@omnizap-system/omnizap 2.6.2 → 2.6.3

package/server/controllers/system/systemController.js

@@ -190,9 +190,7 @@ export const listSystemAdminSessions = async ({ status = null, limit = 200 } = {
     if (row?.sessionId) knownSessionIds.add(row.sessionId);
   }
 
-  const selectedSessionIds = Array.from(knownSessionIds)
-    .filter(Boolean)
-    .slice(0, safeLimit);
+  const selectedSessionIds = Array.from(knownSessionIds).filter(Boolean).slice(0, safeLimit);
   const registryBySession = new Map((registryRows || []).map((row) => [row.sessionId, row]));
 
   const sessions = selectedSessionIds.map((sessionId) => {
@@ -226,14 +224,7 @@ export const listSystemAdminSessions = async ({ status = null, limit = 200 } = {
   };
 };
 
-export const listSystemAdminAssignments = async (
-  {
-    groupJid = null,
-    ownerSessionId = null,
-    includeExpired = false,
-    limit = 200,
-  } = {},
-) => {
+export const listSystemAdminAssignments = async ({ groupJid = null, ownerSessionId = null, includeExpired = false, limit = 200 } = {}) => {
   const safeGroupJid = normalizeOptional(groupJid, 255);
   const safeOwnerSessionId = normalizeOptional(ownerSessionId, 64);
   const safeIncludeExpired = normalizeBoolean(includeExpired, false);
@@ -269,16 +260,7 @@ export const listSystemAdminAssignments = async (
   };
 };
 
-export const setSystemAdminGroupPin = async (
-  {
-    groupJid,
-    pinned,
-    sessionId = null,
-    reason = null,
-    changedBy = 'admin_api',
-    metadata = null,
-  } = {},
-) => {
+export const setSystemAdminGroupPin = async ({ groupJid, pinned, sessionId = null, reason = null, changedBy = 'admin_api', metadata = null } = {}) => {
   const outcome = await groupOwnershipService.setPinned({
     groupJid,
     pinned,
@@ -307,15 +289,7 @@ export const setSystemAdminGroupPin = async (
   };
 };
 
-export const forceSystemAdminGroupFailover = async (
-  {
-    groupJid,
-    targetSessionId,
-    reason = 'admin_force_failover',
-    changedBy = 'admin_api',
-    metadata = null,
-  } = {},
-) => {
+export const forceSystemAdminGroupFailover = async ({ groupJid, targetSessionId, reason = 'admin_force_failover', changedBy = 'admin_api', metadata = null } = {}) => {
   const outcome = await groupOwnershipService.forceAssign({
     groupJid,
     sessionId: targetSessionId,

package/server/email/emailAutomationRuntime.js

@@ -38,6 +38,19 @@ let inFlight = false;
 let timerHandle = null;
 let nextDelayMs = EMAIL_AUTOMATION_POLL_INTERVAL_MS;
 
+const maskEmailForLogs = (value) => {
+  const normalized = String(value || '')
+    .trim()
+    .toLowerCase()
+    .slice(0, 255);
+  const [localPartRaw, domainRaw] = normalized.split('@');
+  const localPart = String(localPartRaw || '').trim();
+  const domain = String(domainRaw || '').trim();
+  if (!localPart || !domain) return 'invalid-email';
+  const localMasked = localPart.length <= 2 ? `${localPart.charAt(0) || '*'}*` : `${localPart.slice(0, 2)}***`;
+  return `${localMasked}@${domain}`;
+};
+
 const applyDelayJitter = (delayMs) => {
   const baseDelay = Math.max(250, Math.floor(Number(delayMs) || 0));
   if (EMAIL_AUTOMATION_IDLE_JITTER_PERCENT <= 0) return baseDelay;
@@ -119,6 +132,16 @@ export const runEmailAutomationTick = async ({ maxPerTick = EMAIL_AUTOMATION_MAX
       });
 
       stats.sent += 1;
+      logger.debug('E-mail da fila entregue com sucesso.', {
+        action: 'email_automation_delivery_succeeded',
+        task_id: task.id,
+        template_key: task.template_key || null,
+        recipient_email_masked: maskEmailForLogs(task.recipient_email),
+        attempts: task.attempts,
+        max_attempts: task.max_attempts,
+        provider_message_id: delivery?.messageId || null,
+        provider_response: delivery?.response || null,
+      });
     } catch (error) {
       stats.failed += 1;
       await failEmailOutboxTask(task.id, {
@@ -129,8 +152,12 @@ export const runEmailAutomationTick = async ({ maxPerTick = EMAIL_AUTOMATION_MAX
       logger.warn('Falha ao entregar e-mail da fila.', {
         action: 'email_automation_delivery_failed',
         task_id: task.id,
-        recipient_email: task.recipient_email,
+        template_key: task.template_key || null,
+        recipient_email_masked: maskEmailForLogs(task.recipient_email),
         attempts: task.attempts,
+        max_attempts: task.max_attempts,
+        retry_delay_seconds: safeRetryDelay,
+        metadata_keys: Object.keys(task?.metadata || {}).slice(0, 20),
         error: error?.message,
       });
     }
@@ -138,6 +165,14 @@ export const runEmailAutomationTick = async ({ maxPerTick = EMAIL_AUTOMATION_MAX
 
