npm - @omnizap-system/omnizap - Versions diffs - 2.6.1 → 2.6.3 - Mend

@omnizap-system/omnizap 2.6.1 → 2.6.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (172) hide show

package/.env.example +78 -9
package/.github/workflows/ci.yml +3 -3
package/.github/workflows/security-runner-hardening.yml +1 -1
package/.github/workflows/security-zap-full-scan.yml +1 -0
package/app/config/index.js +6 -0
package/app/configParts/adminIdentity.js +36 -7
package/app/configParts/baileysConfig.js +343 -56
package/app/configParts/groupUtils.js +226 -0
package/app/configParts/loggerConfig.js +185 -0
package/app/configParts/messagePersistenceService.js +307 -5
package/app/configParts/sessionConfig.js +242 -0
package/app/connection/baileysCompatibility.test.js +10 -1
package/app/connection/baileysDbAuthState.js +205 -9
package/app/connection/baileysLibsignalPatch.js +210 -0
package/app/connection/groupOwnerWriteStateResolver.js +141 -0
package/app/connection/socketController.js +694 -123
package/app/connection/socketController.multiSession.test.js +128 -0
package/app/controllers/messageController.js +1 -1
package/app/controllers/messagePipeline/commandMiddleware.js +12 -10
package/app/controllers/messagePipeline/conversationMiddleware.js +2 -1
package/app/controllers/messagePipeline/messagePipelineMiddlewares.test.js +104 -0
package/app/controllers/messagePipeline/preProcessingMiddlewares.js +96 -4
package/app/controllers/messageProcessingPipeline.js +90 -9
package/app/controllers/messageProcessingPipeline.test.js +202 -0
package/app/modules/adminModule/AGENT.md +1 -1
package/app/modules/adminModule/commandConfig.json +3318 -1347
package/app/modules/adminModule/groupCommandHandlers.js +856 -14
package/app/modules/adminModule/groupCommandHandlers.test.js +375 -9
package/app/modules/adminModule/groupWarningRepository.js +152 -0
package/app/modules/aiModule/AGENT.md +47 -30
package/app/modules/aiModule/aiConfigRuntime.js +1 -0
package/app/modules/aiModule/catCommand.js +132 -25
package/app/modules/aiModule/commandConfig.json +114 -28
package/app/modules/analyticsModule/messageAnalysisEventRepository.js +54 -6
package/app/modules/gameModule/AGENT.md +1 -1
package/app/modules/gameModule/commandConfig.json +29 -0
package/app/modules/menuModule/AGENT.md +1 -1
package/app/modules/menuModule/commandConfig.json +45 -10
package/app/modules/menuModule/menuCatalogService.js +190 -0
package/app/modules/menuModule/menuCommandUsageRepository.js +109 -0
package/app/modules/menuModule/menuDynamicService.js +511 -0
package/app/modules/menuModule/menuDynamicService.test.js +141 -0
package/app/modules/menuModule/menus.js +36 -5
package/app/modules/playModule/AGENT.md +10 -5
package/app/modules/playModule/commandConfig.json +74 -16
package/app/modules/playModule/playCommandConstants.js +13 -7
package/app/modules/playModule/playCommandCore.js +4 -6
package/app/modules/playModule/{playCommandYtDlpClient.js → playCommandMediaClient.js} +684 -332
package/app/modules/playModule/playConfigRuntime.js +5 -6
package/app/modules/playModule/playModuleCriticalFlows.test.js +44 -59
package/app/modules/quoteModule/AGENT.md +1 -1
package/app/modules/quoteModule/commandConfig.json +29 -0
package/app/modules/rpgPokemonModule/AGENT.md +1 -1
package/app/modules/rpgPokemonModule/commandConfig.json +29 -0
package/app/modules/statsModule/AGENT.md +1 -1
package/app/modules/statsModule/commandConfig.json +58 -0
package/app/modules/stickerModule/AGENT.md +1 -1
package/app/modules/stickerModule/commandConfig.json +145 -0
package/app/modules/stickerPackModule/AGENT.md +1 -1
package/app/modules/stickerPackModule/autoPackCollectorService.js +5 -1
package/app/modules/stickerPackModule/commandConfig.json +29 -0
package/app/modules/stickerPackModule/stickerAutoPackByTagsRuntime.js +1 -1
package/app/modules/stickerPackModule/stickerPackCommandHandlers.js +78 -57
package/app/modules/stickerPackModule/stickerPackService.js +13 -6
package/app/modules/systemMetricsModule/AGENT.md +1 -1
package/app/modules/systemMetricsModule/commandConfig.json +29 -0
package/app/modules/tiktokModule/AGENT.md +1 -1
package/app/modules/tiktokModule/commandConfig.json +29 -0
package/app/modules/userModule/AGENT.md +1 -1
package/app/modules/userModule/commandConfig.json +29 -0
package/app/modules/waifuPicsModule/AGENT.md +57 -27
package/app/modules/waifuPicsModule/commandConfig.json +87 -0
package/app/observability/metrics.js +136 -0
package/app/services/ai/commandConfigEnrichmentService.js +229 -47
package/app/services/ai/geminiService.js +131 -7
package/app/services/ai/geminiService.test.js +59 -2
package/app/services/ai/moduleAiHelpCoreService.js +33 -4
package/app/services/group/groupMetadataService.js +24 -1
package/app/services/infra/dbWriteQueue.js +51 -21
package/app/services/messaging/newsBroadcastService.js +843 -27
package/app/services/multiSession/assignmentBalancerService.js +452 -0
package/app/services/multiSession/groupOwnershipRepository.js +346 -0
package/app/services/multiSession/groupOwnershipService.js +809 -0
package/app/services/multiSession/groupOwnershipService.test.js +317 -0
package/app/services/multiSession/sessionRegistryService.js +239 -0
package/app/store/aiPromptStore.js +36 -19
package/app/store/groupConfigStore.js +41 -5
package/app/store/premiumUserStore.js +21 -7
package/app/utils/antiLink/antiLinkModule.js +391 -25
