npm - @luanpdd/kit-mcp - Versions diffs - 1.33.0 → 1.34.0 - Mend

@luanpdd/kit-mcp 1.33.0 → 1.34.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (376) hide show

package/LICENSE +21 -21
package/README.md +168 -168
package/gates/agent-no-recursive-dispatch.md +84 -84
package/kit/COMANDOS.md +138 -138
package/kit/COMPATIBILITY.md +70 -70
package/kit/README.md +76 -76
package/kit/agents/advisor-researcher.md +109 -109
package/kit/agents/ai-mutation-tester.md +289 -289
package/kit/agents/assumptions-analyzer.md +110 -110
package/kit/agents/audit-log-implementer.md +314 -314
package/kit/agents/auditor-consistencia-isolamento.md +414 -414
package/kit/agents/b2b-saas-architect.md +157 -157
package/kit/agents/burn-rate-forecaster.md +153 -153
package/kit/agents/cascading-failures-auditor.md +299 -299
package/kit/agents/codebase-mapper.md +769 -769
package/kit/agents/crm-pipeline-implementer.md +257 -257
package/kit/agents/debugger.md +814 -814
package/kit/agents/designer-ui.md +216 -216
package/kit/agents/detector-tenant-quente.md +338 -338
package/kit/agents/evolution-go-integrator.md +201 -201
package/kit/agents/example-reviewer.md +22 -22
package/kit/agents/executor.md +565 -565
package/kit/agents/golden-signals-instrumenter.md +232 -232
package/kit/agents/incident-investigator.md +238 -238
package/kit/agents/integration-checker.md +203 -203
package/kit/agents/invite-flow-implementer.md +190 -190
package/kit/agents/legacy-characterizer.md +369 -369
package/kit/agents/lgpd-compliance-auditor.md +296 -296
package/kit/agents/load-shedding-instrumenter.md +290 -290
package/kit/agents/multi-tenant-isolation-auditor.md +254 -254
package/kit/agents/multi-tenant-rls-writer.md +341 -341
package/kit/agents/nyquist-auditor.md +181 -181
package/kit/agents/observability-coverage-auditor.md +316 -316
package/kit/agents/observability-instrumenter.md +191 -191
package/kit/agents/omm-auditor.md +291 -291
package/kit/agents/org-onboarding-implementer.md +224 -224
package/kit/agents/payload-capture-instrumenter.md +274 -274
package/kit/agents/phase-researcher.md +697 -697
package/kit/agents/plan-checker.md +275 -275
package/kit/agents/planner.md +923 -923
package/kit/agents/postmortem-writer.md +273 -273
package/kit/agents/project-researcher.md +653 -653
package/kit/agents/prr-conductor.md +287 -287
package/kit/agents/refactor-safety-auditor.md +405 -405
package/kit/agents/release-pipeline-auditor.md +364 -364
package/kit/agents/research-synthesizer.md +246 -246
package/kit/agents/roadmapper.md +678 -678
package/kit/agents/schema-checker.md +160 -160
package/kit/agents/seam-finder.md +360 -360
package/kit/agents/shotgun-surgery-detector.md +350 -350
package/kit/agents/slo-engineer.md +217 -217
package/kit/agents/storytelling-analyst.md +300 -300
package/kit/agents/supabase-architect.md +249 -249
package/kit/agents/supabase-auth-bootstrapper.md +400 -400
package/kit/agents/supabase-auth-hook-writer.md +418 -418
package/kit/agents/supabase-branching-architect.md +563 -563
package/kit/agents/supabase-cicd-pipeline-implementer.md +778 -778
package/kit/agents/supabase-column-privileges-writer.md +400 -400
package/kit/agents/supabase-edge-fn-tester.md +288 -288
package/kit/agents/supabase-edge-fn-writer.md +341 -341
package/kit/agents/supabase-mfa-implementer.md +439 -439
package/kit/agents/supabase-migration-writer.md +386 -386
package/kit/agents/supabase-oauth-server-implementer.md +507 -507
package/kit/agents/supabase-rbac-implementer.md +393 -393
package/kit/agents/supabase-realtime-implementer.md +364 -364
package/kit/agents/supabase-rls-hardener.md +522 -522
package/kit/agents/supabase-rls-writer.md +324 -324
package/kit/agents/supabase-roles-implementer.md +356 -356
package/kit/agents/supabase-social-auth-implementer.md +451 -451
package/kit/agents/supabase-sso-saml-architect.md +549 -549
package/kit/agents/supabase-storage-implementer.md +407 -407
package/kit/agents/super-admin-implementer.md +282 -282
package/kit/agents/toil-auditor.md +268 -268
package/kit/agents/ui-auditor.md +438 -438
package/kit/agents/ui-checker.md +305 -305
package/kit/agents/ui-researcher.md +356 -356
package/kit/agents/user-profiler.md +176 -176
package/kit/agents/validador-evolucao-schema.md +336 -336
package/kit/agents/verifier.md +729 -729
package/kit/commands/adicionar-backlog.md +75 -75
package/kit/commands/adicionar-fase.md +42 -42
package/kit/commands/adicionar-tarefa.md +45 -45
package/kit/commands/adicionar-testes.md +41 -41
package/kit/commands/ajuda.md +21 -21
package/kit/commands/atualizar.md +37 -37
package/kit/commands/auditar-cascading.md +111 -111
package/kit/commands/auditar-marco.md +179 -179
package/kit/commands/auditar-observabilidade-cobertura-workflow.md +121 -0
package/kit/commands/auditar-observabilidade-cobertura.md +183 -183
package/kit/commands/auditar-refactor.md +219 -219
package/kit/commands/auditar-release.md +109 -109
package/kit/commands/auditar-uat.md +23 -23
package/kit/commands/autonomo.md +40 -40
package/kit/commands/branch-pr.md +24 -24
package/kit/commands/burn-rate-status.md +408 -408
package/kit/commands/capturar-payloads.md +193 -193
package/kit/commands/caracterizar.md +212 -212
package/kit/commands/concluir-marco.md +247 -247
package/kit/commands/configuracoes.md +36 -36
package/kit/commands/dados-distribuidos.md +188 -188
package/kit/commands/definir-perfil.md +10 -10
package/kit/commands/depurar.md +190 -190
package/kit/commands/detectar-duplicacao.md +197 -197
package/kit/commands/discutir-fase.md +131 -131
package/kit/commands/encontrar-seams.md +136 -136
package/kit/commands/entrar-discord.md +17 -17
package/kit/commands/estatisticas.md +18 -18
package/kit/commands/example-greeting.md +33 -33
package/kit/commands/executar-fase.md +58 -58
package/kit/commands/expresso.md +56 -56
package/kit/commands/fase-ui.md +34 -34
package/kit/commands/fazer.md +57 -57
package/kit/commands/fio.md +125 -125
package/kit/commands/fluxos-trabalho.md +64 -64
package/kit/commands/forense.md +176 -176
package/kit/commands/gerenciador.md +38 -38
package/kit/commands/inserir-fase.md +31 -31
package/kit/commands/legacy.md +263 -263
package/kit/commands/limpeza.md +17 -17
package/kit/commands/listar-hipoteses-fase.md +45 -45
package/kit/commands/listar-workspaces.md +18 -18
package/kit/commands/load-shedding.md +117 -117
package/kit/commands/mapear-codebase.md +70 -70
package/kit/commands/multi-tenant.md +163 -163
package/kit/commands/nota.md +33 -33
package/kit/commands/novo-marco.md +43 -43
package/kit/commands/novo-projeto.md +41 -41
package/kit/commands/novo-workspace.md +43 -43
package/kit/commands/pausar-trabalho.md +37 -37
package/kit/commands/perfil-usuario.md +45 -45
package/kit/commands/pesquisar-fase.md +195 -195
package/kit/commands/planejar-fase.md +67 -67
package/kit/commands/planejar-lacunas.md +33 -33
package/kit/commands/plantar-ideia.md +25 -25
package/kit/commands/progresso.md +24 -24
package/kit/commands/proximo.md +30 -30
package/kit/commands/publicar.md +490 -490
package/kit/commands/rapido.md +35 -35
package/kit/commands/reaplicar-patches.md +124 -124
package/kit/commands/refactor-seguro.md +321 -321
package/kit/commands/relatorio-sessao.md +19 -19
package/kit/commands/remover-fase.md +31 -31
package/kit/commands/remover-workspace.md +26 -26