   if (stats.claimed > 0) {
     await refreshQueueDepthMetrics().catch(() => null);
+    logger.info('Processamento da fila de e-mail concluído.', {
+      action: 'email_automation_tick_processed',
+      claimed: stats.claimed,
+      sent: stats.sent,
+      failed: stats.failed,
+      max_per_tick: safeMaxPerTick,
+      retry_delay_seconds: safeRetryDelay,
+    });
   }
 
   return stats;

package/server/email/emailAutomationService.js

@@ -1,3 +1,4 @@
+import logger from '#logger';
 import { enqueueEmailOutbox, getEmailOutboxStatusSnapshot } from './emailOutboxRepository.js';
 import { renderEmailTemplate } from './emailTemplateService.js';
 import { getEmailTransportMetadata } from './emailTransportService.js';
@@ -8,6 +9,22 @@ const normalizeEmail = (value) =>
     .toLowerCase()
     .slice(0, 255);
 
+const maskEmailForLogs = (value) => {
+  const normalized = normalizeEmail(value);
+  const [localPartRaw, domainRaw] = normalized.split('@');
+  const localPart = String(localPartRaw || '').trim();
+  const domain = String(domainRaw || '').trim();
+  if (!localPart || !domain) return 'invalid-email';
+  const localMasked = localPart.length <= 2 ? `${localPart.charAt(0) || '*'}*` : `${localPart.slice(0, 2)}***`;
+  return `${localMasked}@${domain}`;
+};
+
+const resolveEmailDomain = (value) => {
+  const normalized = normalizeEmail(value);
+  if (!normalized.includes('@')) return null;
+  return normalized.split('@')[1] || null;
+};
+
 const normalizeOptionalText = (value, maxLength = 500_000) => {
   const normalized =
     String(value || '')
@@ -31,6 +48,12 @@ const resolveEmailBodyFromPayload = ({ templateKey = '', templateData = {}, subj
 
   const renderedTemplate = normalizedTemplateKey ? renderEmailTemplate(normalizedTemplateKey, normalizedTemplateData) : null;
 
+  if (normalizedTemplateKey && !renderedTemplate && !normalizeOptionalText(subject, 180) && !normalizeOptionalText(text, 120_000) && !normalizeOptionalText(html, 500_000)) {
+    const error = new Error(`Template de e-mail inválido ou indisponível: "${normalizedTemplateKey}".`);
+    error.statusCode = 400;
+    throw error;
+  }
+
   const normalizedSubject = normalizeOptionalText(subject, 180) || renderedTemplate?.subject || '';
   const normalizedText = normalizeOptionalText(text, 120_000) || renderedTemplate?.text || null;
   const normalizedHtml = normalizeOptionalText(html, 500_000) || renderedTemplate?.html || null;
@@ -72,6 +95,8 @@ export const queueAutomatedEmail = async ({ to, name = '', templateKey = '', tem
     html,
   });
 
+  const safeMetadata = normalizePayloadObject(metadata);
+
   const taskId = await enqueueEmailOutbox({
     recipientEmail: normalizedEmail,
     recipientName: normalizeOptionalText(name, 120),
@@ -80,7 +105,7 @@ export const queueAutomatedEmail = async ({ to, name = '', templateKey = '', tem
     htmlBody: body.html_body,
     templateKey: body.template_key,
     templatePayload: body.template_payload,
-    metadata: normalizePayloadObject(metadata),
+    metadata: safeMetadata,
     priority,
     scheduledAt,
     maxAttempts,
@@ -93,6 +118,22 @@ export const queueAutomatedEmail = async ({ to, name = '', templateKey = '', tem
     throw error;
   }
 
