cdp-edge 2.0.2 → 2.0.4

package/server-edge-tracker/modules/ml/fraud.js

@@ -0,0 +1,301 @@
+/**
+ * CDP Edge — Fraud Detection (Fase 4)
+ * checkFraudGate, logFraudSignal, handlers das rotas /api/fraud/*
+ */
+
+import { sha256, tryParseJson } from '../utils.js';
+
+// ── Listas de detecção ────────────────────────────────────────────────────────
+export const DISPOSABLE_EMAIL_DOMAINS = new Set([
+  'mailinator.com','guerrillamail.com','tempmail.com','throwaway.email',
+  'yopmail.com','sharklasers.com','guerrillamailblock.com','spam4.me',
+  '10minutemail.com','trashmail.com','maildrop.cc','fakeinbox.com',
+  'dispostable.com','getairmail.com','mailnull.com',
+]);
+
+export const DATACENTER_PATTERNS = /amazon|google|microsoft|digitalocean|linode|ovh|vultr|hetzner|contabo|cloudflare|packet|rackspace|leaseweb/i;
+
+// ── checkFraudGate — roda ANTES de qualquer processamento de evento ────────────
+// Retorna { allowed, score, reasons, action }
+// Falhas no gate = fail-safe (deixa passar)
+export async function checkFraudGate(env, request, payload) {
+  const result = { allowed: true, score: 0, reasons: [], action: 'allowed' };
+
+  try {
+    const ip          = request.headers.get('CF-Connecting-IP') || '';
+    const ua          = request.headers.get('User-Agent')        || '';
+    const fingerprint = payload.fingerprint                       || '';
+    const email       = payload.email                             || '';
+    const botScore    = parseInt(payload.botScore || payload.bot_score || 0);
+    const asn         = String(request.cf?.asOrganization || '').toLowerCase();
+    const country     = (request.cf?.country || '').toUpperCase();
+    const acceptLang  = request.headers.get('Accept-Language');
+
+    // 1. KV blocklist check — instantâneo (~0ms)
+    if (env.GEO_CACHE && ip) {
+      const ipBlocked = await env.GEO_CACHE.get(`fraud_block:ip:${ip}`);
+      if (ipBlocked) {
+        return { allowed: false, score: 100, reasons: ['ip_blocklisted'], action: 'dropped' };
+      }
+    }
+    if (env.GEO_CACHE && fingerprint) {
+      const fpBlocked = await env.GEO_CACHE.get(`fraud_block:fp:${fingerprint}`);
+      if (fpBlocked) {
+        return { allowed: false, score: 100, reasons: ['fingerprint_blocklisted'], action: 'dropped' };
+      }
+    }
+
+    // 2. Bot score
+    if (botScore >= 3) { result.score += 60; result.reasons.push('bot_score_high'); }
+    else if (botScore === 2) { result.score += 30; result.reasons.push('bot_score_medium'); }
+
+    // 3. User-Agent suspeito
+    if (/headless|phantomjs|selenium|webdriver|curl|python|scrapy|bot|crawler|spider/i.test(ua)) {
+      result.score += 40; result.reasons.push('suspicious_user_agent');
+    }
+
+    // 4. Datacenter IP
+    if (ip && DATACENTER_PATTERNS.test(asn)) {
+      result.score += 35; result.reasons.push('datacenter_ip');
+    }
+
+    // 5. Sem Accept-Language
+    if (!acceptLang) {
+      result.score += 20; result.reasons.push('no_accept_language');
+    }
+
+    // 6. Email descartável
+    if (email) {
+      const domain = email.split('@')[1]?.toLowerCase();
+      if (domain && DISPOSABLE_EMAIL_DOMAINS.has(domain)) {
+        result.score += 25; result.reasons.push('disposable_email');
+      }
+    }
+
+    // 7. Velocity check via KV
+    if (env.GEO_CACHE && ip) {
+      const velKey1h = `fraud_velocity:${ip}:h`;
+      const velStr   = await env.GEO_CACHE.get(velKey1h);
+      const vel1h    = parseInt(velStr || '0') + 1;
+
+      await env.GEO_CACHE.put(velKey1h, String(vel1h), { expirationTtl: 3600 });
+
+      if (vel1h > 20) { result.score += 50; result.reasons.push('ip_velocity_very_high'); }
+      else if (vel1h > 10) { result.score += 25; result.reasons.push('ip_velocity_high'); }
+    }
+
+    result.score = Math.min(100, result.score);
+
+    // 8. Decisão final