package/kit/commands/resumo-marco.md +50 -50
package/kit/commands/retomar-trabalho.md +40 -40
package/kit/commands/revisar-backlog.md +60 -60
package/kit/commands/revisar-ui.md +32 -32
package/kit/commands/revisar.md +37 -37
package/kit/commands/saude.md +21 -21
package/kit/commands/setup-notion.md +93 -93
package/kit/commands/storytelling.md +179 -179
package/kit/commands/supabase.md +238 -238
package/kit/commands/sync-main.md +68 -68
package/kit/commands/validar-fase.md +35 -35
package/kit/commands/verificar-tarefas.md +44 -44
package/kit/commands/verificar-trabalho.md +64 -64
package/kit/file-manifest.json +13 -11
package/kit/framework/bin/lib/commands.cjs +959 -959
package/kit/framework/bin/lib/config.cjs +442 -442
package/kit/framework/bin/lib/core.cjs +1230 -1230
package/kit/framework/bin/lib/frontmatter.cjs +336 -336
package/kit/framework/bin/lib/init.cjs +1442 -1442
package/kit/framework/bin/lib/milestone.cjs +252 -252
package/kit/framework/bin/lib/model-profiles.cjs +68 -68
package/kit/framework/bin/lib/phase.cjs +888 -888
package/kit/framework/bin/lib/profile-output.cjs +952 -952
package/kit/framework/bin/lib/profile-pipeline.cjs +539 -539
package/kit/framework/bin/lib/roadmap.cjs +329 -329
package/kit/framework/bin/lib/security.cjs +382 -382
package/kit/framework/bin/lib/state.cjs +1031 -1031
package/kit/framework/bin/lib/template.cjs +222 -222
package/kit/framework/bin/lib/uat.cjs +282 -282
package/kit/framework/bin/lib/verify.cjs +888 -888
package/kit/framework/bin/lib/workstream.cjs +491 -491
package/kit/framework/bin/tools.cjs +918 -918
package/kit/framework/commands/workstreams.md +63 -63
package/kit/framework/references/checkpoints.md +778 -778
package/kit/framework/references/continuation-format.md +249 -249
package/kit/framework/references/decimal-phase-calculation.md +64 -64
package/kit/framework/references/git-integration.md +295 -295
package/kit/framework/references/git-planning-commit.md +38 -38
package/kit/framework/references/model-profile-resolution.md +36 -36
package/kit/framework/references/model-profiles.md +139 -139
package/kit/framework/references/phase-argument-parsing.md +61 -61
package/kit/framework/references/planning-config.md +202 -202
package/kit/framework/references/questioning.md +162 -162
package/kit/framework/references/tdd.md +263 -263
package/kit/framework/references/ui-brand.md +160 -160
package/kit/framework/references/user-profiling.md +657 -657
package/kit/framework/references/verification-patterns.md +612 -612
package/kit/framework/references/workstream-flag.md +58 -58
package/kit/framework/templates/DEBUG.md +164 -164
package/kit/framework/templates/UAT.md +265 -265
package/kit/framework/templates/UI-SPEC.md +100 -100
package/kit/framework/templates/VALIDATION.md +76 -76
package/kit/framework/templates/claude-md.md +122 -122
package/kit/framework/templates/codebase/architecture.md +185 -185
package/kit/framework/templates/codebase/concerns.md +205 -205
package/kit/framework/templates/codebase/conventions.md +204 -204
package/kit/framework/templates/codebase/integrations.md +192 -192
package/kit/framework/templates/codebase/stack.md +158 -158
package/kit/framework/templates/codebase/structure.md +199 -199
package/kit/framework/templates/codebase/testing.md +301 -301
package/kit/framework/templates/config.json +44 -44
package/kit/framework/templates/context.md +352 -352
package/kit/framework/templates/continue-here.md +78 -78
package/kit/framework/templates/copilot-instructions.md +7 -7
package/kit/framework/templates/debug-subagent-prompt.md +91 -91
package/kit/framework/templates/dev-preferences.md +20 -20
package/kit/framework/templates/discovery.md +146 -146
package/kit/framework/templates/discussion-log.md +63 -63
package/kit/framework/templates/milestone-archive.md +123 -123
package/kit/framework/templates/milestone.md +115 -115
package/kit/framework/templates/phase-prompt.md +610 -610
package/kit/framework/templates/planner-subagent-prompt.md +117 -117
package/kit/framework/templates/project.md +186 -186
package/kit/framework/templates/requirements.md +231 -231
package/kit/framework/templates/research-project/ARCHITECTURE.md +204 -204
package/kit/framework/templates/research-project/FEATURES.md +147 -147
package/kit/framework/templates/research-project/PITFALLS.md +200 -200
package/kit/framework/templates/research-project/STACK.md +120 -120
package/kit/framework/templates/research-project/SUMMARY.md +170 -170
package/kit/framework/templates/research.md +419 -419
package/kit/framework/templates/retrospective.md +54 -54
package/kit/framework/templates/roadmap.md +202 -202
package/kit/framework/templates/state.md +176 -176
package/kit/framework/templates/summary-complex.md +59 -59
package/kit/framework/templates/summary-minimal.md +41 -41
package/kit/framework/templates/summary-standard.md +48 -48
package/kit/framework/templates/summary.md +209 -209
package/kit/framework/templates/user-profile.md +146 -146
package/kit/framework/templates/user-setup.md +256 -256
package/kit/framework/templates/verification-report.md +258 -258
package/kit/framework/workflows/add-phase.md +112 -112
package/kit/framework/workflows/add-tests.md +351 -351
package/kit/framework/workflows/add-todo.md +158 -158
package/kit/framework/workflows/audit-milestone.md +340 -340
package/kit/framework/workflows/audit-uat.md +109 -109
package/kit/framework/workflows/autonomous.md +891 -891
package/kit/framework/workflows/check-todos.md +177 -177
package/kit/framework/workflows/cleanup.md +152 -152
package/kit/framework/workflows/complete-milestone.md +696 -696
package/kit/framework/workflows/diagnose-issues.md +231 -231
package/kit/framework/workflows/discovery-phase.md +289 -289
package/kit/framework/workflows/discuss-phase-assumptions.md +653 -653
package/kit/framework/workflows/discuss-phase.md +784 -784
package/kit/framework/workflows/do.md +104 -104
package/kit/framework/workflows/execute-phase.md +838 -838
package/kit/framework/workflows/execute-plan.md +510 -510
package/kit/framework/workflows/fast.md +102 -102
package/kit/framework/workflows/forensics.md +265 -265
package/kit/framework/workflows/health.md +181 -181
package/kit/framework/workflows/help.md +619 -619
package/kit/framework/workflows/insert-phase.md +130 -130
package/kit/framework/workflows/list-phase-assumptions.md +178 -178
package/kit/framework/workflows/list-workspaces.md +56 -56
package/kit/framework/workflows/manager.md +362 -362
package/kit/framework/workflows/map-codebase.md +377 -377
package/kit/framework/workflows/milestone-summary.md +223 -223
package/kit/framework/workflows/new-milestone.md +486 -486
package/kit/framework/workflows/new-project.md +1159 -1159
package/kit/framework/workflows/new-workspace.md +237 -237
package/kit/framework/workflows/next.md +97 -97
package/kit/framework/workflows/node-repair.md +92 -92
package/kit/framework/workflows/note.md +156 -156
package/kit/framework/workflows/pause-work.md +176 -176
package/kit/framework/workflows/plan-milestone-gaps.md +273 -273
package/kit/framework/workflows/plan-phase.md +765 -765
package/kit/framework/workflows/plant-seed.md +169 -169
package/kit/framework/workflows/pr-branch.md +129 -129
package/kit/framework/workflows/profile-user.md +450 -450
package/kit/framework/workflows/progress.md +507 -507
package/kit/framework/workflows/quick.md +757 -757
