npm - sinapse-ai - Versions diffs - 9.3.0 → 9.5.0 - Mend

sinapse-ai 9.3.0 → 9.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (432) hide show

package/.sinapse-ai/development/knowledge-base/infrastructure-decision-framework.md ADDED Viewed

@@ -0,0 +1,221 @@
+# Infrastructure Decision Framework
+> **Agente(s):** @architect (Stratum)
+> **Fonte:** enterprise-infrastructure-patterns.md, aws-cloud-infrastructure.md, load-testing-capacity-planning.md
+> **Uso:** Consultar ao definir stack de infraestrutura para projetos novos ou ao avaliar necessidade de scaling
+---
+## 1. Sistema de Tiers
+### Tier 1: MVP (0-1K usuarios, <$50/mes)
+| Componente | Servico | Custo |
+|-----------|---------|-------|
+| Frontend | Vercel (Hobby/Pro) | $0-20/mes |
+| Backend/API | Vercel Serverless / Supabase Edge Functions | Incluso |
+| Database | Supabase Free/Pro (PostgreSQL) | $0-25/mes |
+| Auth | Supabase Auth (GoTrue) | Incluso |
+| Storage | Supabase Storage (S3-compatible) | Incluso |
+| CDN | Vercel Edge Network | Incluso |
+| Monitoring | Vercel Analytics + Sentry Free | $0 |
+**Quando usar:** MVP, validacao de produto, projetos pessoais, startups pre-revenue.
+### Tier 2: Growth (1K-50K usuarios, $50-500/mes)
+| Componente | Servico | Custo Estimado |
+|-----------|---------|----------------|
+| Frontend | Vercel Pro | $20/mes |
+| Backend/API | Vercel + Supabase Edge Functions | $25-100/mes |
+| Database | Supabase Pro (dedicated compute) | $25-100/mes |
+| Cache | Upstash Redis | $10-50/mes |
+| CDN/Security | Cloudflare Pro | $20/mes |
+| Feature Flags | GrowthBook (self-hosted) | $0 |
+| Monitoring | Sentry + Vercel Analytics | $26-50/mes |
+| Email | Resend / SendGrid | $0-20/mes |
+**Adicoes vs Tier 1:** Cloudflare (WAF, DDoS, cache), Redis (session, rate limiting), monitoring dedicado.
+### Tier 3: Scale (50K-500K usuarios, $500-5K/mes)
+| Componente | Servico | Custo Estimado |
+|-----------|---------|----------------|
+| Frontend | Vercel Enterprise ou CloudFront + S3 | $100-500/mes |
+| Backend/API | Supabase + AWS Lambda / ECS Fargate | $200-1K/mes |
+| Database | Supabase Pro + Read Replicas ou Aurora Serverless v2 | $100-500/mes |
+| Cache | ElastiCache Redis ou Upstash Pro | $50-200/mes |
+| CDN/Security | Cloudflare Business + WAF | $200/mes |
+| Queue | SQS / EventBridge | $10-50/mes |
+| Search | Meilisearch / Typesense | $50-200/mes |
+| Monitoring | Datadog / Grafana Cloud | $100-500/mes |
+**Adicoes vs Tier 2:** Read replicas, queues asincronas, search engine dedicado, observability profunda.
+### Tier 4: Enterprise (500K+ usuarios, $5K+/mes)
+| Componente | Servico | Custo Estimado |
+|-----------|---------|----------------|
+| Compute | ECS Fargate / EKS + Lambda (hibrido) | $1-5K/mes |
+| Database | Aurora PostgreSQL + DynamoDB (polyglot) | $500-2K/mes |
+| Cache | ElastiCache Redis Cluster | $200-1K/mes |
+| CDN | CloudFront + Cloudflare (dual) | $500-2K/mes |
+| Queue/Events | SQS + EventBridge + Step Functions | $50-500/mes |
+| Search | Elasticsearch / OpenSearch | $500-2K/mes |
+| IaC | Terraform + AWS CDK | $0 (tooling) |
+| CI/CD | GitHub Actions + ArgoCD | $0-500/mes |
+| Security | AWS WAF + Shield + GuardDuty | $500-3K/mes |
+| Monitoring | Datadog / Grafana Cloud | $500-2K/mes |
+**Adicoes vs Tier 3:** Multi-AZ, multi-region, IaC completo, GitOps, security stack dedicado.
