CRM WhatsApp Grupo 3 completo + Marco A/B (Asaas) + admin SaaS + refactors polimórficos

Sessão 11+: fechamento do CRM de WhatsApp com dois providers (Evolution/Twilio), sistema de créditos com Asaas/PIX, polimorfismo de telefones/emails, e integração admin SaaS no /saas/addons existente. ═══════════════════════════════════════════════════════════════════════════ GRUPO 3 — WORKFLOW / CRM (completo) ═══════════════════════════════════════════════════════════════════════════ 3.1 Tags · migration conversation_tags + seed de 5 system tags · composable useConversationTags.js · popover + pills no drawer e nos cards do Kanban. 3.2 Atribuição de conversa a terapeuta · migration 20260421000012 com PK (tenant_id, thread_key), UPSERT, RLS que valida assignee como membro ativo do mesmo tenant · view conversation_threads expandida com assigned_to + assigned_at · composable useConversationAssignment.js · drawer com Select filtrável + botão "Assumir" · inbox com filtro aside (Todas/Minhas/Não atribuídas) e chip do responsável em cada card (destaca "Eu" em azul). 3.3 Notas internas · migration conversation_notes · composable + seção colapsável no drawer · apenas o criador pode editar/apagar (RLS). 3.5 Converter desconhecido em paciente · botão + dialog quick-cadastro · "Vincular existente" com Select filter de até 500 pacientes · cria telefone WhatsApp (vinculado) via upsertWhatsappForExisting. 3.6 Histórico de conversa no prontuário · nova aba "Conversas" em PatientProntuario.vue · PatientConversationsTab.vue com stats (total / recebidas / enviadas / primeira / última), SelectButton de filtro, timeline com bolhas por direção, mídia inline (imagem/áudio/vídeo/doc via signed URL), indicadores ✓ ✓✓ de delivery, botão "Abrir no CRM". ═══════════════════════════════════════════════════════════════════════════ MARCO A — UNIFICAÇÃO WHATSAPP (dois providers mutuamente exclusivos) ═══════════════════════════════════════════════════════════════════════════ - Página chooser ConfiguracoesWhatsappChooserPage.vue com 2 cards (Pessoal/ Oficial), deactivate via edge function deactivate-notification-channel - send-whatsapp-message refatorada com roteamento por provider; Twilio deduz 1 crédito antes do envio e refunda em falha - Paridade Twilio (novo): módulo compartilhado supabase/functions/_shared/ whatsapp-hooks.ts com lógica provider-agnóstica (opt-in, opt-out, auto- reply, schedule helpers em TZ São Paulo, makeTwilioCreditedSendFn que envolve envio em dedução atômica + rollback). Consumido por Evolution E Twilio inbound. Evolution refatorado (~290 linhas duplicadas removidas). - Bucket privado whatsapp-media · decrypt via Evolution getBase64From MediaMessage · upload com path tenant/yyyy/mm · signed URLs on-demand ═══════════════════════════════════════════════════════════════════════════ MARCO B — SISTEMA DE CRÉDITOS WHATSAPP + ASAAS ═══════════════════════════════════════════════════════════════════════════ Banco: - Migration 20260421000007_whatsapp_credits (4 tabelas: balance, transactions, packages, purchases) + RPCs add_whatsapp_credits e deduct_whatsapp_credits (atômicas com SELECT FOR UPDATE) - Migration 20260421000013_tenant_cpf_cnpj (coluna em tenants com CHECK de 11 ou 14 dígitos) Edge functions: - create-whatsapp-credit-charge · Asaas v3 (sandbox + prod) · PIX com QR code · getOrCreateAsaasCustomer patcha customer existente com CPF quando está faltando - asaas-webhook · recebe PAYMENT_RECEIVED/CONFIRMED e credita balance Frontend (tenant): - Página /configuracoes/creditos-whatsapp com saldo + loja + histórico - Dialog de confirmação com CPF/CNPJ (validação via isValidCPF/CNPJ de utils/validators, formatação on-blur, pré-fill de tenants.cpf_cnpj, persiste no primeiro uso) · fallback sandbox 24971563792 REMOVIDO - Composable useWhatsappCredits extrai erros amigáveis via error.context.json() Frontend (SaaS admin): - Em /saas/addons (reuso do pattern existente, não criou página paralela): - Aba 4 "Pacotes WhatsApp" — CRUD whatsapp_credit_packages com DataTable, toggle is_active inline, dialog de edição com validação - Aba 5 "Topup WhatsApp" — tenant Select com saldo ao vivo · RPC add_whatsapp_credits com p_admin_id = auth.uid() (auditoria) · histórico das últimas 20 transações topup/adjustment/refund ═══════════════════════════════════════════════════════════════════════════ GRUPO 2 — AUTOMAÇÃO ═══════════════════════════════════════════════════════════════════════════ 2.3 Auto-reply · conversation_autoreply_settings + conversation_autoreply_ log · 3 modos de schedule (agenda das regras semanais, business_hours custom, custom_window) · cooldown por thread · respeita opt-out · agora funciona em Evolution E Twilio (hooks compartilhados) 2.4 Lembretes de sessão · conversation_session_reminders_settings + _logs · edge send-session-reminders (cron) · janelas 24h e 2h antes · Twilio deduz crédito com rollback em falha ═══════════════════════════════════════════════════════════════════════════ GRUPO 5 — COMPLIANCE (LGPD Art. 18 §2) ═══════════════════════════════════════════════════════════════════════════ 5.2 Opt-out · conversation_optouts + conversation_optout_keywords (10 system seed + custom por tenant) · detecção por regex word-boundary e normalização (lowercase + strip acentos + pontuação) · ack automático (deduz crédito em Twilio) · opt-in via "voltar", "retornar", "reativar", "restart" · página /configuracoes/conversas-optouts com CRUD de keywords ═══════════════════════════════════════════════════════════════════════════ REFACTOR POLIMÓRFICO — TELEFONES + EMAILS ═══════════════════════════════════════════════════════════════════════════ - contact_types + contact_phones (entity_type + entity_id) — migration 20260421000008 · contact_email_types + contact_emails — 20260421000011 - Componentes ContactPhonesEditor.vue e ContactEmailsEditor.vue (add/edit/ remove com confirm, primary selector, WhatsApp linked badge) - Composables useContactPhones.js + useContactEmails.js com unsetOtherPrimaries() e validação - Trocado em PatientsCadastroPage.vue e MedicosPage.vue (removidos campos legados telefone/telefone_alternativo e email_principal/email_alternativo) - Migration retroativa v2 (20260421000010) detecta conversation_messages e cria/atualiza phone como WhatsApp vinculado ═══════════════════════════════════════════════════════════════════════════ POLIMENTO VISUAL + INFRA ═══════════════════════════════════════════════════════════════════════════ - Skeletons simplificados no dashboard do terapeuta - Animações fade-up com stagger via [--delay:Xms] (fix specificity sobre .dash-card box-shadow transition) - ConfirmDialog com group="conversation-drawer" (evita montagem duplicada) - Image preview PrimeVue com botão de download injetado via MutationObserver (fetch + blob para funcionar cross-origin) - Áudio/vídeo com preload="metadata" e controles de velocidade do browser - friendlySendError() mapeia códigos do edge pra mensagens pt-BR via error.context.json() - Teleport #cfg-page-actions para ações globais de Configurações - Brotli/Gzip + auto-import Vue/PrimeVue + bundle analyzer - AppLayout consolidado (removidas duplicatas por área) + RouterPassthrough - Removido console.trace debug que estava em watch de router e queries Supabase (degradava perf pra todos) - Realtime em conversation_messages via publication supabase_realtime - Notifier global flutuante com beep + toggle mute (4 camadas: badge + sino + popup + browser notification) ═══════════════════════════════════════════════════════════════════════════ MIGRATIONS NOVAS (13) ═══════════════════════════════════════════════════════════════════════════ 20260420000001_patient_intake_invite_info_rpc 20260420000002_audit_logs_lgpd 20260420000003_audit_logs_unified_view 20260420000004_lgpd_export_patient_rpc 20260420000005_conversation_messages 20260420000005_search_global_rpc 20260420000006_conv_messages_notifications 20260420000007_notif_channels_saas_admin_insert 20260420000008_conv_messages_realtime 20260420000009_conv_messages_delivery_status 20260421000001_whatsapp_media_bucket 20260421000002_conversation_notes 20260421000003_conversation_tags 20260421000004_conversation_autoreply 20260421000005_conversation_optouts 20260421000006_session_reminders 20260421000007_whatsapp_credits 20260421000008_contact_phones 20260421000009_retroactive_whatsapp_link 20260421000010_retroactive_whatsapp_link_v2 20260421000011_contact_emails 20260421000012_conversation_assignments 20260421000013_tenant_cpf_cnpj ═══════════════════════════════════════════════════════════════════════════ EDGE FUNCTIONS NOVAS / MODIFICADAS ═══════════════════════════════════════════════════════════════════════════ Novas: - _shared/whatsapp-hooks.ts (módulo compartilhado) - asaas-webhook - create-whatsapp-credit-charge - deactivate-notification-channel - evolution-webhook-provision - evolution-whatsapp-inbound - get-intake-invite-info - notification-webhook - send-session-reminders - send-whatsapp-message - submit-patient-intake - twilio-whatsapp-inbound ═══════════════════════════════════════════════════════════════════════════ FRONTEND — RESUMO ═══════════════════════════════════════════════════════════════════════════ Composables novos: useAddonExtrato, useAuditoria, useAutoReplySettings, useClinicKPIs, useContactEmails, useContactPhones, useConversationAssignment, useConversationNotes, useConversationOptouts, useConversationTags, useConversations, useLgpdExport, useSessionReminders, useWhatsappCredits Stores: conversationDrawerStore Componentes novos: ConversationDrawer, GlobalInboundNotifier, GlobalSearch, ContactEmailsEditor, ContactPhonesEditor Páginas novas: CRMConversasPage, PatientConversationsTab, AddonsExtratoPage, AuditoriaPage, NotificationsHistoryPage, ConfiguracoesWhatsappChooserPage, ConfiguracoesConversasAutoreplyPage, ConfiguracoesConversasOptoutsPage, ConfiguracoesConversasTagsPage, ConfiguracoesCreditosWhatsappPage, ConfiguracoesLembretesSessaoPage Utils novos: addonExtratoExport, auditoriaExport, excelExport, lgpdExportFormats Páginas existentes alteradas: ClinicDashboard, PatientsCadastroPage, PatientCadastroDialog, PatientsListPage, MedicosPage, PatientProntuario, ConfiguracoesWhatsappPage, SaasWhatsappPage, ConfiguracoesRecursosExtrasPage, ConfiguracoesPage, AgendaTerapeutaPage, AgendaClinicaPage, NotificationItem, NotificationDrawer, AppLayout, AppTopbar, useMenuBadges, patientsRepository, SaasAddonsPage (aba 4 + 5 WhatsApp) Routes: routes.clinic, routes.configs, routes.therapist atualizados Menus: clinic.menu, therapist.menu, saas.menu atualizados ═══════════════════════════════════════════════════════════════════════════ NOTAS - Após subir, rodar supabase functions serve --no-verify-jwt --env-file supabase/functions/.env pra carregar o módulo _shared - WHATSAPP_SETUP.md reescrito (~400 linhas) com setup completo dos 3 providers + troubleshooting + LGPD - HANDOFF.md atualizado com estado atual e próximos passos Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-23 07:05:24 -03:00
parent 037ba3721f
commit 2644e60bb6
191 changed files with 38629 additions and 3756 deletions
@@ -1,5 +1,5 @@
 -- Extensions
-- Gerado automaticamente em 2026-04-17T12:23:04.148Z
+-- Gerado automaticamente em 2026-04-21T23:16:33.041Z
 -- Total: 10

 CREATE EXTENSION IF NOT EXISTS btree_gist WITH SCHEMA public;
@@ -1,5 +1,5 @@
 -- Functions: auth
-- Gerado automaticamente em 2026-04-17T12:23:05.221Z
+-- Gerado automaticamente em 2026-04-21T23:16:34.941Z
 -- Total: 4

 CREATE FUNCTION auth.email() RETURNS text
@@ -1,5 +1,5 @@
 -- Functions: extensions
-- Gerado automaticamente em 2026-04-17T12:23:05.222Z
+-- Gerado automaticamente em 2026-04-21T23:16:34.942Z
 -- Total: 6

 CREATE FUNCTION extensions.grant_pg_cron_access() RETURNS event_trigger
@@ -1,5 +1,5 @@
 -- Functions: pgbouncer
-- Gerado automaticamente em 2026-04-17T12:23:05.222Z
+-- Gerado automaticamente em 2026-04-21T23:16:34.943Z
 -- Total: 1

 CREATE FUNCTION pgbouncer.get_auth(p_usename text) RETURNS TABLE(username text, password text)
@@ -1,5 +1,5 @@
 -- Functions: realtime
-- Gerado automaticamente em 2026-04-17T12:23:05.223Z
+-- Gerado automaticamente em 2026-04-21T23:16:34.949Z
 -- Total: 12

 CREATE FUNCTION realtime.apply_rls(wal jsonb, max_record_bytes integer DEFAULT (1024 * 1024)) RETURNS SETOF realtime.wal_rls
@@ -1,5 +1,5 @@
 -- Functions: storage
-- Gerado automaticamente em 2026-04-17T12:23:05.224Z
+-- Gerado automaticamente em 2026-04-21T23:16:34.950Z
 -- Total: 15

 CREATE FUNCTION storage.can_insert_object(bucketid text, name text, owner uuid, metadata jsonb) RETURNS void
@@ -1,5 +1,5 @@
 -- Functions: supabase_functions
-- Gerado automaticamente em 2026-04-17T12:23:05.224Z
+-- Gerado automaticamente em 2026-04-21T23:16:34.950Z
 -- Total: 1

 CREATE FUNCTION supabase_functions.http_request() RETURNS trigger
@@ -1,6 +1,6 @@
 -- Tables: Addons / Créditos
-- Gerado automaticamente em 2026-04-17T12:23:05.228Z
-- Total: 3
+-- Gerado automaticamente em 2026-04-21T23:16:34.955Z
+-- Total: 7

 CREATE TABLE public.addon_credits (
    id uuid DEFAULT gen_random_uuid() NOT NULL,
@@ -22,7 +22,10 @@ CREATE TABLE public.addon_credits (
    expires_at timestamp with time zone,
    is_active boolean DEFAULT true,
    created_at timestamp with time zone DEFAULT now(),
-    updated_at timestamp with time zone DEFAULT now()
+    updated_at timestamp with time zone DEFAULT now(),
+    CONSTRAINT addon_credits_balance_nonneg_chk CHECK ((balance >= 0)),
+    CONSTRAINT addon_credits_consumed_nonneg_chk CHECK ((total_consumed >= 0)),
+    CONSTRAINT addon_credits_purchased_nonneg_chk CHECK ((total_purchased >= 0))
 );

 CREATE TABLE public.addon_products (
@@ -64,3 +67,70 @@ CREATE TABLE public.addon_transactions (
    created_at timestamp with time zone DEFAULT now(),
    metadata jsonb DEFAULT '{}'::jsonb
 );
+
+CREATE TABLE public.whatsapp_credit_packages (
+    id uuid DEFAULT gen_random_uuid() NOT NULL,
+    name text NOT NULL,
+    description text,
+    credits integer NOT NULL,
+    price_brl numeric(10,2) NOT NULL,
+    is_active boolean DEFAULT true NOT NULL,
+    is_featured boolean DEFAULT false NOT NULL,
+    "position" integer DEFAULT 100 NOT NULL,
+    created_at timestamp with time zone DEFAULT now() NOT NULL,
+    updated_at timestamp with time zone DEFAULT now() NOT NULL,
+    CONSTRAINT whatsapp_credit_packages_credits_check CHECK ((credits > 0)),
+    CONSTRAINT whatsapp_credit_packages_name_check CHECK (((length(name) > 0) AND (length(name) <= 100))),
+    CONSTRAINT whatsapp_credit_packages_price_brl_check CHECK ((price_brl > (0)::numeric))
+);
+
+CREATE TABLE public.whatsapp_credit_purchases (
+    id uuid DEFAULT gen_random_uuid() NOT NULL,
+    tenant_id uuid NOT NULL,
+    package_id uuid,
+    package_name text NOT NULL,
+    credits integer NOT NULL,
+    amount_brl numeric(10,2) NOT NULL,
+    status text DEFAULT 'pending'::text NOT NULL,
+    asaas_customer_id text,
+    asaas_payment_id text,
+    asaas_payment_link text,
+    asaas_pix_qrcode text,
+    asaas_pix_copy_paste text,
+    paid_at timestamp with time zone,
+    expires_at timestamp with time zone,
+    failed_at timestamp with time zone,
+    created_by uuid,
+    created_at timestamp with time zone DEFAULT now() NOT NULL,
+    updated_at timestamp with time zone DEFAULT now() NOT NULL,
+    CONSTRAINT whatsapp_credit_purchases_amount_brl_check CHECK ((amount_brl > (0)::numeric)),
+    CONSTRAINT whatsapp_credit_purchases_credits_check CHECK ((credits > 0)),
+    CONSTRAINT whatsapp_credit_purchases_status_check CHECK ((status = ANY (ARRAY['pending'::text, 'paid'::text, 'failed'::text, 'expired'::text, 'refunded'::text, 'cancelled'::text])))
+);
+
+CREATE TABLE public.whatsapp_credits_balance (
+    tenant_id uuid NOT NULL,
+    balance integer DEFAULT 0 NOT NULL,
+    lifetime_purchased integer DEFAULT 0 NOT NULL,
+    lifetime_used integer DEFAULT 0 NOT NULL,
+    low_balance_threshold integer DEFAULT 20 NOT NULL,
+    low_balance_alerted_at timestamp with time zone,
+    created_at timestamp with time zone DEFAULT now() NOT NULL,
+    updated_at timestamp with time zone DEFAULT now() NOT NULL,
+    CONSTRAINT whatsapp_credits_balance_balance_check CHECK ((balance >= 0)),
+    CONSTRAINT whatsapp_credits_balance_low_balance_threshold_check CHECK ((low_balance_threshold >= 0))
+);
+
+CREATE TABLE public.whatsapp_credits_transactions (
+    id bigint NOT NULL,
+    tenant_id uuid NOT NULL,
+    kind text NOT NULL,
+    amount integer NOT NULL,
+    balance_after integer NOT NULL,
+    conversation_message_id bigint,
+    purchase_id uuid,
+    admin_id uuid,
+    note text,
+    created_at timestamp with time zone DEFAULT now() NOT NULL,
+    CONSTRAINT whatsapp_credits_transactions_kind_check CHECK ((kind = ANY (ARRAY['purchase'::text, 'usage'::text, 'topup_manual'::text, 'refund'::text, 'adjustment'::text])))
+);
@@ -1,5 +1,5 @@
 -- Tables: Agenda / Agendamento
-- Gerado automaticamente em 2026-04-17T12:23:05.229Z
+-- Gerado automaticamente em 2026-04-21T23:16:34.955Z
 -- Total: 10