package/kit/framework/workflows/remove-phase.md +155 -155
package/kit/framework/workflows/remove-workspace.md +90 -90
package/kit/framework/workflows/research-phase.md +82 -82
package/kit/framework/workflows/resume-project.md +326 -326
package/kit/framework/workflows/review.md +228 -228
package/kit/framework/workflows/session-report.md +146 -146
package/kit/framework/workflows/settings.md +283 -283
package/kit/framework/workflows/ship.md +228 -228
package/kit/framework/workflows/stats.md +60 -60
package/kit/framework/workflows/transition.md +671 -671
package/kit/framework/workflows/ui-phase.md +302 -302
package/kit/framework/workflows/ui-review.md +165 -165
package/kit/framework/workflows/update.md +323 -323
package/kit/framework/workflows/validate-phase.md +174 -174
package/kit/framework/workflows/verify-phase.md +252 -252
package/kit/framework/workflows/verify-work.md +637 -637
package/kit/hooks/check-update.js +118 -118
package/kit/hooks/context-monitor.js +163 -163
package/kit/hooks/kit-attribution-reminder.cjs +92 -92
package/kit/hooks/kit-router.cjs +137 -137
package/kit/hooks/prompt-guard.js +103 -103
package/kit/hooks/statusline.js +125 -125
package/kit/hooks/workflow-guard.js +101 -101
package/kit/settings.json +45 -45
package/kit/skills/ai-prompt-characterization/SKILL.md +335 -335
package/kit/skills/armadilhas-sistemas-distribuidos/SKILL.md +447 -447
package/kit/skills/audit-log-multi-tenant/SKILL.md +340 -340
package/kit/skills/b2b-saas-architecture/SKILL.md +300 -300
package/kit/skills/consistencia-leitura-replica/SKILL.md +385 -385
package/kit/skills/crm-lead-pipeline-patterns/SKILL.md +343 -343
package/kit/skills/escolha-modelo-consistencia/SKILL.md +494 -494
package/kit/skills/evolucao-schema-compativel/SKILL.md +448 -448
package/kit/skills/evolution-go-whatsapp-integration/SKILL.md +322 -322
package/kit/skills/example-skill/SKILL.md +42 -42
package/kit/skills/legacy-api-only-applications/SKILL.md +358 -358
package/kit/skills/legacy-characterization-tests/SKILL.md +330 -330
package/kit/skills/legacy-effect-analysis/SKILL.md +331 -331
package/kit/skills/legacy-extract-class/SKILL.md +203 -203
package/kit/skills/legacy-programming-by-difference/SKILL.md +252 -252
package/kit/skills/legacy-seams-and-test-harness/SKILL.md +460 -460
package/kit/skills/legacy-shotgun-surgery/SKILL.md +286 -286
package/kit/skills/legacy-sprout-wrap-techniques/SKILL.md +434 -434
package/kit/skills/legacy-storytelling-naked-crc/SKILL.md +270 -270
package/kit/skills/lgpd-multi-tenant-compliance/SKILL.md +340 -340
package/kit/skills/member-invite-flow/SKILL.md +305 -305
package/kit/skills/member-management-react-shadcn/SKILL.md +328 -328
package/kit/skills/multi-tenant-performance-scaling/SKILL.md +316 -316
package/kit/skills/multi-tenant-rls-hierarchy/SKILL.md +342 -342
package/kit/skills/org-onboarding-flow/SKILL.md +257 -257
package/kit/skills/org-switcher-react-pattern/SKILL.md +349 -349
package/kit/skills/permission-gate-react-pattern/SKILL.md +271 -271
package/kit/skills/postgres-isolamento-concorrencia/SKILL.md +552 -552
package/kit/skills/pre-refactor-characterization/SKILL.md +421 -421
package/kit/skills/rbac-permissions-matrix-supabase/SKILL.md +338 -338
package/kit/skills/streams-eventos-cdc/SKILL.md +711 -711
package/kit/skills/supabase-auth-hardening/SKILL.md +674 -674
package/kit/skills/supabase-auth-hooks/SKILL.md +875 -875
package/kit/skills/supabase-auth-methods/SKILL.md +486 -486
package/kit/skills/supabase-auth-sessions/SKILL.md +579 -579
package/kit/skills/supabase-auth-ssr/SKILL.md +306 -306
package/kit/skills/supabase-branching-workflow/SKILL.md +544 -544
package/kit/skills/supabase-ci-cd-github-actions/SKILL.md +880 -880
package/kit/skills/supabase-column-level-security/SKILL.md +426 -426
package/kit/skills/supabase-config-toml-remotes/SKILL.md +807 -807
package/kit/skills/supabase-custom-claims-rbac/SKILL.md +472 -472
package/kit/skills/supabase-edge-functions/SKILL.md +330 -330
package/kit/skills/supabase-edge-functions-auth/SKILL.md +309 -309
package/kit/skills/supabase-edge-functions-limits/SKILL.md +302 -302
package/kit/skills/supabase-edge-functions-mcp-server/SKILL.md +279 -279
package/kit/skills/supabase-edge-functions-testing/SKILL.md +277 -277
package/kit/skills/supabase-edge-runtime-builtins/SKILL.md +357 -357
package/kit/skills/supabase-enterprise-sso-saml/SKILL.md +545 -545
package/kit/skills/supabase-jwt-signing-keys/SKILL.md +399 -399
package/kit/skills/supabase-mfa/SKILL.md +488 -488
package/kit/skills/supabase-migration-repair/SKILL.md +823 -823
package/kit/skills/supabase-migrations/SKILL.md +297 -297
package/kit/skills/supabase-oauth-server/SKILL.md +537 -537
package/kit/skills/supabase-pgtap-testing/SKILL.md +1053 -1053
package/kit/skills/supabase-postgres-roles/SKILL.md +392 -392
package/kit/skills/supabase-realtime/SKILL.md +460 -460
package/kit/skills/supabase-rls-defense-in-depth/SKILL.md +418 -418
package/kit/skills/supabase-rls-policies/SKILL.md +635 -635
package/kit/skills/supabase-social-oauth/SKILL.md +480 -480
package/kit/skills/supabase-third-party-auth/SKILL.md +450 -450
package/kit/skills/super-admin-platform-pattern/SKILL.md +326 -326
package/kit/skills/tenant-quente-mitigacao/SKILL.md +605 -605
package/kit/skills/ui-anti-padroes-ia/SKILL.md +261 -261
package/kit/skills/ui-contexto-produto/SKILL.md +248 -248
package/kit/skills/ui-cor-estrategia/SKILL.md +213 -213
package/kit/skills/ui-critica-auditoria/SKILL.md +260 -260
package/kit/skills/ui-motion-funcional/SKILL.md +264 -264
package/kit/skills/ui-ritmo-espacial/SKILL.md +259 -259
package/kit/skills/ui-tipografia/SKILL.md +211 -211
package/kit/skills/whatsapp-conversation-state-machine/SKILL.md +287 -287
package/kit/workflows/auditar-observabilidade-cobertura.workflow.js +250 -0
package/package.json +65 -63
package/src/core/kit.js +333 -216
package/src/core/reflect.js +247 -247
package/src/core/registry.js +123 -112
package/src/core/reverse-sync.js +448 -372
package/src/core/sync.js +477 -437
package/src/core/watch.js +121 -121
package/src/mcp-server/index.js +794 -794

package/kit/skills/supabase-oauth-server/SKILL.md CHANGED Viewed

@@ -1,537 +1,537 @@
----
-name: supabase-oauth-server
-description: Use ao implementar OAuth 2.1 Server com Supabase como identity provider, incluindo autenticação MCP, PKCE, OIDC, registro de clients e RLS por client_id.
----
-# Supabase — OAuth 2.1 Server (Identity Provider & MCP Auth)
-## Quando usar
-LLM carrega esta skill quando o projeto precisar do **Supabase como identity provider OAuth 2.1 / OIDC** — seja para autenticar agentes de IA via MCP, apps mobile/desktop, developer platforms ou enterprise SSO.
-Trigger phrases:
-- "OAuth 2.1 server Supabase", "Supabase as identity provider"
-- "Sign in with my app", "MCP authentication"
-- "OAuth client registration", "authorization endpoint Supabase"
-- "OIDC server", "supabase.auth.oauth"
-- "Model Context Protocol auth", "agente MCP autenticado"
-- "dynamic client registration Supabase"
-## Princípio canônico
-O Supabase OAuth Server transforma seu projeto Supabase em um **authorization server OAuth 2.1 + OIDC completo**. Em vez de apenas consumir provedores OAuth externos (Google, GitHub), seu app **se torna** o provedor — os usuários fazem login com a sua plataforma.
