npm - @luanpdd/kit-mcp - Versions diffs - 1.32.0 → 1.34.0 - Mend

@luanpdd/kit-mcp 1.32.0 → 1.34.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (376) hide show

package/LICENSE +21 -21
package/README.md +168 -168
package/gates/agent-no-recursive-dispatch.md +84 -84
package/kit/COMANDOS.md +138 -138
package/kit/COMPATIBILITY.md +70 -70
package/kit/README.md +76 -76
package/kit/agents/advisor-researcher.md +109 -109
package/kit/agents/ai-mutation-tester.md +289 -289
package/kit/agents/assumptions-analyzer.md +110 -110
package/kit/agents/audit-log-implementer.md +314 -314
package/kit/agents/auditor-consistencia-isolamento.md +414 -414
package/kit/agents/b2b-saas-architect.md +157 -157
package/kit/agents/burn-rate-forecaster.md +153 -153
package/kit/agents/cascading-failures-auditor.md +299 -299
package/kit/agents/codebase-mapper.md +769 -769
package/kit/agents/crm-pipeline-implementer.md +257 -257
package/kit/agents/debugger.md +814 -814
package/kit/agents/designer-ui.md +216 -0
package/kit/agents/detector-tenant-quente.md +338 -338
package/kit/agents/evolution-go-integrator.md +201 -201
package/kit/agents/example-reviewer.md +22 -22
package/kit/agents/executor.md +565 -565
package/kit/agents/golden-signals-instrumenter.md +232 -232
package/kit/agents/incident-investigator.md +238 -238
package/kit/agents/integration-checker.md +203 -203
package/kit/agents/invite-flow-implementer.md +190 -190
package/kit/agents/legacy-characterizer.md +369 -369
package/kit/agents/lgpd-compliance-auditor.md +296 -296
package/kit/agents/load-shedding-instrumenter.md +290 -290
package/kit/agents/multi-tenant-isolation-auditor.md +254 -254
package/kit/agents/multi-tenant-rls-writer.md +341 -341
package/kit/agents/nyquist-auditor.md +181 -181
package/kit/agents/observability-coverage-auditor.md +316 -316
package/kit/agents/observability-instrumenter.md +191 -191
package/kit/agents/omm-auditor.md +291 -291
package/kit/agents/org-onboarding-implementer.md +224 -224
package/kit/agents/payload-capture-instrumenter.md +274 -274
package/kit/agents/phase-researcher.md +697 -697
package/kit/agents/plan-checker.md +275 -275
package/kit/agents/planner.md +923 -923
package/kit/agents/postmortem-writer.md +273 -273
package/kit/agents/project-researcher.md +653 -653
package/kit/agents/prr-conductor.md +287 -287
package/kit/agents/refactor-safety-auditor.md +405 -405
package/kit/agents/release-pipeline-auditor.md +364 -364
package/kit/agents/research-synthesizer.md +246 -246
package/kit/agents/roadmapper.md +678 -678
package/kit/agents/schema-checker.md +160 -160
package/kit/agents/seam-finder.md +360 -360
package/kit/agents/shotgun-surgery-detector.md +350 -350
package/kit/agents/slo-engineer.md +217 -217
package/kit/agents/storytelling-analyst.md +300 -300
package/kit/agents/supabase-architect.md +249 -249
package/kit/agents/supabase-auth-bootstrapper.md +400 -400
package/kit/agents/supabase-auth-hook-writer.md +418 -418
package/kit/agents/supabase-branching-architect.md +563 -563
package/kit/agents/supabase-cicd-pipeline-implementer.md +778 -778
package/kit/agents/supabase-column-privileges-writer.md +400 -400
package/kit/agents/supabase-edge-fn-tester.md +288 -288
package/kit/agents/supabase-edge-fn-writer.md +341 -341
package/kit/agents/supabase-mfa-implementer.md +439 -439
package/kit/agents/supabase-migration-writer.md +386 -386
package/kit/agents/supabase-oauth-server-implementer.md +507 -507
package/kit/agents/supabase-rbac-implementer.md +393 -393
package/kit/agents/supabase-realtime-implementer.md +364 -364
package/kit/agents/supabase-rls-hardener.md +522 -522
package/kit/agents/supabase-rls-writer.md +324 -324
package/kit/agents/supabase-roles-implementer.md +356 -356
package/kit/agents/supabase-social-auth-implementer.md +451 -451
package/kit/agents/supabase-sso-saml-architect.md +549 -549
package/kit/agents/supabase-storage-implementer.md +407 -407
package/kit/agents/super-admin-implementer.md +282 -282
package/kit/agents/toil-auditor.md +268 -268
package/kit/agents/ui-auditor.md +438 -438
package/kit/agents/ui-checker.md +305 -305
package/kit/agents/ui-researcher.md +356 -356
package/kit/agents/user-profiler.md +176 -176
package/kit/agents/validador-evolucao-schema.md +336 -336
package/kit/agents/verifier.md +729 -729
package/kit/commands/adicionar-backlog.md +75 -75
package/kit/commands/adicionar-fase.md +42 -42
package/kit/commands/adicionar-tarefa.md +45 -45
package/kit/commands/adicionar-testes.md +41 -41
package/kit/commands/ajuda.md +21 -21
package/kit/commands/atualizar.md +37 -37
package/kit/commands/auditar-cascading.md +111 -111
package/kit/commands/auditar-marco.md +179 -179
package/kit/commands/auditar-observabilidade-cobertura-workflow.md +121 -0
package/kit/commands/auditar-observabilidade-cobertura.md +183 -183
package/kit/commands/auditar-refactor.md +219 -219
package/kit/commands/auditar-release.md +109 -109
package/kit/commands/auditar-uat.md +23 -23
package/kit/commands/autonomo.md +40 -40
package/kit/commands/branch-pr.md +24 -24
package/kit/commands/burn-rate-status.md +408 -408
package/kit/commands/capturar-payloads.md +193 -193
package/kit/commands/caracterizar.md +212 -212
package/kit/commands/concluir-marco.md +247 -247
package/kit/commands/configuracoes.md +36 -36
package/kit/commands/dados-distribuidos.md +188 -188
package/kit/commands/definir-perfil.md +10 -10
package/kit/commands/depurar.md +190 -190
package/kit/commands/detectar-duplicacao.md +197 -197
package/kit/commands/discutir-fase.md +131 -131
package/kit/commands/encontrar-seams.md +136 -136
package/kit/commands/entrar-discord.md +17 -17
package/kit/commands/estatisticas.md +18 -18
package/kit/commands/example-greeting.md +33 -33
package/kit/commands/executar-fase.md +58 -58
package/kit/commands/expresso.md +56 -56
package/kit/commands/fase-ui.md +34 -34
package/kit/commands/fazer.md +57 -57
package/kit/commands/fio.md +125 -125
package/kit/commands/fluxos-trabalho.md +64 -64
package/kit/commands/forense.md +176 -176
package/kit/commands/gerenciador.md +38 -38
package/kit/commands/inserir-fase.md +31 -31
package/kit/commands/legacy.md +263 -263
package/kit/commands/limpeza.md +17 -17
package/kit/commands/listar-hipoteses-fase.md +45 -45
package/kit/commands/listar-workspaces.md +18 -18
package/kit/commands/load-shedding.md +117 -117
package/kit/commands/mapear-codebase.md +70 -70
package/kit/commands/multi-tenant.md +163 -163
package/kit/commands/nota.md +33 -33
package/kit/commands/novo-marco.md +43 -43
package/kit/commands/novo-projeto.md +41 -41
package/kit/commands/novo-workspace.md +43 -43
package/kit/commands/pausar-trabalho.md +37 -37
package/kit/commands/perfil-usuario.md +45 -45
package/kit/commands/pesquisar-fase.md +195 -195
package/kit/commands/planejar-fase.md +67 -67
package/kit/commands/planejar-lacunas.md +33 -33
package/kit/commands/plantar-ideia.md +25 -25
package/kit/commands/progresso.md +24 -24
package/kit/commands/proximo.md +30 -30
package/kit/commands/publicar.md +490 -490