+    if (result.score >= 80) {
+      result.allowed = false;
+      result.action  = 'dropped';
+    } else if (result.score >= 40) {
+      result.action = 'flagged';
+    }
+
+    return result;
+
+  } catch (err) {
+    console.error('[Fraud] checkFraudGate error:', err.message);
+    return { allowed: true, score: 0, reasons: ['gate_error_fallback'], action: 'allowed' };
+  }
+}
+
+// ── logFraudSignal — persiste no D1 em background ────────────────────────────
+export async function logFraudSignal(env, request, payload, fraudResult) {
+  if (!env.DB || fraudResult.action === 'allowed') return;
+  try {
+    const ip          = request.headers.get('CF-Connecting-IP') || '';
+    const ua          = request.headers.get('User-Agent')        || '';
+    const fingerprint = payload.fingerprint                       || '';
+    const botScore    = parseInt(payload.botScore || payload.bot_score || 0);
+    const asn         = String(request.cf?.asOrganization || '');
+    const country     = (request.cf?.country              || '');
+    const velKey1h    = `fraud_velocity:${ip}:h`;
+    const vel1h       = env.GEO_CACHE ? parseInt(await env.GEO_CACHE.get(velKey1h) || '0') : 0;
+
+    let emailHash = null;
+    if (payload.email) {
+      try { emailHash = await sha256(payload.email.trim().toLowerCase()); } catch {}
+    }
+
+    await env.DB.prepare(`
+      INSERT INTO fraud_signals (
+        ip_address, fingerprint, user_id, email_hash, event_name, event_id,
+        fraud_score, action_taken, reasons,
+        ip_country, ip_asn, user_agent, bot_score, velocity_1h, detected_at
+      ) VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,datetime('now'))
+    `).bind(
+      ip, fingerprint || null, payload.userId || null, emailHash,
+      payload.eventName || null, payload.eventId || null,
+      fraudResult.score, fraudResult.action, JSON.stringify(fraudResult.reasons),
+      country, asn, ua.substring(0, 255), botScore, vel1h,
+    ).run();
+
+    if (fraudResult.action === 'dropped' && ip) {
+      await env.DB.prepare(`
+        INSERT INTO fraud_alerts (alert_type, entity_type, entity_value, events_total, events_dropped, peak_score, first_seen, last_seen, top_reasons)
+        VALUES ('ip_attack', 'ip', ?, 1, 1, ?, datetime('now'), datetime('now'), ?)
+        ON CONFLICT(entity_type, entity_value) DO UPDATE SET
+          events_total   = events_total + 1,
+          events_dropped = events_dropped + 1,
+          peak_score     = MAX(peak_score, excluded.peak_score),
+          last_seen      = datetime('now'),
+          updated_at     = datetime('now')
+      `).bind(ip, fraudResult.score, JSON.stringify(fraudResult.reasons)).run().catch(() => {});
+    }
+  } catch (err) {
+    console.error('[Fraud] logFraudSignal error:', err.message);
+  }
+}
+
+// ── GET /api/fraud/alerts ─────────────────────────────────────────────────────
+export async function handleFraudAlerts(env, request, headers) {
+  if (!env.DB) return new Response(JSON.stringify({ error: 'DB não configurado' }), { status: 503, headers });
+
+  const url    = new URL(request.url);
+  const action = url.searchParams.get('action') || null;
+  const hours  = parseInt(url.searchParams.get('hours') || '24');
+  const limit  = Math.min(parseInt(url.searchParams.get('limit') || '50'), 200);
+
+  try {
+    const cond     = action ? 'AND action_taken = ?' : '';
+    const bindings = action ? [hours, action, limit] : [hours, limit];
+
+    const result = await env.DB.prepare(`
+      SELECT ip_address, fingerprint, event_name, fraud_score, action_taken,
+             reasons, ip_country, ip_asn, bot_score, velocity_1h, detected_at
+      FROM fraud_signals
+      WHERE detected_at >= datetime('now', '-' || ? || ' hours')
+        ${cond}
+      ORDER BY fraud_score DESC, detected_at DESC
+      LIMIT ?
