cdp-edge 1.13.0 → 1.14.0

package/server-edge-tracker/worker.js

@@ -466,7 +466,7 @@ async function resolveDeviceGraph(DB, currentUserId, email, phone) {
 
 // ── Automação de Mensagens — avalia regras e dispara WA/Email ────────────────
 // Chamado via ctx.waitUntil após saveLead() para não bloquear o browser.
-// Requer secrets: WHATSAPP_TOKEN, WHATSAPP_PHONE_NUMBER_ID, RESEND_API_KEY, RESEND_FROM_EMAIL
+// Requer secrets: WHATSAPP_ACCESS_TOKEN, WHATSAPP_PHONE_NUMBER_ID, RESEND_API_KEY, RESEND_FROM_EMAIL
 async function fireAutomation(env, eventName, leadId, payload) {
   if (!env.DB) return;
 
@@ -498,14 +498,14 @@ async function fireAutomation(env, eventName, leadId, payload) {
       const subject = rule.subject_template ? interpolate(rule.subject_template) : null;
 
       try {
-        if (rule.channel === 'whatsapp' && payload.phone && env.WHATSAPP_TOKEN && env.WHATSAPP_PHONE_NUMBER_ID) {
+        if (rule.channel === 'whatsapp' && payload.phone && env.WHATSAPP_ACCESS_TOKEN && env.WHATSAPP_PHONE_NUMBER_ID) {
           const digits  = String(payload.phone).replace(/\D/g, '');
           const e164    = digits.startsWith('55') ? `+${digits}` : `+55${digits}`;
           const waRes   = await fetch(
             `https://graph.facebook.com/v22.0/${env.WHATSAPP_PHONE_NUMBER_ID}/messages`,
             {
               method: 'POST',
-              headers: { 'Authorization': `Bearer ${env.WHATSAPP_TOKEN}`, 'Content-Type': 'application/json' },
+              headers: { 'Authorization': `Bearer ${env.WHATSAPP_ACCESS_TOKEN}`, 'Content-Type': 'application/json' },
               body: JSON.stringify({ messaging_product: 'whatsapp', recipient_type: 'individual', to: e164, type: 'text', text: { body: message } }),
             }
           );
@@ -1161,8 +1161,8 @@ async function sendSpotifyCapi(env, eventName, payload, request, ctx) {
 // ── WhatsApp — Meta Cloud API v22.0 ──────────────────────────────────────────
 //
 //  Secrets necessários (wrangler secret put):
-//    WA_PHONE_ID          → ID do número no WhatsApp Business (ex: 123456789012345)
-//    WA_ACCESS_TOKEN      → Token permanente da Meta Cloud API
+//    WHATSAPP_PHONE_NUMBER_ID  → Meta: "Phone Number ID" (ex: 123456789012345)
+//    WHATSAPP_ACCESS_TOKEN     → Meta: "Access Token" (Token permanente)
 //    WA_NOTIFY_NUMBER     → Número do dono para receber notificações (ex: 5511999998888)
 //
 //  Formatos suportados:
@@ -1179,7 +1179,7 @@ async function sendSpotifyCapi(env, eventName, payload, request, ctx) {
 //  a uma mensagem do usuário nos últimos 24h.
 //
 async function sendWhatsApp(env, tipo, payload, options = {}) {
-  if (!env.WA_PHONE_ID || !env.WA_ACCESS_TOKEN || !env.WA_NOTIFY_NUMBER) {
+  if (!env.WHATSAPP_PHONE_NUMBER_ID || !env.WHATSAPP_ACCESS_TOKEN || !env.WA_NOTIFY_NUMBER) {
     return { skipped: 'WhatsApp não configurado' };
   }
 
@@ -1297,11 +1297,11 @@ async function sendWhatsApp(env, tipo, payload, options = {}) {
 // ── Executor interno — evita duplicação de fetch entre os formatos ────────────
 async function _sendWARequest(env, body) {
   try {
-    const res = await fetch(`https://graph.facebook.com/v22.0/${env.WA_PHONE_ID}/messages`, {
+    const res = await fetch(`https://graph.facebook.com/v22.0/${env.WHATSAPP_PHONE_NUMBER_ID}/messages`, {
       method: 'POST',
       headers: {
         'Content-Type': 'application/json',
-        'Authorization': `Bearer ${env.WA_ACCESS_TOKEN}`,
+        'Authorization': `Bearer ${env.WHATSAPP_ACCESS_TOKEN}`,
       },
       body: JSON.stringify(body),
     });
@@ -1567,7 +1567,7 @@ async function upsertLtvProfile(env, userId, ltv) {
  *   class: 'High' | 'Medium' | 'Low'
  *   value: valor em BRL (base × multiplicador da classe)
  */
-async function predictLtv(env, payload, request) {
+async function predictLtv(env, payload, request, customSystemPrompt = null) {
   let score = 0;
 
   // 1. Engajamento browser (0–30)
@@ -1640,8 +1640,10 @@ async function predictLtv(env, payload, request) {
   let aiAdjustment = 0;
   if (env.AI && score >= 40) {
     try {
+      const systemContent = customSystemPrompt ||
+        'You are a conversion rate expert. Reply ONLY with a JSON object {"adjustment": <number between -10 and 10>} based on the lead data provided. No explanation.';
       const prompt = [
-        { role: 'system', content: 'You are a conversion rate expert. Reply ONLY with a JSON object {"adjustment": <number between -10 and 10>} based on the lead data provided. No explanation.' },
+        { role: 'system', content: systemContent },
         { role: 'user', content: JSON.stringify({
           utm_source: payload.utmSource,
           intention: intentionLevel,
@@ -2042,6 +2044,1347 @@ async function buildGoogleCustomerMatchExport(env) {
   );
 }
 