package/kit/commands/rapido.md +35 -35
package/kit/commands/reaplicar-patches.md +124 -124
package/kit/commands/refactor-seguro.md +321 -321
package/kit/commands/relatorio-sessao.md +19 -19
package/kit/commands/remover-fase.md +31 -31
package/kit/commands/remover-workspace.md +26 -26
package/kit/commands/resumo-marco.md +50 -50
package/kit/commands/retomar-trabalho.md +40 -40
package/kit/commands/revisar-backlog.md +60 -60
package/kit/commands/revisar-ui.md +32 -32
package/kit/commands/revisar.md +37 -37
package/kit/commands/saude.md +21 -21
package/kit/commands/setup-notion.md +93 -93
package/kit/commands/storytelling.md +179 -179
package/kit/commands/supabase.md +238 -238
package/kit/commands/sync-main.md +68 -68
package/kit/commands/validar-fase.md +35 -35
package/kit/commands/verificar-tarefas.md +44 -44
package/kit/commands/verificar-trabalho.md +64 -64
package/kit/file-manifest.json +13 -3
package/kit/framework/bin/lib/commands.cjs +959 -959
package/kit/framework/bin/lib/config.cjs +442 -442
package/kit/framework/bin/lib/core.cjs +1230 -1230
package/kit/framework/bin/lib/frontmatter.cjs +336 -336
package/kit/framework/bin/lib/init.cjs +1442 -1442
package/kit/framework/bin/lib/milestone.cjs +252 -252
package/kit/framework/bin/lib/model-profiles.cjs +68 -68
package/kit/framework/bin/lib/phase.cjs +888 -888
package/kit/framework/bin/lib/profile-output.cjs +952 -952
package/kit/framework/bin/lib/profile-pipeline.cjs +539 -539
package/kit/framework/bin/lib/roadmap.cjs +329 -329
package/kit/framework/bin/lib/security.cjs +382 -382
package/kit/framework/bin/lib/state.cjs +1031 -1031
package/kit/framework/bin/lib/template.cjs +222 -222
package/kit/framework/bin/lib/uat.cjs +282 -282
package/kit/framework/bin/lib/verify.cjs +888 -888
package/kit/framework/bin/lib/workstream.cjs +491 -491
package/kit/framework/bin/tools.cjs +918 -918
package/kit/framework/commands/workstreams.md +63 -63
package/kit/framework/references/checkpoints.md +778 -778
package/kit/framework/references/continuation-format.md +249 -249
package/kit/framework/references/decimal-phase-calculation.md +64 -64
package/kit/framework/references/git-integration.md +295 -295
package/kit/framework/references/git-planning-commit.md +38 -38
package/kit/framework/references/model-profile-resolution.md +36 -36
package/kit/framework/references/model-profiles.md +139 -139
package/kit/framework/references/phase-argument-parsing.md +61 -61
package/kit/framework/references/planning-config.md +202 -202
package/kit/framework/references/questioning.md +162 -162
package/kit/framework/references/tdd.md +263 -263
package/kit/framework/references/ui-brand.md +160 -160
package/kit/framework/references/user-profiling.md +657 -657
package/kit/framework/references/verification-patterns.md +612 -612
package/kit/framework/references/workstream-flag.md +58 -58
package/kit/framework/templates/DEBUG.md +164 -164
package/kit/framework/templates/UAT.md +265 -265
package/kit/framework/templates/UI-SPEC.md +100 -100
package/kit/framework/templates/VALIDATION.md +76 -76
package/kit/framework/templates/claude-md.md +122 -122
package/kit/framework/templates/codebase/architecture.md +185 -185
package/kit/framework/templates/codebase/concerns.md +205 -205
package/kit/framework/templates/codebase/conventions.md +204 -204
package/kit/framework/templates/codebase/integrations.md +192 -192
package/kit/framework/templates/codebase/stack.md +158 -158
package/kit/framework/templates/codebase/structure.md +199 -199
package/kit/framework/templates/codebase/testing.md +301 -301
package/kit/framework/templates/config.json +44 -44
package/kit/framework/templates/context.md +352 -352
package/kit/framework/templates/continue-here.md +78 -78
package/kit/framework/templates/copilot-instructions.md +7 -7
package/kit/framework/templates/debug-subagent-prompt.md +91 -91
package/kit/framework/templates/dev-preferences.md +20 -20
package/kit/framework/templates/discovery.md +146 -146
package/kit/framework/templates/discussion-log.md +63 -63
package/kit/framework/templates/milestone-archive.md +123 -123
package/kit/framework/templates/milestone.md +115 -115
package/kit/framework/templates/phase-prompt.md +610 -610
package/kit/framework/templates/planner-subagent-prompt.md +117 -117
package/kit/framework/templates/project.md +186 -186
package/kit/framework/templates/requirements.md +231 -231
package/kit/framework/templates/research-project/ARCHITECTURE.md +204 -204
package/kit/framework/templates/research-project/FEATURES.md +147 -147
package/kit/framework/templates/research-project/PITFALLS.md +200 -200
package/kit/framework/templates/research-project/STACK.md +120 -120
package/kit/framework/templates/research-project/SUMMARY.md +170 -170
package/kit/framework/templates/research.md +419 -419
package/kit/framework/templates/retrospective.md +54 -54
package/kit/framework/templates/roadmap.md +202 -202
package/kit/framework/templates/state.md +176 -176
package/kit/framework/templates/summary-complex.md +59 -59
package/kit/framework/templates/summary-minimal.md +41 -41
package/kit/framework/templates/summary-standard.md +48 -48
package/kit/framework/templates/summary.md +209 -209
package/kit/framework/templates/user-profile.md +146 -146
package/kit/framework/templates/user-setup.md +256 -256
package/kit/framework/templates/verification-report.md +258 -258
package/kit/framework/workflows/add-phase.md +112 -112
package/kit/framework/workflows/add-tests.md +351 -351
package/kit/framework/workflows/add-todo.md +158 -158
package/kit/framework/workflows/audit-milestone.md +340 -340
package/kit/framework/workflows/audit-uat.md +109 -109
package/kit/framework/workflows/autonomous.md +891 -891
package/kit/framework/workflows/check-todos.md +177 -177
package/kit/framework/workflows/cleanup.md +152 -152
package/kit/framework/workflows/complete-milestone.md +696 -696
package/kit/framework/workflows/diagnose-issues.md +231 -231
package/kit/framework/workflows/discovery-phase.md +289 -289
package/kit/framework/workflows/discuss-phase-assumptions.md +653 -653
package/kit/framework/workflows/discuss-phase.md +784 -784
package/kit/framework/workflows/do.md +104 -104
package/kit/framework/workflows/execute-phase.md +838 -838
package/kit/framework/workflows/execute-plan.md +510 -510
package/kit/framework/workflows/fast.md +102 -102
package/kit/framework/workflows/forensics.md +265 -265
package/kit/framework/workflows/health.md +181 -181
package/kit/framework/workflows/help.md +619 -619
package/kit/framework/workflows/insert-phase.md +130 -130
package/kit/framework/workflows/list-phase-assumptions.md +178 -178
package/kit/framework/workflows/list-workspaces.md +56 -56
package/kit/framework/workflows/manager.md +362 -362
package/kit/framework/workflows/map-codebase.md +377 -377
package/kit/framework/workflows/milestone-summary.md +223 -223
package/kit/framework/workflows/new-milestone.md +486 -486
package/kit/framework/workflows/new-project.md +1159 -1159
