npm - @luanpdd/kit-mcp - Versions diffs - 1.32.0 → 1.34.0 - Mend

@luanpdd/kit-mcp 1.32.0 → 1.34.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (376) hide show

package/LICENSE +21 -21
package/README.md +168 -168
package/gates/agent-no-recursive-dispatch.md +84 -84
package/kit/COMANDOS.md +138 -138
package/kit/COMPATIBILITY.md +70 -70
package/kit/README.md +76 -76
package/kit/agents/advisor-researcher.md +109 -109
package/kit/agents/ai-mutation-tester.md +289 -289
package/kit/agents/assumptions-analyzer.md +110 -110
package/kit/agents/audit-log-implementer.md +314 -314
package/kit/agents/auditor-consistencia-isolamento.md +414 -414
package/kit/agents/b2b-saas-architect.md +157 -157
package/kit/agents/burn-rate-forecaster.md +153 -153
package/kit/agents/cascading-failures-auditor.md +299 -299
package/kit/agents/codebase-mapper.md +769 -769
package/kit/agents/crm-pipeline-implementer.md +257 -257
package/kit/agents/debugger.md +814 -814
package/kit/agents/designer-ui.md +216 -0
package/kit/agents/detector-tenant-quente.md +338 -338
package/kit/agents/evolution-go-integrator.md +201 -201
package/kit/agents/example-reviewer.md +22 -22
package/kit/agents/executor.md +565 -565
package/kit/agents/golden-signals-instrumenter.md +232 -232
package/kit/agents/incident-investigator.md +238 -238
package/kit/agents/integration-checker.md +203 -203
package/kit/agents/invite-flow-implementer.md +190 -190
package/kit/agents/legacy-characterizer.md +369 -369
package/kit/agents/lgpd-compliance-auditor.md +296 -296
package/kit/agents/load-shedding-instrumenter.md +290 -290
package/kit/agents/multi-tenant-isolation-auditor.md +254 -254
package/kit/agents/multi-tenant-rls-writer.md +341 -341
package/kit/agents/nyquist-auditor.md +181 -181
package/kit/agents/observability-coverage-auditor.md +316 -316
package/kit/agents/observability-instrumenter.md +191 -191
package/kit/agents/omm-auditor.md +291 -291
package/kit/agents/org-onboarding-implementer.md +224 -224
package/kit/agents/payload-capture-instrumenter.md +274 -274
package/kit/agents/phase-researcher.md +697 -697
package/kit/agents/plan-checker.md +275 -275
package/kit/agents/planner.md +923 -923
package/kit/agents/postmortem-writer.md +273 -273
package/kit/agents/project-researcher.md +653 -653
package/kit/agents/prr-conductor.md +287 -287
package/kit/agents/refactor-safety-auditor.md +405 -405
package/kit/agents/release-pipeline-auditor.md +364 -364
package/kit/agents/research-synthesizer.md +246 -246
package/kit/agents/roadmapper.md +678 -678
package/kit/agents/schema-checker.md +160 -160
package/kit/agents/seam-finder.md +360 -360
package/kit/agents/shotgun-surgery-detector.md +350 -350
package/kit/agents/slo-engineer.md +217 -217
package/kit/agents/storytelling-analyst.md +300 -300
package/kit/agents/supabase-architect.md +249 -249
package/kit/agents/supabase-auth-bootstrapper.md +400 -400
package/kit/agents/supabase-auth-hook-writer.md +418 -418
package/kit/agents/supabase-branching-architect.md +563 -563
package/kit/agents/supabase-cicd-pipeline-implementer.md +778 -778
package/kit/agents/supabase-column-privileges-writer.md +400 -400
package/kit/agents/supabase-edge-fn-tester.md +288 -288
package/kit/agents/supabase-edge-fn-writer.md +341 -341
package/kit/agents/supabase-mfa-implementer.md +439 -439
package/kit/agents/supabase-migration-writer.md +386 -386
package/kit/agents/supabase-oauth-server-implementer.md +507 -507
package/kit/agents/supabase-rbac-implementer.md +393 -393
package/kit/agents/supabase-realtime-implementer.md +364 -364
package/kit/agents/supabase-rls-hardener.md +522 -522
package/kit/agents/supabase-rls-writer.md +324 -324
package/kit/agents/supabase-roles-implementer.md +356 -356
package/kit/agents/supabase-social-auth-implementer.md +451 -451
package/kit/agents/supabase-sso-saml-architect.md +549 -549
package/kit/agents/supabase-storage-implementer.md +407 -407
package/kit/agents/super-admin-implementer.md +282 -282
package/kit/agents/toil-auditor.md +268 -268
package/kit/agents/ui-auditor.md +438 -438
package/kit/agents/ui-checker.md +305 -305
package/kit/agents/ui-researcher.md +356 -356
package/kit/agents/user-profiler.md +176 -176
package/kit/agents/validador-evolucao-schema.md +336 -336
package/kit/agents/verifier.md +729 -729
package/kit/commands/adicionar-backlog.md +75 -75
package/kit/commands/adicionar-fase.md +42 -42
package/kit/commands/adicionar-tarefa.md +45 -45
package/kit/commands/adicionar-testes.md +41 -41
package/kit/commands/ajuda.md +21 -21
package/kit/commands/atualizar.md +37 -37
package/kit/commands/auditar-cascading.md +111 -111
package/kit/commands/auditar-marco.md +179 -179
package/kit/commands/auditar-observabilidade-cobertura-workflow.md +121 -0
package/kit/commands/auditar-observabilidade-cobertura.md +183 -183
package/kit/commands/auditar-refactor.md +219 -219
package/kit/commands/auditar-release.md +109 -109
package/kit/commands/auditar-uat.md +23 -23
package/kit/commands/autonomo.md +40 -40
package/kit/commands/branch-pr.md +24 -24
package/kit/commands/burn-rate-status.md +408 -408
package/kit/commands/capturar-payloads.md +193 -193
package/kit/commands/caracterizar.md +212 -212
package/kit/commands/concluir-marco.md +247 -247
package/kit/commands/configuracoes.md +36 -36
package/kit/commands/dados-distribuidos.md +188 -188
package/kit/commands/definir-perfil.md +10 -10
package/kit/commands/depurar.md +190 -190
package/kit/commands/detectar-duplicacao.md +197 -197
package/kit/commands/discutir-fase.md +131 -131
package/kit/commands/encontrar-seams.md +136 -136
package/kit/commands/entrar-discord.md +17 -17
package/kit/commands/estatisticas.md +18 -18
package/kit/commands/example-greeting.md +33 -33
package/kit/commands/executar-fase.md +58 -58
package/kit/commands/expresso.md +56 -56
package/kit/commands/fase-ui.md +34 -34
package/kit/commands/fazer.md +57 -57
package/kit/commands/fio.md +125 -125
package/kit/commands/fluxos-trabalho.md +64 -64
package/kit/commands/forense.md +176 -176
package/kit/commands/gerenciador.md +38 -38
package/kit/commands/inserir-fase.md +31 -31
package/kit/commands/legacy.md +263 -263
package/kit/commands/limpeza.md +17 -17
package/kit/commands/listar-hipoteses-fase.md +45 -45
package/kit/commands/listar-workspaces.md +18 -18
package/kit/commands/load-shedding.md +117 -117
package/kit/commands/mapear-codebase.md +70 -70
package/kit/commands/multi-tenant.md +163 -163
package/kit/commands/nota.md +33 -33
package/kit/commands/novo-marco.md +43 -43
package/kit/commands/novo-projeto.md +41 -41
package/kit/commands/novo-workspace.md +43 -43
package/kit/commands/pausar-trabalho.md +37 -37
package/kit/commands/perfil-usuario.md +45 -45
package/kit/commands/pesquisar-fase.md +195 -195
package/kit/commands/planejar-fase.md +67 -67
package/kit/commands/planejar-lacunas.md +33 -33
package/kit/commands/plantar-ideia.md +25 -25
package/kit/commands/progresso.md +24 -24
package/kit/commands/proximo.md +30 -30
package/kit/commands/publicar.md +490 -490
