From 03790ecb9e8e74a3e1153164bece7210f002971f Mon Sep 17 00:00:00 2001
From: Leonardo <lmnohama@gmail.com>
Date: Sat, 13 Jun 2026 20:02:40 -0300
Subject: [PATCH] freemium F3c: root_redirect (config + RPC publica)

- saas_app_config singleton (root_redirect landing|login, RLS saas_admin write)
- get_root_redirect() anon-callable; default 'landing'
- guard/front usam pra rotear "/" do visitante nao-logado (front na sequencia)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 ...freemium_f3c_app_config.supabase_admin.sql | 43 +++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100644 database-novo/manual/freemium_f3c_app_config.supabase_admin.sql

diff --git a/database-novo/manual/freemium_f3c_app_config.supabase_admin.sql b/database-novo/manual/freemium_f3c_app_config.supabase_admin.sql
new file mode 100644
index 0000000..18d84b1
--- /dev/null
+++ b/database-novo/manual/freemium_f3c_app_config.supabase_admin.sql
@@ -0,0 +1,43 @@
+-- =============================================================================
+-- Freemium F3c — root_redirect (pra onde o visitante não-logado vai na raiz "/")
+--
+-- ⚠️ APLICAR COMO supabase_admin (RLS por is_saas_admin).
+--
+-- Config singleton saas_app_config + RPC pública get_root_redirect() (anon lê o
+-- alvo: 'landing' | 'login'). O guard do front usa pra rotear "/". Só saas_admin
+-- altera (via UPDATE direto, gated por RLS).
+-- =============================================================================
+
+BEGIN;
+
+CREATE TABLE IF NOT EXISTS public.saas_app_config (
+    id            boolean PRIMARY KEY DEFAULT true,   -- singleton: sempre id=true
+    root_redirect text NOT NULL DEFAULT 'landing' CHECK (root_redirect IN ('landing','login')),
+    updated_at    timestamptz NOT NULL DEFAULT now(),
+    updated_by    uuid,
+    CONSTRAINT saas_app_config_singleton CHECK (id)
+);
+
+INSERT INTO public.saas_app_config (id) VALUES (true) ON CONFLICT (id) DO NOTHING;
+
+ALTER TABLE public.saas_app_config ENABLE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS saas_app_config_read ON public.saas_app_config;
+CREATE POLICY saas_app_config_read ON public.saas_app_config FOR SELECT USING (true);
+DROP POLICY IF EXISTS saas_app_config_write ON public.saas_app_config;
+CREATE POLICY saas_app_config_write ON public.saas_app_config
+    FOR UPDATE USING (public.is_saas_admin()) WITH CHECK (public.is_saas_admin());
+
+GRANT SELECT ON public.saas_app_config TO anon, authenticated;
+GRANT UPDATE ON public.saas_app_config TO authenticated;
+
+-- RPC pública: alvo do "/" pra visitante não-logado
+CREATE OR REPLACE FUNCTION public.get_root_redirect()
+RETURNS text LANGUAGE sql STABLE SECURITY DEFINER SET search_path TO 'public','pg_temp'
+AS $$
+    SELECT COALESCE((SELECT root_redirect FROM public.saas_app_config WHERE id), 'landing');
+$$;
+ALTER FUNCTION public.get_root_redirect() OWNER TO supabase_admin;
+REVOKE ALL ON FUNCTION public.get_root_redirect() FROM PUBLIC;
+GRANT EXECUTE ON FUNCTION public.get_root_redirect() TO anon, authenticated, service_role;
+
+COMMIT;