package/kit/framework/workflows/new-workspace.md +237 -237
package/kit/framework/workflows/next.md +97 -97
package/kit/framework/workflows/node-repair.md +92 -92
package/kit/framework/workflows/note.md +156 -156
package/kit/framework/workflows/pause-work.md +176 -176
package/kit/framework/workflows/plan-milestone-gaps.md +273 -273
package/kit/framework/workflows/plan-phase.md +765 -765
package/kit/framework/workflows/plant-seed.md +169 -169
package/kit/framework/workflows/pr-branch.md +129 -129
package/kit/framework/workflows/profile-user.md +450 -450
package/kit/framework/workflows/progress.md +507 -507
package/kit/framework/workflows/quick.md +757 -757
package/kit/framework/workflows/remove-phase.md +155 -155
package/kit/framework/workflows/remove-workspace.md +90 -90
package/kit/framework/workflows/research-phase.md +82 -82
package/kit/framework/workflows/resume-project.md +326 -326
package/kit/framework/workflows/review.md +228 -228
package/kit/framework/workflows/session-report.md +146 -146
package/kit/framework/workflows/settings.md +283 -283
package/kit/framework/workflows/ship.md +228 -228
package/kit/framework/workflows/stats.md +60 -60
package/kit/framework/workflows/transition.md +671 -671
package/kit/framework/workflows/ui-phase.md +302 -302
package/kit/framework/workflows/ui-review.md +165 -165
package/kit/framework/workflows/update.md +323 -323
package/kit/framework/workflows/validate-phase.md +174 -174
package/kit/framework/workflows/verify-phase.md +252 -252
package/kit/framework/workflows/verify-work.md +637 -637
package/kit/hooks/check-update.js +118 -118
package/kit/hooks/context-monitor.js +163 -163
package/kit/hooks/kit-attribution-reminder.cjs +92 -92
package/kit/hooks/kit-router.cjs +137 -137
package/kit/hooks/prompt-guard.js +103 -103
package/kit/hooks/statusline.js +125 -125
package/kit/hooks/workflow-guard.js +101 -101
package/kit/settings.json +45 -45
package/kit/skills/ai-prompt-characterization/SKILL.md +335 -335
package/kit/skills/armadilhas-sistemas-distribuidos/SKILL.md +447 -447
package/kit/skills/audit-log-multi-tenant/SKILL.md +340 -340
package/kit/skills/b2b-saas-architecture/SKILL.md +300 -300
package/kit/skills/consistencia-leitura-replica/SKILL.md +385 -385
package/kit/skills/crm-lead-pipeline-patterns/SKILL.md +343 -343
package/kit/skills/escolha-modelo-consistencia/SKILL.md +494 -494
package/kit/skills/evolucao-schema-compativel/SKILL.md +448 -448
package/kit/skills/evolution-go-whatsapp-integration/SKILL.md +322 -322
package/kit/skills/example-skill/SKILL.md +42 -42
package/kit/skills/legacy-api-only-applications/SKILL.md +358 -358
package/kit/skills/legacy-characterization-tests/SKILL.md +330 -330
package/kit/skills/legacy-effect-analysis/SKILL.md +331 -331
package/kit/skills/legacy-extract-class/SKILL.md +203 -203
package/kit/skills/legacy-programming-by-difference/SKILL.md +252 -252
package/kit/skills/legacy-seams-and-test-harness/SKILL.md +460 -460
package/kit/skills/legacy-shotgun-surgery/SKILL.md +286 -286
package/kit/skills/legacy-sprout-wrap-techniques/SKILL.md +434 -434
package/kit/skills/legacy-storytelling-naked-crc/SKILL.md +270 -270
package/kit/skills/lgpd-multi-tenant-compliance/SKILL.md +340 -340
package/kit/skills/member-invite-flow/SKILL.md +305 -305
package/kit/skills/member-management-react-shadcn/SKILL.md +328 -328
package/kit/skills/multi-tenant-performance-scaling/SKILL.md +316 -316
package/kit/skills/multi-tenant-rls-hierarchy/SKILL.md +342 -342
package/kit/skills/org-onboarding-flow/SKILL.md +257 -257
package/kit/skills/org-switcher-react-pattern/SKILL.md +349 -349
package/kit/skills/permission-gate-react-pattern/SKILL.md +271 -271
package/kit/skills/postgres-isolamento-concorrencia/SKILL.md +552 -552
package/kit/skills/pre-refactor-characterization/SKILL.md +421 -421
package/kit/skills/rbac-permissions-matrix-supabase/SKILL.md +338 -338
package/kit/skills/streams-eventos-cdc/SKILL.md +711 -711
package/kit/skills/supabase-auth-hardening/SKILL.md +674 -674
package/kit/skills/supabase-auth-hooks/SKILL.md +875 -875
package/kit/skills/supabase-auth-methods/SKILL.md +486 -486
package/kit/skills/supabase-auth-sessions/SKILL.md +579 -579
package/kit/skills/supabase-auth-ssr/SKILL.md +306 -306
package/kit/skills/supabase-branching-workflow/SKILL.md +544 -544
package/kit/skills/supabase-ci-cd-github-actions/SKILL.md +880 -880
package/kit/skills/supabase-column-level-security/SKILL.md +426 -426
package/kit/skills/supabase-config-toml-remotes/SKILL.md +807 -807
package/kit/skills/supabase-custom-claims-rbac/SKILL.md +472 -472
package/kit/skills/supabase-edge-functions/SKILL.md +330 -330
package/kit/skills/supabase-edge-functions-auth/SKILL.md +309 -309
package/kit/skills/supabase-edge-functions-limits/SKILL.md +302 -302
package/kit/skills/supabase-edge-functions-mcp-server/SKILL.md +279 -279
package/kit/skills/supabase-edge-functions-testing/SKILL.md +277 -277
package/kit/skills/supabase-edge-runtime-builtins/SKILL.md +357 -357
package/kit/skills/supabase-enterprise-sso-saml/SKILL.md +545 -545
package/kit/skills/supabase-jwt-signing-keys/SKILL.md +399 -399
package/kit/skills/supabase-mfa/SKILL.md +488 -488
package/kit/skills/supabase-migration-repair/SKILL.md +823 -823
package/kit/skills/supabase-migrations/SKILL.md +297 -297
package/kit/skills/supabase-oauth-server/SKILL.md +537 -537
package/kit/skills/supabase-pgtap-testing/SKILL.md +1053 -1053
package/kit/skills/supabase-postgres-roles/SKILL.md +392 -392
package/kit/skills/supabase-realtime/SKILL.md +460 -460
package/kit/skills/supabase-rls-defense-in-depth/SKILL.md +418 -418
package/kit/skills/supabase-rls-policies/SKILL.md +635 -635
package/kit/skills/supabase-social-oauth/SKILL.md +480 -480
package/kit/skills/supabase-third-party-auth/SKILL.md +450 -450
package/kit/skills/super-admin-platform-pattern/SKILL.md +326 -326
package/kit/skills/tenant-quente-mitigacao/SKILL.md +605 -605
package/kit/skills/ui-anti-padroes-ia/SKILL.md +261 -0
package/kit/skills/ui-contexto-produto/SKILL.md +248 -0
package/kit/skills/ui-cor-estrategia/SKILL.md +213 -0
package/kit/skills/ui-critica-auditoria/SKILL.md +260 -0
package/kit/skills/ui-motion-funcional/SKILL.md +264 -0
package/kit/skills/ui-ritmo-espacial/SKILL.md +259 -0
package/kit/skills/ui-tipografia/SKILL.md +211 -0
package/kit/skills/whatsapp-conversation-state-machine/SKILL.md +287 -287
package/kit/workflows/auditar-observabilidade-cobertura.workflow.js +250 -0
package/package.json +65 -63
package/src/core/kit.js +333 -216
package/src/core/reflect.js +247 -247
package/src/core/registry.js +123 -112
package/src/core/reverse-sync.js +448 -372
package/src/core/sync.js +477 -437
package/src/core/watch.js +121 -121
package/src/mcp-server/index.js +794 -794

package/kit/skills/supabase-mfa/SKILL.md CHANGED Viewed

@@ -1,488 +1,488 @@
----
-name: supabase-mfa
-description: Use ao implementar Multi-Factor Authentication (MFA) com TOTP, Phone ou AAL no Supabase — enrollment, challenge, verify, enforce via RLS aal2.