+    `).bind(...bindings).all();
+
+    const signals = (result.results || []).map(s => ({ ...s, reasons: tryParseJson(s.reasons, []) }));
+    const stats = await env.DB.prepare(`SELECT * FROM v_fraud_dashboard`).first().catch(() => null);
+
+    return new Response(JSON.stringify({ success: true, period_hours: hours, total: signals.length, stats, alerts: signals }), { status: 200, headers });
+  } catch (err) {
+    console.error('[Fraud] alerts error:', err.message);
+    return new Response(JSON.stringify({ error: err.message }), { status: 500, headers });
+  }
+}
+
+// ── GET /api/fraud/blocklist ──────────────────────────────────────────────────
+export async function handleFraudBlocklist(env, request, headers) {
+  if (!env.DB) return new Response(JSON.stringify({ error: 'DB não configurado' }), { status: 503, headers });
+
+  try {
+    const result = await env.DB.prepare(`
+      SELECT entity_type, entity_value, events_total, events_dropped,
+             peak_score, first_seen, last_seen, blocked_at, block_expires, top_reasons
+      FROM fraud_alerts WHERE is_blocked = 1 ORDER BY events_dropped DESC LIMIT 100
+    `).all();
+
+    const blocklist = (result.results || []).map(r => ({ ...r, top_reasons: tryParseJson(r.top_reasons, []) }));
+    return new Response(JSON.stringify({ success: true, total: blocklist.length, blocklist }), { status: 200, headers });
+  } catch (err) {
+    console.error('[Fraud] blocklist error:', err.message);
+    return new Response(JSON.stringify({ error: err.message }), { status: 500, headers });
+  }
+}
+
+// ── POST /api/fraud/blocklist/add ─────────────────────────────────────────────
+export async function handleFraudBlocklistAdd(env, request, headers) {
+  if (!env.DB) return new Response(JSON.stringify({ error: 'DB não configurado' }), { status: 503, headers });
+
+  let body;
+  try { body = await request.json(); }
+  catch { return new Response(JSON.stringify({ error: 'JSON inválido' }), { status: 400, headers }); }
+
+  const { entity_type, entity_value, ttl_hours = 24, reason = 'manual_block' } = body;
+  if (!entity_type || !entity_value) {
+    return new Response(JSON.stringify({ error: 'entity_type (ip|fingerprint) e entity_value são obrigatórios' }), { status: 400, headers });
+  }
+  if (!['ip', 'fingerprint'].includes(entity_type)) {
+    return new Response(JSON.stringify({ error: 'entity_type deve ser: ip ou fingerprint' }), { status: 400, headers });
+  }
+
+  try {
+    const kvKey    = `fraud_block:${entity_type}:${entity_value}`;
+    const ttlSec   = Math.min(ttl_hours * 3600, 7 * 24 * 3600);
+    const expiresAt = new Date(Date.now() + ttlSec * 1000).toISOString();
+
+    if (env.GEO_CACHE) {
+      await env.GEO_CACHE.put(kvKey, JSON.stringify({ reason, blocked_at: new Date().toISOString() }), { expirationTtl: ttlSec });
+    }
+
+    await env.DB.prepare(`
+      INSERT INTO fraud_alerts (alert_type, entity_type, entity_value, events_total, events_dropped, peak_score, first_seen, last_seen, is_blocked, blocked_at, block_expires, top_reasons)
+      VALUES ('manual', ?, ?, 0, 0, 100, datetime('now'), datetime('now'), 1, datetime('now'), ?, ?)
