cdp-edge 2.0.2 → 2.0.4

package/server-edge-tracker/index.js

@@ -0,0 +1,780 @@
+/**
+ * CDP Edge — index.js (ES Module Entry Point)
+ *
+ * Este arquivo é o novo entry point modular do Worker.
+ * Para usá-lo, altere em wrangler.toml:
+ *   main = "worker.js"   →   main = "index.js"
+ *
+ * O worker.js original permanece intacto como fallback.
+ * Todos os módulos ficam em ./modules/
+ */
+
+// ── Utilitários base ──────────────────────────────────────────────────────────
+import {
+  isAllowedOrigin,
+  corsHeaders,
+  sha256,
+  META_TO_GA4,
+  VALID_EVENT_NAMES,
+} from './modules/utils.js';
+
+// ── Banco de dados (D1) ───────────────────────────────────────────────────────
+import {
+  saveLead,
+  upsertProfile,
+  resolveDeviceGraph,
+  fireAutomation,
+  getProfileByEmail,
+  enrichGeoFromEdge,
+  writeAuditLog,
+  generateEdgeFingerprint,
+  saveEdgeFingerprint,
+  resurrectUTM,
+  upsertLtvProfile,
+} from './modules/db.js';
+
+// ── Dispatch — plataformas de ads ─────────────────────────────────────────────
+import { sendMetaCapi }    from './modules/dispatch/meta.js';
+import { sendGA4Mp }       from './modules/dispatch/ga4.js';
+import { sendTikTokApi }   from './modules/dispatch/tiktok.js';
+import {
+  sendPinterestCapi,
+  sendRedditCapi,
+  sendLinkedInCapi,
+  sendSpotifyCapi,
+} from './modules/dispatch/platforms.js';
+import {
+  sendWhatsApp,
+  processWhatsAppWebhook,
+  verifyHmac,
+} from './modules/dispatch/whatsapp.js';
+
+// ── ML — LTV + A/B Testing ────────────────────────────────────────────────────
+import {
+  predictLtv,
+  getLtvAbVariation,
+  recordAbAssignment,
+  handleLtvAbTestCreate,
+  handleLtvAbTestList,
+  handleLtvAbTestResults,
+  handleLtvAbTestWinner,
+} from './modules/ml/ltv.js';
+
+// ── ML — Segmentação ──────────────────────────────────────────────────────────
+import {
+  handleSegmentationCluster,
+  handleSegmentationList,
+  handleSegmentationOutliers,
+  handleSegmentationUpdate,
+} from './modules/ml/segmentation.js';
+
+// ── ML — Bidding ──────────────────────────────────────────────────────────────
+import {
+  handleBiddingRecommend,
+  handleBiddingHistory,
+  handleBiddingStatus,
+} from './modules/ml/bidding.js';
+
+// ── ML — Fraud Detection ──────────────────────────────────────────────────────
+import {
+  checkFraudGate,
+  logFraudSignal,
+  handleFraudAlerts,
+  handleFraudBlocklist,
+  handleFraudBlocklistAdd,
+  handleFraudBlocklistRemove,
+  handleFraudStats,
+} from './modules/ml/fraud.js';
+
+// ── Intelligence Agent (Cron) ─────────────────────────────────────────────────
+import {
+  runIntelligenceAgent,
+  buildGoogleCustomerMatchExport,
+} from './modules/intelligence.js';
+
+// ─────────────────────────────────────────────────────────────────────────────
+// HANDLER PRINCIPAL
+// ─────────────────────────────────────────────────────────────────────────────
+export default {
+
+  async fetch(request, env, ctx) {
+    const origin  = request.headers.get('Origin') || '';
+    const headers = {
+      'Content-Type': 'application/json',
+      ...corsHeaders(origin, env.SITE_DOMAIN),
+    };
+
+    // Preflight CORS
+    if (request.method === 'OPTIONS') {
+      return new Response(null, { status: 204, headers });
+    }
+
+    const url = new URL(request.url);
+
+    // ── Fraud Gate — Fase 4 (apenas em /track) ────────────────────────────────
+    // Roda ANTES de qualquer processamento de evento
+    // Silent drop (200) — bots não sabem que foram detectados
+    if (url.pathname === '/track' && request.method === 'POST') {
+      let trackBodyForFraud;
+      try {
+        const cloned = request.clone();
+        trackBodyForFraud = await cloned.json().catch(() => ({}));
+      } catch { trackBodyForFraud = {}; }
+
+      const fraudResult = await checkFraudGate(env, request, trackBodyForFraud);
+      if (!fraudResult.allowed) {
+        ctx.waitUntil(logFraudSignal(env, request, trackBodyForFraud, fraudResult));
+        return new Response(JSON.stringify({ status: 'ok', queued: true }), { status: 200, headers });
+      }
+      if (fraudResult.action === 'flagged') {
+        ctx.waitUntil(logFraudSignal(env, request, trackBodyForFraud, fraudResult));