----
-# Supabase — Multi-Factor Authentication (MFA)
-## Quando usar
-LLM carrega esta skill quando implementar **autenticação multifator (MFA)** no Supabase, incluindo TOTP por app autenticador, MFA por telefone (SMS/WhatsApp) e enforce via RLS com AAL.
-Trigger phrases:
-- "MFA Supabase", "two-factor auth", "2FA"
-- "TOTP enrollment", "auth.mfa.enroll", "AAL aal2"
-- "MFA challenge verify", "phone MFA"
-- "getAuthenticatorAssuranceLevel"
-- "como forçar MFA via RLS", "enforce MFA para todos os usuários"
-- "QR code TOTP Supabase", "app autenticador Supabase"
-## Princípio canônico
-MFA no Supabase opera em **4 etapas principais**: enrollment, unenroll, challenge no login e enforce. O mecanismo central é o **AAL (Authenticator Assurance Level)** — o JWT do usuário sobe de `aal1` (1 fator) para `aal2` (MFA verificado) após `mfa.verify()` bem-sucedido.
-**Dois fatores suportados:**
-| Fator | API | Observação |
-|-------|-----|------------|
-| App Autenticador | `factorType: 'totp'` | Gera QR code SVG + URI `otpauth://` |
-| Telefone | `factorType: 'phone'` | SMS ou WhatsApp; caveat SIM swap |
-**Quando usar MFA:**
-- ✅ Aplicações com dados sensíveis (saúde, financeiro, jurídico)
-- ✅ Usuários admin/moderator com acesso privilegiado
-- ✅ Compliance SOC 2, HIPAA, LGPD para dados críticos
-- ✅ B2B SaaS que precisa oferecer MFA por opção ou por obrigação
-**Quando NÃO enforce MFA para todos:**
-- ❌ Aplicação de baixo risco onde MFA prejudica conversão
-- ❌ Usuários já autenticam via SSO com MFA no IdP (enforce no IdP, não duplicar)
-## Fluxo de Enrollment — 3 passos
-O enrollment segue sempre a sequência: **enroll → challenge → verify**.
-```ts
-import { createClient } from '@supabase/supabase-js'
-const supabase = createClient(SUPABASE_URL, SUPABASE_PUBLISHABLE_KEY)
-// Passo 1: iniciar enrollment
-const { data: enrollData, error: enrollError } = await supabase.auth.mfa.enroll({
-  factorType: 'totp',
-  friendlyName: 'App Autenticador',  // opcional — exibido na lista de fatores
-})
-// enrollData.id          → factorId (salvar para challenge/unenroll)
-// enrollData.totp.qr_code  → SVG do QR code (renderizar no img src)
-// enrollData.totp.uri      → URI otpauth:// (para deep link)
-// enrollData.totp.secret   → segredo manual (se user não conseguir escanear)
-// Passo 2: criar challenge
-const { data: challengeData, error: challengeError } = await supabase.auth.mfa.challenge({
-  factorId: enrollData.id,
-})
-// challengeData.id → challengeId (usar no verify)
-// Passo 3: verificar código TOTP digitado pelo usuário
-const { data: verifyData, error: verifyError } = await supabase.auth.mfa.verify({
-  factorId: enrollData.id,
-  challengeId: challengeData.id,
-  code: userInputCode,  // código de 6 dígitos digitado pelo usuário
-})
-// após verify bem-sucedido: JWT atualiza para aal2
-```
-**Importante:** código TOTP é válido por intervalos de **30 segundos**. Se o usuário demorar, o challenge expira e precisa de novo `mfa.challenge()`.
-## TOTP — Componente React `EnrollMFA`
-```tsx
-import { useState } from 'react'
-import { createClient } from '@supabase/supabase-js'
-const supabase = createClient(
-  process.env.NEXT_PUBLIC_SUPABASE_URL!,
-  process.env.NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY!
-)
-interface EnrollMFAProps {
-  onEnrolled: () => void
-  onCancelled: () => void
-}
-export function EnrollMFA({ onEnrolled, onCancelled }: EnrollMFAProps) {
-  const [factorId, setFactorId] = useState('')
-  const [challengeId, setChallengeId] = useState('')
-  const [qrCode, setQrCode] = useState('')
-  const [verifyCode, setVerifyCode] = useState('')
-  const [step, setStep] = useState<'enroll' | 'verify'>('enroll')
-  const [error, setError] = useState('')
-  const iniciarEnrollment = async () => {
-    setError('')
-    const { data, error } = await supabase.auth.mfa.enroll({
-      factorType: 'totp',
-      friendlyName: 'App Autenticador',
-    })
-    if (error) { setError(error.message); return }
-    setFactorId(data.id)
-    setQrCode(data.totp.qr_code)  // SVG
-    // criar challenge já
-    const { data: challengeData, error: challengeError } =
-      await supabase.auth.mfa.challenge({ factorId: data.id })
-    if (challengeError) { setError(challengeError.message); return }
-    setChallengeId(challengeData.id)
-    setStep('verify')
-  }
-  const verificarCodigo = async () => {
-    setError('')
-    const { error } = await supabase.auth.mfa.verify({
-      factorId,
-      challengeId,
-      code: verifyCode,
-    })
-    if (error) { setError(error.message); return }
-    onEnrolled()
-  }
-  if (step === 'enroll') {
-    return (
-      <div>
-        <p>Configure seu app autenticador (Google Authenticator, Authy, etc.).</p>
-        <button onClick={iniciarEnrollment}>Começar configuração</button>
-        <button onClick={onCancelled}>Cancelar</button>
-      </div>
-    )
-  }
-  return (
-    <div>
-      {/* QR code: data.totp.qr_code é SVG inline */}
-      <img src={qrCode} alt="QR Code MFA" />
-      <p>Escaneie o QR code com seu app autenticador e digite o código de 6 dígitos:</p>
-      <input
-        type="text"
-        inputMode="numeric"
-        maxLength={6}
-        value={verifyCode}
-        onChange={(e) => setVerifyCode(e.target.value)}
-        placeholder="000000"
-      />
-      {error && <p style={{ color: 'red' }}>{error}</p>}
-      <button onClick={verificarCodigo}>Verificar</button>
-    </div>
-  )
-}
-```
-## Phone MFA
-```ts
-// Enrollment — Phone MFA (SMS ou WhatsApp)
-const { data: enrollData, error } = await supabase.auth.mfa.enroll({
-  factorType: 'phone',
-  phone: '+5511999999999',   // formato E.164
-})
-// enrollData.id → factorId para challenge/verify
-// Challenge — dispara OTP via SMS/WhatsApp
-const { data: challengeData, error: challengeError } =
-  await supabase.auth.mfa.challenge({ factorId: enrollData.id })
-// OTP válido por 5 minutos
-// Verify
-const { error: verifyError } = await supabase.auth.mfa.verify({
-  factorId: enrollData.id,
-  challengeId: challengeData.id,
-  code: smsCode,   // código recebido por SMS
-})
-```
-**Caveat ataque SIM swap:** Phone MFA é mais fraco que TOTP porque número de telefone pode ser sequestrado via SIM swap (atacante convence operadora a transferir número). Para aplicações de alto risco, **prefira TOTP** ou exija TOTP como fator adicional. Se usar Phone MFA, eduque usuários sobre o risco.