+---
+## 2. Decision Tree: Qual Tier Escolher?
+```
+Quantos usuarios esperados nos proximos 6 meses?
+|
++-- < 1K --> TIER 1 (Vercel + Supabase)
+|
++-- 1K-50K --> Tem requisitos de cache ou rate limiting?
+|   |-- SIM --> TIER 2 (+ Cloudflare + Redis)
+|   +-- NAO --> TIER 1 (escalar depois)
+|
++-- 50K-500K --> Precisa de processamento assincrono?
+|   |-- SIM --> TIER 3 (+ AWS Lambda/SQS)
+|   +-- NAO --> TIER 2 estendido
+|
++-- > 500K --> Precisa de multi-region ou compliance enterprise?
+    |-- SIM --> TIER 4 (full AWS)
+    +-- NAO --> TIER 3 estendido
+```
+---
+## 3. Triggers de Graduacao ("Quando Escalar")
+### Tier 1 --> Tier 2
+| Sinal | Metrica | Acao |
+|-------|---------|------|
+| Latencia subindo | p95 > 500ms em API | Adicionar Redis para cache |
+| Rate limiting necessario | Abuso detectado | Cloudflare + Upstash rate limit |
+| Cold starts impactando UX | > 1s em Edge Functions | Avaliar Provisioned Concurrency |
+| DDoS ou bot traffic | Spikes inexplicaveis | Cloudflare WAF |
+### Tier 2 --> Tier 3
+| Sinal | Metrica | Acao |
+|-------|---------|------|
+| DB CPU > 70% sustentado | Dashboard Supabase | Read Replicas ou compute maior |
+| Filas de processamento crescendo | Jobs falhando/atrasando | SQS + Lambda async |
+| Busca textual lenta | Full-text search > 200ms | Meilisearch / Typesense dedicado |
+| Custo Vercel > $500/mes | Fatura mensal | Avaliar CloudFront + S3 |
+### Tier 3 --> Tier 4
+| Sinal | Metrica | Acao |
+|-------|---------|------|
+| Necessidade de multi-region | Usuarios globais | Aurora Global + CloudFront |
+| Compliance (SOC2, HIPAA) | Requisito de cliente | AWS Organizations + SCPs |
+| Infra manual nao escala | > 20 servicos | IaC (Terraform/CDK) + GitOps |
+| Incidentes frequentes | > 2 outages/mes | Observability completa + chaos engineering |
+---
+## 4. Comparativo de Compute (AWS)
+| Criterio | Lambda | ECS/Fargate | App Runner | EC2 |
+|----------|--------|-------------|------------|-----|
+| Execucao max | 15 min | Ilimitado | Ilimitado | Ilimitado |
+| Cold start | 200ms-15s | 30-60s | Rapido | N/A |
+| Scaling | ms (auto) | min (auto) | Auto | ASG (min) |
+| Complexidade | Baixa | Media-Alta | Baixa | Alta |
+| Melhor para | Event-driven, APIs | Containers, sustentado | MVPs, simples | Legacy, GPU |
+**Decision tree:**
+```
+Execucao > 15 min?
+|-- SIM --> Containers (ECS/Fargate) ou EC2
+|-- NAO --> Event-driven ou HTTP API leve?
+    |-- SIM --> Lambda
+    +-- NAO --> Equipe sabe containers?
+        |-- SIM --> ECS/Fargate
+        +-- NAO --> App Runner
+```
+**Breakeven serverless vs containers:** ~15 req/s sustentados. Abaixo = Lambda mais barato. Acima = containers mais custo-efetivos.
+---
+## 5. Comparativo de Storage (AWS)
+| Criterio | S3 | EBS | EFS |
+|----------|-----|-----|-----|
+| Tipo | Object | Block | File (NFS) |
+| Durabilidade | 11 nines | 5 nines | 11 nines |
+| Custo/GB/mes | $0.023 | $0.08 | $0.30 |
+| Melhor para | Objetos, backups, static | Databases, boot volumes | Shared filesystems |
+**Regra:** EBS para velocidade, EFS para acesso compartilhado, S3 para escala e custo.