+// ─────────────────────────────────────────────────────────────────────────────
+// SEGMENTAÇÃO DINÂMICA ML — Handlers das Rotas de Clustering
+// ─────────────────────────────────────────────────────────────────────────────
+
+// Helper: parse seguro de JSON armazenado como TEXT no D1
+function tryParseJson(str, fallback) {
+  if (!str) return fallback !== undefined ? fallback : null;
+  try { return JSON.parse(str); } catch { return fallback !== undefined ? fallback : null; }
+}
+
+// ── POST /api/segmentation/cluster ───────────────────────────────────────────
+// Executa clustering K-means/DBSCAN/Hierarchical via Workers AI
+// Requer bindings: DB + AI
+async function handleSegmentationCluster(env, request, headers) {
+  if (!env.DB) return new Response(JSON.stringify({ error: 'DB não configurado' }), { status: 503, headers });
+  if (!env.AI) return new Response(JSON.stringify({ error: 'Workers AI não configurado (verifique binding AI no wrangler.toml)' }), { status: 503, headers });
+
+  const url = new URL(request.url);
+  const algorithm      = url.searchParams.get('algorithm') || 'kmeans';
+  const nClusters      = Math.min(10, Math.max(3, parseInt(url.searchParams.get('n_clusters') || '5')));
+  const clientVertical = url.searchParams.get('vertical') || 'general';
+  const forceRecluster = url.searchParams.get('force') === 'true';
+
+  if (!['kmeans', 'dbscan', 'hierarchical'].includes(algorithm)) {
+    return new Response(JSON.stringify({ error: 'algorithm deve ser: kmeans, dbscan ou hierarchical', received: algorithm }), { status: 400, headers });
+  }
+
+  try {
+    // 1. Cluster recente? Evitar re-clustering desnecessário (< 7 dias)
+    if (!forceRecluster) {
+      const existing = await env.DB.prepare(`
+        SELECT id, created_at, cluster_name FROM ml_segments
+        WHERE clustering_algorithm = ? AND is_active = 1 AND client_vertical = ?
+        ORDER BY created_at DESC LIMIT 1
+      `).bind(algorithm, clientVertical).first();
+
+      if (existing) {
+        const ageDays = (Date.now() - new Date(existing.created_at).getTime()) / (1000 * 60 * 60 * 24);
+        if (ageDays < 7) {
+          return new Response(JSON.stringify({
+            success:      true,
+            message:      'Cluster existente ainda válido (< 7 dias). Use ?force=true para re-clustering.',
+            cluster_id:   existing.id,
+            cluster_name: existing.cluster_name,
+            age_days:     Math.round(ageDays * 10) / 10,
+            use_existing: true,
+          }), { status: 200, headers });
+        }
+      }
+    }
+
+    // 2. Extrair leads históricos do D1 (últimos 6 meses, excluindo bots confirmados)
+    const leadsRes = await env.DB.prepare(`
+      SELECT id, predicted_ltv_class, engagement_score, intention_level,
+             country, state, utm_source, utm_medium, bot_score,
+             CAST(strftime('%H', created_at) AS INTEGER) AS hour_of_day,
+             CAST(julianday('now') - julianday(created_at) AS INTEGER) AS days_since_lead,
+             CASE WHEN strftime('%w', created_at) IN ('0','6') THEN 1 ELSE 0 END AS is_weekend
+      FROM leads
+      WHERE created_at >= datetime('now', '-6 months')
+        AND (bot_score IS NULL OR bot_score < 2)
+      ORDER BY RANDOM()
+      LIMIT 2000
+    `).all();
+
+    const leads = leadsRes.results || [];
+
+    if (leads.length < 50) {
+      return new Response(JSON.stringify({
+        error:       'Dados insuficientes para clustering. Mínimo: 50 leads nos últimos 6 meses.',
+        leads_found: leads.length,
+        required:    50,
+      }), { status: 400, headers });
+    }
+
+    // 3. Feature Engineering — normalização 0–1
+    const features = leads.map(l => ({
+      id:         l.id,
+      ltv:        l.predicted_ltv_class === 'High' ? 1 : (l.predicted_ltv_class === 'Medium' ? 0.5 : 0),
+      engagement: Math.min((l.engagement_score || 0) / 100, 1),
+      intention:  l.intention_level === 'comprador' || l.intention_level === 'high_intent' ? 1
+                : l.intention_level === 'interessado' ? 0.6
+                : l.intention_level === 'curioso'     ? 0.3 : 0,
+      recency:    Math.max(0, 1 - (l.days_since_lead || 0) / 180),
+      hour:       (l.hour_of_day || 12) / 23,
+      is_weekend: l.is_weekend || 0,
+      is_br:      l.country === 'BR' ? 1 : 0,
+      is_paid:    ['facebook','google','tiktok','instagram','youtube'].includes(
+                    (l.utm_source || '').toLowerCase()) ? 1 : 0,
+    }));
+
+    // 4. Prompt para Workers AI
+    const sampleSize = Math.min(features.length, 100);
+    const sample     = features.slice(0, sampleSize);
+
+    const clusteringPrompt =
+`You are a customer segmentation ML expert. Perform ${algorithm} clustering on ${sampleSize} customers into ${nClusters} segments.
+
+Customer features (all normalized 0-1):
+- ltv: predicted lifetime value (0=Low, 0.5=Medium, 1=High)
+- engagement: browser engagement score
+- intention: purchase intention (0=none, 0.3=curious, 0.6=interested, 1=buyer)
+- recency: lead recency (1=today, 0=6 months ago)
+- hour: conversion hour of day
+- is_weekend: converted on weekend (0/1)
+- is_br: lead from Brazil (0/1)
+- is_paid: from paid traffic channel (0/1)
+
+Data (${sampleSize} customers): ${JSON.stringify(sample.slice(0, 50))}
+
+Return ONLY valid JSON, zero explanation:
+{
+  "clusters": [
+    {
+      "cluster_id": 0,
+      "name": "[Nome Descritivo em Português]",
+      "size": ${Math.round(sampleSize / nClusters)},
+      "percentage": ${Math.round(100 / nClusters)},
+      "characteristics": {
+        "avg_ltv_class": 0.5,
+        "avg_behavior_score": 0.5,
+        "avg_engagement_score": 0.5,
+        "avg_intention_level": 0.5,
+        "avg_days_since_lead": 30,
+        "dominant_countries": ["BR"],
+        "dominant_states": ["SP", "RJ"],
+        "dominant_utm_sources": ["facebook"],
+        "top_features": ["ltv", "engagement"]
+      },
+      "centroid": { "ltv": 0.5, "engagement": 0.5, "intention": 0.5 },
+      "action_recommendation": "[Recomendação de campanha específica para este segmento]"
+    }
+  ],
+  "silhouette_score": 0.65,
+  "total_processed": ${sampleSize}
+}`;
+
+    // 5. Executar via Workers AI
+    const startTime = Date.now();
+    const aiRes = await env.AI.run('@cf/meta/llama-3.1-8b-instruct', {
+      messages:   [{ role: 'user', content: clusteringPrompt }],
+      max_tokens: 2000,
+    });
+    const duration = Date.now() - startTime;
+
+    if (!aiRes?.response) throw new Error('Workers AI não retornou resposta');
+
+    // 6. Parse do resultado
+    const jsonMatch = aiRes.response.trim().match(/\{[\s\S]*\}/);
+    if (!jsonMatch) throw new Error('Resposta do Workers AI não contém JSON válido');
+    const mlResult = JSON.parse(jsonMatch[0]);
+
+    if (!Array.isArray(mlResult.clusters) || mlResult.clusters.length === 0) {
+      throw new Error('Workers AI não retornou clusters válidos');
+    }
+
+    // 7. Inativar clusters anteriores do mesmo algoritmo/vertical
+    await env.DB.prepare(
+      `UPDATE ml_segments SET is_active = 0 WHERE clustering_algorithm = ? AND client_vertical = ? AND is_active = 1`
+    ).bind(algorithm, clientVertical).run();
+
+    // 8. Persistir novos clusters no D1
+    const now = new Date().toISOString();
+    for (const cluster of mlResult.clusters) {
+      const ch = cluster.characteristics || {};
+      await env.DB.prepare(`
+        INSERT INTO ml_segments (
+          cluster_id, cluster_name, clustering_algorithm, client_vertical,
+          size, percentage,
+          avg_ltv_class, avg_behavior_score, avg_engagement_score,
+          avg_intention_level, avg_days_since_lead,
+          dominant_countries, dominant_states, dominant_utm_sources, dominant_features,
+          silhouette_score, action_recommendations, bid_recommendations, campaign_recommendations,
+          is_active, created_at, updated_at
+        ) VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,1,?,?)
+      `).bind(
+        cluster.cluster_id || 0,
+        cluster.name        || `Segmento ${cluster.cluster_id}`,
+        algorithm,
+        clientVertical,
+        cluster.size        || 0,
+        cluster.percentage  || 0,
+        ch.avg_ltv_class    || 0,
+        ch.avg_behavior_score   || 0,
+        ch.avg_engagement_score || 0,
+        ch.avg_intention_level  || 0,
+        ch.avg_days_since_lead  || 0,
+        JSON.stringify(ch.dominant_countries   || ['BR']),
+        JSON.stringify(ch.dominant_states      || []),
+        JSON.stringify(ch.dominant_utm_sources || []),
+        JSON.stringify(ch.top_features         || []),
+        mlResult.silhouette_score             || 0,
+        JSON.stringify([cluster.action_recommendation || '']),
+        JSON.stringify([]),
+        JSON.stringify([]),
+        now,
+        now,
+      ).run();
+    }
+
+    // 9. Log no histórico de clustering
+    try {
+      await env.DB.prepare(`
+        INSERT INTO ml_clustering_history (
+          clustering_id, started_at, completed_at, algorithm,
+          n_leads_processed, n_clusters_created, total_duration_ms,
+          workers_ai_neurons_used, status, parameters, results_summary
+        ) VALUES (0, ?, datetime('now'), ?, ?, ?, ?, ?, 'completed', ?, ?)
+      `).bind(
+        new Date(startTime).toISOString(),
+        algorithm,
+        leads.length,
+        mlResult.clusters.length,
+        duration,
+        Math.ceil(duration * 0.01),
+        JSON.stringify({ algorithm, n_clusters: nClusters, vertical: clientVertical }),
+        JSON.stringify({ clusters: mlResult.clusters.length, silhouette: mlResult.silhouette_score }),
+      ).run();
+    } catch (e) { console.error('[Segmentation] history log error:', e.message); }
+
+    return new Response(JSON.stringify({
+      success:          true,
+      algorithm,
+      n_clusters:       mlResult.clusters.length,
+      client_vertical:  clientVertical,
+      leads_analyzed:   leads.length,
+      duration_ms:      duration,
+      silhouette_score: mlResult.silhouette_score || null,
+      clusters:         mlResult.clusters,
+      generated_at:     now,
+    }), { status: 200, headers });
+
+  } catch (err) {
+    console.error('[Segmentation] cluster error:', err.message);
+    try {
+      if (env.DB) {
+        await env.DB.prepare(`
+          INSERT INTO ml_clustering_history
+            (clustering_id, started_at, algorithm, n_leads_processed, n_clusters_created,
+             total_duration_ms, workers_ai_neurons_used, status, error_message, parameters, results_summary)
+          VALUES (0, datetime('now'), ?, 0, 0, 0, 0, 'failed', ?, ?, '{}')
+        `).bind(algorithm, err.message, JSON.stringify({ algorithm, n_clusters: nClusters })).run();
+      }
+    } catch { /* não bloquear a resposta de erro */ }
+
+    return new Response(JSON.stringify({ error: 'Erro ao executar clustering', message: err.message }), { status: 500, headers });
+  }
+}
+
+// ── GET /api/segmentation/list ────────────────────────────────────────────────
+// Lista todos os segmentos ativos com estatísticas
+async function handleSegmentationList(env, request, headers) {
+  if (!env.DB) return new Response(JSON.stringify({ error: 'DB não configurado' }), { status: 503, headers });
+
+  const url       = new URL(request.url);
+  const algorithm = url.searchParams.get('algorithm') || null;
+  const vertical  = url.searchParams.get('vertical')  || null;
+
+  try {
+    const conditions = ['is_active = 1'];
+    const bindings   = [];
+    if (algorithm) { conditions.push('clustering_algorithm = ?'); bindings.push(algorithm); }
+    if (vertical)  { conditions.push('client_vertical = ?');       bindings.push(vertical);  }
+
+    const query = `
+      SELECT id, cluster_id, cluster_name, clustering_algorithm, client_vertical,
+             size, percentage, avg_ltv_class, avg_behavior_score, avg_engagement_score,
+             avg_intention_level, avg_days_since_lead, silhouette_score,
+             dominant_countries, dominant_states, dominant_utm_sources, dominant_features,
+             action_recommendations, bid_recommendations, campaign_recommendations,
+             is_active, created_at, updated_at
+      FROM ml_segments
+      WHERE ${conditions.join(' AND ')}
+      ORDER BY created_at DESC
+      LIMIT 50
+    `;
+
+    const result   = await env.DB.prepare(query).bind(...bindings).all();
+    const segments = (result.results || []).map(s => ({
+      ...s,
+      dominant_countries:       tryParseJson(s.dominant_countries, []),
+      dominant_states:          tryParseJson(s.dominant_states, []),
+      dominant_utm_sources:     tryParseJson(s.dominant_utm_sources, []),
+      dominant_features:        tryParseJson(s.dominant_features, []),
+      action_recommendations:   tryParseJson(s.action_recommendations, []),
+      bid_recommendations:      tryParseJson(s.bid_recommendations, []),
+      campaign_recommendations: tryParseJson(s.campaign_recommendations, []),
+    }));
+
+    return new Response(JSON.stringify({
+      success: true,
+      total:   segments.length,
+      segments,
+    }), { status: 200, headers });
+
+  } catch (err) {
+    console.error('[Segmentation] list error:', err.message);
+    return new Response(JSON.stringify({ error: err.message }), { status: 500, headers });
+  }
+}
+
+// ── GET /api/segmentation/outliers ───────────────────────────────────────────
+// Lista leads marcados como outliers no ml_segment_members (DBSCAN)
+async function handleSegmentationOutliers(env, request, headers) {
+  if (!env.DB) return new Response(JSON.stringify({ error: 'DB não configurado' }), { status: 503, headers });
+
+  const url   = new URL(request.url);
+  const limit = Math.min(parseInt(url.searchParams.get('limit') || '50'), 200);
+  const days  = parseInt(url.searchParams.get('days') || '30');
+
+  try {
+    const result = await env.DB.prepare(`
+      SELECT msm.lead_id, msm.cluster_id, msm.confidence, msm.is_outlier,
+             msm.outlier_reason, msm.assigned_at,
+             l.email, l.phone, l.country, l.state, l.city,
+             l.utm_source, l.bot_score, l.engagement_score, l.intention_level,
+             l.created_at AS lead_created_at
+      FROM ml_segment_members msm
+      LEFT JOIN leads l ON CAST(msm.lead_id AS INTEGER) = l.id
+      WHERE msm.is_outlier = 1
+        AND msm.assigned_at >= datetime('now', '-' || ? || ' days')
