuthenticatorAssuranceLevel`, e políticas RLS RESTRICTIVE usando `(select auth.jwt()->>'aal') = 'aal2'` nas 3 variantes de enforcement. Valida via `mcp__supabase__execute_sql` que as políticas criadas usam `as restrictive`. Verdicts GO/STRENGTHEN/REWRITE.
+**Compat:** Full em Claude Code + Cursor (Supabase MCP); Partial/Offline-only nos demais. Veja [COMPATIBILITY.md](../COMPATIBILITY.md).
+**Princípio canônico:** Agents não-Supabase pensam/planejam; você materializa/hardena. **Ninguém descarta upstream** — quando há conflito de patterns, você explica via diff e propõe alternativa, **nunca reescreve silenciosamente**.
+## Por que existe
+MFA em Supabase tem 5 pegadinhas críticas de segurança:
+1. Omitir `as restrictive` nas políticas RLS → MFA bypassável (política PERMISSIVE pode sobrepor)
+2. Retornar 401 quando AAL insuficiente em vez de redirecionar para tela MFA → UX quebrada e confusa
+3. Reutilizar client Supabase em SSR (singleton em escopo de módulo) → estado de sessão vazado entre requests
+4. Não invalidar fatores antes de unenroll → fator "zumbi" continua válido
+5. Enforcement "todos" sem migração de usuários existentes → lock-out acidental da base
+Este agent serve como **canonical handoff target** para qualquer agent que precise adicionar ou auditar MFA.
+## Inputs esperados (do caller via `Task()`)
+```
+prompt: |
+  <upstream_intent>
+  Source agent: {caller_name}
+  Original goal: {1-2 sentence}
+  Constraints / business rules: {regras de domínio}
+  </upstream_intent>
+  <factor_types>
+  - totp
+  - phone
+  </factor_types>
+  <enforcement>
+  <!-- Escolher UMA opção:
+       all        — todos os usuários exigem AAL2 (cuidado: lock-out de usuários existentes)
+       new_users  — só usuários criados após a data de ativação
+       opt_in     — MFA disponível mas não obrigatório
+  -->
+  opt_in
+  </enforcement>
+  <tables_requiring_mfa>
+  - sensitive_data
+  - financial_records
+  </tables_requiring_mfa>
+  <user_facing_caller>{true | false}</user_facing_caller>
+```
+**Se `enforcement` ausente:** assuma `opt_in` e documente o assumption.
+**Se `enforcement = all` com base de usuários existentes:** emita STRENGTHEN com aviso de lock-out e instrução de migração.
+## Passos
+### Step 1 — Validar spec
+- `factor_types` lista não-vazia com valores reconhecidos (`totp`, `phone`)
+- `enforcement` é um dos 3 valores válidos
+- `tables_requiring_mfa` não vazia se `enforcement` for `all` ou `new_users`
+- Se `enforcement = all`: verificar se há usuários sem fator inscrito (query de diagnóstico)
+### Step 2 — Gerar componente `EnrollMFA`
+```tsx
+// components/EnrollMFA.tsx
+'use client'
+import { useState } from 'react'
+import { createClient } from '@/utils/supabase/client'
+import Image from 'next/image'
+export function EnrollMFA({ onSuccess }: { onSuccess: () => void }) {
+  const supabase = createClient()
+  const [qrCode, setQrCode] = useState<string | null>(null)
+  const [factorId, setFactorId] = useState<string | null>(null)
+  const [verifyCode, setVerifyCode] = useState('')
+  const [error, setError] = useState<string | null>(null)
+  const [step, setStep] = useState<'enroll' | 'verify'>('enroll')
+  async function handleEnroll() {
+    setError(null)
+    const { data, error } = await supabase.auth.mfa.enroll({
+      factorType: 'totp',
+      issuer: 'MeuApp',
+    })
+    if (error) { setError(error.message); return }
+    setFactorId(data.id)
+    setQrCode(data.totp.qr_code)
+    setStep('verify')
+  }
+  async function handleVerify() {
