@luanpdd/kit-mcp 1.33.0 → 1.35.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (379) hide show
  1. package/LICENSE +21 -21
  2. package/README.md +168 -168
  3. package/gates/agent-no-recursive-dispatch.md +84 -84
  4. package/kit/COMANDOS.md +138 -138
  5. package/kit/COMPATIBILITY.md +70 -70
  6. package/kit/README.md +76 -76
  7. package/kit/agents/advisor-researcher.md +109 -109
  8. package/kit/agents/ai-mutation-tester.md +289 -289
  9. package/kit/agents/assumptions-analyzer.md +110 -110
  10. package/kit/agents/audit-log-implementer.md +314 -314
  11. package/kit/agents/auditor-consistencia-isolamento.md +414 -414
  12. package/kit/agents/b2b-saas-architect.md +157 -157
  13. package/kit/agents/burn-rate-forecaster.md +153 -153
  14. package/kit/agents/cascading-failures-auditor.md +299 -299
  15. package/kit/agents/codebase-mapper.md +769 -769
  16. package/kit/agents/crm-pipeline-implementer.md +257 -257
  17. package/kit/agents/debugger.md +814 -814
  18. package/kit/agents/designer-ui.md +216 -216
  19. package/kit/agents/detector-tenant-quente.md +338 -338
  20. package/kit/agents/evolution-go-integrator.md +201 -201
  21. package/kit/agents/example-reviewer.md +22 -22
  22. package/kit/agents/executor.md +565 -565
  23. package/kit/agents/golden-signals-instrumenter.md +232 -232
  24. package/kit/agents/incident-investigator.md +238 -238
  25. package/kit/agents/integration-checker.md +203 -203
  26. package/kit/agents/invite-flow-implementer.md +190 -190
  27. package/kit/agents/legacy-characterizer.md +369 -369
  28. package/kit/agents/lgpd-compliance-auditor.md +296 -296
  29. package/kit/agents/load-shedding-instrumenter.md +290 -290
  30. package/kit/agents/multi-tenant-isolation-auditor.md +254 -254
  31. package/kit/agents/multi-tenant-rls-writer.md +341 -341
  32. package/kit/agents/nyquist-auditor.md +181 -181
  33. package/kit/agents/observability-coverage-auditor.md +316 -316
  34. package/kit/agents/observability-instrumenter.md +191 -191
  35. package/kit/agents/omm-auditor.md +291 -291
  36. package/kit/agents/org-onboarding-implementer.md +224 -224
  37. package/kit/agents/payload-capture-instrumenter.md +274 -274
  38. package/kit/agents/phase-researcher.md +697 -697
  39. package/kit/agents/plan-checker.md +275 -275
  40. package/kit/agents/planner.md +923 -923
  41. package/kit/agents/postmortem-writer.md +273 -273
  42. package/kit/agents/project-researcher.md +653 -653
  43. package/kit/agents/prr-conductor.md +287 -287
  44. package/kit/agents/refactor-safety-auditor.md +405 -405
  45. package/kit/agents/release-pipeline-auditor.md +364 -364
  46. package/kit/agents/research-synthesizer.md +246 -246
  47. package/kit/agents/roadmapper.md +678 -678
  48. package/kit/agents/schema-checker.md +160 -160
  49. package/kit/agents/seam-finder.md +360 -360
  50. package/kit/agents/shotgun-surgery-detector.md +350 -350
  51. package/kit/agents/slo-engineer.md +217 -217
  52. package/kit/agents/storytelling-analyst.md +300 -300
  53. package/kit/agents/supabase-architect.md +249 -249
  54. package/kit/agents/supabase-auth-bootstrapper.md +400 -400
  55. package/kit/agents/supabase-auth-hook-writer.md +418 -418
  56. package/kit/agents/supabase-branching-architect.md +563 -563
  57. package/kit/agents/supabase-cicd-pipeline-implementer.md +778 -778
  58. package/kit/agents/supabase-column-privileges-writer.md +400 -400
  59. package/kit/agents/supabase-edge-fn-tester.md +288 -288
  60. package/kit/agents/supabase-edge-fn-writer.md +341 -341
  61. package/kit/agents/supabase-mfa-implementer.md +439 -439
  62. package/kit/agents/supabase-migration-writer.md +386 -386
  63. package/kit/agents/supabase-oauth-server-implementer.md +507 -507
  64. package/kit/agents/supabase-rbac-implementer.md +393 -393
  65. package/kit/agents/supabase-realtime-implementer.md +364 -364
  66. package/kit/agents/supabase-rls-hardener.md +522 -522
  67. package/kit/agents/supabase-rls-writer.md +324 -324
  68. package/kit/agents/supabase-roles-implementer.md +356 -356
  69. package/kit/agents/supabase-social-auth-implementer.md +451 -451
  70. package/kit/agents/supabase-sso-saml-architect.md +549 -549
  71. package/kit/agents/supabase-storage-implementer.md +407 -407
  72. package/kit/agents/super-admin-implementer.md +282 -282
  73. package/kit/agents/toil-auditor.md +268 -268
  74. package/kit/agents/ui-auditor.md +438 -438
  75. package/kit/agents/ui-checker.md +305 -305
  76. package/kit/agents/ui-researcher.md +356 -356
  77. package/kit/agents/user-profiler.md +176 -176
  78. package/kit/agents/validador-evolucao-schema.md +336 -336
  79. package/kit/agents/verifier.md +729 -729
  80. package/kit/agents/workflow-generator.md +167 -0
  81. package/kit/commands/adicionar-backlog.md +75 -75
  82. package/kit/commands/adicionar-fase.md +42 -42
  83. package/kit/commands/adicionar-tarefa.md +45 -45
  84. package/kit/commands/adicionar-testes.md +41 -41
  85. package/kit/commands/ajuda.md +21 -21
  86. package/kit/commands/atualizar.md +37 -37
  87. package/kit/commands/auditar-cascading.md +111 -111
  88. package/kit/commands/auditar-marco.md +179 -179
  89. package/kit/commands/auditar-observabilidade-cobertura-workflow.md +121 -0
  90. package/kit/commands/auditar-observabilidade-cobertura.md +183 -183
  91. package/kit/commands/auditar-refactor.md +219 -219
  92. package/kit/commands/auditar-release.md +109 -109
  93. package/kit/commands/auditar-uat.md +23 -23
  94. package/kit/commands/autonomo.md +40 -40
  95. package/kit/commands/branch-pr.md +24 -24
  96. package/kit/commands/burn-rate-status.md +408 -408
  97. package/kit/commands/capturar-payloads.md +193 -193
  98. package/kit/commands/caracterizar.md +212 -212
  99. package/kit/commands/concluir-marco.md +247 -247
  100. package/kit/commands/configuracoes.md +36 -36
  101. package/kit/commands/criar-workflow.md +158 -0
  102. package/kit/commands/dados-distribuidos.md +188 -188
  103. package/kit/commands/definir-perfil.md +10 -10
  104. package/kit/commands/depurar.md +190 -190
  105. package/kit/commands/detectar-duplicacao.md +197 -197
  106. package/kit/commands/discutir-fase.md +131 -131
  107. package/kit/commands/encontrar-seams.md +136 -136
  108. package/kit/commands/entrar-discord.md +17 -17
  109. package/kit/commands/estatisticas.md +18 -18
  110. package/kit/commands/example-greeting.md +33 -33
  111. package/kit/commands/executar-fase.md +58 -58
  112. package/kit/commands/expresso.md +56 -56
  113. package/kit/commands/fase-ui.md +34 -34
  114. package/kit/commands/fazer.md +57 -57
  115. package/kit/commands/fio.md +125 -125
  116. package/kit/commands/fluxos-trabalho.md +64 -64