package/app/workers/aiHelperContinuousLearningWorker.js +512 -0
package/database/index.js +6 -0
package/database/migrations/20260307_d0_hardening_down.sql +1 -1
package/database/migrations/20260314_d7_canonical_sender_down.sql +1 -1
package/database/migrations/20260406_d30_security_analytics_down.sql +1 -1
package/database/migrations/20260411_d35_group_community_metadata_down.sql +59 -0
package/database/migrations/20260411_d35_group_community_metadata_up.sql +62 -0
package/database/migrations/20260412_d36_system_config_tables_down.sql +32 -0
package/database/migrations/20260412_d36_system_config_tables_up.sql +66 -0
package/database/migrations/20260413_d37_group_user_warnings_down.sql +11 -0
package/database/migrations/20260413_d37_group_user_warnings_up.sql +24 -0
package/database/migrations/20260414_d38_multi_session_foundation_down.sql +72 -0
package/database/migrations/20260414_d38_multi_session_foundation_up.sql +125 -0
package/database/migrations/20260414_d39_multi_session_cutover_down.sql +103 -0
package/database/migrations/20260414_d39_multi_session_cutover_up.sql +83 -0
package/database/schema.sql +102 -1
package/docker-compose.yml +4 -1
package/docs/compliance/acceptable-use-policy-2026-03-07.md +1 -1
package/docs/compliance/privacy-policy-2026-03-07.md +2 -2
package/docs/security/dsar-lgpd-runbook-2026-03-07.md +1 -1
package/docs/security/network-hardening-runbook-2026-03-07.md +53 -0
package/docs/security/omnizap-static-security-headers.conf +25 -0
package/ecosystem.prod.config.cjs +31 -11
package/index.js +52 -18
package/observability/alert-rules.yml +20 -0
package/observability/grafana/dashboards/omnizap-system-admin.json +229 -0
package/observability/mysql-setup.sql +4 -4
package/observability/system-admin-observability.md +26 -0
package/package.json +14 -6
package/public/comandos/commands-catalog.json +2253 -78
package/public/css/payments-react.css +478 -0
package/public/js/apps/commandsReactApp.js +267 -87
package/public/js/apps/createPackApp.js +3 -3
package/public/js/apps/homeReactApp.js +2 -2
package/public/js/apps/paymentsCancelReactApp.js +45 -0
package/public/js/apps/paymentsReactApp.js +399 -0
package/public/js/apps/paymentsSuccessReactApp.js +148 -0
package/public/js/apps/stickersApp.js +255 -103
package/public/js/apps/termsReactApp.js +57 -8
package/public/js/apps/userPasswordResetReactApp.js +406 -0
package/public/js/apps/userReactApp.js +96 -47
package/public/js/apps/userSystemAdmReactApp.js +1506 -0
package/public/pages/pagamentos-cancelado.html +21 -0
package/public/pages/pagamentos-sucesso.html +21 -0
package/public/pages/pagamentos.html +30 -0
package/public/pages/politica-de-privacidade.html +1 -1
package/public/pages/stickers.html +5 -5
package/public/pages/termos-de-uso-texto-integral.html +1 -1
package/public/pages/termos-de-uso.html +1 -1
package/public/pages/user-password-reset.html +3 -4
package/public/pages/user-systemadm.html +8 -462
package/public/pages/user.html +1 -1
package/scripts/clear-whatsapp-session.sh +123 -0
package/scripts/core-ai-mode.mjs +163 -0
package/scripts/deploy.sh +13 -0
package/scripts/enrich-command-config-ux-openai.mjs +492 -0
package/scripts/generate-commands-catalog.mjs +155 -0
package/scripts/new-whatsapp-session.sh +564 -0
package/scripts/security-web-surface-check.mjs +218 -0
package/server/controllers/admin/adminPanelHandlers.js +253 -3
package/server/controllers/admin/systemAdminController.js +254 -0
package/server/controllers/payments/paymentsController.js +731 -0
package/server/controllers/sticker/stickerCatalogController.js +9 -23
package/server/controllers/system/contactController.js +9 -17
package/server/controllers/system/stickerCatalogSystemContext.js +27 -6
package/server/controllers/system/systemController.js +228 -1
package/server/controllers/userController.js +6 -0
package/server/email/emailAutomationRuntime.js +36 -1
package/server/email/emailAutomationService.js +42 -1
package/server/email/emailTemplateService.js +140 -33
package/server/http/httpRequestUtils.js +18 -14
package/server/http/httpServer.js +8 -4
package/server/middleware/securityHeaders.js +35 -3
package/server/routes/admin/systemAdminRouter.js +6 -0
package/server/routes/indexRouter.js +50 -6
package/server/routes/observability/grafanaProxyRouter.js +254 -0
package/server/routes/payments/paymentsRouter.js +47 -0
package/server/routes/static/staticPageRouter.js +30 -1
package/server/utils/publicContact.js +31 -0
package/utils/whatsapp/contactEnv.js +39 -0
package/vite.config.mjs +5 -1
package/app/modules/playModule/local/installYtDlp.js +0 -25
package/app/modules/playModule/local/ytDlpInstaller.js +0 -28

package/server/email/emailTemplateService.js CHANGED Viewed

@@ -1,6 +1,9 @@
 import { now as __timeNow, nowIso as __timeNowIso, toUnixMs as __timeNowMs } from '#time';
+import logger from '#logger';
+import { resolveAdminPhoneFromEnv, resolveBotPhoneFromEnv, resolveSupportPhoneFromEnv } from '../../utils/whatsapp/contactEnv.js';
 const DEFAULT_SITE_ORIGIN = 'https://omnizap.shop';
 const DEFAULT_BRAND_NAME = 'OmniZap';
+const DEFAULT_BRAND_LOGO_PATH = '/assets/images/brand-logo-128.webp';
 const resolveSiteOrigin = () =>
   String(process.env.SITE_ORIGIN || process.env.WHATSAPP_LOGIN_BASE_URL || DEFAULT_SITE_ORIGIN)
@@ -27,6 +30,24 @@ const escapeHtml = (value) =>
     .replace(/"/g, '&quot;')
     .replace(/'/g, '&#39;');