+      ORDER BY msm.assigned_at DESC
+      LIMIT ?
+    `).bind(days, limit).all();
+
+    return new Response(JSON.stringify({
+      success:     true,
+      total:       (result.results || []).length,
+      period_days: days,
+      outliers:    result.results || [],
+    }), { status: 200, headers });
+
+  } catch (err) {
+    console.error('[Segmentation] outliers error:', err.message);
+    return new Response(JSON.stringify({ error: err.message }), { status: 500, headers });
+  }
+}
+
+// ── PUT /api/segmentation/update ─────────────────────────────────────────────
+// Atualiza recomendações de ação/bid/campanha de um segmento existente
+async function handleSegmentationUpdate(env, request, headers) {
+  if (!env.DB) return new Response(JSON.stringify({ error: 'DB não configurado' }), { status: 503, headers });
+
+  let body;
+  try { body = await request.json(); }
+  catch { return new Response(JSON.stringify({ error: 'JSON inválido no body da requisição' }), { status: 400, headers }); }
+
+  const { cluster_id, action_recommendations, bid_recommendations, campaign_recommendations } = body;
+
+  if (cluster_id === undefined || cluster_id === null) {
+    return new Response(JSON.stringify({ error: 'cluster_id é obrigatório' }), { status: 400, headers });
+  }
+
+  try {
+    const sets     = [];
+    const bindings = [];
+
+    if (action_recommendations   !== undefined) { sets.push('action_recommendations = ?');   bindings.push(JSON.stringify(action_recommendations));   }
+    if (bid_recommendations      !== undefined) { sets.push('bid_recommendations = ?');      bindings.push(JSON.stringify(bid_recommendations));      }
+    if (campaign_recommendations !== undefined) { sets.push('campaign_recommendations = ?'); bindings.push(JSON.stringify(campaign_recommendations)); }
+
+    if (sets.length === 0) {
+      return new Response(JSON.stringify({ error: 'Nenhum campo válido para atualizar (action_recommendations, bid_recommendations, campaign_recommendations)' }), { status: 400, headers });
+    }
+
+    sets.push("updated_at = datetime('now')");
+    bindings.push(cluster_id);
+
+    await env.DB.prepare(
+      `UPDATE ml_segments SET ${sets.join(', ')} WHERE id = ?`
+    ).bind(...bindings).run();
+
+    return new Response(JSON.stringify({
+      success:        true,
+      cluster_id,
+      fields_updated: sets.length - 1, // exclui o updated_at
+    }), { status: 200, headers });
+
+  } catch (err) {
+    console.error('[Segmentation] update error:', err.message);
+    return new Response(JSON.stringify({ error: err.message }), { status: 500, headers });
+  }
+}
+
+// ─────────────────────────────────────────────────────────────────────────────
+// FRAUD DETECTION ENGINE — Fase 4 Enterprise-Level
+// Heurístico puro (sem AI) — latência zero no /track
+// ─────────────────────────────────────────────────────────────────────────────
+
+// Domínios de email descartáveis
+const DISPOSABLE_EMAIL_DOMAINS = new Set([
+  'mailinator.com','guerrillamail.com','tempmail.com','throwaway.email',
+  'yopmail.com','sharklasers.com','guerrillamailblock.com','spam4.me',
+  '10minutemail.com','trashmail.com','maildrop.cc','fakeinbox.com',
+  'dispostable.com','mailnull.com','tempr.email','getnada.com',
+]);
+
+// ASNs conhecidos de datacenters (evitar falsos negativos em ASNs legítimos)
+const DATACENTER_PATTERNS = /amazon|google|microsoft|digitalocean|linode|ovh|vultr|hetzner|contabo|cloudflare|packet|rackspace|leaseweb/i;
+
+// ── checkFraudGate — roda sincronamente ANTES de processar o evento ────────────
+// Retorna { allowed, score, reasons, action }
+// NUNCA joga erro — qualquer falha = allowed (fail-safe)
+async function checkFraudGate(env, request, payload) {
+  const result = { allowed: true, score: 0, reasons: [], action: 'allowed' };
+
+  try {
+    const ip          = request.headers.get('CF-Connecting-IP') || '';
+    const ua          = request.headers.get('User-Agent')        || '';
+    const fingerprint = payload.fingerprint                       || '';
+    const email       = payload.email                             || '';
+    const botScore    = parseInt(payload.botScore || payload.bot_score || 0);
+    const asn         = String(request.cf?.asOrganization || '').toLowerCase();
+    const country     = (request.cf?.country || '').toUpperCase();
+    const acceptLang  = request.headers.get('Accept-Language');
+
+    // 1. KV blocklist check — instantâneo (~0ms)
+    if (env.GEO_CACHE && ip) {
+      const ipBlocked = await env.GEO_CACHE.get(`fraud_block:ip:${ip}`);
+      if (ipBlocked) {
+        return { allowed: false, score: 100, reasons: ['ip_blocklisted'], action: 'dropped' };
+      }
+    }
+    if (env.GEO_CACHE && fingerprint) {
+      const fpBlocked = await env.GEO_CACHE.get(`fraud_block:fp:${fingerprint}`);
+      if (fpBlocked) {
+        return { allowed: false, score: 100, reasons: ['fingerprint_blocklisted'], action: 'dropped' };
+      }
+    }
+
+    // 2. Bot score (já calculado pelo Worker)
+    if (botScore >= 3) { result.score += 60; result.reasons.push('bot_score_high'); }
+    else if (botScore === 2) { result.score += 30; result.reasons.push('bot_score_medium'); }
+
+    // 3. User-Agent suspeito
+    if (/headless|phantomjs|selenium|webdriver|curl|python|scrapy|bot|crawler|spider/i.test(ua)) {
+      result.score += 40; result.reasons.push('suspicious_user_agent');
+    }
+
+    // 4. Datacenter IP
+    if (ip && DATACENTER_PATTERNS.test(asn)) {
+      result.score += 35; result.reasons.push('datacenter_ip');
+    }
+
+    // 5. Sem Accept-Language (bots raramente enviam)
+    if (!acceptLang) {
+      result.score += 20; result.reasons.push('no_accept_language');
+    }
+
+    // 6. Email descartável
+    if (email) {
+      const domain = email.split('@')[1]?.toLowerCase();
+      if (domain && DISPOSABLE_EMAIL_DOMAINS.has(domain)) {
+        result.score += 25; result.reasons.push('disposable_email');
+      }
+    }
+
+    // 7. Velocity check via KV
+    if (env.GEO_CACHE && ip) {
+      const velKey1h = `fraud_velocity:${ip}:h`;
+      const velStr   = await env.GEO_CACHE.get(velKey1h);
+      const vel1h    = parseInt(velStr || '0') + 1;
+
+      // Atualizar contador (TTL: 3600s = 1h)
+      await env.GEO_CACHE.put(velKey1h, String(vel1h), { expirationTtl: 3600 });
+
+      if (vel1h > 20) { result.score += 50; result.reasons.push('ip_velocity_very_high'); }
+      else if (vel1h > 10) { result.score += 25; result.reasons.push('ip_velocity_high'); }
+    }
+
+    result.score = Math.min(100, result.score);
+
+    // 8. Decisão final
+    if (result.score >= 80) {
+      result.allowed = false;
+      result.action  = 'dropped';
+    } else if (result.score >= 40) {
+      result.action = 'flagged';
+      // Ainda permite o evento, mas loga como suspeito
+    }
+
+    return result;
+
+  } catch (err) {
+    console.error('[Fraud] checkFraudGate error:', err.message);
+    return { allowed: true, score: 0, reasons: ['gate_error_fallback'], action: 'allowed' };
+  }
+}
+
+// ── logFraudSignal — persiste no D1 em background via ctx.waitUntil ───────────
+async function logFraudSignal(env, request, payload, fraudResult) {
+  if (!env.DB || fraudResult.action === 'allowed') return; // só loga suspeitos/dropped
+  try {
+    const ip          = request.headers.get('CF-Connecting-IP') || '';
+    const ua          = request.headers.get('User-Agent')        || '';
+    const fingerprint = payload.fingerprint                       || '';
+    const botScore    = parseInt(payload.botScore || payload.bot_score || 0);
+    const asn         = String(request.cf?.asOrganization || '');
+    const country     = (request.cf?.country              || '');
+    const velKey1h    = `fraud_velocity:${ip}:h`;
+    const vel1h       = env.GEO_CACHE ? parseInt(await env.GEO_CACHE.get(velKey1h) || '0') : 0;
+
+    let emailHash = null;
+    if (payload.email) {
+      try { emailHash = await sha256(payload.email.trim().toLowerCase()); } catch {}
+    }
+
+    await env.DB.prepare(`
+      INSERT INTO fraud_signals (
+        ip_address, fingerprint, user_id, email_hash, event_name, event_id,
+        fraud_score, action_taken, reasons,
+        ip_country, ip_asn, user_agent, bot_score, velocity_1h, detected_at
+      ) VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,datetime('now'))
+    `).bind(
+      ip, fingerprint || null, payload.userId || null, emailHash,
+      payload.eventName || null, payload.eventId || null,
+      fraudResult.score, fraudResult.action, JSON.stringify(fraudResult.reasons),
+      country, asn, ua.substring(0, 255), botScore, vel1h,
+    ).run();
+
+    // Se dropped com score alto → criar/atualizar fraud_alert para este IP
+    if (fraudResult.action === 'dropped' && ip) {
+      await env.DB.prepare(`
+        INSERT INTO fraud_alerts (alert_type, entity_type, entity_value, events_total, events_dropped, peak_score, first_seen, last_seen, top_reasons)
+        VALUES ('ip_attack', 'ip', ?, 1, 1, ?, datetime('now'), datetime('now'), ?)
+        ON CONFLICT(entity_type, entity_value) DO UPDATE SET
+          events_total   = events_total + 1,
+          events_dropped = events_dropped + 1,
+          peak_score     = MAX(peak_score, excluded.peak_score),
+          last_seen      = datetime('now'),
+          updated_at     = datetime('now')
+      `).bind(ip, fraudResult.score, JSON.stringify(fraudResult.reasons)).run().catch(() => {
+        // Pode falhar se ON CONFLICT não funcionar (schema sem UNIQUE) — silent
+      });
+    }
+  } catch (err) {
+    console.error('[Fraud] logFraudSignal error:', err.message);
+  }
+}
+
+// ── handleFraudAlerts — GET /api/fraud/alerts ─────────────────────────────────
+async function handleFraudAlerts(env, request, headers) {
+  if (!env.DB) return new Response(JSON.stringify({ error: 'DB não configurado' }), { status: 503, headers });
+
+  const url    = new URL(request.url);
+  const action = url.searchParams.get('action') || null; // 'dropped','flagged'
+  const hours  = parseInt(url.searchParams.get('hours') || '24');
+  const limit  = Math.min(parseInt(url.searchParams.get('limit') || '50'), 200);
+
+  try {
+    const cond     = action ? 'AND action_taken = ?' : '';
+    const bindings = action ? [hours, action, limit] : [hours, limit];
+
+    const result = await env.DB.prepare(`
+      SELECT ip_address, fingerprint, event_name, fraud_score, action_taken,
+             reasons, ip_country, ip_asn, bot_score, velocity_1h, detected_at
+      FROM fraud_signals
+      WHERE detected_at >= datetime('now', '-' || ? || ' hours')
+        ${cond}
+      ORDER BY fraud_score DESC, detected_at DESC
+      LIMIT ?
+    `).bind(...bindings).all();
+
+    const signals = (result.results || []).map(s => ({
+      ...s,
+      reasons: tryParseJson(s.reasons, []),
+    }));
+
+    // Stats rápidas
+    const stats = await env.DB.prepare(`SELECT * FROM v_fraud_dashboard`).first().catch(() => null);
+
+    return new Response(JSON.stringify({
+      success:  true,
+      period_hours: hours,
+      total:    signals.length,
+      stats,
+      alerts:   signals,
+    }), { status: 200, headers });
+
+  } catch (err) {
+    console.error('[Fraud] alerts error:', err.message);
+    return new Response(JSON.stringify({ error: err.message }), { status: 500, headers });
+  }
+}
+
+// ── handleFraudBlocklist — GET /api/fraud/blocklist ──────────────────────────
+async function handleFraudBlocklist(env, request, headers) {
+  if (!env.DB) return new Response(JSON.stringify({ error: 'DB não configurado' }), { status: 503, headers });
+
+  try {
+    const result = await env.DB.prepare(`
+      SELECT entity_type, entity_value, events_total, events_dropped,
+             peak_score, first_seen, last_seen, blocked_at, block_expires, top_reasons
+      FROM fraud_alerts
+      WHERE is_blocked = 1
+      ORDER BY events_dropped DESC
+      LIMIT 100
+    `).all();
+
+    const blocklist = (result.results || []).map(r => ({
+      ...r,
+      top_reasons: tryParseJson(r.top_reasons, []),
+    }));
+
+    return new Response(JSON.stringify({
+      success:   true,
+      total:     blocklist.length,
+      blocklist,
+    }), { status: 200, headers });
+
+  } catch (err) {
+    console.error('[Fraud] blocklist error:', err.message);
+    return new Response(JSON.stringify({ error: err.message }), { status: 500, headers });
+  }
+}
+
+// ── handleFraudBlocklistAdd — POST /api/fraud/blocklist/add ──────────────────
+async function handleFraudBlocklistAdd(env, request, headers) {
+  if (!env.DB) return new Response(JSON.stringify({ error: 'DB não configurado' }), { status: 503, headers });
+
+  let body;
+  try { body = await request.json(); }
+  catch { return new Response(JSON.stringify({ error: 'JSON inválido' }), { status: 400, headers }); }
+
+  const { entity_type, entity_value, ttl_hours = 24, reason = 'manual_block' } = body;
+  if (!entity_type || !entity_value) {
+    return new Response(JSON.stringify({ error: 'entity_type (ip|fingerprint) e entity_value são obrigatórios' }), { status: 400, headers });
+  }
+  if (!['ip', 'fingerprint'].includes(entity_type)) {
+    return new Response(JSON.stringify({ error: 'entity_type deve ser: ip ou fingerprint' }), { status: 400, headers });
+  }
+
+  try {
+    const kvKey    = `fraud_block:${entity_type}:${entity_value}`;
+    const ttlSec   = Math.min(ttl_hours * 3600, 7 * 24 * 3600); // max 7 dias
+    const expiresAt = new Date(Date.now() + ttlSec * 1000).toISOString();
+
+    // Adicionar no KV (checagem instantânea em /track)
+    if (env.GEO_CACHE) {
+      await env.GEO_CACHE.put(kvKey, JSON.stringify({ reason, blocked_at: new Date().toISOString() }), { expirationTtl: ttlSec });
+    }
+
+    // Registrar no D1 para auditoria
+    await env.DB.prepare(`
+      INSERT INTO fraud_alerts (alert_type, entity_type, entity_value, events_total, events_dropped, peak_score, first_seen, last_seen, is_blocked, blocked_at, block_expires, top_reasons)
+      VALUES ('manual', ?, ?, 0, 0, 100, datetime('now'), datetime('now'), 1, datetime('now'), ?, ?)
+      ON CONFLICT DO UPDATE SET is_blocked = 1, blocked_at = datetime('now'), block_expires = excluded.block_expires, updated_at = datetime('now')
+    `).bind(entity_type, entity_value, expiresAt, JSON.stringify([reason])).run().catch(() => {
+      // fallback se não tiver UNIQUE constraint na fraud_alerts