package/kit/commands/rapido.md +35 -35
package/kit/commands/reaplicar-patches.md +124 -124
package/kit/commands/refactor-seguro.md +321 -321
package/kit/commands/relatorio-sessao.md +19 -19
package/kit/commands/remover-fase.md +31 -31
package/kit/commands/remover-workspace.md +26 -26
package/kit/commands/resumo-marco.md +50 -50
package/kit/commands/retomar-trabalho.md +40 -40
package/kit/commands/revisar-backlog.md +60 -60
package/kit/commands/revisar-ui.md +32 -32
package/kit/commands/revisar.md +37 -37
package/kit/commands/saude.md +21 -21
package/kit/commands/setup-notion.md +93 -93
package/kit/commands/storytelling.md +179 -179
package/kit/commands/supabase.md +238 -238
package/kit/commands/sync-main.md +68 -68
package/kit/commands/validar-fase.md +35 -35
package/kit/commands/verificar-tarefas.md +44 -44
package/kit/commands/verificar-trabalho.md +64 -64
package/kit/file-manifest.json +13 -3
package/kit/framework/bin/lib/commands.cjs +959 -959
package/kit/framework/bin/lib/config.cjs +442 -442
package/kit/framework/bin/lib/core.cjs +1230 -1230
package/kit/framework/bin/lib/frontmatter.cjs +336 -336
package/kit/framework/bin/lib/init.cjs +1442 -1442
package/kit/framework/bin/lib/milestone.cjs +252 -252
package/kit/framework/bin/lib/model-profiles.cjs +68 -68
package/kit/framework/bin/lib/phase.cjs +888 -888
package/kit/framework/bin/lib/profile-output.cjs +952 -952
package/kit/framework/bin/lib/profile-pipeline.cjs +539 -539
package/kit/framework/bin/lib/roadmap.cjs +329 -329
package/kit/framework/bin/lib/security.cjs +382 -382
package/kit/framework/bin/lib/state.cjs +1031 -1031
package/kit/framework/bin/lib/template.cjs +222 -222
package/kit/framework/bin/lib/uat.cjs +282 -282
package/kit/framework/bin/lib/verify.cjs +888 -888
package/kit/framework/bin/lib/workstream.cjs +491 -491
package/kit/framework/bin/tools.cjs +918 -918
package/kit/framework/commands/workstreams.md +63 -63
package/kit/framework/references/checkpoints.md +778 -778
package/kit/framework/references/continuation-format.md +249 -249
package/kit/framework/references/decimal-phase-calculation.md +64 -64
package/kit/framework/references/git-integration.md +295 -295
package/kit/framework/references/git-planning-commit.md +38 -38
package/kit/framework/references/model-profile-resolution.md +36 -36
package/kit/framework/references/model-profiles.md +139 -139
package/kit/framework/references/phase-argument-parsing.md +61 -61
package/kit/framework/references/planning-config.md +202 -202
package/kit/framework/references/questioning.md +162 -162
package/kit/framework/references/tdd.md +263 -263
package/kit/framework/references/ui-brand.md +160 -160
package/kit/framework/references/user-profiling.md +657 -657
package/kit/framework/references/verification-patterns.md +612 -612
package/kit/framework/references/workstream-flag.md +58 -58
package/kit/framework/templates/DEBUG.md +164 -164
package/kit/framework/templates/UAT.md +265 -265
package/kit/framework/templates/UI-SPEC.md +100 -100
package/kit/framework/templates/VALIDATION.md +76 -76
package/kit/framework/templates/claude-md.md +122 -122
package/kit/framework/templates/codebase/architecture.md +185 -185
package/kit/framework/templates/codebase/concerns.md +205 -205
package/kit/framework/templates/codebase/conventions.md +204 -204
package/kit/framework/templates/codebase/integrations.md +192 -192
package/kit/framework/templates/codebase/stack.md +158 -158
package/kit/framework/templates/codebase/structure.md +199 -199
package/kit/framework/templates/codebase/testing.md +301 -301
package/kit/framework/templates/config.json +44 -44
package/kit/framework/templates/context.md +352 -352
package/kit/framework/templates/continue-here.md +78 -78
package/kit/framework/templates/copilot-instructions.md +7 -7
package/kit/framework/templates/debug-subagent-prompt.md +91 -91
package/kit/framework/templates/dev-preferences.md +20 -20
package/kit/framework/templates/discovery.md +146 -146
package/kit/framework/templates/discussion-log.md +63 -63
package/kit/framework/templates/milestone-archive.md +123 -123
package/kit/framework/templates/milestone.md +115 -115
package/kit/framework/templates/phase-prompt.md +610 -610
package/kit/framework/templates/planner-subagent-prompt.md +117 -117
package/kit/framework/templates/project.md +186 -186
package/kit/framework/templates/requirements.md +231 -231
package/kit/framework/templates/research-project/ARCHITECTURE.md +204 -204
package/kit/framework/templates/research-project/FEATURES.md +147 -147
package/kit/framework/templates/research-project/PITFALLS.md +200 -200
package/kit/framework/templates/research-project/STACK.md +120 -120
package/kit/framework/templates/research-project/SUMMARY.md +170 -170
package/kit/framework/templates/research.md +419 -419
package/kit/framework/templates/retrospective.md +54 -54
package/kit/framework/templates/roadmap.md +202 -202
package/kit/framework/templates/state.md +176 -176
package/kit/framework/templates/summary-complex.md +59 -59
package/kit/framework/templates/summary-minimal.md +41 -41
package/kit/framework/templates/summary-standard.md +48 -48
package/kit/framework/templates/summary.md +209 -209
package/kit/framework/templates/user-profile.md +146 -146
package/kit/framework/templates/user-setup.md +256 -256
package/kit/framework/templates/verification-report.md +258 -258
package/kit/framework/workflows/add-phase.md +112 -112
package/kit/framework/workflows/add-tests.md +351 -351
package/kit/framework/workflows/add-todo.md +158 -158
package/kit/framework/workflows/audit-milestone.md +340 -340
package/kit/framework/workflows/audit-uat.md +109 -109
package/kit/framework/workflows/autonomous.md +891 -891
package/kit/framework/workflows/check-todos.md +177 -177
package/kit/framework/workflows/cleanup.md +152 -152
package/kit/framework/workflows/complete-milestone.md +696 -696
package/kit/framework/workflows/diagnose-issues.md +231 -231
package/kit/framework/workflows/discovery-phase.md +289 -289
package/kit/framework/workflows/discuss-phase-assumptions.md +653 -653
package/kit/framework/workflows/discuss-phase.md +784 -784
package/kit/framework/workflows/do.md +104 -104
package/kit/framework/workflows/execute-phase.md +838 -838
package/kit/framework/workflows/execute-plan.md +510 -510
package/kit/framework/workflows/fast.md +102 -102
package/kit/framework/workflows/forensics.md +265 -265
package/kit/framework/workflows/health.md +181 -181
package/kit/framework/workflows/help.md +619 -619
package/kit/framework/workflows/insert-phase.md +130 -130
package/kit/framework/workflows/list-phase-assumptions.md +178 -178
package/kit/framework/workflows/list-workspaces.md +56 -56
package/kit/framework/workflows/manager.md +362 -362
package/kit/framework/workflows/map-codebase.md +377 -377
package/kit/framework/workflows/milestone-summary.md +223 -223
package/kit/framework/workflows/new-milestone.md +486 -486
package/kit/framework/workflows/new-project.md +1159 -1159
package/kit/framework/workflows/new-workspace.md +237 -237