+const summarizePayloadKeys = (value, maxItems = 24) => {
+  if (!value || typeof value !== 'object' || Array.isArray(value)) return [];
+  return Object.keys(value)
+    .map((key) =>
+      String(key || '')
+        .trim()
+        .slice(0, 64),
+    )
+    .filter(Boolean)
+    .slice(0, maxItems);
+};
+const clipTemplatePreview = (value, maxLength = 140) =>
+  String(value || '')
+    .replace(/\s+/g, ' ')
+    .trim()
+    .slice(0, maxLength);
 const normalizeHttpUrl = (value, fallback = '') => {
   const normalized = String(value || '')
     .trim()
@@ -47,6 +68,19 @@ const normalizeEmailAddress = (value) => {
   return candidate.slice(0, 255);
 };
+const resolveBrandLogoUrl = ({ siteOrigin = '', payloadLogoUrl = '' } = {}) => {
+  const fallbackLogoUrl = normalizeHttpUrl(`${String(siteOrigin || DEFAULT_SITE_ORIGIN).replace(/\/+$/, '')}${DEFAULT_BRAND_LOGO_PATH}`, `${DEFAULT_SITE_ORIGIN}${DEFAULT_BRAND_LOGO_PATH}`);
+  const explicitLogoUrl = normalizeHttpUrl(payloadLogoUrl || process.env.EMAIL_BRAND_LOGO_URL || '', '');
+  if (!explicitLogoUrl) return fallbackLogoUrl;
+  const explicitLower = explicitLogoUrl.toLowerCase();
+  const looksLikeFavicon = explicitLower.endsWith('/favicon.ico') || explicitLower.includes('/favicon-');
+  if (looksLikeFavicon) return fallbackLogoUrl;
+  return explicitLogoUrl;
+};
 const normalizePhoneDigits = (value, maxLength = 20) =>
   String(value || '')
     .replace(/\D+/g, '')
@@ -77,7 +111,7 @@ const resolveBrandConfig = (payload = {}) => {
   const supportFallback = `${siteOrigin}/termos-de-uso/`;
   const replyToAddress = normalizeEmailAddress(payload?.replyTo || process.env.SMTP_REPLY_TO || process.env.EMAIL_REPLY_TO || process.env.MAIL_REPLY_TO || '');
   const fromAddress = normalizeEmailAddress(process.env.SMTP_FROM || process.env.EMAIL_FROM || process.env.MAIL_FROM || process.env.SMTP_USER || process.env.EMAIL_USER || process.env.MAIL_USER || '');
-  const supportPhoneCandidate = normalizePhoneDigits(payload?.supportPhone || process.env.EMAIL_BRAND_SUPPORT_PHONE || process.env.WHATSAPP_SUPPORT_NUMBER || process.env.OWNER_NUMBER || '', 20);
+  const supportPhoneCandidate = normalizePhoneDigits(payload?.supportPhone || resolveSupportPhoneFromEnv({ fallback: resolveAdminPhoneFromEnv({ fallback: '' }) }) || '', 20);
   const supportPhoneDigits = isLikelyPhoneDigits(supportPhoneCandidate) ? supportPhoneCandidate : '';
   const supportPhonePn = formatPhonePn(supportPhoneDigits);
   const supportWhatsappUrl = supportPhoneDigits ? `https://wa.me/${supportPhoneDigits}` : '';
@@ -88,7 +122,10 @@ const resolveBrandConfig = (payload = {}) => {
     siteOrigin,
     brandName: normalizeText(payload?.brandName || process.env.EMAIL_BRAND_NAME || DEFAULT_BRAND_NAME, 80) || DEFAULT_BRAND_NAME,
     brandTagline: normalizeText(payload?.brandTagline || process.env.EMAIL_BRAND_TAGLINE || 'Automação profissional para WhatsApp.', 120) || null,
-    brandLogoUrl: normalizeHttpUrl(payload?.brandLogoUrl || payload?.logoUrl || process.env.EMAIL_BRAND_LOGO_URL || '', ''),
+    brandLogoUrl: resolveBrandLogoUrl({
+      siteOrigin,
+      payloadLogoUrl: payload?.brandLogoUrl || payload?.logoUrl || '',
+    }),
     supportUrl: resolvedSupportUrl,
     supportLabel: resolvedSupportLabel || 'Central de suporte',
     supportEmail: replyToAddress || fromAddress || '',
@@ -127,53 +164,75 @@ const renderEmailLayout = ({ payload = {}, preheader = '', heading = '', greetin
   const safeSecurityNote = normalizeText(securityNote, 220);
   const safeFooterMessage = normalizeText(footerMessage, 220);
   const year = __timeNow().getUTCFullYear();
+  const generatedAt = __timeNowIso();
-  const logoBlock = brand.brandLogoUrl ? `<img src="${escapeHtml(brand.brandLogoUrl)}" alt="${escapeHtml(brand.brandName)}" width="132" style="display:block;border:0;outline:none;text-decoration:none;height:auto;margin:0 auto;" />` : `<div style="display:inline-block;font-size:26px;font-weight:800;color:#0f172a;letter-spacing:0.2px;">${escapeHtml(brand.brandName)}</div>`;
+  const logoBlock = brand.brandLogoUrl ? `<img src="${escapeHtml(brand.brandLogoUrl)}" alt="${escapeHtml(brand.brandName)}" width="138" style="display:block;border:0;outline:none;text-decoration:none;height:auto;" />` : `<div style="display:inline-block;font-size:24px;font-weight:800;line-height:1.1;color:#ffffff;letter-spacing:0.3px;">${escapeHtml(brand.brandName)}</div>`;
-  const greetingBlock = safeGreeting ? `<p style="margin:0 0 10px;color:#0f172a;font-size:16px;font-weight:700;line-height:1.5;">${escapeHtml(safeGreeting)}</p>` : '';
-  const introBlock = safeIntro ? `<p style="margin:0 0 14px;color:#334155;font-size:15px;line-height:1.65;">${escapeHtml(safeIntro)}</p>` : '';
+  const headingBlock = safeHeading ? `<h1 style="margin:0;color:#0f172a;font-size:27px;line-height:1.2;font-weight:800;letter-spacing:0.1px;">${escapeHtml(safeHeading)}</h1>` : '';
+  const greetingBlock = safeGreeting ? `<p style="margin:0 0 10px;color:#0f172a;font-size:16px;font-weight:700;line-height:1.6;">${escapeHtml(safeGreeting)}</p>` : '';
+  const introBlock = safeIntro ? `<p style="margin:0 0 14px;color:#334155;font-size:15px;line-height:1.7;">${escapeHtml(safeIntro)}</p>` : '';
   const bodyBlock = renderParagraphsHtml(body);
   const ctaBlock =
     safeCtaUrl && safeCtaLabel
       ? `