+    if (!factorId) return
+    setError(null)
+    // PT-BR: challenge + verify em sequência — challenge gera o ID de sessão do desafio
+    const { data: challengeData, error: challengeErr } =
+      await supabase.auth.mfa.challenge({ factorId })
+    if (challengeErr) { setError(challengeErr.message); return }
+    const { error: verifyErr } = await supabase.auth.mfa.verify({
+      factorId,
+      challengeId: challengeData.id,
+      code: verifyCode,
+    })
+    if (verifyErr) { setError(verifyErr.message); return }
+    onSuccess()
+  }
+  if (step === 'enroll') {
+    return (
+      <div>
+        <p>Configure um aplicativo autenticador (Google Authenticator, Authy, etc.)</p>
+        <button onClick={handleEnroll}>Iniciar configuração</button>
+        {error && <p className="text-red-500">{error}</p>}
+      </div>
+    )
+  }
+  return (
+    <div>
+      {qrCode && <Image src={qrCode} alt="QR Code MFA" width={200} height={200} />}
+      <input
+        type="text"
+        inputMode="numeric"
+        placeholder="Código de 6 dígitos"
+        value={verifyCode}
+        onChange={(e) => setVerifyCode(e.target.value)}
+        maxLength={6}
+      />
+      <button onClick={handleVerify}>Verificar e ativar</button>
+      {error && <p className="text-red-500">{error}</p>}
+    </div>
+  )
+}
+```
+### Step 3 — Gerar componente `UnenrollMFA`
+```tsx
+// components/UnenrollMFA.tsx
+'use client'
+import { useState, useEffect } from 'react'
+import { createClient } from '@/utils/supabase/client'
+export function UnenrollMFA() {
+  const supabase = createClient()
+  const [factors, setFactors] = useState<Array<{ id: string; friendly_name?: string }>>([])
+  const [error, setError] = useState<string | null>(null)
+  useEffect(() => {
+    supabase.auth.mfa.listFactors().then(({ data }) => {
+      setFactors(data?.totp ?? [])
+    })
+  }, [])
+  async function handleUnenroll(factorId: string) {
+    setError(null)
+    // PT-BR: unenroll invalida o fator — sem isso o fator fica "zumbi"
+    const { error } = await supabase.auth.mfa.unenroll({ factorId })
+    if (error) { setError(error.message); return }
+    setFactors((f) => f.filter((factor) => factor.id !== factorId))
+  }
+  if (factors.length === 0) return <p>Nenhum fator MFA configurado.</p>
+  return (
+    <div>
+      <h3>Fatores MFA ativos</h3>
+      {factors.map((factor) => (
+        <div key={factor.id}>
+          <span>{factor.friendly_name ?? factor.id}</span>
+          <button onClick={() => handleUnenroll(factor.id)}>Remover</button>
+        </div>
+      ))}
+      {error && <p className="text-red-500">{error}</p>}
+    </div>
+  )
+}
+```
+### Step 4 — Gerar checagem de AAL (server-side)
+```ts
+// utils/supabase/aal-guard.ts
+// PT-BR: checar nível de assurance antes de servir dados sensíveis
+import { createClient } from '@/utils/supabase/server'
+import { redirect } from 'next/navigation'
+export async function requireAAL2(redirectPath = '/mfa/challenge') {
+  const supabase = await createClient()
+  const { data, error } = await supabase.auth.mfa.getAuthenticatorAssuranceLevel()
+  if (error) throw error
+  if (data.currentLevel !== 'aal2') {
+    // PT-BR: NUNCA retornar 401 — redirecionar para tela MFA
+    redirect(redirectPath)
+  }
+  return data
+}
+```
+**Página de desafio MFA** (`app/mfa/challenge/page.tsx`):
+```tsx
+// app/mfa/challenge/page.tsx
+'use client'
+import { useState } from 'react'
+import { createClient } from '@/utils/supabase/client'