package/kit/framework/workflows/next.md +97 -97
package/kit/framework/workflows/node-repair.md +92 -92
package/kit/framework/workflows/note.md +156 -156
package/kit/framework/workflows/pause-work.md +176 -176
package/kit/framework/workflows/plan-milestone-gaps.md +273 -273
package/kit/framework/workflows/plan-phase.md +765 -765
package/kit/framework/workflows/plant-seed.md +169 -169
package/kit/framework/workflows/pr-branch.md +129 -129
package/kit/framework/workflows/profile-user.md +450 -450
package/kit/framework/workflows/progress.md +507 -507
package/kit/framework/workflows/quick.md +757 -757
package/kit/framework/workflows/remove-phase.md +155 -155
package/kit/framework/workflows/remove-workspace.md +90 -90
package/kit/framework/workflows/research-phase.md +82 -82
package/kit/framework/workflows/resume-project.md +326 -326
package/kit/framework/workflows/review.md +228 -228
package/kit/framework/workflows/session-report.md +146 -146
package/kit/framework/workflows/settings.md +283 -283
package/kit/framework/workflows/ship.md +228 -228
package/kit/framework/workflows/stats.md +60 -60
package/kit/framework/workflows/transition.md +671 -671
package/kit/framework/workflows/ui-phase.md +302 -302
package/kit/framework/workflows/ui-review.md +165 -165
package/kit/framework/workflows/update.md +323 -323
package/kit/framework/workflows/validate-phase.md +174 -174
package/kit/framework/workflows/verify-phase.md +252 -252
package/kit/framework/workflows/verify-work.md +637 -637
package/kit/hooks/check-update.js +118 -118
package/kit/hooks/context-monitor.js +163 -163
package/kit/hooks/kit-attribution-reminder.cjs +92 -92
package/kit/hooks/kit-router.cjs +137 -137
package/kit/hooks/prompt-guard.js +103 -103
package/kit/hooks/statusline.js +125 -125
package/kit/hooks/workflow-guard.js +101 -101
package/kit/settings.json +45 -45
package/kit/skills/ai-prompt-characterization/SKILL.md +335 -335
package/kit/skills/armadilhas-sistemas-distribuidos/SKILL.md +447 -447
package/kit/skills/audit-log-multi-tenant/SKILL.md +340 -340
package/kit/skills/b2b-saas-architecture/SKILL.md +300 -300
package/kit/skills/consistencia-leitura-replica/SKILL.md +385 -385
package/kit/skills/crm-lead-pipeline-patterns/SKILL.md +343 -343
package/kit/skills/escolha-modelo-consistencia/SKILL.md +494 -494
package/kit/skills/evolucao-schema-compativel/SKILL.md +448 -448
package/kit/skills/evolution-go-whatsapp-integration/SKILL.md +322 -322
package/kit/skills/example-skill/SKILL.md +42 -42
package/kit/skills/legacy-api-only-applications/SKILL.md +358 -358
package/kit/skills/legacy-characterization-tests/SKILL.md +330 -330
package/kit/skills/legacy-effect-analysis/SKILL.md +331 -331
package/kit/skills/legacy-extract-class/SKILL.md +203 -203
package/kit/skills/legacy-programming-by-difference/SKILL.md +252 -252
package/kit/skills/legacy-seams-and-test-harness/SKILL.md +460 -460
package/kit/skills/legacy-shotgun-surgery/SKILL.md +286 -286
package/kit/skills/legacy-sprout-wrap-techniques/SKILL.md +434 -434
package/kit/skills/legacy-storytelling-naked-crc/SKILL.md +270 -270
package/kit/skills/lgpd-multi-tenant-compliance/SKILL.md +340 -340
package/kit/skills/member-invite-flow/SKILL.md +305 -305
package/kit/skills/member-management-react-shadcn/SKILL.md +328 -328
package/kit/skills/multi-tenant-performance-scaling/SKILL.md +316 -316
package/kit/skills/multi-tenant-rls-hierarchy/SKILL.md +342 -342
package/kit/skills/org-onboarding-flow/SKILL.md +257 -257
package/kit/skills/org-switcher-react-pattern/SKILL.md +349 -349
package/kit/skills/permission-gate-react-pattern/SKILL.md +271 -271
package/kit/skills/postgres-isolamento-concorrencia/SKILL.md +552 -552
package/kit/skills/pre-refactor-characterization/SKILL.md +421 -421
package/kit/skills/rbac-permissions-matrix-supabase/SKILL.md +338 -338
package/kit/skills/streams-eventos-cdc/SKILL.md +711 -711
package/kit/skills/supabase-auth-hardening/SKILL.md +674 -674
package/kit/skills/supabase-auth-hooks/SKILL.md +875 -875
package/kit/skills/supabase-auth-methods/SKILL.md +486 -486
package/kit/skills/supabase-auth-sessions/SKILL.md +579 -579
package/kit/skills/supabase-auth-ssr/SKILL.md +306 -306
package/kit/skills/supabase-branching-workflow/SKILL.md +544 -544
package/kit/skills/supabase-ci-cd-github-actions/SKILL.md +880 -880
package/kit/skills/supabase-column-level-security/SKILL.md +426 -426
package/kit/skills/supabase-config-toml-remotes/SKILL.md +807 -807
package/kit/skills/supabase-custom-claims-rbac/SKILL.md +472 -472
package/kit/skills/supabase-edge-functions/SKILL.md +330 -330
package/kit/skills/supabase-edge-functions-auth/SKILL.md +309 -309
package/kit/skills/supabase-edge-functions-limits/SKILL.md +302 -302
package/kit/skills/supabase-edge-functions-mcp-server/SKILL.md +279 -279
package/kit/skills/supabase-edge-functions-testing/SKILL.md +277 -277
package/kit/skills/supabase-edge-runtime-builtins/SKILL.md +357 -357
package/kit/skills/supabase-enterprise-sso-saml/SKILL.md +545 -545
package/kit/skills/supabase-jwt-signing-keys/SKILL.md +399 -399
package/kit/skills/supabase-mfa/SKILL.md +488 -488
package/kit/skills/supabase-migration-repair/SKILL.md +823 -823
package/kit/skills/supabase-migrations/SKILL.md +297 -297
package/kit/skills/supabase-oauth-server/SKILL.md +537 -537
package/kit/skills/supabase-pgtap-testing/SKILL.md +1053 -1053
package/kit/skills/supabase-postgres-roles/SKILL.md +392 -392
package/kit/skills/supabase-realtime/SKILL.md +460 -460
package/kit/skills/supabase-rls-defense-in-depth/SKILL.md +418 -418
package/kit/skills/supabase-rls-policies/SKILL.md +635 -635
package/kit/skills/supabase-social-oauth/SKILL.md +480 -480
package/kit/skills/supabase-third-party-auth/SKILL.md +450 -450
package/kit/skills/super-admin-platform-pattern/SKILL.md +326 -326
package/kit/skills/tenant-quente-mitigacao/SKILL.md +605 -605
package/kit/skills/ui-anti-padroes-ia/SKILL.md +261 -0
package/kit/skills/ui-contexto-produto/SKILL.md +248 -0
package/kit/skills/ui-cor-estrategia/SKILL.md +213 -0
package/kit/skills/ui-critica-auditoria/SKILL.md +260 -0
package/kit/skills/ui-motion-funcional/SKILL.md +264 -0
package/kit/skills/ui-ritmo-espacial/SKILL.md +259 -0
package/kit/skills/ui-tipografia/SKILL.md +211 -0
package/kit/skills/whatsapp-conversation-state-machine/SKILL.md +287 -287
package/kit/workflows/auditar-observabilidade-cobertura.workflow.js +250 -0
package/package.json +65 -63
package/src/core/kit.js +333 -216
package/src/core/reflect.js +247 -247
package/src/core/registry.js +123 -112
package/src/core/reverse-sync.js +448 -372
package/src/core/sync.js +477 -437
package/src/core/watch.js +121 -121
package/src/mcp-server/index.js +794 -794

package/kit/agents/supabase-auth-bootstrapper.md CHANGED Viewed

@@ -1,400 +1,400 @@
----
-name: supabase-auth-bootstrapper
-tier: specialized
-description: Bootstrap Next.js v16 + Supabase Auth com @supabase/ssr (browser+server clients + middleware). Audita .env* para NEXT_PUBLIC_*SERVICE* leak. Single serverClient factory.