+      ON CONFLICT DO UPDATE SET is_blocked = 1, blocked_at = datetime('now'), block_expires = excluded.block_expires, updated_at = datetime('now')
+    `).bind(entity_type, entity_value, expiresAt, JSON.stringify([reason])).run().catch(() => {});
+
+    return new Response(JSON.stringify({
+      success: true, entity_type, entity_value, kv_key: kvKey, ttl_hours, expires_at: expiresAt,
+      message: `${entity_type} '${entity_value}' bloqueado por ${ttl_hours}h. Efeito imediato via KV.`,
+    }), { status: 200, headers });
+  } catch (err) {
+    console.error('[Fraud] blocklist add error:', err.message);
+    return new Response(JSON.stringify({ error: err.message }), { status: 500, headers });
+  }
+}
+
+// ── DELETE /api/fraud/blocklist/remove ───────────────────────────────────────
+export async function handleFraudBlocklistRemove(env, request, headers) {
+  if (!env.DB) return new Response(JSON.stringify({ error: 'DB não configurado' }), { status: 503, headers });
+
+  let body;
+  try { body = await request.json(); }
+  catch { return new Response(JSON.stringify({ error: 'JSON inválido' }), { status: 400, headers }); }
+
+  const { entity_type, entity_value } = body;
+  if (!entity_type || !entity_value) {
+    return new Response(JSON.stringify({ error: 'entity_type e entity_value são obrigatórios' }), { status: 400, headers });
+  }
+
+  try {
+    const kvKey = `fraud_block:${entity_type}:${entity_value}`;
+    if (env.GEO_CACHE) await env.GEO_CACHE.delete(kvKey);
+    await env.DB.prepare(`UPDATE fraud_alerts SET is_blocked = 0, resolved_at = datetime('now'), resolved_by = 'manual' WHERE entity_type = ? AND entity_value = ?`).bind(entity_type, entity_value).run();
+
+    return new Response(JSON.stringify({
+      success: true, entity_type, entity_value,
+      message: `${entity_type} '${entity_value}' removido do blocklist. Efeito imediato via KV.`,
+    }), { status: 200, headers });
+  } catch (err) {
+    console.error('[Fraud] blocklist remove error:', err.message);
+    return new Response(JSON.stringify({ error: err.message }), { status: 500, headers });
+  }
+}
+
+// ── GET /api/fraud/stats ──────────────────────────────────────────────────────
+export async function handleFraudStats(env, request, headers) {
+  if (!env.DB) return new Response(JSON.stringify({ error: 'DB não configurado' }), { status: 503, headers });
+
+  try {
+    const dashboard  = await env.DB.prepare(`SELECT * FROM v_fraud_dashboard`).first();
+    const topIps     = await env.DB.prepare(`
+      SELECT ip_address, COUNT(*) as events, MAX(fraud_score) as peak_score
+      FROM fraud_signals
+      WHERE detected_at >= datetime('now', '-24 hours') AND action_taken = 'dropped'
+      GROUP BY ip_address ORDER BY events DESC LIMIT 10
+    `).all();
+    const topReasons = await env.DB.prepare(`
+      SELECT action_taken, COUNT(*) as count FROM fraud_signals
+      WHERE detected_at >= datetime('now', '-24 hours')
+      GROUP BY action_taken
+    `).all();
+
+    return new Response(JSON.stringify({
+      success: true, period: '24h', dashboard,
+      top_attacking_ips: topIps.results || [],
+      by_action: topReasons.results || [],
+    }), { status: 200, headers });
+  } catch (err) {
+    console.error('[Fraud] stats error:', err.message);
+    return new Response(JSON.stringify({ error: err.message }), { status: 500, headers });
+  }
+}

package/server-edge-tracker/modules/ml/ltv.js

@@ -0,0 +1,320 @@
+/**
+ * CDP Edge — LTV Prediction + A/B Testing de Prompts (Fases 3 e 4)
+ * predictLtv, getLtvAbVariation, recordAbAssignment, handlers /api/ltv/*
+ */
+
+// Cache key para o teste ativo (KV — evita hit no D1 a cada request /track)
+const AB_LTV_CACHE_KEY = 'ab_ltv_active_test';
+
+// ── predictLtv — Heurística em 5 dimensões (0-100 pts) ───────────────────────