+      }
+    }
+
+    // ── GET /export/customer-match ────────────────────────────────────────────
+    if (request.method === 'GET' && url.pathname === '/export/customer-match') {
+      const authHeader = request.headers.get('Authorization') || '';
+      const token = authHeader.replace('Bearer ', '');
+      if (!env.META_ACCESS_TOKEN || token !== env.META_ACCESS_TOKEN) {
+        return new Response('Unauthorized', { status: 401 });
+      }
+
+      const rows = await buildGoogleCustomerMatchExport(env);
+      return new Response(JSON.stringify({ total: rows.length, data: rows }, null, 2), {
+        headers: { ...headers, 'Content-Disposition': 'attachment; filename="customer-match.json"' },
+      });
+    }
+
+    // ── GET /health ───────────────────────────────────────────────────────────
+    if (request.method === 'GET' && url.pathname === '/health') {
+      const results = {};
+
+      try {
+        await env.DB.prepare('SELECT 1').run();
+        results.d1 = 'ok';
+      } catch (err) {
+        results.d1 = `FAILED: ${err.message}`;
+      }
+
+      try {
+        await env.GEO_CACHE.get('__health_check__');
+        results.kv = 'ok';
+      } catch (err) {
+        results.kv = `FAILED: ${err.message}`;
+      }
+
+      try {
+        await env.AI.run('@cf/meta/llama-3.1-8b-instruct', {
+          messages: [{ role: 'user', content: 'ping' }],
+          max_tokens: 1,
+        });
+        results.ai = 'ok';
+      } catch (err) {
+        results.ai = `FAILED: ${err.message}`;
+      }
+
+      const vars = {
+        META_PIXEL_ID:      env.META_PIXEL_ID      ? 'set' : 'MISSING',
+        GA4_MEASUREMENT_ID: env.GA4_MEASUREMENT_ID ? 'set' : 'MISSING',
+        TIKTOK_PIXEL_ID:    env.TIKTOK_PIXEL_ID    ? 'set' : 'MISSING',
+        SITE_DOMAIN:        env.SITE_DOMAIN        ? 'set' : 'MISSING',
+      };
+
+      const secrets = {
+        META_ACCESS_TOKEN:        env.META_ACCESS_TOKEN        ? 'set' : 'MISSING',
+        GA4_API_SECRET:           env.GA4_API_SECRET           ? 'set' : 'MISSING',
+        WA_WEBHOOK_VERIFY_TOKEN:  env.WA_WEBHOOK_VERIFY_TOKEN  ? 'set' : 'MISSING',
+        WHATSAPP_ACCESS_TOKEN:    env.WHATSAPP_ACCESS_TOKEN    ? 'set' : 'not set (optional - only for auto-reply)',
+        WHATSAPP_PHONE_NUMBER_ID: env.WHATSAPP_PHONE_NUMBER_ID ? 'set' : 'not set (optional - only for auto-reply)',
+        WA_NOTIFY_NUMBER:         env.WA_NOTIFY_NUMBER         ? 'set' : 'not set (optional - only for auto-reply)',
+        TIKTOK_ACCESS_TOKEN:      env.TIKTOK_ACCESS_TOKEN      ? 'set' : 'not set (optional)',
+        CALLMEBOT_PHONE:          env.CALLMEBOT_PHONE          ? 'set' : 'not set (optional)',
+      };
+
+      const hasMissing =
+        Object.values(vars).includes('MISSING') ||
+        Object.values(secrets).includes('MISSING') ||
+        results.d1 !== 'ok';
+
+      return new Response(JSON.stringify({
+        status:    hasMissing ? 'degraded' : 'ok',
+        timestamp: new Date().toISOString(),
+        bindings:  results,
+        vars,
+        secrets,
+      }, null, 2), { headers });
+    }
+
+    // ── POST /track ───────────────────────────────────────────────────────────
+    if (request.method === 'POST' && url.pathname === '/track') {
+      // Reject oversized payloads before reading body (64 KB limit)
+      const contentLength = parseInt(request.headers.get('Content-Length') || '0', 10);
+      if (contentLength > 65536) {
+        return new Response(JSON.stringify({ error: 'Payload muito grande' }), { status: 413, headers });
+      }
+
+      let body;
+      try {
+        body = await request.json();
+      } catch {
+        return new Response(JSON.stringify({ error: 'JSON inválido' }), { status: 400, headers });
+      }
+
+      if (typeof body !== 'object' || Array.isArray(body) || body === null) {
+        return new Response(JSON.stringify({ error: 'Payload inválido' }), { status: 400, headers });
+      }
+
+      const STR_FIELDS = ['email','phone','firstName','lastName','city','state','zip','userId',
+                          'utmSource','utmMedium','utmCampaign','utmContent','utmTerm',
+                          'fbclid','ttclid','gclid','transactionId','productName','currency'];