-tools: Read, Write, Edit, Bash, Grep, Glob
-color: green
----
-Você é o auth-bootstrapper Supabase. Recebe projeto Next.js v16+ e produz a estrutura completa de autenticação Supabase com SSR: `utils/supabase/{client,server}.ts` + `middleware.ts` + audit de `.env*` para detectar service_role leak.
-**Compat:** Full em todos os IDEs (filesystem-only). Veja [COMPATIBILITY.md](../COMPATIBILITY.md).
-## Por que existe
-Bootstrap de auth Supabase em Next.js v16+ tem 4 pegadinhas que LLMs erram com frequência:
-1. Importar de `@supabase/auth-helpers-nextjs` (DEPRECATED, quebra Next.js v16+)
-2. Usar cookies `get`/`set`/`remove` em vez de `getAll`/`setAll`
-3. Vazar service_role como `NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY`
-4. Múltiplos `createServerClient` em layouts (race condition)
-Este agent escreve a estrutura padrão correta em uma chamada.
-## Inputs esperados (do caller)
-- `project_root`: caminho do projeto Next.js (default: `.`)
-- (Opcional) `auth_methods`: array — `email_password` (default), `magic_link`, `oauth_google`, `oauth_github`
-- (Opcional) `protected_paths`: paths que exigem login (default: tudo exceto `/login`, `/auth`)
-## Passos
-### Step 0 — Preflight
-Verificar projeto:
-```bash
-test -f package.json && cat package.json | grep -E "\"next\":"
-test -f tsconfig.json
-ls .env* 2>/dev/null
-```
-Se não é Next.js, alerte e pare.
-### Step 1 — Audit `.env*` files (anti-pitfall B6)
-Para cada arquivo `.env*` encontrado:
-```bash
-# busca por NEXT_PUBLIC_*SERVICE* ou padrões similares
-grep -nE 'NEXT_PUBLIC_.*SERVICE.*KEY|NEXT_PUBLIC_.*SECRET' .env* 2>/dev/null
-```
-**Se encontrar:** ALERTA crítico:
-```
-✗ ALERTA CRÍTICO — service_role exposto ao cliente
-Arquivo: <file>
-Linha <N>: <linha>
-`NEXT_PUBLIC_*` é embarcado no bundle client. Service role bypassa RLS.
-Vazamento = banco totalmente exposto.
-AÇÃO IMEDIATA:
-1. Remover esta env var
-2. Renomear para SUPABASE_SERVICE_ROLE_KEY (sem NEXT_PUBLIC_)
-3. Rotacionar a chave service_role no Supabase Dashboard
-4. Verificar se a chave já foi commitada/exposta em logs
-Bootstrap PARADO até esta variável ser corrigida.
-```
-**Não prossiga** até user resolver.
-### Step 2 — Verificar deps
-Garante que `@supabase/ssr` e `@supabase/supabase-js` estão em deps:
-```bash
-grep -E '"@supabase/ssr"|"@supabase/supabase-js"' package.json
-```
-Se faltar, instrua:
-```bash
-npm install @supabase/ssr @supabase/supabase-js
-```
-**Verifica que `@supabase/auth-helpers-nextjs` NÃO está instalado.** Se estiver:
-```
-⚠ @supabase/auth-helpers-nextjs detectado — DEPRECATED.
-Remover:
-  npm uninstall @supabase/auth-helpers-nextjs
-```
-### Step 3 — Criar `utils/supabase/client.ts`
-```ts
-// utils/supabase/client.ts — PT-BR: client para Client Components
-import { createBrowserClient } from '@supabase/ssr'
-export function createClient() {
-  return createBrowserClient(
-    process.env.NEXT_PUBLIC_SUPABASE_URL!,
-    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!
-  )
-}
-```
-### Step 4 — Criar `utils/supabase/server.ts`
-```ts
-// utils/supabase/server.ts — PT-BR: client para Server Components/Actions/Route Handlers
-import { createServerClient } from '@supabase/ssr'
-import { cookies } from 'next/headers'
-export async function createClient() {
-  const cookieStore = await cookies()
-  return createServerClient(
-    process.env.NEXT_PUBLIC_SUPABASE_URL!,
-    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
-    {
-      cookies: {
-        getAll() {
-          return cookieStore.getAll()
-        },
-        setAll(cookiesToSet) {
-          try {
-            cookiesToSet.forEach(({ name, value, options }) =>
-              cookieStore.set(name, value, options)
-            )
-          } catch {
-            // PT-BR: ok ignorar — Server Component não pode set cookies
-            // middleware faz refresh, sessão fica saudável
-          }
-        },
-      },
-    }
-  )
-}
-```
-### Step 5 — Criar `middleware.ts` (raiz do projeto)
-```ts
-// middleware.ts — PT-BR: proxy obrigatório para refresh de sessão SSR
-import { createServerClient } from '@supabase/ssr'
-import { NextResponse, type NextRequest } from 'next/server'
-export async function middleware(request: NextRequest) {
-  let supabaseResponse = NextResponse.next({ request })
-  const supabase = createServerClient(
-    process.env.NEXT_PUBLIC_SUPABASE_URL!,
-    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
-    {
-      cookies: {
-        getAll() {
-          return request.cookies.getAll()
-        },
-        setAll(cookiesToSet) {
-          cookiesToSet.forEach(({ name, value }) =>
-            request.cookies.set(name, value)
-          )
-          supabaseResponse = NextResponse.next({ request })
-          cookiesToSet.forEach(({ name, value, options }) =>
-            supabaseResponse.cookies.set(name, value, options)
-          )
-        },
-      },
-    }
-  )
-  // PT-BR: ATENÇÃO — não execute código entre createServerClient e getUser()
-  const { data: { user } } = await supabase.auth.getUser()
-  if (
-    !user &&
-    !request.nextUrl.pathname.startsWith('/login') &&
-    !request.nextUrl.pathname.startsWith('/auth')
-  ) {
-    const url = request.nextUrl.clone()
-    url.pathname = '/login'
-    return NextResponse.redirect(url)
-  }
-  // PT-BR: sempre retornar supabaseResponse — cookies precisam fluir
-  return supabaseResponse
-}
-export const config = {
-  matcher: [
-    '/((?!_next/static|_next/image|favicon.ico|.*\\.(?:svg|png|jpg|jpeg|gif|webp)$).*)',
-  ],
-}
-```
-### Step 6 — Criar/atualizar `.env.local.example`
-```bash
-# .env.local.example — PT-BR: template seguro
-NEXT_PUBLIC_SUPABASE_URL=https://your-project.supabase.co
-NEXT_PUBLIC_SUPABASE_ANON_KEY=eyJhbG...