-**Casos de uso principais:**
-| Caso | Descrição |
-|------|-----------|
-| Developer platform | "Login com MinhaPlatforma" para apps de terceiros |
-| MCP Server auth | Agentes de IA se autenticam como usuários existentes |
-| Apps mobile/desktop | Token-based auth sem secret key exposto |
-| Enterprise SSO | Federar autenticação via OIDC para ferramentas internas |
-**Padrões suportados:**
-- **OAuth 2.1** com PKCE obrigatório (código de autorização + PKCE — fluxo implícito removido na v2.1)
-- **OIDC** — ID tokens, endpoint UserInfo, discovery automático
-- **Scopes**: `openid`, `email`, `profile`, `phone`
-- **Dynamic Client Registration** — clients se registram programaticamente
-- **JWKS** — validação de chaves públicas
-- **Authorization Code + Refresh Token** flows
-## Habilitando o OAuth Server
-### Via Dashboard
-`Authentication > OAuth Server` → habilitar toggle.
-### Via `config.toml` (desenvolvimento local)
-```toml
-[auth.oauth_server]
-enabled = true
-authorization_url_path = "/authorize"       # rota da UI de consentimento no seu app
-allow_dynamic_registration = true           # clients se registram via API
-```
-`authorization_url_path` aponta para a rota do **seu app** que renderiza a UI de consentimento. Supabase redireciona o usuário para lá com `?authorization_id=<uuid>` na URL.
-## Endpoints expostos automaticamente
-| Endpoint | Função |
-|----------|--------|
-| `GET /auth/v1/oauth/authorize` | Inicia o fluxo de autorização |
-| `POST /auth/v1/oauth/token` | Troca code por tokens / refresh |
-| `GET /auth/v1/.well-known/jwks.json` | Chaves públicas para validação de JWT |
-| `GET /auth/v1/.well-known/openid-configuration` | Discovery OIDC |
-| `GET /auth/v1/.well-known/oauth-authorization-server/auth/v1` | Discovery OAuth — **MCP usa este** |
-| `GET /auth/v1/oauth/userinfo` | Dados do usuário autenticado (OIDC) |
-O endpoint de **MCP discovery** (`/auth/v1/.well-known/oauth-authorization-server/auth/v1`) é detectado automaticamente por clientes MCP como o Claude Desktop e implementações FastMCP.
-## Authorization UI — página de consentimento
-Supabase redireciona o browser do usuário para `authorization_url_path?authorization_id=<uuid>`. Você deve criar esta rota no seu app.
-```tsx
-// app/authorize/page.tsx (Next.js App Router)
-import { createClient } from '@/lib/supabase/server'
-interface Props {
-  searchParams: { authorization_id?: string }
-}
-export default async function AuthorizePage({ searchParams }: Props) {
-  const authorizationId = searchParams.authorization_id
-  if (!authorizationId) return <p>Parâmetro inválido.</p>
-  // IMPORTANTE: inicializar client DENTRO do request handler
-  const supabase = await createClient()
-  const { data, error } = await supabase.auth.oauth.getAuthorizationDetails(authorizationId)
-  if (error || !data) return <p>Autorização inválida ou expirada.</p>
-  const { client, scopes } = data
-  return (
-    <div className="max-w-md mx-auto mt-20 p-6 border rounded-lg shadow">
-      <h1 className="text-xl font-bold mb-4">Autorizar acesso</h1>
-      <p className="mb-2">
-        <strong>{client.name}</strong> está solicitando acesso à sua conta.
-      </p>
-      <p className="text-sm text-gray-500 mb-6">
-        Permissões solicitadas: {scopes.join(', ')}
-      </p>
-      <ConsentForm authorizationId={authorizationId} />
-    </div>
-  )
-}
-```
-```tsx
-// app/authorize/ConsentForm.tsx — Client Component
-'use client'
-import { createClient } from '@/lib/supabase/client'
-export function ConsentForm({ authorizationId }: { authorizationId: string }) {
-  const supabase = createClient()
-  async function handleApprove() {
-    const { data, error } = await supabase.auth.oauth.approveAuthorization(authorizationId)
-    if (error) { alert('Erro ao aprovar: ' + error.message); return }
-    // data.redirect_uri — redirecionar o browser para esta URL
-    window.location.href = data.redirect_uri
-  }
-  async function handleDeny() {
-    const { data, error } = await supabase.auth.oauth.denyAuthorization(authorizationId)
-    if (error) { alert('Erro ao negar: ' + error.message); return }
-    window.location.href = data.redirect_uri
-  }
-  return (
-    <div className="flex gap-4">
-      <button onClick={handleApprove} className="btn-primary">Autorizar</button>
-      <button onClick={handleDeny} className="btn-secondary">Negar</button>
-    </div>
-  )
-}
-```
-**Fluxo da UI de consentimento:**
-1. `getAuthorizationDetails(id)` — busca dados do client e scopes solicitados
-2. Renderiza UI para o usuário revisar
-3. `approveAuthorization(id)` → retorna `redirect_uri` com `code` → browser navega
-4. `denyAuthorization(id)` → retorna `redirect_uri` com `error=access_denied`
-## Registro de OAuth Clients
-### Via Admin API (server-side com service_role)
-```ts
-// lib/oauth-clients.ts — executar no backend
-import { createClient } from '@supabase/supabase-js'
-const supabaseAdmin = createClient(
-  process.env.SUPABASE_URL!,
-  process.env.SUPABASE_SERVICE_ROLE_KEY!  // nunca expor no cliente
-)
-// Client público (apps mobile/desktop, MCP servers sem secret)
-const { data: publicClient, error } = await supabaseAdmin.auth.admin.oauth.createClient({
-  name: 'Meu App Mobile',
-  redirect_uris: ['myapp://oauth/callback'],
-  client_type: 'public',                     // sem client_secret
-  token_endpoint_auth_method: 'none',        // PKCE obrigatório
-})
-console.log(publicClient?.client_id)  // sb_publishable_...
-// Client confidencial (server-side apps com secret)
-const { data: confidentialClient } = await supabaseAdmin.auth.admin.oauth.createClient({
-  name: 'API Server Parceiro',
-  redirect_uris: ['https://parceiro.exemplo.com/auth/callback'],
-  client_type: 'confidential',
-  token_endpoint_auth_method: 'client_secret_basic', // ou 'client_secret_post'
-})
-console.log(confidentialClient?.client_id)     // identificador
-console.log(confidentialClient?.client_secret) // guardar com segurança — exibido UMA VEZ
-```
-### Client types
-| Tipo | `token_endpoint_auth_method` | Uso |
-|------|------------------------------|-----|
-| `public` | `none` | Mobile, desktop, MCP, SPA |
-| `confidential` | `client_secret_basic` (padrão) | Server-side |
-| `confidential` | `client_secret_post` | Body params em vez de header |
-## Fluxo Authorization Code + PKCE
-### Passo 1: Gerar PKCE
-```ts
-// utils/pkce.ts
-function base64urlEncode(buffer: ArrayBuffer): string {
-  return btoa(String.fromCharCode(...new Uint8Array(buffer)))
-    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '')
-}
-export async function generatePKCE() {
-  // code_verifier: string aleatório de 43-128 chars
-  const codeVerifier = base64urlEncode(crypto.getRandomValues(new Uint8Array(32)))
-  // code_challenge: SHA-256(code_verifier) em Base64-URL
-  const encoder = new TextEncoder()
-  const data = encoder.encode(codeVerifier)
-  const digest = await crypto.subtle.digest('SHA-256', data)
-  const codeChallenge = base64urlEncode(digest)
-  return { codeVerifier, codeChallenge }
-}
-```
-### Passo 2: Iniciar autorização
-```ts
-const { codeVerifier, codeChallenge } = await generatePKCE()
-// Armazenar code_verifier de forma segura (sessão ou localStorage criptografado)
-sessionStorage.setItem('oauth_code_verifier', codeVerifier)
-const params = new URLSearchParams({
-  response_type: 'code',
-  client_id: 'meu-client-id',
-  redirect_uri: 'https://meuapp.com/auth/callback',
-  scope: 'openid email profile',
-  state: crypto.randomUUID(),         // CSRF protection
-  code_challenge: codeChallenge,
-  code_challenge_method: 'S256',      // único método suportado
-})
-// Redireciona para Supabase
-window.location.href = `${SUPABASE_URL}/auth/v1/oauth/authorize?${params}`
-```
-### Passo 3: Trocar código por tokens (callback)
-```ts
-// app/auth/callback/route.ts
-export async function GET(request: Request) {
-  const url = new URL(request.url)
-  const code = url.searchParams.get('code')
-  const state = url.searchParams.get('state')
-  const codeVerifier = sessionStorage.getItem('oauth_code_verifier')!