+
+      const { eventName, behavioral_data, ...payload } = body;
+
+      if (!eventName) {
+        return new Response(JSON.stringify({ error: 'eventName é obrigatório' }), { status: 400, headers });
+      }
+
+      if (typeof eventName !== 'string' || eventName.length > 64 || !VALID_EVENT_NAMES.has(eventName)) {
+        return new Response(JSON.stringify({ error: `eventName desconhecido: ${eventName.slice(0, 64)}` }), { status: 400, headers });
+      }
+
+      for (const field of STR_FIELDS) {
+        if (payload[field] !== undefined && payload[field] !== null) {
+          if (typeof payload[field] !== 'string' || payload[field].length > 512) {
+            return new Response(JSON.stringify({ error: `Campo inválido: ${field}` }), { status: 400, headers });
+          }
+        }
+      }
+
+      if (payload.value !== undefined && payload.value !== null) {
+        const v = Number(payload.value);
+        if (isNaN(v) || v < 0 || v > 9_999_999) {
+          return new Response(JSON.stringify({ error: 'value fora do intervalo permitido' }), { status: 400, headers });
+        }
+        payload.value = v;
+      }
+
+      // ── Extrair dados comportamentais do browser ──────────────────────────
+      if (behavioral_data) {
+        payload.engagementScore = behavioral_data.engagement_score ?? behavioral_data.totalScore ?? null;
+        payload.intentionLevel  = behavioral_data.intention_level  ?? null;
+        payload.userScore       = behavioral_data.user_score       ?? null;
+        payload.email     = payload.email     || behavioral_data.email      || null;
+        payload.phone     = payload.phone     || behavioral_data.phone      || null;
+        payload.firstName = payload.firstName || behavioral_data.first_name  || behavioral_data.firstName || null;
+        payload.lastName  = payload.lastName  || behavioral_data.last_name   || behavioral_data.lastName  || null;
+        payload.city      = payload.city      || behavioral_data.city        || null;
+        payload.state     = payload.state     || behavioral_data.state       || null;
+        payload.zip       = payload.zip       || behavioral_data.zip         || null;
+        payload.dob       = payload.dob       || behavioral_data.dob         || null;
+      }
+
+      // ── Edge Fingerprint + UTM Resurrection ──────────────────────────────
+      const fingerprint = await generateEdgeFingerprint(request);
+      payload.utmRestored = false;
+
+      if (fingerprint) {
+        if (payload.utmSource) {
+          ctx.waitUntil(saveEdgeFingerprint(env.DB, fingerprint, payload.userId, payload));
+        } else {
+          const recovered = await resurrectUTM(env.DB, fingerprint);
+          if (recovered) {
+            payload.utmSource   = payload.utmSource   || recovered.utm_source;
+            payload.utmMedium   = payload.utmMedium   || recovered.utm_medium;
+            payload.utmCampaign = payload.utmCampaign || recovered.utm_campaign;
+            payload.utmContent  = payload.utmContent  || recovered.utm_content;
+            payload.utmTerm     = payload.utmTerm     || recovered.utm_term;
+            payload.utmRestored = true;
+            console.log(`[UTM Resurrection] Recovered: ${recovered.utm_source}/${recovered.utm_medium}/${recovered.utm_campaign}`);
+          }
+        }
+      }
+
+      // ── Bot Mitigation ────────────────────────────────────────────────────
+      const botScoreStr = request.cf?.botManagement?.score;
+      const cfBotScore  = botScoreStr !== undefined ? parseInt(botScoreStr) : 100;
+      const ua          = (request.headers.get('User-Agent') || '').toLowerCase();
+      const isBotPattern = /bot|crawler|spider|lighthouse|postman|curl|inspect|headless/i.test(ua);
+
+      const isBot = cfBotScore < 30 || isBotPattern;
+      payload.botScore = isBot ? 2 : (cfBotScore < 60 ? 1 : 0);
+
+      if (isBot && !['Contact', 'Lead', 'Purchase'].includes(eventName)) {
+        return new Response(JSON.stringify({ ok: true, skipped_due_to_bot: true }), { status: 200, headers });
+      }
+
+      // ── Edge Geo Enrichment ───────────────────────────────────────────────