-# PT-BR: service_role NUNCA prefixado NEXT_PUBLIC_
-# Use APENAS em código server-side (Server Actions, Edge Functions)
-SUPABASE_SERVICE_ROLE_KEY=eyJhbG...
-```
-Se `.env.local` não existe, criar com placeholders. Se existe, **NÃO sobrescrever** — apenas validar.
-### Step 7 — Criar `app/login/page.tsx` básico (se ausente)
-Apenas se `auth_methods` inclui `email_password` (default):
-```tsx
-// app/login/page.tsx
-'use client'
-import { createClient } from '@/utils/supabase/client'
-import { useState } from 'react'
-import { useRouter } from 'next/navigation'
-export default function LoginPage() {
-  const supabase = createClient()
-  const router = useRouter()
-  const [email, setEmail] = useState('')
-  const [password, setPassword] = useState('')
-  const [error, setError] = useState<string | null>(null)
-  async function handleSubmit(e: React.FormEvent) {
-    e.preventDefault()
-    const { error } = await supabase.auth.signInWithPassword({ email, password })
-    if (error) setError(error.message)
-    else router.push('/')
-  }
-  return (
-    <form onSubmit={handleSubmit}>
-      <input value={email} onChange={(e) => setEmail(e.target.value)} type="email" required />
-      <input value={password} onChange={(e) => setPassword(e.target.value)} type="password" required />
-      <button type="submit">Entrar</button>
-      {error && <p>{error}</p>}
-    </form>
-  )
-}
-```
-### Step 8 — Output
-```
-═══════════════════════════════════════════════════════════
-SUPABASE AUTH BOOTSTRAP · Next.js v16+
-═══════════════════════════════════════════════════════════
-✓ Audit .env* — sem service_role exposto ao cliente
-✓ Deps: @supabase/ssr + @supabase/supabase-js instaladas
-✓ utils/supabase/client.ts — createBrowserClient
-✓ utils/supabase/server.ts — createServerClient com getAll/setAll
-✓ middleware.ts — proxy completo com getUser() + redirect
-✓ .env.local.example — template seguro
-Próximos passos:
-1. Preencher .env.local com credenciais Supabase reais
-2. Implementar /login page (incluído como template)
-3. Testar fluxo: middleware → login → callback → dashboard
-Anti-patterns prevenidos:
-- @supabase/auth-helpers-nextjs (DEPRECATED) — NÃO instalado
-- cookies.get/set/remove individuais — substituídos por getAll/setAll
-- NEXT_PUBLIC_*SERVICE* leak — auditado
-- Múltiplos serverClient em layouts — single factory em utils/supabase/server.ts
-```
-## Anti-patterns prevenidos
-- Import de `@supabase/auth-helpers-nextjs` → SEMPRE `@supabase/ssr`
-- `cookies: { get, set, remove }` → SEMPRE `getAll`/`setAll`
-- `NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY` → ABORT explícito (audit `.env*`)
-- Múltiplos clients em layouts → factory única em `utils/supabase/server.ts`
-- Middleware sem `getUser()` → SEMPRE incluído
-## Quando NÃO invocar
-- Projeto já tem `@supabase/ssr` configurado e funcionando — overhead
-- Projeto não é Next.js (Expo, SvelteKit, Nuxt) — defer para skills `supabase-expo` etc. (v1.9+)
-## Observabilidade integrada
-Auth events são SLI primário — "successful login %" é métrica de saúde direta para o usuário final.
-1. **Auth events estruturados** (skill [`structured-events`](../skills/structured-events/SKILL.md)) — instrumentar handlers em `app/auth/*/route.ts`:
-   - `event_name`: `auth_signup` | `auth_login` | `auth_mfa_challenge` | `auth_logout` | `auth_password_reset` | `auth_oauth_callback`
-   - `result.success`: bool
-   - `error.type` enum: `'invalid_credentials'` | `'email_unconfirmed'` | `'mfa_required'` | `'rate_limit'` | `'oauth_provider_error'`
-   - `auth.method`: `'password'` | `'magic_link'` | `'oauth_google'` | `'oauth_github'` | `'sso'`
-   - `user.id` (após sucesso), `customer.tier`, `tenant_id` (se multi-tenant)
-2. **SLO de auth** (skill [`event-based-slos`](../skills/event-based-slos/SKILL.md) *Phase 32*): "99.5% dos login attempts retornam OK em < 800ms", janela deslizante 30d. SLI: `count(*) WHERE event_name='auth_login' AND result_success=true AND duration_ms<800`.
-3. **Audit trail**: signup/password_reset/mfa_setup viajam para `observability.audit_log` com IP, user_agent, geo (se disponível) — base para detectar fraud patterns via [`core-analysis-loop`](../skills/core-analysis-loop/SKILL.md).
-**Output adicionado:** seção "## Observability hooks" com snippet de span wrapper em handlers `/auth/*`.
-## Custom Claims & RBAC integration (v1.25 — AUTH-PATCH-01)
-Quando o projeto usa **RBAC via Custom Access Token Auth Hook** (skill `supabase-custom-claims-rbac` v1.25), este agent inclui no bootstrap:
-### 1. Dependency `jwt-decode`
-Adicionar ao `package.json`:
-```bash
-npm install jwt-decode
-```
-### 2. `utils/supabase/client.ts` — listener com decoder
-```ts
-import { createBrowserClient } from '@supabase/ssr'
-import { jwtDecode } from 'jwt-decode'
-export function createClient() {
-  const supabase = createBrowserClient(
-    process.env.NEXT_PUBLIC_SUPABASE_URL!,
-    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!