-  const tokenResponse = await fetch(`${SUPABASE_URL}/auth/v1/oauth/token`, {
-    method: 'POST',
-    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
-    body: new URLSearchParams({
-      grant_type: 'authorization_code',
-      client_id: 'meu-client-id',
-      code: code!,
-      redirect_uri: 'https://meuapp.com/auth/callback',
-      code_verifier: codeVerifier,    // PKCE — valida o challenge original
-    }),
-  })
-  const tokens = await tokenResponse.json()
-  // tokens.access_token, tokens.refresh_token, tokens.id_token (se openid scope)
-}
-```
-### Passo 4: Refresh Token
-```ts
-const refreshResponse = await fetch(`${SUPABASE_URL}/auth/v1/oauth/token`, {
-  method: 'POST',
-  headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
-  body: new URLSearchParams({
-    grant_type: 'refresh_token',
-    client_id: 'meu-client-id',
-    refresh_token: storedRefreshToken,
-  }),
-})
-```
-## MCP Authentication — Destaque Especial
-Este kit-mcp é em si um **servidor MCP** — esta seção é especialmente relevante.
-### Por que Supabase + MCP funciona
-O protocolo MCP 2025 exige que servidores exponham um endpoint de discovery OAuth compatível com RFC 8414. O Supabase expõe automaticamente:
-```
-GET https://<project>.supabase.co/auth/v1/.well-known/oauth-authorization-server/auth/v1
-```
-Clientes MCP (Claude Desktop, FastMCP, SDK oficial) detectam este endpoint e executam o fluxo OAuth 2.1 automaticamente — sem configuração manual de endpoints.
-### MCP Server com FastMCP autenticado
-```ts
-// server.ts — MCP server com autenticação Supabase OAuth
-import { FastMCP } from 'fastmcp'
-import { createClient } from '@supabase/supabase-js'
-const server = new FastMCP({
-  name: 'meu-mcp-server',
-  version: '1.0.0',
-  // FastMCP detecta o discovery automático do Supabase
-  oauth: {
-    issuer: process.env.SUPABASE_URL + '/auth/v1',
-    clientId: process.env.MCP_OAUTH_CLIENT_ID!,
-    scopes: ['openid', 'email', 'profile'],
-  },
-})
-server.addTool({
-  name: 'get-my-data',
-  description: 'Retorna dados do usuário autenticado',
-  execute: async (args, context) => {
-    // context.accessToken — JWT do usuário autenticado via OAuth
-    const supabase = createClient(
-      process.env.SUPABASE_URL!,
-      process.env.SUPABASE_ANON_KEY!,  // usar sb_publishable_... em novos projetos
-      { global: { headers: { Authorization: `Bearer ${context.accessToken}` } } }
-    )
-    const { data, error } = await supabase.from('my_table').select('*')
-    return data
-  },
-})
-server.start({ transportType: 'stdio' })
-```
-### Registrar o client MCP no Supabase
-```ts
-// scripts/register-mcp-client.ts
-const { data } = await supabaseAdmin.auth.admin.oauth.createClient({
-  name: 'MCP Server - Produção',
-  redirect_uris: ['http://localhost:3333/callback'],  // FastMCP local server
-  client_type: 'public',            // sem secret — PKCE protege
-  token_endpoint_auth_method: 'none',
-})
-console.log('MCP_OAUTH_CLIENT_ID=' + data?.client_id)
-```
-### Dynamic Client Registration (DCR)
-Com `allow_dynamic_registration = true`, clientes MCP se registram automaticamente:
-```bash
-# Clientes chamam este endpoint automaticamente (RFC 7591)
-POST https://<project>.supabase.co/auth/v1/oauth/clients
-Content-Type: application/json
-{
-  "client_name": "Claude Desktop",
-  "redirect_uris": ["http://localhost:63856/callback"],
-  "token_endpoint_auth_method": "none"
-}
-```
-## Access Token Claims
-O access token JWT gerado pelo OAuth Server contém o claim especial `client_id`:
-```json
-{
-  "sub": "user-uuid",
-  "role": "authenticated",
-  "client_id": "meu-client-id",   // identifica QUAL client OAuth emitiu o token
-  "email": "user@exemplo.com",
-  "iat": 1700000000,
-  "exp": 1700003600
-}
-```
-Use `client_id` em políticas RLS para controlar acesso por client OAuth.
-## OIDC — ID Tokens
-Ao incluir o scope `openid`, o token endpoint retorna um `id_token` além do `access_token`.
-**Requisito crítico:** ID tokens **exigem** algoritmo assimétrico (RS256 ou ES256). Configure signing keys assimétricas — veja skill [supabase-jwt-signing-keys](../supabase-jwt-signing-keys/SKILL.md).
-```ts
-// Decodificar ID token (client-side)
-import { jwtDecode } from 'jwt-decode'
-const idTokenClaims = jwtDecode(tokens.id_token)
-// { sub, email, name, picture, phone, iat, exp, aud, iss }
-```
-## Token Security + RLS por client_id
-Scopes controlam **quais dados OIDC** são retornados (email, profile, phone). Scopes **NÃO** controlam acesso ao banco de dados — isso é responsabilidade do RLS.
-Use o claim `client_id` em políticas para separar acesso por client OAuth:
-```sql
--- Conceder acesso apenas a um client OAuth específico
-create policy "Apenas client parceiro pode ler dados_parceiro" on public.dados_parceiro
-  for select to authenticated
-  using (
-    (auth.jwt() ->> 'client_id') = 'client-id-do-parceiro'
-  );
--- Restringir dados sensíveis de qualquer client OAuth
-create policy "Dados financeiros apenas via sessão direta" on public.dados_financeiros
-  for select to authenticated
-  using (
-    -- NULL client_id = sessão direta (não OAuth); presença = token OAuth
-    (auth.jwt() ->> 'client_id') IS NULL
-  );
--- Separar políticas: sessão direta vs qualquer client OAuth
-create policy "Acesso direto ou client autorizado" on public.perfil_publico
-  for select to authenticated
-  using (
-    (auth.jwt() ->> 'client_id') IS NULL                     -- sessão direta
-    OR (auth.jwt() ->> 'client_id') = 'client-aprovado'      -- client OAuth específico
-  );
-```
-## Custom Access Token Hook por client_id
-Use o Auth Hook para personalizar `audience` ou claims com base no `client_id`:
-```sql
-create or replace function public.custom_access_token_hook(event jsonb)
-returns jsonb
-language plpgsql
-stable
-as $$
-declare
-  claims jsonb;
-  client_id text;
-begin
-  claims := event->'claims';
-  client_id := claims ->> 'client_id';
-  -- Adicionar audience específica por client
-  if client_id = 'parceiro-externo-id' then
-    claims := jsonb_set(claims, '{aud}', '"parceiro-externo"');
-    claims := jsonb_set(claims, '{custom_plan}', '"enterprise"');
-  end if;
-  event := jsonb_set(event, '{claims}', claims);
-  return event;
-end;
-$$;
-```
-## Gerenciar Grants do Usuário
-```ts
-// Listar todos os clients OAuth com acesso concedido pelo usuário
-const { data: grants } = await supabase.auth.oauth.getUserGrants()
-// [{ client_id, client_name, scopes, granted_at }]
-// Revogar acesso de um client específico
-const { error } = await supabase.auth.oauth.revokeGrant('client-id-para-revogar')
-```
-## Regras absolutas
-1. **PKCE obrigatório** — OAuth 2.1 remove fluxo implícito; todo client usa `code_challenge_method: 'S256'`
-2. **Signing keys assimétricas (RS256/ES256)** — ID tokens **falham** com HS256; configure antes de habilitar OIDC
-3. **Redirect URIs com match exato** — sem wildcards em produção; cada URI deve ser cadastrada explicitamente
-4. **Nunca expor `service_role` key no cliente** — registro de clients via Admin API é sempre server-side
-5. **Inicializar client Supabase DENTRO do request handler** — nunca em escopo de módulo (vazamento entre requests em Vercel Fluid compute / Edge Functions com conexões reutilizadas)
-6. **RLS com `client_id` controla acesso ao banco** — scopes controlam apenas dados OIDC (email, profile); RLS é a única barreira real para dados do banco
-7. **Separar clients por ambiente** — client de dev ≠ client de produção; redirect URIs não podem cruzar ambientes
-## Anti-patterns
-### Anti-pattern 1: Usar HS256 para ID tokens
-**Errado:**
-```toml
-[auth]
-jwt_secret = "meu-secret-compartilhado"  # HS256 — ID tokens FALHAM
-```
-**Por quê:** a especificação OIDC exige algoritmo assimétrico para ID tokens — HS256 é shared secret e não permite validação por terceiros sem expor o secret. Supabase rejeita ID token com HS256.
