@luanpdd/kit-mcp 1.32.0 → 1.34.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (376) hide show
  1. package/LICENSE +21 -21
  2. package/README.md +168 -168
  3. package/gates/agent-no-recursive-dispatch.md +84 -84
  4. package/kit/COMANDOS.md +138 -138
  5. package/kit/COMPATIBILITY.md +70 -70
  6. package/kit/README.md +76 -76
  7. package/kit/agents/advisor-researcher.md +109 -109
  8. package/kit/agents/ai-mutation-tester.md +289 -289
  9. package/kit/agents/assumptions-analyzer.md +110 -110
  10. package/kit/agents/audit-log-implementer.md +314 -314
  11. package/kit/agents/auditor-consistencia-isolamento.md +414 -414
  12. package/kit/agents/b2b-saas-architect.md +157 -157
  13. package/kit/agents/burn-rate-forecaster.md +153 -153
  14. package/kit/agents/cascading-failures-auditor.md +299 -299
  15. package/kit/agents/codebase-mapper.md +769 -769
  16. package/kit/agents/crm-pipeline-implementer.md +257 -257
  17. package/kit/agents/debugger.md +814 -814
  18. package/kit/agents/designer-ui.md +216 -0
  19. package/kit/agents/detector-tenant-quente.md +338 -338
  20. package/kit/agents/evolution-go-integrator.md +201 -201
  21. package/kit/agents/example-reviewer.md +22 -22
  22. package/kit/agents/executor.md +565 -565
  23. package/kit/agents/golden-signals-instrumenter.md +232 -232
  24. package/kit/agents/incident-investigator.md +238 -238
  25. package/kit/agents/integration-checker.md +203 -203
  26. package/kit/agents/invite-flow-implementer.md +190 -190
  27. package/kit/agents/legacy-characterizer.md +369 -369
  28. package/kit/agents/lgpd-compliance-auditor.md +296 -296
  29. package/kit/agents/load-shedding-instrumenter.md +290 -290
  30. package/kit/agents/multi-tenant-isolation-auditor.md +254 -254
  31. package/kit/agents/multi-tenant-rls-writer.md +341 -341
  32. package/kit/agents/nyquist-auditor.md +181 -181
  33. package/kit/agents/observability-coverage-auditor.md +316 -316
  34. package/kit/agents/observability-instrumenter.md +191 -191
  35. package/kit/agents/omm-auditor.md +291 -291
  36. package/kit/agents/org-onboarding-implementer.md +224 -224
  37. package/kit/agents/payload-capture-instrumenter.md +274 -274
  38. package/kit/agents/phase-researcher.md +697 -697
  39. package/kit/agents/plan-checker.md +275 -275
  40. package/kit/agents/planner.md +923 -923
  41. package/kit/agents/postmortem-writer.md +273 -273
  42. package/kit/agents/project-researcher.md +653 -653
  43. package/kit/agents/prr-conductor.md +287 -287
  44. package/kit/agents/refactor-safety-auditor.md +405 -405
  45. package/kit/agents/release-pipeline-auditor.md +364 -364
  46. package/kit/agents/research-synthesizer.md +246 -246
  47. package/kit/agents/roadmapper.md +678 -678
  48. package/kit/agents/schema-checker.md +160 -160
  49. package/kit/agents/seam-finder.md +360 -360
  50. package/kit/agents/shotgun-surgery-detector.md +350 -350
  51. package/kit/agents/slo-engineer.md +217 -217
  52. package/kit/agents/storytelling-analyst.md +300 -300
  53. package/kit/agents/supabase-architect.md +249 -249
  54. package/kit/agents/supabase-auth-bootstrapper.md +400 -400
  55. package/kit/agents/supabase-auth-hook-writer.md +418 -418
  56. package/kit/agents/supabase-branching-architect.md +563 -563
  57. package/kit/agents/supabase-cicd-pipeline-implementer.md +778 -778
  58. package/kit/agents/supabase-column-privileges-writer.md +400 -400
  59. package/kit/agents/supabase-edge-fn-tester.md +288 -288
  60. package/kit/agents/supabase-edge-fn-writer.md +341 -341
  61. package/kit/agents/supabase-mfa-implementer.md +439 -439
  62. package/kit/agents/supabase-migration-writer.md +386 -386
  63. package/kit/agents/supabase-oauth-server-implementer.md +507 -507
  64. package/kit/agents/supabase-rbac-implementer.md +393 -393
  65. package/kit/agents/supabase-realtime-implementer.md +364 -364
  66. package/kit/agents/supabase-rls-hardener.md +522 -522
  67. package/kit/agents/supabase-rls-writer.md +324 -324
  68. package/kit/agents/supabase-roles-implementer.md +356 -356
  69. package/kit/agents/supabase-social-auth-implementer.md +451 -451
  70. package/kit/agents/supabase-sso-saml-architect.md +549 -549
  71. package/kit/agents/supabase-storage-implementer.md +407 -407
  72. package/kit/agents/super-admin-implementer.md +282 -282
  73. package/kit/agents/toil-auditor.md +268 -268
  74. package/kit/agents/ui-auditor.md +438 -438
  75. package/kit/agents/ui-checker.md +305 -305
  76. package/kit/agents/ui-researcher.md +356 -356
  77. package/kit/agents/user-profiler.md +176 -176
  78. package/kit/agents/validador-evolucao-schema.md +336 -336
  79. package/kit/agents/verifier.md +729 -729
  80. package/kit/commands/adicionar-backlog.md +75 -75
  81. package/kit/commands/adicionar-fase.md +42 -42
  82. package/kit/commands/adicionar-tarefa.md +45 -45
  83. package/kit/commands/adicionar-testes.md +41 -41
  84. package/kit/commands/ajuda.md +21 -21
  85. package/kit/commands/atualizar.md +37 -37
  86. package/kit/commands/auditar-cascading.md +111 -111
  87. package/kit/commands/auditar-marco.md +179 -179
  88. package/kit/commands/auditar-observabilidade-cobertura-workflow.md +121 -0
  89. package/kit/commands/auditar-observabilidade-cobertura.md +183 -183
  90. package/kit/commands/auditar-refactor.md +219 -219
  91. package/kit/commands/auditar-release.md +109 -109
  92. package/kit/commands/auditar-uat.md +23 -23
  93. package/kit/commands/autonomo.md +40 -40
  94. package/kit/commands/branch-pr.md +24 -24
  95. package/kit/commands/burn-rate-status.md +408 -408
  96. package/kit/commands/capturar-payloads.md +193 -193
  97. package/kit/commands/caracterizar.md +212 -212
  98. package/kit/commands/concluir-marco.md +247 -247
  99. package/kit/commands/configuracoes.md +36 -36
  100. package/kit/commands/dados-distribuidos.md +188 -188
  101. package/kit/commands/definir-perfil.md +10 -10
  102. package/kit/commands/depurar.md +190 -190
  103. package/kit/commands/detectar-duplicacao.md +197 -197
  104. package/kit/commands/discutir-fase.md +131 -131
  105. package/kit/commands/encontrar-seams.md +136 -136
  106. package/kit/commands/entrar-discord.md +17 -17
  107. package/kit/commands/estatisticas.md +18 -18
