@omnizap-system/omnizap 2.6.0 → 2.6.2

package/scripts/release.sh

@@ -29,9 +29,6 @@ RELEASE_GITHUB_RELEASE_INCLUDE_CHANGED_FILES="${RELEASE_GITHUB_RELEASE_INCLUDE_C
 RELEASE_GITHUB_RELEASE_MAX_FILES="${RELEASE_GITHUB_RELEASE_MAX_FILES:-300}"
 RELEASE_REQUIRE_DUAL_PUBLISH="${RELEASE_REQUIRE_DUAL_PUBLISH:-1}"
 RELEASE_VERIFY_UNIFIED_VERSION="${RELEASE_VERIFY_UNIFIED_VERSION:-1}"
-RELEASE_README_SYNC="${RELEASE_README_SYNC:-1}"
-RELEASE_README_SYNC_REQUIRED="${RELEASE_README_SYNC_REQUIRED:-0}"
-RELEASE_README_SYNC_COMMAND="${RELEASE_README_SYNC_COMMAND:-npm run readme:sync-snapshot}"
 RELEASE_WIKI_SYNC="${RELEASE_WIKI_SYNC:-1}"
 RELEASE_WIKI_SYNC_REQUIRED="${RELEASE_WIKI_SYNC_REQUIRED:-0}"
 RELEASE_WIKI_SYNC_COMMAND="${RELEASE_WIKI_SYNC_COMMAND:-bash ./scripts/wiki-sync.sh}"
@@ -480,20 +477,6 @@ if ! (
   exit 1
 fi
 
-if [ "$RELEASE_README_SYNC" = "1" ]; then
-  log "Sincronizando bloco dinâmico do README"
-  if ! (
-    cd "$PROJECT_ROOT" &&
-    bash -lc "$RELEASE_README_SYNC_COMMAND"
-  ); then
-    if [ "$RELEASE_README_SYNC_REQUIRED" = "1" ]; then
-      printf '[release] Falha ao sincronizar README e RELEASE_README_SYNC_REQUIRED=1.\n' >&2
-      exit 1
-    fi
-    log "Falha ao sincronizar README. Continuando release (RELEASE_README_SYNC_REQUIRED=0)."
-  fi
-fi
-
 if [ "$RELEASE_WIKI_SYNC" = "1" ]; then
   log "Sincronizando wiki do GitHub"
   if ! (
@@ -563,11 +546,11 @@ if [ "$RELEASE_GITHUB_RELEASE" = "1" ]; then
         --tag "$release_tag" \
         --target "$local_target" \
         --name "$local_name" \
-        --body-file "$release_body_file" \
         --generate-notes "$generate_notes_bool" \
         --prerelease "$prerelease_bool" \
         --draft "$draft_bool" \
-        --latest "$latest_bool"
+        --latest "$latest_bool" \
+        --body-stdin "true" < "$release_body_file"
     )"
   else
     release_output="$(

package/scripts/security-smoketest.mjs

@@ -1,4 +1,5 @@
 #!/usr/bin/env node
+import { now as __timeNow, nowIso as __timeNowIso, toUnixMs as __timeNowMs } from '#time';
 
 import fs from 'node:fs/promises';
 import path from 'node:path';
@@ -15,7 +16,7 @@ const MANUAL = 'MANUAL';
 
 const sqlErrorRegex = /(sql syntax|syntax error|mysql|sqlite|postgres|odbc|query failed|unclosed quotation|ORA-\d+)/i;
 
-const nowIso = () => new Date().toISOString();
+const nowIso = () => __timeNowIso();
 
 const safeJson = async (value) => {
   try {
@@ -190,9 +191,9 @@ const testDdosSafe = async () => {
       const idx = cursor;
       cursor += 1;
       if (idx >= total) return;
-      const startedAt = Date.now();
+      const startedAt = __timeNowMs();
       const res = await request('/healthz');
-      const elapsed = Date.now() - startedAt;
+      const elapsed = __timeNowMs() - startedAt;
       latencies.push(elapsed);
       if (!res.ok) failures += 1;
       if (res.status >= 500) serverErrors += 1;
@@ -202,8 +203,8 @@ const testDdosSafe = async () => {
   await Promise.all(Array.from({ length: concurrency }, () => worker()));
   latencies.sort((a, b) => a - b);
   const p95 = latencies[Math.floor(latencies.length * 0.95)] || 0;
-  const failureRate = total > 0 ? failures / total : 1;
-  const serverErrorRate = total > 0 ? serverErrors / total : 1;
+  const failureRate = failures / total;
+  const serverErrorRate = serverErrors / total;
   const status = failureRate <= 0.1 && serverErrorRate === 0 ? PASS : WARN;
 