+      const geoData = await enrichGeoFromEdge(request, env, payload);
+
+      // ── First-Party Cookie (Identity Resolution) ──────────────────────────
+      const cookieHeader = request.headers.get('Cookie') || '';
+      const cdpUidMatch  = cookieHeader.match(/_cdp_uid=([^;]+)/);
+      const finalUserId  = payload.userId || (cdpUidMatch ? cdpUidMatch[1] : crypto.randomUUID());
+      payload.userId     = finalUserId;
+
+      const ga4Name = META_TO_GA4[eventName] || eventName.toLowerCase();
+
+      // ── LTV Prediction (+ A/B Testing de Prompts) ─────────────────────────
+      const LTV_EVENTS = ['Lead', 'Contact', 'Schedule', 'CompleteRegistration'];
+      if (LTV_EVENTS.includes(eventName) && !payload.value) {
+        const abVariation = await getLtvAbVariation(env);
+        const ltv = await predictLtv(env, payload, request, abVariation?.system_prompt || null);
+        payload.value    = ltv.value;
+        payload.currency = payload.currency || 'BRL';
+        payload.ltvClass = ltv.class;
+        payload.ltvScore = ltv.score;
+        ctx.waitUntil(upsertLtvProfile(env, payload.userId, ltv));
+        if (abVariation) {
+          const emailHash = payload.email
+            ? await sha256(payload.email.trim().toLowerCase())
+            : null;
+          ctx.waitUntil(
+            recordAbAssignment(
+              env,
+              payload.userId,
+              abVariation.variation_id,
+              abVariation.test_id,
+              ltv.value,
+              ltv.class,
+              emailHash,
+            )
+          );
+        }
+      }
+
+      // Cross-Device Graph — background
+      if (env.DB && payload.userId && (payload.email || payload.phone)) {
+        ctx.waitUntil(resolveDeviceGraph(env.DB, payload.userId, payload.email, payload.phone));
+      }
+
+      // R2 Audit Log — background
+      ctx.waitUntil(writeAuditLog(env, eventName, payload, geoData));
+
+      // Disparar tudo em paralelo
+      const WHATSAPP_NOTIFY_EVENTS = ['Lead', 'Purchase', 'CompleteRegistration'];
+      const [metaRes, ga4Res, ttRes] = await Promise.allSettled([
+        sendMetaCapi(env, eventName, payload, request, ctx),
+        sendGA4Mp(env, ga4Name, payload, ctx),
+        sendTikTokApi(env, eventName, payload, request, ctx),
+        saveLead(env, eventName, payload, request, 'website'),
+        upsertProfile(env, eventName, payload, request),
+        ...(WHATSAPP_NOTIFY_EVENTS.includes(eventName)
+          ? [sendWhatsApp(env, eventName, payload)]
+          : []),
+      ]);
+
+      // Automação de mensagens
+      const AUTOMATION_EVENTS = ['Lead', 'Purchase', 'InitiateCheckout'];
+      if (AUTOMATION_EVENTS.includes(eventName) && env.DB) {
+        ctx.waitUntil(
+          (async () => {
+            try {
+              const lastLead = await env.DB
+                .prepare(`SELECT id FROM leads WHERE event_id = ?1 LIMIT 1`)
+                .bind(payload.eventId || payload.event_id || '')
+                .first();
+              const leadId = lastLead?.id ?? null;
+              if (leadId) await fireAutomation(env, eventName, leadId, payload);
+            } catch (e) { console.error('[Automation] lead lookup error:', e.message); }
+          })()
+        );
+      }
+
+      // Edge Personalization
+      let currentScore = 0;
+      if (env.DB && payload.userId) {
+        try {
+          const profileRow = await env.DB.prepare('SELECT score FROM user_profiles WHERE user_id = ?').bind(payload.userId).first();
+          if (profileRow) currentScore = profileRow.score;
+        } catch {}
+      }
+
+      const resHeaders = new Headers(headers);
+      resHeaders.set('Set-Cookie', `_cdp_uid=${finalUserId}; HttpOnly; Secure; SameSite=Lax; Max-Age=31536000; Path=/; Domain=.${env.SITE_DOMAIN}`);
+
+      return new Response(JSON.stringify({
+        ok:          true,
+        userProfile: { score: currentScore, user_id: finalUserId },
+        meta:        metaRes.value  ?? { error: metaRes.reason?.message },
+        ga4:         ga4Res.value   ?? { error: ga4Res.reason?.message },
+        tiktok:      ttRes.value    ?? { error: ttRes.reason?.message },
+      }), { status: 200, headers: resHeaders });