-**Certo:** configurar signing key assimétrica (ES256 recomendado) antes de habilitar o OAuth Server com scope `openid`.
-### Anti-pattern 2: Redirect URI com wildcard em produção
-**Errado:**
-```ts
-await supabaseAdmin.auth.admin.oauth.createClient({
-  redirect_uris: ['https://*.meuapp.com/callback'],  // wildcard — BLOQUEADO
-})
-```
-**Por quê:** wildcards em redirect URIs são vetores de open redirect — atacante pode redirecionar o code para domínio controlado.
-**Certo:** listar cada URI explicitamente; para previews Vercel, use allowlist na configuração de auth, não wildcards no client OAuth.
-### Anti-pattern 3: Client Supabase em escopo de módulo
-**Errado:**
-```ts
-// lib/supabase.ts — ERRADO para Edge Functions / Vercel
-const supabase = createClient(URL, KEY)  // escopo de módulo — vaza entre requests
-export default supabase
-```
-**Por quê:** em ambientes serverless com conexões reutilizadas (Vercel Fluid compute, Edge Functions), o client é compartilhado entre requests de usuários diferentes — vazamento de sessão.
-**Certo:** sempre `const supabase = await createClient()` dentro do request handler ou Server Component.
-### Anti-pattern 4: Achar que scopes restringem o banco
-**Errado:**
-```ts
-// developer pensa que scope: 'email' significa "client só acessa emails"
-await supabaseAdmin.auth.admin.oauth.createClient({
-  // ...
-})
-// E não cria nenhuma RLS policy — ERRO: client acessa TODO o banco
-```
-**Por quê:** scopes em OAuth controlam apenas quais claims OIDC (email, phone, profile) o `id_token`/`userinfo` retorna. O `access_token` tem role `authenticated` e acessa o banco segundo as RLS policies — não tem restrição automática por scope.
-**Certo:** sempre escrever RLS policies usando `(auth.jwt() ->> 'client_id')` para controlar quais clients acessam quais tabelas.
-## Ver também
-- [supabase-jwt-signing-keys](../supabase-jwt-signing-keys/SKILL.md) — configurar ES256/RS256 antes de habilitar OIDC
-- [supabase-auth-hooks](../supabase-auth-hooks/SKILL.md) — Custom Access Token Hook para claims por client_id
-- [supabase-rls-policies](../supabase-rls-policies/SKILL.md) — patterns RLS com claim client_id
-- [supabase-edge-functions-mcp-server](../supabase-edge-functions-mcp-server/SKILL.md) — MCP server em Edge Functions
-- [supabase-oauth-server-implementer](../../agents/supabase-oauth-server-implementer.md) — agente que materializa setup completo
-- [supabase-auth-ssr](../supabase-auth-ssr/SKILL.md) — @supabase/ssr e getClaims() no servidor
+---
+name: supabase-oauth-server
+description: Use ao implementar OAuth 2.1 Server com Supabase como identity provider, incluindo autenticação MCP, PKCE, OIDC, registro de clients e RLS por client_id.
+---
+# Supabase — OAuth 2.1 Server (Identity Provider & MCP Auth)
+## Quando usar
+LLM carrega esta skill quando o projeto precisar do **Supabase como identity provider OAuth 2.1 / OIDC** — seja para autenticar agentes de IA via MCP, apps mobile/desktop, developer platforms ou enterprise SSO.
+Trigger phrases:
+- "OAuth 2.1 server Supabase", "Supabase as identity provider"
+- "Sign in with my app", "MCP authentication"
+- "OAuth client registration", "authorization endpoint Supabase"
+- "OIDC server", "supabase.auth.oauth"
+- "Model Context Protocol auth", "agente MCP autenticado"
+- "dynamic client registration Supabase"
+## Princípio canônico
+O Supabase OAuth Server transforma seu projeto Supabase em um **authorization server OAuth 2.1 + OIDC completo**. Em vez de apenas consumir provedores OAuth externos (Google, GitHub), seu app **se torna** o provedor — os usuários fazem login com a sua plataforma.
+**Casos de uso principais:**
+| Caso | Descrição |
+|------|-----------|
+| Developer platform | "Login com MinhaPlatforma" para apps de terceiros |
+| MCP Server auth | Agentes de IA se autenticam como usuários existentes |
+| Apps mobile/desktop | Token-based auth sem secret key exposto |
+| Enterprise SSO | Federar autenticação via OIDC para ferramentas internas |
+**Padrões suportados:**
+- **OAuth 2.1** com PKCE obrigatório (código de autorização + PKCE — fluxo implícito removido na v2.1)
+- **OIDC** — ID tokens, endpoint UserInfo, discovery automático
+- **Scopes**: `openid`, `email`, `profile`, `phone`
+- **Dynamic Client Registration** — clients se registram programaticamente
+- **JWKS** — validação de chaves públicas
+- **Authorization Code + Refresh Token** flows
+## Habilitando o OAuth Server
+### Via Dashboard
+`Authentication > OAuth Server` → habilitar toggle.
+### Via `config.toml` (desenvolvimento local)
+```toml
+[auth.oauth_server]
+enabled = true
+authorization_url_path = "/authorize"       # rota da UI de consentimento no seu app
+allow_dynamic_registration = true           # clients se registram via API
+```
+`authorization_url_path` aponta para a rota do **seu app** que renderiza a UI de consentimento. Supabase redireciona o usuário para lá com `?authorization_id=<uuid>` na URL.
+## Endpoints expostos automaticamente
+| Endpoint | Função |
+|----------|--------|
+| `GET /auth/v1/oauth/authorize` | Inicia o fluxo de autorização |
+| `POST /auth/v1/oauth/token` | Troca code por tokens / refresh |
+| `GET /auth/v1/.well-known/jwks.json` | Chaves públicas para validação de JWT |
+| `GET /auth/v1/.well-known/openid-configuration` | Discovery OIDC |
+| `GET /auth/v1/.well-known/oauth-authorization-server/auth/v1` | Discovery OAuth — **MCP usa este** |
+| `GET /auth/v1/oauth/userinfo` | Dados do usuário autenticado (OIDC) |
+O endpoint de **MCP discovery** (`/auth/v1/.well-known/oauth-authorization-server/auth/v1`) é detectado automaticamente por clientes MCP como o Claude Desktop e implementações FastMCP.
+## Authorization UI — página de consentimento
+Supabase redireciona o browser do usuário para `authorization_url_path?authorization_id=<uuid>`. Você deve criar esta rota no seu app.
+```tsx
+// app/authorize/page.tsx (Next.js App Router)
+import { createClient } from '@/lib/supabase/server'
+interface Props {
+  searchParams: { authorization_id?: string }
+}
+export default async function AuthorizePage({ searchParams }: Props) {
+  const authorizationId = searchParams.authorization_id
+  if (!authorizationId) return <p>Parâmetro inválido.</p>
+  // IMPORTANTE: inicializar client DENTRO do request handler
+  const supabase = await createClient()
+  const { data, error } = await supabase.auth.oauth.getAuthorizationDetails(authorizationId)
+  if (error || !data) return <p>Autorização inválida ou expirada.</p>
+  const { client, scopes } = data
+  return (
+    <div className="max-w-md mx-auto mt-20 p-6 border rounded-lg shadow">
+      <h1 className="text-xl font-bold mb-4">Autorizar acesso</h1>
+      <p className="mb-2">
+        <strong>{client.name}</strong> está solicitando acesso à sua conta.