   return {

package/scripts/security-web-surface-check.mjs

@@ -0,0 +1,218 @@
+#!/usr/bin/env node
+
+import { nowIso as __timeNowIso } from '#time';
+
+import fs from 'node:fs/promises';
+import path from 'node:path';
+import process from 'node:process';
+
+const rawBaseUrl = String(process.env.SECURITY_WEB_SURFACE_BASE_URL || 'https://omnizap.shop').trim() || 'https://omnizap.shop';
+const reportPath = String(process.env.SECURITY_WEB_SURFACE_REPORT_PATH || './temp/security-web-surface-report.json').trim();
+const requestTimeoutMs = Math.max(1_000, Number(process.env.SECURITY_WEB_SURFACE_TIMEOUT_MS || 10_000));
+
+const toBaseOrigin = (value) => {
+  const raw = String(value || '').trim();
+  if (!raw) return 'https://omnizap.shop';
+  try {
+    const parsed = new URL(raw);
+    return parsed.origin;
+  } catch {
+    try {
+      const parsed = new URL(`https://${raw}`);
+      return parsed.origin;
+    } catch {
+      return 'https://omnizap.shop';
+    }
+  }
+};
+
+const baseOrigin = toBaseOrigin(rawBaseUrl);
+
+const PASS = 'PASS';
+const FAIL = 'FAIL';
+
+const STATIC_REQUIRED_HEADERS = ['content-security-policy', 'permissions-policy', 'strict-transport-security', 'x-content-type-options', 'x-frame-options'];
+
+const API_REQUIRED_HEADERS = ['content-security-policy', 'cross-origin-opener-policy', 'cross-origin-resource-policy', 'permissions-policy', 'strict-transport-security', 'x-content-type-options', 'x-frame-options'];
+
+const checks = [
+  {
+    id: 1,
+    name: 'Root static page has security headers',
+    path: '/',
+    expectedStatuses: [200],
+    requiredHeaders: STATIC_REQUIRED_HEADERS,
+  },
+  {
+    id: 2,
+    name: 'Legal page has security headers',
+    path: '/notice-and-takedown/',
+    expectedStatuses: [200],
+    requiredHeaders: STATIC_REQUIRED_HEADERS,
+  },
+  {
+    id: 3,
+    name: 'Dotenv path is not exposed',
+    path: '/.env',
+    forbiddenStatuses: [200],
+    bodyLeakPatterns: [/DB_PASSWORD|MYSQL_PASSWORD|GITHUB_TOKEN|SECRET|PRIVATE_KEY/i],
+  },
+  {
+    id: 4,
+    name: 'Unknown path does not soft-fallback with 200',
+    path: '/__security_probe_nonexistent_omnizap__.txt',
+    expectedStatuses: [404],
+  },
+  {
+    id: 5,
+    name: 'Whitespace path fuzz does not return 200',
+    path: '/assets%20/',
+    forbiddenStatuses: [200],
+  },
+  {
+    id: 6,
+    name: 'API bootstrap keeps hardened headers',
+    path: '/api/home-bootstrap',
+    expectedStatuses: [200],
+    requiredHeaders: API_REQUIRED_HEADERS,
+  },
+];
+
+const request = async (targetPath) => {
+  const normalizedPath = String(targetPath || '/').startsWith('/') ? String(targetPath || '/') : `/${String(targetPath || '/')}`;
+  const url = `${baseOrigin}${normalizedPath}`;
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), requestTimeoutMs);
+
+  try {
+    const response = await fetch(url, {
+      method: 'GET',
+      redirect: 'manual',
+      signal: controller.signal,
+    });
+    const text = await response.text();
+    return {
+      ok: true,
+      url,
+      status: response.status,
+      headers: Object.fromEntries(response.headers.entries()),
+      body: text,
+    };
+  } catch (error) {
+    return {
+      ok: false,
+      url,
+      status: null,
+      headers: {},
+      body: '',
+      error: error?.message || String(error),
+    };
+  } finally {
+    clearTimeout(timeout);
+  }
+};
+
+const summarize = (items) =>
+  items.reduce(
+    (acc, item) => {
+      acc[item.status] = (acc[item.status] || 0) + 1;
+      return acc;
+    },
+    { PASS: 0, FAIL: 0 },