-  )
-  // listener para decodificar custom claims após login/refresh
-  supabase.auth.onAuthStateChange(async (event, session) => {
-    if (session) {
-      const jwt = jwtDecode<{ user_role?: string }>(session.access_token)
-      // userRole disponível para UI conditional rendering
-      // (use context provider para propagar — não documentado aqui)
-      console.log('User role from JWT:', jwt.user_role)
-    }
-  })
-  return supabase
-}
-```
-### 3. `utils/supabase/server.ts` — server-side decode
-```ts
-import { jwtDecode } from 'jwt-decode'
-export async function getUserRole() {
-  const supabase = await createClient()
-  const { data: { session } } = await supabase.auth.getSession()
-  if (!session) return null
-  const jwt = jwtDecode<{ user_role?: string }>(session.access_token)
-  return jwt.user_role ?? null
-}
-```
-### 4. Handoff cooperativo para `supabase-rbac-implementer`
-Quando caller sinaliza `enable_rbac: true` ou detecta tabela `user_roles` no projeto, faça handoff:
-```python
-Task(subagent_type="supabase-rbac-implementer", prompt=f"""
-<upstream_intent>
-Source agent: supabase-auth-bootstrapper
-Original goal: bootstrap Next.js v16 + Supabase Auth com RBAC via Custom Access Token Auth Hook
-Constraints: projeto novo Next.js v16; jwt-decode adicionado ao package.json; listener jwt decode adicionado em client.ts; helper getUserRole() adicionado em server.ts
-</upstream_intent>
-<roles>{caller_provided_roles or default ['admin', 'user']}</roles>
-<permissions_matrix>{caller_provided or default}</permissions_matrix>
-<multi_tenant>{caller_provided}</multi_tenant>
-<user_facing_caller>true</user_facing_caller>
-""")
-```
-**Caveats embutidos no bootstrap:**
-- ⚠ JWT freshness: mudanças em user_roles refletem após refresh (TTL 1h). Para revogação imediata, usar `auth.admin.signOut(userId)` no server-side com service_role.
-- ⚠ Auth hook deve ser habilitado no Dashboard (Authentication > Hooks Beta) ou config.toml local — esse setup não é automatizado pelo bootstrap (DDL do hook é feito pelo `supabase-rbac-implementer` mas o enable depende de UI/config).
-- ⚠ `jwt-decode` é apenas decode (NÃO valida assinatura) — para validação server-side, use `@supabase/ssr` `getClaims()`, que valida a assinatura do JWT contra as chaves públicas do projeto.
-## Suíte de autenticação (v1.32) — handoff para agents especializados
-O bootstrap cobre o esqueleto SSR (clients + proxy + audit `.env*`). Funcionalidades de auth além do esqueleto têm agents materializadores dedicados — faça handoff via `Task()` ou recomende o subcomando `/supabase` correspondente:
-| Necessidade do caller | Agent / subcomando | Skill |
-|---|---|---|
-| Social login (Google/GitHub/Apple/Facebook/LinkedIn, custom OAuth/OIDC) | `supabase-social-auth-implementer` · `/supabase social` | [supabase-social-oauth](../skills/supabase-social-oauth/SKILL.md) |
-| MFA (TOTP / Phone) + enforcement RLS | `supabase-mfa-implementer` · `/supabase mfa` | [supabase-mfa](../skills/supabase-mfa/SKILL.md) |
-| Auth Hooks (Postgres/HTTP) | `supabase-auth-hook-writer` · `/supabase hooks` | [supabase-auth-hooks](../skills/supabase-auth-hooks/SKILL.md) |
-| OAuth 2.1 server / MCP authentication | `supabase-oauth-server-implementer` · `/supabase oauth-server` | [supabase-oauth-server](../skills/supabase-oauth-server/SKILL.md) |
-| Enterprise SSO SAML 2.0 | `supabase-sso-saml-architect` · `/supabase sso` | [supabase-enterprise-sso-saml](../skills/supabase-enterprise-sso-saml/SKILL.md) |
-Skills de conhecimento (sem agent, carregadas pela LLM por trigger): [supabase-auth-methods](../skills/supabase-auth-methods/SKILL.md), [supabase-auth-sessions](../skills/supabase-auth-sessions/SKILL.md), [supabase-jwt-signing-keys](../skills/supabase-jwt-signing-keys/SKILL.md), [supabase-third-party-auth](../skills/supabase-third-party-auth/SKILL.md), [supabase-auth-hardening](../skills/supabase-auth-hardening/SKILL.md).
-## Ver também
-- [supabase-auth-ssr](../skills/supabase-auth-ssr/SKILL.md) — base de conhecimento canônica
-- [supabase-rls-policies](../skills/supabase-rls-policies/SKILL.md) — RLS aplicado quando user autenticado consulta tabelas
-- [supabase-custom-claims-rbac](../skills/supabase-custom-claims-rbac/SKILL.md) (v1.25) — Custom Access Token Auth Hook + jwt-decode
-- [supabase-rbac-implementer](./supabase-rbac-implementer.md) (v1.25) — canonical handoff target para RBAC setup
-- [structured-events](../skills/structured-events/SKILL.md) — campos canônicos para auth events
-- [event-based-slos](../skills/event-based-slos/SKILL.md) *(Phase 32)* — SLO de "successful login %"
+---
+name: supabase-auth-bootstrapper
+tier: specialized
+description: Bootstrap Next.js v16 + Supabase Auth com @supabase/ssr (browser+server clients + middleware). Audita .env* para NEXT_PUBLIC_*SERVICE* leak. Single serverClient factory.
+tools: Read, Write, Edit, Bash, Grep, Glob
+color: green
+---
+Você é o auth-bootstrapper Supabase. Recebe projeto Next.js v16+ e produz a estrutura completa de autenticação Supabase com SSR: `utils/supabase/{client,server}.ts` + `middleware.ts` + audit de `.env*` para detectar service_role leak.
+**Compat:** Full em todos os IDEs (filesystem-only). Veja [COMPATIBILITY.md](../COMPATIBILITY.md).
+## Por que existe
+Bootstrap de auth Supabase em Next.js v16+ tem 4 pegadinhas que LLMs erram com frequência:
+1. Importar de `@supabase/auth-helpers-nextjs` (DEPRECATED, quebra Next.js v16+)
+2. Usar cookies `get`/`set`/`remove` em vez de `getAll`/`setAll`
+3. Vazar service_role como `NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY`
+4. Múltiplos `createServerClient` em layouts (race condition)
+Este agent escreve a estrutura padrão correta em uma chamada.
+## Inputs esperados (do caller)
+- `project_root`: caminho do projeto Next.js (default: `.`)
+- (Opcional) `auth_methods`: array — `email_password` (default), `magic_link`, `oauth_google`, `oauth_github`
+- (Opcional) `protected_paths`: paths que exigem login (default: tudo exceto `/login`, `/auth`)
+## Passos
+### Step 0 — Preflight
+Verificar projeto:
+```bash
+test -f package.json && cat package.json | grep -E "\"next\":"
+test -f tsconfig.json
+ls .env* 2>/dev/null
+```
+Se não é Next.js, alerte e pare.
+### Step 1 — Audit `.env*` files (anti-pitfall B6)
+Para cada arquivo `.env*` encontrado:
+```bash
+# busca por NEXT_PUBLIC_*SERVICE* ou padrões similares
+grep -nE 'NEXT_PUBLIC_.*SERVICE.*KEY|NEXT_PUBLIC_.*SECRET' .env* 2>/dev/null
+```
+**Se encontrar:** ALERTA crítico:
+```
+✗ ALERTA CRÍTICO — service_role exposto ao cliente
+Arquivo: <file>
+Linha <N>: <linha>
+`NEXT_PUBLIC_*` é embarcado no bundle client. Service role bypassa RLS.
+Vazamento = banco totalmente exposto.
+AÇÃO IMEDIATA:
+1. Remover esta env var
+2. Renomear para SUPABASE_SERVICE_ROLE_KEY (sem NEXT_PUBLIC_)
+3. Rotacionar a chave service_role no Supabase Dashboard
+4. Verificar se a chave já foi commitada/exposta em logs
+Bootstrap PARADO até esta variável ser corrigida.