+      </p>
+      <p className="text-sm text-gray-500 mb-6">
+        Permissões solicitadas: {scopes.join(', ')}
+      </p>
+      <ConsentForm authorizationId={authorizationId} />
+    </div>
+  )
+}
+```
+```tsx
+// app/authorize/ConsentForm.tsx — Client Component
+'use client'
+import { createClient } from '@/lib/supabase/client'
+export function ConsentForm({ authorizationId }: { authorizationId: string }) {
+  const supabase = createClient()
+  async function handleApprove() {
+    const { data, error } = await supabase.auth.oauth.approveAuthorization(authorizationId)
+    if (error) { alert('Erro ao aprovar: ' + error.message); return }
+    // data.redirect_uri — redirecionar o browser para esta URL
+    window.location.href = data.redirect_uri
+  }
+  async function handleDeny() {
+    const { data, error } = await supabase.auth.oauth.denyAuthorization(authorizationId)
+    if (error) { alert('Erro ao negar: ' + error.message); return }
+    window.location.href = data.redirect_uri
+  }
+  return (
+    <div className="flex gap-4">
+      <button onClick={handleApprove} className="btn-primary">Autorizar</button>
+      <button onClick={handleDeny} className="btn-secondary">Negar</button>
+    </div>
+  )
+}
+```
+**Fluxo da UI de consentimento:**
+1. `getAuthorizationDetails(id)` — busca dados do client e scopes solicitados
+2. Renderiza UI para o usuário revisar
+3. `approveAuthorization(id)` → retorna `redirect_uri` com `code` → browser navega
+4. `denyAuthorization(id)` → retorna `redirect_uri` com `error=access_denied`
+## Registro de OAuth Clients
+### Via Admin API (server-side com service_role)
+```ts
+// lib/oauth-clients.ts — executar no backend
+import { createClient } from '@supabase/supabase-js'
+const supabaseAdmin = createClient(
+  process.env.SUPABASE_URL!,
+  process.env.SUPABASE_SERVICE_ROLE_KEY!  // nunca expor no cliente
+)
+// Client público (apps mobile/desktop, MCP servers sem secret)
+const { data: publicClient, error } = await supabaseAdmin.auth.admin.oauth.createClient({
+  name: 'Meu App Mobile',
+  redirect_uris: ['myapp://oauth/callback'],
+  client_type: 'public',                     // sem client_secret
+  token_endpoint_auth_method: 'none',        // PKCE obrigatório
+})
+console.log(publicClient?.client_id)  // sb_publishable_...
+// Client confidencial (server-side apps com secret)
+const { data: confidentialClient } = await supabaseAdmin.auth.admin.oauth.createClient({
+  name: 'API Server Parceiro',
+  redirect_uris: ['https://parceiro.exemplo.com/auth/callback'],
+  client_type: 'confidential',
+  token_endpoint_auth_method: 'client_secret_basic', // ou 'client_secret_post'
+})
+console.log(confidentialClient?.client_id)     // identificador
+console.log(confidentialClient?.client_secret) // guardar com segurança — exibido UMA VEZ
+```
+### Client types
+| Tipo | `token_endpoint_auth_method` | Uso |
+|------|------------------------------|-----|
+| `public` | `none` | Mobile, desktop, MCP, SPA |
+| `confidential` | `client_secret_basic` (padrão) | Server-side |
+| `confidential` | `client_secret_post` | Body params em vez de header |
+## Fluxo Authorization Code + PKCE
+### Passo 1: Gerar PKCE
+```ts
+// utils/pkce.ts
+function base64urlEncode(buffer: ArrayBuffer): string {
+  return btoa(String.fromCharCode(...new Uint8Array(buffer)))
+    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '')
+}
+export async function generatePKCE() {
+  // code_verifier: string aleatório de 43-128 chars
+  const codeVerifier = base64urlEncode(crypto.getRandomValues(new Uint8Array(32)))
+  // code_challenge: SHA-256(code_verifier) em Base64-URL
+  const encoder = new TextEncoder()
+  const data = encoder.encode(codeVerifier)
+  const digest = await crypto.subtle.digest('SHA-256', data)
+  const codeChallenge = base64urlEncode(digest)
+  return { codeVerifier, codeChallenge }
+}
+```
+### Passo 2: Iniciar autorização
+```ts
+const { codeVerifier, codeChallenge } = await generatePKCE()
+// Armazenar code_verifier de forma segura (sessão ou localStorage criptografado)
+sessionStorage.setItem('oauth_code_verifier', codeVerifier)
+const params = new URLSearchParams({
+  response_type: 'code',
+  client_id: 'meu-client-id',
+  redirect_uri: 'https://meuapp.com/auth/callback',
+  scope: 'openid email profile',
+  state: crypto.randomUUID(),         // CSRF protection
+  code_challenge: codeChallenge,
+  code_challenge_method: 'S256',      // único método suportado
+})
+// Redireciona para Supabase
+window.location.href = `${SUPABASE_URL}/auth/v1/oauth/authorize?${params}`
+```
+### Passo 3: Trocar código por tokens (callback)
+```ts
+// app/auth/callback/route.ts
+export async function GET(request: Request) {
+  const url = new URL(request.url)
+  const code = url.searchParams.get('code')
+  const state = url.searchParams.get('state')
+  const codeVerifier = sessionStorage.getItem('oauth_code_verifier')!
+  const tokenResponse = await fetch(`${SUPABASE_URL}/auth/v1/oauth/token`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+    body: new URLSearchParams({
+      grant_type: 'authorization_code',
+      client_id: 'meu-client-id',
+      code: code!,
+      redirect_uri: 'https://meuapp.com/auth/callback',
+      code_verifier: codeVerifier,    // PKCE — valida o challenge original
+    }),
+  })
+  const tokens = await tokenResponse.json()
+  // tokens.access_token, tokens.refresh_token, tokens.id_token (se openid scope)
+}
+```
+### Passo 4: Refresh Token
+```ts
+const refreshResponse = await fetch(`${SUPABASE_URL}/auth/v1/oauth/token`, {
+  method: 'POST',
+  headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+  body: new URLSearchParams({
+    grant_type: 'refresh_token',
+    client_id: 'meu-client-id',
+    refresh_token: storedRefreshToken,
+  }),
+})
+```
+## MCP Authentication — Destaque Especial
+Este kit-mcp é em si um **servidor MCP** — esta seção é especialmente relevante.
+### Por que Supabase + MCP funciona
+O protocolo MCP 2025 exige que servidores exponham um endpoint de discovery OAuth compatível com RFC 8414. O Supabase expõe automaticamente:
+```
+GET https://<project>.supabase.co/auth/v1/.well-known/oauth-authorization-server/auth/v1
+```
+Clientes MCP (Claude Desktop, FastMCP, SDK oficial) detectam este endpoint e executam o fluxo OAuth 2.1 automaticamente — sem configuração manual de endpoints.
+### MCP Server com FastMCP autenticado
+```ts
+// server.ts — MCP server com autenticação Supabase OAuth
+import { FastMCP } from 'fastmcp'
+import { createClient } from '@supabase/supabase-js'
+const server = new FastMCP({
+  name: 'meu-mcp-server',
+  version: '1.0.0',
+  // FastMCP detecta o discovery automático do Supabase
+  oauth: {
+    issuer: process.env.SUPABASE_URL + '/auth/v1',
+    clientId: process.env.MCP_OAUTH_CLIENT_ID!,
+    scopes: ['openid', 'email', 'profile'],
+  },
+})
+server.addTool({
+  name: 'get-my-data',
+  description: 'Retorna dados do usuário autenticado',
+  execute: async (args, context) => {
+    // context.accessToken — JWT do usuário autenticado via OAuth
+    const supabase = createClient(
+      process.env.SUPABASE_URL!,
+      process.env.SUPABASE_ANON_KEY!,  // usar sb_publishable_... em novos projetos
+      { global: { headers: { Authorization: `Bearer ${context.accessToken}` } } }
+    )
+    const { data, error } = await supabase.from('my_table').select('*')
+    return data
+  },
+})
+server.start({ transportType: 'stdio' })
+```
+### Registrar o client MCP no Supabase
+```ts
+// scripts/register-mcp-client.ts
+const { data } = await supabaseAdmin.auth.admin.oauth.createClient({
+  name: 'MCP Server - Produção',
+  redirect_uris: ['http://localhost:3333/callback'],  // FastMCP local server
+  client_type: 'public',            // sem secret — PKCE protege
+  token_endpoint_auth_method: 'none',
+})
+console.log('MCP_OAUTH_CLIENT_ID=' + data?.client_id)
+```
+### Dynamic Client Registration (DCR)
+Com `allow_dynamic_registration = true`, clientes MCP se registram automaticamente:
+```bash
+# Clientes chamam este endpoint automaticamente (RFC 7591)
+POST https://<project>.supabase.co/auth/v1/oauth/clients
+Content-Type: application/json
+{
+  "client_name": "Claude Desktop",
+  "redirect_uris": ["http://localhost:63856/callback"],
+  "token_endpoint_auth_method": "none"
+}
+```
+## Access Token Claims
+O access token JWT gerado pelo OAuth Server contém o claim especial `client_id`:
+```json
+{
+  "sub": "user-uuid",
+  "role": "authenticated",
+  "client_id": "meu-client-id",   // identifica QUAL client OAuth emitiu o token
+  "email": "user@exemplo.com",
+  "iat": 1700000000,
+  "exp": 1700003600
+}
+```
+Use `client_id` em políticas RLS para controlar acesso por client OAuth.