-## AAL — Authenticator Assurance Level
-`getAuthenticatorAssuranceLevel()` retorna o nível atual e o próximo nível possível:
-```ts
-const { data, error } = await supabase.auth.mfa.getAuthenticatorAssuranceLevel()
-// data.currentLevel  → 'aal1' | 'aal2'
-// data.nextLevel     → 'aal1' | 'aal2'
-// data.currentAuthenticationMethods → array de métodos usados
-```
-**Tabela de estados AAL:**
-| `currentLevel` | `nextLevel` | Significado |
-|----------------|-------------|-------------|
-| `aal1` | `aal1` | Usuário sem MFA enrollado — 1 fator só |
-| `aal1` | `aal2` | MFA enrollado mas não verificado na sessão atual |
-| `aal2` | `aal2` | MFA verificado — sessão totalmente autenticada |
-| `aal2` | `aal1` | MFA foi removido (unenroll) mas JWT ainda não foi atualizado |
-**Fluxo canônico no login:**
-```ts
-// após supabase.auth.signInWithPassword(...)
-const { data: aalData } = await supabase.auth.mfa.getAuthenticatorAssuranceLevel()
-if (aalData.nextLevel === 'aal2' && aalData.nextLevel !== aalData.currentLevel) {
-  // redirecionar para tela de MFA challenge
-  router.push('/auth/mfa-challenge')
-}
-```
-**Em SSR (Next.js):** verificar AAL no middleware ou Server Component, não retornar 401 — sempre redirecionar:
-```ts
-// middleware.ts ou Server Component
-import { createServerClient } from '@supabase/ssr'
-// criar novo client por request (NUNCA reutilizar)
-const supabase = createServerClient(
-  process.env.NEXT_PUBLIC_SUPABASE_URL!,
-  process.env.NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY!,
-  { cookies: { getAll: () => request.cookies.getAll(), setAll: ... } }
-)
-const { data: aalData } = await supabase.auth.mfa.getAuthenticatorAssuranceLevel()
-if (aalData.nextLevel === 'aal2' && aalData.currentLevel !== 'aal2') {
-  // NUNCA retornar 401 em SSR — sempre redirecionar para tela de MFA
-  return NextResponse.redirect(new URL('/auth/mfa-challenge', request.url))
-}
-```
-## Enforce MFA via RLS
-Políticas de enforce MFA **DEVEM** usar `as restrictive` — sem isso, outra política permissiva pode contornar o MFA. Uma política RESTRICTIVE sozinha (sem nenhuma permissiva) bloqueia tudo; combine com política permissiva para o CRUD normal.
-### Variante 1 — Todos os usuários devem ter aal2
-```sql
--- política RESTRICTIVE bloqueia se não for aal2
-create policy "Requer aal2 para acesso" on public.documentos
-  as restrictive
-  for all
-  to authenticated
-  using ((select auth.jwt()->>'aal') = 'aal2');
--- política permissiva para SELECT normal
-create policy "Usuários autenticados veem seus documentos" on public.documentos
-  as permissive
-  for select
-  to authenticated
-  using (auth.uid() = user_id);
-```
-### Variante 2 — Só exige aal2 para usuários criados após determinada data (roll-out gradual)
-```sql
--- exige aal2 apenas para novos usuários (criados a partir de 2025-01-01)
-create policy "Novos usuários precisam de aal2" on public.documentos
-  as restrictive
-  for all
-  to authenticated
-  using (
-    (select auth.jwt()->>'aal') = 'aal2'
-    or
-    -- usuários antigos ficam isentos até migração
-    (select (auth.jwt()->'user_metadata'->>'created_at')::timestamptz
-      < '2025-01-01'::timestamptz)
-  );
-```
-### Variante 3 — Só exige aal2 para quem optou por MFA (opt-in)
-```sql
--- exige aal2 apenas se o usuário já tem um fator MFA enrollado e verificado
-create policy "Requer aal2 se MFA enrollado" on public.documentos
-  as restrictive
-  for all
-  to authenticated
-  using (
-    -- se não tem fator enrollado: aal1 é ok
-    not exists (
-      select 1 from auth.mfa_factors
-      where user_id = auth.uid()
-        and status = 'verified'
-    )
-    or
-    -- se tem fator enrollado: exige aal2
-    (select auth.jwt()->>'aal') = 'aal2'
-  );
-```
-## Unenroll — Componente `UnenrollMFA`
-```ts
-// listar fatores enrollados
-const { data: factorsData } = await supabase.auth.mfa.listFactors()
-// factorsData.totp   → array de fatores TOTP
-// factorsData.phone  → array de fatores Phone
-// unenroll um fator específico
-const { error } = await supabase.auth.mfa.unenroll({ factorId: 'fator-id-aqui' })
-```
-```tsx
-export function UnenrollMFA() {
-  const [factors, setFactors] = useState<any[]>([])
-  const [error, setError] = useState('')
-  useEffect(() => {
-    supabase.auth.mfa.listFactors().then(({ data }) => {
-      if (data) setFactors([...data.totp, ...data.phone])
-    })
-  }, [])
-  const removerFator = async (factorId: string) => {
-    const { error } = await supabase.auth.mfa.unenroll({ factorId })
-    if (error) { setError(error.message); return }
-    setFactors((prev) => prev.filter((f) => f.id !== factorId))
-  }
-  return (
-    <div>
-      <h3>Fatores MFA cadastrados</h3>
-      {factors.map((fator) => (
-        <div key={fator.id}>
-          <span>{fator.friendly_name || fator.factor_type} ({fator.status})</span>
-          <button onClick={() => removerFator(fator.id)}>Remover</button>
-        </div>
-      ))}
-      {error && <p style={{ color: 'red' }}>{error}</p>}
-    </div>
-  )
-}
-```
-## claim `amr` — verificar método e timestamp
-O claim `amr` (Authentication Methods References) em `auth.jwt()` registra quais métodos foram usados e quando:
-```sql
--- checar se MFA TOTP foi usado (jsonb_path_query)
-select
-  jsonb_path_query(
-    auth.jwt(),
-    '$.amr[*] ? (@.method == "totp")'
-  ) as mfa_totp_info;
--- resultado: {"method": "totp", "timestamp": 1704067200}
--- policy: rejeitar sessões MFA antigas (exige re-verificação a cada 24h)
-create policy "MFA verificado nas últimas 24h" on public.dados_sensiveis
-  as restrictive
-  for all
-  to authenticated
-  using (
-    (select auth.jwt()->>'aal') = 'aal2'
-    and exists (
-      select 1
-      from jsonb_array_elements(auth.jwt()->'amr') as m
-      where (m->>'method') = 'totp'
-        and (m->>'timestamp')::bigint > extract(epoch from now() - interval '24 hours')
-    )
-  );
-```
-## Regras absolutas
-1. **`as restrictive` é OBRIGATÓRIO** em políticas RLS de enforce MFA — sem ele, política permissiva existente contorna o MFA completamente.
-2. **SSR: criar novo client por request** — nunca reutilizar instância `supabase` entre requests (vazamento de sessão entre usuários).
-3. **Sempre checar `getAuthenticatorAssuranceLevel()` após login** — não assumir que o login sozinho garante aal2.
-4. **Redirecionar para tela MFA em SSR, nunca retornar 401** — 401 em middleware SSR quebra a UX e não orienta o usuário.
-5. **TOTP exige challenge antes de verify** — `mfa.verify()` sem `mfa.challenge()` prévio falha.
-6. **Usar `@supabase/ssr`, nunca `auth-helpers-nextjs`** — pacote legado descontinuado.