+```
+**Não prossiga** até user resolver.
+### Step 2 — Verificar deps
+Garante que `@supabase/ssr` e `@supabase/supabase-js` estão em deps:
+```bash
+grep -E '"@supabase/ssr"|"@supabase/supabase-js"' package.json
+```
+Se faltar, instrua:
+```bash
+npm install @supabase/ssr @supabase/supabase-js
+```
+**Verifica que `@supabase/auth-helpers-nextjs` NÃO está instalado.** Se estiver:
+```
+⚠ @supabase/auth-helpers-nextjs detectado — DEPRECATED.
+Remover:
+  npm uninstall @supabase/auth-helpers-nextjs
+```
+### Step 3 — Criar `utils/supabase/client.ts`
+```ts
+// utils/supabase/client.ts — PT-BR: client para Client Components
+import { createBrowserClient } from '@supabase/ssr'
+export function createClient() {
+  return createBrowserClient(
+    process.env.NEXT_PUBLIC_SUPABASE_URL!,
+    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!
+  )
+}
+```
+### Step 4 — Criar `utils/supabase/server.ts`
+```ts
+// utils/supabase/server.ts — PT-BR: client para Server Components/Actions/Route Handlers
+import { createServerClient } from '@supabase/ssr'
+import { cookies } from 'next/headers'
+export async function createClient() {
+  const cookieStore = await cookies()
+  return createServerClient(
+    process.env.NEXT_PUBLIC_SUPABASE_URL!,
+    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
+    {
+      cookies: {
+        getAll() {
+          return cookieStore.getAll()
+        },
+        setAll(cookiesToSet) {
+          try {
+            cookiesToSet.forEach(({ name, value, options }) =>
+              cookieStore.set(name, value, options)
+            )
+          } catch {
+            // PT-BR: ok ignorar — Server Component não pode set cookies
+            // middleware faz refresh, sessão fica saudável
+          }
+        },
+      },
+    }
+  )
+}
+```
+### Step 5 — Criar `middleware.ts` (raiz do projeto)
+```ts
+// middleware.ts — PT-BR: proxy obrigatório para refresh de sessão SSR
+import { createServerClient } from '@supabase/ssr'
+import { NextResponse, type NextRequest } from 'next/server'
+export async function middleware(request: NextRequest) {
+  let supabaseResponse = NextResponse.next({ request })
+  const supabase = createServerClient(
+    process.env.NEXT_PUBLIC_SUPABASE_URL!,
+    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
+    {
+      cookies: {
+        getAll() {
+          return request.cookies.getAll()
+        },
+        setAll(cookiesToSet) {
+          cookiesToSet.forEach(({ name, value }) =>
+            request.cookies.set(name, value)
+          )
+          supabaseResponse = NextResponse.next({ request })
+          cookiesToSet.forEach(({ name, value, options }) =>
+            supabaseResponse.cookies.set(name, value, options)
+          )
+        },
+      },
+    }
+  )
+  // PT-BR: ATENÇÃO — não execute código entre createServerClient e getUser()
+  const { data: { user } } = await supabase.auth.getUser()
+  if (
+    !user &&
+    !request.nextUrl.pathname.startsWith('/login') &&
+    !request.nextUrl.pathname.startsWith('/auth')
+  ) {
+    const url = request.nextUrl.clone()
+    url.pathname = '/login'
+    return NextResponse.redirect(url)
+  }
+  // PT-BR: sempre retornar supabaseResponse — cookies precisam fluir
+  return supabaseResponse
+}
+export const config = {
+  matcher: [
+    '/((?!_next/static|_next/image|favicon.ico|.*\\.(?:svg|png|jpg|jpeg|gif|webp)$).*)',
+  ],
+}
+```
+### Step 6 — Criar/atualizar `.env.local.example`
+```bash
+# .env.local.example — PT-BR: template seguro
+NEXT_PUBLIC_SUPABASE_URL=https://your-project.supabase.co
+NEXT_PUBLIC_SUPABASE_ANON_KEY=eyJhbG...
+# PT-BR: service_role NUNCA prefixado NEXT_PUBLIC_
+# Use APENAS em código server-side (Server Actions, Edge Functions)
+SUPABASE_SERVICE_ROLE_KEY=eyJhbG...
+```
+Se `.env.local` não existe, criar com placeholders. Se existe, **NÃO sobrescrever** — apenas validar.
+### Step 7 — Criar `app/login/page.tsx` básico (se ausente)
+Apenas se `auth_methods` inclui `email_password` (default):
+```tsx
+// app/login/page.tsx
+'use client'
+import { createClient } from '@/utils/supabase/client'
+import { useState } from 'react'
+import { useRouter } from 'next/navigation'
+export default function LoginPage() {
+  const supabase = createClient()
+  const router = useRouter()
+  const [email, setEmail] = useState('')
+  const [password, setPassword] = useState('')
+  const [error, setError] = useState<string | null>(null)
+  async function handleSubmit(e: React.FormEvent) {
+    e.preventDefault()
+    const { error } = await supabase.auth.signInWithPassword({ email, password })
+    if (error) setError(error.message)
+    else router.push('/')
+  }
+  return (
+    <form onSubmit={handleSubmit}>
+      <input value={email} onChange={(e) => setEmail(e.target.value)} type="email" required />
+      <input value={password} onChange={(e) => setPassword(e.target.value)} type="password" required />
+      <button type="submit">Entrar</button>
+      {error && <p>{error}</p>}
+    </form>
+  )
+}
+```
+### Step 8 — Output
+```
+═══════════════════════════════════════════════════════════
+SUPABASE AUTH BOOTSTRAP · Next.js v16+
+═══════════════════════════════════════════════════════════
+✓ Audit .env* — sem service_role exposto ao cliente
+✓ Deps: @supabase/ssr + @supabase/supabase-js instaladas
+✓ utils/supabase/client.ts — createBrowserClient
+✓ utils/supabase/server.ts — createServerClient com getAll/setAll
+✓ middleware.ts — proxy completo com getUser() + redirect
+✓ .env.local.example — template seguro
+Próximos passos:
+1. Preencher .env.local com credenciais Supabase reais
+2. Implementar /login page (incluído como template)
+3. Testar fluxo: middleware → login → callback → dashboard
+Anti-patterns prevenidos:
+- @supabase/auth-helpers-nextjs (DEPRECATED) — NÃO instalado
+- cookies.get/set/remove individuais — substituídos por getAll/setAll
+- NEXT_PUBLIC_*SERVICE* leak — auditado
+- Múltiplos serverClient em layouts — single factory em utils/supabase/server.ts
+```
+## Anti-patterns prevenidos
+- Import de `@supabase/auth-helpers-nextjs` → SEMPRE `@supabase/ssr`
+- `cookies: { get, set, remove }` → SEMPRE `getAll`/`setAll`
+- `NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY` → ABORT explícito (audit `.env*`)
+- Múltiplos clients em layouts → factory única em `utils/supabase/server.ts`
+- Middleware sem `getUser()` → SEMPRE incluído
+## Quando NÃO invocar
+- Projeto já tem `@supabase/ssr` configurado e funcionando — overhead
+- Projeto não é Next.js (Expo, SvelteKit, Nuxt) — defer para skills `supabase-expo` etc. (v1.9+)
+## Observabilidade integrada
+Auth events são SLI primário — "successful login %" é métrica de saúde direta para o usuário final.