+  );
+
+const runCheck = async (check) => {
+  const response = await request(check.path);
+  const reasons = [];
+
+  if (!response.ok) {
+    reasons.push(`network_error:${response.error || 'unknown'}`);
+  }
+
+  if (Array.isArray(check.expectedStatuses) && check.expectedStatuses.length > 0) {
+    if (!check.expectedStatuses.includes(response.status)) {
+      reasons.push(`unexpected_status:${response.status}`);
+    }
+  }
+
+  if (Array.isArray(check.forbiddenStatuses) && check.forbiddenStatuses.length > 0) {
+    if (check.forbiddenStatuses.includes(response.status)) {
+      reasons.push(`forbidden_status:${response.status}`);
+    }
+  }
+
+  const missingHeaders = [];
+  for (const headerName of check.requiredHeaders || []) {
+    const resolved = response.headers?.[headerName];
+    if (!resolved) missingHeaders.push(headerName);
+  }
+
+  if (missingHeaders.length > 0) {
+    reasons.push(`missing_headers:${missingHeaders.join(',')}`);
+  }
+
+  const leakPatternHit = (check.bodyLeakPatterns || []).find((pattern) => pattern.test(String(response.body || '')));
+  if (leakPatternHit) {
+    reasons.push(`body_leak_pattern:${String(leakPatternHit)}`);
+  }
+
+  return {
+    id: check.id,
+    name: check.name,
+    path: check.path,
+    status: reasons.length > 0 ? FAIL : PASS,
+    reasons,
+    evidence: {
+      url: response.url,
+      status: response.status,
+      headers: response.headers,
+      body_preview: String(response.body || '').slice(0, 240),
+    },
+  };
+};
+
+const writeReport = async (payload) => {
+  const absolutePath = path.resolve(process.cwd(), reportPath);
+  await fs.mkdir(path.dirname(absolutePath), { recursive: true });
+  await fs.writeFile(absolutePath, `${JSON.stringify(payload, null, 2)}\n`, 'utf8');
+  return absolutePath;
+};
+
+const main = async () => {
+  const startedAt = __timeNowIso();
+  const results = [];
+
+  for (const check of checks) {
+    const result = await runCheck(check);
+    results.push(result);
+    console.log(`[security-web-surface] ${String(result.id).padStart(2, '0')} ${result.name}: ${result.status}`);
+  }
+
+  const summary = summarize(results);
+  const endedAt = __timeNowIso();
+  const report = {
+    meta: {
+      base_origin: baseOrigin,
+      started_at: startedAt,
+      ended_at: endedAt,
+      timeout_ms: requestTimeoutMs,
+    },
+    summary,
+    results,
+  };
+
+  const reportAbsolutePath = await writeReport(report);
+  console.log('[security-web-surface] ---');
+  console.log(`[security-web-surface] base_origin=${baseOrigin}`);
+  console.log(`[security-web-surface] summary=${JSON.stringify(summary)}`);
+  console.log(`[security-web-surface] report_path=${reportAbsolutePath}`);
+
+  if ((summary.FAIL || 0) > 0) {
+    process.exitCode = 1;
+  }
+};
+
+main().catch((error) => {
+  console.error(`[security-web-surface] fatal_error=${error?.message || error}`);
+  process.exit(1);
+});

package/scripts/sticker-catalog-loadtest.mjs

@@ -1,4 +1,5 @@
 #!/usr/bin/env node
+import { now as __timeNow, nowIso as __timeNowIso, toUnixMs as __timeNowMs } from '#time';
 import http from 'node:http';
 import https from 'node:https';
 import { performance } from 'node:perf_hooks';
@@ -106,7 +107,7 @@ const runRequest = (pathName) =>
 
 const runWorker = async ({ deadlineMs, workerIndex, stats }) => {
   let requestIndex = workerIndex % requestPaths.length;
-  while (Date.now() < deadlineMs) {
+  while (__timeNowMs() < deadlineMs) {
     const pathName = requestPaths[requestIndex % requestPaths.length];
     requestIndex += 1;
 