+    }
+
+    // ── POST /webhook/hotmart ─────────────────────────────────────────────────
+    if (request.method === 'POST' && url.pathname === '/webhook/hotmart') {
+      if (env.WEBHOOK_SECRET_HOTMART) {
+        const token = request.headers.get('X-Hotmart-Webhook-Token') || '';
+        if (token !== env.WEBHOOK_SECRET_HOTMART) {
+          return new Response('Unauthorized', { status: 401 });
+        }
+      }
+
+      let wh;
+      try { wh = await request.json(); } catch {
+        return new Response('JSON inválido', { status: 400 });
+      }
+
+      const data     = wh.data || wh;
+      const buyer    = data.buyer    || {};
+      const purchase = data.purchase || {};
+      const product  = data.product  || {};
+
+      if (!['APPROVED', 'COMPLETE', 'approved', 'complete'].includes(purchase.status)) {
+        return new Response(JSON.stringify({ skipped: `status ${purchase.status}` }), { status: 200, headers });
+      }
+
+      const hmTxId = String(purchase.transaction || '');
+      if (hmTxId && env.DB) {
+        try {
+          const dup = await env.DB.prepare(
+            'SELECT id FROM webhook_events WHERE transaction_id = ? AND status = ?'
+          ).bind(hmTxId, 'processed').first();
+          if (dup) {
+            return new Response(JSON.stringify({ ok: true, skipped: 'duplicate' }), { status: 200, headers });
+          }
+        } catch {}
+      }
+
+      const profile = await getProfileByEmail(env, buyer.email);
+
+      const payload = {
+        email:       buyer.email,
+        phone:       buyer.phone,
+        firstName:   buyer.name?.split(' ')[0],
+        lastName:    buyer.name?.split(' ').slice(1).join(' ') || undefined,
+        fbp:         profile?.fbp,
+        fbc:         profile?.fbc,
+        userId:      profile?.user_id,
+        gaClientId:  profile?.ga_client_id,
+        value:       purchase.price?.value,
+        currency:    purchase.price?.currency_value || 'BRL',
+        contentIds:  [String(product.id || product.ucode || '')],
+        contentName: product.name,
+        contentType: 'product',
+        pageUrl:     profile?.page_url || `https://${env.SITE_DOMAIN || 'seu-dominio.com.br'}`,
+        orderId:     purchase.transaction,
+        eventId:     `hotmart_${purchase.transaction}`,
+        city:        profile?.city,
+        state:       profile?.state,
+        country:     profile?.country,
+      };
+
+      if (hmTxId && env.DB) {
+        try {
+          await env.DB.prepare(
+            'INSERT OR IGNORE INTO webhook_events (platform, transaction_id, email, status, raw_payload) VALUES (?,?,?,?,?)'
+          ).bind('hotmart', hmTxId, buyer.email || null, 'processed', JSON.stringify(wh)).run();
+        } catch {}
+      }
+
+      ctx.waitUntil(Promise.allSettled([
+        sendMetaCapi(env, 'Purchase', payload, request, ctx),
+        sendGA4Mp(env, 'purchase', payload, ctx),
+        sendTikTokApi(env, 'CompletePayment', payload, request, ctx),
+        saveLead(env, 'Purchase', payload, request, 'hotmart'),
+        sendWhatsApp(env, 'Purchase', payload),
+      ]));
+
+      return new Response(JSON.stringify({ ok: true }), { status: 200, headers });
+    }
+
+    // ── POST /webhook/kiwify ──────────────────────────────────────────────────
+    if (request.method === 'POST' && url.pathname === '/webhook/kiwify') {
+      if (env.WEBHOOK_SECRET_KIWIFY) {
+        const token = request.headers.get('X-Kiwify-Event-Token') || '';
+        if (token !== env.WEBHOOK_SECRET_KIWIFY) {
+          return new Response('Unauthorized', { status: 401 });
+        }
+      }
+
+      let wh;
+      try { wh = await request.json(); } catch {
+        return new Response('JSON inválido', { status: 400 });
+      }
+
+      if (wh.order_status !== 'paid' && wh.order_status !== 'approved') {
+        return new Response(JSON.stringify({ skipped: `status ${wh.order_status}` }), { status: 200, headers });
+      }
+
+      const kwTxId = String(wh.order_id || '');
+      if (kwTxId && env.DB) {
+        try {
+          const dup = await env.DB.prepare(
+            'SELECT id FROM webhook_events WHERE transaction_id = ? AND status = ?'