+---
+## 6. Deployment Strategies
+| Estrategia | Custo Infra | Rollback | Risco | Melhor Para |
+|-----------|-------------|----------|-------|-------------|
+| Blue/Green | 2x (dobro) | Instantaneo | Medio | Releases maiores |
+| Canary | +pequeno | Rapido | Baixo | Apps de alta evolucao |
+| Rolling Update | Existente | Lento | Medio | Mudancas incrementais |
+```
+Orcamento para dobrar infra?
+|-- SIM --> Blue/Green
+|-- NAO --> Controle fino de % de usuarios?
+    |-- SIM --> Canary
+    +-- NAO --> Rolling Update
+```
+---
+## 7. IaC Decision Framework
+```
+100% AWS?
+|-- SIM --> Prefere linguagens de programacao?
+|   |-- SIM --> AWS CDK
+|   +-- NAO --> CloudFormation
++-- NAO --> Equipe de infra ou dev?
+    |-- INFRA --> Terraform
+    +-- DEV --> Pulumi
+```
+---
+## 8. Load Testing Quick Reference
+| Tipo de Teste | Pergunta que Responde | Quando Usar |
+|--------------|----------------------|-------------|
+| Smoke | Script funciona? | Antes de todo teste |
+| Load | Performa sob carga normal? | Pre-lancamento |
+| Stress | O que acontece alem do normal? | Pre-lancamento |
+| Spike | Sobrevive a picos (Black Friday)? | Pre-evento |
+| Soak | Memory leaks? Degradacao? | Pos-lancamento |
+| Breakpoint | Capacidade maxima? | Capacity planning |
+**Ferramenta recomendada:** k6 (JS/TS nativo, CI/CD, thresholds como SLOs).
+**Metricas-chave (NUNCA usar media):**
+- p50 < 200ms | p95 < 500ms | p99 < 1000ms
+- Error rate < 0.1%
+- CPU < 70% sustentado
+---
+## 9. Cross-References
+- Database scaling: ver `database-scaling-patterns.md`
+- Environments e secrets: ver `environment-deployment-patterns.md`
+- Security pre-deploy: ver `security-pre-deploy-checklist.md`

package/.sinapse-ai/development/knowledge-base/security-pre-deploy-checklist.md ADDED Viewed

@@ -0,0 +1,410 @@
+# Security Pre-Deploy Checklist
+> **Agente(s):** @quality-gate (Quinn), @cyber-orqx (Fortress)
+> **Fonte:** security-hardening-enterprise.md
+> **Uso:** Executar ANTES de cada deploy para producao. Checklist tiered por maturidade do projeto.
+---
+## 1. Checklist por Tier
+### Tier MVP (10 items) -- Minimo absoluto para ir ao ar
+- [ ] **RLS ativado** em TODAS as tabelas com dados de usuario
+- [ ] **service_role** NAO exposto no frontend (grep: `service_role` em `src/`, `app/`, `pages/`)
+- [ ] **API keys** nao hardcoded no codigo (scan: `npx gitleaks detect --source=.`)
+- [ ] **HTTPS** forcado (HSTS header configurado)
+- [ ] **Input validation** com Zod/Joi em todos os endpoints
+- [ ] **Rate limiting** em endpoints de auth (max 5 req/15min)
+- [ ] **CORS** restrito a origens conhecidas (nunca `origin: '*'`)
+- [ ] **npm audit** sem vulnerabilidades critical/high (`npm audit --audit-level=high`)
+- [ ] **.env** no .gitignore + `.env.example` commitado com placeholders
+- [ ] **Senhas/tokens default** removidos (nenhum admin/admin, test/test)
+### Tier Growth (+10 items = 20 total)
+- [ ] **MFA ativado** em contas admin/cloud/prod (licao #1 dos maiores breaches)
+- [ ] **Security headers** configurados (helmet ou next.config.js)
+- [ ] **NEXT_PUBLIC_** nao contem secrets (grep em `.env*`)
+- [ ] **Parameterized queries** em todo SQL (nunca string concatenation)
