@luanpdd/kit-mcp 1.35.0 → 1.36.0

package/gates/release-pipeline-policy.md

@@ -1,132 +1,132 @@
----
-id: release-pipeline-policy
-stage: pre-milestone-close
-blocking: false
-description: Valida release pipeline scored ≥ X/30 (default 20 = ADEQUATE) em hermeticidade + reprodutibilidade + policy enforcement. Opt-in via workflow.complete_milestone_release_pipeline_gate. Cap 8 livro Google SRE.
----
-
-# Release pipeline policy gate
-
-**When to run:** pre-milestone-close (consultive default; blocking se `workflow.complete_milestone_release_pipeline_gate=true`).
-
-**Skill canônica:** [`release-engineering`](../kit/skills/release-engineering/SKILL.md) + [`hermetic-builds`](../kit/skills/hermetic-builds/SKILL.md)
-
-**Agent invocado:** [`release-pipeline-auditor`](../kit/agents/release-pipeline-auditor.md)
-
-## Check
-
-```bash
-#!/usr/bin/env bash
-# PT-BR: validar release pipeline scored >= threshold
-set -e
-
-# threshold do gate
-THRESHOLD=20  # default: ADEQUATE
-GATE_BLOCKING=false
-
-if [ -f ".planning/config.json" ] && command -v jq >/dev/null; then
-  CFG=$(jq -r '.workflow.complete_milestone_release_pipeline_gate // empty' .planning/config.json 2>/dev/null)
-  if [ "$CFG" = "true" ]; then
-    GATE_BLOCKING=true
-  fi
-  CFG_THRESH=$(jq -r '.workflow.release_pipeline_threshold // empty' .planning/config.json 2>/dev/null)
-  [ -n "$CFG_THRESH" ] && [ "$CFG_THRESH" != "null" ] && THRESHOLD=$CFG_THRESH
-fi
-
-# se não opt-in, gate skip
-if [ "$GATE_BLOCKING" = false ] && [ -z "$RELEASE_PIPELINE_POLICY_FORCE" ]; then
-  echo "INFO: release-pipeline-policy gate is opt-in (workflow.complete_milestone_release_pipeline_gate=false). Skip."
-  exit 0
-fi
-
-# ler RELEASE-AUDIT.md OR delegar via Task se ausente/stale
-AUDIT_FILE=".planning/RELEASE-AUDIT.md"
-SCORE=""
-
-if [ -f "$AUDIT_FILE" ]; then
-  # check se fresh (≤ 30 dias)
-  if [ "$(uname)" = "Darwin" ]; then
-    AUDIT_DATE=$(stat -f %m "$AUDIT_FILE")
-  else
-    AUDIT_DATE=$(stat -c %Y "$AUDIT_FILE")
-  fi
-  AGE_DAYS=$(( ($(date +%s) - AUDIT_DATE) / 86400 ))
-
-  if [ "$AGE_DAYS" -gt 30 ]; then
-    echo "⚠ RELEASE-AUDIT.md stale (${AGE_DAYS}d). Re-rodar /auditar-release antes de close."
-    [ "$GATE_BLOCKING" = true ] && exit 1
-  fi
-
-  # parse score
-  SCORE=$(grep -oE "Score:\*\*\s*[0-9]+/30" "$AUDIT_FILE" | grep -oE "[0-9]+" | head -1)
-fi
-
-if [ -z "$SCORE" ]; then
-  echo "⚠ RELEASE-AUDIT.md ausente OR sem score parseável."
-  echo "Rode: /auditar-release  (gera relatório fresh)"
-  [ "$GATE_BLOCKING" = true ] && exit 1
-  exit 0
-fi
-
-echo ""
-echo "release-pipeline-policy gate — threshold: ${THRESHOLD}/30"
-echo "  RELEASE-AUDIT.md score: ${SCORE}/30"
-echo ""
-
-# decisão
-if [ "$SCORE" -ge "$THRESHOLD" ]; then
-  if [ "$SCORE" -ge 25 ]; then
-    echo "✓ ROBUST (≥ 25/30) — milestone arquivável."
-  else
-    echo "✓ ADEQUATE (20-24) — milestone arquivável com warnings."
-  fi
-  exit 0
-fi
-
-if [ "$SCORE" -lt 15 ]; then
-  echo "✗ BROKEN (< 15/30) — pipeline não pode ser fonte de verdade. ESCALAR."
-elif [ "$SCORE" -lt 20 ]; then
-  echo "✗ FRAGILE (15-19/30) — gaps significativos."