  108. package/kit/commands/example-greeting.md +33 -33
  109. package/kit/commands/executar-fase.md +58 -58
  110. package/kit/commands/expresso.md +56 -56
  111. package/kit/commands/fase-ui.md +34 -34
  112. package/kit/commands/fazer.md +57 -57
  113. package/kit/commands/fio.md +125 -125
  114. package/kit/commands/fluxos-trabalho.md +64 -64
  115. package/kit/commands/forense.md +176 -176
  116. package/kit/commands/gerenciador.md +38 -38
  117. package/kit/commands/inserir-fase.md +31 -31
  118. package/kit/commands/legacy.md +263 -263
  119. package/kit/commands/limpeza.md +17 -17
  120. package/kit/commands/listar-hipoteses-fase.md +45 -45
  121. package/kit/commands/listar-workspaces.md +18 -18
  122. package/kit/commands/load-shedding.md +117 -117
  123. package/kit/commands/mapear-codebase.md +70 -70
  124. package/kit/commands/multi-tenant.md +163 -163
  125. package/kit/commands/nota.md +33 -33
  126. package/kit/commands/novo-marco.md +43 -43
  127. package/kit/commands/novo-projeto.md +41 -41
  128. package/kit/commands/novo-workspace.md +43 -43
  129. package/kit/commands/pausar-trabalho.md +37 -37
  130. package/kit/commands/perfil-usuario.md +45 -45
  131. package/kit/commands/pesquisar-fase.md +195 -195
  132. package/kit/commands/planejar-fase.md +67 -67
  133. package/kit/commands/planejar-lacunas.md +33 -33
  134. package/kit/commands/plantar-ideia.md +25 -25
  135. package/kit/commands/progresso.md +24 -24
  136. package/kit/commands/proximo.md +30 -30
  137. package/kit/commands/publicar.md +490 -490
  138. package/kit/commands/rapido.md +35 -35
  139. package/kit/commands/reaplicar-patches.md +124 -124
  140. package/kit/commands/refactor-seguro.md +321 -321
  141. package/kit/commands/relatorio-sessao.md +19 -19
  142. package/kit/commands/remover-fase.md +31 -31
  143. package/kit/commands/remover-workspace.md +26 -26
  144. package/kit/commands/resumo-marco.md +50 -50
  145. package/kit/commands/retomar-trabalho.md +40 -40
  146. package/kit/commands/revisar-backlog.md +60 -60
  147. package/kit/commands/revisar-ui.md +32 -32
  148. package/kit/commands/revisar.md +37 -37
  149. package/kit/commands/saude.md +21 -21
  150. package/kit/commands/setup-notion.md +93 -93
  151. package/kit/commands/storytelling.md +179 -179
  152. package/kit/commands/supabase.md +238 -238
  153. package/kit/commands/sync-main.md +68 -68
  154. package/kit/commands/validar-fase.md +35 -35
  155. package/kit/commands/verificar-tarefas.md +44 -44
  156. package/kit/commands/verificar-trabalho.md +64 -64
  157. package/kit/file-manifest.json +13 -3
  158. package/kit/framework/bin/lib/commands.cjs +959 -959
  159. package/kit/framework/bin/lib/config.cjs +442 -442
  160. package/kit/framework/bin/lib/core.cjs +1230 -1230
  161. package/kit/framework/bin/lib/frontmatter.cjs +336 -336
  162. package/kit/framework/bin/lib/init.cjs +1442 -1442
  163. package/kit/framework/bin/lib/milestone.cjs +252 -252
  164. package/kit/framework/bin/lib/model-profiles.cjs +68 -68
  165. package/kit/framework/bin/lib/phase.cjs +888 -888
  166. package/kit/framework/bin/lib/profile-output.cjs +952 -952
  167. package/kit/framework/bin/lib/profile-pipeline.cjs +539 -539
  168. package/kit/framework/bin/lib/roadmap.cjs +329 -329
  169. package/kit/framework/bin/lib/security.cjs +382 -382
  170. package/kit/framework/bin/lib/state.cjs +1031 -1031
  171. package/kit/framework/bin/lib/template.cjs +222 -222
  172. package/kit/framework/bin/lib/uat.cjs +282 -282
  173. package/kit/framework/bin/lib/verify.cjs +888 -888
  174. package/kit/framework/bin/lib/workstream.cjs +491 -491
  175. package/kit/framework/bin/tools.cjs +918 -918
  176. package/kit/framework/commands/workstreams.md +63 -63
  177. package/kit/framework/references/checkpoints.md +778 -778
  178. package/kit/framework/references/continuation-format.md +249 -249
  179. package/kit/framework/references/decimal-phase-calculation.md +64 -64
  180. package/kit/framework/references/git-integration.md +295 -295
  181. package/kit/framework/references/git-planning-commit.md +38 -38
  182. package/kit/framework/references/model-profile-resolution.md +36 -36
  183. package/kit/framework/references/model-profiles.md +139 -139
  184. package/kit/framework/references/phase-argument-parsing.md +61 -61
  185. package/kit/framework/references/planning-config.md +202 -202
  186. package/kit/framework/references/questioning.md +162 -162
  187. package/kit/framework/references/tdd.md +263 -263
  188. package/kit/framework/references/ui-brand.md +160 -160
  189. package/kit/framework/references/user-profiling.md +657 -657
  190. package/kit/framework/references/verification-patterns.md +612 -612
  191. package/kit/framework/references/workstream-flag.md +58 -58
  192. package/kit/framework/templates/DEBUG.md +164 -164
  193. package/kit/framework/templates/UAT.md +265 -265
  194. package/kit/framework/templates/UI-SPEC.md +100 -100
  195. package/kit/framework/templates/VALIDATION.md +76 -76
  196. package/kit/framework/templates/claude-md.md +122 -122
  197. package/kit/framework/templates/codebase/architecture.md +185 -185
  198. package/kit/framework/templates/codebase/concerns.md +205 -205
  199. package/kit/framework/templates/codebase/conventions.md +204 -204
  200. package/kit/framework/templates/codebase/integrations.md +192 -192
  201. package/kit/framework/templates/codebase/stack.md +158 -158
  202. package/kit/framework/templates/codebase/structure.md +199 -199
  203. package/kit/framework/templates/codebase/testing.md +301 -301
  204. package/kit/framework/templates/config.json +44 -44
  205. package/kit/framework/templates/context.md +352 -352
  206. package/kit/framework/templates/continue-here.md +78 -78
  207. package/kit/framework/templates/copilot-instructions.md +7 -7
  208. package/kit/framework/templates/debug-subagent-prompt.md +91 -91
  209. package/kit/framework/templates/dev-preferences.md +20 -20
  210. package/kit/framework/templates/discovery.md +146 -146
  211. package/kit/framework/templates/discussion-log.md +63 -63
  212. package/kit/framework/templates/milestone-archive.md +123 -123
  213. package/kit/framework/templates/milestone.md +115 -115