 CREATE TABLE public.agenda_bloqueios (
@@ -1,5 +1,5 @@
 -- Tables: Central SaaS (docs/FAQ)
-- Gerado automaticamente em 2026-04-17T12:23:05.230Z
+-- Gerado automaticamente em 2026-04-21T23:16:34.957Z
 -- Total: 4

 CREATE TABLE public.saas_doc_votos (
@@ -1,7 +1,36 @@
 -- Tables: Comunicação / Notificações
-- Gerado automaticamente em 2026-04-17T12:23:05.230Z
+-- Gerado automaticamente em 2026-04-21T23:16:34.955Z
 -- Total: 14

+CREATE TABLE public.notification_logs (
+    id uuid DEFAULT gen_random_uuid() NOT NULL,
+    tenant_id uuid NOT NULL,
+    owner_id uuid NOT NULL,
+    queue_id uuid,
+    agenda_evento_id uuid,
+    patient_id uuid NOT NULL,
+    channel text NOT NULL,
+    template_key text NOT NULL,
+    schedule_key text,
+    recipient_address text NOT NULL,
+    resolved_message text,
+    resolved_vars jsonb,
+    status text NOT NULL,
+    provider text,
+    provider_message_id text,
+    provider_status text,
+    provider_response jsonb,
+    sent_at timestamp with time zone,
+    delivered_at timestamp with time zone,
+    read_at timestamp with time zone,
+    failed_at timestamp with time zone,
+    failure_reason text,
+    estimated_cost_brl numeric(8,4) DEFAULT 0,
+    created_at timestamp with time zone DEFAULT now() NOT NULL,
+    updated_at timestamp with time zone DEFAULT now() NOT NULL,
+    CONSTRAINT notification_logs_status_check CHECK ((status = ANY (ARRAY['sent'::text, 'delivered'::text, 'read'::text, 'failed'::text, 'bounced'::text, 'opted_out'::text])))
+);
+
 CREATE TABLE public.email_layout_config (
    id uuid DEFAULT gen_random_uuid() NOT NULL,
    tenant_id uuid NOT NULL,
@@ -123,35 +152,6 @@ CREATE TABLE public.notification_channels (
    CONSTRAINT notification_channels_provider_check CHECK ((provider = ANY (ARRAY['evolution_api'::text, 'meta_official'::text, 'twilio'::text, 'zenvia'::text, 'sendgrid'::text, 'resend'::text, 'smtp'::text, 'zapi'::text])))
 );

-CREATE TABLE public.notification_logs (
-    id uuid DEFAULT gen_random_uuid() NOT NULL,
-    tenant_id uuid NOT NULL,
-    owner_id uuid NOT NULL,
-    queue_id uuid,
-    agenda_evento_id uuid,
-    patient_id uuid NOT NULL,
-    channel text NOT NULL,
-    template_key text NOT NULL,
-    schedule_key text,
-    recipient_address text NOT NULL,
-    resolved_message text,
-    resolved_vars jsonb,
-    status text NOT NULL,
-    provider text,
-    provider_message_id text,
-    provider_status text,
-    provider_response jsonb,
-    sent_at timestamp with time zone,
-    delivered_at timestamp with time zone,
-    read_at timestamp with time zone,
-    failed_at timestamp with time zone,
-    failure_reason text,
-    estimated_cost_brl numeric(8,4) DEFAULT 0,
-    created_at timestamp with time zone DEFAULT now() NOT NULL,
-    updated_at timestamp with time zone DEFAULT now() NOT NULL,
-    CONSTRAINT notification_logs_status_check CHECK ((status = ANY (ARRAY['sent'::text, 'delivered'::text, 'read'::text, 'failed'::text, 'bounced'::text, 'opted_out'::text])))
-);
-
 CREATE TABLE public.notification_preferences (
    id uuid DEFAULT gen_random_uuid() NOT NULL,
    tenant_id uuid NOT NULL,
@@ -260,7 +260,7 @@ CREATE TABLE public.notifications (
    read_at timestamp with time zone,
    archived boolean DEFAULT false NOT NULL,
    created_at timestamp with time zone DEFAULT now() NOT NULL,
-    CONSTRAINT notifications_type_check CHECK ((type = ANY (ARRAY['new_scheduling'::text, 'new_patient'::text, 'recurrence_alert'::text, 'session_status'::text])))
+    CONSTRAINT notifications_type_check CHECK ((type = ANY (ARRAY['new_scheduling'::text, 'new_patient'::text, 'recurrence_alert'::text, 'session_status'::text, 'inbound_message'::text])))
 );

 CREATE TABLE public.twilio_subaccount_usage (
@@ -0,0 +1,155 @@
+-- Tables: CRM Conversas (WhatsApp)
+-- Gerado automaticamente em 2026-04-21T23:16:34.956Z
+-- Total: 10
+
+CREATE TABLE public.conversation_autoreply_log (
+    id bigint NOT NULL,
+    tenant_id uuid NOT NULL,
+    thread_key text NOT NULL,
+    sent_at timestamp with time zone DEFAULT now() NOT NULL,
+    message_id uuid
+);
+
+CREATE TABLE public.conversation_autoreply_settings (
+    tenant_id uuid NOT NULL,
+    enabled boolean DEFAULT false NOT NULL,
+    message text DEFAULT 'Olá! Nosso horário de atendimento acabou. Retornaremos sua mensagem assim que possível. Obrigado!'::text NOT NULL,
+    cooldown_minutes integer DEFAULT 180 NOT NULL,
+    schedule_mode text DEFAULT 'agenda'::text NOT NULL,
+    business_hours jsonb DEFAULT '[]'::jsonb NOT NULL,
+    custom_window jsonb DEFAULT '[]'::jsonb NOT NULL,
+    created_at timestamp with time zone DEFAULT now() NOT NULL,
+    updated_at timestamp with time zone DEFAULT now() NOT NULL,
+    CONSTRAINT conversation_autoreply_settings_cooldown_minutes_check CHECK (((cooldown_minutes >= 0) AND (cooldown_minutes <= 43200))),
+    CONSTRAINT conversation_autoreply_settings_message_check CHECK (((length(message) > 0) AND (length(message) <= 2000))),
+    CONSTRAINT conversation_autoreply_settings_schedule_mode_check CHECK ((schedule_mode = ANY (ARRAY['agenda'::text, 'business_hours'::text, 'custom'::text])))
+);
+
+CREATE TABLE public.conversation_messages (
+    id bigint NOT NULL,
+    tenant_id uuid NOT NULL,
+    patient_id uuid,
+    channel text NOT NULL,
+    direction text NOT NULL,
+    from_number text,
+    to_number text,
+    body text,
+    media_url text,
+    media_mime text,
+    provider text NOT NULL,
+    provider_message_id text,
+    provider_raw jsonb,
+    kanban_status text DEFAULT 'awaiting_us'::text NOT NULL,
+    priority integer DEFAULT 0 NOT NULL,
+    read_at timestamp with time zone,
+    responded_at timestamp with time zone,
+    resolved_at timestamp with time zone,
+    received_at timestamp with time zone,
+    created_at timestamp with time zone DEFAULT now() NOT NULL,
+    updated_at timestamp with time zone DEFAULT now() NOT NULL,
+    delivered_at timestamp with time zone,
+    read_by_recipient_at timestamp with time zone,
+    delivery_status text,
+    CONSTRAINT conversation_messages_channel_check CHECK ((channel = ANY (ARRAY['whatsapp'::text, 'sms'::text, 'email'::text]))),
+    CONSTRAINT conversation_messages_delivery_status_check CHECK (((delivery_status IS NULL) OR (delivery_status = ANY (ARRAY['pending'::text, 'sent'::text, 'delivered'::text, 'read'::text, 'failed'::text])))),
+    CONSTRAINT conversation_messages_direction_check CHECK ((direction = ANY (ARRAY['inbound'::text, 'outbound'::text]))),
+    CONSTRAINT conversation_messages_kanban_status_check CHECK ((kanban_status = ANY (ARRAY['urgent'::text, 'awaiting_us'::text, 'awaiting_patient'::text, 'resolved'::text]))),
+    CONSTRAINT conversation_messages_provider_check CHECK ((provider = ANY (ARRAY['twilio'::text, 'evolution'::text, 'manual'::text])))
+);
+
+CREATE TABLE public.conversation_notes (
+    id uuid DEFAULT gen_random_uuid() NOT NULL,
+    tenant_id uuid NOT NULL,
+    thread_key text NOT NULL,
+    patient_id uuid,
+    contact_number text,
+    body text NOT NULL,
+    created_by uuid NOT NULL,
+    created_at timestamp with time zone DEFAULT now() NOT NULL,
+    updated_at timestamp with time zone DEFAULT now() NOT NULL,
+    deleted_at timestamp with time zone,
+    CONSTRAINT conversation_notes_body_check CHECK (((length(body) > 0) AND (length(body) <= 4000)))
+);
+
+CREATE TABLE public.conversation_optout_keywords (
+    id uuid DEFAULT gen_random_uuid() NOT NULL,
+    tenant_id uuid,
+    keyword text NOT NULL,
+    enabled boolean DEFAULT true NOT NULL,
+    is_system boolean DEFAULT false NOT NULL,
+    created_at timestamp with time zone DEFAULT now() NOT NULL,
+    CONSTRAINT conversation_optout_keywords_keyword_check CHECK (((length(keyword) > 0) AND (length(keyword) <= 100)))
+);
+
+CREATE TABLE public.conversation_optouts (
+    id uuid DEFAULT gen_random_uuid() NOT NULL,
+    tenant_id uuid NOT NULL,
+    phone text NOT NULL,
+    patient_id uuid,
+    source text DEFAULT 'keyword'::text NOT NULL,
+    keyword_matched text,
+    original_message text,
+    notes text,
+    blocked_by uuid,
+    opted_out_at timestamp with time zone DEFAULT now() NOT NULL,
+    opted_back_in_at timestamp with time zone,
+    created_at timestamp with time zone DEFAULT now() NOT NULL,
+    updated_at timestamp with time zone DEFAULT now() NOT NULL,
+    CONSTRAINT conversation_optouts_phone_check CHECK ((phone ~ '^\d{6,15}$'::text)),
+    CONSTRAINT conversation_optouts_source_check CHECK ((source = ANY (ARRAY['keyword'::text, 'manual'::text])))
+);
+
+CREATE TABLE public.conversation_tags (
+    id uuid DEFAULT gen_random_uuid() NOT NULL,
+    tenant_id uuid,
+    name text NOT NULL,
+    slug text NOT NULL,
+    color text DEFAULT '#6366f1'::text NOT NULL,
+    icon text,
+    "position" integer DEFAULT 100 NOT NULL,
+    is_system boolean DEFAULT false NOT NULL,
+    created_at timestamp with time zone DEFAULT now() NOT NULL,
+    updated_at timestamp with time zone DEFAULT now() NOT NULL,
+    CONSTRAINT conversation_tags_color_check CHECK ((color ~ '^#[0-9a-fA-F]{6}$'::text)),
+    CONSTRAINT conversation_tags_name_check CHECK (((length(name) > 0) AND (length(name) <= 40))),
+    CONSTRAINT conversation_tags_slug_check CHECK ((slug ~ '^[a-z0-9_-]{1,40}$'::text))
+);
+
+CREATE TABLE public.conversation_thread_tags (
+    tenant_id uuid NOT NULL,
+    thread_key text NOT NULL,
+    tag_id uuid NOT NULL,
+    tagged_by uuid,
+    tagged_at timestamp with time zone DEFAULT now() NOT NULL
+);
+
+CREATE TABLE public.session_reminder_logs (
+    id bigint NOT NULL,
+    event_id uuid NOT NULL,
+    tenant_id uuid NOT NULL,
+    reminder_type text NOT NULL,
+    sent_at timestamp with time zone DEFAULT now() NOT NULL,
+    provider text,
+    skip_reason text,
+    to_phone text,
+    provider_message_id text,
+    conversation_message_id bigint,
+    CONSTRAINT session_reminder_logs_reminder_type_check CHECK ((reminder_type = ANY (ARRAY['24h'::text, '2h'::text])))
+);
+
+CREATE TABLE public.session_reminder_settings (
+    tenant_id uuid NOT NULL,
+    enabled boolean DEFAULT false NOT NULL,
+    send_24h boolean DEFAULT true NOT NULL,
+    send_2h boolean DEFAULT true NOT NULL,
+    template_24h text DEFAULT 'Oi {{nome_paciente}}! 👋 Lembrando da sua sessão amanhã, {{data_sessao}} às {{hora_sessao}}. Até lá!'::text NOT NULL,
+    template_2h text DEFAULT 'Oi {{nome_paciente}}! Sua sessão começa em 2 horas, às {{hora_sessao}}. Te espero! 😊'::text NOT NULL,
+    quiet_hours_enabled boolean DEFAULT true NOT NULL,
+    quiet_hours_start time without time zone DEFAULT '22:00:00'::time without time zone NOT NULL,
+    quiet_hours_end time without time zone DEFAULT '08:00:00'::time without time zone NOT NULL,
+    respect_opt_out boolean DEFAULT true NOT NULL,
+    created_at timestamp with time zone DEFAULT now() NOT NULL,
+    updated_at timestamp with time zone DEFAULT now() NOT NULL,
+    CONSTRAINT session_reminder_settings_template_24h_check CHECK (((length(template_24h) > 0) AND (length(template_24h) <= 2000))),
+    CONSTRAINT session_reminder_settings_template_2h_check CHECK (((length(template_2h) > 0) AND (length(template_2h) <= 2000)))
+);
@@ -1,5 +1,5 @@
 -- Tables: Documentos
-- Gerado automaticamente em 2026-04-17T12:23:05.229Z
+-- Gerado automaticamente em 2026-04-21T23:16:34.955Z
 -- Total: 6

 CREATE TABLE public.document_access_logs (
@@ -111,6 +111,7 @@ CREATE TABLE public.documents (
    retencao_ate timestamp with time zone,
    created_at timestamp with time zone DEFAULT now(),
    updated_at timestamp with time zone DEFAULT now(),
+    content_sha256 text,
    CONSTRAINT documents_status_revisao_check CHECK ((status_revisao = ANY (ARRAY['pendente'::text, 'aprovado'::text, 'rejeitado'::text]))),
    CONSTRAINT documents_tipo_check CHECK ((tipo_documento = ANY (ARRAY['laudo'::text, 'receita'::text, 'exame'::text, 'termo_assinado'::text, 'relatorio_externo'::text, 'identidade'::text, 'convenio'::text, 'declaracao'::text, 'atestado'::text, 'recibo'::text, 'outro'::text]))),
    CONSTRAINT documents_visibilidade_check CHECK ((visibilidade = ANY (ARRAY['privado'::text, 'compartilhado_supervisor'::text, 'compartilhado_portal'::text])))
@@ -1,5 +1,5 @@
 -- Tables: Estrutura / Calendário
-- Gerado automaticamente em 2026-04-17T12:23:05.230Z
+-- Gerado automaticamente em 2026-04-21T23:16:34.956Z
 -- Total: 1

 CREATE TABLE public.feriados (
@@ -1,11 +1,11 @@
 -- Tables: Financeiro
-- Gerado automaticamente em 2026-04-17T12:23:05.228Z
+-- Gerado automaticamente em 2026-04-21T23:16:34.954Z
 -- Total: 10

 CREATE TABLE public.financial_records (
    id uuid DEFAULT gen_random_uuid() NOT NULL,
    owner_id uuid NOT NULL,
-    tenant_id uuid,
+    tenant_id uuid NOT NULL,
    type public.financial_record_type DEFAULT 'receita'::public.financial_record_type NOT NULL,
    amount numeric(10,2) NOT NULL,
    description text,
@@ -35,6 +35,7 @@ CREATE TABLE public.financial_records (
    CONSTRAINT financial_records_clinic_fee_amount_check CHECK ((clinic_fee_amount >= (0)::numeric)),
    CONSTRAINT financial_records_clinic_fee_pct_check CHECK (((clinic_fee_pct >= (0)::numeric) AND (clinic_fee_pct <= (100)::numeric))),
    CONSTRAINT financial_records_discount_amount_check CHECK ((discount_amount >= (0)::numeric)),
+    CONSTRAINT financial_records_fee_lte_amount_chk CHECK (((clinic_fee_amount IS NULL) OR ((clinic_fee_amount >= (0)::numeric) AND (clinic_fee_amount <= amount)))),
    CONSTRAINT financial_records_final_amount_check CHECK ((final_amount >= (0)::numeric)),
    CONSTRAINT financial_records_installments_check CHECK ((installments >= 1)),
    CONSTRAINT financial_records_status_check CHECK ((status = ANY (ARRAY['pending'::text, 'paid'::text, 'partial'::text, 'overdue'::text, 'cancelled'::text, 'refunded'::text])))
@@ -1,6 +1,6 @@
 -- Tables: outros
-- Gerado automaticamente em 2026-04-17T12:23:05.228Z
-- Total: 1
+-- Gerado automaticamente em 2026-04-21T23:16:34.954Z
+-- Total: 17