+## OIDC — ID Tokens
+Ao incluir o scope `openid`, o token endpoint retorna um `id_token` além do `access_token`.
+**Requisito crítico:** ID tokens **exigem** algoritmo assimétrico (RS256 ou ES256). Configure signing keys assimétricas — veja skill [supabase-jwt-signing-keys](../supabase-jwt-signing-keys/SKILL.md).
+```ts
+// Decodificar ID token (client-side)
+import { jwtDecode } from 'jwt-decode'
+const idTokenClaims = jwtDecode(tokens.id_token)
+// { sub, email, name, picture, phone, iat, exp, aud, iss }
+```
+## Token Security + RLS por client_id
+Scopes controlam **quais dados OIDC** são retornados (email, profile, phone). Scopes **NÃO** controlam acesso ao banco de dados — isso é responsabilidade do RLS.
+Use o claim `client_id` em políticas para separar acesso por client OAuth:
+```sql
+-- Conceder acesso apenas a um client OAuth específico
+create policy "Apenas client parceiro pode ler dados_parceiro" on public.dados_parceiro
+  for select to authenticated
+  using (
+    (auth.jwt() ->> 'client_id') = 'client-id-do-parceiro'
+  );
+-- Restringir dados sensíveis de qualquer client OAuth
+create policy "Dados financeiros apenas via sessão direta" on public.dados_financeiros
+  for select to authenticated
+  using (
+    -- NULL client_id = sessão direta (não OAuth); presença = token OAuth
+    (auth.jwt() ->> 'client_id') IS NULL
+  );
+-- Separar políticas: sessão direta vs qualquer client OAuth
+create policy "Acesso direto ou client autorizado" on public.perfil_publico
+  for select to authenticated
+  using (
+    (auth.jwt() ->> 'client_id') IS NULL                     -- sessão direta
+    OR (auth.jwt() ->> 'client_id') = 'client-aprovado'      -- client OAuth específico
+  );
+```
+## Custom Access Token Hook por client_id
+Use o Auth Hook para personalizar `audience` ou claims com base no `client_id`:
+```sql
+create or replace function public.custom_access_token_hook(event jsonb)
+returns jsonb
+language plpgsql
+stable
+as $$
+declare
+  claims jsonb;
+  client_id text;
+begin
+  claims := event->'claims';
+  client_id := claims ->> 'client_id';
+  -- Adicionar audience específica por client
+  if client_id = 'parceiro-externo-id' then
+    claims := jsonb_set(claims, '{aud}', '"parceiro-externo"');
+    claims := jsonb_set(claims, '{custom_plan}', '"enterprise"');
+  end if;
+  event := jsonb_set(event, '{claims}', claims);
+  return event;
+end;
+$$;
+```
+## Gerenciar Grants do Usuário
+```ts
+// Listar todos os clients OAuth com acesso concedido pelo usuário
+const { data: grants } = await supabase.auth.oauth.getUserGrants()
+// [{ client_id, client_name, scopes, granted_at }]
+// Revogar acesso de um client específico
+const { error } = await supabase.auth.oauth.revokeGrant('client-id-para-revogar')
+```
+## Regras absolutas
+1. **PKCE obrigatório** — OAuth 2.1 remove fluxo implícito; todo client usa `code_challenge_method: 'S256'`
+2. **Signing keys assimétricas (RS256/ES256)** — ID tokens **falham** com HS256; configure antes de habilitar OIDC
+3. **Redirect URIs com match exato** — sem wildcards em produção; cada URI deve ser cadastrada explicitamente
+4. **Nunca expor `service_role` key no cliente** — registro de clients via Admin API é sempre server-side
+5. **Inicializar client Supabase DENTRO do request handler** — nunca em escopo de módulo (vazamento entre requests em Vercel Fluid compute / Edge Functions com conexões reutilizadas)
+6. **RLS com `client_id` controla acesso ao banco** — scopes controlam apenas dados OIDC (email, profile); RLS é a única barreira real para dados do banco
+7. **Separar clients por ambiente** — client de dev ≠ client de produção; redirect URIs não podem cruzar ambientes
+## Anti-patterns
+### Anti-pattern 1: Usar HS256 para ID tokens
+**Errado:**
+```toml
+[auth]
+jwt_secret = "meu-secret-compartilhado"  # HS256 — ID tokens FALHAM
+```
+**Por quê:** a especificação OIDC exige algoritmo assimétrico para ID tokens — HS256 é shared secret e não permite validação por terceiros sem expor o secret. Supabase rejeita ID token com HS256.
+**Certo:** configurar signing key assimétrica (ES256 recomendado) antes de habilitar o OAuth Server com scope `openid`.
+### Anti-pattern 2: Redirect URI com wildcard em produção
+**Errado:**
+```ts
+await supabaseAdmin.auth.admin.oauth.createClient({
+  redirect_uris: ['https://*.meuapp.com/callback'],  // wildcard — BLOQUEADO
+})
+```
+**Por quê:** wildcards em redirect URIs são vetores de open redirect — atacante pode redirecionar o code para domínio controlado.
+**Certo:** listar cada URI explicitamente; para previews Vercel, use allowlist na configuração de auth, não wildcards no client OAuth.
+### Anti-pattern 3: Client Supabase em escopo de módulo
+**Errado:**
+```ts
+// lib/supabase.ts — ERRADO para Edge Functions / Vercel
+const supabase = createClient(URL, KEY)  // escopo de módulo — vaza entre requests
+export default supabase
+```
+**Por quê:** em ambientes serverless com conexões reutilizadas (Vercel Fluid compute, Edge Functions), o client é compartilhado entre requests de usuários diferentes — vazamento de sessão.
+**Certo:** sempre `const supabase = await createClient()` dentro do request handler ou Server Component.
+### Anti-pattern 4: Achar que scopes restringem o banco
+**Errado:**
+```ts
+// developer pensa que scope: 'email' significa "client só acessa emails"
+await supabaseAdmin.auth.admin.oauth.createClient({
+  // ...
+})
+// E não cria nenhuma RLS policy — ERRO: client acessa TODO o banco
+```
+**Por quê:** scopes em OAuth controlam apenas quais claims OIDC (email, phone, profile) o `id_token`/`userinfo` retorna. O `access_token` tem role `authenticated` e acessa o banco segundo as RLS policies — não tem restrição automática por scope.
+**Certo:** sempre escrever RLS policies usando `(auth.jwt() ->> 'client_id')` para controlar quais clients acessam quais tabelas.
+## Ver também
+- [supabase-jwt-signing-keys](../supabase-jwt-signing-keys/SKILL.md) — configurar ES256/RS256 antes de habilitar OIDC
+- [supabase-auth-hooks](../supabase-auth-hooks/SKILL.md) — Custom Access Token Hook para claims por client_id
+- [supabase-rls-policies](../supabase-rls-policies/SKILL.md) — patterns RLS com claim client_id
+- [supabase-edge-functions-mcp-server](../supabase-edge-functions-mcp-server/SKILL.md) — MCP server em Edge Functions
+- [supabase-oauth-server-implementer](../../agents/supabase-oauth-server-implementer.md) — agente que materializa setup completo
+- [supabase-auth-ssr](../supabase-auth-ssr/SKILL.md) — @supabase/ssr e getClaims() no servidor