+          ).bind(kwTxId, 'processed').first();
+          if (dup) {
+            return new Response(JSON.stringify({ ok: true, skipped: 'duplicate' }), { status: 200, headers });
+          }
+        } catch {}
+      }
+
+      const customer = wh.Customer || {};
+      const product  = wh.Product  || {};
+      const profile  = await getProfileByEmail(env, customer.email);
+
+      const payload = {
+        email:       customer.email,
+        phone:       customer.mobile,
+        firstName:   customer.full_name?.split(' ')[0],
+        lastName:    customer.full_name?.split(' ').slice(1).join(' ') || undefined,
+        fbp:         profile?.fbp,
+        fbc:         profile?.fbc,
+        userId:      profile?.user_id,
+        gaClientId:  profile?.ga_client_id,
+        value:       wh.order_value ? parseFloat(wh.order_value) / 100 : undefined,
+        currency:    'BRL',
+        contentIds:  [String(product.product_id || '')],
+        contentName: product.product_name,
+        contentType: 'product',
+        pageUrl:     profile?.page_url || `https://${env.SITE_DOMAIN || 'seu-dominio.com.br'}`,
+        orderId:     wh.order_id,
+        eventId:     `kiwify_${wh.order_id}`,
+        city:        profile?.city,
+        state:       profile?.state,
+        country:     profile?.country,
+      };
+
+      if (kwTxId && env.DB) {
+        try {
+          await env.DB.prepare(
+            'INSERT OR IGNORE INTO webhook_events (platform, transaction_id, email, status, raw_payload) VALUES (?,?,?,?,?)'
+          ).bind('kiwify', kwTxId, customer.email || null, 'processed', JSON.stringify(wh)).run();
+        } catch {}
+      }
+
+      ctx.waitUntil(Promise.allSettled([
+        sendMetaCapi(env, 'Purchase', payload, request, ctx),
+        sendGA4Mp(env, 'purchase', payload, ctx),
+        sendTikTokApi(env, 'CompletePayment', payload, request, ctx),
+        sendPinterestCapi(env, 'Purchase', payload, request, ctx),
+        sendRedditCapi(env, 'Purchase', payload, request, ctx),
+        sendLinkedInCapi(env, 'Purchase', payload, request, ctx),
+        sendSpotifyCapi(env, 'Purchase', payload, request, ctx),
+        saveLead(env, 'Purchase', payload, request, 'kiwify'),
+        sendWhatsApp(env, 'Purchase', payload),
+      ]));
+
+      return new Response(JSON.stringify({ ok: true }), { status: 200, headers });
+    }
+
+    // ── POST /webhook/ticto ───────────────────────────────────────────────────
+    if (request.method === 'POST' && url.pathname === '/webhook/ticto') {
+      let rawBody;
+      try { rawBody = await request.text(); } catch {
+        return new Response('Leitura de body falhou', { status: 400 });
+      }
+      if (env.WEBHOOK_SECRET_TICTO) {
+        const sig   = request.headers.get('X-Ticto-Signature') || '';
+        const valid = await verifyHmac(env.WEBHOOK_SECRET_TICTO, rawBody, sig);
+        if (!valid) {
+          return new Response('Unauthorized', { status: 401 });
+        }
+      }
+
+      let wh;
+      try { wh = JSON.parse(rawBody); } catch {
+        return new Response('JSON inválido', { status: 400 });
+      }
+
+      const STATUS_PAID = ['paid', 'approved', 'complete', 'completed'];
+      if (!STATUS_PAID.includes((wh.status || '').toLowerCase())) {
+        return new Response(JSON.stringify({ skipped: `status ${wh.status}` }), { status: 200, headers });
+      }
+
+      const customer = wh.customer  || {};
+      const order    = wh.order     || {};
+      const item     = wh.item      || {};
+      const tracking = wh.tracking  || wh.url_params || {};
+
+      const valueRaw      = order.paid_amount ?? order.total ?? order.amount;
+      const value         = valueRaw ? parseFloat(valueRaw) / 100 : undefined;
+      const transactionId = order.hash || order.transaction_hash || order.id;
+      const tcTxId        = String(order.hash || order.transaction_hash || order.id || '');
+
+      if (tcTxId && env.DB) {
+        try {
+          const dup = await env.DB.prepare(
+            'SELECT id FROM webhook_events WHERE transaction_id = ? AND status = ?'