-        <table role="presentation" cellpadding="0" cellspacing="0" border="0" style="margin:10px 0 10px;">
-          <tr>
-            <td align="center" bgcolor="#1d4ed8" style="border-radius:10px;">
-              <a href="${escapeHtml(safeCtaUrl)}" style="display:inline-block;padding:12px 20px;font-size:15px;line-height:1.2;font-weight:700;color:#ffffff;text-decoration:none;">${escapeHtml(safeCtaLabel)}</a>
-            </td>
-          </tr>
-        </table>
-      `.trim()
+      <table role="presentation" cellpadding="0" cellspacing="0" border="0" style="margin:14px 0 8px;">
+        <tr>
+          <td align="center" bgcolor="#1d4ed8" style="border-radius:10px;">
+            <a href="${escapeHtml(safeCtaUrl)}" style="display:inline-block;padding:13px 22px;font-size:15px;line-height:1.2;font-weight:700;color:#ffffff;text-decoration:none;letter-spacing:0.2px;">${escapeHtml(safeCtaLabel)}</a>
+          </td>
+        </tr>
+      </table>
+    `.trim()
       : '';
-  const ctaHintBlock = safeCtaHint ? `<p style="margin:4px 0 0;color:#64748b;font-size:13px;line-height:1.55;">${escapeHtml(safeCtaHint)}</p>` : '';
-  const secondaryCtaBlock = safeSecondaryCtaLabel && safeSecondaryCtaUrl ? `<p style="margin:10px 0 0;color:#1e293b;font-size:14px;line-height:1.6;">${escapeHtml(safeSecondaryCtaLabel)}: <a href="${escapeHtml(safeSecondaryCtaUrl)}" style="color:#2563eb;text-decoration:none;">${escapeHtml(safeSecondaryCtaUrl)}</a></p>` : '';
-  const fallbackLinkBlock = safeCtaUrl ? `<p style="margin:12px 0 0;color:#64748b;font-size:12px;line-height:1.6;word-break:break-all;">Se o botão não funcionar, copie e cole este link no navegador: ${escapeHtml(safeCtaUrl)}</p>` : '';
-  const securityNoteBlock = safeSecurityNote ? `<p style="margin:16px 0 0;padding:10px 12px;background:#f8fafc;border:1px solid #e2e8f0;border-radius:8px;color:#475569;font-size:12px;line-height:1.6;">${escapeHtml(safeSecurityNote)}</p>` : '';
+  const ctaHintBlock = safeCtaHint ? `<p style="margin:6px 0 0;color:#64748b;font-size:13px;line-height:1.6;">${escapeHtml(safeCtaHint)}</p>` : '';
+  const secondaryCtaBlock =
+    safeSecondaryCtaLabel && safeSecondaryCtaUrl
+      ? `
+      <p style="margin:12px 0 0;color:#334155;font-size:13px;line-height:1.65;">
+        ${escapeHtml(safeSecondaryCtaLabel)}:
+        <a href="${escapeHtml(safeSecondaryCtaUrl)}" style="color:#1d4ed8;text-decoration:none;font-weight:600;">${escapeHtml(safeSecondaryCtaUrl)}</a>
+      </p>
+    `.trim()
+      : '';
+  const fallbackLinkBlock = safeCtaUrl ? `<p style="margin:14px 0 0;color:#64748b;font-size:12px;line-height:1.7;word-break:break-all;">Se o botão não funcionar, copie e cole este link no navegador: ${escapeHtml(safeCtaUrl)}</p>` : '';
+  const securityNoteBlock = safeSecurityNote ? `<p style="margin:16px 0 0;padding:12px 13px;background:#f8fafc;border:1px solid #e2e8f0;border-radius:10px;color:#475569;font-size:12px;line-height:1.65;">${escapeHtml(safeSecurityNote)}</p>` : '';
+  const brandTaglineBlock = brand.brandTagline ? `<p style="margin:8px 0 0;color:#cbd5e1;font-size:13px;line-height:1.6;">${escapeHtml(brand.brandTagline)}</p>` : '';
   const supportEmailLine = brand.supportEmail ? `<span style="display:block;margin-top:6px;">E-mail: <a href="mailto:${escapeHtml(brand.supportEmail)}" style="color:#2563eb;text-decoration:none;">${escapeHtml(brand.supportEmail)}</a></span>` : '';
-  const footerMessageBlock = safeFooterMessage ? `<span style="display:block;margin-top:6px;color:#64748b;">${escapeHtml(safeFooterMessage)}</span>` : '';
-  const taglineBlock = brand.brandTagline ? `<p style="margin:8px 0 0;color:#64748b;font-size:13px;line-height:1.6;">${escapeHtml(brand.brandTagline)}</p>` : '';
+  const footerMessageBlock = safeFooterMessage ? `<span style="display:block;margin-top:7px;color:#64748b;">${escapeHtml(safeFooterMessage)}</span>` : '';
   return `
 <!doctype html>
 <html lang="pt-BR">
-  <body style="margin:0;padding:0;background:#f1f5f9;font-family:'Segoe UI',Roboto,Helvetica,Arial,sans-serif;">
+  <body style="margin:0;padding:0;background:#eef2f8;font-family:'Segoe UI',Roboto,Helvetica,Arial,sans-serif;">
     <div style="display:none;max-height:0;overflow:hidden;opacity:0;color:transparent;">${escapeHtml(safePreheader)}</div>
-    <table role="presentation" cellpadding="0" cellspacing="0" border="0" width="100%" style="background:#f1f5f9;padding:28px 10px;">
+    <table role="presentation" cellpadding="0" cellspacing="0" border="0" width="100%" style="background:#eef2f8;padding:26px 10px;">
       <tr>
         <td align="center">
           <table role="presentation" cellpadding="0" cellspacing="0" border="0" width="100%" style="max-width:640px;">
             <tr>
-              <td align="center" style="padding:0 0 16px;">
-                ${logoBlock}
-                ${taglineBlock}
+              <td style="background:#0f172a;border-radius:16px 16px 0 0;padding:22px 24px 20px;">
+                <table role="presentation" cellpadding="0" cellspacing="0" border="0" width="100%">
+                  <tr>
+                    <td align="left" valign="middle" style="padding-right:12px;">
+                      ${logoBlock}
+                      ${brandTaglineBlock}
+                    </td>
+                    <td align="right" valign="middle" style="white-space:nowrap;">