+- [ ] **Error handling** seguro (sem stack traces em producao)
+- [ ] **JWT** com expiracao curta (access: 15-30min, refresh: 7-14 dias)
+- [ ] **Cookie** de sessao: httpOnly, secure, sameSite strict
+- [ ] **Dependabot/Renovate** configurado para PRs automaticos
+- [ ] **Branch protection** ativa em main (require PR + review)
+- [ ] **Secret scanning** habilitado no GitHub
+### Tier Enterprise (+15 items = 35 total)
+- [ ] **WAF** configurado (Cloudflare WAF ou AWS WAF com CRS)
+- [ ] **SAST** no CI/CD (Semgrep ou CodeQL em PRs)
+- [ ] **SCA** com behavioral analysis (Socket.dev)
+- [ ] **DAST** contra staging (OWASP ZAP em CI)
+- [ ] **SBOM** gerado e atualizado (`npm sbom --sbom-format cyclonedx`)
+- [ ] **GitHub Actions** pinned por hash (nao por tag)
+- [ ] **LGPD** compliance (consentimento, portal de direitos, DPO designado)
+- [ ] **Logging** centralizado de falhas de autorizacao
+- [ ] **Backup** verificado nos ultimos 90 dias
+- [ ] **Incident response** plan documentado
+- [ ] **KMS** com keys separadas por servico
+- [ ] **VPC/Network** segmentado (public/private subnets)
+- [ ] **GuardDuty** ou equivalente em todas as contas
+- [ ] **Passkeys/WebAuthn** como opcao de autenticacao
+- [ ] **SRI** (Subresource Integrity) em scripts externos
+---
+## 2. OWASP Top 10:2025 -- Quick-Fix Patterns
+### A01: Broken Access Control (#1)
+```javascript
+// PROIBIDO: Confiar em parametros do client
+app.get('/api/users/:id', (req, res) => {
+  const profile = await db.getUserProfile(req.params.id); // IDOR!
+});
+// CORRETO: Validar ownership
+app.get('/api/users/:id', authenticate, (req, res) => {
+  if (req.params.id !== req.user.id && !req.user.roles.includes('admin')) {
+    return res.status(403).json({ error: 'Forbidden' });
+  }
+  const profile = await db.getUserProfile(req.params.id);
+});
+```
+```sql
+-- RLS obrigatorio em Supabase
+ALTER TABLE user_profiles ENABLE ROW LEVEL SECURITY;
+CREATE POLICY "users_read_own" ON user_profiles FOR SELECT
+    USING ((SELECT auth.uid()) = user_id);
+```
+### A02: Security Misconfiguration (#2 -- subiu de #5)
+```javascript
+// PROIBIDO: Stack traces em producao
+res.status(500).json({ error: err.stack });
+// CORRETO: Mensagem generica + log interno
+logger.error('Internal error', { error: err.message, requestId: req.id });
+res.status(500).json({ error: 'Internal server error', requestId: req.id });
+```
+```javascript
+// next.config.js -- desabilitar headers reveladores
+module.exports = {
+  poweredByHeader: false,
+  headers: async () => [{
+    source: '/:path*',
+    headers: [
+      { key: 'X-Frame-Options', value: 'DENY' },
+      { key: 'X-Content-Type-Options', value: 'nosniff' },
+      { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
+    ],
+  }],
+};
+```
+### A03: Supply Chain Failures (NOVA)
+```bash
+# CI: usar npm ci (NUNCA npm install)
+npm ci
+# Pinnar GitHub Actions por hash
+- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+# Verificar integridade de scripts externos (SRI)
+```
+```html
+<script
+  src="https://cdn.example.com/analytics.js"
+  integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+..."