+    });
+
+    return new Response(JSON.stringify({
+      success:      true,
+      entity_type,
+      entity_value,
+      kv_key:       kvKey,
+      ttl_hours,
+      expires_at:   expiresAt,
+      message:      `${entity_type} '${entity_value}' bloqueado por ${ttl_hours}h. Efeito imediato via KV.`,
+    }), { status: 200, headers });
+
+  } catch (err) {
+    console.error('[Fraud] blocklist add error:', err.message);
+    return new Response(JSON.stringify({ error: err.message }), { status: 500, headers });
+  }
+}
+
+// ── handleFraudBlocklistRemove — DELETE /api/fraud/blocklist/remove ──────────
+async function handleFraudBlocklistRemove(env, request, headers) {
+  if (!env.DB) return new Response(JSON.stringify({ error: 'DB não configurado' }), { status: 503, headers });
+
+  let body;
+  try { body = await request.json(); }
+  catch { return new Response(JSON.stringify({ error: 'JSON inválido' }), { status: 400, headers }); }
+
+  const { entity_type, entity_value } = body;
+  if (!entity_type || !entity_value) {
+    return new Response(JSON.stringify({ error: 'entity_type e entity_value são obrigatórios' }), { status: 400, headers });
+  }
+
+  try {
+    const kvKey = `fraud_block:${entity_type}:${entity_value}`;
+    if (env.GEO_CACHE) await env.GEO_CACHE.delete(kvKey);
+
+    await env.DB.prepare(
+      `UPDATE fraud_alerts SET is_blocked = 0, resolved_at = datetime('now'), resolved_by = 'manual' WHERE entity_type = ? AND entity_value = ?`
+    ).bind(entity_type, entity_value).run();
+
+    return new Response(JSON.stringify({
+      success:      true,
+      entity_type,
+      entity_value,
+      message:      `${entity_type} '${entity_value}' removido do blocklist. Efeito imediato via KV.`,
+    }), { status: 200, headers });
+
+  } catch (err) {
+    console.error('[Fraud] blocklist remove error:', err.message);
+    return new Response(JSON.stringify({ error: err.message }), { status: 500, headers });
+  }
+}
+
+// ── handleFraudStats — GET /api/fraud/stats ───────────────────────────────────
+async function handleFraudStats(env, request, headers) {
+  if (!env.DB) return new Response(JSON.stringify({ error: 'DB não configurado' }), { status: 503, headers });
+
+  try {
+    const dashboard = await env.DB.prepare(`SELECT * FROM v_fraud_dashboard`).first();
+    const topIps    = await env.DB.prepare(`
+      SELECT ip_address, COUNT(*) as events, MAX(fraud_score) as peak_score
+      FROM fraud_signals
+      WHERE detected_at >= datetime('now', '-24 hours') AND action_taken = 'dropped'
+      GROUP BY ip_address ORDER BY events DESC LIMIT 10
+    `).all();
+    const topReasons = await env.DB.prepare(`
+      SELECT action_taken, COUNT(*) as count FROM fraud_signals
+      WHERE detected_at >= datetime('now', '-24 hours')
+      GROUP BY action_taken
+    `).all();
+
+    return new Response(JSON.stringify({
+      success:       true,
+      period:        '24h',
+      dashboard,
+      top_attacking_ips: topIps.results || [],
+      by_action:     topReasons.results || [],
+    }), { status: 200, headers });
+
+  } catch (err) {
+    console.error('[Fraud] stats error:', err.message);
+    return new Response(JSON.stringify({ error: err.message }), { status: 500, headers });
+  }
+}
+
+// ─────────────────────────────────────────────────────────────────────────────
+// A/B TESTING DE PROMPTS LTV — Fase 3 Enterprise-Level
+// ─────────────────────────────────────────────────────────────────────────────
+
+// Cache key para o teste ativo (KV — evita hit no D1 a cada request /track)
+const AB_LTV_CACHE_KEY = 'ab_ltv_active_test';
+
+// ── getLtvAbVariation — busca e sorteia variação do teste ativo ─────────────
+// Retorna null se não há teste ativo ou DB/KV indisponíveis
+async function getLtvAbVariation(env) {
+  if (!env.DB) return null;
+
+  try {
+    // 1. Tentar cache KV (TTL: 5 min)
+    let testData = null;
+    if (env.GEO_CACHE) {
+      const cached = await env.GEO_CACHE.get(AB_LTV_CACHE_KEY, 'json');
+      if (cached) testData = cached;
+    }
+
+    // 2. Cache miss ou KV indisponível → buscar do D1
+    if (!testData) {
+      const test = await env.DB.prepare(`
+        SELECT t.id AS test_id, v.id AS variation_id,
+               v.name, v.system_prompt, v.weight, v.is_control
+        FROM ltv_ab_tests t
+        JOIN ltv_ab_variations v ON v.test_id = t.id
+        WHERE t.status = 'running'
+        ORDER BY t.id DESC
+      `).all();
+
+      if (!test.results || test.results.length === 0) {
+        // Sem teste ativo — cachear null por 5 min para não bater no D1
+        if (env.GEO_CACHE) {
+          await env.GEO_CACHE.put(AB_LTV_CACHE_KEY, JSON.stringify(null), { expirationTtl: 300 });
+        }
+        return null;
+      }
+
+      testData = test.results;
+      if (env.GEO_CACHE) {
+        await env.GEO_CACHE.put(AB_LTV_CACHE_KEY, JSON.stringify(testData), { expirationTtl: 300 });
+      }
+    }
+
+    if (!testData || testData.length === 0) return null;
+
+    // 3. Sortear variação por peso ponderado
+    const totalWeight = testData.reduce((s, v) => s + (v.weight || 0.5), 0);
+    let rand = Math.random() * totalWeight;
+    for (const variation of testData) {
+      rand -= (variation.weight || 0.5);
+      if (rand <= 0) return variation;
+    }
+    return testData[testData.length - 1];
+
+  } catch (err) {
+    console.error('[AB-LTV] getLtvAbVariation error:', err.message);
+    return null; // graceful fallback — nunca quebra o fluxo principal
+  }
+}
+
+// ── recordAbAssignment — registra a variação usada para um lead ──────────────
+// Executado via ctx.waitUntil — não bloqueia o /track
+async function recordAbAssignment(env, userId, variationId, testId, predictedLtv, predictedClass, emailHash) {
+  if (!env.DB) return;
+  try {
+    await env.DB.prepare(`
+      INSERT INTO ltv_ab_assignments
+        (test_id, variation_id, user_id, email_hash, predicted_ltv, predicted_class, assigned_at)
+      VALUES (?, ?, ?, ?, ?, ?, datetime('now'))
+    `).bind(testId, variationId, userId, emailHash || null, predictedLtv || null, predictedClass || null).run();
+
+    // Incrementar contador na variação
+    await env.DB.prepare(
+      `UPDATE ltv_ab_variations SET total_assigned = total_assigned + 1 WHERE id = ?`
+    ).bind(variationId).run();
+  } catch (err) {
+    console.error('[AB-LTV] recordAbAssignment error:', err.message);
+  }
+}
+
+// ── handleLtvAbTestCreate — POST /api/ltv/ab-test/create ─────────────────────
+async function handleLtvAbTestCreate(env, request, headers) {
+  if (!env.DB) return new Response(JSON.stringify({ error: 'DB não configurado' }), { status: 503, headers });
+
+  let body;
+  try { body = await request.json(); }
+  catch { return new Response(JSON.stringify({ error: 'JSON inválido no body' }), { status: 400, headers }); }
+
+  const { name, description, min_sample = 100, variations } = body;
+
+  if (!name) return new Response(JSON.stringify({ error: 'name é obrigatório' }), { status: 400, headers });
+  if (!Array.isArray(variations) || variations.length < 2) {
+    return new Response(JSON.stringify({ error: 'Mínimo 2 variações são necessárias' }), { status: 400, headers });
+  }
+
+  // Verificar se há teste em andamento
+  const running = await env.DB.prepare(`SELECT id FROM ltv_ab_tests WHERE status = 'running' LIMIT 1`).first();
+  if (running) {
+    return new Response(JSON.stringify({
+      error: 'Já existe um teste em andamento. Pause ou conclua o teste atual antes de criar um novo.',
+      running_test_id: running.id,
+    }), { status: 409, headers });
+  }
+
+  try {
+    const now = new Date().toISOString();
+
+    // Validar que pesos somam aproximadamente 1.0
+    const totalWeight = variations.reduce((s, v) => s + (v.weight || 0.5), 0);
+    if (Math.abs(totalWeight - 1.0) > 0.05) {
+      return new Response(JSON.stringify({
+        error: `A soma dos weights deve ser 1.0. Recebido: ${totalWeight.toFixed(3)}`,
+      }), { status: 400, headers });
+    }
+
+    const hasControl = variations.some(v => v.is_control);
+    if (!hasControl) {
+      return new Response(JSON.stringify({ error: 'Pelo menos uma variação deve ter is_control: true (baseline)' }), { status: 400, headers });
+    }
+
+    // Criar teste
+    const testRes = await env.DB.prepare(`
+      INSERT INTO ltv_ab_tests (name, description, status, min_sample, created_at)
+      VALUES (?, ?, 'running', ?, ?)
+    `).bind(name, description || null, min_sample, now).run();
+
+    const testId = testRes.meta?.last_row_id;
+    if (!testId) throw new Error('Falha ao criar o teste no D1');
+
+    // Criar variações
+    const createdVariations = [];
+    for (const v of variations) {
+      const vRes = await env.DB.prepare(`
+        INSERT INTO ltv_ab_variations (test_id, name, system_prompt, weight, is_control, created_at)
+        VALUES (?, ?, ?, ?, ?, ?)
+      `).bind(testId, v.name, v.system_prompt, v.weight || 0.5, v.is_control ? 1 : 0, now).run();
+      createdVariations.push({ id: vRes.meta?.last_row_id, name: v.name, weight: v.weight, is_control: !!v.is_control });
+    }
+
+    // Invalidar cache KV
+    if (env.GEO_CACHE) await env.GEO_CACHE.delete(AB_LTV_CACHE_KEY);
+
+    return new Response(JSON.stringify({
+      success:         true,
+      test_id:         testId,
+      name,
+      status:          'running',
+      min_sample,
+      variations:      createdVariations,
+      started_at:      now,
+    }), { status: 201, headers });
+
+  } catch (err) {
+    console.error('[AB-LTV] create error:', err.message);
+    return new Response(JSON.stringify({ error: err.message }), { status: 500, headers });
+  }
+}
+
+// ── handleLtvAbTestList — GET /api/ltv/ab-test/list ──────────────────────────
+async function handleLtvAbTestList(env, request, headers) {
+  if (!env.DB) return new Response(JSON.stringify({ error: 'DB não configurado' }), { status: 503, headers });
+
+  const url    = new URL(request.url);
+  const status = url.searchParams.get('status') || null;
+  const limit  = Math.min(parseInt(url.searchParams.get('limit') || '20'), 50);
+
+  try {
+    const cond     = status ? 'WHERE t.status = ?' : '';
+    const bindings = status ? [status, limit] : [limit];
+
+    const tests = await env.DB.prepare(`
+      SELECT t.id, t.name, t.description, t.status, t.winner_id,
+             t.started_at, t.completed_at, t.created_at, t.min_sample,
+             COUNT(DISTINCT v.id) AS variation_count,
+             SUM(v.total_assigned) AS total_assigned
+      FROM ltv_ab_tests t
+      LEFT JOIN ltv_ab_variations v ON v.test_id = t.id
+      ${cond}
+      GROUP BY t.id
+      ORDER BY t.created_at DESC
+      LIMIT ?
+    `).bind(...bindings).all();
+
+    return new Response(JSON.stringify({
+      success: true,
+      total:   (tests.results || []).length,
+      tests:   tests.results || [],
+    }), { status: 200, headers });
+
+  } catch (err) {
+    console.error('[AB-LTV] list error:', err.message);
+    return new Response(JSON.stringify({ error: err.message }), { status: 500, headers });
+  }
+}
+
+// ── handleLtvAbTestResults — GET /api/ltv/ab-test/results ────────────────────
+async function handleLtvAbTestResults(env, request, headers) {
+  if (!env.DB) return new Response(JSON.stringify({ error: 'DB não configurado' }), { status: 503, headers });
+
+  const url    = new URL(request.url);
+  const testId = url.searchParams.get('test_id') || null;
+
+  try {
+    const cond     = testId ? 'WHERE test_id = ?' : 'WHERE status = \'running\'';
+    const testBind = testId ? [parseInt(testId)] : [];
+
+    const testRes = await env.DB.prepare(`
+      SELECT id, name, status, min_sample, winner_id, started_at FROM ltv_ab_tests ${cond} LIMIT 1
+    `).bind(...testBind).first();
+
+    if (!testRes) {
+      return new Response(JSON.stringify({ error: 'Nenhum teste encontrado' }), { status: 404, headers });
+    }
+
+    const perf = await env.DB.prepare(`
+      SELECT * FROM v_ab_test_performance WHERE test_id = ?
+    `).bind(testRes.id).all();
+
+    const variations = perf.results || [];
+    const ready      = variations.every(v => (v.total_assigned || 0) >= testRes.min_sample);
+    let recommendation = null;
+
+    if (ready && variations.length > 0) {
+      const best = variations.reduce((a, b) =>
+        (b.accuracy_score || 0) > (a.accuracy_score || 0) ? b : a
+      );
+      const control = variations.find(v => v.is_control);
+      const improvement = control
+        ? ((best.accuracy_score || 0) - (control.accuracy_score || 0)) * 100
+        : null;
+      recommendation = {
+        winner_variation_id:   best.variation_id,
+        winner_variation_name: best.variation_name,
+        accuracy_score:        best.accuracy_score,
+        improvement_vs_control: improvement ? `+${improvement.toFixed(1)}%` : null,
+        ready_to_declare:       true,
+      };
+    }
+
+    return new Response(JSON.stringify({
+      success: true,
+      test: {
+        id:          testRes.id,
+        name:        testRes.name,
+        status:      testRes.status,
+        min_sample:  testRes.min_sample,
+        started_at:  testRes.started_at,
+        is_ready:    ready,
+      },
+      variations,
+      recommendation,
+    }), { status: 200, headers });
+
+  } catch (err) {
+    console.error('[AB-LTV] results error:', err.message);
+    return new Response(JSON.stringify({ error: err.message }), { status: 500, headers });
+  }
+}
+
+// ── handleLtvAbTestWinner — POST /api/ltv/ab-test/winner ─────────────────────
+async function handleLtvAbTestWinner(env, request, headers) {
+  if (!env.DB) return new Response(JSON.stringify({ error: 'DB não configurado' }), { status: 503, headers });
+
+  let body;
+  try { body = await request.json(); }
+  catch { return new Response(JSON.stringify({ error: 'JSON inválido' }), { status: 400, headers }); }
+
+  const { test_id, variation_id } = body;
+  if (!test_id || !variation_id) {
+    return new Response(JSON.stringify({ error: 'test_id e variation_id são obrigatórios' }), { status: 400, headers });
+  }
+
+  try {
+    const variation = await env.DB.prepare(
+      `SELECT id, name, system_prompt, is_control FROM ltv_ab_variations WHERE id = ? AND test_id = ?`
+    ).bind(variation_id, test_id).first();
+
+    if (!variation) {