@@ -129,7 +130,7 @@ const runWorker = async ({ deadlineMs, workerIndex, stats }) => {
 };
 
 const main = async () => {
-  const startedAt = Date.now();
+  const startedAt = __timeNowMs();
   const deadlineMs = startedAt + durationSeconds * 1000;
   const stats = {
     total: 0,
@@ -154,7 +155,7 @@ const main = async () => {
     ),
   );
 
-  const elapsedSeconds = Math.max(0.001, (Date.now() - startedAt) / 1000);
+  const elapsedSeconds = Math.max(0.001, (__timeNowMs() - startedAt) / 1000);
   const sortedLatencies = [...stats.latencies].sort((a, b) => a - b);
   const p50 = quantile(sortedLatencies, 0.5);
   const p90 = quantile(sortedLatencies, 0.9);
@@ -165,7 +166,7 @@ const main = async () => {
 
   const summary = {
     started_at: new Date(startedAt).toISOString(),
-    ended_at: new Date().toISOString(),
+    ended_at: __timeNowIso(),
     base_url: baseUrl,
     duration_seconds: Number(elapsedSeconds.toFixed(3)),
     concurrency,

package/server/auth/googleWebAuth/googleWebAuthService.js

@@ -1,3 +1,4 @@
+import { now as __timeNow, nowIso as __timeNowIso, toUnixMs as __timeNowMs } from '#time';
 import { createHash, randomUUID } from 'node:crypto';
 import axios from 'axios';
 
@@ -35,7 +36,7 @@ export const createGoogleWebAuthService = ({ executeQuery, runSqlTransaction, ta
   const USER_PASSWORD_TABLE = String(tables.STICKER_WEB_USER_PASSWORD || 'web_user_password').trim() || 'web_user_password';
 
   const pruneExpiredGoogleSessions = () => {
-    const now = Date.now();
+    const now = __timeNowMs();
     for (const [token, session] of webGoogleSessionMap.entries()) {
       if (!session || Number(session.expiresAt || 0) <= now) {
         webGoogleSessionMap.delete(token);
@@ -145,15 +146,15 @@ export const createGoogleWebAuthService = ({ executeQuery, runSqlTransaction, ta
       picture: String(row.picture_url || '').trim() || null,
       ownerJid,
       ownerPhone,
-      createdAt: Number.isFinite(createdAtRaw) ? createdAtRaw : Date.now(),
+      createdAt: Number.isFinite(createdAtRaw) ? createdAtRaw : __timeNowMs(),
       expiresAt,
       lastSeenAt: Number.isFinite(lastSeenAtRaw) ? lastSeenAtRaw : 0,
-      lastDbTouchAt: Date.now(),
+      lastDbTouchAt: __timeNowMs(),
     };
   };
 
   const maybePruneExpiredGoogleSessionsFromDb = async () => {
-    const now = Date.now();
+    const now = __timeNowMs();
     if (now - googleWebSessionDbPruneAt < sessionDbPruneIntervalMs) return;
     googleWebSessionDbPruneAt = now;
     try {
@@ -368,7 +369,7 @@ export const createGoogleWebAuthService = ({ executeQuery, runSqlTransaction, ta
   const createGoogleWebSession = (claims, { ownerJid } = {}) => {
     pruneExpiredGoogleSessions();
     const token = randomUUID();
-    const now = Date.now();
+    const now = __timeNowMs();
     const resolvedOwnerJid = normalizeJid(ownerJid) || buildGoogleOwnerJid(claims.sub);
     const resolvedOwnerPhone = toWhatsAppPhoneDigits(resolvedOwnerJid) || '';
     return {
@@ -394,7 +395,7 @@ export const createGoogleWebAuthService = ({ executeQuery, runSqlTransaction, ta
 