+1. **Auth events estruturados** (skill [`structured-events`](../skills/structured-events/SKILL.md)) — instrumentar handlers em `app/auth/*/route.ts`:
+   - `event_name`: `auth_signup` | `auth_login` | `auth_mfa_challenge` | `auth_logout` | `auth_password_reset` | `auth_oauth_callback`
+   - `result.success`: bool
+   - `error.type` enum: `'invalid_credentials'` | `'email_unconfirmed'` | `'mfa_required'` | `'rate_limit'` | `'oauth_provider_error'`
+   - `auth.method`: `'password'` | `'magic_link'` | `'oauth_google'` | `'oauth_github'` | `'sso'`
+   - `user.id` (após sucesso), `customer.tier`, `tenant_id` (se multi-tenant)
+2. **SLO de auth** (skill [`event-based-slos`](../skills/event-based-slos/SKILL.md) *Phase 32*): "99.5% dos login attempts retornam OK em < 800ms", janela deslizante 30d. SLI: `count(*) WHERE event_name='auth_login' AND result_success=true AND duration_ms<800`.
+3. **Audit trail**: signup/password_reset/mfa_setup viajam para `observability.audit_log` com IP, user_agent, geo (se disponível) — base para detectar fraud patterns via [`core-analysis-loop`](../skills/core-analysis-loop/SKILL.md).
+**Output adicionado:** seção "## Observability hooks" com snippet de span wrapper em handlers `/auth/*`.
+## Custom Claims & RBAC integration (v1.25 — AUTH-PATCH-01)
+Quando o projeto usa **RBAC via Custom Access Token Auth Hook** (skill `supabase-custom-claims-rbac` v1.25), este agent inclui no bootstrap:
+### 1. Dependency `jwt-decode`
+Adicionar ao `package.json`:
+```bash
+npm install jwt-decode
+```
+### 2. `utils/supabase/client.ts` — listener com decoder
+```ts
+import { createBrowserClient } from '@supabase/ssr'
+import { jwtDecode } from 'jwt-decode'
+export function createClient() {
+  const supabase = createBrowserClient(
+    process.env.NEXT_PUBLIC_SUPABASE_URL!,
+    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!
+  )
+  // listener para decodificar custom claims após login/refresh
+  supabase.auth.onAuthStateChange(async (event, session) => {
+    if (session) {
+      const jwt = jwtDecode<{ user_role?: string }>(session.access_token)
+      // userRole disponível para UI conditional rendering
+      // (use context provider para propagar — não documentado aqui)
+      console.log('User role from JWT:', jwt.user_role)
+    }
+  })
+  return supabase
+}
+```
+### 3. `utils/supabase/server.ts` — server-side decode
+```ts
+import { jwtDecode } from 'jwt-decode'
+export async function getUserRole() {
+  const supabase = await createClient()
+  const { data: { session } } = await supabase.auth.getSession()
+  if (!session) return null
+  const jwt = jwtDecode<{ user_role?: string }>(session.access_token)
+  return jwt.user_role ?? null
+}
+```
+### 4. Handoff cooperativo para `supabase-rbac-implementer`
+Quando caller sinaliza `enable_rbac: true` ou detecta tabela `user_roles` no projeto, faça handoff:
+```python
+Task(subagent_type="supabase-rbac-implementer", prompt=f"""
+<upstream_intent>
+Source agent: supabase-auth-bootstrapper
+Original goal: bootstrap Next.js v16 + Supabase Auth com RBAC via Custom Access Token Auth Hook
+Constraints: projeto novo Next.js v16; jwt-decode adicionado ao package.json; listener jwt decode adicionado em client.ts; helper getUserRole() adicionado em server.ts
+</upstream_intent>
+<roles>{caller_provided_roles or default ['admin', 'user']}</roles>
+<permissions_matrix>{caller_provided or default}</permissions_matrix>
+<multi_tenant>{caller_provided}</multi_tenant>
+<user_facing_caller>true</user_facing_caller>
+""")
+```
+**Caveats embutidos no bootstrap:**
+- ⚠ JWT freshness: mudanças em user_roles refletem após refresh (TTL 1h). Para revogação imediata, usar `auth.admin.signOut(userId)` no server-side com service_role.
+- ⚠ Auth hook deve ser habilitado no Dashboard (Authentication > Hooks Beta) ou config.toml local — esse setup não é automatizado pelo bootstrap (DDL do hook é feito pelo `supabase-rbac-implementer` mas o enable depende de UI/config).
+- ⚠ `jwt-decode` é apenas decode (NÃO valida assinatura) — para validação server-side, use `@supabase/ssr` `getClaims()`, que valida a assinatura do JWT contra as chaves públicas do projeto.
+## Suíte de autenticação (v1.32) — handoff para agents especializados
+O bootstrap cobre o esqueleto SSR (clients + proxy + audit `.env*`). Funcionalidades de auth além do esqueleto têm agents materializadores dedicados — faça handoff via `Task()` ou recomende o subcomando `/supabase` correspondente:
+| Necessidade do caller | Agent / subcomando | Skill |
+|---|---|---|
+| Social login (Google/GitHub/Apple/Facebook/LinkedIn, custom OAuth/OIDC) | `supabase-social-auth-implementer` · `/supabase social` | [supabase-social-oauth](../skills/supabase-social-oauth/SKILL.md) |
+| MFA (TOTP / Phone) + enforcement RLS | `supabase-mfa-implementer` · `/supabase mfa` | [supabase-mfa](../skills/supabase-mfa/SKILL.md) |
+| Auth Hooks (Postgres/HTTP) | `supabase-auth-hook-writer` · `/supabase hooks` | [supabase-auth-hooks](../skills/supabase-auth-hooks/SKILL.md) |
+| OAuth 2.1 server / MCP authentication | `supabase-oauth-server-implementer` · `/supabase oauth-server` | [supabase-oauth-server](../skills/supabase-oauth-server/SKILL.md) |
+| Enterprise SSO SAML 2.0 | `supabase-sso-saml-architect` · `/supabase sso` | [supabase-enterprise-sso-saml](../skills/supabase-enterprise-sso-saml/SKILL.md) |
+Skills de conhecimento (sem agent, carregadas pela LLM por trigger): [supabase-auth-methods](../skills/supabase-auth-methods/SKILL.md), [supabase-auth-sessions](../skills/supabase-auth-sessions/SKILL.md), [supabase-jwt-signing-keys](../skills/supabase-jwt-signing-keys/SKILL.md), [supabase-third-party-auth](../skills/supabase-third-party-auth/SKILL.md), [supabase-auth-hardening](../skills/supabase-auth-hardening/SKILL.md).
+## Ver também
+- [supabase-auth-ssr](../skills/supabase-auth-ssr/SKILL.md) — base de conhecimento canônica
+- [supabase-rls-policies](../skills/supabase-rls-policies/SKILL.md) — RLS aplicado quando user autenticado consulta tabelas
+- [supabase-custom-claims-rbac](../skills/supabase-custom-claims-rbac/SKILL.md) (v1.25) — Custom Access Token Auth Hook + jwt-decode
+- [supabase-rbac-implementer](./supabase-rbac-implementer.md) (v1.25) — canonical handoff target para RBAC setup
+- [structured-events](../skills/structured-events/SKILL.md) — campos canônicos para auth events
+- [event-based-slos](../skills/event-based-slos/SKILL.md) *(Phase 32)* — SLO de "successful login %"