+      return new Response(JSON.stringify({ error: 'Variação não encontrada para este teste' }), { status: 404, headers });
+    }
+
+    // Marcar winner e concluir o teste
+    await env.DB.prepare(
+      `UPDATE ltv_ab_tests SET winner_id = ?, status = 'completed', completed_at = datetime('now') WHERE id = ?`
+    ).bind(variation_id, test_id).run();
+
+    // Invalidar cache KV (não há mais teste ativo)
+    if (env.GEO_CACHE) await env.GEO_CACHE.delete(AB_LTV_CACHE_KEY);
+
+    return new Response(JSON.stringify({
+      success:             true,
+      test_id,
+      winner_variation_id: variation_id,
+      winner_name:         variation.name,
+      is_control:          variation.is_control === 1,
+      winning_prompt:      variation.system_prompt,
+      message:             variation.is_control === 1
+        ? 'O prompt original (controle) venceu. Nenhuma alteração necessária.'
+        : 'Novo prompt vencedor identificado. Copie o campo winning_prompt e aplique ao predictLtv() como novo default.',
+    }), { status: 200, headers });
+
+  } catch (err) {
+    console.error('[AB-LTV] winner error:', err.message);
+    return new Response(JSON.stringify({ error: err.message }), { status: 500, headers });
+  }
+}
+
+// ─────────────────────────────────────────────────────────────────────────────
+// BIDDING RECOMMENDATIONS — Handlers das Rotas de Otimização de Bids
+// ─────────────────────────────────────────────────────────────────────────────
+
+// Fatores de plataforma (conservadores por design — usuário escala gradualmente)
+const PLATFORM_FACTORS = { meta: 0.85, google: 0.90, tiktok: 0.75 };
+
+// Multiplicadores por tier de segmento (baseado em avg_ltv_class + avg_behavior_score)
+function getSegmentMultiplier(avgLtvClass, avgBehaviorScore) {
+  const ltv  = parseFloat(avgLtvClass    || 0);
+  const eng  = parseFloat(avgBehaviorScore || 0);
+  if (ltv >= 0.7 && eng >= 0.7)  return 1.4;  // Alto Valor + Alto Engajamento
+  if (ltv >= 0.7 && eng >= 0.4)  return 1.2;  // Alto Valor + Médio Engajamento
+  if (ltv >= 0.4 && eng >= 0.7)  return 1.0;  // Médio Valor + Alto Engajamento
+  if (ltv >= 0.4 && eng >= 0.4)  return 0.8;  // Médio Valor + Médio Engajamento
+  return 0.6;                                   // Baixo Valor ou Baixo Engajamento
+}
+
+// Ajuste de confiança baseado em volume de conversões
+function getConfidenceAdjustment(confidence) {
+  if (confidence >= 0.7) return 1.00;
+  if (confidence >= 0.4) return 0.85;
+  return 0.70;
+}
+
+// ── POST /api/bidding/recommend ───────────────────────────────────────────────
+// Gera recomendações de bid para uma plataforma e vertical
+// Requer binding: DB (AI é opcional — usa fórmula determinística se indisponível)
+async function handleBiddingRecommend(env, request, headers) {
+  if (!env.DB) return new Response(JSON.stringify({ error: 'DB não configurado' }), { status: 503, headers });
+
+  let body;
+  try { body = await request.json(); }
+  catch { return new Response(JSON.stringify({ error: 'JSON inválido no body' }), { status: 400, headers }); }
+
+  const {
+    vertical    = 'geral',
+    platform    = 'meta',
+    target_roi  = 3.5,
+    period_days = 30,
+    campaign_id = null,
+    budget      = null,
+  } = body;
+
+  const platforms = platform === 'all'
+    ? Object.keys(PLATFORM_FACTORS)
+    : [platform].filter(p => PLATFORM_FACTORS[p]);
+
+  if (platforms.length === 0) {
+    return new Response(JSON.stringify({ error: 'platform deve ser: meta, google, tiktok ou all' }), { status: 400, headers });
+  }
+  if (target_roi < 1 || target_roi > 20) {
+    return new Response(JSON.stringify({ error: 'target_roi deve estar entre 1 e 20' }), { status: 400, headers });
+  }
+
+  try {
+    // 1. Checar se há segmentos ML ativos (com dados de LTV real)
+    const segmentsRes = await env.DB.prepare(`
+      SELECT
+        ms.id        AS segment_id,
+        ms.cluster_name,
+        ms.avg_ltv_class,
+        ms.avg_behavior_score,
+        ms.avg_engagement_score,
+        ms.silhouette_score,
+        COUNT(msm.id)    AS member_count,
+        AVG(l.predicted_ltv) AS real_avg_ltv,
+        SUM(CASE WHEN l.event_name IN ('Purchase','CompletePayment') THEN 1 ELSE 0 END) AS conversions
+      FROM ml_segments ms
+      LEFT JOIN ml_segment_members msm ON msm.cluster_id = ms.id
+      LEFT JOIN leads l ON CAST(msm.lead_id AS INTEGER) = l.id
+        AND l.created_at >= datetime('now', '-' || ? || ' days')
+      WHERE ms.is_active = 1
+        AND ms.client_vertical IN (?, 'general')
+      GROUP BY ms.id
+      HAVING member_count > 0
+      ORDER BY real_avg_ltv DESC
+      LIMIT 10
+    `).bind(period_days, vertical).all();
+
+    const segments = segmentsRes.results || [];
+
+    // 2. Fallback se não houver segmentos: usar LTV global dos leads
+    let globalLtv = 0, globalLeads = 0, globalConversions = 0;
+    if (segments.length === 0) {
+      const globalRes = await env.DB.prepare(`
+        SELECT
+          COUNT(*) AS total_leads,
+          AVG(predicted_ltv) AS avg_ltv,
+          SUM(CASE WHEN event_name IN ('Purchase','CompletePayment') THEN 1 ELSE 0 END) AS conversions
+        FROM leads
+        WHERE created_at >= datetime('now', '-' || ? || ' days')
+          AND (bot_score IS NULL OR bot_score < 2)
+      `).bind(period_days).first();
+
+      globalLeads       = globalRes?.total_leads  || 0;
+      globalLtv         = globalRes?.avg_ltv       || 0;
+      globalConversions = globalRes?.conversions    || 0;
+
+      if (globalLeads < 10) {
+        return new Response(JSON.stringify({
+          error:   `Dados insuficientes. Apenas ${globalLeads} leads no período de ${period_days} dias. Mínimo: 10.`,
+          leads_found:  globalLeads,
+          required: 10,
+        }), { status: 400, headers });
+      }
+    }
+
+    // 3. Gerar recomendações por plataforma × segmento
+    const now = new Date().toISOString();
+    const recommendations = [];
+
+    const targetSegments = segments.length > 0
+      ? segments
+      : [{ segment_id: null, cluster_name: 'Global (sem segmentação)', avg_ltv_class: 0.5, avg_behavior_score: 0.5, avg_engagement_score: 0.5, member_count: globalLeads, real_avg_ltv: globalLtv, conversions: globalConversions }];
+
+    for (const seg of targetSegments) {
+      const avgLtv     = parseFloat(seg.real_avg_ltv || 0);
+      const convs      = parseInt(seg.conversions || 0);
+      const confidence = Math.min(1, convs / 100);
+
+      // Sem LTV real? Usar LTV estimado pela classe do segmento
+      const estimatedLtv = avgLtv > 0 ? avgLtv :
+        seg.avg_ltv_class >= 0.7 ? 497 :
+        seg.avg_ltv_class >= 0.4 ? 297 : 97;
+
+      const cpaTarget    = estimatedLtv / target_roi;
+      const segMult      = getSegmentMultiplier(seg.avg_ltv_class, seg.avg_behavior_score);
+      const confAdj      = getConfidenceAdjustment(confidence);
+
+      const alertMsg = convs < 30
+        ? `Atenção: apenas ${convs} conversões no período. Bid baseado em estimativa de LTV — aplique com cautela.`
+        : null;
+
+      for (const plat of platforms) {
+        const platFactor   = PLATFORM_FACTORS[plat];
+        const recommendedBid = Math.max(5, cpaTarget * platFactor * segMult * confAdj);
+        const expectedRoi    = estimatedLtv / (recommendedBid / platFactor);
+
+        // Guardar no D1 em background
+        const reasoning = `Segmento "${seg.cluster_name}": LTV=${estimatedLtv.toFixed(0)} BRL, ` +
+          `CPA_alvo=${cpaTarget.toFixed(0)} BRL, fator_plataforma=${platFactor}, ` +
+          `mult_segmento=${segMult}, ajuste_confiança=${confAdj}, ` +
+          `base: ${convs} conversões em ${period_days} dias.`;
+
+        try {
+          await env.DB.prepare(`
+            INSERT INTO bid_recommendations (
+              generated_at, vertical, platform, period_days, target_roi,
+              segment_id, segment_name, leads_analyzed, conversions_found,
+              avg_ltv, cpa_target, recommended_bid, bid_currency,
+              confidence, expected_roi, reasoning, ai_used, alert_message,
+              platform_factor, confidence_adjustment, segment_multiplier, is_active
+            ) VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0,?,?,?,?,1)
+          `).bind(
+            now, vertical, plat, period_days, target_roi,
+            seg.segment_id || null, seg.cluster_name,
+            seg.member_count || globalLeads, convs,
+            estimatedLtv, cpaTarget, recommendedBid, 'BRL',
+            confidence, expectedRoi, reasoning, alertMsg || null,
+            platFactor, confAdj, segMult,
+          ).run();
+        } catch (e) { console.error('[Bidding] D1 insert error:', e.message); }
+
+        recommendations.push({
+          platform:        plat,
+          segment:         seg.cluster_name,
+          segment_id:      seg.segment_id || null,
+          avg_ltv:         Math.round(estimatedLtv * 100) / 100,
+          avg_ltv_class:   seg.avg_ltv_class >= 0.7 ? 'High' : seg.avg_ltv_class >= 0.4 ? 'Medium' : 'Low',
+          cpa_target:      Math.round(cpaTarget * 100) / 100,
+          recommended_bid: Math.round(recommendedBid * 100) / 100,
+          bid_currency:    'BRL',
+          confidence:      Math.round(confidence * 100) / 100,
+          expected_roi:    Math.round(expectedRoi * 100) / 100,
+          reasoning,
+          alert:           alertMsg,
+        });
+      }
+    }
+
+    // Desativar recomendações anteriores da mesma vertical/plataforma
+    await env.DB.prepare(
+      `UPDATE bid_recommendations SET is_active = 0 WHERE vertical = ? AND generated_at < ? AND is_active = 1`
+    ).bind(vertical, now).run().catch(() => {});
+
+    const avgConfidence = recommendations.length > 0
+      ? recommendations.reduce((s, r) => s + r.confidence, 0) / recommendations.length
+      : 0;
+
+    return new Response(JSON.stringify({
+      success:      true,
+      generated_at: now,
+      vertical,
+      period_days,
+      target_roi,
+      data_quality: {
+        leads_analyzed:    targetSegments.reduce((s, sg) => s + (sg.member_count || 0), 0),
+        conversions_found: targetSegments.reduce((s, sg) => s + (sg.conversions || 0), 0),
+        segments_active:   segments.length,
+        confidence:        Math.round(avgConfidence * 100) / 100,
+      },
+      recommendations,
+      global_summary: {
+        total_recommendations:  recommendations.length,
+        avg_confidence:         Math.round(avgConfidence * 100) / 100,
+        expected_cost_reduction: avgConfidence >= 0.7 ? '-20%' : avgConfidence >= 0.4 ? '-10%' : 'indefinido (dados insuficientes)',
+        segments_analyzed:       segments.length,
+      },
+    }), { status: 200, headers });
+
+  } catch (err) {
+    console.error('[Bidding] recommend error:', err.message);
+    return new Response(JSON.stringify({ error: 'Erro ao gerar recomendações', message: err.message }), { status: 500, headers });
+  }
+}
+
+// ── GET /api/bidding/history ──────────────────────────────────────────────────
+// Retorna histórico de recomendações de bids geradas
+async function handleBiddingHistory(env, request, headers) {
+  if (!env.DB) return new Response(JSON.stringify({ error: 'DB não configurado' }), { status: 503, headers });
+
+  const url      = new URL(request.url);
+  const vertical = url.searchParams.get('vertical') || null;
+  const platform = url.searchParams.get('platform') || null;
+  const limit    = Math.min(parseInt(url.searchParams.get('limit') || '20'), 100);
+
+  try {
+    const conditions = [];
+    const bindings   = [];
+
+    if (vertical) { conditions.push('vertical = ?');  bindings.push(vertical); }
+    if (platform) { conditions.push('platform = ?');  bindings.push(platform); }
+
+    const where = conditions.length > 0 ? `WHERE ${conditions.join(' AND ')}` : '';
+
+    const result = await env.DB.prepare(`
+      SELECT id, generated_at, vertical, platform, period_days, target_roi,
+             segment_name, leads_analyzed, conversions_found, avg_ltv, cpa_target,
+             recommended_bid, bid_currency, confidence, expected_roi,
+             reasoning, alert_message, ai_used, is_active,
+             applied_at, applied_campaign, applied_result
+      FROM bid_recommendations
+      ${where}
+      ORDER BY generated_at DESC
+      LIMIT ?
+    `).bind(...bindings, limit).all();
+
+    const items = (result.results || []).map(r => ({
+      ...r,
+      applied_result: tryParseJson(r.applied_result, null),
+    }));
+
+    return new Response(JSON.stringify({
+      success: true,
+      total:   items.length,
+      history: items,
+    }), { status: 200, headers });
+
+  } catch (err) {
+    console.error('[Bidding] history error:', err.message);
+    return new Response(JSON.stringify({ error: err.message }), { status: 500, headers });
+  }
+}
+
+// ── GET /api/bidding/status ───────────────────────────────────────────────────
+// Status atual das recomendações ativas (última por plataforma por vertical)
+async function handleBiddingStatus(env, request, headers) {
+  if (!env.DB) return new Response(JSON.stringify({ error: 'DB não configurado' }), { status: 503, headers });
+
+  const url      = new URL(request.url);
+  const vertical = url.searchParams.get('vertical') || null;
+
+  try {
+    let query = `
+      SELECT platform, vertical, MAX(generated_at) as last_generated,
+             AVG(confidence) as avg_confidence, AVG(recommended_bid) as avg_bid,
+             COUNT(*) as recommendations_count,
+             SUM(CASE WHEN alert_message IS NOT NULL THEN 1 ELSE 0 END) as alerts_count
+      FROM bid_recommendations
+      WHERE is_active = 1
+    `;
+    const bindings = [];
+    if (vertical) { query += ' AND vertical = ?'; bindings.push(vertical); }
+    query += ' GROUP BY platform, vertical ORDER BY last_generated DESC';
+
+    const result = await env.DB.prepare(query).bind(...bindings).all();
+
+    return new Response(JSON.stringify({
+      success: true,
+      status:  result.results || [],
+    }), { status: 200, headers });
+
+  } catch (err) {
+    console.error('[Bidding] status error:', err.message);
+    return new Response(JSON.stringify({ error: err.message }), { status: 500, headers });
+  }
+}
+
 // ─────────────────────────────────────────────────────────────────────────────
 // HANDLER PRINCIPAL
 // ─────────────────────────────────────────────────────────────────────────────
@@ -2060,6 +3403,29 @@ export default {
 