 CREATE TABLE public._db_migrations (
    id integer NOT NULL,
@@ -9,3 +9,259 @@ CREATE TABLE public._db_migrations (
    category text DEFAULT 'migration'::text NOT NULL,
    applied_at timestamp with time zone DEFAULT now() NOT NULL
 );
+
+CREATE TABLE public.audit_logs (
+    id bigint NOT NULL,
+    tenant_id uuid NOT NULL,
+    user_id uuid,
+    entity_type text NOT NULL,
+    entity_id text,
+    action text NOT NULL,
+    old_values jsonb,
+    new_values jsonb,
+    changed_fields text[],
+    metadata jsonb DEFAULT '{}'::jsonb NOT NULL,
+    created_at timestamp with time zone DEFAULT now() NOT NULL,
+    CONSTRAINT audit_logs_action_check CHECK ((action = ANY (ARRAY['insert'::text, 'update'::text, 'delete'::text])))
+);
+
+CREATE TABLE public.dev_auditoria_items (
+    id bigint NOT NULL,
+    categoria character varying(120),
+    titulo text NOT NULL,
+    descricao_problema text,
+    solucao text,
+    severidade character varying(20),
+    status character varying(20) DEFAULT 'aberto'::character varying NOT NULL,
+    resolvido_em date,
+    sessao_resolucao character varying(160),
+    arquivo_afetado text,
+    tags text[] DEFAULT '{}'::text[],
+    created_at timestamp with time zone DEFAULT now() NOT NULL,
+    updated_at timestamp with time zone DEFAULT now() NOT NULL,
+    ordem integer DEFAULT 0 NOT NULL,
+    CONSTRAINT dev_auditoria_items_severidade_check CHECK (((severidade IS NULL) OR ((severidade)::text = ANY ((ARRAY['critico'::character varying, 'alto'::character varying, 'medio'::character varying, 'baixo'::character varying])::text[])))),
+    CONSTRAINT dev_auditoria_items_status_check CHECK (((status)::text = ANY ((ARRAY['aberto'::character varying, 'em_analise'::character varying, 'resolvido'::character varying, 'wontfix'::character varying, 'duplicado'::character varying])::text[])))
+);
+
+CREATE TABLE public.dev_comparison_competitor_status (
+    id bigint NOT NULL,
+    comparison_id bigint NOT NULL,
+    competitor_id bigint NOT NULL,
+    status character varying(20) DEFAULT 'a_definir'::character varying NOT NULL,
+    nota text,
+    fonte character varying(20),
+    created_at timestamp with time zone DEFAULT now() NOT NULL,
+    updated_at timestamp with time zone DEFAULT now() NOT NULL,
+    CONSTRAINT dev_comparison_competitor_status_fonte_check CHECK (((fonte IS NULL) OR ((fonte)::text = ANY ((ARRAY['fetched'::character varying, 'observacao'::character varying, 'publico'::character varying, 'hipotese'::character varying])::text[])))),
+    CONSTRAINT dev_comparison_competitor_status_status_check CHECK (((status)::text = ANY ((ARRAY['tem'::character varying, 'parcial'::character varying, 'gap'::character varying, 'na'::character varying, 'a_definir'::character varying])::text[])))
+);
+
+CREATE TABLE public.dev_comparison_matrix (
+    id bigint NOT NULL,
+    dominio character varying(120),
+    feature text NOT NULL,
+    nosso_status character varying(20) DEFAULT 'a_definir'::character varying NOT NULL,
+    nossa_nota text,
+    importancia character varying(20),
+    ordem integer DEFAULT 0 NOT NULL,
+    created_at timestamp with time zone DEFAULT now() NOT NULL,
+    updated_at timestamp with time zone DEFAULT now() NOT NULL,
+    CONSTRAINT dev_comparison_matrix_importancia_check CHECK (((importancia IS NULL) OR ((importancia)::text = ANY ((ARRAY['alta'::character varying, 'media'::character varying, 'baixa'::character varying])::text[])))),
+    CONSTRAINT dev_comparison_matrix_nosso_status_check CHECK (((nosso_status)::text = ANY ((ARRAY['tem'::character varying, 'parcial'::character varying, 'gap'::character varying, 'na'::character varying, 'a_definir'::character varying])::text[])))
+);
+
+CREATE TABLE public.dev_competitor_features (
+    id bigint NOT NULL,
+    competitor_id bigint NOT NULL,
+    categoria character varying(120),
+    nome text NOT NULL,
+    descricao text,
+    fonte character varying(20) DEFAULT 'publico'::character varying NOT NULL,
+    fonte_url text,
+    data_fonte date,
+    destaque boolean DEFAULT false NOT NULL,
+    created_at timestamp with time zone DEFAULT now() NOT NULL,
+    updated_at timestamp with time zone DEFAULT now() NOT NULL,
+    ordem integer DEFAULT 0 NOT NULL,
+    CONSTRAINT dev_competitor_features_fonte_check CHECK (((fonte)::text = ANY ((ARRAY['fetched'::character varying, 'observacao'::character varying, 'publico'::character varying, 'hipotese'::character varying])::text[])))
+);
+
+CREATE TABLE public.dev_competitors (
+    id bigint NOT NULL,
+    slug character varying(80) NOT NULL,
+    nome character varying(160) NOT NULL,
+    pais character varying(40),
+    foco character varying(160),
+    pricing text,
+    posicionamento text,
+    url text,
+    ultima_pesquisa date,
+    notas text,
+    ativo boolean DEFAULT true NOT NULL,
+    ordem integer DEFAULT 0 NOT NULL,
+    created_at timestamp with time zone DEFAULT now() NOT NULL,
+    updated_at timestamp with time zone DEFAULT now() NOT NULL
+);
+
+CREATE TABLE public.dev_generation_log (
+    id bigint NOT NULL,
+    tipo character varying(40) NOT NULL,
+    comando text,
+    sucesso boolean DEFAULT false NOT NULL,
+    stdout text,
+    stderr text,
+    duration_ms integer,
+    metadata jsonb DEFAULT '{}'::jsonb,
+    trigger_user_id uuid,
+    created_at timestamp with time zone DEFAULT now() NOT NULL
+);
+
+CREATE TABLE public.dev_roadmap_items (
+    id bigint NOT NULL,
+    phase_id bigint NOT NULL,
+    numero integer,
+    bloco character varying(160),
+    feature text NOT NULL,
+    descricao text,
+    esforco character varying(4),
+    prioridade character varying(20),
+    status character varying(20) DEFAULT 'pendente'::character varying NOT NULL,
+    notas text,
+    assignee character varying(120),
+    data_inicio date,
+    data_conclusao date,
+    ordem integer DEFAULT 0 NOT NULL,
+    tags text[] DEFAULT '{}'::text[],
+    created_at timestamp with time zone DEFAULT now() NOT NULL,
+    updated_at timestamp with time zone DEFAULT now() NOT NULL,
+    CONSTRAINT dev_roadmap_items_esforco_check CHECK (((esforco IS NULL) OR ((esforco)::text = ANY ((ARRAY['S'::character varying, 'M'::character varying, 'L'::character varying, 'XL'::character varying])::text[])))),
+    CONSTRAINT dev_roadmap_items_prioridade_check CHECK (((prioridade IS NULL) OR ((prioridade)::text = ANY ((ARRAY['bloqueador'::character varying, 'alta'::character varying, 'media'::character varying, 'diferencial'::character varying])::text[])))),
+    CONSTRAINT dev_roadmap_items_status_check CHECK (((status)::text = ANY ((ARRAY['pendente'::character varying, 'em_andamento'::character varying, 'concluido'::character varying, 'cancelado'::character varying, 'bloqueado'::character varying])::text[])))
+);
+
+CREATE TABLE public.dev_roadmap_phases (
+    id bigint NOT NULL,
+    numero integer NOT NULL,
+    nome character varying(160) NOT NULL,
+    objetivo text,
+    timeline_sugerida character varying(160),
+    criterio_saida text,
+    status character varying(20) DEFAULT 'planejada'::character varying NOT NULL,
+    data_inicio date,
+    data_fim date,
+    ordem integer DEFAULT 0 NOT NULL,
+    created_at timestamp with time zone DEFAULT now() NOT NULL,
+    updated_at timestamp with time zone DEFAULT now() NOT NULL,
+    CONSTRAINT dev_roadmap_phases_status_check CHECK (((status)::text = ANY ((ARRAY['planejada'::character varying, 'em_andamento'::character varying, 'concluida'::character varying, 'arquivada'::character varying])::text[])))
+);
+
+CREATE TABLE public.dev_test_items (
+    id bigint NOT NULL,
+    area character varying(80) NOT NULL,
+    categoria character varying(120),
+    titulo text NOT NULL,
+    arquivo text,
+    descricao text,
+    total_tests integer DEFAULT 0,
+    passing integer DEFAULT 0,
+    failing integer DEFAULT 0,
+    skipped integer DEFAULT 0,
+    cobertura_pct numeric(5,2),
+    status character varying(20) DEFAULT 'ok'::character varying NOT NULL,
+    last_run_at timestamp with time zone,
+    sessao_criacao character varying(160),
+    notas text,
+    tags text[] DEFAULT '{}'::text[],
+    ordem integer DEFAULT 0 NOT NULL,
+    created_at timestamp with time zone DEFAULT now() NOT NULL,
+    updated_at timestamp with time zone DEFAULT now() NOT NULL,
+    CONSTRAINT dev_test_items_status_check CHECK (((status)::text = ANY ((ARRAY['ok'::character varying, 'falhando'::character varying, 'pendente'::character varying, 'obsoleto'::character varying, 'a_escrever'::character varying])::text[])))
+);
+
+CREATE TABLE public.dev_verificacoes_items (
+    id bigint NOT NULL,
+    area character varying(80) NOT NULL,
+    categoria character varying(120),
+    titulo text NOT NULL,
+    descricao text,
+    resultado text,
+    acao_sugerida text,
+    severidade character varying(20),
+    status character varying(20) DEFAULT 'pendente'::character varying NOT NULL,
+    verificado_em date,
+    sessao_verificacao character varying(160),
+    arquivo_afetado text,
+    auditoria_item_id bigint,
+    tags text[] DEFAULT '{}'::text[],
+    ordem integer DEFAULT 0 NOT NULL,
+    created_at timestamp with time zone DEFAULT now() NOT NULL,
+    updated_at timestamp with time zone DEFAULT now() NOT NULL,
+    CONSTRAINT dev_verificacoes_items_severidade_check CHECK (((severidade IS NULL) OR ((severidade)::text = ANY ((ARRAY['critico'::character varying, 'alto'::character varying, 'medio'::character varying, 'baixo'::character varying])::text[])))),
+    CONSTRAINT dev_verificacoes_items_status_check CHECK (((status)::text = ANY ((ARRAY['pendente'::character varying, 'verificando'::character varying, 'ok'::character varying, 'problema'::character varying, 'corrigido'::character varying, 'wontfix'::character varying])::text[])))
+);
+
+CREATE TABLE public.math_challenges (
+    id uuid DEFAULT gen_random_uuid() NOT NULL,
+    question text NOT NULL,
+    answer integer NOT NULL,
+    used boolean DEFAULT false NOT NULL,
+    created_at timestamp with time zone DEFAULT now() NOT NULL,
+    expires_at timestamp with time zone DEFAULT (now() + '00:05:00'::interval) NOT NULL
+);
+
+CREATE TABLE public.patient_invite_attempts (
+    id uuid DEFAULT gen_random_uuid() NOT NULL,
+    token text NOT NULL,
+    ok boolean NOT NULL,
+    error_code text,
+    error_msg text,
+    client_info text,
+    owner_id uuid,
+    tenant_id uuid,
+    created_at timestamp with time zone DEFAULT now() NOT NULL
+);
+
+CREATE TABLE public.public_submission_attempts (
+    id uuid DEFAULT gen_random_uuid() NOT NULL,
+    endpoint text NOT NULL,
+    ip_hash text,
+    success boolean NOT NULL,
+    error_code text,
+    error_msg text,
+    blocked_by text,
+    user_agent text,
+    metadata jsonb,
+    created_at timestamp with time zone DEFAULT now() NOT NULL
+);
+
+CREATE TABLE public.saas_security_config (
+    id boolean DEFAULT true NOT NULL,
+    honeypot_enabled boolean DEFAULT true NOT NULL,
+    rate_limit_enabled boolean DEFAULT true NOT NULL,
+    rate_limit_window_min integer DEFAULT 10 NOT NULL,
+    rate_limit_max_attempts integer DEFAULT 5 NOT NULL,
+    captcha_after_failures integer DEFAULT 3 NOT NULL,
+    captcha_required_globally boolean DEFAULT false NOT NULL,
+    block_duration_min integer DEFAULT 30 NOT NULL,
+    captcha_required_window_min integer DEFAULT 60 NOT NULL,
+    updated_at timestamp with time zone DEFAULT now() NOT NULL,
+    updated_by uuid,
+    CONSTRAINT saas_security_config_singleton CHECK ((id = true))
+);
+
+CREATE TABLE public.saas_twilio_config (
+    id boolean DEFAULT true NOT NULL,
+    account_sid text,
+    whatsapp_webhook_url text,
+    usd_brl_rate numeric(10,4) DEFAULT 5.5 NOT NULL,
+    margin_multiplier numeric(10,4) DEFAULT 1.4 NOT NULL,
+    notes text,
+    updated_at timestamp with time zone DEFAULT now() NOT NULL,
+    updated_by uuid,
+    CONSTRAINT saas_twilio_config_mult_chk CHECK (((margin_multiplier >= (1)::numeric) AND (margin_multiplier <= (10)::numeric))),
+    CONSTRAINT saas_twilio_config_rate_chk CHECK (((usd_brl_rate > (0)::numeric) AND (usd_brl_rate < (100)::numeric))),
+    CONSTRAINT saas_twilio_config_sid_chk CHECK (((account_sid IS NULL) OR (account_sid ~ '^AC[a-zA-Z0-9]{32}$'::text))),
+    CONSTRAINT saas_twilio_config_singleton CHECK ((id = true)),
+    CONSTRAINT saas_twilio_config_url_chk CHECK (((whatsapp_webhook_url IS NULL) OR (whatsapp_webhook_url ~ '^https?://'::text)))
+);
@@ -1,6 +1,159 @@
 -- Tables: Pacientes
-- Gerado automaticamente em 2026-04-17T12:23:05.230Z
-- Total: 12
+-- Gerado automaticamente em 2026-04-21T23:16:34.956Z
+-- Total: 16
+
+CREATE TABLE public.patient_status_history (
+    id uuid DEFAULT gen_random_uuid() NOT NULL,
+    patient_id uuid NOT NULL,
+    tenant_id uuid NOT NULL,
+    status_anterior text,
+    status_novo text NOT NULL,
+    motivo text,
+    encaminhado_para text,
+    data_saida date,
+    alterado_por uuid,
+    alterado_em timestamp with time zone DEFAULT now() NOT NULL,
+    CONSTRAINT psh_status_novo_check CHECK ((status_novo = ANY (ARRAY['Ativo'::text, 'Inativo'::text, 'Alta'::text, 'Encaminhado'::text, 'Arquivado'::text])))
+);
+
+CREATE TABLE public.contact_email_types (
+    id uuid DEFAULT gen_random_uuid() NOT NULL,
+    tenant_id uuid,
+    name text NOT NULL,
+    slug text NOT NULL,
+    icon text,
+    is_system boolean DEFAULT false NOT NULL,
+    "position" integer DEFAULT 100 NOT NULL,
+    created_at timestamp with time zone DEFAULT now() NOT NULL,
+    updated_at timestamp with time zone DEFAULT now() NOT NULL,
+    CONSTRAINT contact_email_types_name_check CHECK (((length(name) > 0) AND (length(name) <= 40))),
+    CONSTRAINT contact_email_types_slug_check CHECK ((slug ~ '^[a-z0-9_-]{1,40}$'::text))
+);
+
+CREATE TABLE public.contact_emails (
+    id uuid DEFAULT gen_random_uuid() NOT NULL,
+    tenant_id uuid NOT NULL,
+    entity_type text NOT NULL,
+    entity_id uuid NOT NULL,
+    contact_email_type_id uuid NOT NULL,
+    email text NOT NULL,
+    is_primary boolean DEFAULT false NOT NULL,
+    notes text,
+    "position" integer DEFAULT 100 NOT NULL,
+    created_at timestamp with time zone DEFAULT now() NOT NULL,
+    updated_at timestamp with time zone DEFAULT now() NOT NULL,
+    CONSTRAINT contact_emails_email_check CHECK ((email ~* '^[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}$'::text)),
+    CONSTRAINT contact_emails_entity_type_check CHECK ((entity_type = ANY (ARRAY['patient'::text, 'medico'::text])))
+);
+
+CREATE TABLE public.contact_phones (
+    id uuid DEFAULT gen_random_uuid() NOT NULL,
+    tenant_id uuid NOT NULL,
+    entity_type text NOT NULL,
+    entity_id uuid NOT NULL,
+    contact_type_id uuid NOT NULL,
+    number text NOT NULL,
+    is_primary boolean DEFAULT false NOT NULL,
+    whatsapp_linked_at timestamp with time zone,
+    notes text,
+    "position" integer DEFAULT 100 NOT NULL,
+    created_at timestamp with time zone DEFAULT now() NOT NULL,
+    updated_at timestamp with time zone DEFAULT now() NOT NULL,
+    CONSTRAINT contact_phones_entity_type_check CHECK ((entity_type = ANY (ARRAY['patient'::text, 'medico'::text]))),
+    CONSTRAINT contact_phones_number_check CHECK ((number ~ '^\d{8,15}$'::text))
+);
+
+CREATE TABLE public.contact_types (
+    id uuid DEFAULT gen_random_uuid() NOT NULL,
+    tenant_id uuid,
+    name text NOT NULL,
+    slug text NOT NULL,
+    icon text,
+    is_mobile boolean DEFAULT true NOT NULL,
+    is_system boolean DEFAULT false NOT NULL,
+    "position" integer DEFAULT 100 NOT NULL,
+    created_at timestamp with time zone DEFAULT now() NOT NULL,
+    updated_at timestamp with time zone DEFAULT now() NOT NULL,
+    CONSTRAINT contact_types_name_check CHECK (((length(name) > 0) AND (length(name) <= 40))),
+    CONSTRAINT contact_types_slug_check CHECK ((slug ~ '^[a-z0-9_-]{1,40}$'::text))
+);
+
+CREATE TABLE public.patients (
+    id uuid DEFAULT gen_random_uuid() NOT NULL,
+    nome_completo text NOT NULL,
+    email_principal text,
+    telefone text,
+    created_at timestamp with time zone DEFAULT now(),
+    owner_id uuid,
+    avatar_url text,
+    status text DEFAULT 'Ativo'::text,
+    last_attended_at timestamp with time zone,
+    is_native boolean DEFAULT false,
+    naturalidade text,
+    data_nascimento date,
+    rg text,
+    cpf text,
+    identification_color text,
+    genero text,
+    estado_civil text,
+    email_alternativo text,
+    pais text DEFAULT 'Brasil'::text,
+    cep text,
+    cidade text,
+    estado text,
+    endereco text,
+    numero text,
+    bairro text,
+    complemento text,
+    escolaridade text,
+    profissao text,
+    nome_parente text,
+    grau_parentesco text,
+    telefone_alternativo text,
+    onde_nos_conheceu text,
+    encaminhado_por text,
+    nome_responsavel text,
+    telefone_responsavel text,
+    cpf_responsavel text,
+    observacao_responsavel text,
+    cobranca_no_responsavel boolean DEFAULT false,
+    observacoes text,
+    notas_internas text,
+    updated_at timestamp with time zone DEFAULT now(),
+    telefone_parente text,
+    tenant_id uuid NOT NULL,
+    responsible_member_id uuid NOT NULL,
+    user_id uuid,
+    patient_scope text DEFAULT 'clinic'::text NOT NULL,
+    therapist_member_id uuid,
+    nome_social text,
+    pronomes text,
+    etnia text,
+    religiao text,
+    faixa_renda text,
+    canal_preferido text DEFAULT 'whatsapp'::text,
+    horario_contato_inicio time without time zone DEFAULT '08:00:00'::time without time zone,
+    horario_contato_fim time without time zone DEFAULT '20:00:00'::time without time zone,
+    idioma text DEFAULT 'pt-BR'::text,
+    origem text,
+    metodo_pagamento_preferido text,
+    motivo_saida text,
+    data_saida date,
+    encaminhado_para text,
+    risco_elevado boolean DEFAULT false NOT NULL,
+    risco_nota text,
+    risco_sinalizado_em timestamp with time zone,
+    risco_sinalizado_por uuid,
+    horario_contato text,
+    convenio text,
+    convenio_id uuid,
+    CONSTRAINT cpf_responsavel_format_check CHECK (((cpf_responsavel IS NULL) OR (cpf_responsavel ~ '^\d{11}$'::text))),
+    CONSTRAINT patients_cpf_format_check CHECK (((cpf IS NULL) OR (cpf ~ '^\d{11}$'::text))),
+    CONSTRAINT patients_faixa_renda_check CHECK (((faixa_renda IS NULL) OR (faixa_renda = ANY (ARRAY['ate_1sm'::text, '1_3sm'::text, '3_6sm'::text, '6_10sm'::text, 'acima_10sm'::text, 'nao_informado'::text])))),
+    CONSTRAINT patients_metodo_pagamento_check CHECK (((metodo_pagamento_preferido IS NULL) OR (metodo_pagamento_preferido = ANY (ARRAY['pix'::text, 'cartao'::text, 'dinheiro'::text, 'deposito'::text, 'convenio'::text])))),
+    CONSTRAINT patients_risco_consistency_check CHECK (((risco_elevado = false) OR ((risco_elevado = true) AND (risco_nota IS NOT NULL) AND (risco_sinalizado_por IS NOT NULL)))),
+    CONSTRAINT patients_status_check CHECK ((status = ANY (ARRAY['Ativo'::text, 'Em espera'::text, 'Inativo'::text, 'Alta'::text, 'Encaminhado'::text, 'Arquivado'::text])))
+);