+export async function predictLtv(env, payload, request, customSystemPrompt = null) {
+  let score = 0;
+
+  // 1. Engajamento browser (0–30)
+  const engScore  = parseFloat(payload.engagementScore || 0);
+  const userScore = parseFloat(payload.userScore || 0);
+  score += Math.min(15, Math.round((engScore / 5) * 15));
+  score += Math.min(15, Math.round((userScore / 100) * 15));
+
+  // 2. Origem de tráfego (0–25)
+  const src = (payload.utmSource || '').toLowerCase();
+  const utm_score_map = {
+    facebook: 25, instagram: 25, meta: 25,
+    google: 22, youtube: 22, tiktok: 20,
+    email: 18, sms: 18,
+    organic: 10, direct: 5,
+  };
+  score += utm_score_map[src] ?? (src ? 8 : 3);
+
+  // 3. Contexto de rede (0–15)
+  const hour    = new Date().getUTCHours();
+  const country = (payload.country || request.cf?.country || '').toUpperCase();
+  const org     = String(request.cf?.asOrganization || '').toLowerCase();
+
+  const isHighConvTime = hour >= 21 || hour <= 2;
+  score += isHighConvTime ? 8 : (hour >= 12 && hour <= 20 ? 4 : 1);
+
+  const latam = ['AR', 'CL', 'CO', 'MX', 'PE', 'UY', 'PY', 'BO'];
+  score += country === 'BR' ? 5 : (latam.includes(country) ? 3 : 1);
+
+  const isCorp = /ltda|s\.a\.|corp|telecom|fibra|claro|vivo|tim|oi/.test(org);
+  score += isCorp ? 2 : 0;
+
+  // 4. Contexto do evento (0–20)
+  const intentionLevel = (payload.intentionLevel || '').toLowerCase();
+  if (intentionLevel === 'comprador' || intentionLevel === 'high_intent') score += 20;
+  else if (intentionLevel === 'interessado') score += 12;
+  else if (intentionLevel === 'nurture') score += 6;
+
+  // 5. Dados PII disponíveis (0–10)
+  if (payload.email) score += 4;
+  if (payload.phone) score += 4;
+  if (payload.firstName) score += 2;
+
+  score = Math.min(100, score);
+
+  let ltvClass, ltvMultiplier;
+  if (score >= 70) {
+    ltvClass = 'High';   ltvMultiplier = 3.5;
+  } else if (score >= 40) {
+    ltvClass = 'Medium'; ltvMultiplier = 1.8;
+  } else {
+    ltvClass = 'Low';    ltvMultiplier = 0.8;
+  }
+
+  const productValue   = payload.value ? parseFloat(payload.value) : 0;
+  const baseValue      = productValue > 0 ? productValue : 197;
+  const predictedValue = Math.round(baseValue * ltvMultiplier * 100) / 100;
+
+  // Enriquecimento opcional via Workers AI
+  let aiAdjustment = 0;
+  if (env.AI && score >= 40) {
+    try {
+      const systemContent = customSystemPrompt ||
+        'You are a conversion rate expert. Reply ONLY with a JSON object {"adjustment": <number between -10 and 10>} based on the lead data provided. No explanation.';
+      const prompt = [
+        { role: 'system', content: systemContent },
+        { role: 'user', content: JSON.stringify({
+          utm_source:  payload.utmSource,
+          intention:   intentionLevel,
+          engagement:  engScore,
+          hour_utc:    hour,
+          country,
+          has_email:   !!payload.email,
+          has_phone:   !!payload.phone,
+        })},
+      ];
+      const aiRes = await env.AI.run('@cf/meta/llama-3.1-8b-instruct', { messages: prompt, max_tokens: 32 });
+      const parsed = JSON.parse(aiRes.response.trim());
+      if (typeof parsed.adjustment === 'number') {
+        aiAdjustment = Math.max(-10, Math.min(10, parsed.adjustment));
+      }
+    } catch { /* graceful fallback */ }
+  }
+
+  return {
+    score: Math.min(100, Math.max(0, score + aiAdjustment)),
+    class: ltvClass,
+    value: predictedValue,
+  };
+}
+
+// ── getLtvAbVariation — busca variação ativa do A/B test ─────────────────────
+export async function getLtvAbVariation(env) {
+  if (!env.DB) return null;
+
+  try {
+    let testData = null;
+    if (env.GEO_CACHE) {
+      const cached = await env.GEO_CACHE.get(AB_LTV_CACHE_KEY, 'json');