  214. package/kit/framework/templates/phase-prompt.md +610 -610
  215. package/kit/framework/templates/planner-subagent-prompt.md +117 -117
  216. package/kit/framework/templates/project.md +186 -186
  217. package/kit/framework/templates/requirements.md +231 -231
  218. package/kit/framework/templates/research-project/ARCHITECTURE.md +204 -204
  219. package/kit/framework/templates/research-project/FEATURES.md +147 -147
  220. package/kit/framework/templates/research-project/PITFALLS.md +200 -200
  221. package/kit/framework/templates/research-project/STACK.md +120 -120
  222. package/kit/framework/templates/research-project/SUMMARY.md +170 -170
  223. package/kit/framework/templates/research.md +419 -419
  224. package/kit/framework/templates/retrospective.md +54 -54
  225. package/kit/framework/templates/roadmap.md +202 -202
  226. package/kit/framework/templates/state.md +176 -176
  227. package/kit/framework/templates/summary-complex.md +59 -59
  228. package/kit/framework/templates/summary-minimal.md +41 -41
  229. package/kit/framework/templates/summary-standard.md +48 -48
  230. package/kit/framework/templates/summary.md +209 -209
  231. package/kit/framework/templates/user-profile.md +146 -146
  232. package/kit/framework/templates/user-setup.md +256 -256
  233. package/kit/framework/templates/verification-report.md +258 -258
  234. package/kit/framework/workflows/add-phase.md +112 -112
  235. package/kit/framework/workflows/add-tests.md +351 -351
  236. package/kit/framework/workflows/add-todo.md +158 -158
  237. package/kit/framework/workflows/audit-milestone.md +340 -340
  238. package/kit/framework/workflows/audit-uat.md +109 -109
  239. package/kit/framework/workflows/autonomous.md +891 -891
  240. package/kit/framework/workflows/check-todos.md +177 -177
  241. package/kit/framework/workflows/cleanup.md +152 -152
  242. package/kit/framework/workflows/complete-milestone.md +696 -696
  243. package/kit/framework/workflows/diagnose-issues.md +231 -231
  244. package/kit/framework/workflows/discovery-phase.md +289 -289
  245. package/kit/framework/workflows/discuss-phase-assumptions.md +653 -653
  246. package/kit/framework/workflows/discuss-phase.md +784 -784
  247. package/kit/framework/workflows/do.md +104 -104
  248. package/kit/framework/workflows/execute-phase.md +838 -838
  249. package/kit/framework/workflows/execute-plan.md +510 -510
  250. package/kit/framework/workflows/fast.md +102 -102
  251. package/kit/framework/workflows/forensics.md +265 -265
  252. package/kit/framework/workflows/health.md +181 -181
  253. package/kit/framework/workflows/help.md +619 -619
  254. package/kit/framework/workflows/insert-phase.md +130 -130
  255. package/kit/framework/workflows/list-phase-assumptions.md +178 -178
  256. package/kit/framework/workflows/list-workspaces.md +56 -56
  257. package/kit/framework/workflows/manager.md +362 -362
  258. package/kit/framework/workflows/map-codebase.md +377 -377
  259. package/kit/framework/workflows/milestone-summary.md +223 -223
  260. package/kit/framework/workflows/new-milestone.md +486 -486
  261. package/kit/framework/workflows/new-project.md +1159 -1159
  262. package/kit/framework/workflows/new-workspace.md +237 -237
  263. package/kit/framework/workflows/next.md +97 -97
  264. package/kit/framework/workflows/node-repair.md +92 -92
  265. package/kit/framework/workflows/note.md +156 -156
  266. package/kit/framework/workflows/pause-work.md +176 -176
  267. package/kit/framework/workflows/plan-milestone-gaps.md +273 -273
  268. package/kit/framework/workflows/plan-phase.md +765 -765
  269. package/kit/framework/workflows/plant-seed.md +169 -169
  270. package/kit/framework/workflows/pr-branch.md +129 -129
  271. package/kit/framework/workflows/profile-user.md +450 -450
  272. package/kit/framework/workflows/progress.md +507 -507
  273. package/kit/framework/workflows/quick.md +757 -757
  274. package/kit/framework/workflows/remove-phase.md +155 -155
  275. package/kit/framework/workflows/remove-workspace.md +90 -90
  276. package/kit/framework/workflows/research-phase.md +82 -82
  277. package/kit/framework/workflows/resume-project.md +326 -326
  278. package/kit/framework/workflows/review.md +228 -228
  279. package/kit/framework/workflows/session-report.md +146 -146
  280. package/kit/framework/workflows/settings.md +283 -283
  281. package/kit/framework/workflows/ship.md +228 -228
  282. package/kit/framework/workflows/stats.md +60 -60
  283. package/kit/framework/workflows/transition.md +671 -671
  284. package/kit/framework/workflows/ui-phase.md +302 -302
  285. package/kit/framework/workflows/ui-review.md +165 -165
  286. package/kit/framework/workflows/update.md +323 -323
  287. package/kit/framework/workflows/validate-phase.md +174 -174
  288. package/kit/framework/workflows/verify-phase.md +252 -252
  289. package/kit/framework/workflows/verify-work.md +637 -637
  290. package/kit/hooks/check-update.js +118 -118
  291. package/kit/hooks/context-monitor.js +163 -163
  292. package/kit/hooks/kit-attribution-reminder.cjs +92 -92
  293. package/kit/hooks/kit-router.cjs +137 -137
  294. package/kit/hooks/prompt-guard.js +103 -103
  295. package/kit/hooks/statusline.js +125 -125
  296. package/kit/hooks/workflow-guard.js +101 -101
  297. package/kit/settings.json +45 -45
  298. package/kit/skills/ai-prompt-characterization/SKILL.md +335 -335
  299. package/kit/skills/armadilhas-sistemas-distribuidos/SKILL.md +447 -447
  300. package/kit/skills/audit-log-multi-tenant/SKILL.md +340 -340
  301. package/kit/skills/b2b-saas-architecture/SKILL.md +300 -300
  302. package/kit/skills/consistencia-leitura-replica/SKILL.md +385 -385
  303. package/kit/skills/crm-lead-pipeline-patterns/SKILL.md +343 -343
  304. package/kit/skills/escolha-modelo-consistencia/SKILL.md +494 -494
  305. package/kit/skills/evolucao-schema-compativel/SKILL.md +448 -448
  306. package/kit/skills/evolution-go-whatsapp-integration/SKILL.md +322 -322
  307. package/kit/skills/example-skill/SKILL.md +42 -42
  308. package/kit/skills/legacy-api-only-applications/SKILL.md +358 -358
  309. package/kit/skills/legacy-characterization-tests/SKILL.md +330 -330
  310. package/kit/skills/legacy-effect-analysis/SKILL.md +331 -331