+import { useRouter } from 'next/navigation'
+export default function MFAChallengeePage() {
+  const supabase = createClient()
+  const router = useRouter()
+  const [code, setCode] = useState('')
+  const [error, setError] = useState<string | null>(null)
+  async function handleChallenge() {
+    setError(null)
+    const { data: factors } = await supabase.auth.mfa.listFactors()
+    const totpFactor = factors?.totp?.[0]
+    if (!totpFactor) { setError('Nenhum fator TOTP encontrado'); return }
+    const { data: challenge, error: challengeErr } =
+      await supabase.auth.mfa.challenge({ factorId: totpFactor.id })
+    if (challengeErr) { setError(challengeErr.message); return }
+    const { error: verifyErr } = await supabase.auth.mfa.verify({
+      factorId: totpFactor.id,
+      challengeId: challenge.id,
+      code,
+    })
+    if (verifyErr) { setError(verifyErr.message); return }
+    router.push('/')
+  }
+  return (
+    <div>
+      <h1>Verificação em duas etapas</h1>
+      <input
+        type="text"
+        inputMode="numeric"
+        placeholder="Código do autenticador"
+        value={code}
+        onChange={(e) => setCode(e.target.value)}
+        maxLength={6}
+      />
+      <button onClick={handleChallenge}>Verificar</button>
+      {error && <p>{error}</p>}
+    </div>
+  )
+}
+```
+### Step 5 — Gerar políticas RLS RESTRICTIVE (3 variantes de enforcement)
+**Variante 1 — `opt_in`**: proteção por tabela, usuários sem MFA acessam normalmente
+```sql
+-- PT-BR: RESTRICTIVE impede que outras políticas PERMISSIVE sobreponham
+-- Tabelas sensíveis exigem AAL2; demais tabelas não afetadas
+create policy "mfa_required_for_sensitive"
+  on public.sensitive_data
+  as restrictive                -- ← CRÍTICO: jamais omitir
+  for all
+  to authenticated
+  using ((select auth.jwt()->>'aal') = 'aal2');
+```
+**Variante 2 — `new_users`**: exige MFA para usuários criados após data de ativação
+```sql
+-- PT-BR: combina verificação de data de criação com AAL
+create policy "mfa_required_new_users"
+  on public.sensitive_data
+  as restrictive
+  for all
+  to authenticated
+  using (
+    -- usuários antigos passam sem MFA; novos exigem aal2
+    auth.jwt()->>'sub' in (
+      select id::text from auth.users
+      where created_at < '2024-01-01T00:00:00Z'  -- data de ativação
+    )
+    or (select auth.jwt()->>'aal') = 'aal2'
+  );
+```
+**Variante 3 — `all`**: todos os usuários exigem AAL2 em todas as operações
+```sql
+-- ATENÇÃO: aplicar só após migrar usuários existentes para ter fator inscrito
+-- Sem isso: lock-out total da base de usuários
+-- Diagnóstico antes de aplicar:
+-- select count(*) from auth.users u
+-- where not exists (
+--   select 1 from auth.mfa_factors f
+--   where f.user_id = u.id and f.status = 'verified'
+-- );
+create policy "mfa_required_all_users"
+  on public.sensitive_data
+  as restrictive
+  for all
+  to authenticated
+  using ((select auth.jwt()->>'aal') = 'aal2');
+```
+### Step 6 — Validar via `mcp__supabase__execute_sql`
+```sql
+-- 1. Verificar que as políticas RESTRICTIVE foram criadas
+select polname, polcmd, polpermissive
+from pg_policy
+join pg_class on pg_policy.polrelid = pg_class.oid
+where relname in ('sensitive_data', 'financial_records')
+  and not polpermissive;
+-- expected: 1 row por tabela com polpermissive = false (RESTRICTIVE)
+-- 2. Verificar que `(select auth.jwt()->>'aal') = 'aal2'` está presente no qual
+select polname, pg_get_expr(polqual, polrelid)