+                      <span style="display:inline-block;padding:6px 10px;border:1px solid rgba(148,163,184,0.45);border-radius:999px;font-size:11px;font-weight:700;letter-spacing:0.35px;text-transform:uppercase;color:#e2e8f0;">Comunicado oficial</span>
+                    </td>
+                  </tr>
+                </table>
+              </td>
+            </tr>
+            <tr>
+              <td style="background:#ffffff;border-left:1px solid #d9e2ef;border-right:1px solid #d9e2ef;padding:26px 24px 10px;">
+                ${headingBlock}
               </td>
             </tr>
             <tr>
-              <td style="background:#ffffff;border:1px solid #dbe3ef;border-radius:14px;padding:26px 24px;box-shadow:0 4px 24px rgba(15,23,42,0.06);">
-                <h1 style="margin:0 0 14px;color:#0f172a;font-size:25px;line-height:1.25;">${escapeHtml(safeHeading)}</h1>
+              <td style="background:#ffffff;border-left:1px solid #d9e2ef;border-right:1px solid #d9e2ef;padding:0 24px 22px;">
                 ${greetingBlock}
                 ${introBlock}
                 ${bodyBlock}
@@ -185,11 +244,12 @@ const renderEmailLayout = ({ payload = {}, preheader = '', heading = '', greetin
               </td>
             </tr>
             <tr>
-              <td style="padding:14px 2px 0;color:#64748b;font-size:12px;line-height:1.7;text-align:left;">
+              <td style="background:#ffffff;border:1px solid #d9e2ef;border-top:none;border-radius:0 0 16px 16px;padding:14px 24px 18px;color:#64748b;font-size:12px;line-height:1.7;">
                 <span style="display:block;">${escapeHtml(brand.brandName)} © ${year}. Todos os direitos reservados.</span>
                 <span style="display:block;margin-top:6px;">Central de suporte: <a href="${escapeHtml(brand.supportUrl)}" style="color:#2563eb;text-decoration:none;">${escapeHtml(brand.supportLabel)}</a></span>
                 ${supportEmailLine}
                 ${footerMessageBlock}
+                <span style="display:block;margin-top:7px;color:#94a3b8;font-size:11px;">Gerado em ${escapeHtml(generatedAt)} UTC.</span>
               </td>
             </tr>
           </table>
@@ -216,7 +276,7 @@ const resolveNavigationLinks = (payload = {}) => {
 };
 const resolveWelcomeBotWhatsApp = (payload = {}) => {
-  const botPhoneCandidate = normalizePhoneDigits(payload?.botPhone || payload?.botNumber || process.env.EMAIL_WELCOME_BOT_PHONE || process.env.WHATSAPP_BOT_NUMBER || process.env.BOT_NUMBER || process.env.BOT_PHONE_NUMBER || process.env.PHONE_NUMBER || process.env.EMAIL_BRAND_SUPPORT_PHONE || '', 20);
+  const botPhoneCandidate = normalizePhoneDigits(payload?.botPhone || payload?.botNumber || process.env.EMAIL_WELCOME_BOT_PHONE || resolveBotPhoneFromEnv({ fallback: resolveSupportPhoneFromEnv({ fallback: '' }) }) || '', 20);
   const botPhoneDigits = isLikelyPhoneDigits(botPhoneCandidate) ? botPhoneCandidate : '';
   const botPhonePn = formatPhonePn(botPhoneDigits);
   const botWhatsAppUrl = botPhoneDigits ? `https://wa.me/${botPhoneDigits}` : '';
@@ -456,19 +516,66 @@ const TEMPLATE_BUILDERS = {
 };
 export const renderEmailTemplate = (templateKey, payload = {}) => {
+  const renderStartedAtMs = __timeNowMs();
   const normalizedTemplateKey = normalizeTemplateKey(templateKey);
-  if (!normalizedTemplateKey) return null;
+  const payloadKeys = summarizePayloadKeys(payload);
+  if (!normalizedTemplateKey) {
+    logger.warn('Render de template de e-mail ignorado por chave inválida.', {
+      action: 'email_template_render_invalid_key',
+      template_key_raw: clipTemplatePreview(templateKey, 64),
+      payload_keys: payloadKeys,
+    });
+    return null;
+  }
   const builder = TEMPLATE_BUILDERS[normalizedTemplateKey];
-  if (typeof builder !== 'function') return null;
+  if (typeof builder !== 'function') {
+    logger.warn('Template de e-mail não encontrado.', {
+      action: 'email_template_builder_not_found',
+      template_key: normalizedTemplateKey,
+      payload_keys: payloadKeys,
+    });
+    return null;
+  }
   const rendered = builder(payload || {});
-  if (!rendered) return null;
+  if (!rendered) {
+    logger.warn('Template de e-mail retornou conteúdo vazio.', {
+      action: 'email_template_builder_empty',
+      template_key: normalizedTemplateKey,
+      payload_keys: payloadKeys,
+    });
+    return null;
+  }
   const subject = normalizeText(rendered.subject, 180);
   const text = normalizeText(rendered.text, 120_000);
   const html = normalizeText(rendered.html, 500_000);
-  if (!subject || (!text && !html)) return null;
+  if (!subject || (!text && !html)) {
+    logger.warn('Template de e-mail inválido após normalização.', {
+      action: 'email_template_render_invalid_output',
+      template_key: normalizedTemplateKey,
+      subject_length: subject.length,
+      text_length: text.length,
+      html_length: html.length,
+      payload_keys: payloadKeys,
+    });
+    return null;
+  }
+  logger.debug('Template de e-mail renderizado com sucesso.', {
+    action: 'email_template_rendered',
+    template_key: normalizedTemplateKey,
+    subject_preview: clipTemplatePreview(subject),
+    subject_length: subject.length,
+    text_length: text.length,
+    html_length: html.length,
+    has_text: Boolean(text),
+    has_html: Boolean(html),
+    payload_keys: payloadKeys,