  311. package/kit/skills/legacy-extract-class/SKILL.md +203 -203
  312. package/kit/skills/legacy-programming-by-difference/SKILL.md +252 -252
  313. package/kit/skills/legacy-seams-and-test-harness/SKILL.md +460 -460
  314. package/kit/skills/legacy-shotgun-surgery/SKILL.md +286 -286
  315. package/kit/skills/legacy-sprout-wrap-techniques/SKILL.md +434 -434
  316. package/kit/skills/legacy-storytelling-naked-crc/SKILL.md +270 -270
  317. package/kit/skills/lgpd-multi-tenant-compliance/SKILL.md +340 -340
  318. package/kit/skills/member-invite-flow/SKILL.md +305 -305
  319. package/kit/skills/member-management-react-shadcn/SKILL.md +328 -328
  320. package/kit/skills/multi-tenant-performance-scaling/SKILL.md +316 -316
  321. package/kit/skills/multi-tenant-rls-hierarchy/SKILL.md +342 -342
  322. package/kit/skills/org-onboarding-flow/SKILL.md +257 -257
  323. package/kit/skills/org-switcher-react-pattern/SKILL.md +349 -349
  324. package/kit/skills/permission-gate-react-pattern/SKILL.md +271 -271
  325. package/kit/skills/postgres-isolamento-concorrencia/SKILL.md +552 -552
  326. package/kit/skills/pre-refactor-characterization/SKILL.md +421 -421
  327. package/kit/skills/rbac-permissions-matrix-supabase/SKILL.md +338 -338
  328. package/kit/skills/streams-eventos-cdc/SKILL.md +711 -711
  329. package/kit/skills/supabase-auth-hardening/SKILL.md +674 -674
  330. package/kit/skills/supabase-auth-hooks/SKILL.md +875 -875
  331. package/kit/skills/supabase-auth-methods/SKILL.md +486 -486
  332. package/kit/skills/supabase-auth-sessions/SKILL.md +579 -579
  333. package/kit/skills/supabase-auth-ssr/SKILL.md +306 -306
  334. package/kit/skills/supabase-branching-workflow/SKILL.md +544 -544
  335. package/kit/skills/supabase-ci-cd-github-actions/SKILL.md +880 -880
  336. package/kit/skills/supabase-column-level-security/SKILL.md +426 -426
  337. package/kit/skills/supabase-config-toml-remotes/SKILL.md +807 -807
  338. package/kit/skills/supabase-custom-claims-rbac/SKILL.md +472 -472
  339. package/kit/skills/supabase-edge-functions/SKILL.md +330 -330
  340. package/kit/skills/supabase-edge-functions-auth/SKILL.md +309 -309
  341. package/kit/skills/supabase-edge-functions-limits/SKILL.md +302 -302
  342. package/kit/skills/supabase-edge-functions-mcp-server/SKILL.md +279 -279
  343. package/kit/skills/supabase-edge-functions-testing/SKILL.md +277 -277
  344. package/kit/skills/supabase-edge-runtime-builtins/SKILL.md +357 -357
  345. package/kit/skills/supabase-enterprise-sso-saml/SKILL.md +545 -545
  346. package/kit/skills/supabase-jwt-signing-keys/SKILL.md +399 -399
  347. package/kit/skills/supabase-mfa/SKILL.md +488 -488
  348. package/kit/skills/supabase-migration-repair/SKILL.md +823 -823
  349. package/kit/skills/supabase-migrations/SKILL.md +297 -297
  350. package/kit/skills/supabase-oauth-server/SKILL.md +537 -537
  351. package/kit/skills/supabase-pgtap-testing/SKILL.md +1053 -1053
  352. package/kit/skills/supabase-postgres-roles/SKILL.md +392 -392
  353. package/kit/skills/supabase-realtime/SKILL.md +460 -460
  354. package/kit/skills/supabase-rls-defense-in-depth/SKILL.md +418 -418
  355. package/kit/skills/supabase-rls-policies/SKILL.md +635 -635
  356. package/kit/skills/supabase-social-oauth/SKILL.md +480 -480
  357. package/kit/skills/supabase-third-party-auth/SKILL.md +450 -450
  358. package/kit/skills/super-admin-platform-pattern/SKILL.md +326 -326
  359. package/kit/skills/tenant-quente-mitigacao/SKILL.md +605 -605
  360. package/kit/skills/ui-anti-padroes-ia/SKILL.md +261 -0
  361. package/kit/skills/ui-contexto-produto/SKILL.md +248 -0
  362. package/kit/skills/ui-cor-estrategia/SKILL.md +213 -0
  363. package/kit/skills/ui-critica-auditoria/SKILL.md +260 -0
  364. package/kit/skills/ui-motion-funcional/SKILL.md +264 -0
  365. package/kit/skills/ui-ritmo-espacial/SKILL.md +259 -0
  366. package/kit/skills/ui-tipografia/SKILL.md +211 -0
  367. package/kit/skills/whatsapp-conversation-state-machine/SKILL.md +287 -287
  368. package/kit/workflows/auditar-observabilidade-cobertura.workflow.js +250 -0
  369. package/package.json +65 -63
  370. package/src/core/kit.js +333 -216
  371. package/src/core/reflect.js +247 -247
  372. package/src/core/registry.js +123 -112
  373. package/src/core/reverse-sync.js +448 -372
  374. package/src/core/sync.js +477 -437
  375. package/src/core/watch.js +121 -121
  376. package/src/mcp-server/index.js +794 -794
package/kit/skills/rbac-permissions-matrix-supabase/SKILL.md CHANGED
@@ -1,338 +1,338 @@
1
- ---
2
- name: rbac-permissions-matrix-supabase
3
- description: "Use ao modelar RBAC granular em Supabase B2B — permission strings resource:action, matrix N:M roles ↔ permissions, regra \\"user só atribui roles ≤ ao próprio\\", 3 roles built-in (owner…"
4
- ---
5
-
6
- # RBAC Permissions Matrix — Supabase B2B Multi-Tenant
7
-
8
- ## Quando usar
9
-
10
- LLM carrega esta skill ao desenhar autorização granular em B2B SaaS multi-tenant. Trigger phrases:
11
-
12
- - "RBAC granular", "permission matrix"
13
- - "permission string resource:action", "leads:create", "members:invite"
14
- - "custom roles", "role escalation rule"
15
- - "owner admin member built-in"
16
- - "role permissions table"
17
-
18
- ## Regras absolutas
19
-
20
- **REGRA #1 (permission string format):** Permissions são strings `<resource>:<action>` em snake_case (ex: `leads:create`, `members:invite`, `org_settings:update`). Padrão convergente 2026 (Stripe, Linear, Auth0).
21
-
22
- **REGRA #2 (3 roles built-in mínimo):** Toda org tem 3 roles built-in com `is_built_in = true`:
23
- - `owner` — full control (criação org, billing, transfer ownership, delete org)
24
- - `admin` — manage members, settings, all data
25
- - `member` — operações standard (CRUD nos recursos da org)
26
-
27
- **REGRA #3 (role escalation rule):** Usuário só pode **criar/atribuir roles ≤ ao próprio role**. Member não pode criar admin. Admin não pode criar owner. Owner pode tudo. Enforced via policy + frontend gate.
28
-
29
- **REGRA #4 (custom roles permitidos):** Custom roles via `is_built_in = false` na mesma tabela `roles`. Org-scoped (não globais). Built-in não podem ser deletados (constraint).