 CREATE TABLE public.patient_contacts (
    id uuid DEFAULT gen_random_uuid() NOT NULL,
@@ -117,20 +270,6 @@ CREATE TABLE public.patient_patient_tag (
    tenant_id uuid NOT NULL
 );

-CREATE TABLE public.patient_status_history (
-    id uuid DEFAULT gen_random_uuid() NOT NULL,
-    patient_id uuid NOT NULL,
-    tenant_id uuid NOT NULL,
-    status_anterior text,
-    status_novo text NOT NULL,
-    motivo text,
-    encaminhado_para text,
-    data_saida date,
-    alterado_por uuid,
-    alterado_em timestamp with time zone DEFAULT now() NOT NULL,
-    CONSTRAINT psh_status_novo_check CHECK ((status_novo = ANY (ARRAY['Ativo'::text, 'Inativo'::text, 'Alta'::text, 'Encaminhado'::text, 'Arquivado'::text])))
-);
-
 CREATE TABLE public.patient_support_contacts (
    id uuid DEFAULT gen_random_uuid() NOT NULL,
    patient_id uuid NOT NULL,
@@ -172,80 +311,3 @@ CREATE TABLE public.patient_timeline (
    CONSTRAINT pt_evento_tipo_check CHECK ((evento_tipo = ANY (ARRAY['primeira_sessao'::text, 'sessao_realizada'::text, 'sessao_cancelada'::text, 'falta'::text, 'status_alterado'::text, 'risco_sinalizado'::text, 'risco_removido'::text, 'documento_assinado'::text, 'documento_adicionado'::text, 'escala_respondida'::text, 'escala_enviada'::text, 'pagamento_vencido'::text, 'pagamento_recebido'::text, 'tarefa_combinada'::text, 'contato_adicionado'::text, 'prontuario_editado'::text, 'nota_adicionada'::text, 'manual'::text]))),
    CONSTRAINT pt_icone_cor_check CHECK ((icone_cor = ANY (ARRAY['green'::text, 'blue'::text, 'amber'::text, 'red'::text, 'gray'::text, 'purple'::text])))
 );
-
-CREATE TABLE public.patients (
-    id uuid DEFAULT gen_random_uuid() NOT NULL,
-    nome_completo text NOT NULL,
-    email_principal text,
-    telefone text,
-    created_at timestamp with time zone DEFAULT now(),
-    owner_id uuid,
-    avatar_url text,
-    status text DEFAULT 'Ativo'::text,
-    last_attended_at timestamp with time zone,
-    is_native boolean DEFAULT false,
-    naturalidade text,
-    data_nascimento date,
-    rg text,
-    cpf text,
-    identification_color text,
-    genero text,
-    estado_civil text,
-    email_alternativo text,
-    pais text DEFAULT 'Brasil'::text,
-    cep text,
-    cidade text,
-    estado text,
-    endereco text,
-    numero text,
-    bairro text,
-    complemento text,
-    escolaridade text,
-    profissao text,
-    nome_parente text,
-    grau_parentesco text,
-    telefone_alternativo text,
-    onde_nos_conheceu text,
-    encaminhado_por text,
-    nome_responsavel text,
-    telefone_responsavel text,
-    cpf_responsavel text,
-    observacao_responsavel text,
-    cobranca_no_responsavel boolean DEFAULT false,
-    observacoes text,
-    notas_internas text,
-    updated_at timestamp with time zone DEFAULT now(),
-    telefone_parente text,
-    tenant_id uuid NOT NULL,
-    responsible_member_id uuid NOT NULL,
-    user_id uuid,
-    patient_scope text DEFAULT 'clinic'::text NOT NULL,
-    therapist_member_id uuid,
-    nome_social text,
-    pronomes text,
-    etnia text,
-    religiao text,
-    faixa_renda text,
-    canal_preferido text DEFAULT 'whatsapp'::text,
-    horario_contato_inicio time without time zone DEFAULT '08:00:00'::time without time zone,
-    horario_contato_fim time without time zone DEFAULT '20:00:00'::time without time zone,
-    idioma text DEFAULT 'pt-BR'::text,
-    origem text,
-    metodo_pagamento_preferido text,
-    motivo_saida text,
-    data_saida date,
-    encaminhado_para text,
-    risco_elevado boolean DEFAULT false NOT NULL,
-    risco_nota text,
-    risco_sinalizado_em timestamp with time zone,
-    risco_sinalizado_por uuid,
-    horario_contato text,
-    convenio text,
-    convenio_id uuid,
-    CONSTRAINT cpf_responsavel_format_check CHECK (((cpf_responsavel IS NULL) OR (cpf_responsavel ~ '^\d{11}$'::text))),
-    CONSTRAINT patients_cpf_format_check CHECK (((cpf IS NULL) OR (cpf ~ '^\d{11}$'::text))),
-    CONSTRAINT patients_faixa_renda_check CHECK (((faixa_renda IS NULL) OR (faixa_renda = ANY (ARRAY['ate_1sm'::text, '1_3sm'::text, '3_6sm'::text, '6_10sm'::text, 'acima_10sm'::text, 'nao_informado'::text])))),
-    CONSTRAINT patients_metodo_pagamento_check CHECK (((metodo_pagamento_preferido IS NULL) OR (metodo_pagamento_preferido = ANY (ARRAY['pix'::text, 'cartao'::text, 'dinheiro'::text, 'deposito'::text, 'convenio'::text])))),
-    CONSTRAINT patients_risco_consistency_check CHECK (((risco_elevado = false) OR ((risco_elevado = true) AND (risco_nota IS NOT NULL) AND (risco_sinalizado_por IS NOT NULL)))),
-    CONSTRAINT patients_status_check CHECK ((status = ANY (ARRAY['Ativo'::text, 'Em espera'::text, 'Inativo'::text, 'Alta'::text, 'Encaminhado'::text, 'Arquivado'::text])))
-);
@@ -1,5 +1,5 @@
 -- Tables: SaaS / Planos
-- Gerado automaticamente em 2026-04-17T12:23:05.227Z
+-- Gerado automaticamente em 2026-04-21T23:16:34.953Z
 -- Total: 18

 CREATE TABLE public.subscriptions (
@@ -66,7 +66,8 @@ CREATE TABLE public.features (
    description text,
    created_at timestamp with time zone DEFAULT now() NOT NULL,
    descricao text DEFAULT ''::text NOT NULL,
-    name text DEFAULT ''::text NOT NULL
+    name text DEFAULT ''::text NOT NULL,
+    is_active boolean DEFAULT true NOT NULL
 );

 CREATE TABLE public.module_features (
@@ -0,0 +1,15 @@
+-- Tables: Segurança / Rate limiting
+-- Gerado automaticamente em 2026-04-21T23:16:34.957Z
+-- Total: 1
+
+CREATE TABLE public.submission_rate_limits (
+    ip_hash text NOT NULL,
+    endpoint text NOT NULL,
+    attempt_count integer DEFAULT 0 NOT NULL,
+    fail_count integer DEFAULT 0 NOT NULL,
+    window_start timestamp with time zone DEFAULT now() NOT NULL,
+    blocked_until timestamp with time zone,
+    requires_captcha_until timestamp with time zone,
+    last_attempt_at timestamp with time zone DEFAULT now() NOT NULL,
+    created_at timestamp with time zone DEFAULT now() NOT NULL
+);
@@ -1,5 +1,5 @@
 -- Tables: Serviços / Prontuários
-- Gerado automaticamente em 2026-04-17T12:23:05.229Z
+-- Gerado automaticamente em 2026-04-21T23:16:34.956Z
 -- Total: 8

 CREATE TABLE public.commitment_services (
@@ -1,5 +1,5 @@
 -- Tables: Tenants / Multi-tenant
-- Gerado automaticamente em 2026-04-17T12:23:05.228Z
+-- Gerado automaticamente em 2026-04-21T23:16:34.954Z
 -- Total: 10

 CREATE TABLE public.tenant_members (
@@ -1,6 +1,142 @@
 -- Views
-- Gerado automaticamente em 2026-04-17T12:23:05.233Z
-- Total: 27
+-- Gerado automaticamente em 2026-04-21T23:16:34.958Z
+-- Total: 29
+
+CREATE VIEW public.audit_log_unified WITH (security_invoker='true') AS
+ SELECT ('audit:'::text || (al.id)::text) AS uid,
+    al.tenant_id,
+    al.user_id,
+    al.entity_type,
+    al.entity_id,
+    al.action,
+        CASE al.action
+            WHEN 'insert'::text THEN ('Criou '::text || al.entity_type)
+            WHEN 'update'::text THEN (('Alterou '::text || al.entity_type) || COALESCE(((' ('::text || array_to_string(al.changed_fields, ', '::text)) || ')'::text), ''::text))
+            WHEN 'delete'::text THEN ('Excluiu '::text || al.entity_type)
+            ELSE NULL::text
+        END AS description,
+    al.created_at AS occurred_at,
+    'audit_logs'::text AS source,
+    jsonb_build_object('old_values', al.old_values, 'new_values', al.new_values, 'changed_fields', al.changed_fields) AS details
+   FROM public.audit_logs al
+UNION ALL
+ SELECT ('doc_access:'::text || (dal.id)::text) AS uid,
+    dal.tenant_id,
+    dal.user_id,
+    'document'::text AS entity_type,
+    (dal.documento_id)::text AS entity_id,
+    dal.acao AS action,
+        CASE dal.acao
+            WHEN 'visualizou'::text THEN 'Visualizou documento'::text
+            WHEN 'baixou'::text THEN 'Baixou documento'::text
+            WHEN 'imprimiu'::text THEN 'Imprimiu documento'::text
+            WHEN 'compartilhou'::text THEN 'Compartilhou documento'::text
+            WHEN 'assinou'::text THEN 'Assinou documento'::text
+            ELSE dal.acao
+        END AS description,
+    dal.acessado_em AS occurred_at,
+    'document_access_logs'::text AS source,
+    jsonb_build_object('ip', (dal.ip)::text, 'user_agent', dal.user_agent) AS details
+   FROM public.document_access_logs dal
+UNION ALL
+ SELECT ('psh:'::text || (psh.id)::text) AS uid,
+    psh.tenant_id,
+    psh.alterado_por AS user_id,
+    'patient_status'::text AS entity_type,
+    (psh.patient_id)::text AS entity_id,
+    'status_change'::text AS action,
+    (((('Status do paciente: '::text || COALESCE(psh.status_anterior, '—'::text)) || ' → '::text) || psh.status_novo) || COALESCE(((' ('::text || psh.motivo) || ')'::text), ''::text)) AS description,
+    psh.alterado_em AS occurred_at,
+    'patient_status_history'::text AS source,
+    jsonb_build_object('status_anterior', psh.status_anterior, 'status_novo', psh.status_novo, 'motivo', psh.motivo, 'encaminhado_para', psh.encaminhado_para, 'data_saida', psh.data_saida) AS details
+   FROM public.patient_status_history psh
+UNION ALL
+ SELECT ('notif:'::text || (nl.id)::text) AS uid,
+    nl.tenant_id,
+    nl.owner_id AS user_id,
+    'notification'::text AS entity_type,
+    (nl.patient_id)::text AS entity_id,
+    nl.status AS action,
+    (((('Notificação '::text || nl.channel) || ' '::text) || nl.status) || COALESCE((' para '::text || nl.recipient_address), ''::text)) AS description,
+    nl.created_at AS occurred_at,
+    'notification_logs'::text AS source,
+    jsonb_build_object('channel', nl.channel, 'template_key', nl.template_key, 'status', nl.status, 'provider', nl.provider, 'failure_reason', nl.failure_reason) AS details
+   FROM public.notification_logs nl
+UNION ALL
+ SELECT ('addon:'::text || (at.id)::text) AS uid,
+    at.tenant_id,
+    at.admin_user_id AS user_id,
+    'addon_transaction'::text AS entity_type,
+    (at.id)::text AS entity_id,
+    at.type AS action,
+        CASE at.type
+            WHEN 'purchase'::text THEN ((('Compra de '::text || at.amount) || ' créditos de '::text) || at.addon_type)
+            WHEN 'consumption'::text THEN ((('Consumo de '::text || abs(at.amount)) || ' crédito(s) '::text) || at.addon_type)
+            WHEN 'adjustment'::text THEN ('Ajuste de créditos '::text || at.addon_type)
+            WHEN 'refund'::text THEN ((('Reembolso de '::text || abs(at.amount)) || ' créditos '::text) || at.addon_type)
+            ELSE ((at.type || ' '::text) || at.addon_type)
+        END AS description,
+    at.created_at AS occurred_at,
+    'addon_transactions'::text AS source,
+    jsonb_build_object('addon_type', at.addon_type, 'amount', at.amount, 'balance_after', at.balance_after, 'price_cents', at.price_cents, 'payment_reference', at.payment_reference) AS details
+   FROM public.addon_transactions at;
+
+CREATE VIEW public.conversation_threads WITH (security_invoker='true') AS
+ WITH base AS (
+         SELECT cm.id,
+            cm.tenant_id,
+            cm.patient_id,
+            cm.channel,
+            cm.body,
+            cm.direction,
+            cm.kanban_status,
+            cm.read_at,
+            cm.created_at,
+                CASE
+                    WHEN (cm.direction = 'inbound'::text) THEN cm.from_number
+                    ELSE cm.to_number
+                END AS contact_number,
+            COALESCE((cm.patient_id)::text, ('anon:'::text || COALESCE(
+                CASE
+                    WHEN (cm.direction = 'inbound'::text) THEN cm.from_number
+                    ELSE cm.to_number
+                END, 'unknown'::text))) AS thread_key
+           FROM public.conversation_messages cm
+        ), latest AS (
+         SELECT DISTINCT ON (base.tenant_id, base.thread_key) base.tenant_id,
+            base.thread_key,
+            base.patient_id,
+            base.channel,
+            base.contact_number,
+            base.body AS last_message_body,
+            base.direction AS last_message_direction,
+            base.kanban_status,
+            base.created_at AS last_message_at
+           FROM base
+          ORDER BY base.tenant_id, base.thread_key, base.created_at DESC
+        ), counts AS (
+         SELECT base.tenant_id,
+            base.thread_key,
+            count(*) AS message_count,
+            count(*) FILTER (WHERE ((base.direction = 'inbound'::text) AND (base.read_at IS NULL))) AS unread_count
+           FROM base
+          GROUP BY base.tenant_id, base.thread_key
+        )
+ SELECT l.tenant_id,
+    l.thread_key,
+    l.patient_id,
+    p.nome_completo AS patient_name,
+    l.contact_number,
+    l.channel,
+    c.message_count,
+    c.unread_count,
+    l.last_message_at,
+    l.last_message_body,
+    l.last_message_direction,
+    l.kanban_status
+   FROM ((latest l
+     JOIN counts c ON (((c.tenant_id = l.tenant_id) AND (c.thread_key = l.thread_key))))
+     LEFT JOIN public.patients p ON ((p.id = l.patient_id)));