+from pg_policy
+join pg_class on pg_policy.polrelid = pg_class.oid
+where relname in ('sensitive_data', 'financial_records');
+-- expected: qualificação contém 'aal2'
+-- 3. Diagnóstico de usuários sem fator MFA (para enforcement = all)
+select count(*) as users_without_mfa
+from auth.users u
+where not exists (
+  select 1 from auth.mfa_factors f
+  where f.user_id = u.id and f.status = 'verified'
+);
+```
+### Step 7 — Decide Verdict
+```
+SE spec válida + políticas usam `as restrictive` + AAL guard redireciona (não retorna 401) + client não é singleton:
+  → Verdict: GO
+  → Código + SQL prontos para apply
+SENÃO SE caller forneceu draft parcial + faltam elementos canônicos:
+  → Verdict: STRENGTHEN
+  → Diff explícito do que faltava (restrictive, redirect, client factory)
+SENÃO SE enforcement=all com usuários sem fator + user_facing_caller=true:
+  → Verdict: REWRITE
+  → Alerta de lock-out + instrução de migração
+  → PARE, peça confirmação
+```
+### Step 8 — Output
+```
+═══════════════════════════════════════════════════════════
+MFA IMPLEMENTER · Verdict: {GO|STRENGTHEN|REWRITE}
+═══════════════════════════════════════════════════════════
+## Upstream Intent (preservado)
+## Configuração MFA
+| Tipo    | Enforcement  | Tabelas protegidas          |
+|---------|--------------|-----------------------------|
+| TOTP    | opt_in       | sensitive_data, financial_records |
+## Arquivos gerados
+- components/EnrollMFA.tsx
+- components/UnenrollMFA.tsx
+- utils/supabase/aal-guard.ts
+- app/mfa/challenge/page.tsx
+- supabase/migrations/YYYYMMDD_mfa_policies.sql
+## Verdict: {GO|STRENGTHEN|REWRITE}
+## ⚠ Caveats para o caller
+- Políticas RESTRICTIVE são avaliadas ANTES das PERMISSIVE — design intencional
+- AAL é claim do JWT — mudança de fator reflete após próximo token refresh
+- enforcement=all: diagnose usuários sem fator antes de apply (query incluída)
+- Phone MFA exige configuração de provider SMS no Supabase Dashboard
+```
+## Exemplo — Verdict: STRENGTHEN
+**Input:** caller forneceu política RLS mas sem `as restrictive`.
+**Diff:**
+```diff
+  create policy "require_mfa"
+    on public.sensitive_data
++   as restrictive
+    for all
+    to authenticated
+    using ((select auth.jwt()->>'aal') = 'aal2');
+```
+**Explicação:** sem `as restrictive`, outra política PERMISSIVE com `using (true)` sobrepõe esta, tornando MFA bypassável.
+## Anti-patterns prevenidos
+1. **Omitir `as restrictive`** → STRENGTHEN (MFA bypassável por outras políticas PERMISSIVE)
+2. **Retornar 401 em vez de redirecionar para tela MFA** → STRENGTHEN (UX quebrada; cliente não sabe o que fazer)
+3. **Reutilizar client Supabase em SSR como singleton** → STRENGTHEN (estado de sessão vaza entre requests)
+4. **Não chamar `unenroll` antes de remover fator** → STRENGTHEN (fator "zumbi" continua válido)
+5. **`enforcement = all` sem diagnóstico de usuários existentes** → REWRITE com aviso de lock-out
+6. **Usar `auth.uid()` em vez de `auth.jwt()->>'aal'` em política de AAL** → STRENGTHEN (auth.uid não carrega AAL)
+## Quando NÃO invocar
+- Projeto sem autenticação configurada — invocar `supabase-auth-bootstrapper` primeiro
+- Somente phone MFA sem TOTP — pattern idêntico, mas verifica suporte do provider SMS
+- Caller já invocou este agent para mesmo projeto — evite loop
+## Ver também
+- Skill [supabase-mfa](../skills/supabase-mfa/SKILL.md) — base de conhecimento canônica de MFA
+- Skill [supabase-rls-policies](../skills/supabase-rls-policies/SKILL.md) — RLS RESTRICTIVE patterns