30
-
31
- **REGRA #5 (NUNCA permission string em frontend hard-coded para enforce):** Permission gate React (skill [`permission-gate-react-pattern`](../permission-gate-react-pattern/SKILL.md)) é UX apenas. Server-side enforcement obrigatório via RLS + `private.has_permission`.
32
-
33
- ## Patterns canônicos
34
-
35
- ### Permission catalog — eventos canônicos
36
-
37
- ```sql
38
- -- Catálogo global (compartilhado entre orgs)
39
- insert into public.permissions (action, resource, description) values
40
- -- Members
41
- ('invite', 'members', 'Convidar novos membros via email'),
42
- ('remove', 'members', 'Remover membros existentes'),
43
- ('update', 'members', 'Atualizar role/status de membros'),
44
- ('list', 'members', 'Listar membros da org'),
45
-
46
- -- Org settings
47
- ('update', 'org_settings', 'Atualizar configurações gerais da org'),
48
- ('update', 'org_billing', 'Acessar/alterar billing (Stripe)'),
49
-
50
- -- Departments
51
- ('create', 'departments', 'Criar departamentos'),
52
- ('update', 'departments', 'Atualizar departamentos'),
53
- ('delete', 'departments', 'Deletar departamentos'),
54
-
55
- -- Roles + Permissions
56
- ('create', 'roles', 'Criar custom roles'),
57
- ('update', 'roles', 'Atualizar role permissions'),
58
- ('delete', 'roles', 'Deletar custom roles (built-in protegidos)'),
59
-
60
- -- Domain example: leads (CRM)
61
- ('create', 'leads', 'Criar leads'),
62
- ('update', 'leads', 'Atualizar leads'),
63
- ('delete', 'leads', 'Deletar leads'),
64
- ('export', 'leads', 'Exportar leads (CSV/JSON)'),
65
-
66
- -- Audit
67
- ('view', 'audit_logs', 'Ver audit logs'),
68
- ('export', 'audit_logs', 'Exportar audit logs'),
69
-
70
- -- LGPD
71
- ('process', 'dsr_requests', 'Processar Data Subject Requests'),
72
-
73
- on conflict (action, resource) do nothing;
74
- ```
75
-
76
- ### 3 roles built-in com permissions default
77
-
78
- ```sql
79
- -- Para cada nova org (idealmente em RPC create_organization), criar built-in roles
80
- -- com permissions atribuídas.
81
-
82
- -- OWNER — todas permissions
83
- insert into public.role_permissions (role_id, permission_id)
84
- select
85
- r.id,
86
- p.id
87
- from public.roles r
88
- cross join public.permissions p
89
- where r.org_id = '<org_id>'
90
- and r.name = 'owner';
91
-
92
- -- ADMIN — tudo exceto org_billing + delete org
93
- insert into public.role_permissions (role_id, permission_id)
94
- select
95
- r.id,
96
- p.id
97
- from public.roles r
98
- cross join public.permissions p
99
- where r.org_id = '<org_id>'
100
- and r.name = 'admin'
101
- and not (p.action = 'update' and p.resource = 'org_billing');
102
-
103
- -- MEMBER — operações CRUD em domínio (sem members management)
104
- insert into public.role_permissions (role_id, permission_id)
105
- select
106
- r.id,
107
- p.id
108
- from public.roles r
109
- cross join public.permissions p
110
- where r.org_id = '<org_id>'
111
- and r.name = 'member'
112
- and p.resource in ('leads', 'departments')
113
- and p.action in ('create', 'update', 'list');
114
- ```
115
-
116
- ### Role escalation rule — enforcement via RPC + RLS
117
-
118
- ```sql
119
- -- Função que retorna o "rank" de uma role (owner=3, admin=2, member=1, custom=0)
120
- create or replace function private.role_rank(p_role_name text)
121
- returns int
122
- language sql
123
- stable
124
- security invoker
125
- set search_path = ''
126
- as $$
127
- select case p_role_name
128
- when 'owner' then 3
129
- when 'admin' then 2
130
- when 'member' then 1
131
- else 0 -- custom roles têm rank 0 (não comparáveis)
132
- end;
133
- $$;
134
-
135
- -- RPC que assign role a um membro — só permite role ≤ ao próprio
136
- create or replace function public.assign_role(
137
- p_org_id uuid,
138
- p_target_user_id uuid,
139
- p_role_id uuid
140
- )
141
- returns void
142
- language plpgsql
143
- security invoker
144
- set search_path = ''
145
- as $$
146
- declare
147
- caller_role_name text;
148
- target_role_name text;
149
- begin
150
- -- 1. Buscar role do caller na org
151
- select r.name into caller_role_name
152
- from public.organization_members om
153
- join public.roles r on r.id = om.role_id
154
- where om.org_id = p_org_id
155
- and om.user_id = (select auth.uid())
156
- and om.status = 'active';
157
-
158
- if caller_role_name is null then
159
- raise exception 'caller is not member of org';
160
- end if;
161
-
162
- -- 2. Buscar role alvo
163
- select r.name into target_role_name
164
- from public.roles r
165
- where r.id = p_role_id and r.org_id = p_org_id;
166
-
167
- if target_role_name is null then
168
- raise exception 'role does not exist in org';
169
- end if;
170
-
171
- -- 3. REGRA #3: caller role rank >= target role rank
172
- if private.role_rank(caller_role_name) < private.role_rank(target_role_name) then
173
- raise exception
174
- 'role escalation forbidden: caller is %, cannot assign %',
175
- caller_role_name, target_role_name;
176
- end if;
177
-
178
- -- 4. Assign
179
- update public.organization_members
180
- set role_id = p_role_id
181
- where org_id = p_org_id and user_id = p_target_user_id;
182
- end;
183
- $$;
184
-
185
- grant execute on function public.assign_role(uuid, uuid, uuid) to authenticated;
186
- ```
187
-
188
- ### Frontend — listar roles que user pode atribuir
189
-
190
- ```typescript
191
- // Buscar roles que current user pode atribuir (rank ≤ próprio)
192
- const { data: assignableRoles } = await supabase
193
- .from('roles')
194
- .select('id, name, description')
195
- .eq('org_id', orgId)
196
- // RPC retorna apenas roles que caller pode atribuir
197
- .rpc('list_assignable_roles', { p_org_id: orgId })
198
- ```
199
-
200
- ### RLS policy usando `private.has_permission`
201
-
202
- ```sql
203
- -- Tabela leads — INSERT requer permission leads:create
204
- create policy "leads_insert_with_permission"
205
- on public.leads
206
- for insert
207
- to authenticated
208
- with check (
209
- private.has_permission('create', 'leads', org_id)
210
- );
211
-
212
- -- Tabela members management — UPDATE role requer permission members:update
213
- create policy "members_update_role_with_permission"
214
- on public.organization_members
215
- for update
216
- to authenticated
217
- using (
218
- private.has_permission('update', 'members', org_id)
219
- )
220
- with check (
221
- private.has_permission('update', 'members', org_id)
222
- );
223
- ```
224
-
225
- ## Mecanismo de delivery dos claims (v1.25 update)
226
-
227
- Os patterns acima usam **helper function PG STABLE** (`private.has_permission(action, resource, org_id)`) que faz JOIN em `role_permissions` table dentro de cada policy evaluation. Funciona bem para casos multi-tenant complexos (role depende de org context) mas adiciona JOIN custoso em policies hot.