 CREATE VIEW public.current_tenant_id AS
 SELECT current_setting('request.jwt.claim.tenant_id'::text, true) AS current_setting;
@@ -1,6 +1,6 @@
 -- Indexes
-- Gerado automaticamente em 2026-04-17T12:23:05.235Z
-- Total: 270
+-- Gerado automaticamente em 2026-04-21T23:16:34.961Z
+-- Total: 361

 CREATE INDEX agenda_bloqueios_owner_data_idx ON public.agenda_bloqueios USING btree (owner_id, data_inicio, data_fim);

@@ -166,10 +166,126 @@ CREATE INDEX idx_addon_tx_type ON public.addon_transactions USING btree (type);

 CREATE INDEX idx_agenda_eventos_determined_commitment_id ON public.agenda_eventos USING btree (determined_commitment_id);

+CREATE INDEX idx_agenda_eventos_titulo_custom_trgm ON public.agenda_eventos USING gin (titulo_custom public.gin_trgm_ops) WHERE (titulo_custom IS NOT NULL);
+
+CREATE INDEX idx_agenda_eventos_titulo_trgm ON public.agenda_eventos USING gin (titulo public.gin_trgm_ops) WHERE (titulo IS NOT NULL);
+
 CREATE INDEX idx_agenda_excecoes_owner_data ON public.agenda_excecoes USING btree (owner_id, data);

 CREATE INDEX idx_agenda_slots_regras_owner_dia ON public.agenda_slots_regras USING btree (owner_id, dia_semana);

+CREATE INDEX idx_audit_logs_changed_fields ON public.audit_logs USING gin (changed_fields);
+
+CREATE INDEX idx_audit_logs_entity ON public.audit_logs USING btree (entity_type, entity_id);
+
+CREATE INDEX idx_audit_logs_tenant_created ON public.audit_logs USING btree (tenant_id, created_at DESC);
+
+CREATE INDEX idx_audit_logs_user_created ON public.audit_logs USING btree (user_id, created_at DESC) WHERE (user_id IS NOT NULL);
+
+CREATE INDEX idx_autoreply_log_cooldown ON public.conversation_autoreply_log USING btree (tenant_id, thread_key, sent_at DESC);
+
+CREATE INDEX idx_contact_email_types_tenant ON public.contact_email_types USING btree (tenant_id, "position");
+
+CREATE INDEX idx_contact_emails_email ON public.contact_emails USING btree (tenant_id, email);
+
+CREATE INDEX idx_contact_emails_entity ON public.contact_emails USING btree (tenant_id, entity_type, entity_id, "position");
+
+CREATE INDEX idx_contact_phones_entity ON public.contact_phones USING btree (tenant_id, entity_type, entity_id, "position");
+
+CREATE INDEX idx_contact_phones_number ON public.contact_phones USING btree (tenant_id, number);
+
+CREATE INDEX idx_contact_types_tenant ON public.contact_types USING btree (tenant_id, "position");
+
+CREATE INDEX idx_conv_msg_delivery_status ON public.conversation_messages USING btree (tenant_id, delivery_status) WHERE (direction = 'outbound'::text);
+
+CREATE INDEX idx_conv_msg_from_number ON public.conversation_messages USING btree (tenant_id, from_number);
+
+CREATE INDEX idx_conv_msg_kanban ON public.conversation_messages USING btree (tenant_id, kanban_status, priority DESC, created_at DESC);
+
+CREATE INDEX idx_conv_msg_patient ON public.conversation_messages USING btree (patient_id, created_at DESC) WHERE (patient_id IS NOT NULL);
+
+CREATE INDEX idx_conv_msg_provider_msg_id ON public.conversation_messages USING btree (provider_message_id) WHERE (provider_message_id IS NOT NULL);
+
+CREATE INDEX idx_conv_msg_tenant_created ON public.conversation_messages USING btree (tenant_id, created_at DESC);
+
+CREATE INDEX idx_conv_notes_created_by ON public.conversation_notes USING btree (created_by, created_at DESC) WHERE (deleted_at IS NULL);
+
+CREATE INDEX idx_conv_notes_patient ON public.conversation_notes USING btree (patient_id, created_at DESC) WHERE ((deleted_at IS NULL) AND (patient_id IS NOT NULL));
+
+CREATE INDEX idx_conv_notes_tenant_thread ON public.conversation_notes USING btree (tenant_id, thread_key, created_at DESC) WHERE (deleted_at IS NULL);
+
+CREATE INDEX idx_conv_optout_kw_tenant ON public.conversation_optout_keywords USING btree (tenant_id) WHERE (enabled = true);
+
+CREATE INDEX idx_conv_optouts_patient ON public.conversation_optouts USING btree (patient_id) WHERE (patient_id IS NOT NULL);
+
+CREATE INDEX idx_conv_optouts_tenant_phone ON public.conversation_optouts USING btree (tenant_id, phone);
+
+CREATE INDEX idx_conv_tags_tenant ON public.conversation_tags USING btree (tenant_id, "position");
+
+CREATE INDEX idx_conv_thread_tags_tag ON public.conversation_thread_tags USING btree (tag_id);
+
+CREATE INDEX idx_conv_thread_tags_tenant_thread ON public.conversation_thread_tags USING btree (tenant_id, thread_key);
+
+CREATE INDEX idx_dev_auditoria_items_categoria ON public.dev_auditoria_items USING btree (categoria);
+
+CREATE INDEX idx_dev_auditoria_items_ordem ON public.dev_auditoria_items USING btree (ordem);
+
+CREATE INDEX idx_dev_auditoria_items_severidade ON public.dev_auditoria_items USING btree (severidade);
+
+CREATE INDEX idx_dev_auditoria_items_status ON public.dev_auditoria_items USING btree (status);
+
+CREATE INDEX idx_dev_ccs_comp ON public.dev_comparison_competitor_status USING btree (competitor_id);
+
+CREATE INDEX idx_dev_ccs_comparison ON public.dev_comparison_competitor_status USING btree (comparison_id);
+
+CREATE INDEX idx_dev_comparison_matrix_dominio ON public.dev_comparison_matrix USING btree (dominio);
+
+CREATE INDEX idx_dev_comparison_matrix_status ON public.dev_comparison_matrix USING btree (nosso_status);
+
+CREATE INDEX idx_dev_competitor_features_cat ON public.dev_competitor_features USING btree (categoria);
+
+CREATE INDEX idx_dev_competitor_features_comp ON public.dev_competitor_features USING btree (competitor_id);
+
+CREATE INDEX idx_dev_competitor_features_destaque ON public.dev_competitor_features USING btree (destaque);
+
+CREATE INDEX idx_dev_competitor_features_ordem ON public.dev_competitor_features USING btree (competitor_id, ordem);
+
+CREATE INDEX idx_dev_competitors_ativo ON public.dev_competitors USING btree (ativo);
+
+CREATE INDEX idx_dev_competitors_pais ON public.dev_competitors USING btree (pais);
+
+CREATE INDEX idx_dev_generation_log_created ON public.dev_generation_log USING btree (created_at DESC);
+
+CREATE INDEX idx_dev_generation_log_tipo ON public.dev_generation_log USING btree (tipo);
+
+CREATE INDEX idx_dev_roadmap_items_ordem ON public.dev_roadmap_items USING btree (phase_id, ordem);
+
+CREATE INDEX idx_dev_roadmap_items_phase ON public.dev_roadmap_items USING btree (phase_id);
+
+CREATE INDEX idx_dev_roadmap_items_prior ON public.dev_roadmap_items USING btree (prioridade);
+
+CREATE INDEX idx_dev_roadmap_items_status ON public.dev_roadmap_items USING btree (status);
+
+CREATE INDEX idx_dev_roadmap_phases_ordem ON public.dev_roadmap_phases USING btree (ordem);
+
+CREATE INDEX idx_dev_roadmap_phases_status ON public.dev_roadmap_phases USING btree (status);
+
+CREATE INDEX idx_dev_test_items_area ON public.dev_test_items USING btree (area);
+
+CREATE INDEX idx_dev_test_items_ordem ON public.dev_test_items USING btree (area, ordem);
+
+CREATE INDEX idx_dev_test_items_status ON public.dev_test_items USING btree (status);
+
+CREATE INDEX idx_dev_verificacoes_area ON public.dev_verificacoes_items USING btree (area);
+
+CREATE INDEX idx_dev_verificacoes_ordem ON public.dev_verificacoes_items USING btree (area, ordem);
+
+CREATE INDEX idx_dev_verificacoes_severidade ON public.dev_verificacoes_items USING btree (severidade);
+
+CREATE INDEX idx_dev_verificacoes_status ON public.dev_verificacoes_items USING btree (status);
+
+CREATE INDEX idx_documents_content_sha256 ON public.documents USING btree (content_sha256) WHERE (content_sha256 IS NOT NULL);
+
 CREATE INDEX idx_email_templates_global_domain ON public.email_templates_global USING btree (domain) WHERE (is_active = true);

 CREATE INDEX idx_email_templates_global_key ON public.email_templates_global USING btree (key) WHERE (is_active = true);
@@ -178,6 +294,8 @@ CREATE INDEX idx_email_templates_tenant_lookup ON public.email_templates_tenant

 CREATE INDEX idx_email_templates_tenant_owner ON public.email_templates_tenant USING btree (owner_id, template_key) WHERE ((enabled = true) AND (owner_id IS NOT NULL));

+CREATE INDEX idx_features_is_active ON public.features USING btree (is_active) WHERE (is_active = false);
+
 CREATE INDEX idx_financial_categories_user_id ON public.financial_categories USING btree (user_id);

 CREATE INDEX idx_financial_records_active ON public.financial_records USING btree (owner_id, paid_at DESC) WHERE (deleted_at IS NULL);
@@ -216,6 +334,8 @@ CREATE INDEX idx_intakes_owner_status_created ON public.patient_intake_requests

 CREATE INDEX idx_intakes_status_created ON public.patient_intake_requests USING btree (status, created_at DESC);

+CREATE INDEX idx_mc_expires ON public.math_challenges USING btree (expires_at);
+
 CREATE INDEX idx_notice_dismissals_user ON public.notice_dismissals USING btree (user_id, notice_id);

 CREATE INDEX idx_notif_channels_owner_active ON public.notification_channels USING btree (owner_id, channel) WHERE ((is_active = true) AND (deleted_at IS NULL));
@@ -270,12 +390,28 @@ CREATE INDEX idx_patient_groups_owner ON public.patient_groups USING btree (owne

 CREATE INDEX idx_patient_groups_owner_system_nome ON public.patient_groups USING btree (owner_id, is_system, nome);

+CREATE INDEX idx_patient_intake_requests_nome_trgm ON public.patient_intake_requests USING gin (nome_completo public.gin_trgm_ops) WHERE (status = 'new'::text);
+
+CREATE INDEX idx_patient_invite_attempts_created ON public.patient_invite_attempts USING btree (created_at DESC);
+
+CREATE INDEX idx_patient_invite_attempts_ok ON public.patient_invite_attempts USING btree (ok) WHERE (ok = false);
+
+CREATE INDEX idx_patient_invite_attempts_owner ON public.patient_invite_attempts USING btree (owner_id);
+
+CREATE INDEX idx_patient_invite_attempts_token ON public.patient_invite_attempts USING btree (token);
+
 CREATE INDEX idx_patient_tags_owner ON public.patient_tags USING btree (owner_id);

+CREATE INDEX idx_patients_cpf_trgm ON public.patients USING gin (cpf public.gin_trgm_ops) WHERE (cpf IS NOT NULL);
+
 CREATE INDEX idx_patients_created_at ON public.patients USING btree (created_at DESC);

+CREATE INDEX idx_patients_email_trgm ON public.patients USING gin (email_principal public.gin_trgm_ops) WHERE (email_principal IS NOT NULL);
+
 CREATE INDEX idx_patients_last_attended ON public.patients USING btree (last_attended_at DESC);

+CREATE INDEX idx_patients_nome_trgm ON public.patients USING gin (nome_completo public.gin_trgm_ops);
+
 CREATE INDEX idx_patients_origem ON public.patients USING btree (tenant_id, origem) WHERE (origem IS NOT NULL);

 CREATE INDEX idx_patients_owner_email_principal ON public.patients USING btree (owner_id, email_principal);
@@ -304,6 +440,12 @@ CREATE INDEX idx_ppt_patient ON public.patient_patient_tag USING btree (patient_

 CREATE INDEX idx_ppt_tag ON public.patient_patient_tag USING btree (tag_id);

+CREATE INDEX idx_psa_endpoint_created ON public.public_submission_attempts USING btree (endpoint, created_at DESC);
+
+CREATE INDEX idx_psa_failed ON public.public_submission_attempts USING btree (created_at DESC) WHERE (success = false);
+
+CREATE INDEX idx_psa_ip_hash_created ON public.public_submission_attempts USING btree (ip_hash, created_at DESC) WHERE (ip_hash IS NOT NULL);
+
 CREATE INDEX idx_psh_patient ON public.patient_status_history USING btree (patient_id, alterado_em DESC);

 CREATE INDEX idx_psh_tenant ON public.patient_status_history USING btree (tenant_id, alterado_em DESC);
@@ -314,8 +456,16 @@ CREATE INDEX idx_pt_patient_ocorrido ON public.patient_timeline USING btree (pat

 CREATE INDEX idx_pt_tenant ON public.patient_timeline USING btree (tenant_id, ocorrido_em DESC);

+CREATE INDEX idx_services_name_trgm ON public.services USING gin (name public.gin_trgm_ops);
+
+CREATE INDEX idx_session_reminder_tenant_sent ON public.session_reminder_logs USING btree (tenant_id, sent_at DESC);
+
 CREATE INDEX idx_slots_bloq_owner_dia ON public.agenda_slots_bloqueados_semanais USING btree (owner_id, dia_semana);

+CREATE INDEX idx_srl_blocked_until ON public.submission_rate_limits USING btree (blocked_until) WHERE (blocked_until IS NOT NULL);
+
+CREATE INDEX idx_srl_endpoint ON public.submission_rate_limits USING btree (endpoint, last_attempt_at DESC);
+
 CREATE INDEX idx_subscription_intents_plan_interval ON public.subscription_intents_legacy USING btree (plan_key, "interval");

 CREATE INDEX idx_subscription_intents_status ON public.subscription_intents_legacy USING btree (status);
@@ -344,6 +494,18 @@ CREATE INDEX idx_twilio_usage_tenant_period ON public.twilio_subaccount_usage US

 CREATE UNIQUE INDEX idx_twilio_usage_unique_period ON public.twilio_subaccount_usage USING btree (channel_id, period_start, period_end);

+CREATE INDEX idx_wa_credit_packages_active ON public.whatsapp_credit_packages USING btree (is_active, "position", price_brl) WHERE (is_active = true);
+
+CREATE INDEX idx_wa_credit_purchases_asaas_payment ON public.whatsapp_credit_purchases USING btree (asaas_payment_id) WHERE (asaas_payment_id IS NOT NULL);
+
+CREATE INDEX idx_wa_credit_purchases_status ON public.whatsapp_credit_purchases USING btree (status, created_at DESC);
+
+CREATE INDEX idx_wa_credit_purchases_tenant ON public.whatsapp_credit_purchases USING btree (tenant_id, created_at DESC);
+
+CREATE INDEX idx_wa_credits_tx_kind ON public.whatsapp_credits_transactions USING btree (tenant_id, kind, created_at DESC);
+
+CREATE INDEX idx_wa_credits_tx_tenant_created ON public.whatsapp_credits_transactions USING btree (tenant_id, created_at DESC);
+
 CREATE INDEX insurance_plans_owner_idx ON public.insurance_plans USING btree (owner_id);

 CREATE INDEX insurance_plans_tenant_idx ON public.insurance_plans USING btree (tenant_id);
@@ -522,6 +684,24 @@ CREATE INDEX tenant_modules_owner_idx ON public.tenant_modules USING btree (owne

 CREATE UNIQUE INDEX unique_member_per_tenant ON public.tenant_members USING btree (tenant_id, user_id);

+CREATE UNIQUE INDEX uq_contact_email_types_system_slug ON public.contact_email_types USING btree (slug) WHERE (tenant_id IS NULL);
+
+CREATE UNIQUE INDEX uq_contact_email_types_tenant_slug ON public.contact_email_types USING btree (tenant_id, slug) WHERE (tenant_id IS NOT NULL);
+
+CREATE UNIQUE INDEX uq_contact_emails_primary ON public.contact_emails USING btree (entity_type, entity_id) WHERE (is_primary = true);
+
+CREATE UNIQUE INDEX uq_contact_phones_primary ON public.contact_phones USING btree (entity_type, entity_id) WHERE (is_primary = true);
+
+CREATE UNIQUE INDEX uq_contact_types_system_slug ON public.contact_types USING btree (slug) WHERE (tenant_id IS NULL);
+
+CREATE UNIQUE INDEX uq_contact_types_tenant_slug ON public.contact_types USING btree (tenant_id, slug) WHERE (tenant_id IS NOT NULL);
+
+CREATE UNIQUE INDEX uq_conv_optouts_active ON public.conversation_optouts USING btree (tenant_id, phone) WHERE (opted_back_in_at IS NULL);
+
+CREATE UNIQUE INDEX uq_conv_tags_system_slug ON public.conversation_tags USING btree (slug) WHERE (tenant_id IS NULL);
+
+CREATE UNIQUE INDEX uq_conv_tags_tenant_slug ON public.conversation_tags USING btree (tenant_id, slug) WHERE (tenant_id IS NOT NULL);
+
 CREATE UNIQUE INDEX uq_patient_contacts_primario ON public.patient_contacts USING btree (patient_id) WHERE ((is_primario = true) AND (ativo = true));

 CREATE UNIQUE INDEX uq_patients_tenant_user ON public.patients USING btree (tenant_id, user_id) WHERE (user_id IS NOT NULL);
@@ -530,6 +710,8 @@ CREATE UNIQUE INDEX uq_plan_price_active ON public.plan_prices USING btree (plan

 CREATE UNIQUE INDEX uq_plan_prices_active ON public.plan_prices USING btree (plan_id, "interval") WHERE (is_active = true);

+CREATE UNIQUE INDEX uq_session_reminder_event_type ON public.session_reminder_logs USING btree (event_id, reminder_type);
+
 CREATE UNIQUE INDEX uq_subscriptions_active_by_tenant ON public.subscriptions USING btree (tenant_id) WHERE ((tenant_id IS NOT NULL) AND (status = 'active'::text));