-fi
-
-echo ""
-echo "Próximas ações:"
-echo "  1. Aplicar top 5 fixes do RELEASE-AUDIT.md"
-echo "  2. Re-rodar /auditar-release"
-echo "  3. Re-tentar /concluir-marco após score >= ${THRESHOLD}"
-echo ""
-
-[ "$GATE_BLOCKING" = true ] && exit 1
-exit 0
-```
-
-## Configuração
-
-```json
-{
-  "workflow": {
-    "complete_milestone_release_pipeline_gate": false,
-    "release_pipeline_threshold": 20
-  }
-}
-```
-
-**Default:** `complete_milestone_release_pipeline_gate=false` (opt-in). Threshold 20 = ADEQUATE; promove para 25 (ROBUST) em projetos tier-1.
-
-## Quando NÃO rodar
-
-- Projeto < 6 meses (pipeline ainda imatura)
-- Releases manuais (sem CI/CD complexo)
-- Solo dev side project
-- Projeto puramente experimental
-
-## Ver também
-
-- [`release-pipeline-auditor`](../kit/agents/release-pipeline-auditor.md) — agent canônico
-- [`/auditar-release`](../kit/commands/auditar-release.md) — comando dedicado
-- [`hermetic-builds`](../kit/skills/hermetic-builds/SKILL.md)
-- [`release-engineering`](../kit/skills/release-engineering/SKILL.md)
-- [`prr-checklist-coverage`](./prr-checklist-coverage.md) — gate análogo PRR (v1.10)
-- [`legacy-refactor-safety`](./legacy-refactor-safety.md) — gate análogo Legacy (v1.12)
-
-*Material-fonte: cap 8 livro Google SRE.*
+---
+id: release-pipeline-policy
+stage: pre-milestone-close
+blocking: false
+description: Valida release pipeline scored ≥ X/30 (default 20 = ADEQUATE) em hermeticidade + reprodutibilidade + policy enforcement. Opt-in via workflow.complete_milestone_release_pipeline_gate. Cap 8 livro Google SRE.
+---
+
+# Release pipeline policy gate
+
+**When to run:** pre-milestone-close (consultive default; blocking se `workflow.complete_milestone_release_pipeline_gate=true`).
+
+**Skill canônica:** [`release-engineering`](../kit/skills/release-engineering/SKILL.md) + [`hermetic-builds`](../kit/skills/hermetic-builds/SKILL.md)
+
+**Agent invocado:** [`release-pipeline-auditor`](../kit/agents/release-pipeline-auditor.md)
+
+## Check
+
+```bash
+#!/usr/bin/env bash
+# PT-BR: validar release pipeline scored >= threshold
+set -e
+
+# threshold do gate
+THRESHOLD=20  # default: ADEQUATE
+GATE_BLOCKING=false
+
+if [ -f ".planning/config.json" ] && command -v jq >/dev/null; then
+  CFG=$(jq -r '.workflow.complete_milestone_release_pipeline_gate // empty' .planning/config.json 2>/dev/null)
+  if [ "$CFG" = "true" ]; then
+    GATE_BLOCKING=true
+  fi
+  CFG_THRESH=$(jq -r '.workflow.release_pipeline_threshold // empty' .planning/config.json 2>/dev/null)
+  [ -n "$CFG_THRESH" ] && [ "$CFG_THRESH" != "null" ] && THRESHOLD=$CFG_THRESH
+fi
+
+# se não opt-in, gate skip
+if [ "$GATE_BLOCKING" = false ] && [ -z "$RELEASE_PIPELINE_POLICY_FORCE" ]; then
+  echo "INFO: release-pipeline-policy gate is opt-in (workflow.complete_milestone_release_pipeline_gate=false). Skip."
+  exit 0
+fi
+
+# ler RELEASE-AUDIT.md OR delegar via Task se ausente/stale
+AUDIT_FILE=".planning/RELEASE-AUDIT.md"
+SCORE=""
+
+if [ -f "$AUDIT_FILE" ]; then
+  # check se fresh (≤ 30 dias)
+  if [ "$(uname)" = "Darwin" ]; then
+    AUDIT_DATE=$(stat -f %m "$AUDIT_FILE")
+  else
+    AUDIT_DATE=$(stat -c %Y "$AUDIT_FILE")
+  fi
+  AGE_DAYS=$(( ($(date +%s) - AUDIT_DATE) / 86400 ))
+
+  if [ "$AGE_DAYS" -gt 30 ]; then
+    echo "⚠ RELEASE-AUDIT.md stale (${AGE_DAYS}d). Re-rodar /auditar-release antes de close."