+  logger.info('E-mail enfileirado para processamento.', {
+    action: 'email_outbox_enqueued',
+    task_id: taskId,
+    template_key: body.template_key || null,
+    recipient_email_masked: maskEmailForLogs(normalizedEmail),
+    recipient_domain: resolveEmailDomain(normalizedEmail),
+    subject_length: body.subject.length,
+    has_text_body: Boolean(body.text_body),
+    has_html_body: Boolean(body.html_body),
+    metadata_keys: Object.keys(safeMetadata).slice(0, 20),
+    priority: Number.isFinite(Number(priority)) ? Number(priority) : null,
+    scheduled_at: scheduledAt ? String(scheduledAt) : null,
+    max_attempts: Number.isFinite(Number(maxAttempts)) ? Number(maxAttempts) : null,
+    idempotency_key_present: Boolean(String(idempotencyKey || '').trim()),
+  });
+
   return {
     task_id: taskId,
     recipient_email: normalizedEmail,

package/server/email/emailTemplateService.js

@@ -1,7 +1,9 @@
 import { now as __timeNow, nowIso as __timeNowIso, toUnixMs as __timeNowMs } from '#time';
+import logger from '#logger';
 import { resolveAdminPhoneFromEnv, resolveBotPhoneFromEnv, resolveSupportPhoneFromEnv } from '../../utils/whatsapp/contactEnv.js';
 const DEFAULT_SITE_ORIGIN = 'https://omnizap.shop';
 const DEFAULT_BRAND_NAME = 'OmniZap';
+const DEFAULT_BRAND_LOGO_PATH = '/assets/images/brand-logo-128.webp';
 
 const resolveSiteOrigin = () =>
   String(process.env.SITE_ORIGIN || process.env.WHATSAPP_LOGIN_BASE_URL || DEFAULT_SITE_ORIGIN)
@@ -28,6 +30,24 @@ const escapeHtml = (value) =>
     .replace(/"/g, '"')
     .replace(/'/g, ''');
 
+const summarizePayloadKeys = (value, maxItems = 24) => {
+  if (!value || typeof value !== 'object' || Array.isArray(value)) return [];
+  return Object.keys(value)
+    .map((key) =>
+      String(key || '')
+        .trim()
+        .slice(0, 64),
+    )
+    .filter(Boolean)
+    .slice(0, maxItems);
+};
+
+const clipTemplatePreview = (value, maxLength = 140) =>
+  String(value || '')
+    .replace(/\s+/g, ' ')
+    .trim()
+    .slice(0, maxLength);
+
 const normalizeHttpUrl = (value, fallback = '') => {
   const normalized = String(value || '')
     .trim()
@@ -48,6 +68,19 @@ const normalizeEmailAddress = (value) => {
   return candidate.slice(0, 255);
 };
 
+const resolveBrandLogoUrl = ({ siteOrigin = '', payloadLogoUrl = '' } = {}) => {
+  const fallbackLogoUrl = normalizeHttpUrl(`${String(siteOrigin || DEFAULT_SITE_ORIGIN).replace(/\/+$/, '')}${DEFAULT_BRAND_LOGO_PATH}`, `${DEFAULT_SITE_ORIGIN}${DEFAULT_BRAND_LOGO_PATH}`);
+
+  const explicitLogoUrl = normalizeHttpUrl(payloadLogoUrl || process.env.EMAIL_BRAND_LOGO_URL || '', '');
+  if (!explicitLogoUrl) return fallbackLogoUrl;
+
+  const explicitLower = explicitLogoUrl.toLowerCase();
+  const looksLikeFavicon = explicitLower.endsWith('/favicon.ico') || explicitLower.includes('/favicon-');
+  if (looksLikeFavicon) return fallbackLogoUrl;
+
+  return explicitLogoUrl;
+};
+
 const normalizePhoneDigits = (value, maxLength = 20) =>
   String(value || '')
     .replace(/\D+/g, '')
@@ -89,7 +122,10 @@ const resolveBrandConfig = (payload = {}) => {
     siteOrigin,
     brandName: normalizeText(payload?.brandName || process.env.EMAIL_BRAND_NAME || DEFAULT_BRAND_NAME, 80) || DEFAULT_BRAND_NAME,
     brandTagline: normalizeText(payload?.brandTagline || process.env.EMAIL_BRAND_TAGLINE || 'Automação profissional para WhatsApp.', 120) || null,
-    brandLogoUrl: normalizeHttpUrl(payload?.brandLogoUrl || payload?.logoUrl || process.env.EMAIL_BRAND_LOGO_URL || '', ''),
+    brandLogoUrl: resolveBrandLogoUrl({
+      siteOrigin,
+      payloadLogoUrl: payload?.brandLogoUrl || payload?.logoUrl || '',
+    }),
     supportUrl: resolvedSupportUrl,
     supportLabel: resolvedSupportLabel || 'Central de suporte',
     supportEmail: replyToAddress || fromAddress || '',
@@ -128,53 +164,75 @@ const renderEmailLayout = ({ payload = {}, preheader = '', heading = '', greetin
   const safeSecurityNote = normalizeText(securityNote, 220);
   const safeFooterMessage = normalizeText(footerMessage, 220);
   const year = __timeNow().getUTCFullYear();
+  const generatedAt = __timeNowIso();
 