 CREATE UNIQUE INDEX uq_subscriptions_active_personal_by_user ON public.subscriptions USING btree (user_id) WHERE ((tenant_id IS NULL) AND (status = 'active'::text));
@@ -1,6 +1,6 @@
 -- Constraints (PK, FK, UNIQUE, CHECK)
-- Gerado automaticamente em 2026-04-17T12:23:05.237Z
-- Total: 275
+-- Gerado automaticamente em 2026-04-21T23:16:34.963Z
+-- Total: 353

 ALTER TABLE ONLY public._db_migrations
    ADD CONSTRAINT _db_migrations_filename_key UNIQUE (filename);
@@ -65,6 +65,9 @@ ALTER TABLE ONLY public.agendador_configuracoes
 ALTER TABLE ONLY public.agendador_solicitacoes
    ADD CONSTRAINT agendador_solicitacoes_pkey PRIMARY KEY (id);

+ALTER TABLE ONLY public.audit_logs
+    ADD CONSTRAINT audit_logs_pkey PRIMARY KEY (id);
+
 ALTER TABLE ONLY public.billing_contracts
    ADD CONSTRAINT billing_contracts_pkey PRIMARY KEY (id);

@@ -80,6 +83,42 @@ ALTER TABLE ONLY public.company_profiles
 ALTER TABLE ONLY public.company_profiles
    ADD CONSTRAINT company_profiles_tenant_id_key UNIQUE (tenant_id);

+ALTER TABLE ONLY public.contact_email_types
+    ADD CONSTRAINT contact_email_types_pkey PRIMARY KEY (id);
+
+ALTER TABLE ONLY public.contact_emails
+    ADD CONSTRAINT contact_emails_pkey PRIMARY KEY (id);
+
+ALTER TABLE ONLY public.contact_phones
+    ADD CONSTRAINT contact_phones_pkey PRIMARY KEY (id);
+
+ALTER TABLE ONLY public.contact_types
+    ADD CONSTRAINT contact_types_pkey PRIMARY KEY (id);
+
+ALTER TABLE ONLY public.conversation_autoreply_log
+    ADD CONSTRAINT conversation_autoreply_log_pkey PRIMARY KEY (id);
+
+ALTER TABLE ONLY public.conversation_autoreply_settings
+    ADD CONSTRAINT conversation_autoreply_settings_pkey PRIMARY KEY (tenant_id);
+
+ALTER TABLE ONLY public.conversation_messages
+    ADD CONSTRAINT conversation_messages_pkey PRIMARY KEY (id);
+
+ALTER TABLE ONLY public.conversation_notes
+    ADD CONSTRAINT conversation_notes_pkey PRIMARY KEY (id);
+
+ALTER TABLE ONLY public.conversation_optout_keywords
+    ADD CONSTRAINT conversation_optout_keywords_pkey PRIMARY KEY (id);
+
+ALTER TABLE ONLY public.conversation_optouts
+    ADD CONSTRAINT conversation_optouts_pkey PRIMARY KEY (id);
+
+ALTER TABLE ONLY public.conversation_tags
+    ADD CONSTRAINT conversation_tags_pkey PRIMARY KEY (id);
+
+ALTER TABLE ONLY public.conversation_thread_tags
+    ADD CONSTRAINT conversation_thread_tags_pkey PRIMARY KEY (tenant_id, thread_key, tag_id);
+
 ALTER TABLE ONLY public.determined_commitment_fields
    ADD CONSTRAINT determined_commitment_fields_pkey PRIMARY KEY (id);

@@ -89,12 +128,51 @@ ALTER TABLE ONLY public.determined_commitments
 ALTER TABLE ONLY public.determined_commitments
    ADD CONSTRAINT determined_commitments_tenant_native_key_uq UNIQUE (tenant_id, native_key);

+ALTER TABLE ONLY public.dev_auditoria_items
+    ADD CONSTRAINT dev_auditoria_items_pkey PRIMARY KEY (id);
+
+ALTER TABLE ONLY public.dev_comparison_competitor_status
+    ADD CONSTRAINT dev_comparison_competitor_statu_comparison_id_competitor_id_key UNIQUE (comparison_id, competitor_id);
+
+ALTER TABLE ONLY public.dev_comparison_competitor_status
+    ADD CONSTRAINT dev_comparison_competitor_status_pkey PRIMARY KEY (id);
+
+ALTER TABLE ONLY public.dev_comparison_matrix
+    ADD CONSTRAINT dev_comparison_matrix_pkey PRIMARY KEY (id);
+
+ALTER TABLE ONLY public.dev_competitor_features
+    ADD CONSTRAINT dev_competitor_features_pkey PRIMARY KEY (id);
+
+ALTER TABLE ONLY public.dev_competitors
+    ADD CONSTRAINT dev_competitors_pkey PRIMARY KEY (id);
+
+ALTER TABLE ONLY public.dev_competitors
+    ADD CONSTRAINT dev_competitors_slug_key UNIQUE (slug);
+
+ALTER TABLE ONLY public.dev_generation_log
+    ADD CONSTRAINT dev_generation_log_pkey PRIMARY KEY (id);
+
+ALTER TABLE ONLY public.dev_roadmap_items
+    ADD CONSTRAINT dev_roadmap_items_pkey PRIMARY KEY (id);
+
+ALTER TABLE ONLY public.dev_roadmap_phases
+    ADD CONSTRAINT dev_roadmap_phases_numero_key UNIQUE (numero);
+
+ALTER TABLE ONLY public.dev_roadmap_phases
+    ADD CONSTRAINT dev_roadmap_phases_pkey PRIMARY KEY (id);
+
+ALTER TABLE ONLY public.dev_test_items
+    ADD CONSTRAINT dev_test_items_pkey PRIMARY KEY (id);
+
 ALTER TABLE ONLY public.dev_user_credentials
    ADD CONSTRAINT dev_user_credentials_email_key UNIQUE (email);

 ALTER TABLE ONLY public.dev_user_credentials
    ADD CONSTRAINT dev_user_credentials_pkey PRIMARY KEY (id);

+ALTER TABLE ONLY public.dev_verificacoes_items
+    ADD CONSTRAINT dev_verificacoes_items_pkey PRIMARY KEY (id);
+
 ALTER TABLE ONLY public.document_access_logs
    ADD CONSTRAINT document_access_logs_pkey PRIMARY KEY (id);

@@ -170,6 +248,9 @@ ALTER TABLE ONLY public.insurance_plans
 ALTER TABLE ONLY public.login_carousel_slides
    ADD CONSTRAINT login_carousel_slides_pkey PRIMARY KEY (id);

+ALTER TABLE ONLY public.math_challenges
+    ADD CONSTRAINT math_challenges_pkey PRIMARY KEY (id);
+
 ALTER TABLE ONLY public.medicos
    ADD CONSTRAINT medicos_crm_owner_unique UNIQUE NULLS NOT DISTINCT (owner_id, crm);

@@ -230,6 +311,9 @@ ALTER TABLE ONLY public.patient_groups
 ALTER TABLE ONLY public.patient_intake_requests
    ADD CONSTRAINT patient_intake_requests_pkey PRIMARY KEY (id);

+ALTER TABLE ONLY public.patient_invite_attempts
+    ADD CONSTRAINT patient_invite_attempts_pkey PRIMARY KEY (id);
+
 ALTER TABLE ONLY public.patient_invites
    ADD CONSTRAINT patient_invites_pkey PRIMARY KEY (id);

@@ -290,6 +374,9 @@ ALTER TABLE ONLY public.professional_pricing
 ALTER TABLE ONLY public.profiles
    ADD CONSTRAINT profiles_pkey PRIMARY KEY (id);

+ALTER TABLE ONLY public.public_submission_attempts
+    ADD CONSTRAINT public_submission_attempts_pkey PRIMARY KEY (id);
+
 ALTER TABLE ONLY public.recurrence_exceptions
    ADD CONSTRAINT recurrence_exceptions_pkey PRIMARY KEY (id);

@@ -320,9 +407,24 @@ ALTER TABLE ONLY public.saas_faq_itens
 ALTER TABLE ONLY public.saas_faq
    ADD CONSTRAINT saas_faq_pkey PRIMARY KEY (id);

+ALTER TABLE ONLY public.saas_security_config
+    ADD CONSTRAINT saas_security_config_pkey PRIMARY KEY (id);
+
+ALTER TABLE ONLY public.saas_twilio_config
+    ADD CONSTRAINT saas_twilio_config_pkey PRIMARY KEY (id);
+
 ALTER TABLE ONLY public.services
    ADD CONSTRAINT services_pkey PRIMARY KEY (id);

+ALTER TABLE ONLY public.session_reminder_logs
+    ADD CONSTRAINT session_reminder_logs_pkey PRIMARY KEY (id);
+
+ALTER TABLE ONLY public.session_reminder_settings
+    ADD CONSTRAINT session_reminder_settings_pkey PRIMARY KEY (tenant_id);
+
+ALTER TABLE ONLY public.submission_rate_limits
+    ADD CONSTRAINT submission_rate_limits_pkey PRIMARY KEY (ip_hash, endpoint);
+
 ALTER TABLE ONLY public.subscription_events
    ADD CONSTRAINT subscription_events_pkey PRIMARY KEY (id);

@@ -398,6 +500,18 @@ ALTER TABLE ONLY public.notification_templates
 ALTER TABLE ONLY public.user_settings
    ADD CONSTRAINT user_settings_pkey PRIMARY KEY (user_id);

+ALTER TABLE ONLY public.whatsapp_credit_packages
+    ADD CONSTRAINT whatsapp_credit_packages_pkey PRIMARY KEY (id);
+
+ALTER TABLE ONLY public.whatsapp_credit_purchases
+    ADD CONSTRAINT whatsapp_credit_purchases_pkey PRIMARY KEY (id);
+
+ALTER TABLE ONLY public.whatsapp_credits_balance
+    ADD CONSTRAINT whatsapp_credits_balance_pkey PRIMARY KEY (tenant_id);
+
+ALTER TABLE ONLY public.whatsapp_credits_transactions
+    ADD CONSTRAINT whatsapp_credits_transactions_pkey PRIMARY KEY (id);
+
 ALTER TABLE ONLY public.addon_credits
    ADD CONSTRAINT addon_credits_owner_id_fkey FOREIGN KEY (owner_id) REFERENCES auth.users(id);

@@ -476,6 +590,12 @@ ALTER TABLE ONLY public.agendador_solicitacoes
 ALTER TABLE ONLY public.agendador_solicitacoes
    ADD CONSTRAINT agendador_sol_tenant_fk FOREIGN KEY (tenant_id) REFERENCES public.tenants(id) ON DELETE CASCADE;

+ALTER TABLE ONLY public.audit_logs
+    ADD CONSTRAINT audit_logs_tenant_id_fkey FOREIGN KEY (tenant_id) REFERENCES public.tenants(id) ON DELETE CASCADE;
+
+ALTER TABLE ONLY public.audit_logs
+    ADD CONSTRAINT audit_logs_user_id_fkey FOREIGN KEY (user_id) REFERENCES auth.users(id) ON DELETE SET NULL;
+
 ALTER TABLE ONLY public.billing_contracts
    ADD CONSTRAINT billing_contracts_owner_id_fkey FOREIGN KEY (owner_id) REFERENCES auth.users(id) ON DELETE CASCADE;

@@ -500,6 +620,69 @@ ALTER TABLE ONLY public.commitment_time_logs
 ALTER TABLE ONLY public.company_profiles
    ADD CONSTRAINT company_profiles_tenant_id_fkey FOREIGN KEY (tenant_id) REFERENCES public.tenants(id) ON DELETE CASCADE;

+ALTER TABLE ONLY public.contact_email_types
+    ADD CONSTRAINT contact_email_types_tenant_id_fkey FOREIGN KEY (tenant_id) REFERENCES public.tenants(id) ON DELETE CASCADE;
+
+ALTER TABLE ONLY public.contact_emails
+    ADD CONSTRAINT contact_emails_contact_email_type_id_fkey FOREIGN KEY (contact_email_type_id) REFERENCES public.contact_email_types(id) ON DELETE RESTRICT;
+
+ALTER TABLE ONLY public.contact_emails
+    ADD CONSTRAINT contact_emails_tenant_id_fkey FOREIGN KEY (tenant_id) REFERENCES public.tenants(id) ON DELETE CASCADE;
+
+ALTER TABLE ONLY public.contact_phones
+    ADD CONSTRAINT contact_phones_contact_type_id_fkey FOREIGN KEY (contact_type_id) REFERENCES public.contact_types(id) ON DELETE RESTRICT;
+
+ALTER TABLE ONLY public.contact_phones
+    ADD CONSTRAINT contact_phones_tenant_id_fkey FOREIGN KEY (tenant_id) REFERENCES public.tenants(id) ON DELETE CASCADE;
+
+ALTER TABLE ONLY public.contact_types
+    ADD CONSTRAINT contact_types_tenant_id_fkey FOREIGN KEY (tenant_id) REFERENCES public.tenants(id) ON DELETE CASCADE;
+
+ALTER TABLE ONLY public.conversation_autoreply_log
+    ADD CONSTRAINT conversation_autoreply_log_tenant_id_fkey FOREIGN KEY (tenant_id) REFERENCES public.tenants(id) ON DELETE CASCADE;
+
+ALTER TABLE ONLY public.conversation_autoreply_settings
+    ADD CONSTRAINT conversation_autoreply_settings_tenant_id_fkey FOREIGN KEY (tenant_id) REFERENCES public.tenants(id) ON DELETE CASCADE;
+
+ALTER TABLE ONLY public.conversation_messages
+    ADD CONSTRAINT conversation_messages_patient_id_fkey FOREIGN KEY (patient_id) REFERENCES public.patients(id) ON DELETE SET NULL;
+
+ALTER TABLE ONLY public.conversation_messages
+    ADD CONSTRAINT conversation_messages_tenant_id_fkey FOREIGN KEY (tenant_id) REFERENCES public.tenants(id) ON DELETE CASCADE;
+
+ALTER TABLE ONLY public.conversation_notes
+    ADD CONSTRAINT conversation_notes_created_by_fkey FOREIGN KEY (created_by) REFERENCES auth.users(id) ON DELETE SET NULL;
+
+ALTER TABLE ONLY public.conversation_notes
+    ADD CONSTRAINT conversation_notes_patient_id_fkey FOREIGN KEY (patient_id) REFERENCES public.patients(id) ON DELETE SET NULL;
+
+ALTER TABLE ONLY public.conversation_notes
+    ADD CONSTRAINT conversation_notes_tenant_id_fkey FOREIGN KEY (tenant_id) REFERENCES public.tenants(id) ON DELETE CASCADE;
+
+ALTER TABLE ONLY public.conversation_optout_keywords
+    ADD CONSTRAINT conversation_optout_keywords_tenant_id_fkey FOREIGN KEY (tenant_id) REFERENCES public.tenants(id) ON DELETE CASCADE;
+
+ALTER TABLE ONLY public.conversation_optouts
+    ADD CONSTRAINT conversation_optouts_blocked_by_fkey FOREIGN KEY (blocked_by) REFERENCES auth.users(id) ON DELETE SET NULL;
+
+ALTER TABLE ONLY public.conversation_optouts
+    ADD CONSTRAINT conversation_optouts_patient_id_fkey FOREIGN KEY (patient_id) REFERENCES public.patients(id) ON DELETE SET NULL;
+
+ALTER TABLE ONLY public.conversation_optouts
+    ADD CONSTRAINT conversation_optouts_tenant_id_fkey FOREIGN KEY (tenant_id) REFERENCES public.tenants(id) ON DELETE CASCADE;
+
+ALTER TABLE ONLY public.conversation_tags
+    ADD CONSTRAINT conversation_tags_tenant_id_fkey FOREIGN KEY (tenant_id) REFERENCES public.tenants(id) ON DELETE CASCADE;
+
+ALTER TABLE ONLY public.conversation_thread_tags
+    ADD CONSTRAINT conversation_thread_tags_tag_id_fkey FOREIGN KEY (tag_id) REFERENCES public.conversation_tags(id) ON DELETE CASCADE;
+
+ALTER TABLE ONLY public.conversation_thread_tags
+    ADD CONSTRAINT conversation_thread_tags_tagged_by_fkey FOREIGN KEY (tagged_by) REFERENCES auth.users(id) ON DELETE SET NULL;
+
+ALTER TABLE ONLY public.conversation_thread_tags
+    ADD CONSTRAINT conversation_thread_tags_tenant_id_fkey FOREIGN KEY (tenant_id) REFERENCES public.tenants(id) ON DELETE CASCADE;
+
 ALTER TABLE ONLY public.determined_commitment_fields
    ADD CONSTRAINT determined_commitment_fields_commitment_id_fkey FOREIGN KEY (commitment_id) REFERENCES public.determined_commitments(id) ON DELETE CASCADE;

@@ -509,6 +692,21 @@ ALTER TABLE ONLY public.determined_commitment_fields
 ALTER TABLE ONLY public.determined_commitments
    ADD CONSTRAINT determined_commitments_tenant_id_fkey FOREIGN KEY (tenant_id) REFERENCES public.tenants(id) ON DELETE CASCADE;

+ALTER TABLE ONLY public.dev_comparison_competitor_status
+    ADD CONSTRAINT dev_comparison_competitor_status_comparison_id_fkey FOREIGN KEY (comparison_id) REFERENCES public.dev_comparison_matrix(id) ON DELETE CASCADE;
+
+ALTER TABLE ONLY public.dev_comparison_competitor_status
+    ADD CONSTRAINT dev_comparison_competitor_status_competitor_id_fkey FOREIGN KEY (competitor_id) REFERENCES public.dev_competitors(id) ON DELETE CASCADE;
+
+ALTER TABLE ONLY public.dev_competitor_features
+    ADD CONSTRAINT dev_competitor_features_competitor_id_fkey FOREIGN KEY (competitor_id) REFERENCES public.dev_competitors(id) ON DELETE CASCADE;
+
+ALTER TABLE ONLY public.dev_roadmap_items
+    ADD CONSTRAINT dev_roadmap_items_phase_id_fkey FOREIGN KEY (phase_id) REFERENCES public.dev_roadmap_phases(id) ON DELETE CASCADE;
+
+ALTER TABLE ONLY public.dev_verificacoes_items
+    ADD CONSTRAINT dev_verificacoes_items_auditoria_item_id_fkey FOREIGN KEY (auditoria_item_id) REFERENCES public.dev_auditoria_items(id) ON DELETE SET NULL;
+
 ALTER TABLE ONLY public.document_access_logs
    ADD CONSTRAINT document_access_logs_documento_id_fkey FOREIGN KEY (documento_id) REFERENCES public.documents(id) ON DELETE CASCADE;