-## Anti-patterns
-### Anti-pattern 1: Omitir `as restrictive` na política de enforce
-**Errado:**
-```sql
--- política SEM as restrictive
-create policy "Requer MFA" on public.documentos
-  for all to authenticated
-  using ((select auth.jwt()->>'aal') = 'aal2');
--- outra política permissiva existente pode contornar esta!
-```
-**Por quê:** sem `as restrictive`, a avaliação de RLS é `(policy_permissiva OR policy_mfa)`. Se qualquer política permissiva retornar verdadeiro, o acesso é liberado independente do MFA.
-**Certo:**
-```sql
-create policy "Requer MFA" on public.documentos
-  as restrictive   -- ← OBRIGATÓRIO
-  for all to authenticated
-  using ((select auth.jwt()->>'aal') = 'aal2');
-```
-### Anti-pattern 2: Retornar 401 em SSR ao invés de redirecionar
-**Errado:**
-```ts
-// middleware.ts
-if (aalData.currentLevel !== 'aal2') {
-  return new Response('Unauthorized', { status: 401 })
-}
-```
-**Por quê:** usuário recebe erro genérico sem saber o que fazer. Em Next.js, um 401 no middleware pode causar loop ou tela branca.
-**Certo:**
-```ts
-if (aalData.nextLevel === 'aal2' && aalData.currentLevel !== 'aal2') {
-  return NextResponse.redirect(new URL('/auth/mfa-challenge', request.url))
-}
-```
-### Anti-pattern 3: Reutilizar client Supabase em SSR entre requests
-**Errado:**
-```ts
-// lib/supabase.ts — singleton compartilhado (ERRADO para SSR)
-export const supabase = createServerClient(URL, KEY, { cookies: globalCookies })
-// múltiplos requests compartilham o mesmo client → sessões vazam
-```
-**Por quê:** em ambiente serverless, o mesmo módulo pode ser reusado entre requests de usuários diferentes. O client guarda estado de sessão — vazamento de sessão entre usuários.
-**Certo:** criar novo client a cada invocação de Server Component ou middleware:
-```ts
-// app/page.tsx (Server Component)
-import { createServerClient } from '@supabase/ssr'
-import { cookies } from 'next/headers'
-export default async function Page() {
-  const cookieStore = await cookies()
-  const supabase = createServerClient(URL, KEY, {
-    cookies: {
-      getAll: () => cookieStore.getAll(),
-      setAll: (cookiesToSet) => { /* ... */ },
-    },
-  })
-  // ...
-}
-```
-### Anti-pattern 4: Chamar `mfa.verify()` sem `mfa.challenge()` prévio
-**Errado:**
-```ts
-// tentando verificar sem challenge
-await supabase.auth.mfa.verify({
-  factorId: 'fator-id',
-  challengeId: 'id-inventado',
-  code: userCode,
-})
-```
-**Por quê:** `challengeId` é gerado pelo servidor e tem TTL. IDs inválidos causam erro `invalid_challenge`.
-**Certo:** sempre `challenge()` → `verify()` em sequência, e lidar com expiração:
-```ts
-const { data: ch } = await supabase.auth.mfa.challenge({ factorId })
-if (!ch) return // tratar erro
-const { error } = await supabase.auth.mfa.verify({
-  factorId,
-  challengeId: ch.id,
-  code: userCode,
-})
-```
-## Ver também
-- [supabase-auth-methods](../supabase-auth-methods/SKILL.md) — providers de login (email, OAuth, magic link)
-- [supabase-auth-hooks](../supabase-auth-hooks/SKILL.md) — MFA Verification Hook (Teams/Enterprise) para rate-limit customizado
-- [supabase-rls-policies](../supabase-rls-policies/SKILL.md) — fundamentos de RLS e políticas RESTRICTIVE vs PERMISSIVE
-- [supabase-auth-ssr](../supabase-auth-ssr/SKILL.md) — padrão `@supabase/ssr` com Next.js
-- [supabase-custom-claims-rbac](../supabase-custom-claims-rbac/SKILL.md) — combinar MFA (aal2) com RBAC via custom claims
-- [supabase-mfa-implementer](../../agents/supabase-mfa-implementer.md) — agente que materializa setup completo de MFA
+---
+name: supabase-mfa
+description: Use ao implementar Multi-Factor Authentication (MFA) com TOTP, Phone ou AAL no Supabase — enrollment, challenge, verify, enforce via RLS aal2.
+---
+# Supabase — Multi-Factor Authentication (MFA)
+## Quando usar
+LLM carrega esta skill quando implementar **autenticação multifator (MFA)** no Supabase, incluindo TOTP por app autenticador, MFA por telefone (SMS/WhatsApp) e enforce via RLS com AAL.
+Trigger phrases:
+- "MFA Supabase", "two-factor auth", "2FA"
+- "TOTP enrollment", "auth.mfa.enroll", "AAL aal2"
+- "MFA challenge verify", "phone MFA"
+- "getAuthenticatorAssuranceLevel"
+- "como forçar MFA via RLS", "enforce MFA para todos os usuários"
+- "QR code TOTP Supabase", "app autenticador Supabase"
+## Princípio canônico
+MFA no Supabase opera em **4 etapas principais**: enrollment, unenroll, challenge no login e enforce. O mecanismo central é o **AAL (Authenticator Assurance Level)** — o JWT do usuário sobe de `aal1` (1 fator) para `aal2` (MFA verificado) após `mfa.verify()` bem-sucedido.
+**Dois fatores suportados:**
+| Fator | API | Observação |
+|-------|-----|------------|
+| App Autenticador | `factorType: 'totp'` | Gera QR code SVG + URI `otpauth://` |
+| Telefone | `factorType: 'phone'` | SMS ou WhatsApp; caveat SIM swap |
+**Quando usar MFA:**
+- ✅ Aplicações com dados sensíveis (saúde, financeiro, jurídico)
+- ✅ Usuários admin/moderator com acesso privilegiado
+- ✅ Compliance SOC 2, HIPAA, LGPD para dados críticos
+- ✅ B2B SaaS que precisa oferecer MFA por opção ou por obrigação
+**Quando NÃO enforce MFA para todos:**
+- ❌ Aplicação de baixo risco onde MFA prejudica conversão
+- ❌ Usuários já autenticam via SSO com MFA no IdP (enforce no IdP, não duplicar)
+## Fluxo de Enrollment — 3 passos
+O enrollment segue sempre a sequência: **enroll → challenge → verify**.
+```ts
+import { createClient } from '@supabase/supabase-js'
+const supabase = createClient(SUPABASE_URL, SUPABASE_PUBLISHABLE_KEY)
+// Passo 1: iniciar enrollment
+const { data: enrollData, error: enrollError } = await supabase.auth.mfa.enroll({
+  factorType: 'totp',
+  friendlyName: 'App Autenticador',  // opcional — exibido na lista de fatores
+})
+// enrollData.id          → factorId (salvar para challenge/unenroll)
+// enrollData.totp.qr_code  → SVG do QR code (renderizar no img src)
+// enrollData.totp.uri      → URI otpauth:// (para deep link)
+// enrollData.totp.secret   → segredo manual (se user não conseguir escanear)
+// Passo 2: criar challenge
+const { data: challengeData, error: challengeError } = await supabase.auth.mfa.challenge({
+  factorId: enrollData.id,
+})
+// challengeData.id → challengeId (usar no verify)
+// Passo 3: verificar código TOTP digitado pelo usuário
+const { data: verifyData, error: verifyError } = await supabase.auth.mfa.verify({
+  factorId: enrollData.id,
+  challengeId: challengeData.id,
+  code: userInputCode,  // código de 6 dígitos digitado pelo usuário
+})
+// após verify bem-sucedido: JWT atualiza para aal2
+```
+**Importante:** código TOTP é válido por intervalos de **30 segundos**. Se o usuário demorar, o challenge expira e precisa de novo `mfa.challenge()`.