  117. package/kit/commands/forense.md +176 -176
  118. package/kit/commands/gerenciador.md +38 -38
  119. package/kit/commands/inserir-fase.md +31 -31
  120. package/kit/commands/legacy.md +263 -263
  121. package/kit/commands/limpeza.md +17 -17
  122. package/kit/commands/listar-hipoteses-fase.md +45 -45
  123. package/kit/commands/listar-workspaces.md +18 -18
  124. package/kit/commands/load-shedding.md +117 -117
  125. package/kit/commands/mapear-codebase.md +70 -70
  126. package/kit/commands/multi-tenant.md +163 -163
  127. package/kit/commands/nota.md +33 -33
  128. package/kit/commands/novo-marco.md +43 -43
  129. package/kit/commands/novo-projeto.md +41 -41
  130. package/kit/commands/novo-workspace.md +43 -43
  131. package/kit/commands/pausar-trabalho.md +37 -37
  132. package/kit/commands/perfil-usuario.md +45 -45
  133. package/kit/commands/pesquisar-fase.md +195 -195
  134. package/kit/commands/planejar-fase.md +67 -67
  135. package/kit/commands/planejar-lacunas.md +33 -33
  136. package/kit/commands/plantar-ideia.md +25 -25
  137. package/kit/commands/progresso.md +24 -24
  138. package/kit/commands/proximo.md +30 -30
  139. package/kit/commands/publicar.md +490 -490
  140. package/kit/commands/rapido.md +35 -35
  141. package/kit/commands/reaplicar-patches.md +124 -124
  142. package/kit/commands/refactor-seguro.md +321 -321
  143. package/kit/commands/relatorio-sessao.md +19 -19
  144. package/kit/commands/remover-fase.md +31 -31
  145. package/kit/commands/remover-workspace.md +26 -26
  146. package/kit/commands/resumo-marco.md +50 -50
  147. package/kit/commands/retomar-trabalho.md +40 -40
  148. package/kit/commands/revisar-backlog.md +60 -60
  149. package/kit/commands/revisar-ui.md +32 -32
  150. package/kit/commands/revisar.md +37 -37
  151. package/kit/commands/saude.md +21 -21
  152. package/kit/commands/setup-notion.md +93 -93
  153. package/kit/commands/storytelling.md +179 -179
  154. package/kit/commands/supabase.md +238 -238
  155. package/kit/commands/sync-main.md +68 -68
  156. package/kit/commands/validar-fase.md +35 -35
  157. package/kit/commands/verificar-tarefas.md +44 -44
  158. package/kit/commands/verificar-trabalho.md +64 -64
  159. package/kit/file-manifest.json +424 -419
  160. package/kit/framework/bin/lib/commands.cjs +959 -959
  161. package/kit/framework/bin/lib/config.cjs +442 -442
  162. package/kit/framework/bin/lib/core.cjs +1230 -1230
  163. package/kit/framework/bin/lib/frontmatter.cjs +336 -336
  164. package/kit/framework/bin/lib/init.cjs +1442 -1442
  165. package/kit/framework/bin/lib/milestone.cjs +252 -252
  166. package/kit/framework/bin/lib/model-profiles.cjs +68 -68
  167. package/kit/framework/bin/lib/phase.cjs +888 -888
  168. package/kit/framework/bin/lib/profile-output.cjs +952 -952
  169. package/kit/framework/bin/lib/profile-pipeline.cjs +539 -539
  170. package/kit/framework/bin/lib/roadmap.cjs +329 -329
  171. package/kit/framework/bin/lib/security.cjs +382 -382
  172. package/kit/framework/bin/lib/state.cjs +1031 -1031
  173. package/kit/framework/bin/lib/template.cjs +222 -222
  174. package/kit/framework/bin/lib/uat.cjs +282 -282
  175. package/kit/framework/bin/lib/verify.cjs +888 -888
  176. package/kit/framework/bin/lib/workstream.cjs +491 -491
  177. package/kit/framework/bin/tools.cjs +918 -918
  178. package/kit/framework/commands/workstreams.md +63 -63
  179. package/kit/framework/references/checkpoints.md +778 -778
  180. package/kit/framework/references/continuation-format.md +249 -249
  181. package/kit/framework/references/decimal-phase-calculation.md +64 -64
  182. package/kit/framework/references/git-integration.md +295 -295
  183. package/kit/framework/references/git-planning-commit.md +38 -38
  184. package/kit/framework/references/model-profile-resolution.md +36 -36
  185. package/kit/framework/references/model-profiles.md +139 -139
  186. package/kit/framework/references/phase-argument-parsing.md +61 -61
  187. package/kit/framework/references/planning-config.md +202 -202
  188. package/kit/framework/references/questioning.md +162 -162
  189. package/kit/framework/references/tdd.md +263 -263
  190. package/kit/framework/references/ui-brand.md +160 -160
  191. package/kit/framework/references/user-profiling.md +657 -657
  192. package/kit/framework/references/verification-patterns.md +612 -612
  193. package/kit/framework/references/workstream-flag.md +58 -58
  194. package/kit/framework/templates/DEBUG.md +164 -164
  195. package/kit/framework/templates/UAT.md +265 -265
  196. package/kit/framework/templates/UI-SPEC.md +100 -100
  197. package/kit/framework/templates/VALIDATION.md +76 -76
  198. package/kit/framework/templates/claude-md.md +122 -122
  199. package/kit/framework/templates/codebase/architecture.md +185 -185
  200. package/kit/framework/templates/codebase/concerns.md +205 -205
  201. package/kit/framework/templates/codebase/conventions.md +204 -204
  202. package/kit/framework/templates/codebase/integrations.md +192 -192
  203. package/kit/framework/templates/codebase/stack.md +158 -158
  204. package/kit/framework/templates/codebase/structure.md +199 -199
  205. package/kit/framework/templates/codebase/testing.md +301 -301
  206. package/kit/framework/templates/config.json +44 -44
  207. package/kit/framework/templates/context.md +352 -352
  208. package/kit/framework/templates/continue-here.md +78 -78
  209. package/kit/framework/templates/copilot-instructions.md +7 -7
  210. package/kit/framework/templates/debug-subagent-prompt.md +91 -91
  211. package/kit/framework/templates/dev-preferences.md +20 -20
  212. package/kit/framework/templates/discovery.md +146 -146
  213. package/kit/framework/templates/discussion-log.md +63 -63
  214. package/kit/framework/templates/milestone-archive.md +123 -123
  215. package/kit/framework/templates/milestone.md +115 -115
  216. package/kit/framework/templates/phase-prompt.md +610 -610
  217. package/kit/framework/templates/planner-subagent-prompt.md +117 -117
  218. package/kit/framework/templates/project.md +186 -186
  219. package/kit/framework/templates/requirements.md +231 -231
  220. package/kit/framework/templates/research-project/ARCHITECTURE.md +204 -204
  221. package/kit/framework/templates/research-project/FEATURES.md +147 -147
  222. package/kit/framework/templates/research-project/PITFALLS.md +200 -200
  223. package/kit/framework/templates/research-project/STACK.md +120 -120
  224. package/kit/framework/templates/research-project/SUMMARY.md +170 -170
  225. package/kit/framework/templates/research.md +419 -419
  226. package/kit/framework/templates/retrospective.md +54 -54
  227. package/kit/framework/templates/roadmap.md +202 -202