@@ -752,6 +950,18 @@ ALTER TABLE ONLY public.saas_faq_itens
 ALTER TABLE ONLY public.services
    ADD CONSTRAINT services_owner_id_fkey FOREIGN KEY (owner_id) REFERENCES auth.users(id) ON DELETE CASCADE;

+ALTER TABLE ONLY public.session_reminder_logs
+    ADD CONSTRAINT session_reminder_logs_conversation_message_id_fkey FOREIGN KEY (conversation_message_id) REFERENCES public.conversation_messages(id) ON DELETE SET NULL;
+
+ALTER TABLE ONLY public.session_reminder_logs
+    ADD CONSTRAINT session_reminder_logs_event_id_fkey FOREIGN KEY (event_id) REFERENCES public.agenda_eventos(id) ON DELETE CASCADE;
+
+ALTER TABLE ONLY public.session_reminder_logs
+    ADD CONSTRAINT session_reminder_logs_tenant_id_fkey FOREIGN KEY (tenant_id) REFERENCES public.tenants(id) ON DELETE CASCADE;
+
+ALTER TABLE ONLY public.session_reminder_settings
+    ADD CONSTRAINT session_reminder_settings_tenant_id_fkey FOREIGN KEY (tenant_id) REFERENCES public.tenants(id) ON DELETE CASCADE;
+
 ALTER TABLE ONLY public.subscription_intents_personal
    ADD CONSTRAINT sint_personal_subscription_id_fkey FOREIGN KEY (subscription_id) REFERENCES public.subscriptions(id) ON DELETE SET NULL;

@@ -826,3 +1036,27 @@ ALTER TABLE ONLY public.twilio_subaccount_usage

 ALTER TABLE ONLY public.user_settings
    ADD CONSTRAINT user_settings_user_id_fkey FOREIGN KEY (user_id) REFERENCES auth.users(id) ON DELETE CASCADE;
+
+ALTER TABLE ONLY public.whatsapp_credit_purchases
+    ADD CONSTRAINT whatsapp_credit_purchases_created_by_fkey FOREIGN KEY (created_by) REFERENCES auth.users(id) ON DELETE SET NULL;
+
+ALTER TABLE ONLY public.whatsapp_credit_purchases
+    ADD CONSTRAINT whatsapp_credit_purchases_package_id_fkey FOREIGN KEY (package_id) REFERENCES public.whatsapp_credit_packages(id) ON DELETE SET NULL;
+
+ALTER TABLE ONLY public.whatsapp_credit_purchases
+    ADD CONSTRAINT whatsapp_credit_purchases_tenant_id_fkey FOREIGN KEY (tenant_id) REFERENCES public.tenants(id) ON DELETE CASCADE;
+
+ALTER TABLE ONLY public.whatsapp_credits_balance
+    ADD CONSTRAINT whatsapp_credits_balance_tenant_id_fkey FOREIGN KEY (tenant_id) REFERENCES public.tenants(id) ON DELETE CASCADE;
+
+ALTER TABLE ONLY public.whatsapp_credits_transactions
+    ADD CONSTRAINT whatsapp_credits_transactions_admin_id_fkey FOREIGN KEY (admin_id) REFERENCES auth.users(id) ON DELETE SET NULL;
+
+ALTER TABLE ONLY public.whatsapp_credits_transactions
+    ADD CONSTRAINT whatsapp_credits_transactions_conversation_message_id_fkey FOREIGN KEY (conversation_message_id) REFERENCES public.conversation_messages(id) ON DELETE SET NULL;
+
+ALTER TABLE ONLY public.whatsapp_credits_transactions
+    ADD CONSTRAINT whatsapp_credits_transactions_purchase_id_fkey FOREIGN KEY (purchase_id) REFERENCES public.whatsapp_credit_purchases(id) ON DELETE SET NULL;
+
+ALTER TABLE ONLY public.whatsapp_credits_transactions
+    ADD CONSTRAINT whatsapp_credits_transactions_tenant_id_fkey FOREIGN KEY (tenant_id) REFERENCES public.tenants(id) ON DELETE CASCADE;
@@ -1,6 +1,6 @@
 -- Triggers
-- Gerado automaticamente em 2026-04-17T12:23:05.238Z
-- Total: 80
+-- Gerado automaticamente em 2026-04-21T23:16:34.965Z
+-- Total: 111

 CREATE TRIGGER on_auth_user_created AFTER INSERT ON auth.users FOR EACH ROW EXECUTE FUNCTION public.handle_new_user();

@@ -40,6 +40,16 @@ CREATE TRIGGER trg_agenda_eventos_busy_mirror_upd AFTER UPDATE ON public.agenda_

 CREATE TRIGGER trg_agenda_regras_semanais_no_overlap BEFORE INSERT OR UPDATE ON public.agenda_regras_semanais FOR EACH ROW EXECUTE FUNCTION public.fn_agenda_regras_semanais_no_overlap();

+CREATE TRIGGER trg_audit_agenda_eventos AFTER INSERT OR DELETE OR UPDATE ON public.agenda_eventos FOR EACH ROW EXECUTE FUNCTION public.log_audit_change();
+
+CREATE TRIGGER trg_audit_documents AFTER INSERT OR DELETE OR UPDATE ON public.documents FOR EACH ROW EXECUTE FUNCTION public.log_audit_change();
+
+CREATE TRIGGER trg_audit_financial_records AFTER INSERT OR DELETE OR UPDATE ON public.financial_records FOR EACH ROW EXECUTE FUNCTION public.log_audit_change();
+
+CREATE TRIGGER trg_audit_patients AFTER INSERT OR DELETE OR UPDATE ON public.patients FOR EACH ROW EXECUTE FUNCTION public.log_audit_change();
+
+CREATE TRIGGER trg_audit_tenant_members AFTER INSERT OR DELETE OR UPDATE ON public.tenant_members FOR EACH ROW EXECUTE FUNCTION public.log_audit_change();
+
 CREATE TRIGGER trg_auto_financial_from_session AFTER UPDATE OF status ON public.agenda_eventos FOR EACH ROW EXECUTE FUNCTION public.auto_create_financial_record_from_session();

 CREATE TRIGGER trg_cancel_notifs_on_opt_out AFTER UPDATE ON public.notification_preferences FOR EACH ROW EXECUTE FUNCTION public.cancel_notifications_on_opt_out();
@@ -48,10 +58,50 @@ CREATE TRIGGER trg_cancel_notifs_on_session_cancel AFTER UPDATE ON public.agenda

 CREATE TRIGGER trg_company_profiles_updated_at BEFORE UPDATE ON public.company_profiles FOR EACH ROW EXECUTE FUNCTION public.set_updated_at();

+CREATE TRIGGER trg_contact_email_types_updated_at BEFORE UPDATE ON public.contact_email_types FOR EACH ROW EXECUTE FUNCTION public.set_updated_at();
+
+CREATE TRIGGER trg_contact_emails_sync_legacy AFTER INSERT OR DELETE OR UPDATE ON public.contact_emails FOR EACH ROW EXECUTE FUNCTION public.sync_legacy_email_fields();
+
+CREATE TRIGGER trg_contact_emails_updated_at BEFORE UPDATE ON public.contact_emails FOR EACH ROW EXECUTE FUNCTION public.set_updated_at();
+
+CREATE TRIGGER trg_contact_phones_sync_legacy AFTER INSERT OR DELETE OR UPDATE ON public.contact_phones FOR EACH ROW EXECUTE FUNCTION public.sync_legacy_phone_fields();
+
+CREATE TRIGGER trg_contact_phones_updated_at BEFORE UPDATE ON public.contact_phones FOR EACH ROW EXECUTE FUNCTION public.set_updated_at();
+
+CREATE TRIGGER trg_contact_types_updated_at BEFORE UPDATE ON public.contact_types FOR EACH ROW EXECUTE FUNCTION public.set_updated_at();
+
+CREATE TRIGGER trg_conv_autoreply_settings_updated_at BEFORE UPDATE ON public.conversation_autoreply_settings FOR EACH ROW EXECUTE FUNCTION public.set_updated_at();
+
+CREATE TRIGGER trg_conv_messages_updated_at BEFORE UPDATE ON public.conversation_messages FOR EACH ROW EXECUTE FUNCTION public.set_updated_at();
+
+CREATE TRIGGER trg_conv_notes_updated_at BEFORE UPDATE ON public.conversation_notes FOR EACH ROW EXECUTE FUNCTION public.set_updated_at();
+
+CREATE TRIGGER trg_conv_optouts_updated_at BEFORE UPDATE ON public.conversation_optouts FOR EACH ROW EXECUTE FUNCTION public.set_updated_at();
+
+CREATE TRIGGER trg_conv_tags_updated_at BEFORE UPDATE ON public.conversation_tags FOR EACH ROW EXECUTE FUNCTION public.set_updated_at();
+
 CREATE TRIGGER trg_determined_commitment_fields_updated_at BEFORE UPDATE ON public.determined_commitment_fields FOR EACH ROW EXECUTE FUNCTION public.set_updated_at();

 CREATE TRIGGER trg_determined_commitments_updated_at BEFORE UPDATE ON public.determined_commitments FOR EACH ROW EXECUTE FUNCTION public.set_updated_at();

+CREATE TRIGGER trg_dev_auditoria_items_updated_at BEFORE UPDATE ON public.dev_auditoria_items FOR EACH ROW EXECUTE FUNCTION public.dev_set_updated_at();
+
+CREATE TRIGGER trg_dev_ccs_updated_at BEFORE UPDATE ON public.dev_comparison_competitor_status FOR EACH ROW EXECUTE FUNCTION public.dev_set_updated_at();
+
+CREATE TRIGGER trg_dev_comparison_matrix_updated_at BEFORE UPDATE ON public.dev_comparison_matrix FOR EACH ROW EXECUTE FUNCTION public.dev_set_updated_at();
+
+CREATE TRIGGER trg_dev_competitor_features_updated_at BEFORE UPDATE ON public.dev_competitor_features FOR EACH ROW EXECUTE FUNCTION public.dev_set_updated_at();
+
+CREATE TRIGGER trg_dev_competitors_updated_at BEFORE UPDATE ON public.dev_competitors FOR EACH ROW EXECUTE FUNCTION public.dev_set_updated_at();
+
+CREATE TRIGGER trg_dev_roadmap_items_updated_at BEFORE UPDATE ON public.dev_roadmap_items FOR EACH ROW EXECUTE FUNCTION public.dev_set_updated_at();
+
+CREATE TRIGGER trg_dev_roadmap_phases_updated_at BEFORE UPDATE ON public.dev_roadmap_phases FOR EACH ROW EXECUTE FUNCTION public.dev_set_updated_at();
+
+CREATE TRIGGER trg_dev_test_items_updated_at BEFORE UPDATE ON public.dev_test_items FOR EACH ROW EXECUTE FUNCTION public.dev_set_updated_at();
+
+CREATE TRIGGER trg_dev_verificacoes_updated_at BEFORE UPDATE ON public.dev_verificacoes_items FOR EACH ROW EXECUTE FUNCTION public.dev_set_updated_at();
+
 CREATE TRIGGER trg_documents_timeline_insert AFTER INSERT ON public.documents FOR EACH ROW EXECUTE FUNCTION public.fn_documents_timeline_insert();

 CREATE TRIGGER trg_documents_updated_at BEFORE UPDATE ON public.documents FOR EACH ROW EXECUTE FUNCTION public.set_updated_at();
@@ -68,10 +118,14 @@ CREATE TRIGGER trg_email_templates_global_updated_at BEFORE UPDATE ON public.ema

 CREATE TRIGGER trg_email_templates_tenant_updated_at BEFORE UPDATE ON public.email_templates_tenant FOR EACH ROW EXECUTE FUNCTION public.set_updated_at();

+CREATE TRIGGER trg_fanout_inbound_to_notifications AFTER INSERT ON public.conversation_messages FOR EACH ROW EXECUTE FUNCTION public.fanout_inbound_message_to_notifications();
+
 CREATE TRIGGER trg_financial_exceptions_updated_at BEFORE UPDATE ON public.financial_exceptions FOR EACH ROW EXECUTE FUNCTION public.set_updated_at();

 CREATE TRIGGER trg_financial_records_auto_overdue BEFORE UPDATE ON public.financial_records FOR EACH ROW EXECUTE FUNCTION public.trg_fn_financial_records_auto_overdue();

+CREATE TRIGGER trg_financial_records_inject_tenant BEFORE INSERT ON public.financial_records FOR EACH ROW EXECUTE FUNCTION public.financial_records_inject_tenant();
+
 CREATE TRIGGER trg_financial_records_updated_at BEFORE UPDATE ON public.financial_records FOR EACH ROW EXECUTE FUNCTION public.set_updated_at();

 CREATE TRIGGER trg_global_notices_updated_at BEFORE UPDATE ON public.global_notices FOR EACH ROW EXECUTE FUNCTION public.set_updated_at();
@@ -138,6 +192,8 @@ CREATE TRIGGER trg_psc_updated_at BEFORE UPDATE ON public.patient_support_contac

 CREATE TRIGGER trg_services_updated_at BEFORE UPDATE ON public.services FOR EACH ROW EXECUTE FUNCTION public.set_services_updated_at();

+CREATE TRIGGER trg_session_reminder_settings_updated_at BEFORE UPDATE ON public.session_reminder_settings FOR EACH ROW EXECUTE FUNCTION public.set_updated_at();
+
 CREATE TRIGGER trg_subscription_intents_view_insert INSTEAD OF INSERT ON public.subscription_intents FOR EACH ROW EXECUTE FUNCTION public.subscription_intents_view_insert();

 CREATE TRIGGER trg_subscriptions_validate_scope BEFORE INSERT OR UPDATE ON public.subscriptions FOR EACH ROW EXECUTE FUNCTION public.subscriptions_validate_scope();
@@ -152,6 +208,12 @@ CREATE TRIGGER trg_therapist_payouts_updated_at BEFORE UPDATE ON public.therapis

 CREATE TRIGGER trg_user_settings_updated_at BEFORE UPDATE ON public.user_settings FOR EACH ROW EXECUTE FUNCTION public.set_updated_at();

+CREATE TRIGGER trg_wa_credit_packages_updated_at BEFORE UPDATE ON public.whatsapp_credit_packages FOR EACH ROW EXECUTE FUNCTION public.set_updated_at();
+
+CREATE TRIGGER trg_wa_credit_purchases_updated_at BEFORE UPDATE ON public.whatsapp_credit_purchases FOR EACH ROW EXECUTE FUNCTION public.set_updated_at();
+
+CREATE TRIGGER trg_wa_credits_balance_updated_at BEFORE UPDATE ON public.whatsapp_credits_balance FOR EACH ROW EXECUTE FUNCTION public.set_updated_at();
+
 CREATE TRIGGER tr_check_filters BEFORE INSERT OR UPDATE ON realtime.subscription FOR EACH ROW EXECUTE FUNCTION realtime.subscription_check_filters();

 CREATE TRIGGER enforce_bucket_name_length_trigger BEFORE INSERT OR UPDATE OF name ON storage.buckets FOR EACH ROW EXECUTE FUNCTION storage.enforce_bucket_name_length();
@@ -1,7 +1,7 @@
 -- RLS Policies
-- Gerado automaticamente em 2026-04-17T12:23:05.240Z
-- Enable RLS: 88 tabelas
-- Policies: 252
+-- Gerado automaticamente em 2026-04-21T23:16:34.967Z
+-- Enable RLS: 131 tabelas
+-- Policies: 344