+  crossorigin="anonymous"
+></script>
+```
+### A05: Injection (#5)
+```javascript
+// PROIBIDO: SQL Injection
+const query = `SELECT * FROM users WHERE email = '${userInput}'`;
+// CORRETO: Parameterized
+const query = 'SELECT * FROM users WHERE email = $1';
+await db.query(query, [userInput]);
+// Supabase: ja parametrizado
+const { data } = await supabase.from('users').select('*').eq('email', userInput);
+```
+### A07: Authentication Failures
+```javascript
+// Rate limiting em login (anti brute-force)
+const authLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000,  // 15 min
+  max: 5,
+  keyGenerator: (req) => req.body.email || req.ip,
+});
+app.post('/api/auth/login', authLimiter, loginHandler);
+```
+---
+## 3. Supply Chain Security Checks
+### Ferramentas por Fase
+| Fase | Ferramenta | Comando/Config |
+|------|-----------|----------------|
+| Pre-commit | gitleaks | `npx gitleaks detect --source=.` |
+| PR | npm audit | `npm audit --audit-level=high` |
+| PR | Socket.dev | GitHub App (automatico) |
+| Merge | CodeQL | GitHub Advanced Security |
+| Continuous | Dependabot/Renovate | `.github/dependabot.yml` |
+### npm audit no CI
+```bash
+# OBRIGATORIO: falhar build se vulnerabilidades critical/high
+npm audit --audit-level=high
+# Gerar SBOM
+npm sbom --sbom-format cyclonedx > sbom.json
+```
+### Dependabot Config Minimo
+```yaml
+# .github/dependabot.yml
+version: 2
+updates:
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+    reviewers:
+      - "team/devs"
+```
+### Lockfile Integrity
+```json
+// package.json -- versoes exatas (nao ranges)
+{
+  "dependencies": {
+    "express": "4.21.2",    // exato
+    "lodash": "~4.17.21"   // patch only
+  }
+}
+```
+**Regra:** SEMPRE usar `npm ci` no CI. NUNCA `npm install` (pode atualizar lockfile).
+---
+## 4. LGPD Compliance Checklist (Lei Brasileira)
+- [ ] **Consentimento** explicito antes de coletar dados pessoais (Art. 7-8)
+- [ ] **Portal de direitos** do titular: acesso, correcao, exclusao (Art. 18)
+- [ ] **DPO/Encarregado** designado (Art. 41)
+- [ ] **Politica de privacidade** publicada e acessivel (Art. 9)
+- [ ] **Notificacao de breach** em ate 3 dias uteis (Resolucao 15)
+- [ ] **Data retention** com periodos definidos e documentados
+- [ ] **Transferencia internacional** com SCCs se aplicavel (Art. 33)
+- [ ] **Dados de criancas** com consentimento dos pais (Art. 14)
+- [ ] **Audit logging** de todo acesso a dados pessoais
+- [ ] **Anonimizacao** de dados em ambientes de staging/dev
+---
+## 5. Secret Scanning Commands
+```bash
+# Gitleaks -- detectar secrets no historico git
+npx gitleaks detect --source=. --verbose
+# Verificar secrets em arquivos staged
+npx gitleaks protect --staged
+# npm provenance -- verificar origem de pacotes
+npm audit signatures
+# Grep manual por patterns comuns
+# (usar Grep tool, nao bash grep)
+# Patterns: sk_live_, sk_test_, AKIA, ghp_, gho_
+```
+### Patterns de Secrets para Detectar
+| Pattern | Tipo | Risco |
+|---------|------|-------|
+| `sk_live_` | Stripe Secret Key | Critico |
+| `sk_test_` | Stripe Test Key | Alto |
+| `AKIA` | AWS Access Key | Critico |
+| `ghp_` / `gho_` | GitHub Personal/OAuth Token | Alto |
+| `eyJ` (base64 JWT) | JWT hardcoded | Alto |
+| `-----BEGIN RSA` | Private key | Critico |
+| `service_role` | Supabase service key | Critico |
+| `mongodb+srv://` com senha | MongoDB conn string | Critico |
+---
+## 6. RLS Validation Queries
+```sql
+-- Verificar tabelas SEM RLS (BLOCKER)
+SELECT schemaname, tablename
+FROM pg_tables
+WHERE schemaname = 'public'
+  AND tablename NOT IN ('_prisma_migrations', 'schema_migrations')
+  AND NOT rowsecurity;
+-- Verificar tabelas com RLS mas SEM policies (falso senso de seguranca)
+SELECT t.tablename
+FROM pg_tables t
+LEFT JOIN pg_policies p ON t.tablename = p.tablename
+WHERE t.schemaname = 'public'