228
-
229
- A partir de **v1.25**, kit-mcp adiciona alternativa moderna via **Custom Access Token Auth Hook** (skill [`supabase-custom-claims-rbac`](../supabase-custom-claims-rbac/SKILL.md)) que injeta `user_role` direto no JWT — RLS policies leem o claim via `authorize(permission)` sem JOIN.
230
-
231
- **Comparação canônica (v1.25):**
232
-
233
- | | Helper function STABLE (v1.21) | Custom Claim via Auth Hook (v1.25) |
234
- |---|---|---|
235
- | Performance | JOIN em role_permissions por query | Zero-JOIN — claim no JWT |
236
- | Multi-tenant context | ✅ `has_permission('update', 'members', org_id)` — context-aware | ❌ Claim é per-user, não per-org-context |
237
- | Mudança em real-time | ✅ Imediata (UPDATE em role_permissions reflete) | ⚠ Eventually consistent (TTL refresh 1h) |
238
- | Type safety | String permission `'update:members'` | Enum `app_permission` |
239
- | Setup complexity | Média (helper function + RLS) | Alta (auth hook + auth_admin grants + jwt-decode cliente) |
240
-
241
- **Recomendação canônica v1.25 para B2B multi-tenant:**
242
-
243
- **Combine ambos:**
244
- - **Custom claim** para role global (`super_admin`, `org_owner`) — zero-JOIN, fácil consulta cliente
245
- - **Helper function STABLE** para context-aware (`has_permission(action, resource, org_id)`) — quando role muda por org
246
-
247
- Exemplo de policy combinada:
248
-
249
- ```sql
250
- create policy "members_select" on public.members for select
251
- to authenticated
252
- using (
253
- -- claim no JWT (zero-JOIN, fast path)
254
- (SELECT authorize('members:read'))
255
- -- OU helper function PG (context-aware, slow path)
256
- or private.has_permission('read', 'members', org_id)
257
- );
258
- ```
259
-
260
- Pattern detalhado em [`supabase-custom-claims-rbac`](../supabase-custom-claims-rbac/SKILL.md) (v1.25) section "Cross-suite integration".
261
-
262
- ## Anti-patterns
263
-
264
- ### Anti-pattern 1: Permission string sem padrão
265
-
266
- **Errado:**
267
- ```sql
268
- -- Mistura formats
269
- 'canCreateLeads', 'leads.create', 'CREATE_LEAD', 'leads:write'
270
- ```
271
-
272
- **Por quê:** inconsistência confunde devs (qual é a forma certa?), quebra autocomplete, dificulta migração.
273
-
274
- **Certo:** sempre `<resource>:<action>` em snake_case (REGRA #1). Pode usar enum em TypeScript:
275
- ```typescript
276
- type Permission = `${Resource}:${Action}`
277
- ```
278
-
279
- ### Anti-pattern 2: Hard-coded role check em vez de permission
280
-
281
- **Errado:**
282
- ```typescript
283
- // Permission gate frontend
284
- { user.role === 'admin' && <Button>Convidar</Button> }
285
- ```
286
-
287
- **Por quê:** custom roles quebram (custom role com permission `members:invite` não passa no check). Acopla UI a roles built-in.
288
-
289
- **Certo:**
290
- ```typescript
291
- { usePermission('invite', 'members') && <Button>Convidar</Button> }
292
- ```
293
-
294
- E server-side: RLS com `private.has_permission`.
295
-
296
- ### Anti-pattern 3: Built-in role pode ser deletada
297
-
298
- **Errado:**
299
- ```sql
300
- -- Sem proteção
301
- delete from public.roles where name = 'owner' and org_id = '...';
302
- -- Org fica sem owner, ninguém consegue fazer nada
303
- ```
304
-
305
- **Por quê:** org sem owner é unrecoverable sem service_role intervention. Compromete recovery.
306
-
307
- **Certo:** policy DELETE em `roles` que rejeita built-in:
308
- ```sql
309
- create policy "roles_delete_custom_only"
310
- on public.roles
311
- for delete
312
- to authenticated
313
- using (
314
- not is_built_in
315
- and private.has_permission('delete', 'roles', org_id)
316
- );
317
- ```
318
-
319
- ### Anti-pattern 4: Frontend permission gate sem server-side enforce
320
-
321
- **Errado:**
322
- ```typescript
323
- // Esconder botão UI = "segurança"
324
- { usePermission('delete', 'leads') && <DeleteButton /> }
325
- // Mas API endpoint /leads/{id} aceita DELETE sem checar permission
326
- ```
327
-
328
- **Por quê:** atacante chama API direto via curl — ignora gate frontend. Permission gate React é **UX**, não segurança.
329
-
330
- **Certo:** REGRA #5. Server-side via RLS + `private.has_permission` é enforcement real.
331
-
332
- ## Ver também
333
-
334
- - [multi-tenant-rls-hierarchy](../multi-tenant-rls-hierarchy/SKILL.md) — `private.has_permission` é a função canônica usada em policies
335
- - [b2b-saas-architecture](../b2b-saas-architecture/SKILL.md) — schema das tabelas `roles`, `permissions`, `role_permissions`
336
- - [permission-gate-react-pattern](../permission-gate-react-pattern/SKILL.md) — Phase 115, permission gate UX em React
337
- - [super-admin-platform-pattern](../super-admin-platform-pattern/SKILL.md) — Phase 111, super_admin bypassa RBAC normal
338
- - [_shared-multi-tenant/glossary.md](../_shared-multi-tenant/glossary.md) — termos `RBAC`, `permission matrix`, `role escalation rule`
1
+ ---
2
+ name: rbac-permissions-matrix-supabase
3
+ description: "Use ao modelar RBAC granular em Supabase B2B — permission strings resource:action, matrix N:M roles ↔ permissions, regra \\"user só atribui roles ≤ ao próprio\\", 3 roles built-in (owner…"
4
+ ---
5
+
6
+ # RBAC Permissions Matrix — Supabase B2B Multi-Tenant
7
+
8
+ ## Quando usar
9
+
10
+ LLM carrega esta skill ao desenhar autorização granular em B2B SaaS multi-tenant. Trigger phrases:
11
+
12
+ - "RBAC granular", "permission matrix"
13
+ - "permission string resource:action", "leads:create", "members:invite"
14
+ - "custom roles", "role escalation rule"
15
+ - "owner admin member built-in"
16
+ - "role permissions table"
17
+
18
+ ## Regras absolutas
19
+
20
+ **REGRA #1 (permission string format):** Permissions são strings `<resource>:<action>` em snake_case (ex: `leads:create`, `members:invite`, `org_settings:update`). Padrão convergente 2026 (Stripe, Linear, Auth0).