  228. package/kit/framework/templates/state.md +176 -176
  229. package/kit/framework/templates/summary-complex.md +59 -59
  230. package/kit/framework/templates/summary-minimal.md +41 -41
  231. package/kit/framework/templates/summary-standard.md +48 -48
  232. package/kit/framework/templates/summary.md +209 -209
  233. package/kit/framework/templates/user-profile.md +146 -146
  234. package/kit/framework/templates/user-setup.md +256 -256
  235. package/kit/framework/templates/verification-report.md +258 -258
  236. package/kit/framework/workflows/add-phase.md +112 -112
  237. package/kit/framework/workflows/add-tests.md +351 -351
  238. package/kit/framework/workflows/add-todo.md +158 -158
  239. package/kit/framework/workflows/audit-milestone.md +340 -340
  240. package/kit/framework/workflows/audit-uat.md +109 -109
  241. package/kit/framework/workflows/autonomous.md +891 -891
  242. package/kit/framework/workflows/check-todos.md +177 -177
  243. package/kit/framework/workflows/cleanup.md +152 -152
  244. package/kit/framework/workflows/complete-milestone.md +696 -696
  245. package/kit/framework/workflows/diagnose-issues.md +231 -231
  246. package/kit/framework/workflows/discovery-phase.md +289 -289
  247. package/kit/framework/workflows/discuss-phase-assumptions.md +653 -653
  248. package/kit/framework/workflows/discuss-phase.md +784 -784
  249. package/kit/framework/workflows/do.md +104 -104
  250. package/kit/framework/workflows/execute-phase.md +838 -838
  251. package/kit/framework/workflows/execute-plan.md +510 -510
  252. package/kit/framework/workflows/fast.md +102 -102
  253. package/kit/framework/workflows/forensics.md +265 -265
  254. package/kit/framework/workflows/health.md +181 -181
  255. package/kit/framework/workflows/help.md +619 -619
  256. package/kit/framework/workflows/insert-phase.md +130 -130
  257. package/kit/framework/workflows/list-phase-assumptions.md +178 -178
  258. package/kit/framework/workflows/list-workspaces.md +56 -56
  259. package/kit/framework/workflows/manager.md +362 -362
  260. package/kit/framework/workflows/map-codebase.md +377 -377
  261. package/kit/framework/workflows/milestone-summary.md +223 -223
  262. package/kit/framework/workflows/new-milestone.md +486 -486
  263. package/kit/framework/workflows/new-project.md +1159 -1159
  264. package/kit/framework/workflows/new-workspace.md +237 -237
  265. package/kit/framework/workflows/next.md +97 -97
  266. package/kit/framework/workflows/node-repair.md +92 -92
  267. package/kit/framework/workflows/note.md +156 -156
  268. package/kit/framework/workflows/pause-work.md +176 -176
  269. package/kit/framework/workflows/plan-milestone-gaps.md +273 -273
  270. package/kit/framework/workflows/plan-phase.md +765 -765
  271. package/kit/framework/workflows/plant-seed.md +169 -169
  272. package/kit/framework/workflows/pr-branch.md +129 -129
  273. package/kit/framework/workflows/profile-user.md +450 -450
  274. package/kit/framework/workflows/progress.md +507 -507
  275. package/kit/framework/workflows/quick.md +757 -757
  276. package/kit/framework/workflows/remove-phase.md +155 -155
  277. package/kit/framework/workflows/remove-workspace.md +90 -90
  278. package/kit/framework/workflows/research-phase.md +82 -82
  279. package/kit/framework/workflows/resume-project.md +326 -326
  280. package/kit/framework/workflows/review.md +228 -228
  281. package/kit/framework/workflows/session-report.md +146 -146
  282. package/kit/framework/workflows/settings.md +283 -283
  283. package/kit/framework/workflows/ship.md +228 -228
  284. package/kit/framework/workflows/stats.md +60 -60
  285. package/kit/framework/workflows/transition.md +671 -671
  286. package/kit/framework/workflows/ui-phase.md +302 -302
  287. package/kit/framework/workflows/ui-review.md +165 -165
  288. package/kit/framework/workflows/update.md +323 -323
  289. package/kit/framework/workflows/validate-phase.md +174 -174
  290. package/kit/framework/workflows/verify-phase.md +252 -252
  291. package/kit/framework/workflows/verify-work.md +637 -637
  292. package/kit/hooks/check-update.js +118 -118
  293. package/kit/hooks/context-monitor.js +163 -163
  294. package/kit/hooks/kit-attribution-reminder.cjs +92 -92
  295. package/kit/hooks/kit-router.cjs +137 -137
  296. package/kit/hooks/prompt-guard.js +103 -103
  297. package/kit/hooks/statusline.js +125 -125
  298. package/kit/hooks/workflow-guard.js +101 -101
  299. package/kit/settings.json +45 -45
  300. package/kit/skills/ai-prompt-characterization/SKILL.md +335 -335
  301. package/kit/skills/armadilhas-sistemas-distribuidos/SKILL.md +447 -447
  302. package/kit/skills/audit-log-multi-tenant/SKILL.md +340 -340
  303. package/kit/skills/b2b-saas-architecture/SKILL.md +300 -300
  304. package/kit/skills/consistencia-leitura-replica/SKILL.md +385 -385
  305. package/kit/skills/crm-lead-pipeline-patterns/SKILL.md +343 -343
  306. package/kit/skills/dynamic-workflow-authoring/SKILL.md +223 -0
  307. package/kit/skills/escolha-modelo-consistencia/SKILL.md +494 -494
  308. package/kit/skills/evolucao-schema-compativel/SKILL.md +448 -448
  309. package/kit/skills/evolution-go-whatsapp-integration/SKILL.md +322 -322
  310. package/kit/skills/example-skill/SKILL.md +42 -42
  311. package/kit/skills/legacy-api-only-applications/SKILL.md +358 -358
  312. package/kit/skills/legacy-characterization-tests/SKILL.md +330 -330
  313. package/kit/skills/legacy-effect-analysis/SKILL.md +331 -331
  314. package/kit/skills/legacy-extract-class/SKILL.md +203 -203
  315. package/kit/skills/legacy-programming-by-difference/SKILL.md +252 -252
  316. package/kit/skills/legacy-seams-and-test-harness/SKILL.md +460 -460
  317. package/kit/skills/legacy-shotgun-surgery/SKILL.md +286 -286
  318. package/kit/skills/legacy-sprout-wrap-techniques/SKILL.md +434 -434
  319. package/kit/skills/legacy-storytelling-naked-crc/SKILL.md +270 -270
  320. package/kit/skills/lgpd-multi-tenant-compliance/SKILL.md +340 -340
  321. package/kit/skills/member-invite-flow/SKILL.md +305 -305
  322. package/kit/skills/member-management-react-shadcn/SKILL.md +328 -328
  323. package/kit/skills/multi-tenant-performance-scaling/SKILL.md +316 -316
  324. package/kit/skills/multi-tenant-rls-hierarchy/SKILL.md +342 -342
  325. package/kit/skills/org-onboarding-flow/SKILL.md +257 -257
  326. package/kit/skills/org-switcher-react-pattern/SKILL.md +349 -349
  327. package/kit/skills/permission-gate-react-pattern/SKILL.md +271 -271
  328. package/kit/skills/postgres-isolamento-concorrencia/SKILL.md +552 -552
  329. package/kit/skills/pre-refactor-characterization/SKILL.md +421 -421
  330. package/kit/skills/rbac-permissions-matrix-supabase/SKILL.md +338 -338