+    render_duration_ms: Math.max(0, __timeNowMs() - renderStartedAtMs),
+  });
   return {
     subject,

package/server/http/httpRequestUtils.js CHANGED Viewed

@@ -225,7 +225,7 @@ export const buildCookieString = (name, value, req, options = {}) => {
   return parts.join('; ');
 };
-export const readJsonBody = async (req, { maxBytes = 64 * 1024 } = {}) =>
+export const readRawBody = async (req, { maxBytes = 64 * 1024 } = {}) =>
   new Promise((resolve, reject) => {
     const chunks = [];
     let total = 0;
@@ -243,20 +243,24 @@ export const readJsonBody = async (req, { maxBytes = 64 * 1024 } = {}) =>
     });
     req.on('end', () => {
-      const raw = Buffer.concat(chunks).toString('utf8').trim();
-      if (!raw) {
-        resolve({});
-        return;
-      }
-      try {
-        resolve(JSON.parse(raw));
-      } catch {
-        const error = new Error('JSON invalido.');
-        error.statusCode = 400;
-        reject(error);
-      }
+      resolve(Buffer.concat(chunks));
     });
     req.on('error', (error) => reject(error));
   });
+export const readJsonBody = async (req, { maxBytes = 64 * 1024 } = {}) => {
+  const rawBuffer = await readRawBody(req, { maxBytes });
+  const raw = rawBuffer.toString('utf8').trim();
+  if (!raw) {
+    return {};
+  }
+  try {
+    return JSON.parse(raw);
+  } catch {
+    const error = new Error('JSON invalido.');
+    error.statusCode = 400;
+    throw error;
+  }
+};

package/server/http/httpServer.js CHANGED Viewed

@@ -6,6 +6,7 @@ import { getMetricsServerConfig, isMetricsEnabled, recordHttpRequest, resolveRou
 import { applyCachePolicy } from '../middleware/cachePolicy.js';
 import { applySensitiveRouteRateLimit } from '../middleware/endpointRateLimit.js';
 import { applySecurityHeaders } from '../middleware/securityHeaders.js';
+import { shouldHandleGrafanaProxyPath } from '../routes/observability/grafanaProxyRouter.js';
 import { getIndexRouteConfigs, routeRequest } from '../routes/indexRouter.js';
 import { parseRequestUrl, normalizeRequestId } from './requestContext.js';
@@ -65,6 +66,7 @@ export const startHttpServer = () => {
       userConfig: routeConfigs?.userConfig || null,
       systemAdminConfig: routeConfigs?.systemAdminConfig || null,
     });
+    const isGrafanaProxyRequest = shouldHandleGrafanaProxyPath(pathname, routeConfigs?.grafanaProxyConfig || null);
     res.once('finish', () => {
       recordHttpRequest({
@@ -76,10 +78,12 @@ export const startHttpServer = () => {
     });
     try {
-      applySecurityHeaders(req, res);
-      applyCachePolicy(req, res, { pathname });
-      const allowedByRateLimit = await applySensitiveRouteRateLimit(req, res, { pathname });
-      if (!allowedByRateLimit) return;
+      if (!isGrafanaProxyRequest) {
+        applySecurityHeaders(req, res);
+        applyCachePolicy(req, res, { pathname });
+        const allowedByRateLimit = await applySensitiveRouteRateLimit(req, res, { pathname });
+        if (!allowedByRateLimit) return;
+      }
       await routeRequest(req, res, {
         pathname,

package/server/middleware/securityHeaders.js CHANGED Viewed

@@ -10,23 +10,44 @@ const parseEnvBool = (value, fallback = false) => {
   return fallback;
 };
+const parseEnvList = (value) =>
+  String(value || '')
+    .split(',')
+    .map((item) => String(item || '').trim())
+    .filter(Boolean);
+const toHttpOrigin = (value) => {
+  const raw = String(value || '').trim();
+  if (!raw) return '';
+  try {
+    const parsed = new URL(raw);
+    if (!['http:', 'https:'].includes(parsed.protocol)) return '';
+    return parsed.origin;
+  } catch {
+    return '';
+  }
+};
 const HELMET_CSP_ENFORCE = parseEnvBool(process.env.HELMET_CONTENT_SECURITY_POLICY_ENABLED, true);
 const BACKEND_BUILD_ID = String(process.env.OMNIZAP_BUILD_ID || '')
   .trim()
   .slice(0, 80);
+const FRAME_SRC_EXTRA = Array.from(new Set([...parseEnvList(process.env.HELMET_CSP_FRAME_SRC_EXTRA), process.env.SYSTEM_ADMIN_GRAFANA_URL, process.env.GRAFANA_PUBLIC_URL].map((item) => toHttpOrigin(item)).filter(Boolean)));
 const HELMET_CSP_DIRECTIVES = {
   defaultSrc: ["'self'"],
   baseUri: ["'self'"],
   objectSrc: ["'none'"],
   frameAncestors: ["'self'"],
-  formAction: ["'self'"],
+  // Google Identity Services usa submit interno para accounts.google.com/gsi/transform.
+  // Sem essa origem no form-action o login pode travar na etapa de transform.
+  formAction: ["'self'", 'https://accounts.google.com'],
   scriptSrc: ["'self'", "'unsafe-inline'", 'https://accounts.google.com', 'https://cdn.tailwindcss.com'],
   styleSrc: ["'self'", "'unsafe-inline'", 'https://fonts.googleapis.com', 'https://cdnjs.cloudflare.com'],
   imgSrc: ["'self'", 'data:', 'blob:', 'https:'],
   fontSrc: ["'self'", 'data:', 'https://fonts.gstatic.com', 'https://cdnjs.cloudflare.com'],
   connectSrc: ["'self'", 'https://accounts.google.com', 'https://oauth2.googleapis.com', 'https://api.github.com'],
-  frameSrc: ["'self'", 'https://accounts.google.com'],
+  frameSrc: ["'self'", 'https://accounts.google.com', ...FRAME_SRC_EXTRA],
   workerSrc: ["'self'", 'blob:'],
   manifestSrc: ["'self'"],
 };
@@ -52,6 +73,11 @@ const helmetMiddleware = helmet({
     directives: HELMET_CSP_DIRECTIVES,
     reportOnly: !HELMET_CSP_ENFORCE,
   },
+  // Fluxos OAuth/FedCM em popup (Google GIS) podem quebrar com COOP strict.