+    [ "$GATE_BLOCKING" = true ] && exit 1
+  fi
+
+  # parse score
+  SCORE=$(grep -oE "Score:\*\*\s*[0-9]+/30" "$AUDIT_FILE" | grep -oE "[0-9]+" | head -1)
+fi
+
+if [ -z "$SCORE" ]; then
+  echo "⚠ RELEASE-AUDIT.md ausente OR sem score parseável."
+  echo "Rode: /auditar-release  (gera relatório fresh)"
+  [ "$GATE_BLOCKING" = true ] && exit 1
+  exit 0
+fi
+
+echo ""
+echo "release-pipeline-policy gate — threshold: ${THRESHOLD}/30"
+echo "  RELEASE-AUDIT.md score: ${SCORE}/30"
+echo ""
+
+# decisão
+if [ "$SCORE" -ge "$THRESHOLD" ]; then
+  if [ "$SCORE" -ge 25 ]; then
+    echo "✓ ROBUST (≥ 25/30) — milestone arquivável."
+  else
+    echo "✓ ADEQUATE (20-24) — milestone arquivável com warnings."
+  fi
+  exit 0
+fi
+
+if [ "$SCORE" -lt 15 ]; then
+  echo "✗ BROKEN (< 15/30) — pipeline não pode ser fonte de verdade. ESCALAR."
+elif [ "$SCORE" -lt 20 ]; then
+  echo "✗ FRAGILE (15-19/30) — gaps significativos."
+fi
+
+echo ""
+echo "Próximas ações:"
+echo "  1. Aplicar top 5 fixes do RELEASE-AUDIT.md"
+echo "  2. Re-rodar /auditar-release"
+echo "  3. Re-tentar /concluir-marco após score >= ${THRESHOLD}"
+echo ""
+
+[ "$GATE_BLOCKING" = true ] && exit 1
+exit 0
+```
+
+## Configuração
+
+```json
+{
+  "workflow": {
+    "complete_milestone_release_pipeline_gate": false,
+    "release_pipeline_threshold": 20
+  }
+}
+```
+
+**Default:** `complete_milestone_release_pipeline_gate=false` (opt-in). Threshold 20 = ADEQUATE; promove para 25 (ROBUST) em projetos tier-1.
+
+## Quando NÃO rodar
+
+- Projeto < 6 meses (pipeline ainda imatura)
+- Releases manuais (sem CI/CD complexo)
+- Solo dev side project
+- Projeto puramente experimental
+
+## Ver também
+
+- [`release-pipeline-auditor`](../kit/agents/release-pipeline-auditor.md) — agent canônico
+- [`/auditar-release`](../kit/commands/auditar-release.md) — comando dedicado
+- [`hermetic-builds`](../kit/skills/hermetic-builds/SKILL.md)
+- [`release-engineering`](../kit/skills/release-engineering/SKILL.md)
+- [`prr-checklist-coverage`](./prr-checklist-coverage.md) — gate análogo PRR (v1.10)
+- [`legacy-refactor-safety`](./legacy-refactor-safety.md) — gate análogo Legacy (v1.12)
+
+*Material-fonte: cap 8 livro Google SRE.*

package/gates/secrets-scan.md

@@ -1,33 +1,33 @@
----
-id: secrets-scan
-stage: any
-blocking: true
-description: Block commits that introduce common secret patterns. Bonus gate, not in original kit.
----
-
-# Secrets scan gate
-
-**When to run:** before any commit that touches files outside `.planning/`. Optional;
-opt in via project `config.json` → `gates.secrets_scan: true`.
-
-## Check
-
-Grep staged diff for high-confidence secret patterns:
-
-- `AKIA[0-9A-Z]{16}` (AWS access key)
-- `sk-(proj-|ant-)?[A-Za-z0-9]{20,}` (OpenAI / Anthropic key)
-- `ghp_[A-Za-z0-9]{36}` (GitHub PAT)
-- `xox[baprs]-[A-Za-z0-9-]{10,}` (Slack token)
-- `-----BEGIN (RSA |EC )?PRIVATE KEY-----`
-
-## Verdict
-
-- **passed** — no matches → proceed
-- **block**  — match found → list file + line, refuse commit. Suggest `git restore --staged <file>`
-
-## Notes
-
-This gate intentionally has zero ML / heuristics. It catches the common-format
-keys that humans accidentally paste; it does not catch base64-encoded secrets
-or custom token formats. Pair with a real secrets scanner (gitleaks, trufflehog)
-for production projects.