  331. package/kit/skills/streams-eventos-cdc/SKILL.md +711 -711
  332. package/kit/skills/supabase-auth-hardening/SKILL.md +674 -674
  333. package/kit/skills/supabase-auth-hooks/SKILL.md +875 -875
  334. package/kit/skills/supabase-auth-methods/SKILL.md +486 -486
  335. package/kit/skills/supabase-auth-sessions/SKILL.md +579 -579
  336. package/kit/skills/supabase-auth-ssr/SKILL.md +306 -306
  337. package/kit/skills/supabase-branching-workflow/SKILL.md +544 -544
  338. package/kit/skills/supabase-ci-cd-github-actions/SKILL.md +880 -880
  339. package/kit/skills/supabase-column-level-security/SKILL.md +426 -426
  340. package/kit/skills/supabase-config-toml-remotes/SKILL.md +807 -807
  341. package/kit/skills/supabase-custom-claims-rbac/SKILL.md +472 -472
  342. package/kit/skills/supabase-edge-functions/SKILL.md +330 -330
  343. package/kit/skills/supabase-edge-functions-auth/SKILL.md +309 -309
  344. package/kit/skills/supabase-edge-functions-limits/SKILL.md +302 -302
  345. package/kit/skills/supabase-edge-functions-mcp-server/SKILL.md +279 -279
  346. package/kit/skills/supabase-edge-functions-testing/SKILL.md +277 -277
  347. package/kit/skills/supabase-edge-runtime-builtins/SKILL.md +357 -357
  348. package/kit/skills/supabase-enterprise-sso-saml/SKILL.md +545 -545
  349. package/kit/skills/supabase-jwt-signing-keys/SKILL.md +399 -399
  350. package/kit/skills/supabase-mfa/SKILL.md +488 -488
  351. package/kit/skills/supabase-migration-repair/SKILL.md +823 -823
  352. package/kit/skills/supabase-migrations/SKILL.md +297 -297
  353. package/kit/skills/supabase-oauth-server/SKILL.md +537 -537
  354. package/kit/skills/supabase-pgtap-testing/SKILL.md +1053 -1053
  355. package/kit/skills/supabase-postgres-roles/SKILL.md +392 -392
  356. package/kit/skills/supabase-realtime/SKILL.md +460 -460
  357. package/kit/skills/supabase-rls-defense-in-depth/SKILL.md +418 -418
  358. package/kit/skills/supabase-rls-policies/SKILL.md +635 -635
  359. package/kit/skills/supabase-social-oauth/SKILL.md +480 -480
  360. package/kit/skills/supabase-third-party-auth/SKILL.md +450 -450
  361. package/kit/skills/super-admin-platform-pattern/SKILL.md +326 -326
  362. package/kit/skills/tenant-quente-mitigacao/SKILL.md +605 -605
  363. package/kit/skills/ui-anti-padroes-ia/SKILL.md +261 -261
  364. package/kit/skills/ui-contexto-produto/SKILL.md +248 -248
  365. package/kit/skills/ui-cor-estrategia/SKILL.md +213 -213
  366. package/kit/skills/ui-critica-auditoria/SKILL.md +260 -260
  367. package/kit/skills/ui-motion-funcional/SKILL.md +264 -264
  368. package/kit/skills/ui-ritmo-espacial/SKILL.md +259 -259
  369. package/kit/skills/ui-tipografia/SKILL.md +211 -211
  370. package/kit/skills/whatsapp-conversation-state-machine/SKILL.md +287 -287
  371. package/kit/workflows/auditar-observabilidade-cobertura.workflow.js +250 -0
  372. package/package.json +65 -63
  373. package/src/core/kit.js +333 -216
  374. package/src/core/reflect.js +247 -247
  375. package/src/core/registry.js +123 -112
  376. package/src/core/reverse-sync.js +448 -372
  377. package/src/core/sync.js +477 -437
  378. package/src/core/watch.js +121 -121
  379. package/src/mcp-server/index.js +794 -794
package/kit/skills/supabase-postgres-roles/SKILL.md CHANGED
@@ -1,392 +1,392 @@
1
- ---
2
- name: supabase-postgres-roles
3
- description: Use ao gerenciar Postgres roles em Supabase — system access (cron jobs, BI tools, ETL, admin scripts). Distinção canônica vs RLS+Custom Claims (application access).
4
- ---
5
-
6
- # Supabase — Postgres Roles
7
-
8
- ## Quando usar (e quando NÃO usar)
9
-
10
- Postgres roles gerenciam acesso ao banco — **system access** (service accounts internos, cron jobs, BI tools, ETL, admin scripts).
11
-
12
- **Use Postgres roles APENAS para:**
13
-
14
- - ✅ Service accounts internos (cron jobs com pg_cron, BI tools como Metabase, ETL scripts)
15
- - ✅ Admin roles com BYPASSRLS (`security_admin`, `dpo_role`, `lead_manager`, `platform_admin`)
16
- - ✅ Roles para column-level GRANTs específicos (cross-ref skill `supabase-column-level-security` v1.24)
17
- - ✅ Custom roles que substituem service_role key em scripts (auditabilidade superior)
18
-
19
- **NÃO use Postgres roles para:**
20
-
21
- - ❌ "Admin vs user" application access → use **RLS + Custom Claims** (skill `supabase-custom-claims-rbac` v1.25)
22
- - ❌ Filtrar dados por linha → use **RLS row-level** (skill `supabase-rls-policies` v1.23)
23
- - ❌ Filtrar dados por coluna → use **Column-Level Privileges** (skill `supabase-column-level-security` v1.24)
24
- - ❌ Substituir auth.users (auth.users é gerenciado pelo Supabase Auth — não criar roles para end-users)
25
-
26
- Trigger phrases:
27
-
28
- - "create role Postgres", "custom Postgres role"
29
- - "role hierarchy", "INHERIT NOINHERIT"
30
- - "GRANT REVOKE Postgres"
31
- - "service account Supabase", "cron job role"
32
- - "Postgres roles vs RLS"
33
-
34
- ## Distinção canônica
35
-
36
- | | Application Access | System Access |
37
- |---|---|---|
38
- | Mecanismo | RLS + Custom Claims | Postgres Roles |
39
- | Quem é o "user" | End-user via JWT (`auth.uid()`) | Service account interno |
40
- | Identidade | JWT claim (`user_role`) | Postgres role login |
41
- | Permissions | Granular por linha/coluna | Per tabela/schema/function |
42
- | Audit trail | RLS denial logs (42501) | pg_stat_statements por role |
43
- | Example | "User admin pode deletar messages" | "Cron job pode SELECT em todas tabs para backup" |
44
-
45
- ## Princípio canônico
46
-
47
- Roles vs Users:
48
-
49
- - **Role** = entidade Postgres que pode ter permissions
50
- - **User** = role com `LOGIN` privilege (pode autenticar via senha)
51
- - **Group** = role sem `LOGIN` (usado para herança de permissions)
52
-
53
- ```sql
54
- -- group role (sem LOGIN — usado para hierarchy)
55
- create role "readonly_group";
56
-
57
- -- user role (com LOGIN — service account)
58
- create role "readonly_user" with login password 'extremely_secure_pwd';
59
-
60
- -- user role inherita do group
61
- grant readonly_group to readonly_user;
62
- -- agora readonly_user tem todas permissions do readonly_group
63
- ```
64
-
65
- ## Pattern 1: CREATE ROLE básico
66
-
67
- ### Group role (sem LOGIN)
68
-
69
- ```sql
70
- create role "billing_group";
71
- -- usado apenas como container de permissions; não pode logar
72
- ```
73
-
74
- ### User role (com LOGIN PASSWORD)
75
-
76
- ```sql
77
- create role "billing_service" with login password 'p4ss-w0rd!sup3r_s3cur3';
78
- ```
79
-
80
- **Password best practices (canônico):**
81
-
82
- 1. **12+ characters mínimo** — quanto mais longo, melhor
83
- 2. **Use password manager** para gerar (Bitwarden, 1Password, etc.)