-  const logoBlock = brand.brandLogoUrl ? `<img src="${escapeHtml(brand.brandLogoUrl)}" alt="${escapeHtml(brand.brandName)}" width="132" style="display:block;border:0;outline:none;text-decoration:none;height:auto;margin:0 auto;" />` : `<div style="display:inline-block;font-size:26px;font-weight:800;color:#0f172a;letter-spacing:0.2px;">${escapeHtml(brand.brandName)}</div>`;
+  const logoBlock = brand.brandLogoUrl ? `<img src="${escapeHtml(brand.brandLogoUrl)}" alt="${escapeHtml(brand.brandName)}" width="138" style="display:block;border:0;outline:none;text-decoration:none;height:auto;" />` : `<div style="display:inline-block;font-size:24px;font-weight:800;line-height:1.1;color:#ffffff;letter-spacing:0.3px;">${escapeHtml(brand.brandName)}</div>`;
 
-  const greetingBlock = safeGreeting ? `<p style="margin:0 0 10px;color:#0f172a;font-size:16px;font-weight:700;line-height:1.5;">${escapeHtml(safeGreeting)}</p>` : '';
-  const introBlock = safeIntro ? `<p style="margin:0 0 14px;color:#334155;font-size:15px;line-height:1.65;">${escapeHtml(safeIntro)}</p>` : '';
+  const headingBlock = safeHeading ? `<h1 style="margin:0;color:#0f172a;font-size:27px;line-height:1.2;font-weight:800;letter-spacing:0.1px;">${escapeHtml(safeHeading)}</h1>` : '';
+  const greetingBlock = safeGreeting ? `<p style="margin:0 0 10px;color:#0f172a;font-size:16px;font-weight:700;line-height:1.6;">${escapeHtml(safeGreeting)}</p>` : '';
+  const introBlock = safeIntro ? `<p style="margin:0 0 14px;color:#334155;font-size:15px;line-height:1.7;">${escapeHtml(safeIntro)}</p>` : '';
   const bodyBlock = renderParagraphsHtml(body);
 
   const ctaBlock =
     safeCtaUrl && safeCtaLabel
       ? `
-        <table role="presentation" cellpadding="0" cellspacing="0" border="0" style="margin:10px 0 10px;">
-          <tr>
-            <td align="center" bgcolor="#1d4ed8" style="border-radius:10px;">
-              <a href="${escapeHtml(safeCtaUrl)}" style="display:inline-block;padding:12px 20px;font-size:15px;line-height:1.2;font-weight:700;color:#ffffff;text-decoration:none;">${escapeHtml(safeCtaLabel)}</a>
-            </td>
-          </tr>
-        </table>
-      `.trim()
+      <table role="presentation" cellpadding="0" cellspacing="0" border="0" style="margin:14px 0 8px;">
+        <tr>
+          <td align="center" bgcolor="#1d4ed8" style="border-radius:10px;">
+            <a href="${escapeHtml(safeCtaUrl)}" style="display:inline-block;padding:13px 22px;font-size:15px;line-height:1.2;font-weight:700;color:#ffffff;text-decoration:none;letter-spacing:0.2px;">${escapeHtml(safeCtaLabel)}</a>
+          </td>
+        </tr>
+      </table>
+    `.trim()
       : '';
 