+---
+id: secrets-scan
+stage: any
+blocking: true
+description: Block commits that introduce common secret patterns. Bonus gate, not in original kit.
+---
+
+# Secrets scan gate
+
+**When to run:** before any commit that touches files outside `.planning/`. Optional;
+opt in via project `config.json` → `gates.secrets_scan: true`.
+
+## Check
+
+Grep staged diff for high-confidence secret patterns:
+
+- `AKIA[0-9A-Z]{16}` (AWS access key)
+- `sk-(proj-|ant-)?[A-Za-z0-9]{20,}` (OpenAI / Anthropic key)
+- `ghp_[A-Za-z0-9]{36}` (GitHub PAT)
+- `xox[baprs]-[A-Za-z0-9-]{10,}` (Slack token)
+- `-----BEGIN (RSA |EC )?PRIVATE KEY-----`
+
+## Verdict
+
+- **passed** — no matches → proceed
+- **block**  — match found → list file + line, refuse commit. Suggest `git restore --staged <file>`
+
+## Notes
+
+This gate intentionally has zero ML / heuristics. It catches the common-format
+keys that humans accidentally paste; it does not catch base64-encoded secrets
+or custom token formats. Pair with a real secrets scanner (gitleaks, trufflehog)
+for production projects.

package/gates/service-role-not-in-user-facing.md

@@ -1,113 +1,113 @@
----
-id: service-role-not-in-user-facing
-stage: pre-verify
-blocking: true
-description: Detecta uso de SUPABASE_SERVICE_ROLE_KEY em Edge Functions com verify_jwt:true (user-facing). Service role bypassa RLS — uso em rota acessível a usuário desliga toda autorização. Skip se projeto não tem supabase/functions/.
----
-
-# Service Role Not In User-Facing gate
-
-**When to run:** pre-verify (blocking — anti-pitfall P0 multi-tenant).
-
-## Check
-
-```bash
-#!/usr/bin/env bash
-# PT-BR: detecta uso de SUPABASE_SERVICE_ROLE_KEY em Edge Functions com verify_jwt:true.
-# Anti-pitfall #2 multi-tenant: service role em rota user-facing = bypass total de RLS.
-# Bash 3.2-portable (macOS default).
-set -e
-
-FUNCTIONS_DIR="supabase/functions"
-CONFIG_FILE="supabase/config.toml"
-
-if [ ! -d "$FUNCTIONS_DIR" ]; then
-  echo "INFO: $FUNCTIONS_DIR não existe — projeto não usa Supabase Edge Functions. Gate skipped."
-  exit 0
-fi
-
-# PT-BR: env vars que indicam uso de service role
-SERVICE_ROLE_PATTERNS="SUPABASE_SERVICE_ROLE_KEY|SERVICE_ROLE_KEY|service_role_key|serviceRoleKey"
-
-VIOLATIONS=0
-VIOLATIONS_DETAIL=""
-
-# PT-BR: iterar cada Edge Function (cada subdir em functions/)
-FUNCTION_DIRS=$(find "$FUNCTIONS_DIR" -mindepth 1 -maxdepth 1 -type d 2>/dev/null)
-
-if [ -z "$FUNCTION_DIRS" ]; then
-  echo "INFO: nenhuma Edge Function em $FUNCTIONS_DIR — gate skipped."