     const url = new URL(request.url);
 
+    // ── Fraud Gate — Fase 4 (apenas em /track e /api) ────────────────────────
+    // Roda ANTES de qualquer processamento de evento
+    // Silent drop (200) — bots não sabem que foram detectados
+    if (url.pathname === '/track' && request.method === 'POST') {
+      let trackBodyForFraud;
+      try {
+        const cloned = request.clone();
+        trackBodyForFraud = await cloned.json().catch(() => ({}));
+      } catch { trackBodyForFraud = {}; }
+
+      const fraudResult = await checkFraudGate(env, request, trackBodyForFraud);
+      if (!fraudResult.allowed) {
+        // Log em background — não bloqueia a resposta
+        ctx.waitUntil(logFraudSignal(env, request, trackBodyForFraud, fraudResult));
+        // Silent drop: retorna 200 com payload de sucesso falso
+        return new Response(JSON.stringify({ status: 'ok', queued: true }), { status: 200, headers });
+      }
+      if (fraudResult.action === 'flagged') {
+        // Suspeito mas permitido — loga em background
+        ctx.waitUntil(logFraudSignal(env, request, trackBodyForFraud, fraudResult));
+      }
+    }
+
     // ── GET /export/customer-match — exporta leads para Google Ads (download) ──
     if (request.method === 'GET' && url.pathname === '/export/customer-match') {
       // Proteção simples por token (mesmo META_ACCESS_TOKEN ou secret dedicado)
@@ -2116,12 +3482,14 @@ export default {
 