-  const ctaHintBlock = safeCtaHint ? `<p style="margin:4px 0 0;color:#64748b;font-size:13px;line-height:1.55;">${escapeHtml(safeCtaHint)}</p>` : '';
-  const secondaryCtaBlock = safeSecondaryCtaLabel && safeSecondaryCtaUrl ? `<p style="margin:10px 0 0;color:#1e293b;font-size:14px;line-height:1.6;">${escapeHtml(safeSecondaryCtaLabel)}: <a href="${escapeHtml(safeSecondaryCtaUrl)}" style="color:#2563eb;text-decoration:none;">${escapeHtml(safeSecondaryCtaUrl)}</a></p>` : '';
-  const fallbackLinkBlock = safeCtaUrl ? `<p style="margin:12px 0 0;color:#64748b;font-size:12px;line-height:1.6;word-break:break-all;">Se o botão não funcionar, copie e cole este link no navegador: ${escapeHtml(safeCtaUrl)}</p>` : '';
-  const securityNoteBlock = safeSecurityNote ? `<p style="margin:16px 0 0;padding:10px 12px;background:#f8fafc;border:1px solid #e2e8f0;border-radius:8px;color:#475569;font-size:12px;line-height:1.6;">${escapeHtml(safeSecurityNote)}</p>` : '';
-
+  const ctaHintBlock = safeCtaHint ? `<p style="margin:6px 0 0;color:#64748b;font-size:13px;line-height:1.6;">${escapeHtml(safeCtaHint)}</p>` : '';
+  const secondaryCtaBlock =
+    safeSecondaryCtaLabel && safeSecondaryCtaUrl
+      ? `
+      <p style="margin:12px 0 0;color:#334155;font-size:13px;line-height:1.65;">
+        ${escapeHtml(safeSecondaryCtaLabel)}:
+        <a href="${escapeHtml(safeSecondaryCtaUrl)}" style="color:#1d4ed8;text-decoration:none;font-weight:600;">${escapeHtml(safeSecondaryCtaUrl)}</a>
+      </p>
+    `.trim()
+      : '';
+  const fallbackLinkBlock = safeCtaUrl ? `<p style="margin:14px 0 0;color:#64748b;font-size:12px;line-height:1.7;word-break:break-all;">Se o botão não funcionar, copie e cole este link no navegador: ${escapeHtml(safeCtaUrl)}</p>` : '';
+  const securityNoteBlock = safeSecurityNote ? `<p style="margin:16px 0 0;padding:12px 13px;background:#f8fafc;border:1px solid #e2e8f0;border-radius:10px;color:#475569;font-size:12px;line-height:1.65;">${escapeHtml(safeSecurityNote)}</p>` : '';
+  const brandTaglineBlock = brand.brandTagline ? `<p style="margin:8px 0 0;color:#cbd5e1;font-size:13px;line-height:1.6;">${escapeHtml(brand.brandTagline)}</p>` : '';
   const supportEmailLine = brand.supportEmail ? `<span style="display:block;margin-top:6px;">E-mail: <a href="mailto:${escapeHtml(brand.supportEmail)}" style="color:#2563eb;text-decoration:none;">${escapeHtml(brand.supportEmail)}</a></span>` : '';
-  const footerMessageBlock = safeFooterMessage ? `<span style="display:block;margin-top:6px;color:#64748b;">${escapeHtml(safeFooterMessage)}</span>` : '';
-  const taglineBlock = brand.brandTagline ? `<p style="margin:8px 0 0;color:#64748b;font-size:13px;line-height:1.6;">${escapeHtml(brand.brandTagline)}</p>` : '';
+  const footerMessageBlock = safeFooterMessage ? `<span style="display:block;margin-top:7px;color:#64748b;">${escapeHtml(safeFooterMessage)}</span>` : '';
 
   return `
 <!doctype html>
 <html lang="pt-BR">
-  <body style="margin:0;padding:0;background:#f1f5f9;font-family:'Segoe UI',Roboto,Helvetica,Arial,sans-serif;">
+  <body style="margin:0;padding:0;background:#eef2f8;font-family:'Segoe UI',Roboto,Helvetica,Arial,sans-serif;">
     <div style="display:none;max-height:0;overflow:hidden;opacity:0;color:transparent;">${escapeHtml(safePreheader)}</div>
-    <table role="presentation" cellpadding="0" cellspacing="0" border="0" width="100%" style="background:#f1f5f9;padding:28px 10px;">
+    <table role="presentation" cellpadding="0" cellspacing="0" border="0" width="100%" style="background:#eef2f8;padding:26px 10px;">
       <tr>
         <td align="center">
           <table role="presentation" cellpadding="0" cellspacing="0" border="0" width="100%" style="max-width:640px;">
             <tr>
-              <td align="center" style="padding:0 0 16px;">
-                ${logoBlock}
-                ${taglineBlock}
+              <td style="background:#0f172a;border-radius:16px 16px 0 0;padding:22px 24px 20px;">
+                <table role="presentation" cellpadding="0" cellspacing="0" border="0" width="100%">
+                  <tr>
+                    <td align="left" valign="middle" style="padding-right:12px;">
+                      ${logoBlock}
+                      ${brandTaglineBlock}
+                    </td>
+                    <td align="right" valign="middle" style="white-space:nowrap;">
+                      <span style="display:inline-block;padding:6px 10px;border:1px solid rgba(148,163,184,0.45);border-radius:999px;font-size:11px;font-weight:700;letter-spacing:0.35px;text-transform:uppercase;color:#e2e8f0;">Comunicado oficial</span>
+                    </td>
+                  </tr>
+                </table>
+              </td>
+            </tr>
+            <tr>
+              <td style="background:#ffffff;border-left:1px solid #d9e2ef;border-right:1px solid #d9e2ef;padding:26px 24px 10px;">
+                ${headingBlock}
               </td>
             </tr>
             <tr>
-              <td style="background:#ffffff;border:1px solid #dbe3ef;border-radius:14px;padding:26px 24px;box-shadow:0 4px 24px rgba(15,23,42,0.06);">
-                <h1 style="margin:0 0 14px;color:#0f172a;font-size:25px;line-height:1.25;">${escapeHtml(safeHeading)}</h1>
+              <td style="background:#ffffff;border-left:1px solid #d9e2ef;border-right:1px solid #d9e2ef;padding:0 24px 22px;">
                 ${greetingBlock}
                 ${introBlock}
                 ${bodyBlock}
@@ -186,11 +244,12 @@ const renderEmailLayout = ({ payload = {}, preheader = '', heading = '', greetin
               </td>
             </tr>
             <tr>
-              <td style="padding:14px 2px 0;color:#64748b;font-size:12px;line-height:1.7;text-align:left;">
+              <td style="background:#ffffff;border:1px solid #d9e2ef;border-top:none;border-radius:0 0 16px 16px;padding:14px 24px 18px;color:#64748b;font-size:12px;line-height:1.7;">
                 <span style="display:block;">${escapeHtml(brand.brandName)} © ${year}. Todos os direitos reservados.</span>
                 <span style="display:block;margin-top:6px;">Central de suporte: <a href="${escapeHtml(brand.supportUrl)}" style="color:#2563eb;text-decoration:none;">${escapeHtml(brand.supportLabel)}</a></span>
                 ${supportEmailLine}
                 ${footerMessageBlock}
+                <span style="display:block;margin-top:7px;color:#94a3b8;font-size:11px;">Gerado em ${escapeHtml(generatedAt)} UTC.</span>
               </td>
             </tr>
           </table>
@@ -457,19 +516,66 @@ const TEMPLATE_BUILDERS = {
 };
 