+## TOTP — Componente React `EnrollMFA`
+```tsx
+import { useState } from 'react'
+import { createClient } from '@supabase/supabase-js'
+const supabase = createClient(
+  process.env.NEXT_PUBLIC_SUPABASE_URL!,
+  process.env.NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY!
+)
+interface EnrollMFAProps {
+  onEnrolled: () => void
+  onCancelled: () => void
+}
+export function EnrollMFA({ onEnrolled, onCancelled }: EnrollMFAProps) {
+  const [factorId, setFactorId] = useState('')
+  const [challengeId, setChallengeId] = useState('')
+  const [qrCode, setQrCode] = useState('')
+  const [verifyCode, setVerifyCode] = useState('')
+  const [step, setStep] = useState<'enroll' | 'verify'>('enroll')
+  const [error, setError] = useState('')
+  const iniciarEnrollment = async () => {
+    setError('')
+    const { data, error } = await supabase.auth.mfa.enroll({
+      factorType: 'totp',
+      friendlyName: 'App Autenticador',
+    })
+    if (error) { setError(error.message); return }
+    setFactorId(data.id)
+    setQrCode(data.totp.qr_code)  // SVG
+    // criar challenge já
+    const { data: challengeData, error: challengeError } =
+      await supabase.auth.mfa.challenge({ factorId: data.id })
+    if (challengeError) { setError(challengeError.message); return }
+    setChallengeId(challengeData.id)
+    setStep('verify')
+  }
+  const verificarCodigo = async () => {
+    setError('')
+    const { error } = await supabase.auth.mfa.verify({
+      factorId,
+      challengeId,
+      code: verifyCode,
+    })
+    if (error) { setError(error.message); return }
+    onEnrolled()
+  }
+  if (step === 'enroll') {
+    return (
+      <div>
+        <p>Configure seu app autenticador (Google Authenticator, Authy, etc.).</p>
+        <button onClick={iniciarEnrollment}>Começar configuração</button>
+        <button onClick={onCancelled}>Cancelar</button>
+      </div>
+    )
+  }
+  return (
+    <div>
+      {/* QR code: data.totp.qr_code é SVG inline */}
+      <img src={qrCode} alt="QR Code MFA" />
+      <p>Escaneie o QR code com seu app autenticador e digite o código de 6 dígitos:</p>
+      <input
+        type="text"
+        inputMode="numeric"
+        maxLength={6}
+        value={verifyCode}
+        onChange={(e) => setVerifyCode(e.target.value)}
+        placeholder="000000"
+      />
+      {error && <p style={{ color: 'red' }}>{error}</p>}
+      <button onClick={verificarCodigo}>Verificar</button>
+    </div>
+  )
+}
+```
+## Phone MFA
+```ts
+// Enrollment — Phone MFA (SMS ou WhatsApp)
+const { data: enrollData, error } = await supabase.auth.mfa.enroll({
+  factorType: 'phone',
+  phone: '+5511999999999',   // formato E.164
+})
+// enrollData.id → factorId para challenge/verify
+// Challenge — dispara OTP via SMS/WhatsApp
+const { data: challengeData, error: challengeError } =
+  await supabase.auth.mfa.challenge({ factorId: enrollData.id })
+// OTP válido por 5 minutos
+// Verify
+const { error: verifyError } = await supabase.auth.mfa.verify({
+  factorId: enrollData.id,
+  challengeId: challengeData.id,
+  code: smsCode,   // código recebido por SMS
+})
+```
+**Caveat ataque SIM swap:** Phone MFA é mais fraco que TOTP porque número de telefone pode ser sequestrado via SIM swap (atacante convence operadora a transferir número). Para aplicações de alto risco, **prefira TOTP** ou exija TOTP como fator adicional. Se usar Phone MFA, eduque usuários sobre o risco.
+## AAL — Authenticator Assurance Level
+`getAuthenticatorAssuranceLevel()` retorna o nível atual e o próximo nível possível:
+```ts
+const { data, error } = await supabase.auth.mfa.getAuthenticatorAssuranceLevel()
+// data.currentLevel  → 'aal1' | 'aal2'
+// data.nextLevel     → 'aal1' | 'aal2'
+// data.currentAuthenticationMethods → array de métodos usados
+```
+**Tabela de estados AAL:**
+| `currentLevel` | `nextLevel` | Significado |
+|----------------|-------------|-------------|
+| `aal1` | `aal1` | Usuário sem MFA enrollado — 1 fator só |
+| `aal1` | `aal2` | MFA enrollado mas não verificado na sessão atual |
+| `aal2` | `aal2` | MFA verificado — sessão totalmente autenticada |
+| `aal2` | `aal1` | MFA foi removido (unenroll) mas JWT ainda não foi atualizado |
+**Fluxo canônico no login:**
+```ts
+// após supabase.auth.signInWithPassword(...)
+const { data: aalData } = await supabase.auth.mfa.getAuthenticatorAssuranceLevel()
+if (aalData.nextLevel === 'aal2' && aalData.nextLevel !== aalData.currentLevel) {
+  // redirecionar para tela de MFA challenge
+  router.push('/auth/mfa-challenge')
+}
+```
+**Em SSR (Next.js):** verificar AAL no middleware ou Server Component, não retornar 401 — sempre redirecionar:
+```ts
+// middleware.ts ou Server Component
+import { createServerClient } from '@supabase/ssr'
+// criar novo client por request (NUNCA reutilizar)
+const supabase = createServerClient(
+  process.env.NEXT_PUBLIC_SUPABASE_URL!,
+  process.env.NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY!,
+  { cookies: { getAll: () => request.cookies.getAll(), setAll: ... } }
+)
+const { data: aalData } = await supabase.auth.mfa.getAuthenticatorAssuranceLevel()
+if (aalData.nextLevel === 'aal2' && aalData.currentLevel !== 'aal2') {
+  // NUNCA retornar 401 em SSR — sempre redirecionar para tela de MFA
+  return NextResponse.redirect(new URL('/auth/mfa-challenge', request.url))
+}
+```
+## Enforce MFA via RLS
+Políticas de enforce MFA **DEVEM** usar `as restrictive` — sem isso, outra política permissiva pode contornar o MFA. Uma política RESTRICTIVE sozinha (sem nenhuma permissiva) bloqueia tudo; combine com política permissiva para o CRUD normal.