+      if (cached) testData = cached;
+    }
+
+    if (!testData) {
+      const test = await env.DB.prepare(`
+        SELECT t.id AS test_id, v.id AS variation_id,
+               v.name, v.system_prompt, v.weight, v.is_control
+        FROM ltv_ab_tests t
+        JOIN ltv_ab_variations v ON v.test_id = t.id
+        WHERE t.status = 'running'
+        ORDER BY t.id DESC
+      `).all();
+
+      if (!test.results || test.results.length === 0) {
+        if (env.GEO_CACHE) await env.GEO_CACHE.put(AB_LTV_CACHE_KEY, JSON.stringify(null), { expirationTtl: 300 });
+        return null;
+      }
+
+      testData = test.results;
+      if (env.GEO_CACHE) await env.GEO_CACHE.put(AB_LTV_CACHE_KEY, JSON.stringify(testData), { expirationTtl: 300 });
+    }
+
+    if (!testData || testData.length === 0) return null;
+
+    const totalWeight = testData.reduce((s, v) => s + (v.weight || 0.5), 0);
+    let rand = Math.random() * totalWeight;
+    for (const variation of testData) {
+      rand -= (variation.weight || 0.5);
+      if (rand <= 0) return variation;
+    }
+    return testData[testData.length - 1];
+
+  } catch (err) {
+    console.error('[AB-LTV] getLtvAbVariation error:', err.message);
+    return null;
+  }
+}
+
+// ── recordAbAssignment — registra variação usada para um lead ─────────────────
+export async function recordAbAssignment(env, userId, variationId, testId, predictedLtv, predictedClass, emailHash) {
+  if (!env.DB) return;
+  try {
+    await env.DB.prepare(`
+      INSERT INTO ltv_ab_assignments (test_id, variation_id, user_id, email_hash, predicted_ltv, predicted_class, assigned_at)
+      VALUES (?, ?, ?, ?, ?, ?, datetime('now'))
+    `).bind(testId, variationId, userId, emailHash || null, predictedLtv || null, predictedClass || null).run();
+
+    await env.DB.prepare(`UPDATE ltv_ab_variations SET total_assigned = total_assigned + 1 WHERE id = ?`).bind(variationId).run();
+  } catch (err) {
+    console.error('[AB-LTV] recordAbAssignment error:', err.message);
+  }
+}
+
+// ── POST /api/ltv/ab-test/create ─────────────────────────────────────────────
+export async function handleLtvAbTestCreate(env, request, headers) {
+  if (!env.DB) return new Response(JSON.stringify({ error: 'DB não configurado' }), { status: 503, headers });
+
+  let body;
+  try { body = await request.json(); }
+  catch { return new Response(JSON.stringify({ error: 'JSON inválido no body' }), { status: 400, headers }); }
+
+  const { name, description, min_sample = 100, variations } = body;
+  if (!name) return new Response(JSON.stringify({ error: 'name é obrigatório' }), { status: 400, headers });
+  if (!Array.isArray(variations) || variations.length < 2) {
+    return new Response(JSON.stringify({ error: 'Mínimo 2 variações são necessárias' }), { status: 400, headers });
+  }
+
+  const running = await env.DB.prepare(`SELECT id FROM ltv_ab_tests WHERE status = 'running' LIMIT 1`).first();
+  if (running) {
+    return new Response(JSON.stringify({ error: 'Já existe um teste em andamento.', running_test_id: running.id }), { status: 409, headers });
+  }
+
+  try {
+    const now = new Date().toISOString();
+    const totalWeight = variations.reduce((s, v) => s + (v.weight || 0.5), 0);
+    if (Math.abs(totalWeight - 1.0) > 0.05) {
+      return new Response(JSON.stringify({ error: `A soma dos weights deve ser 1.0. Recebido: ${totalWeight.toFixed(3)}` }), { status: 400, headers });
+    }
+    if (!variations.some(v => v.is_control)) {
+      return new Response(JSON.stringify({ error: 'Pelo menos uma variação deve ter is_control: true' }), { status: 400, headers });
+    }
+
+    const testRes = await env.DB.prepare(`
+      INSERT INTO ltv_ab_tests (name, description, status, min_sample, created_at) VALUES (?, ?, 'running', ?, ?)