       // Secrets obrigatórios
       const secrets = {
-        META_ACCESS_TOKEN:   env.META_ACCESS_TOKEN   ? 'set' : 'MISSING',
-        GA4_API_SECRET:      env.GA4_API_SECRET      ? 'set' : 'MISSING',
-        WA_ACCESS_TOKEN:     env.WA_ACCESS_TOKEN     ? 'set' : 'MISSING',
-        WA_NOTIFY_NUMBER:    env.WA_NOTIFY_NUMBER    ? 'set' : 'MISSING',
-        TIKTOK_ACCESS_TOKEN: env.TIKTOK_ACCESS_TOKEN ? 'set' : 'not set (optional)',
-        CALLMEBOT_PHONE:     env.CALLMEBOT_PHONE     ? 'set' : 'not set (optional)',
+        META_ACCESS_TOKEN:           env.META_ACCESS_TOKEN           ? 'set' : 'MISSING',
+        GA4_API_SECRET:              env.GA4_API_SECRET              ? 'set' : 'MISSING',
+        WA_WEBHOOK_VERIFY_TOKEN:    env.WA_WEBHOOK_VERIFY_TOKEN    ? 'set' : 'MISSING',
+        WHATSAPP_ACCESS_TOKEN:     env.WHATSAPP_ACCESS_TOKEN     ? 'set' : 'not set (optional - only for auto-reply)',
+        WHATSAPP_PHONE_NUMBER_ID: env.WHATSAPP_PHONE_NUMBER_ID ? 'set' : 'not set (optional - only for auto-reply)',
+        WA_NOTIFY_NUMBER:          env.WA_NOTIFY_NUMBER          ? 'set' : 'not set (optional - only for auto-reply)',
+        TIKTOK_ACCESS_TOKEN:       env.TIKTOK_ACCESS_TOKEN       ? 'set' : 'not set (optional)',
+        CALLMEBOT_PHONE:           env.CALLMEBOT_PHONE           ? 'set' : 'not set (optional)',
       };
 