   const issueAccessTokenForSession = (session) => {
     if (!session?.sub) return '';
-    const expiresInSeconds = Math.max(60, Math.floor((Number(session.expiresAt || 0) - Date.now()) / 1000));
+    const expiresInSeconds = Math.max(60, Math.floor((Number(session.expiresAt || 0) - __timeNowMs()) / 1000));
     return (
       signWebAuthJwt(
         {
@@ -495,7 +496,7 @@ export const createGoogleWebAuthService = ({ executeQuery, runSqlTransaction, ta
 
   const touchGoogleWebSessionActivity = (session) => {
     if (!session?.token || !session?.sub) return;
-    const now = Date.now();
+    const now = __timeNowMs();
     session.lastSeenAt = now;
     if (now - Number(session.lastDbTouchAt || 0) < sessionDbTouchIntervalMs) {
       return;

package/server/auth/jwt/webJwtService.js

@@ -15,7 +15,7 @@ const clampInt = (value, fallback, min, max) => {
 };
 
 const WEB_AUTH_JWT_SECRET = String(process.env.WEB_AUTH_JWT_SECRET || '').trim();
-const WEB_AUTH_JWT_ISSUER = String(process.env.WEB_AUTH_JWT_ISSUER || 'omnizap-system').trim() || 'omnizap-system';
+const WEB_AUTH_JWT_ISSUER = String(process.env.WEB_AUTH_JWT_ISSUER || 'omnizap').trim() || 'omnizap';
 const WEB_AUTH_JWT_AUDIENCE = String(process.env.WEB_AUTH_JWT_AUDIENCE || 'omnizap-web').trim() || 'omnizap-web';
 const WEB_AUTH_JWT_EXPIRES_IN = String(process.env.WEB_AUTH_JWT_EXPIRES_IN || '7d').trim() || '7d';
 const WEB_AUTH_JWT_DISABLED = parseEnvBool(process.env.WEB_AUTH_JWT_DISABLED, false);

package/server/auth/stickerCatalogAuthContext.js

@@ -1,3 +1,4 @@
+import { now as __timeNow, nowIso as __timeNowIso, toUnixMs as __timeNowMs } from '#time';
 import { createGoogleWebAuthRuntime, normalizeGoogleSubject } from './googleWebAuth/googleWebAuthRuntime.js';
 import { isWebAuthJwtEnabled, signWebAuthJwt, verifyWebAuthJwt } from './jwt/webJwtService.js';
 import userPasswordAuthService from './userPassword/index.js';
@@ -13,7 +14,7 @@ export const createStickerCatalogAuthContext = ({ executeQuery, runSqlTransactio
 
     const safeName = sanitizeText(name || '', 80, { allowEmpty: true }) || '';
     const normalizedOwnerJid = normalizeJid(ownerJid) || null;
-    const idempotencyKey = `google_web_welcome:${normalizedEmail}:${new Date().toISOString().slice(0, 10)}`;
+    const idempotencyKey = `google_web_welcome:${normalizedEmail}:${__timeNowIso().slice(0, 10)}`;
 
     void queueWelcomeEmail({
       to: normalizedEmail,

package/server/auth/termsAcceptance/termsAcceptanceHandler.js

@@ -1,3 +1,4 @@
+import { now as __timeNow, nowIso as __timeNowIso, toUnixMs as __timeNowMs } from '#time';
 import { createHash, randomUUID } from 'node:crypto';
 
 const DEFAULT_LEGAL_VERSION = '2026-03-07';
@@ -129,7 +130,7 @@ export const createTermsAcceptanceHandler = ({ executeQuery, tables, logger, sen
     }
 
     const source = normalizeTermsAcceptanceSource(payload.source) || legalDefaultAcceptanceSource;
-    const acceptedAt = new Date();
+    const acceptedAt = __timeNow();
     const acceptedAtClient = parseAcceptedAtClientDate(payload.accepted_at);
     const cookies = parseCookies(req);
     const sessionKey = normalizeTermsAcceptanceSessionKey(cookies[webSessionCookieName] || '');

package/server/auth/userPassword/userPasswordAuthService.js

@@ -1,3 +1,4 @@
+import { now as __timeNow, nowIso as __timeNowIso, toUnixMs as __timeNowMs } from '#time';
 import { hashUserPassword, resolveUserPasswordPolicy, validateUserPassword, verifyUserPasswordHash } from './userPasswordCrypto.js';
 
 const clampInt = (value, fallback, min, max) => {
@@ -139,7 +140,7 @@ export const createUserPasswordAuthService = ({ executeQuery, tables = {}, logge
       return { locked: false, retryAfterSeconds: 0 };
     }
 