+### Variante 1 — Todos os usuários devem ter aal2
+```sql
+-- política RESTRICTIVE bloqueia se não for aal2
+create policy "Requer aal2 para acesso" on public.documentos
+  as restrictive
+  for all
+  to authenticated
+  using ((select auth.jwt()->>'aal') = 'aal2');
+-- política permissiva para SELECT normal
+create policy "Usuários autenticados veem seus documentos" on public.documentos
+  as permissive
+  for select
+  to authenticated
+  using (auth.uid() = user_id);
+```
+### Variante 2 — Só exige aal2 para usuários criados após determinada data (roll-out gradual)
+```sql
+-- exige aal2 apenas para novos usuários (criados a partir de 2025-01-01)
+create policy "Novos usuários precisam de aal2" on public.documentos
+  as restrictive
+  for all
+  to authenticated
+  using (
+    (select auth.jwt()->>'aal') = 'aal2'
+    or
+    -- usuários antigos ficam isentos até migração
+    (select (auth.jwt()->'user_metadata'->>'created_at')::timestamptz
+      < '2025-01-01'::timestamptz)
+  );
+```
+### Variante 3 — Só exige aal2 para quem optou por MFA (opt-in)
+```sql
+-- exige aal2 apenas se o usuário já tem um fator MFA enrollado e verificado
+create policy "Requer aal2 se MFA enrollado" on public.documentos
+  as restrictive
+  for all
+  to authenticated
+  using (
+    -- se não tem fator enrollado: aal1 é ok
+    not exists (
+      select 1 from auth.mfa_factors
+      where user_id = auth.uid()
+        and status = 'verified'
+    )
+    or
+    -- se tem fator enrollado: exige aal2
+    (select auth.jwt()->>'aal') = 'aal2'
+  );
+```
+## Unenroll — Componente `UnenrollMFA`
+```ts
+// listar fatores enrollados
+const { data: factorsData } = await supabase.auth.mfa.listFactors()
+// factorsData.totp   → array de fatores TOTP
+// factorsData.phone  → array de fatores Phone
+// unenroll um fator específico
+const { error } = await supabase.auth.mfa.unenroll({ factorId: 'fator-id-aqui' })
+```
+```tsx
+export function UnenrollMFA() {
+  const [factors, setFactors] = useState<any[]>([])
+  const [error, setError] = useState('')
+  useEffect(() => {
+    supabase.auth.mfa.listFactors().then(({ data }) => {
+      if (data) setFactors([...data.totp, ...data.phone])
+    })
+  }, [])
+  const removerFator = async (factorId: string) => {
+    const { error } = await supabase.auth.mfa.unenroll({ factorId })
+    if (error) { setError(error.message); return }
+    setFactors((prev) => prev.filter((f) => f.id !== factorId))
+  }
+  return (
+    <div>
+      <h3>Fatores MFA cadastrados</h3>
+      {factors.map((fator) => (
+        <div key={fator.id}>
+          <span>{fator.friendly_name || fator.factor_type} ({fator.status})</span>
+          <button onClick={() => removerFator(fator.id)}>Remover</button>
+        </div>
+      ))}
+      {error && <p style={{ color: 'red' }}>{error}</p>}
+    </div>
+  )
+}
+```
+## claim `amr` — verificar método e timestamp
+O claim `amr` (Authentication Methods References) em `auth.jwt()` registra quais métodos foram usados e quando:
+```sql
+-- checar se MFA TOTP foi usado (jsonb_path_query)
+select
+  jsonb_path_query(
+    auth.jwt(),
+    '$.amr[*] ? (@.method == "totp")'
+  ) as mfa_totp_info;
+-- resultado: {"method": "totp", "timestamp": 1704067200}
+-- policy: rejeitar sessões MFA antigas (exige re-verificação a cada 24h)
+create policy "MFA verificado nas últimas 24h" on public.dados_sensiveis
+  as restrictive
+  for all
+  to authenticated
+  using (
+    (select auth.jwt()->>'aal') = 'aal2'
+    and exists (
+      select 1
+      from jsonb_array_elements(auth.jwt()->'amr') as m
+      where (m->>'method') = 'totp'
+        and (m->>'timestamp')::bigint > extract(epoch from now() - interval '24 hours')
+    )
+  );
+```
+## Regras absolutas
+1. **`as restrictive` é OBRIGATÓRIO** em políticas RLS de enforce MFA — sem ele, política permissiva existente contorna o MFA completamente.
+2. **SSR: criar novo client por request** — nunca reutilizar instância `supabase` entre requests (vazamento de sessão entre usuários).
+3. **Sempre checar `getAuthenticatorAssuranceLevel()` após login** — não assumir que o login sozinho garante aal2.
+4. **Redirecionar para tela MFA em SSR, nunca retornar 401** — 401 em middleware SSR quebra a UX e não orienta o usuário.
+5. **TOTP exige challenge antes de verify** — `mfa.verify()` sem `mfa.challenge()` prévio falha.
+6. **Usar `@supabase/ssr`, nunca `auth-helpers-nextjs`** — pacote legado descontinuado.
+## Anti-patterns
+### Anti-pattern 1: Omitir `as restrictive` na política de enforce
+**Errado:**
+```sql
+-- política SEM as restrictive
+create policy "Requer MFA" on public.documentos
+  for all to authenticated
+  using ((select auth.jwt()->>'aal') = 'aal2');
+-- outra política permissiva existente pode contornar esta!
+```
+**Por quê:** sem `as restrictive`, a avaliação de RLS é `(policy_permissiva OR policy_mfa)`. Se qualquer política permissiva retornar verdadeiro, o acesso é liberado independente do MFA.
+**Certo:**
+```sql
+create policy "Requer MFA" on public.documentos
+  as restrictive   -- ← OBRIGATÓRIO
+  for all to authenticated
+  using ((select auth.jwt()->>'aal') = 'aal2');
+```
+### Anti-pattern 2: Retornar 401 em SSR ao invés de redirecionar
+**Errado:**
+```ts
+// middleware.ts
+if (aalData.currentLevel !== 'aal2') {
+  return new Response('Unauthorized', { status: 401 })
+}
+```
+**Por quê:** usuário recebe erro genérico sem saber o que fazer. Em Next.js, um 401 no middleware pode causar loop ou tela branca.
+**Certo:**
+```ts
+if (aalData.nextLevel === 'aal2' && aalData.currentLevel !== 'aal2') {
+  return NextResponse.redirect(new URL('/auth/mfa-challenge', request.url))
+}
+```
+### Anti-pattern 3: Reutilizar client Supabase em SSR entre requests
+**Errado:**
+```ts
+// lib/supabase.ts — singleton compartilhado (ERRADO para SSR)
+export const supabase = createServerClient(URL, KEY, { cookies: globalCookies })
+// múltiplos requests compartilham o mesmo client → sessões vazam
+```
+**Por quê:** em ambiente serverless, o mesmo módulo pode ser reusado entre requests de usuários diferentes. O client guarda estado de sessão — vazamento de sessão entre usuários.
+**Certo:** criar novo client a cada invocação de Server Component ou middleware:
+```ts
+// app/page.tsx (Server Component)
+import { createServerClient } from '@supabase/ssr'
+import { cookies } from 'next/headers'
+export default async function Page() {
+  const cookieStore = await cookies()
+  const supabase = createServerClient(URL, KEY, {
+    cookies: {
+      getAll: () => cookieStore.getAll(),
+      setAll: (cookiesToSet) => { /* ... */ },
+    },
+  })
+  // ...
+}
+```
+### Anti-pattern 4: Chamar `mfa.verify()` sem `mfa.challenge()` prévio
+**Errado:**
+```ts
+// tentando verificar sem challenge
+await supabase.auth.mfa.verify({
+  factorId: 'fator-id',
+  challengeId: 'id-inventado',
+  code: userCode,
+})
+```
+**Por quê:** `challengeId` é gerado pelo servidor e tem TTL. IDs inválidos causam erro `invalid_challenge`.
+**Certo:** sempre `challenge()` → `verify()` em sequência, e lidar com expiração:
+```ts
+const { data: ch } = await supabase.auth.mfa.challenge({ factorId })
+if (!ch) return // tratar erro
+const { error } = await supabase.auth.mfa.verify({
+  factorId,
+  challengeId: ch.id,
+  code: userCode,
+})
+```
+## Ver também
+- [supabase-auth-methods](../supabase-auth-methods/SKILL.md) — providers de login (email, OAuth, magic link)
+- [supabase-auth-hooks](../supabase-auth-hooks/SKILL.md) — MFA Verification Hook (Teams/Enterprise) para rate-limit customizado
+- [supabase-rls-policies](../supabase-rls-policies/SKILL.md) — fundamentos de RLS e políticas RESTRICTIVE vs PERMISSIVE
+- [supabase-auth-ssr](../supabase-auth-ssr/SKILL.md) — padrão `@supabase/ssr` com Next.js
+- [supabase-custom-claims-rbac](../supabase-custom-claims-rbac/SKILL.md) — combinar MFA (aal2) com RBAC via custom claims
+- [supabase-mfa-implementer](../../agents/supabase-mfa-implementer.md) — agente que materializa setup completo de MFA