84
- 3. **Mix upper + lower + numbers + special symbols** (`! @ # $ % &`)
85
- 4. **NÃO use dictionary words** comuns
86
- 5. **Roteie via secrets vault** — nunca hardcode em git
87
-
88
- ### Caveat — Percent-encoding em connection string
89
-
90
- Special symbols em password precisam ser **percent-encoded** quando usados em connection string:
91
-
92
- ```
93
- ANTES (raw password): p=ssword
94
- DEPOIS (em URL): p%3Dssword
95
-
96
- Connection string:
97
- postgresql://postgres.projectref:p%3Dssword@aws-0-us-east-1.pooler.supabase.com:6543/postgres
98
- ```
99
-
100
- Tabela de encoding canônica:
101
-
102
- | Char | Encoded |
103
- |------|---------|
104
- | `=` | `%3D` |
105
- | `&` | `%26` |
106
- | `+` | `%2B` |
107
- | `#` | `%23` |
108
- | `:` | `%3A` |
109
- | `/` | `%2F` |
110
- | `@` | `%40` |
111
- | `space` | `%20` |
112
-
113
- ## Pattern 2: GRANT / REVOKE permissions
114
-
115
- GRANT canônico:
116
-
117
- ```sql
118
- -- permission em schema completo
119
- grant usage on schema public to billing_service;
120
- grant select on all tables in schema public to billing_service;
121
-
122
- -- permission em tabela específica
123
- grant select, insert on table public.invoices to billing_service;
124
-
125
- -- permission em função específica
126
- grant execute on function public.calculate_total(uuid) to billing_service;
127
-
128
- -- permission em sequence (necessário para INSERT em tabelas com SERIAL/BIGSERIAL)
129
- grant usage on sequence public.invoices_id_seq to billing_service;
130
- ```
131
-
132
- REVOKE canônico:
133
-
134
- ```sql
135
- revoke select on table public.invoices from billing_service;
136
- revoke execute on function public.calculate_total(uuid) from billing_service;
137
- ```
138
-
139
- **Caveat — Default privileges para novos objetos:**
140
-
141
- GRANT em "all tables" só cobre tabelas **existentes**. Para tabelas futuras criadas no schema, use `ALTER DEFAULT PRIVILEGES`:
142
-
143
- ```sql
144
- -- todas tabelas futuras criadas em public terão SELECT GRANT para billing_service
145
- alter default privileges in schema public
146
- grant select on tables to billing_service;
147
- ```
148
-
149
- ## Pattern 3: Role Hierarchy (INHERIT / NOINHERIT)
150
-
151
- INHERIT (default): child role herda permissions do parent.
152
-
153
- ```sql
154
- -- group com permissions base
155
- create role "readers";
156
- grant select on all tables in schema public to readers;
157
-
158
- -- user inherita
159
- create role "alice" with login password 'pwd1';
160
- grant readers to alice;
161
- -- alice agora tem SELECT em todas tabelas public (via readers)
162
-
163
- -- multi-level hierarchy
164
- create role "admins";
165
- grant readers to admins; -- admins inherita de readers
166
- grant insert, update, delete on all tables in schema public to admins;
167
-
168
- create role "bob" with login password 'pwd2';
169
- grant admins to bob;
170
- -- bob inherita de admins (que inherita de readers) — full CRUD em public
171
- ```
172
-
173
- NOINHERIT: child role tem que **explicitamente** assumir parent role para usar permissions.
174
-
175
- ```sql
176
- create role "superuser_proxy" noinherit;
177
- grant postgres to superuser_proxy;
178
-
179
- -- Para usar permissions de postgres, superuser_proxy precisa SET ROLE:
180
- set role postgres;
181
- -- agora opera como postgres
182
- reset role;
183
- ```
184
-
185
- **Quando usar NOINHERIT:**
186
-
187
- - Roles superuser (postgres) — exigir SET ROLE explícito como guard
188
- - Audit trail mais claro (queries mostram a role ativa)
189
- - Princípio canônico: opt-in explícito em vez de implícito
190
-
191
- ## 10 Predefined Supabase Roles (documentação)
192
-
193
- Supabase configura 10 roles automaticamente em todo projeto. **Não criar substitutos** — documentar e usar conforme apropriado.
194
-
195
- ### `postgres`
196
- **Tipo:** Admin/superuser. **Quando usar:** scripts de admin via dashboard ou psql direto.
197
- **NUNCA:** dar password ao third-party ou expor.
198
-
199
- ### `anon`
200
- **Tipo:** Public unauthenticated. **Quando usar:** requests sem JWT (cliente deslogado).
201
- **Caveat:** `anon` Postgres role ≠ anonymous Auth user (cross-ref skill `supabase-rls-policies` v1.23).
202
-
203
- ### `authenticator`
204
- **Tipo:** PostgREST switch role. **Quando usar:** internal — PostgREST recebe JWT, valida, e switches para `anon` ou `authenticated` baseado em claims.
205
- **Caveat:** acesso muito limitado — apenas SWITCH ROLE.
206
-
207
- ### `authenticated`
208
- **Tipo:** Logged-in users. **Quando usar:** requests com JWT válido (autenticado).
209
-
210
- ### `service_role`
211
- **Tipo:** Bypass RLS. **Quando usar:** backend tasks (Edge Functions, scripts admin).
212
- **NUNCA:** expor ao cliente — vazamento = acesso total ao DB.
213
-
214
- ### `supabase_auth_admin`
215
- **Tipo:** Auth middleware. **Quando usar:** internal — Supabase Auth service.
216
- **Caveat:** GRANT EXECUTE em Custom Access Token Auth Hook (cross-ref skill `supabase-custom-claims-rbac` v1.25); scope `auth` schema.
217
-
218
- ### `supabase_storage_admin`
219
- **Tipo:** Storage middleware. **Quando usar:** internal — Supabase Storage service. Scope `storage` schema.
220
-
221
- ### `supabase_etl_admin`
222
- **Tipo:** Replication. **Quando usar:** internal — Replication powered by Supabase ETL. Read-all + bypass RLS + write `etl` schema.
223
-
224
- ### `dashboard_user`
225
- **Tipo:** Supabase UI. **Quando usar:** internal — commands via Supabase dashboard.
226
-
227
- ### `supabase_admin`
228
- **Tipo:** Internal admin. **Quando usar:** internal — upgrades + automations.
229
-
230
- ## Pattern 4: Custom service account roles
231
-
232
- Caso canônico — criar role dedicado em vez de service_role API key:
233
-
234
- ```sql
235
- -- 1. role para cron job (sem LOGIN — usado via pg_cron)
236
- create role "cron_job_role" noinherit;
237
- -- bypass RLS para acessar todas orgs
238
- alter role "cron_job_role" with bypassrls;
239
-
240
- -- 2. GRANTs específicos
241
- grant usage on schema public to cron_job_role;
242
- grant select, insert, delete on table public.audit_log to cron_job_role;
243
-
244
- -- 3. pg_cron usa este role
245
- select cron.schedule(
246
- 'cleanup_old_logs',
247
- '0 3 * * *',
248
- $$ delete from public.audit_log where created_at < now() - interval '90 days' $$
249
- );
250
- -- pg_cron executa as queries com este role; auditabilidade superior vs service_role API key
251
- ```
252
-
253
- ```sql
254
- -- role para BI tool (Metabase) — read-only com login
255
- create role "metabase_reader" with login password 'percent-encode-this!';
256
- alter role "metabase_reader" with bypassrls; -- BI precisa ver todas linhas
257
-
258
- grant usage on schema public to metabase_reader;
259
- grant select on all tables in schema public to metabase_reader;
260
- alter default privileges in schema public
261
- grant select on tables to metabase_reader;
262
- ```
263
-
264
- ## Changing postgres password
265
-
266
- Mudar password do `postgres` role:
267
-
268
- 1. **Dashboard:** Database Settings page → "Database password" → enter new
269
- 2. **Sem downtime:** serviços internos (PostgREST, PgBouncer, etc.) auto-update
270
- 3. **External services com hardcoded credentials:** manual update necessário (revisar deploy configs)
271
-
272
- **NÃO:** dar password do `postgres` role para third-party — crie role dedicado.
273
-
274
- ## Auditoria — pg_stat_statements por role
275
-
276
- Cada role tem queries rastreáveis em `pg_stat_statements`:
277
-
278
- ```sql
279
- select
280
- rolname,
281
- count(*) as query_count,
282
- sum(total_exec_time)::numeric(10,2) as total_time_ms
283
- from pg_stat_statements s
284
- join pg_roles r on s.userid = r.oid
285
- where rolname not in ('postgres', 'authenticator') -- filtrar admin
286
- group by rolname
287
- order by total_time_ms desc;
288
- ```
289
-
290
- Identificar qual service account está consumindo mais — útil para debug + capacity planning.
291
-
292
- ## Anti-patterns
293
-
294
- ### Anti-pattern 1: Usar service_role API key para tudo
295
-
296
- **Errado:**
297
- ```bash
298
- # .env do cron job
299
- SUPABASE_KEY=eyJ...service_role_key...