 export const renderEmailTemplate = (templateKey, payload = {}) => {
+  const renderStartedAtMs = __timeNowMs();
   const normalizedTemplateKey = normalizeTemplateKey(templateKey);
-  if (!normalizedTemplateKey) return null;
+  const payloadKeys = summarizePayloadKeys(payload);
+
+  if (!normalizedTemplateKey) {
+    logger.warn('Render de template de e-mail ignorado por chave inválida.', {
+      action: 'email_template_render_invalid_key',
+      template_key_raw: clipTemplatePreview(templateKey, 64),
+      payload_keys: payloadKeys,
+    });
+    return null;
+  }
   const builder = TEMPLATE_BUILDERS[normalizedTemplateKey];
-  if (typeof builder !== 'function') return null;
+  if (typeof builder !== 'function') {
+    logger.warn('Template de e-mail não encontrado.', {
+      action: 'email_template_builder_not_found',
+      template_key: normalizedTemplateKey,
+      payload_keys: payloadKeys,
+    });
+    return null;
+  }
 
   const rendered = builder(payload || {});
-  if (!rendered) return null;
+  if (!rendered) {
+    logger.warn('Template de e-mail retornou conteúdo vazio.', {
+      action: 'email_template_builder_empty',
+      template_key: normalizedTemplateKey,
+      payload_keys: payloadKeys,
+    });
+    return null;
+  }
 
   const subject = normalizeText(rendered.subject, 180);
   const text = normalizeText(rendered.text, 120_000);
   const html = normalizeText(rendered.html, 500_000);
 
-  if (!subject || (!text && !html)) return null;
+  if (!subject || (!text && !html)) {
+    logger.warn('Template de e-mail inválido após normalização.', {
+      action: 'email_template_render_invalid_output',
+      template_key: normalizedTemplateKey,
+      subject_length: subject.length,
+      text_length: text.length,
+      html_length: html.length,
+      payload_keys: payloadKeys,
+    });
+    return null;
+  }
+
+  logger.debug('Template de e-mail renderizado com sucesso.', {
+    action: 'email_template_rendered',
+    template_key: normalizedTemplateKey,
+    subject_preview: clipTemplatePreview(subject),
+    subject_length: subject.length,
+    text_length: text.length,
+    html_length: html.length,
+    has_text: Boolean(text),
+    has_html: Boolean(html),
+    payload_keys: payloadKeys,
+    render_duration_ms: Math.max(0, __timeNowMs() - renderStartedAtMs),
+  });
 
   return {
     subject,

package/server/http/httpRequestUtils.js

@@ -225,7 +225,7 @@ export const buildCookieString = (name, value, req, options = {}) => {
   return parts.join('; ');
 };
 
-export const readJsonBody = async (req, { maxBytes = 64 * 1024 } = {}) =>
+export const readRawBody = async (req, { maxBytes = 64 * 1024 } = {}) =>
   new Promise((resolve, reject) => {
     const chunks = [];
     let total = 0;
@@ -243,20 +243,24 @@ export const readJsonBody = async (req, { maxBytes = 64 * 1024 } = {}) =>
     });
 
     req.on('end', () => {
-      const raw = Buffer.concat(chunks).toString('utf8').trim();
-      if (!raw) {
-        resolve({});
-        return;
-      }
-
-      try {
-        resolve(JSON.parse(raw));
-      } catch {
-        const error = new Error('JSON invalido.');
-        error.statusCode = 400;
-        reject(error);
-      }
+      resolve(Buffer.concat(chunks));
     });
 