21
+
22
+ **REGRA #2 (3 roles built-in mínimo):** Toda org tem 3 roles built-in com `is_built_in = true`:
23
+ - `owner` — full control (criação org, billing, transfer ownership, delete org)
24
+ - `admin` — manage members, settings, all data
25
+ - `member` — operações standard (CRUD nos recursos da org)
26
+
27
+ **REGRA #3 (role escalation rule):** Usuário só pode **criar/atribuir roles ≤ ao próprio role**. Member não pode criar admin. Admin não pode criar owner. Owner pode tudo. Enforced via policy + frontend gate.
28
+
29
+ **REGRA #4 (custom roles permitidos):** Custom roles via `is_built_in = false` na mesma tabela `roles`. Org-scoped (não globais). Built-in não podem ser deletados (constraint).
30
+
31
+ **REGRA #5 (NUNCA permission string em frontend hard-coded para enforce):** Permission gate React (skill [`permission-gate-react-pattern`](../permission-gate-react-pattern/SKILL.md)) é UX apenas. Server-side enforcement obrigatório via RLS + `private.has_permission`.
32
+
33
+ ## Patterns canônicos
34
+
35
+ ### Permission catalog — eventos canônicos
36
+
37
+ ```sql
38
+ -- Catálogo global (compartilhado entre orgs)
39
+ insert into public.permissions (action, resource, description) values
40
+ -- Members
41
+ ('invite', 'members', 'Convidar novos membros via email'),
42
+ ('remove', 'members', 'Remover membros existentes'),
43
+ ('update', 'members', 'Atualizar role/status de membros'),
44
+ ('list', 'members', 'Listar membros da org'),
45
+
46
+ -- Org settings
47
+ ('update', 'org_settings', 'Atualizar configurações gerais da org'),
48
+ ('update', 'org_billing', 'Acessar/alterar billing (Stripe)'),
49
+
50
+ -- Departments
51
+ ('create', 'departments', 'Criar departamentos'),
52
+ ('update', 'departments', 'Atualizar departamentos'),
53
+ ('delete', 'departments', 'Deletar departamentos'),
54
+
55
+ -- Roles + Permissions
56
+ ('create', 'roles', 'Criar custom roles'),
57
+ ('update', 'roles', 'Atualizar role permissions'),
58
+ ('delete', 'roles', 'Deletar custom roles (built-in protegidos)'),
59
+
60
+ -- Domain example: leads (CRM)
61
+ ('create', 'leads', 'Criar leads'),
62
+ ('update', 'leads', 'Atualizar leads'),
63
+ ('delete', 'leads', 'Deletar leads'),
64
+ ('export', 'leads', 'Exportar leads (CSV/JSON)'),
65
+
66
+ -- Audit
67
+ ('view', 'audit_logs', 'Ver audit logs'),
68
+ ('export', 'audit_logs', 'Exportar audit logs'),
69
+
70
+ -- LGPD
71
+ ('process', 'dsr_requests', 'Processar Data Subject Requests'),
72
+
73
+ on conflict (action, resource) do nothing;
74
+ ```
75
+
76
+ ### 3 roles built-in com permissions default
77
+
78
+ ```sql
79
+ -- Para cada nova org (idealmente em RPC create_organization), criar built-in roles
80
+ -- com permissions atribuídas.
81
+
82
+ -- OWNER — todas permissions
83
+ insert into public.role_permissions (role_id, permission_id)
84
+ select
85
+ r.id,
86
+ p.id
87
+ from public.roles r
88
+ cross join public.permissions p
89
+ where r.org_id = '<org_id>'
90
+ and r.name = 'owner';
91
+
92
+ -- ADMIN — tudo exceto org_billing + delete org
93
+ insert into public.role_permissions (role_id, permission_id)
94
+ select
95
+ r.id,
96
+ p.id
97
+ from public.roles r
98
+ cross join public.permissions p
99
+ where r.org_id = '<org_id>'
100
+ and r.name = 'admin'
101
+ and not (p.action = 'update' and p.resource = 'org_billing');
102
+
103
+ -- MEMBER — operações CRUD em domínio (sem members management)
104
+ insert into public.role_permissions (role_id, permission_id)
105
+ select
106
+ r.id,
107
+ p.id
108
+ from public.roles r
109
+ cross join public.permissions p
110
+ where r.org_id = '<org_id>'
111
+ and r.name = 'member'
112
+ and p.resource in ('leads', 'departments')
113
+ and p.action in ('create', 'update', 'list');
114
+ ```
115
+
116
+ ### Role escalation rule — enforcement via RPC + RLS
117
+
118
+ ```sql
119
+ -- Função que retorna o "rank" de uma role (owner=3, admin=2, member=1, custom=0)
120
+ create or replace function private.role_rank(p_role_name text)
121
+ returns int
122
+ language sql
123
+ stable
124
+ security invoker
125
+ set search_path = ''
126
+ as $$
127
+ select case p_role_name
128
+ when 'owner' then 3
129
+ when 'admin' then 2
130
+ when 'member' then 1
131
+ else 0 -- custom roles têm rank 0 (não comparáveis)
132
+ end;
133
+ $$;
134
+
135
+ -- RPC que assign role a um membro — só permite role ≤ ao próprio
136
+ create or replace function public.assign_role(
137
+ p_org_id uuid,
138
+ p_target_user_id uuid,
139
+ p_role_id uuid
140
+ )
141
+ returns void
142
+ language plpgsql
143
+ security invoker
144
+ set search_path = ''
145
+ as $$
146
+ declare
147
+ caller_role_name text;
148
+ target_role_name text;
149
+ begin
150
+ -- 1. Buscar role do caller na org
151
+ select r.name into caller_role_name
152
+ from public.organization_members om
153
+ join public.roles r on r.id = om.role_id
154
+ where om.org_id = p_org_id
155
+ and om.user_id = (select auth.uid())
156
+ and om.status = 'active';
157
+
158
+ if caller_role_name is null then
159
+ raise exception 'caller is not member of org';
160
+ end if;
161
+
162
+ -- 2. Buscar role alvo
163
+ select r.name into target_role_name
164
+ from public.roles r
165
+ where r.id = p_role_id and r.org_id = p_org_id;
166
+
167
+ if target_role_name is null then
168
+ raise exception 'role does not exist in org';
169
+ end if;
170
+
171
+ -- 3. REGRA #3: caller role rank >= target role rank
172
+ if private.role_rank(caller_role_name) < private.role_rank(target_role_name) then
173
+ raise exception
174
+ 'role escalation forbidden: caller is %, cannot assign %',
175
+ caller_role_name, target_role_name;
176
+ end if;
177
+
178
+ -- 4. Assign
179
+ update public.organization_members
180
+ set role_id = p_role_id
181
+ where org_id = p_org_id and user_id = p_target_user_id;
182
+ end;
183
+ $$;
184
+
185
+ grant execute on function public.assign_role(uuid, uuid, uuid) to authenticated;
186
+ ```
187
+
188
+ ### Frontend — listar roles que user pode atribuir
189
+
190
+ ```typescript
191
+ // Buscar roles que current user pode atribuir (rank ≤ próprio)
192
+ const { data: assignableRoles } = await supabase
193
+ .from('roles')
194
+ .select('id, name, description')
195
+ .eq('org_id', orgId)
196
+ // RPC retorna apenas roles que caller pode atribuir
197
+ .rpc('list_assignable_roles', { p_org_id: orgId })
198
+ ```
199
+
200
+ ### RLS policy usando `private.has_permission`
201
+
202
+ ```sql
203
+ -- Tabela leads — INSERT requer permission leads:create
204
+ create policy "leads_insert_with_permission"
205
+ on public.leads
206
+ for insert
207
+ to authenticated
208
+ with check (
209
+ private.has_permission('create', 'leads', org_id)
210
+ );
211
+
212
+ -- Tabela members management — UPDATE role requer permission members:update
213
+ create policy "members_update_role_with_permission"
214
+ on public.organization_members
215
+ for update
216
+ to authenticated
217
+ using (
218
+ private.has_permission('update', 'members', org_id)
219
+ )
220
+ with check (
221
+ private.has_permission('update', 'members', org_id)
222
+ );
223
+ ```
224
+
225
+ ## Mecanismo de delivery dos claims (v1.25 update)
226
+
227
+ Os patterns acima usam **helper function PG STABLE** (`private.has_permission(action, resource, org_id)`) que faz JOIN em `role_permissions` table dentro de cada policy evaluation. Funciona bem para casos multi-tenant complexos (role depende de org context) mas adiciona JOIN custoso em policies hot.