+  AND t.rowsecurity = true
+GROUP BY t.tablename
+HAVING COUNT(p.policyname) = 0;
+-- Listar todas as policies ativas
+SELECT tablename, policyname, permissive, roles, cmd, qual
+FROM pg_policies
+WHERE schemaname = 'public'
+ORDER BY tablename;
+```
+---
+## 7. API Security Headers Checklist
+### Headers Obrigatorios
+| Header | Valor | Funcao |
+|--------|-------|--------|
+| `Content-Security-Policy` | Strict com nonces | Previne XSS |
+| `Strict-Transport-Security` | `max-age=63072000; includeSubDomains; preload` | Forca HTTPS |
+| `X-Frame-Options` | `DENY` | Previne clickjacking |
+| `X-Content-Type-Options` | `nosniff` | Previne MIME sniffing |
+| `Referrer-Policy` | `strict-origin-when-cross-origin` | Controla referer |
+| `Permissions-Policy` | `camera=(), microphone=(), geolocation=()` | Restringe browser APIs |
+### Implementacao com helmet
+```javascript
+import helmet from 'helmet';
+app.use(helmet({
+  contentSecurityPolicy: {
+    directives: {
+      defaultSrc: ["'self'"],
+      scriptSrc: ["'self'"],
+      imgSrc: ["'self'", 'data:', 'https://cdn.myapp.com'],
+      connectSrc: ["'self'", 'https://api.myapp.com', 'https://*.supabase.co'],
+      objectSrc: ["'none'"],
+      frameAncestors: ["'none'"],
+    },
+  },
+  strictTransportSecurity: { maxAge: 63072000, includeSubDomains: true, preload: true },
+  xFrameOptions: { action: 'deny' },
+}));
+```
+---
+## 8. Rate Limiting por Endpoint
+| Endpoint | Limite | Janela | Justificativa |
+|----------|--------|--------|---------------|
+| Login/Register | 5 req | 15 min | Anti brute-force |
+| Password reset | 3 req | 1 hora | Anti abuso |
+| API geral (auth) | 100 req | 1 min | Uso normal |
+| API geral (public) | 30 req | 1 min | Prevenir abuso |
+| Upload | 10 req | 1 hora | Recursos custosos |
+| Webhook | 1000 req | 1 min | Volume alto esperado |
+---
+## 9. Input Validation Pattern (Zod)
+```typescript
+import { z } from 'zod';
+const CreateUserSchema = z.object({
+  email: z.string().email().max(255).transform(v => v.toLowerCase().trim()),
+  name: z.string().min(2).max(100),
+  role: z.enum(['viewer', 'editor', 'admin']).default('viewer'),
+});
+app.post('/api/users', async (req, res) => {
+  const result = CreateUserSchema.safeParse(req.body);
+  if (!result.success) {
+    return res.status(400).json({ error: 'Validation failed', details: result.error.flatten() });
+  }
+  const user = await createUser(result.data);
+  res.json(user);
+});
+```
+---
+## 10. CI/CD Security Pipeline (GitHub Actions)
+```yaml
+name: Security Scanning
+on:
+  pull_request:
+    branches: [main]
+jobs:
+  sast:
+    runs-on: ubuntu-latest
+    container: { image: semgrep/semgrep }
+    steps:
+      - uses: actions/checkout@v4
+      - run: semgrep scan --config auto --sarif --output semgrep.sarif
+  sca:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - run: npm ci
+      - run: npm audit --audit-level=high
+  secrets:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with: { fetch-depth: 0 }
+      - uses: gitleaks/gitleaks-action@v2
+```
+---
+## 11. Auth Best Practices Quick-Reference
+| Pratica | Recomendacao |
+|---------|-------------|
+| Algoritmo JWT | RS256 (assimetrico) |
+| Access token TTL | 15-30 minutos |
+| Refresh token TTL | 7-14 dias |
+| Storage browser | httpOnly cookie (NUNCA localStorage) |
+| MFA recomendado | Passkeys > TOTP > Push > SMS |
+| OAuth flow | Authorization Code + PKCE (sempre) |
+| Implicit flow | NUNCA usar (deprecated) |
+| Key rotation | A cada 90 dias |
+---
+## 12. Cross-References
+- Infrastructure security por tier: ver `infrastructure-decision-framework.md`
+- Secrets management tools: ver `environment-deployment-patterns.md`
+- RLS optimization patterns: ver `database-scaling-patterns.md`
+- Constitution Article X (Security): ver `.claude/rules/security-data-protection.md`