+    `).bind(name, description || null, min_sample, now).run();
+
+    const testId = testRes.meta?.last_row_id;
+    if (!testId) throw new Error('Falha ao criar o teste no D1');
+
+    const createdVariations = [];
+    for (const v of variations) {
+      const vRes = await env.DB.prepare(`
+        INSERT INTO ltv_ab_variations (test_id, name, system_prompt, weight, is_control, created_at) VALUES (?, ?, ?, ?, ?, ?)
+      `).bind(testId, v.name, v.system_prompt, v.weight || 0.5, v.is_control ? 1 : 0, now).run();
+      createdVariations.push({ id: vRes.meta?.last_row_id, name: v.name, weight: v.weight, is_control: !!v.is_control });
+    }
+
+    if (env.GEO_CACHE) await env.GEO_CACHE.delete(AB_LTV_CACHE_KEY);
+
+    return new Response(JSON.stringify({ success: true, test_id: testId, name, status: 'running', min_sample, variations: createdVariations, started_at: now }), { status: 201, headers });
+  } catch (err) {
+    console.error('[AB-LTV] create error:', err.message);
+    return new Response(JSON.stringify({ error: err.message }), { status: 500, headers });
+  }
+}
+
+// ── GET /api/ltv/ab-test/list ─────────────────────────────────────────────────
+export async function handleLtvAbTestList(env, request, headers) {
+  if (!env.DB) return new Response(JSON.stringify({ error: 'DB não configurado' }), { status: 503, headers });
+
+  const url    = new URL(request.url);
+  const status = url.searchParams.get('status') || null;
+  const limit  = Math.min(parseInt(url.searchParams.get('limit') || '20'), 50);
+
+  try {
+    const cond     = status ? 'WHERE t.status = ?' : '';
+    const bindings = status ? [status, limit] : [limit];
+
+    const tests = await env.DB.prepare(`
+      SELECT t.id, t.name, t.description, t.status, t.winner_id,
+             t.started_at, t.completed_at, t.created_at, t.min_sample,
+             COUNT(DISTINCT v.id) AS variation_count,
+             SUM(v.total_assigned) AS total_assigned
+      FROM ltv_ab_tests t
+      LEFT JOIN ltv_ab_variations v ON v.test_id = t.id
+      ${cond}
+      GROUP BY t.id
+      ORDER BY t.created_at DESC
+      LIMIT ?