+  // Permitimos opener em popups mantendo isolamento para navegação principal.
+  crossOriginOpenerPolicy: {
+    policy: 'same-origin-allow-popups',
+  },
   crossOriginEmbedderPolicy: false,
   // Mantemos permissões explícitas para browser APIs sensíveis.
   permissionsPolicy: {
@@ -59,6 +85,7 @@ const helmetMiddleware = helmet({
       geolocation: [],
       microphone: [],
       camera: [],
+      'identity-credentials-get': ['self'],
     },
   },
 });
@@ -67,7 +94,12 @@ const applyFallbackHeaders = (res) => {
   if (!res.getHeader('X-Content-Type-Options')) res.setHeader('X-Content-Type-Options', 'nosniff');
   if (!res.getHeader('X-Frame-Options')) res.setHeader('X-Frame-Options', 'DENY');
   if (!res.getHeader('Referrer-Policy')) res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
-  if (!res.getHeader('Permissions-Policy')) res.setHeader('Permissions-Policy', 'geolocation=(), microphone=(), camera=()');
+  if (!res.getHeader('Permissions-Policy')) {
+    res.setHeader(
+      'Permissions-Policy',
+      'geolocation=(), microphone=(), camera=(), identity-credentials-get=(self)',
+    );
+  }
   if (FALLBACK_CSP_HEADER && !res.getHeader('Content-Security-Policy') && !res.getHeader('Content-Security-Policy-Report-Only')) {
     const cspHeaderName = HELMET_CSP_ENFORCE ? 'Content-Security-Policy' : 'Content-Security-Policy-Report-Only';
     res.setHeader(cspHeaderName, FALLBACK_CSP_HEADER);

package/server/routes/admin/systemAdminRouter.js CHANGED Viewed

@@ -24,8 +24,10 @@ const DEFAULT_USER_SYSTEM_ADMIN_WEB_PATH = '/user/systemadm';
 const DEFAULT_LEGACY_STICKER_ADMIN_WEB_PATH = '/stickers/admin';
 const DEFAULT_SYSTEM_ADMIN_API_BASE_PATH = '/api/admin';
 const DEFAULT_SYSTEM_ADMIN_API_SESSION_PATH = '/api/admin/session';
+const DEFAULT_SYSTEM_ADMIN_API_MULTI_SESSION_PATH = '/api/admin/multi-session';
 const DEFAULT_LEGACY_STICKER_ADMIN_API_BASE_PATH = '/api/sticker-packs/admin';
 const DEFAULT_LEGACY_STICKER_ADMIN_API_SESSION_PATH = '/api/sticker-packs/admin/session';
+const DEFAULT_LEGACY_STICKER_ADMIN_API_MULTI_SESSION_PATH = '/api/sticker-packs/admin/multi-session';
 export const getSystemAdminRouterConfig = async () => {
   const controller = await loadSystemAdminController();
@@ -35,8 +37,10 @@ export const getSystemAdminRouterConfig = async () => {
     legacyWebPath: normalizeBasePath(legacyConfig.legacyWebPath, DEFAULT_LEGACY_STICKER_ADMIN_WEB_PATH),
     apiAdminBasePath: normalizeBasePath(legacyConfig.apiAdminBasePath, DEFAULT_SYSTEM_ADMIN_API_BASE_PATH),
     apiAdminSessionPath: normalizeBasePath(legacyConfig.apiAdminSessionPath, DEFAULT_SYSTEM_ADMIN_API_SESSION_PATH),
+    apiAdminMultiSessionPath: normalizeBasePath(legacyConfig.apiAdminMultiSessionPath, DEFAULT_SYSTEM_ADMIN_API_MULTI_SESSION_PATH),
     legacyApiAdminBasePath: normalizeBasePath(legacyConfig.legacyApiAdminBasePath, DEFAULT_LEGACY_STICKER_ADMIN_API_BASE_PATH),
     legacyApiAdminSessionPath: normalizeBasePath(legacyConfig.legacyApiAdminSessionPath, DEFAULT_LEGACY_STICKER_ADMIN_API_SESSION_PATH),
+    legacyApiAdminMultiSessionPath: normalizeBasePath(legacyConfig.legacyApiAdminMultiSessionPath, DEFAULT_LEGACY_STICKER_ADMIN_API_MULTI_SESSION_PATH),
   };
 };
@@ -46,8 +50,10 @@ export const shouldHandleSystemAdminPath = (pathname, systemAdminConfig = null)
     legacyWebPath: DEFAULT_LEGACY_STICKER_ADMIN_WEB_PATH,
     apiAdminBasePath: DEFAULT_SYSTEM_ADMIN_API_BASE_PATH,
     apiAdminSessionPath: DEFAULT_SYSTEM_ADMIN_API_SESSION_PATH,
+    apiAdminMultiSessionPath: DEFAULT_SYSTEM_ADMIN_API_MULTI_SESSION_PATH,
     legacyApiAdminBasePath: DEFAULT_LEGACY_STICKER_ADMIN_API_BASE_PATH,
     legacyApiAdminSessionPath: DEFAULT_LEGACY_STICKER_ADMIN_API_SESSION_PATH,
+    legacyApiAdminMultiSessionPath: DEFAULT_LEGACY_STICKER_ADMIN_API_MULTI_SESSION_PATH,
   };
   if (startsWithPath(pathname, resolvedConfig.webPath)) return true;

package/server/routes/indexRouter.js CHANGED Viewed

@@ -3,12 +3,14 @@ import path from 'node:path';
 import { maybeHandleMetricsRequest } from './metrics/metricsRouter.js';
 import { maybeHandleHealthRequest, shouldHandleHealthPath } from './health/healthRouter.js';
 import { getEmailAutomationRouterConfig, maybeHandleEmailAutomationRequest, shouldHandleEmailAutomationPath } from './email/emailAutomationRouter.js';
+import { getPaymentsRouterConfig, maybeHandlePaymentsRequest, shouldHandlePaymentsPath } from './payments/paymentsRouter.js';
 import { buildUserApiPaths, getUserRouterConfig, maybeHandleUserRequest, shouldHandleUserPath } from './user/userRouter.js';
 import { getSystemAdminRouterConfig, maybeHandleSystemAdminRequest, shouldHandleSystemAdminPath } from './admin/systemAdminRouter.js';
 import { getStickerSiteRouterConfig, maybeHandleStickerSiteRequest, shouldHandleStickerSitePath } from './sticker/stickerSiteRouter.js';
 import { getStickerDataRouterConfig, maybeHandleStickerDataRequest, shouldHandleStickerDataPath } from './sticker/stickerDataRouter.js';