     req.on('error', (error) => reject(error));
   });
+
+export const readJsonBody = async (req, { maxBytes = 64 * 1024 } = {}) => {
+  const rawBuffer = await readRawBody(req, { maxBytes });
+  const raw = rawBuffer.toString('utf8').trim();
+  if (!raw) {
+    return {};
+  }
+
+  try {
+    return JSON.parse(raw);
+  } catch {
+    const error = new Error('JSON invalido.');
+    error.statusCode = 400;
+    throw error;
+  }
+};

package/server/middleware/securityHeaders.js

@@ -39,7 +39,9 @@ const HELMET_CSP_DIRECTIVES = {
   baseUri: ["'self'"],
   objectSrc: ["'none'"],
   frameAncestors: ["'self'"],
-  formAction: ["'self'"],
+  // Google Identity Services usa submit interno para accounts.google.com/gsi/transform.
+  // Sem essa origem no form-action o login pode travar na etapa de transform.
+  formAction: ["'self'", 'https://accounts.google.com'],
   scriptSrc: ["'self'", "'unsafe-inline'", 'https://accounts.google.com', 'https://cdn.tailwindcss.com'],
   styleSrc: ["'self'", "'unsafe-inline'", 'https://fonts.googleapis.com', 'https://cdnjs.cloudflare.com'],
   imgSrc: ["'self'", 'data:', 'blob:', 'https:'],
@@ -71,6 +73,11 @@ const helmetMiddleware = helmet({
     directives: HELMET_CSP_DIRECTIVES,
     reportOnly: !HELMET_CSP_ENFORCE,
   },
+  // Fluxos OAuth/FedCM em popup (Google GIS) podem quebrar com COOP strict.
+  // Permitimos opener em popups mantendo isolamento para navegação principal.
+  crossOriginOpenerPolicy: {
+    policy: 'same-origin-allow-popups',
+  },
   crossOriginEmbedderPolicy: false,
   // Mantemos permissões explícitas para browser APIs sensíveis.
   permissionsPolicy: {
@@ -78,6 +85,7 @@ const helmetMiddleware = helmet({
       geolocation: [],
       microphone: [],
       camera: [],
+      'identity-credentials-get': ['self'],
     },
   },
 });
@@ -86,7 +94,12 @@ const applyFallbackHeaders = (res) => {
   if (!res.getHeader('X-Content-Type-Options')) res.setHeader('X-Content-Type-Options', 'nosniff');
   if (!res.getHeader('X-Frame-Options')) res.setHeader('X-Frame-Options', 'DENY');
   if (!res.getHeader('Referrer-Policy')) res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
-  if (!res.getHeader('Permissions-Policy')) res.setHeader('Permissions-Policy', 'geolocation=(), microphone=(), camera=()');
+  if (!res.getHeader('Permissions-Policy')) {
+    res.setHeader(
+      'Permissions-Policy',
+      'geolocation=(), microphone=(), camera=(), identity-credentials-get=(self)',
+    );
+  }
   if (FALLBACK_CSP_HEADER && !res.getHeader('Content-Security-Policy') && !res.getHeader('Content-Security-Policy-Report-Only')) {
     const cspHeaderName = HELMET_CSP_ENFORCE ? 'Content-Security-Policy' : 'Content-Security-Policy-Report-Only';
     res.setHeader(cspHeaderName, FALLBACK_CSP_HEADER);

package/server/routes/indexRouter.js

@@ -3,6 +3,7 @@ import path from 'node:path';
 import { maybeHandleMetricsRequest } from './metrics/metricsRouter.js';
 import { maybeHandleHealthRequest, shouldHandleHealthPath } from './health/healthRouter.js';
 import { getEmailAutomationRouterConfig, maybeHandleEmailAutomationRequest, shouldHandleEmailAutomationPath } from './email/emailAutomationRouter.js';
+import { getPaymentsRouterConfig, maybeHandlePaymentsRequest, shouldHandlePaymentsPath } from './payments/paymentsRouter.js';
 import { buildUserApiPaths, getUserRouterConfig, maybeHandleUserRequest, shouldHandleUserPath } from './user/userRouter.js';
 import { getSystemAdminRouterConfig, maybeHandleSystemAdminRequest, shouldHandleSystemAdminPath } from './admin/systemAdminRouter.js';
 import { getStickerSiteRouterConfig, maybeHandleStickerSiteRequest, shouldHandleStickerSitePath } from './sticker/stickerSiteRouter.js';
@@ -76,6 +77,16 @@ const loadEmailAutomationConfigSafe = async () => {
   }
 };
 