-  exit 0
-fi
-
-for fn_dir in $FUNCTION_DIRS; do
-  fn_name=$(basename "$fn_dir")
-
-  # PT-BR: skip _shared (não é Edge Function deployable)
-  [ "$fn_name" = "_shared" ] && continue
-
-  # PT-BR: descobrir verify_jwt setting da função (default: true se ausente)
-  VERIFY_JWT="true"  # default Supabase
-  if [ -f "$CONFIG_FILE" ]; then
-    # PT-BR: parsing leve — procurar [functions.<name>] block + verify_jwt
-    SECTION_VERIFY=$(awk -v fn="$fn_name" '
-      $0 ~ "^\\[functions\\." fn "\\]" { in_section = 1; next }
-      in_section && /^\[/ { in_section = 0 }
-      in_section && /verify_jwt/ {
-        gsub(/[ \t]/, "")
-        split($0, a, "=")
-        print a[2]
-        exit
-      }
-    ' "$CONFIG_FILE" 2>/dev/null)
-
-    if [ -n "$SECTION_VERIFY" ]; then
-      VERIFY_JWT="$SECTION_VERIFY"
-    fi
-  fi
-
-  # PT-BR: se verify_jwt=false (webhook/internal), skip — service role é OK aqui
-  if [ "$VERIFY_JWT" = "false" ]; then
-    continue
-  fi
-
-  # PT-BR: buscar uso de service role em arquivos .ts/.js da function
-  SERVICE_ROLE_FILES=$(grep -rlE "$SERVICE_ROLE_PATTERNS" "$fn_dir" --include="*.ts" --include="*.js" --include="*.mjs" 2>/dev/null || true)
-
-  if [ -n "$SERVICE_ROLE_FILES" ]; then
-    VIOLATIONS=$((VIOLATIONS + 1))
-    VIOLATIONS_DETAIL="${VIOLATIONS_DETAIL}
-  Edge Function '$fn_name' (verify_jwt=$VERIFY_JWT) usa service role:
-$(echo "$SERVICE_ROLE_FILES" | sed 's/^/    /')"
-  fi
-done
-
-if [ "$VIOLATIONS" -eq 0 ]; then
-  echo "PASS: nenhuma Edge Function user-facing (verify_jwt=true) usa SERVICE_ROLE_KEY."
-  exit 0
-else
-  echo "FAIL: $VIOLATIONS Edge Function(s) user-facing usam SERVICE_ROLE_KEY:$VIOLATIONS_DETAIL"
-  echo ""
-  echo "Fix: use ANON_KEY com JWT do user para preservar RLS. Se realmente precisa de service role:"
-  echo "  - Mover lógica privilegiada para Edge Function separada com verify_jwt=false (webhook ou cron-only)"
-  echo "  - OU validar manualmente quem está chamando antes de usar service role (anti-pattern, mas explícito)"
-  echo "Ref: kit/skills/_shared-multi-tenant/glossary.md (sub-seção super_admin) + kit/skills/supabase-rls-policies/SKILL.md"
-  exit 1
-fi
-```
-
-## Verdict
-
-- **passed** — nenhum service role em Edge Function user-facing → continuar
-- **block** — apresentar lista de Edge Functions violadoras + fix recomendado
-
-## Notes
-
-Edge Functions com `verify_jwt = false` (webhooks Evolution Go, Stripe, schedulers internos via pg_cron) podem usar service role legitimamente — gate skippa essas.
-
-Detecção pode produzir falso-positivo se code referencia o nome da var em comentário ou string literal (ex: documentação dentro do code). Para suprimir, mover documentação para arquivo externo ou usar comentário JSDoc fora do regex match.
-
-Para super-admin operations user-facing (impersonation, cross-tenant queries), pattern correto é:
-1. Endpoint user-facing valida `super_admin: true` em JWT app_metadata
-2. Endpoint chama segunda Edge Function interna (verify_jwt=false) que usa service role
-3. Audit log obrigatório no caminho
+---
+id: service-role-not-in-user-facing
+stage: pre-verify
+blocking: true
+description: Detecta uso de SUPABASE_SERVICE_ROLE_KEY em Edge Functions com verify_jwt:true (user-facing). Service role bypassa RLS — uso em rota acessível a usuário desliga toda autorização. Skip se projeto não tem supabase/functions/.
+---
+
+# Service Role Not In User-Facing gate
+
+**When to run:** pre-verify (blocking — anti-pitfall P0 multi-tenant).
+
+## Check
+
+```bash
+#!/usr/bin/env bash
+# PT-BR: detecta uso de SUPABASE_SERVICE_ROLE_KEY em Edge Functions com verify_jwt:true.
+# Anti-pitfall #2 multi-tenant: service role em rota user-facing = bypass total de RLS.
+# Bash 3.2-portable (macOS default).
+set -e
+
+FUNCTIONS_DIR="supabase/functions"
+CONFIG_FILE="supabase/config.toml"
+
+if [ ! -d "$FUNCTIONS_DIR" ]; then
+  echo "INFO: $FUNCTIONS_DIR não existe — projeto não usa Supabase Edge Functions. Gate skipped."