 import { getStickerApiRouterConfig, maybeHandleStickerApiRequest, shouldHandleStickerApiPath } from './sticker/stickerApiRouter.js';
 import { maybeHandleStaticPageRequest, shouldHandleStaticPagePath } from './static/staticPageRouter.js';
+import { getGrafanaProxyRouterConfig, maybeHandleGrafanaProxyRequest, shouldHandleGrafanaProxyPath } from './observability/grafanaProxyRouter.js';
 const startsWithPath = (pathname, prefix) => {
   if (!pathname || !prefix) return false;
@@ -75,6 +77,16 @@ const loadEmailAutomationConfigSafe = async () => {
   }
 };
+const loadPaymentsConfigSafe = async () => {
+  try {
+    return await getPaymentsRouterConfig();
+  } catch {
+    return {
+      apiBasePath: '/api/payments',
+    };
+  }
+};
 const loadStickerSiteConfigSafe = async () => {
   try {
     return await getStickerSiteRouterConfig();
@@ -112,12 +124,28 @@ const loadStickerApiConfigSafe = async () => {
   }
 };
+const loadGrafanaProxyConfigSafe = async () => {
+  try {
+    return getGrafanaProxyRouterConfig();
+  } catch {
+    return {
+      enabled: false,
+      basePath: '/api/grafana',
+      legacyBasePath: '/grafana',
+      timeoutMs: 15000,
+      target: null,
+    };
+  }
+};
 export const getIndexRouteConfigs = async () => {
   if (!indexRouteConfigsPromise) {
-    indexRouteConfigsPromise = Promise.all([loadUserConfigSafe(), loadSystemAdminConfigSafe(), loadEmailAutomationConfigSafe(), loadStickerSiteConfigSafe(), loadStickerDataConfigSafe(), loadStickerApiConfigSafe()]).then(([userConfig, systemAdminConfig, emailAutomationConfig, stickerSiteConfig, stickerDataConfig, stickerApiConfig]) => ({
+    indexRouteConfigsPromise = Promise.all([loadUserConfigSafe(), loadSystemAdminConfigSafe(), loadEmailAutomationConfigSafe(), loadPaymentsConfigSafe(), loadStickerSiteConfigSafe(), loadStickerDataConfigSafe(), loadStickerApiConfigSafe(), loadGrafanaProxyConfigSafe()]).then(([userConfig, systemAdminConfig, emailAutomationConfig, paymentsConfig, stickerSiteConfig, stickerDataConfig, stickerApiConfig, grafanaProxyConfig]) => ({
       userConfig,
       systemAdminConfig,
       emailAutomationConfig,
+      paymentsConfig,
+      grafanaProxyConfig,
       stickerConfig: {
         ...stickerSiteConfig,
         ...stickerDataConfig,
@@ -140,6 +168,8 @@ export const routeRequest = async (req, res, { pathname, url, metricsPath = '/me
   const userConfig = resolvedConfigs?.userConfig || null;
   const systemAdminConfig = resolvedConfigs?.systemAdminConfig || null;
   const emailAutomationConfig = resolvedConfigs?.emailAutomationConfig || null;
+  const paymentsConfig = resolvedConfigs?.paymentsConfig || null;
+  const grafanaProxyConfig = resolvedConfigs?.grafanaProxyConfig || null;
   const stickerConfig = resolvedConfigs?.stickerConfig || null;
   // 1) Metrics
@@ -163,7 +193,21 @@ export const routeRequest = async (req, res, { pathname, url, metricsPath = '/me
     return sendNotFound(req, res);
   }
-  // 4) User
+  // 4) Payments API
+  if (shouldHandlePaymentsPath(pathname, paymentsConfig)) {
+    const handled = await maybeHandlePaymentsRequest(req, res, { pathname, url });
+    if (handled) return true;
+    return sendNotFound(req, res);
+  }
+  // 5) Grafana proxy (/api/grafana e alias /grafana)
+  if (shouldHandleGrafanaProxyPath(pathname, grafanaProxyConfig)) {
+    const handled = await maybeHandleGrafanaProxyRequest(req, res, { pathname, url, config: grafanaProxyConfig });
+    if (handled) return true;
+    return sendNotFound(req, res);
+  }
+  // 6) User
   const systemAdminCandidate = shouldHandleSystemAdminStep(pathname, systemAdminConfig);
   if (shouldHandleUserStep(pathname, userConfig)) {
     const handled = await maybeHandleUserRequest(req, res, { pathname, url });
@@ -173,14 +217,14 @@ export const routeRequest = async (req, res, { pathname, url, metricsPath = '/me
     if (!systemAdminCandidate) return sendNotFound(req, res);
   }
-  // 5) System admin + legacy /stickers/admin
+  // 7) System admin + legacy /stickers/admin
   if (systemAdminCandidate) {
     const handled = await maybeHandleSystemAdminRequest(req, res, { pathname, url });
     if (handled) return true;
     return sendNotFound(req, res);
   }
-  // 6) Sticker catalog apenas nos prefixes permitidos
+  // 8) Sticker catalog apenas nos prefixes permitidos
   if (shouldHandleStickerSitePath(pathname, stickerConfig)) {
     const handled = await maybeHandleStickerSiteRequest(req, res, { pathname, url });
     if (handled) return true;
@@ -212,14 +256,14 @@ export const routeRequest = async (req, res, { pathname, url, metricsPath = '/me
     return sendNotFound(req, res);
   }
-  // 7) Paginas estaticas (templates em public/pages)
+  // 9) Paginas estaticas (templates em public/pages)
   if (shouldHandleStaticPagePath(pathname)) {
     const handled = await maybeHandleStaticPageRequest(req, res, { pathname });
     if (handled) return true;
     return sendNotFound(req, res);
   }
-  // 8) 404 global
+  // 10) 404 global
   return sendNotFound(req, res);
 };