+          ).bind(tcTxId, 'processed').first();
+          if (dup) {
+            return new Response(JSON.stringify({ ok: true, skipped: 'duplicate' }), { status: 200, headers });
+          }
+        } catch {}
+      }
+
+      const urlUserId = tracking.user_id || wh.url_params?.user_id;
+      let profile = await getProfileByEmail(env, customer.email);
+      if (!profile && urlUserId && env.DB) {
+        try {
+          profile = await env.DB.prepare(
+            'SELECT * FROM user_profiles WHERE user_id = ? ORDER BY updated_at DESC LIMIT 1'
+          ).bind(urlUserId).first();
+        } catch {}
+      }
+
+      const fbclid = tracking.fbclid || wh.url_params?.fbclid;
+      const fbc    = profile?.fbc || (fbclid ? `fb.1.${Date.now()}.${fbclid}` : undefined);
+
+      const payload = {
+        email:       customer.email,
+        phone:       customer.phone,
+        firstName:   customer.name?.split(' ')[0],
+        lastName:    customer.name?.split(' ').slice(1).join(' ') || undefined,
+        fbp:         profile?.fbp,
+        fbc,
+        ttp:         profile?.ttp,
+        userId:      profile?.user_id,
+        gaClientId:  profile?.ga_client_id,
+        value,
+        currency:    'BRL',
+        contentIds:  [String(item.product_id || '')],
+        contentName: item.product_name,
+        contentType: 'product',
+        pageUrl:     profile?.page_url || `https://${env.SITE_DOMAIN || 'seu-dominio.com.br'}`,
+        orderId:     transactionId,
+        eventId:     `ticto_${transactionId}`,
+        city:        profile?.city,
+        state:       profile?.state,
+        country:     profile?.country || 'br',
+        utmSource:   tracking.utm_source   || tracking.src || '',
+        utmMedium:   tracking.utm_medium   || '',
+        utmCampaign: tracking.utm_campaign || '',
+        utmContent:  tracking.utm_content  || '',
+      };
+
+      if (tcTxId && env.DB) {
+        try {
+          await env.DB.prepare(
+            'INSERT OR IGNORE INTO webhook_events (platform, transaction_id, email, status, raw_payload) VALUES (?,?,?,?,?)'
+          ).bind('ticto', tcTxId, customer.email || null, 'processed', JSON.stringify(wh)).run();
+        } catch {}
+      }
+
+      ctx.waitUntil(Promise.allSettled([
+        sendMetaCapi(env, 'Purchase', payload, request, ctx),
+        sendGA4Mp(env, 'purchase', payload, ctx),
+        sendTikTokApi(env, 'CompletePayment', payload, request, ctx),
+        sendPinterestCapi(env, 'Purchase', payload, request, ctx),
+        sendRedditCapi(env, 'Purchase', payload, request, ctx),
+        sendLinkedInCapi(env, 'Purchase', payload, request, ctx),
+        sendSpotifyCapi(env, 'Purchase', payload, request, ctx),
+        saveLead(env, 'Purchase', payload, request, 'ticto'),
+        sendWhatsApp(env, 'Purchase', payload),
+      ]));
+
+      return new Response(JSON.stringify({ ok: true }), { status: 200, headers });
+    }
+
+    // ── GET /webhook/whatsapp — verificação do webhook pela Meta ─────────────
+    if (request.method === 'GET' && url.pathname === '/webhook/whatsapp') {
+      const mode      = url.searchParams.get('hub.mode');
+      const token     = url.searchParams.get('hub.verify_token');
+      const challenge = url.searchParams.get('hub.challenge');
+
+      if (mode === 'subscribe' && env.WA_WEBHOOK_VERIFY_TOKEN && token === env.WA_WEBHOOK_VERIFY_TOKEN) {
+        return new Response(challenge, { status: 200, headers: { 'Content-Type': 'text/plain' } });
+      }
+      return new Response('Forbidden', { status: 403 });
+    }
+
+    // ── POST /webhook/whatsapp — mensagens recebidas (CTWA) ──────────────────
+    if (request.method === 'POST' && url.pathname === '/webhook/whatsapp') {
+      let body;
+      try { body = await request.json(); } catch {
+        return new Response('JSON inválido', { status: 400 });
+      }
+
+      const result = await processWhatsAppWebhook(env, body, request, ctx);
+      return new Response(JSON.stringify({ ok: true, ...result }), { status: 200, headers });