+  exit 0
+fi
+
+# PT-BR: env vars que indicam uso de service role
+SERVICE_ROLE_PATTERNS="SUPABASE_SERVICE_ROLE_KEY|SERVICE_ROLE_KEY|service_role_key|serviceRoleKey"
+
+VIOLATIONS=0
+VIOLATIONS_DETAIL=""
+
+# PT-BR: iterar cada Edge Function (cada subdir em functions/)
+FUNCTION_DIRS=$(find "$FUNCTIONS_DIR" -mindepth 1 -maxdepth 1 -type d 2>/dev/null)
+
+if [ -z "$FUNCTION_DIRS" ]; then
+  echo "INFO: nenhuma Edge Function em $FUNCTIONS_DIR — gate skipped."
+  exit 0
+fi
+
+for fn_dir in $FUNCTION_DIRS; do
+  fn_name=$(basename "$fn_dir")
+
+  # PT-BR: skip _shared (não é Edge Function deployable)
+  [ "$fn_name" = "_shared" ] && continue
+
+  # PT-BR: descobrir verify_jwt setting da função (default: true se ausente)
+  VERIFY_JWT="true"  # default Supabase
+  if [ -f "$CONFIG_FILE" ]; then
+    # PT-BR: parsing leve — procurar [functions.<name>] block + verify_jwt
+    SECTION_VERIFY=$(awk -v fn="$fn_name" '
+      $0 ~ "^\\[functions\\." fn "\\]" { in_section = 1; next }
+      in_section && /^\[/ { in_section = 0 }
+      in_section && /verify_jwt/ {
+        gsub(/[ \t]/, "")
+        split($0, a, "=")
+        print a[2]
+        exit
+      }
+    ' "$CONFIG_FILE" 2>/dev/null)
+
+    if [ -n "$SECTION_VERIFY" ]; then
+      VERIFY_JWT="$SECTION_VERIFY"
+    fi
+  fi
+
+  # PT-BR: se verify_jwt=false (webhook/internal), skip — service role é OK aqui
+  if [ "$VERIFY_JWT" = "false" ]; then
+    continue
+  fi
+
+  # PT-BR: buscar uso de service role em arquivos .ts/.js da function
+  SERVICE_ROLE_FILES=$(grep -rlE "$SERVICE_ROLE_PATTERNS" "$fn_dir" --include="*.ts" --include="*.js" --include="*.mjs" 2>/dev/null || true)
+
+  if [ -n "$SERVICE_ROLE_FILES" ]; then
+    VIOLATIONS=$((VIOLATIONS + 1))
+    VIOLATIONS_DETAIL="${VIOLATIONS_DETAIL}
+  Edge Function '$fn_name' (verify_jwt=$VERIFY_JWT) usa service role:
+$(echo "$SERVICE_ROLE_FILES" | sed 's/^/    /')"
+  fi
+done
+
+if [ "$VIOLATIONS" -eq 0 ]; then
+  echo "PASS: nenhuma Edge Function user-facing (verify_jwt=true) usa SERVICE_ROLE_KEY."
+  exit 0
+else
+  echo "FAIL: $VIOLATIONS Edge Function(s) user-facing usam SERVICE_ROLE_KEY:$VIOLATIONS_DETAIL"
+  echo ""
+  echo "Fix: use ANON_KEY com JWT do user para preservar RLS. Se realmente precisa de service role:"
+  echo "  - Mover lógica privilegiada para Edge Function separada com verify_jwt=false (webhook ou cron-only)"
+  echo "  - OU validar manualmente quem está chamando antes de usar service role (anti-pattern, mas explícito)"
+  echo "Ref: kit/skills/_shared-multi-tenant/glossary.md (sub-seção super_admin) + kit/skills/supabase-rls-policies/SKILL.md"
+  exit 1
+fi
+```
+
+## Verdict
+
+- **passed** — nenhum service role em Edge Function user-facing → continuar
+- **block** — apresentar lista de Edge Functions violadoras + fix recomendado
+
+## Notes
+
+Edge Functions com `verify_jwt = false` (webhooks Evolution Go, Stripe, schedulers internos via pg_cron) podem usar service role legitimamente — gate skippa essas.
+
+Detecção pode produzir falso-positivo se code referencia o nome da var em comentário ou string literal (ex: documentação dentro do code). Para suprimir, mover documentação para arquivo externo ou usar comentário JSDoc fora do regex match.
+
+Para super-admin operations user-facing (impersonation, cross-tenant queries), pattern correto é:
+1. Endpoint user-facing valida `super_admin: true` em JWT app_metadata
+2. Endpoint chama segunda Edge Function interna (verify_jwt=false) que usa service role
+3. Audit log obrigatório no caminho