+const loadPaymentsConfigSafe = async () => {
+  try {
+    return await getPaymentsRouterConfig();
+  } catch {
+    return {
+      apiBasePath: '/api/payments',
+    };
+  }
+};
+
 const loadStickerSiteConfigSafe = async () => {
   try {
     return await getStickerSiteRouterConfig();
@@ -129,10 +140,11 @@ const loadGrafanaProxyConfigSafe = async () => {
 
 export const getIndexRouteConfigs = async () => {
   if (!indexRouteConfigsPromise) {
-    indexRouteConfigsPromise = Promise.all([loadUserConfigSafe(), loadSystemAdminConfigSafe(), loadEmailAutomationConfigSafe(), loadStickerSiteConfigSafe(), loadStickerDataConfigSafe(), loadStickerApiConfigSafe(), loadGrafanaProxyConfigSafe()]).then(([userConfig, systemAdminConfig, emailAutomationConfig, stickerSiteConfig, stickerDataConfig, stickerApiConfig, grafanaProxyConfig]) => ({
+    indexRouteConfigsPromise = Promise.all([loadUserConfigSafe(), loadSystemAdminConfigSafe(), loadEmailAutomationConfigSafe(), loadPaymentsConfigSafe(), loadStickerSiteConfigSafe(), loadStickerDataConfigSafe(), loadStickerApiConfigSafe(), loadGrafanaProxyConfigSafe()]).then(([userConfig, systemAdminConfig, emailAutomationConfig, paymentsConfig, stickerSiteConfig, stickerDataConfig, stickerApiConfig, grafanaProxyConfig]) => ({
       userConfig,
       systemAdminConfig,
       emailAutomationConfig,
+      paymentsConfig,
       grafanaProxyConfig,
       stickerConfig: {
         ...stickerSiteConfig,
@@ -156,6 +168,7 @@ export const routeRequest = async (req, res, { pathname, url, metricsPath = '/me
   const userConfig = resolvedConfigs?.userConfig || null;
   const systemAdminConfig = resolvedConfigs?.systemAdminConfig || null;
   const emailAutomationConfig = resolvedConfigs?.emailAutomationConfig || null;
+  const paymentsConfig = resolvedConfigs?.paymentsConfig || null;
   const grafanaProxyConfig = resolvedConfigs?.grafanaProxyConfig || null;
   const stickerConfig = resolvedConfigs?.stickerConfig || null;
 
@@ -180,14 +193,21 @@ export const routeRequest = async (req, res, { pathname, url, metricsPath = '/me
     return sendNotFound(req, res);
   }
 
-  // 4) Grafana proxy (/api/grafana e alias /grafana)
+  // 4) Payments API
+  if (shouldHandlePaymentsPath(pathname, paymentsConfig)) {
+    const handled = await maybeHandlePaymentsRequest(req, res, { pathname, url });
+    if (handled) return true;
+    return sendNotFound(req, res);
+  }
+
+  // 5) Grafana proxy (/api/grafana e alias /grafana)
   if (shouldHandleGrafanaProxyPath(pathname, grafanaProxyConfig)) {
     const handled = await maybeHandleGrafanaProxyRequest(req, res, { pathname, url, config: grafanaProxyConfig });
     if (handled) return true;
     return sendNotFound(req, res);
   }
 
-  // 5) User
+  // 6) User
   const systemAdminCandidate = shouldHandleSystemAdminStep(pathname, systemAdminConfig);
   if (shouldHandleUserStep(pathname, userConfig)) {
     const handled = await maybeHandleUserRequest(req, res, { pathname, url });
@@ -197,14 +217,14 @@ export const routeRequest = async (req, res, { pathname, url, metricsPath = '/me
     if (!systemAdminCandidate) return sendNotFound(req, res);
   }
 
-  // 6) System admin + legacy /stickers/admin
+  // 7) System admin + legacy /stickers/admin
   if (systemAdminCandidate) {
     const handled = await maybeHandleSystemAdminRequest(req, res, { pathname, url });
     if (handled) return true;
     return sendNotFound(req, res);
   }
 
-  // 7) Sticker catalog apenas nos prefixes permitidos
+  // 8) Sticker catalog apenas nos prefixes permitidos
   if (shouldHandleStickerSitePath(pathname, stickerConfig)) {
     const handled = await maybeHandleStickerSiteRequest(req, res, { pathname, url });
     if (handled) return true;
@@ -236,14 +256,14 @@ export const routeRequest = async (req, res, { pathname, url, metricsPath = '/me
     return sendNotFound(req, res);
   }
 
-  // 8) Paginas estaticas (templates em public/pages)
+  // 9) Paginas estaticas (templates em public/pages)
   if (shouldHandleStaticPagePath(pathname)) {
     const handled = await maybeHandleStaticPageRequest(req, res, { pathname });
     if (handled) return true;
     return sendNotFound(req, res);
   }
 
-  // 9) 404 global
+  // 10) 404 global
   return sendNotFound(req, res);
 };