+    `).bind(...bindings).all();
+
+    return new Response(JSON.stringify({ success: true, total: (tests.results || []).length, tests: tests.results || [] }), { status: 200, headers });
+  } catch (err) {
+    console.error('[AB-LTV] list error:', err.message);
+    return new Response(JSON.stringify({ error: err.message }), { status: 500, headers });
+  }
+}
+
+// ── GET /api/ltv/ab-test/results ─────────────────────────────────────────────
+export async function handleLtvAbTestResults(env, request, headers) {
+  if (!env.DB) return new Response(JSON.stringify({ error: 'DB não configurado' }), { status: 503, headers });
+
+  const url    = new URL(request.url);
+  const testId = url.searchParams.get('test_id') || null;
+
+  try {
+    const cond    = testId ? 'WHERE test_id = ?' : 'WHERE status = \'running\'';
+    const testBind = testId ? [parseInt(testId)] : [];
+
+    const testRes = await env.DB.prepare(`SELECT id, name, status, min_sample, winner_id, started_at FROM ltv_ab_tests ${cond} LIMIT 1`).bind(...testBind).first();
+    if (!testRes) return new Response(JSON.stringify({ error: 'Nenhum teste encontrado' }), { status: 404, headers });
+
+    const perf = await env.DB.prepare(`SELECT * FROM v_ab_test_performance WHERE test_id = ?`).bind(testRes.id).all();
+    const variations = perf.results || [];
+    const ready      = variations.every(v => (v.total_assigned || 0) >= testRes.min_sample);
+    let recommendation = null;
+
+    if (ready && variations.length > 0) {
+      const best = variations.reduce((a, b) => (b.accuracy_score || 0) > (a.accuracy_score || 0) ? b : a);
+      const control = variations.find(v => v.is_control);
+      const improvement = control ? ((best.accuracy_score || 0) - (control.accuracy_score || 0)) * 100 : null;
+      recommendation = {
+        winner_variation_id: best.variation_id, winner_variation_name: best.variation_name,
+        accuracy_score: best.accuracy_score, improvement_vs_control: improvement ? `+${improvement.toFixed(1)}%` : null,
+        ready_to_declare: true,
+      };
+    }
+
+    return new Response(JSON.stringify({
+      success: true,
+      test: { id: testRes.id, name: testRes.name, status: testRes.status, min_sample: testRes.min_sample, started_at: testRes.started_at, is_ready: ready },
+      variations, recommendation,
+    }), { status: 200, headers });
+  } catch (err) {
+    console.error('[AB-LTV] results error:', err.message);
+    return new Response(JSON.stringify({ error: err.message }), { status: 500, headers });
+  }
+}
+
+// ── POST /api/ltv/ab-test/winner ──────────────────────────────────────────────
+export async function handleLtvAbTestWinner(env, request, headers) {
+  if (!env.DB) return new Response(JSON.stringify({ error: 'DB não configurado' }), { status: 503, headers });
+
+  let body;
+  try { body = await request.json(); }
+  catch { return new Response(JSON.stringify({ error: 'JSON inválido' }), { status: 400, headers }); }
+
+  const { test_id, variation_id } = body;
+  if (!test_id || !variation_id) {
+    return new Response(JSON.stringify({ error: 'test_id e variation_id são obrigatórios' }), { status: 400, headers });
+  }
+
+  try {
+    const variation = await env.DB.prepare(`SELECT id, name, system_prompt, is_control FROM ltv_ab_variations WHERE id = ? AND test_id = ?`).bind(variation_id, test_id).first();
+    if (!variation) return new Response(JSON.stringify({ error: 'Variação não encontrada para este teste' }), { status: 404, headers });
+
+    await env.DB.prepare(`UPDATE ltv_ab_tests SET winner_id = ?, status = 'completed', completed_at = datetime('now') WHERE id = ?`).bind(variation_id, test_id).run();
+    if (env.GEO_CACHE) await env.GEO_CACHE.delete(AB_LTV_CACHE_KEY);
+
+    return new Response(JSON.stringify({
+      success: true, test_id, winner_variation_id: variation_id, winner_name: variation.name,
+      is_control: variation.is_control === 1, winning_prompt: variation.system_prompt,
+      message: variation.is_control === 1
+        ? 'O prompt original (controle) venceu. Nenhuma alteração necessária.'
+        : 'Novo prompt vencedor identificado. Copie o campo winning_prompt e aplique ao predictLtv() como novo default.',
+    }), { status: 200, headers });
+  } catch (err) {
+    console.error('[AB-LTV] winner error:', err.message);
+    return new Response(JSON.stringify({ error: err.message }), { status: 500, headers });
+  }
+}