+    }
+
+    // ── ML — Segmentação Dinâmica ─────────────────────────────────────────────
+    if (url.pathname === '/api/segmentation/cluster' && request.method === 'POST') {
+      return handleSegmentationCluster(env, request, headers);
+    }
+    if (url.pathname === '/api/segmentation/list' && request.method === 'GET') {
+      return handleSegmentationList(env, request, headers);
+    }
+    if (url.pathname === '/api/segmentation/outliers' && request.method === 'GET') {
+      return handleSegmentationOutliers(env, request, headers);
+    }
+    if (url.pathname === '/api/segmentation/update' && request.method === 'PUT') {
+      return handleSegmentationUpdate(env, request, headers);
+    }
+
+    // ── ML — Bidding Recommendations ──────────────────────────────────────────
+    if (url.pathname === '/api/bidding/recommend' && request.method === 'POST') {
+      return handleBiddingRecommend(env, request, headers);
+    }
+    if (url.pathname === '/api/bidding/history' && request.method === 'GET') {
+      return handleBiddingHistory(env, request, headers);
+    }
+    if (url.pathname === '/api/bidding/status' && request.method === 'GET') {
+      return handleBiddingStatus(env, request, headers);
+    }
+
+    // ── ML — A/B Testing de Prompts LTV ──────────────────────────────────────
+    if (url.pathname === '/api/ltv/ab-test/create' && request.method === 'POST') {
+      return handleLtvAbTestCreate(env, request, headers);
+    }
+    if (url.pathname === '/api/ltv/ab-test/list' && request.method === 'GET') {
+      return handleLtvAbTestList(env, request, headers);
+    }
+    if (url.pathname === '/api/ltv/ab-test/results' && request.method === 'GET') {
+      return handleLtvAbTestResults(env, request, headers);
+    }
+    if (url.pathname === '/api/ltv/ab-test/winner' && request.method === 'POST') {
+      return handleLtvAbTestWinner(env, request, headers);
+    }
+
+    // ── Fraud Detection — Fase 4 ──────────────────────────────────────────────
+    if (url.pathname === '/api/fraud/alerts' && request.method === 'GET') {
+      return handleFraudAlerts(env, request, headers);
+    }
+    if (url.pathname === '/api/fraud/blocklist' && request.method === 'GET') {
+      return handleFraudBlocklist(env, request, headers);
+    }
+    if (url.pathname === '/api/fraud/blocklist/add' && request.method === 'POST') {
+      return handleFraudBlocklistAdd(env, request, headers);
+    }
+    if (url.pathname === '/api/fraud/blocklist/remove' && request.method === 'DELETE') {
+      return handleFraudBlocklistRemove(env, request, headers);
+    }
+    if (url.pathname === '/api/fraud/stats' && request.method === 'GET') {
+      return handleFraudStats(env, request, headers);
+    }
+
+    // 404
+    return new Response(JSON.stringify({ error: 'rota não encontrada' }), { status: 404, headers });
+  },
+
+  // ── Cron Handler — Intelligence Agent ────────────────────────────────────────
+  async scheduled(event, env, ctx) {
+    const cron      = event.cron;
+    const isMonthly = cron === '0 3 1 * *';
+
+    console.log(`[Intelligence Agent] Cron executado: ${cron}`);
+    ctx.waitUntil(runIntelligenceAgent(env, isMonthly ? 'monthly_audit' : 'weekly_check'));
+  },
+
+  // ── Queue Consumer — Retry de eventos com falha ───────────────────────────────
+  async queue(batch, env) {
+    for (const message of batch.messages) {
+      const { eventType, payload, platform, attempt = 1 } = message.body;
+
+      console.log(`[Queue] Reprocessando: ${platform}/${eventType} (tentativa ${attempt})`);
+
+      try {
+        if (platform === 'meta')   await sendMetaCapi(env, eventType, payload, null, null);
+        if (platform === 'ga4')    await sendGA4Mp(env, eventType, payload, null);
+        if (platform === 'tiktok') await sendTikTokApi(env, eventType, payload, null, null);
+
+        message.ack();
+      } catch (err) {
+        console.error(`[Queue] Falha ao reprocessar ${platform}/${eventType}:`, err.message);
+        message.retry();
+      }
+    }
+  },
+};