300
- ```
301
-
302
- **Por quê:** sem auditabilidade — todas queries logam como `service_role`; difícil identificar qual script fez o quê.
303
-
304
- **Certo:** criar role dedicado por service account:
305
- ```sql
306
- create role "cron_billing_role" noinherit;
307
- alter role "cron_billing_role" with bypassrls;
308
- -- GRANTs específicos
309
- -- pg_cron usa este role; queries logam com identidade clara
310
- ```
311
-
312
- ### Anti-pattern 2: Custom role para "admin vs user" application access
313
-
314
- **Errado:**
315
- ```sql
316
- -- criar role "admin" Postgres para gerenciar quem é admin no app
317
- create role "app_admin";
318
- -- ... add users to this role ...
319
- ```
320
-
321
- **Por quê:** Postgres roles não são designed para application access — não dinâmico, não auditável, mistura system + application concerns.
322
-
323
- **Certo:** use RLS + Custom Claims (skill `supabase-custom-claims-rbac` v1.25) — `user_role: 'admin'` no JWT via auth hook, consultado por `authorize()`.
324
-
325
- ### Anti-pattern 3: Password sem percent-encoding em URL
326
-
327
- **Errado:**
328
- ```
329
- postgresql://user:p=ssword@host/db
330
- ```
331
-
332
- **Por quê:** `=` é parseado como query string separator — conexão falha.
333
-
334
- **Certo:**
335
- ```
336
- postgresql://user:p%3Dssword@host/db
337
- ```
338
-
339
- ### Anti-pattern 4: INHERIT em superuser-like role
340
-
341
- **Errado:**
342
- ```sql
343
- create role "dba_role" inherit; -- inherit default em todos roles
344
- grant postgres to dba_role;
345
- -- dba_role agora tem postgres privileges implicitly
346
- ```
347
-
348
- **Por quê:** sem audit trail explícito de quando privileges admin são usados.
349
-
350
- **Certo:** NOINHERIT + SET ROLE explícito:
351
- ```sql
352
- create role "dba_role" noinherit;
353
- grant postgres to dba_role;
354
- -- usuário precisa: set role postgres; ...; reset role;
355
- -- queries logam com identidade postgres durante operação
356
- ```
357
-
358
- ### Anti-pattern 5: Criar role sem documentação
359
-
360
- **Errado:**
361
- ```sql
362
- create role "xyz" with login password 'pwd';
363
- -- 6 meses depois, ninguém sabe pra que serve
364
- ```
365
-
366
- **Por quê:** sem documentação, próximo dev assume é abandoned + remove ou mantém indefinidamente.
367
-
368
- **Certo:** sempre comment no migration + entry em README:
369
- ```sql
370
- -- role para Metabase BI conectar em produção (read-only)
371
- -- Owner: data-team@company.com
372
- -- Created: 2026-05-11 v1.26
373
- create role "metabase_reader" with login password '<from-vault>';
374
- comment on role "metabase_reader" is 'BI tool service account — read-only. Owner: data-team@company.com';
375
- ```
376
-
377
- ## Cross-suite integration (v1.26)
378
-
379
- Esta skill é base para agent novo `supabase-roles-implementer` (Phase 145) — recebe spec via `Task()` e materializa CREATE ROLE + GRANT/REVOKE + hierarchy. Pattern de handoff cooperativo herdado de v1.23-v1.25.
380
-
381
- Para column-level GRANTs específicos por role, **combine** com skill `supabase-column-level-security` (v1.24). Para custom claims que entregam `user_role` no JWT, use skill `supabase-custom-claims-rbac` (v1.25) — Postgres roles são para system access; custom claims são para application access.
382
-
383
- ## Ver também
384
-
385
- - [supabase-roles-implementer](../../agents/supabase-roles-implementer.md) (v1.26) — canonical materializer
386
- - [supabase-rls-policies](../supabase-rls-policies/SKILL.md) (v1.23) — section "Postgres Roles vs RLS — quando usar qual" (v1.26)
387
- - [supabase-rls-defense-in-depth](../supabase-rls-defense-in-depth/SKILL.md) (v1.23) — Camada 10 (Postgres Roles Hierarchy) v1.26
388
- - [supabase-database-functions](../supabase-database-functions/SKILL.md) — GRANT EXECUTE patterns
389
- - [supabase-column-level-security](../supabase-column-level-security/SKILL.md) (v1.24) — combinar com column-level GRANTs por role
390
- - [supabase-custom-claims-rbac](../supabase-custom-claims-rbac/SKILL.md) (v1.25) — distinção canônica system access vs application access
391
- - [glossário compartilhado](../_shared-supabase/glossary.md) — termos Postgres roles, INHERIT/NOINHERIT, LOGIN PASSWORD, GRANT/REVOKE syntax, role hierarchy, predefined Supabase roles, role switching authenticator, percent-encoding password
392
- - Doc oficial Postgres: [Database Roles](https://www.postgresql.org/docs/current/database-roles.html), [Role Membership](https://www.postgresql.org/docs/current/role-membership.html), [Function Permissions](https://www.postgresql.org/docs/current/perm-functions.html)
1
+ ---
2
+ name: supabase-postgres-roles
3
+ description: Use ao gerenciar Postgres roles em Supabase — system access (cron jobs, BI tools, ETL, admin scripts). Distinção canônica vs RLS+Custom Claims (application access).
4
+ ---
5
+
6
+ # Supabase — Postgres Roles
7
+
8
+ ## Quando usar (e quando NÃO usar)
9
+
10
+ Postgres roles gerenciam acesso ao banco — **system access** (service accounts internos, cron jobs, BI tools, ETL, admin scripts).
11
+
12
+ **Use Postgres roles APENAS para:**
13
+
14
+ - ✅ Service accounts internos (cron jobs com pg_cron, BI tools como Metabase, ETL scripts)
15
+ - ✅ Admin roles com BYPASSRLS (`security_admin`, `dpo_role`, `lead_manager`, `platform_admin`)
16
+ - ✅ Roles para column-level GRANTs específicos (cross-ref skill `supabase-column-level-security` v1.24)
17
+ - ✅ Custom roles que substituem service_role key em scripts (auditabilidade superior)
18
+
19
+ **NÃO use Postgres roles para:**
20
+
21
+ - ❌ "Admin vs user" application access → use **RLS + Custom Claims** (skill `supabase-custom-claims-rbac` v1.25)
22
+ - ❌ Filtrar dados por linha → use **RLS row-level** (skill `supabase-rls-policies` v1.23)
23
+ - ❌ Filtrar dados por coluna → use **Column-Level Privileges** (skill `supabase-column-level-security` v1.24)
24
+ - ❌ Substituir auth.users (auth.users é gerenciado pelo Supabase Auth — não criar roles para end-users)
25
+
26
+ Trigger phrases:
27
+
28
+ - "create role Postgres", "custom Postgres role"
29
+ - "role hierarchy", "INHERIT NOINHERIT"
30
+ - "GRANT REVOKE Postgres"
31
+ - "service account Supabase", "cron job role"
32
+ - "Postgres roles vs RLS"
33
+
34
+ ## Distinção canônica
35
+
36
+ | | Application Access | System Access |
37
+ |---|---|---|
38
+ | Mecanismo | RLS + Custom Claims | Postgres Roles |
39
+ | Quem é o "user" | End-user via JWT (`auth.uid()`) | Service account interno |
40
+ | Identidade | JWT claim (`user_role`) | Postgres role login |
41
+ | Permissions | Granular por linha/coluna | Per tabela/schema/function |
42
+ | Audit trail | RLS denial logs (42501) | pg_stat_statements por role |
43
+ | Example | "User admin pode deletar messages" | "Cron job pode SELECT em todas tabs para backup" |
44
+
45
+ ## Princípio canônico
46
+
47
+ Roles vs Users:
48
+
49
+ - **Role** = entidade Postgres que pode ter permissions
50
+ - **User** = role com `LOGIN` privilege (pode autenticar via senha)
51
+ - **Group** = role sem `LOGIN` (usado para herança de permissions)
52
+
53
+ ```sql
54
+ -- group role (sem LOGIN — usado para hierarchy)
55
+ create role "readonly_group";
56
+
57
+ -- user role (com LOGIN — service account)
58
+ create role "readonly_user" with login password 'extremely_secure_pwd';
59
+
60
+ -- user role inherita do group
61
+ grant readonly_group to readonly_user;
62
+ -- agora readonly_user tem todas permissions do readonly_group
63
+ ```
64
+
65
+ ## Pattern 1: CREATE ROLE básico
66
+
67
+ ### Group role (sem LOGIN)
68
+
69
+ ```sql
70
+ create role "billing_group";
71
+ -- usado apenas como container de permissions; não pode logar
72
+ ```
73
+
74
+ ### User role (com LOGIN PASSWORD)
75
+
76
+ ```sql
77
+ create role "billing_service" with login password 'p4ss-w0rd!sup3r_s3cur3';
78
+ ```
79
+
80
+ **Password best practices (canônico):**
81
+
82
+ 1. **12+ characters mínimo** — quanto mais longo, melhor
83
+ 2. **Use password manager** para gerar (Bitwarden, 1Password, etc.)