-    const elapsedSeconds = Math.max(0, Math.floor((Date.now() - lastFailedAtMs) / 1000));
+    const elapsedSeconds = Math.max(0, Math.floor((__timeNowMs() - lastFailedAtMs) / 1000));
     const retryAfterSeconds = Math.max(0, lockoutSeconds - elapsedSeconds);
     if (retryAfterSeconds <= 0) {
       return { locked: false, retryAfterSeconds: 0 };

package/server/auth/userPassword/userPasswordRecoveryService.js

@@ -1,3 +1,4 @@
+import { now as __timeNow, nowIso as __timeNowIso, toUnixMs as __timeNowMs } from '#time';
 import { createHash, pbkdf2 as pbkdf2Callback, randomInt, randomUUID, timingSafeEqual } from 'node:crypto';
 import { promisify } from 'node:util';
 
@@ -312,7 +313,7 @@ export const createUserPasswordRecoveryService = ({ executeQuery, userPasswordAu
     const oldestCreatedAt = rows?.[0]?.oldest_created_at ? Date.parse(rows[0].oldest_created_at) : NaN;
     if (!Number.isFinite(oldestCreatedAt)) return safeWindowSeconds;
 
-    const elapsedSeconds = Math.max(0, Math.floor((Date.now() - oldestCreatedAt) / 1000));
+    const elapsedSeconds = Math.max(0, Math.floor((__timeNowMs() - oldestCreatedAt) / 1000));
     return Math.max(1, safeWindowSeconds - elapsedSeconds);
   };
 
@@ -334,7 +335,7 @@ export const createUserPasswordRecoveryService = ({ executeQuery, userPasswordAu
     const row = Array.isArray(rows) ? rows[0] : null;
     if (!row) return null;
     const createdAtMs = row.created_at ? Date.parse(row.created_at) : NaN;
-    const elapsedSeconds = Number.isFinite(createdAtMs) ? Math.max(0, Math.floor((Date.now() - createdAtMs) / 1000)) : resendCooldownSeconds;
+    const elapsedSeconds = Number.isFinite(createdAtMs) ? Math.max(0, Math.floor((__timeNowMs() - createdAtMs) / 1000)) : resendCooldownSeconds;
     const retryAfterSeconds = Math.max(0, resendCooldownSeconds - elapsedSeconds);
     return {
       id: Number(row.id || 0),
@@ -496,7 +497,7 @@ export const createUserPasswordRecoveryService = ({ executeQuery, userPasswordAu
           remote_ip: normalizeIp(requestMeta?.remoteIp) || null,
         },
         priority: 95,
-        idempotencyKey: `web_user_password_recovery:${knownUser.google_sub}:${normalizedPurpose}:${new Date().toISOString().slice(0, 16)}`,
+        idempotencyKey: `web_user_password_recovery:${knownUser.google_sub}:${normalizedPurpose}:${__timeNowIso().slice(0, 16)}`,
       });
     } catch (error) {
       await executeQuery(

package/server/auth/webAccount/webAccountHandlers.js

@@ -1,3 +1,4 @@
+import { now as __timeNow, nowIso as __timeNowIso, toUnixMs as __timeNowMs } from '#time';
 import { scryptSync } from 'node:crypto';
 
 const MY_PROFILE_DEFAULT_STATS = Object.freeze({
@@ -119,7 +120,7 @@ const toPasswordRecoverySessionExpiresAt = (claims) => {
 const toPasswordRecoverySessionExpiresIn = (claims) => {
   const expUnix = Number(claims?.exp || 0);
   if (!Number.isFinite(expUnix) || expUnix <= 0) return null;
-  return Math.max(0, Math.floor(expUnix - Date.now() / 1000));
+  return Math.max(0, Math.floor(expUnix - __timeNowMs() / 1000));
 };
 