       const hasMissing =
@@ -2227,12 +3595,14 @@ export default {
 
       const ga4Name = META_TO_GA4[eventName] || eventName.toLowerCase();
 
-      // ── LTV Prediction — eventos de topo de funil ─────────────────────────────
+      // ── LTV Prediction (+ A/B Testing de Prompts) ────────────────────────────
       // Lead, Contact, Schedule: sem valor monetário real → injetar LTV preditivo
       // Isso treina os algoritmos de Meta/TikTok a priorizar leads de alto valor
       const LTV_EVENTS = ['Lead', 'Contact', 'Schedule', 'CompleteRegistration'];
       if (LTV_EVENTS.includes(eventName) && !payload.value) {
-        const ltv = await predictLtv(env, payload, request);
+        // A/B Testing: busca variação ativa (usa KV cache — ~0ms de latência extra)
+        const abVariation = await getLtvAbVariation(env);
+        const ltv = await predictLtv(env, payload, request, abVariation?.system_prompt || null);
         payload.value           = ltv.value;
         payload.currency        = payload.currency || 'BRL';
         payload.ltvClass        = ltv.class;
@@ -2241,6 +3611,23 @@ export default {
         ctx.waitUntil(
           upsertLtvProfile(env, payload.userId, ltv)
         );
+        // Registrar assignment do A/B test em background (não bloqueia)
+        if (abVariation) {
+          const emailHash = payload.email
+            ? await sha256(payload.email.trim().toLowerCase())
+            : null;
+          ctx.waitUntil(
+            recordAbAssignment(
+              env,
+              payload.userId,
+              abVariation.variation_id,
+              abVariation.test_id,
+              ltv.value,
+              ltv.class,
+              emailHash,
+            )
+          );
+        }
       }
 
       // Cross-Device Graph — background (não bloqueia resposta)
@@ -2678,6 +4065,62 @@ export default {
       return new Response(JSON.stringify({ ok: true, ...result }), { status: 200, headers });
     }
 
+    // ── Segmentação Dinâmica ML ──────────────────────────────────────────
+    if (url.pathname === '/api/segmentation/cluster' && request.method === 'POST') {
+      return handleSegmentationCluster(env, request, headers);
+    }
+    if (url.pathname === '/api/segmentation/list' && request.method === 'GET') {
+      return handleSegmentationList(env, request, headers);
+    }
+    if (url.pathname === '/api/segmentation/outliers' && request.method === 'GET') {
+      return handleSegmentationOutliers(env, request, headers);
+    }
+    if (url.pathname === '/api/segmentation/update' && request.method === 'PUT') {
+      return handleSegmentationUpdate(env, request, headers);
+    }
+
+    // ── Bidding Recommendations ML ────────────────────────────────────────────
+    if (url.pathname === '/api/bidding/recommend' && request.method === 'POST') {
+      return handleBiddingRecommend(env, request, headers);
+    }
+    if (url.pathname === '/api/bidding/history' && request.method === 'GET') {
+      return handleBiddingHistory(env, request, headers);
+    }
+    if (url.pathname === '/api/bidding/status' && request.method === 'GET') {
+      return handleBiddingStatus(env, request, headers);
+    }
+
+    // ── A/B Testing de Prompts LTV ────────────────────────────────────────────
+    if (url.pathname === '/api/ltv/ab-test/create' && request.method === 'POST') {
+      return handleLtvAbTestCreate(env, request, headers);
+    }
+    if (url.pathname === '/api/ltv/ab-test/list' && request.method === 'GET') {
+      return handleLtvAbTestList(env, request, headers);
+    }
+    if (url.pathname === '/api/ltv/ab-test/results' && request.method === 'GET') {
+      return handleLtvAbTestResults(env, request, headers);
+    }
+    if (url.pathname === '/api/ltv/ab-test/winner' && request.method === 'POST') {
+      return handleLtvAbTestWinner(env, request, headers);
+    }
+
+    // ── Fraud Detection — Fase 4 ──────────────────────────────────────────────
+    if (url.pathname === '/api/fraud/alerts' && request.method === 'GET') {
+      return handleFraudAlerts(env, request, headers);
+    }
+    if (url.pathname === '/api/fraud/blocklist' && request.method === 'GET') {
+      return handleFraudBlocklist(env, request, headers);
+    }
+    if (url.pathname === '/api/fraud/blocklist/add' && request.method === 'POST') {
+      return handleFraudBlocklistAdd(env, request, headers);
+    }
+    if (url.pathname === '/api/fraud/blocklist/remove' && request.method === 'DELETE') {
+      return handleFraudBlocklistRemove(env, request, headers);
+    }
+    if (url.pathname === '/api/fraud/stats' && request.method === 'GET') {
+      return handleFraudStats(env, request, headers);
+    }
+
     // 404 para rotas não encontradas
     return new Response(
       JSON.stringify({ error: 'rota não encontrada' }),