228
+
229
+ A partir de **v1.25**, kit-mcp adiciona alternativa moderna via **Custom Access Token Auth Hook** (skill [`supabase-custom-claims-rbac`](../supabase-custom-claims-rbac/SKILL.md)) que injeta `user_role` direto no JWT — RLS policies leem o claim via `authorize(permission)` sem JOIN.
230
+
231
+ **Comparação canônica (v1.25):**
232
+
233
+ | | Helper function STABLE (v1.21) | Custom Claim via Auth Hook (v1.25) |
234
+ |---|---|---|
235
+ | Performance | JOIN em role_permissions por query | Zero-JOIN — claim no JWT |
236
+ | Multi-tenant context | ✅ `has_permission('update', 'members', org_id)` — context-aware | ❌ Claim é per-user, não per-org-context |
237
+ | Mudança em real-time | ✅ Imediata (UPDATE em role_permissions reflete) | ⚠ Eventually consistent (TTL refresh 1h) |
238
+ | Type safety | String permission `'update:members'` | Enum `app_permission` |
239
+ | Setup complexity | Média (helper function + RLS) | Alta (auth hook + auth_admin grants + jwt-decode cliente) |
240
+
241
+ **Recomendação canônica v1.25 para B2B multi-tenant:**
242
+
243
+ **Combine ambos:**
244
+ - **Custom claim** para role global (`super_admin`, `org_owner`) — zero-JOIN, fácil consulta cliente
245
+ - **Helper function STABLE** para context-aware (`has_permission(action, resource, org_id)`) — quando role muda por org
246
+
247
+ Exemplo de policy combinada:
248
+
249
+ ```sql
250
+ create policy "members_select" on public.members for select
251
+ to authenticated
252
+ using (
253
+ -- claim no JWT (zero-JOIN, fast path)
254
+ (SELECT authorize('members:read'))
255
+ -- OU helper function PG (context-aware, slow path)
256
+ or private.has_permission('read', 'members', org_id)
257
+ );
258
+ ```
259
+
260
+ Pattern detalhado em [`supabase-custom-claims-rbac`](../supabase-custom-claims-rbac/SKILL.md) (v1.25) section "Cross-suite integration".
261
+
262
+ ## Anti-patterns
263
+
264
+ ### Anti-pattern 1: Permission string sem padrão
265
+
266
+ **Errado:**
267
+ ```sql
268
+ -- Mistura formats
269
+ 'canCreateLeads', 'leads.create', 'CREATE_LEAD', 'leads:write'
270
+ ```
271
+
272
+ **Por quê:** inconsistência confunde devs (qual é a forma certa?), quebra autocomplete, dificulta migração.
273
+
274
+ **Certo:** sempre `<resource>:<action>` em snake_case (REGRA #1). Pode usar enum em TypeScript:
275
+ ```typescript
276
+ type Permission = `${Resource}:${Action}`
277
+ ```
278
+
279
+ ### Anti-pattern 2: Hard-coded role check em vez de permission
280
+
281
+ **Errado:**
282
+ ```typescript
283
+ // Permission gate frontend
284
+ { user.role === 'admin' && <Button>Convidar</Button> }
285
+ ```
286
+
287
+ **Por quê:** custom roles quebram (custom role com permission `members:invite` não passa no check). Acopla UI a roles built-in.
288
+
289
+ **Certo:**
290
+ ```typescript
291
+ { usePermission('invite', 'members') && <Button>Convidar</Button> }
292
+ ```
293
+
294
+ E server-side: RLS com `private.has_permission`.
295
+
296
+ ### Anti-pattern 3: Built-in role pode ser deletada
297
+
298
+ **Errado:**
299
+ ```sql
300
+ -- Sem proteção
301
+ delete from public.roles where name = 'owner' and org_id = '...';
302
+ -- Org fica sem owner, ninguém consegue fazer nada
303
+ ```
304
+
305
+ **Por quê:** org sem owner é unrecoverable sem service_role intervention. Compromete recovery.
306
+
307
+ **Certo:** policy DELETE em `roles` que rejeita built-in:
308
+ ```sql
309
+ create policy "roles_delete_custom_only"
310
+ on public.roles
311
+ for delete
312
+ to authenticated
313
+ using (
314
+ not is_built_in
315
+ and private.has_permission('delete', 'roles', org_id)
316
+ );
317
+ ```
318
+
319
+ ### Anti-pattern 4: Frontend permission gate sem server-side enforce
320
+
321
+ **Errado:**
322
+ ```typescript
323
+ // Esconder botão UI = "segurança"
324
+ { usePermission('delete', 'leads') && <DeleteButton /> }
325
+ // Mas API endpoint /leads/{id} aceita DELETE sem checar permission
326
+ ```
327
+
328
+ **Por quê:** atacante chama API direto via curl — ignora gate frontend. Permission gate React é **UX**, não segurança.
329
+
330
+ **Certo:** REGRA #5. Server-side via RLS + `private.has_permission` é enforcement real.
331
+
332
+ ## Ver também
333
+
334
+ - [multi-tenant-rls-hierarchy](../multi-tenant-rls-hierarchy/SKILL.md) — `private.has_permission` é a função canônica usada em policies
335
+ - [b2b-saas-architecture](../b2b-saas-architecture/SKILL.md) — schema das tabelas `roles`, `permissions`, `role_permissions`
336
+ - [permission-gate-react-pattern](../permission-gate-react-pattern/SKILL.md) — Phase 115, permission gate UX em React
337
+ - [super-admin-platform-pattern](../super-admin-platform-pattern/SKILL.md) — Phase 111, super_admin bypassa RBAC normal
338
+ - [_shared-multi-tenant/glossary.md](../_shared-multi-tenant/glossary.md) — termos `RBAC`, `permission matrix`, `role escalation rule`