 const signPasswordRecoverySessionToken = ({ sub = '', email = '', ownerJid = '' } = {}, { isWebAuthJwtEnabled, signWebAuthJwt, passwordRecoverySessionAuthMethod, passwordRecoverySessionTtlSeconds }) => {
@@ -202,9 +203,7 @@ const isUnknownColumnError = (error, columnName = '') => {
   if (code !== 'ER_BAD_FIELD_ERROR' && errno !== 1054) return false;
   if (!columnName) return true;
   const message = String(error?.message || '').toLowerCase();
-  const normalizedColumn = String(columnName || '')
-    .trim()
-    .toLowerCase();
+  const normalizedColumn = String(columnName).trim().toLowerCase();
   if (!normalizedColumn) return true;
   return message.includes(`unknown column '${normalizedColumn}'`) || message.includes(`unknown column \`${normalizedColumn}\``);
 };
@@ -233,7 +232,7 @@ export const createWebAccountAuthHandlers = ({ sendJson, readJsonBody, logger, p
     return '';
   };
 
-  const maybePrunePasswordLoginIdentityThrottle = async (nowMs = Date.now()) => {
+  const maybePrunePasswordLoginIdentityThrottle = async (nowMs = __timeNowMs()) => {
     if (nowMs - passwordLoginIdentityPruneAt < 60 * 60 * 1000) return;
     passwordLoginIdentityPruneAt = nowMs;
     const staleAfterSeconds = Math.max(60 * 60, passwordLoginIdentityLockoutSeconds * 2);
@@ -266,12 +265,12 @@ export const createWebAccountAuthHandlers = ({ sendJson, readJsonBody, logger, p
       );
       const row = Array.isArray(rows) ? rows[0] : null;
       const lockedUntilMs = Date.parse(String(row?.locked_until || ''));
-      if (!Number.isFinite(lockedUntilMs) || lockedUntilMs <= Date.now()) {
+      if (!Number.isFinite(lockedUntilMs) || lockedUntilMs <= __timeNowMs()) {
         return { locked: false, retryAfterSeconds: 0 };
       }
       return {
         locked: true,
-        retryAfterSeconds: Math.max(1, Math.ceil((lockedUntilMs - Date.now()) / 1000)),
+        retryAfterSeconds: Math.max(1, Math.ceil((lockedUntilMs - __timeNowMs()) / 1000)),
       };
     } catch (error) {
       logger?.warn?.('Falha ao consultar throttle distribuido de login por identidade.', {
@@ -321,12 +320,12 @@ export const createWebAccountAuthHandlers = ({ sendJson, readJsonBody, logger, p
       );
       const row = Array.isArray(rows) ? rows[0] : null;
       const lockedUntilMs = Date.parse(String(row?.locked_until || ''));
-      if (!Number.isFinite(lockedUntilMs) || lockedUntilMs <= Date.now()) {
+      if (!Number.isFinite(lockedUntilMs) || lockedUntilMs <= __timeNowMs()) {
         return { locked: false, retryAfterSeconds: 0 };
       }
       return {
         locked: true,
-        retryAfterSeconds: Math.max(1, Math.ceil((lockedUntilMs - Date.now()) / 1000)),
+        retryAfterSeconds: Math.max(1, Math.ceil((lockedUntilMs - __timeNowMs()) / 1000)),
       };
     } catch (error) {
       logger?.warn?.('Falha ao registrar tentativa no throttle distribuido de login por identidade.', {
@@ -1201,7 +1200,7 @@ export const createWebAccountAuthHandlers = ({ sendJson, readJsonBody, logger, p
 
         let avgDaily = 0;
         if (usage.messages > 0 && usage.first_message_at) {
-          const daysDiff = Math.max(1, (Date.now() - new Date(usage.first_message_at).getTime()) / (1000 * 60 * 60 * 24));
+          const daysDiff = Math.max(1, (__timeNowMs() - new Date(usage.first_message_at).getTime()) / (1000 * 60 * 60 * 24));
           avgDaily = (usage.messages / daysDiff).toFixed(2);
         }