84
+ 3. **Mix upper + lower + numbers + special symbols** (`! @ # $ % &`)
85
+ 4. **NÃO use dictionary words** comuns
86
+ 5. **Roteie via secrets vault** — nunca hardcode em git
87
+
88
+ ### Caveat — Percent-encoding em connection string
89
+
90
+ Special symbols em password precisam ser **percent-encoded** quando usados em connection string:
91
+
92
+ ```
93
+ ANTES (raw password): p=ssword
94
+ DEPOIS (em URL): p%3Dssword
95
+
96
+ Connection string:
97
+ postgresql://postgres.projectref:p%3Dssword@aws-0-us-east-1.pooler.supabase.com:6543/postgres
98
+ ```
99
+
100
+ Tabela de encoding canônica:
101
+
102
+ | Char | Encoded |
103
+ |------|---------|
104
+ | `=` | `%3D` |
105
+ | `&` | `%26` |
106
+ | `+` | `%2B` |
107
+ | `#` | `%23` |
108
+ | `:` | `%3A` |
109
+ | `/` | `%2F` |
110
+ | `@` | `%40` |
111
+ | `space` | `%20` |
112
+
113
+ ## Pattern 2: GRANT / REVOKE permissions
114
+
115
+ GRANT canônico:
116
+
117
+ ```sql
118
+ -- permission em schema completo
119
+ grant usage on schema public to billing_service;
120
+ grant select on all tables in schema public to billing_service;
121
+
122
+ -- permission em tabela específica
123
+ grant select, insert on table public.invoices to billing_service;
124
+
125
+ -- permission em função específica
126
+ grant execute on function public.calculate_total(uuid) to billing_service;
127
+
128
+ -- permission em sequence (necessário para INSERT em tabelas com SERIAL/BIGSERIAL)
129
+ grant usage on sequence public.invoices_id_seq to billing_service;
130
+ ```
131
+
132
+ REVOKE canônico:
133
+
134
+ ```sql
135
+ revoke select on table public.invoices from billing_service;
136
+ revoke execute on function public.calculate_total(uuid) from billing_service;
137
+ ```
138
+
139
+ **Caveat — Default privileges para novos objetos:**
140
+
141
+ GRANT em "all tables" só cobre tabelas **existentes**. Para tabelas futuras criadas no schema, use `ALTER DEFAULT PRIVILEGES`:
142
+
143
+ ```sql
144
+ -- todas tabelas futuras criadas em public terão SELECT GRANT para billing_service
145
+ alter default privileges in schema public
146
+ grant select on tables to billing_service;
147
+ ```
148
+
149
+ ## Pattern 3: Role Hierarchy (INHERIT / NOINHERIT)
150
+
151
+ INHERIT (default): child role herda permissions do parent.
152
+
153
+ ```sql
154
+ -- group com permissions base
155
+ create role "readers";
156
+ grant select on all tables in schema public to readers;
157
+
158
+ -- user inherita
159
+ create role "alice" with login password 'pwd1';
160
+ grant readers to alice;
161
+ -- alice agora tem SELECT em todas tabelas public (via readers)
162
+
163
+ -- multi-level hierarchy
164
+ create role "admins";
165
+ grant readers to admins; -- admins inherita de readers
166
+ grant insert, update, delete on all tables in schema public to admins;
167
+
168
+ create role "bob" with login password 'pwd2';
169
+ grant admins to bob;
170
+ -- bob inherita de admins (que inherita de readers) — full CRUD em public
171
+ ```
172
+
173
+ NOINHERIT: child role tem que **explicitamente** assumir parent role para usar permissions.
174
+
175
+ ```sql
176
+ create role "superuser_proxy" noinherit;
177
+ grant postgres to superuser_proxy;
178
+
179
+ -- Para usar permissions de postgres, superuser_proxy precisa SET ROLE:
180
+ set role postgres;
181
+ -- agora opera como postgres
182
+ reset role;
183
+ ```
184
+
185
+ **Quando usar NOINHERIT:**
186
+
187
+ - Roles superuser (postgres) — exigir SET ROLE explícito como guard
188
+ - Audit trail mais claro (queries mostram a role ativa)
189
+ - Princípio canônico: opt-in explícito em vez de implícito
190
+
191
+ ## 10 Predefined Supabase Roles (documentação)
192
+
193
+ Supabase configura 10 roles automaticamente em todo projeto. **Não criar substitutos** — documentar e usar conforme apropriado.
194
+
195
+ ### `postgres`
196
+ **Tipo:** Admin/superuser. **Quando usar:** scripts de admin via dashboard ou psql direto.
197
+ **NUNCA:** dar password ao third-party ou expor.
198
+
199
+ ### `anon`
200
+ **Tipo:** Public unauthenticated. **Quando usar:** requests sem JWT (cliente deslogado).
201
+ **Caveat:** `anon` Postgres role ≠ anonymous Auth user (cross-ref skill `supabase-rls-policies` v1.23).
202
+
203
+ ### `authenticator`
204
+ **Tipo:** PostgREST switch role. **Quando usar:** internal — PostgREST recebe JWT, valida, e switches para `anon` ou `authenticated` baseado em claims.
205
+ **Caveat:** acesso muito limitado — apenas SWITCH ROLE.
206
+
207
+ ### `authenticated`
208
+ **Tipo:** Logged-in users. **Quando usar:** requests com JWT válido (autenticado).
209
+
210
+ ### `service_role`
211
+ **Tipo:** Bypass RLS. **Quando usar:** backend tasks (Edge Functions, scripts admin).
212
+ **NUNCA:** expor ao cliente — vazamento = acesso total ao DB.
213
+
214
+ ### `supabase_auth_admin`
215
+ **Tipo:** Auth middleware. **Quando usar:** internal — Supabase Auth service.
216
+ **Caveat:** GRANT EXECUTE em Custom Access Token Auth Hook (cross-ref skill `supabase-custom-claims-rbac` v1.25); scope `auth` schema.
217
+
218
+ ### `supabase_storage_admin`
219
+ **Tipo:** Storage middleware. **Quando usar:** internal — Supabase Storage service. Scope `storage` schema.
220
+
221
+ ### `supabase_etl_admin`
222
+ **Tipo:** Replication. **Quando usar:** internal — Replication powered by Supabase ETL. Read-all + bypass RLS + write `etl` schema.
223
+
224
+ ### `dashboard_user`
225
+ **Tipo:** Supabase UI. **Quando usar:** internal — commands via Supabase dashboard.
226
+
227
+ ### `supabase_admin`
228
+ **Tipo:** Internal admin. **Quando usar:** internal — upgrades + automations.
229
+
230
+ ## Pattern 4: Custom service account roles
231
+
232
+ Caso canônico — criar role dedicado em vez de service_role API key:
233
+
234
+ ```sql
235
+ -- 1. role para cron job (sem LOGIN — usado via pg_cron)
236
+ create role "cron_job_role" noinherit;
237
+ -- bypass RLS para acessar todas orgs
238
+ alter role "cron_job_role" with bypassrls;
239
+
240
+ -- 2. GRANTs específicos
241
+ grant usage on schema public to cron_job_role;
242
+ grant select, insert, delete on table public.audit_log to cron_job_role;
243
+
244
+ -- 3. pg_cron usa este role
245
+ select cron.schedule(
246
+ 'cleanup_old_logs',
247
+ '0 3 * * *',
248
+ $$ delete from public.audit_log where created_at < now() - interval '90 days' $$
249
+ );
250
+ -- pg_cron executa as queries com este role; auditabilidade superior vs service_role API key
251
+ ```
252
+
253
+ ```sql
254
+ -- role para BI tool (Metabase) — read-only com login
255
+ create role "metabase_reader" with login password 'percent-encode-this!';
256
+ alter role "metabase_reader" with bypassrls; -- BI precisa ver todas linhas
257
+
258
+ grant usage on schema public to metabase_reader;
259
+ grant select on all tables in schema public to metabase_reader;
260
+ alter default privileges in schema public
261
+ grant select on tables to metabase_reader;
262
+ ```
263
+
264
+ ## Changing postgres password
265
+
266
+ Mudar password do `postgres` role:
267
+
268
+ 1. **Dashboard:** Database Settings page → "Database password" → enter new
269
+ 2. **Sem downtime:** serviços internos (PostgREST, PgBouncer, etc.) auto-update
270
+ 3. **External services com hardcoded credentials:** manual update necessário (revisar deploy configs)
271
+
272
+ **NÃO:** dar password do `postgres` role para third-party — crie role dedicado.
273
+
274
+ ## Auditoria — pg_stat_statements por role
275
+
276
+ Cada role tem queries rastreáveis em `pg_stat_statements`:
277
+
278
+ ```sql
279
+ select
280
+ rolname,
281
+ count(*) as query_count,
282
+ sum(total_exec_time)::numeric(10,2) as total_time_ms
283
+ from pg_stat_statements s
284
+ join pg_roles r on s.userid = r.oid
285
+ where rolname not in ('postgres', 'authenticator') -- filtrar admin
286
+ group by rolname
287
+ order by total_time_ms desc;
288
+ ```
289
+
290
+ Identificar qual service account está consumindo mais — útil para debug + capacity planning.
291
+
292
+ ## Anti-patterns
293
+
294
+ ### Anti-pattern 1: Usar service_role API key para tudo
295
+
296
+ **Errado:**
297
+ ```bash
298
+ # .env do cron job
299
+ SUPABASE_KEY=eyJ...service_role_key...
300
+ ```
301
+
302
+ **Por quê:** sem auditabilidade — todas queries logam como `service_role`; difícil identificar qual script fez o quê.
303
+
304
+ **Certo:** criar role dedicado por service account:
305
+ ```sql
306
+ create role "cron_billing_role" noinherit;
307
+ alter role "cron_billing_role" with bypassrls;
308
+ -- GRANTs específicos
309
+ -- pg_cron usa este role; queries logam com identidade clara
310
+ ```
311
+
312
+ ### Anti-pattern 2: Custom role para "admin vs user" application access
313
+
314
+ **Errado:**
315
+ ```sql
316
+ -- criar role "admin" Postgres para gerenciar quem é admin no app
317
+ create role "app_admin";
318
+ -- ... add users to this role ...
319
+ ```
320
+
321
+ **Por quê:** Postgres roles não são designed para application access — não dinâmico, não auditável, mistura system + application concerns.
322
+
323
+ **Certo:** use RLS + Custom Claims (skill `supabase-custom-claims-rbac` v1.25) — `user_role: 'admin'` no JWT via auth hook, consultado por `authorize()`.
324
+
325
+ ### Anti-pattern 3: Password sem percent-encoding em URL
326
+
327
+ **Errado:**
328
+ ```
329
+ postgresql://user:p=ssword@host/db
330
+ ```
331
+
332
+ **Por quê:** `=` é parseado como query string separator — conexão falha.
333
+
334
+ **Certo:**
335
+ ```
336
+ postgresql://user:p%3Dssword@host/db
337
+ ```
338
+
339
+ ### Anti-pattern 4: INHERIT em superuser-like role
340
+
341
+ **Errado:**
342
+ ```sql
343
+ create role "dba_role" inherit; -- inherit default em todos roles
344
+ grant postgres to dba_role;
345
+ -- dba_role agora tem postgres privileges implicitly
346
+ ```
347
+
348
+ **Por quê:** sem audit trail explícito de quando privileges admin são usados.
349
+
350
+ **Certo:** NOINHERIT + SET ROLE explícito:
351
+ ```sql
352
+ create role "dba_role" noinherit;
353
+ grant postgres to dba_role;
354
+ -- usuário precisa: set role postgres; ...; reset role;
355
+ -- queries logam com identidade postgres durante operação
356
+ ```
357
+
358
+ ### Anti-pattern 5: Criar role sem documentação
359
+
360
+ **Errado:**
361
+ ```sql
362
+ create role "xyz" with login password 'pwd';
363
+ -- 6 meses depois, ninguém sabe pra que serve
364
+ ```
365
+
366
+ **Por quê:** sem documentação, próximo dev assume é abandoned + remove ou mantém indefinidamente.
367
+
368
+ **Certo:** sempre comment no migration + entry em README:
369
+ ```sql
370
+ -- role para Metabase BI conectar em produção (read-only)
371
+ -- Owner: data-team@company.com
372
+ -- Created: 2026-05-11 v1.26
373
+ create role "metabase_reader" with login password '<from-vault>';
374
+ comment on role "metabase_reader" is 'BI tool service account — read-only. Owner: data-team@company.com';
375
+ ```
376
+
377
+ ## Cross-suite integration (v1.26)
378
+
379
+ Esta skill é base para agent novo `supabase-roles-implementer` (Phase 145) — recebe spec via `Task()` e materializa CREATE ROLE + GRANT/REVOKE + hierarchy. Pattern de handoff cooperativo herdado de v1.23-v1.25.
380
+
381
+ Para column-level GRANTs específicos por role, **combine** com skill `supabase-column-level-security` (v1.24). Para custom claims que entregam `user_role` no JWT, use skill `supabase-custom-claims-rbac` (v1.25) — Postgres roles são para system access; custom claims são para application access.
382
+
383
+ ## Ver também
384
+
385
+ - [supabase-roles-implementer](../../agents/supabase-roles-implementer.md) (v1.26) — canonical materializer
386
+ - [supabase-rls-policies](../supabase-rls-policies/SKILL.md) (v1.23) — section "Postgres Roles vs RLS — quando usar qual" (v1.26)
387
+ - [supabase-rls-defense-in-depth](../supabase-rls-defense-in-depth/SKILL.md) (v1.23) — Camada 10 (Postgres Roles Hierarchy) v1.26
388
+ - [supabase-database-functions](../supabase-database-functions/SKILL.md) — GRANT EXECUTE patterns
389
+ - [supabase-column-level-security](../supabase-column-level-security/SKILL.md) (v1.24) — combinar com column-level GRANTs por role
390
+ - [supabase-custom-claims-rbac](../supabase-custom-claims-rbac/SKILL.md) (v1.25) — distinção canônica system access vs application access
391
+ - [glossário compartilhado](../_shared-supabase/glossary.md) — termos Postgres roles, INHERIT/NOINHERIT, LOGIN PASSWORD, GRANT/REVOKE syntax, role hierarchy, predefined Supabase roles, role switching authenticator, percent-encoding password
392
+ - Doc oficial Postgres: [Database Roles](https://www.postgresql.org/docs/current/database-roles.html), [Role Membership](https://www.postgresql.org/docs/current/role-membership.html), [Function Permissions](https://www.postgresql.org/docs/current/perm-functions.html)