 -- Enable RLS
 ALTER TABLE public.addon_credits ENABLE ROW LEVEL SECURITY;
@@ -17,13 +17,36 @@ ALTER TABLE public.agenda_slots_bloqueados_semanais ENABLE ROW LEVEL SECURITY;
 ALTER TABLE public.agenda_slots_regras ENABLE ROW LEVEL SECURITY;
 ALTER TABLE public.agendador_configuracoes ENABLE ROW LEVEL SECURITY;
 ALTER TABLE public.agendador_solicitacoes ENABLE ROW LEVEL SECURITY;
+ALTER TABLE public.audit_logs ENABLE ROW LEVEL SECURITY;
 ALTER TABLE public.billing_contracts ENABLE ROW LEVEL SECURITY;
 ALTER TABLE public.commitment_services ENABLE ROW LEVEL SECURITY;
 ALTER TABLE public.commitment_time_logs ENABLE ROW LEVEL SECURITY;
 ALTER TABLE public.company_profiles ENABLE ROW LEVEL SECURITY;
+ALTER TABLE public.contact_email_types ENABLE ROW LEVEL SECURITY;
+ALTER TABLE public.contact_emails ENABLE ROW LEVEL SECURITY;
+ALTER TABLE public.contact_phones ENABLE ROW LEVEL SECURITY;
+ALTER TABLE public.contact_types ENABLE ROW LEVEL SECURITY;
+ALTER TABLE public.conversation_autoreply_log ENABLE ROW LEVEL SECURITY;
+ALTER TABLE public.conversation_autoreply_settings ENABLE ROW LEVEL SECURITY;
+ALTER TABLE public.conversation_messages ENABLE ROW LEVEL SECURITY;
+ALTER TABLE public.conversation_notes ENABLE ROW LEVEL SECURITY;
+ALTER TABLE public.conversation_optout_keywords ENABLE ROW LEVEL SECURITY;
+ALTER TABLE public.conversation_optouts ENABLE ROW LEVEL SECURITY;
+ALTER TABLE public.conversation_tags ENABLE ROW LEVEL SECURITY;
+ALTER TABLE public.conversation_thread_tags ENABLE ROW LEVEL SECURITY;
 ALTER TABLE public.determined_commitment_fields ENABLE ROW LEVEL SECURITY;
 ALTER TABLE public.determined_commitments ENABLE ROW LEVEL SECURITY;
+ALTER TABLE public.dev_auditoria_items ENABLE ROW LEVEL SECURITY;
+ALTER TABLE public.dev_comparison_competitor_status ENABLE ROW LEVEL SECURITY;
+ALTER TABLE public.dev_comparison_matrix ENABLE ROW LEVEL SECURITY;
+ALTER TABLE public.dev_competitor_features ENABLE ROW LEVEL SECURITY;
+ALTER TABLE public.dev_competitors ENABLE ROW LEVEL SECURITY;
+ALTER TABLE public.dev_generation_log ENABLE ROW LEVEL SECURITY;
+ALTER TABLE public.dev_roadmap_items ENABLE ROW LEVEL SECURITY;
+ALTER TABLE public.dev_roadmap_phases ENABLE ROW LEVEL SECURITY;
+ALTER TABLE public.dev_test_items ENABLE ROW LEVEL SECURITY;
 ALTER TABLE public.dev_user_credentials ENABLE ROW LEVEL SECURITY;
+ALTER TABLE public.dev_verificacoes_items ENABLE ROW LEVEL SECURITY;
 ALTER TABLE public.document_access_logs ENABLE ROW LEVEL SECURITY;
 ALTER TABLE public.document_generated ENABLE ROW LEVEL SECURITY;
 ALTER TABLE public.document_share_links ENABLE ROW LEVEL SECURITY;
@@ -43,6 +66,7 @@ ALTER TABLE public.global_notices ENABLE ROW LEVEL SECURITY;
 ALTER TABLE public.insurance_plan_services ENABLE ROW LEVEL SECURITY;
 ALTER TABLE public.insurance_plans ENABLE ROW LEVEL SECURITY;
 ALTER TABLE public.login_carousel_slides ENABLE ROW LEVEL SECURITY;
+ALTER TABLE public.math_challenges ENABLE ROW LEVEL SECURITY;
 ALTER TABLE public.medicos ENABLE ROW LEVEL SECURITY;
 ALTER TABLE public.module_features ENABLE ROW LEVEL SECURITY;
 ALTER TABLE public.modules ENABLE ROW LEVEL SECURITY;
@@ -60,6 +84,7 @@ ALTER TABLE public.patient_discounts ENABLE ROW LEVEL SECURITY;
 ALTER TABLE public.patient_group_patient ENABLE ROW LEVEL SECURITY;
 ALTER TABLE public.patient_groups ENABLE ROW LEVEL SECURITY;
 ALTER TABLE public.patient_intake_requests ENABLE ROW LEVEL SECURITY;
+ALTER TABLE public.patient_invite_attempts ENABLE ROW LEVEL SECURITY;
 ALTER TABLE public.patient_invites ENABLE ROW LEVEL SECURITY;
 ALTER TABLE public.patient_patient_tag ENABLE ROW LEVEL SECURITY;
 ALTER TABLE public.patient_status_history ENABLE ROW LEVEL SECURITY;
@@ -69,9 +94,13 @@ ALTER TABLE public.patient_timeline ENABLE ROW LEVEL SECURITY;
 ALTER TABLE public.patients ENABLE ROW LEVEL SECURITY;
 ALTER TABLE public.payment_settings ENABLE ROW LEVEL SECURITY;
 ALTER TABLE public.plan_features ENABLE ROW LEVEL SECURITY;
+ALTER TABLE public.plan_prices ENABLE ROW LEVEL SECURITY;
+ALTER TABLE public.plan_public ENABLE ROW LEVEL SECURITY;
+ALTER TABLE public.plan_public_bullets ENABLE ROW LEVEL SECURITY;
 ALTER TABLE public.plans ENABLE ROW LEVEL SECURITY;
 ALTER TABLE public.professional_pricing ENABLE ROW LEVEL SECURITY;
 ALTER TABLE public.profiles ENABLE ROW LEVEL SECURITY;
+ALTER TABLE public.public_submission_attempts ENABLE ROW LEVEL SECURITY;
 ALTER TABLE public.recurrence_exceptions ENABLE ROW LEVEL SECURITY;
 ALTER TABLE public.recurrence_rule_services ENABLE ROW LEVEL SECURITY;
 ALTER TABLE public.recurrence_rules ENABLE ROW LEVEL SECURITY;
@@ -80,11 +109,21 @@ ALTER TABLE public.saas_doc_votos ENABLE ROW LEVEL SECURITY;
 ALTER TABLE public.saas_docs ENABLE ROW LEVEL SECURITY;
 ALTER TABLE public.saas_faq ENABLE ROW LEVEL SECURITY;
 ALTER TABLE public.saas_faq_itens ENABLE ROW LEVEL SECURITY;
+ALTER TABLE public.saas_security_config ENABLE ROW LEVEL SECURITY;
+ALTER TABLE public.saas_twilio_config ENABLE ROW LEVEL SECURITY;
 ALTER TABLE public.services ENABLE ROW LEVEL SECURITY;
+ALTER TABLE public.session_reminder_logs ENABLE ROW LEVEL SECURITY;
+ALTER TABLE public.session_reminder_settings ENABLE ROW LEVEL SECURITY;
+ALTER TABLE public.submission_rate_limits ENABLE ROW LEVEL SECURITY;
 ALTER TABLE public.subscription_events ENABLE ROW LEVEL SECURITY;
 ALTER TABLE public.subscription_intents_legacy ENABLE ROW LEVEL SECURITY;
+ALTER TABLE public.subscription_intents_personal ENABLE ROW LEVEL SECURITY;
+ALTER TABLE public.subscription_intents_tenant ENABLE ROW LEVEL SECURITY;
 ALTER TABLE public.subscriptions ENABLE ROW LEVEL SECURITY;
 ALTER TABLE public.support_sessions ENABLE ROW LEVEL SECURITY;
+ALTER TABLE public.tenant_feature_exceptions_log ENABLE ROW LEVEL SECURITY;
+ALTER TABLE public.tenant_features ENABLE ROW LEVEL SECURITY;
+ALTER TABLE public.tenant_invites ENABLE ROW LEVEL SECURITY;
 ALTER TABLE public.tenant_members ENABLE ROW LEVEL SECURITY;
 ALTER TABLE public.tenant_modules ENABLE ROW LEVEL SECURITY;
 ALTER TABLE public.tenants ENABLE ROW LEVEL SECURITY;
@@ -92,6 +131,10 @@ ALTER TABLE public.therapist_payout_records ENABLE ROW LEVEL SECURITY;
 ALTER TABLE public.therapist_payouts ENABLE ROW LEVEL SECURITY;
 ALTER TABLE public.twilio_subaccount_usage ENABLE ROW LEVEL SECURITY;
 ALTER TABLE public.user_settings ENABLE ROW LEVEL SECURITY;
+ALTER TABLE public.whatsapp_credit_packages ENABLE ROW LEVEL SECURITY;
+ALTER TABLE public.whatsapp_credit_purchases ENABLE ROW LEVEL SECURITY;
+ALTER TABLE public.whatsapp_credits_balance ENABLE ROW LEVEL SECURITY;
+ALTER TABLE public.whatsapp_credits_transactions ENABLE ROW LEVEL SECURITY;

 -- Policies
 CREATE POLICY addon_credits_admin_select ON public.addon_credits FOR SELECT TO authenticated USING ((EXISTS ( SELECT 1
@@ -115,8 +158,8 @@ CREATE POLICY addon_products_admin_all ON public.addon_products TO authenticated
 CREATE POLICY addon_products_select_authenticated ON public.addon_products FOR SELECT TO authenticated USING (((deleted_at IS NULL) AND (is_active = true) AND (is_visible = true)));

 CREATE POLICY addon_transactions_admin_insert ON public.addon_transactions FOR INSERT TO authenticated WITH CHECK ((EXISTS ( SELECT 1
-   FROM public.saas_admins
-  WHERE (saas_admins.user_id = auth.uid()))));
+   FROM public.saas_admins sa
+  WHERE (sa.user_id = auth.uid()))));

 CREATE POLICY addon_transactions_admin_select ON public.addon_transactions FOR SELECT TO authenticated USING ((EXISTS ( SELECT 1
   FROM public.saas_admins
@@ -180,7 +223,43 @@ CREATE POLICY agendador_sol_patient_read ON public.agendador_solicitacoes FOR SE

 CREATE POLICY agendador_sol_public_insert ON public.agendador_solicitacoes FOR INSERT TO anon WITH CHECK (true);

-CREATE POLICY "billing_contracts: owner full access" ON public.billing_contracts USING ((owner_id = auth.uid())) WITH CHECK ((owner_id = auth.uid()));
+CREATE POLICY "audit_logs: no direct delete" ON public.audit_logs FOR DELETE TO authenticated USING (false);
+
+CREATE POLICY "audit_logs: no direct insert" ON public.audit_logs FOR INSERT TO authenticated WITH CHECK (false);
+
+CREATE POLICY "audit_logs: no direct update" ON public.audit_logs FOR UPDATE TO authenticated USING (false) WITH CHECK (false);
+
+CREATE POLICY "audit_logs: select tenant" ON public.audit_logs FOR SELECT TO authenticated USING ((public.is_saas_admin() OR (tenant_id IN ( SELECT tm.tenant_id
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.status = 'active'::text))))));
+
+CREATE POLICY "autoreply_log: select" ON public.conversation_autoreply_log FOR SELECT TO authenticated USING ((public.is_saas_admin() OR (EXISTS ( SELECT 1
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.tenant_id = conversation_autoreply_log.tenant_id) AND (tm.status = 'active'::text))))));
+
+CREATE POLICY "autoreply_settings: insert" ON public.conversation_autoreply_settings FOR INSERT TO authenticated WITH CHECK ((public.is_saas_admin() OR (EXISTS ( SELECT 1
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.tenant_id = conversation_autoreply_settings.tenant_id) AND (tm.status = 'active'::text))))));
+
+CREATE POLICY "autoreply_settings: select" ON public.conversation_autoreply_settings FOR SELECT TO authenticated USING ((public.is_saas_admin() OR (EXISTS ( SELECT 1
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.tenant_id = conversation_autoreply_settings.tenant_id) AND (tm.status = 'active'::text))))));
+
+CREATE POLICY "autoreply_settings: update" ON public.conversation_autoreply_settings FOR UPDATE TO authenticated USING ((public.is_saas_admin() OR (EXISTS ( SELECT 1
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.tenant_id = conversation_autoreply_settings.tenant_id) AND (tm.status = 'active'::text))))));
+
+CREATE POLICY "billing_contracts: delete" ON public.billing_contracts FOR DELETE TO authenticated USING (((owner_id = auth.uid()) OR public.is_saas_admin()));
+
+CREATE POLICY "billing_contracts: insert" ON public.billing_contracts FOR INSERT TO authenticated WITH CHECK (((owner_id = auth.uid()) AND (tenant_id IN ( SELECT tm.tenant_id
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.status = 'active'::text))))));
+
+CREATE POLICY "billing_contracts: select" ON public.billing_contracts FOR SELECT TO authenticated USING (((owner_id = auth.uid()) OR public.is_saas_admin() OR (tenant_id IN ( SELECT tm.tenant_id
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.status = 'active'::text))))));
+
+CREATE POLICY "billing_contracts: update" ON public.billing_contracts FOR UPDATE TO authenticated USING (((owner_id = auth.uid()) OR public.is_saas_admin())) WITH CHECK (((owner_id = auth.uid()) OR public.is_saas_admin()));

 CREATE POLICY bloqueios_delete ON public.agenda_bloqueios FOR DELETE TO authenticated USING ((owner_id = auth.uid()));

@@ -198,11 +277,13 @@ CREATE POLICY clinic_admin_read_all_docs ON public.saas_docs FOR SELECT TO authe
   FROM public.profiles
  WHERE ((profiles.id = auth.uid()) AND (profiles.role = ANY (ARRAY['clinic_admin'::text, 'tenant_admin'::text])))))));

-CREATE POLICY "commitment_services: owner full access" ON public.commitment_services USING ((EXISTS ( SELECT 1
+CREATE POLICY "commitment_services: tenant_member" ON public.commitment_services TO authenticated USING ((EXISTS ( SELECT 1
   FROM public.services s
-  WHERE ((s.id = commitment_services.service_id) AND (s.owner_id = auth.uid()))))) WITH CHECK ((EXISTS ( SELECT 1
+  WHERE ((s.id = commitment_services.service_id) AND ((s.owner_id = auth.uid()) OR public.is_saas_admin() OR (s.tenant_id IN ( SELECT tm.tenant_id
+           FROM public.tenant_members tm
+          WHERE ((tm.user_id = auth.uid()) AND (tm.status = 'active'::text))))))))) WITH CHECK ((EXISTS ( SELECT 1
   FROM public.services s
-  WHERE ((s.id = commitment_services.service_id) AND (s.owner_id = auth.uid())))));
+  WHERE ((s.id = commitment_services.service_id) AND ((s.owner_id = auth.uid()) OR public.is_saas_admin())))));

 CREATE POLICY company_profiles_delete ON public.company_profiles FOR DELETE USING ((EXISTS ( SELECT 1
   FROM public.tenant_members
@@ -222,13 +303,99 @@ CREATE POLICY company_profiles_update ON public.company_profiles FOR UPDATE USIN
   FROM public.tenant_members
  WHERE ((tenant_members.tenant_id = company_profiles.tenant_id) AND (tenant_members.user_id = auth.uid())))));

+CREATE POLICY "contact_email_types: manage custom" ON public.contact_email_types TO authenticated USING (((is_system = false) AND (tenant_id IS NOT NULL) AND (public.is_saas_admin() OR (EXISTS ( SELECT 1
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.tenant_id = contact_email_types.tenant_id) AND (tm.status = 'active'::text))))))) WITH CHECK (((is_system = false) AND (tenant_id IS NOT NULL) AND (public.is_saas_admin() OR (EXISTS ( SELECT 1
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.tenant_id = contact_email_types.tenant_id) AND (tm.status = 'active'::text)))))));
+
+CREATE POLICY "contact_email_types: select" ON public.contact_email_types FOR SELECT TO authenticated USING (((tenant_id IS NULL) OR public.is_saas_admin() OR (EXISTS ( SELECT 1
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.tenant_id = contact_email_types.tenant_id) AND (tm.status = 'active'::text))))));
+
+CREATE POLICY "contact_emails: all tenant" ON public.contact_emails TO authenticated USING ((public.is_saas_admin() OR (EXISTS ( SELECT 1
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.tenant_id = contact_emails.tenant_id) AND (tm.status = 'active'::text)))))) WITH CHECK ((public.is_saas_admin() OR (EXISTS ( SELECT 1
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.tenant_id = contact_emails.tenant_id) AND (tm.status = 'active'::text))))));
+
+CREATE POLICY "contact_phones: all tenant" ON public.contact_phones TO authenticated USING ((public.is_saas_admin() OR (EXISTS ( SELECT 1
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.tenant_id = contact_phones.tenant_id) AND (tm.status = 'active'::text)))))) WITH CHECK ((public.is_saas_admin() OR (EXISTS ( SELECT 1
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.tenant_id = contact_phones.tenant_id) AND (tm.status = 'active'::text))))));
+
+CREATE POLICY "contact_types: manage custom" ON public.contact_types TO authenticated USING (((is_system = false) AND (tenant_id IS NOT NULL) AND (public.is_saas_admin() OR (EXISTS ( SELECT 1
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.tenant_id = contact_types.tenant_id) AND (tm.status = 'active'::text))))))) WITH CHECK (((is_system = false) AND (tenant_id IS NOT NULL) AND (public.is_saas_admin() OR (EXISTS ( SELECT 1
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.tenant_id = contact_types.tenant_id) AND (tm.status = 'active'::text)))))));
+
+CREATE POLICY "contact_types: select" ON public.contact_types FOR SELECT TO authenticated USING (((tenant_id IS NULL) OR public.is_saas_admin() OR (EXISTS ( SELECT 1
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.tenant_id = contact_types.tenant_id) AND (tm.status = 'active'::text))))));
+
+CREATE POLICY "conv_msg: no direct delete" ON public.conversation_messages FOR DELETE TO authenticated USING (false);
+
+CREATE POLICY "conv_msg: no direct insert" ON public.conversation_messages FOR INSERT TO authenticated WITH CHECK (false);
+
+CREATE POLICY "conv_msg: select tenant" ON public.conversation_messages FOR SELECT TO authenticated USING ((public.is_saas_admin() OR (tenant_id IN ( SELECT tm.tenant_id
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.status = 'active'::text))))));
+
+CREATE POLICY "conv_msg: update kanban" ON public.conversation_messages FOR UPDATE TO authenticated USING ((tenant_id IN ( SELECT tm.tenant_id
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.status = 'active'::text))))) WITH CHECK ((tenant_id IN ( SELECT tm.tenant_id
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.status = 'active'::text)))));
+
+CREATE POLICY "conv_notes: insert tenant members" ON public.conversation_notes FOR INSERT TO authenticated WITH CHECK (((created_by = auth.uid()) AND (public.is_saas_admin() OR (EXISTS ( SELECT 1
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.tenant_id = conversation_notes.tenant_id) AND (tm.status = 'active'::text)))))));
+
+CREATE POLICY "conv_notes: select tenant members" ON public.conversation_notes FOR SELECT TO authenticated USING (((deleted_at IS NULL) AND (public.is_saas_admin() OR (EXISTS ( SELECT 1
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.tenant_id = conversation_notes.tenant_id) AND (tm.status = 'active'::text)))))));
+
+CREATE POLICY "conv_notes: update creator or saas" ON public.conversation_notes FOR UPDATE TO authenticated USING (((deleted_at IS NULL) AND ((created_by = auth.uid()) OR public.is_saas_admin()))) WITH CHECK ((created_by = ( SELECT conversation_notes_1.created_by
+   FROM public.conversation_notes conversation_notes_1
+  WHERE (conversation_notes_1.id = conversation_notes_1.id))));
+
+CREATE POLICY "conv_tags: delete custom" ON public.conversation_tags FOR DELETE TO authenticated USING (((is_system = false) AND (tenant_id IS NOT NULL) AND (public.is_saas_admin() OR (EXISTS ( SELECT 1
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.tenant_id = conversation_tags.tenant_id) AND (tm.status = 'active'::text)))))));
+
+CREATE POLICY "conv_tags: insert custom" ON public.conversation_tags FOR INSERT TO authenticated WITH CHECK (((tenant_id IS NOT NULL) AND (is_system = false) AND (public.is_saas_admin() OR (EXISTS ( SELECT 1
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.tenant_id = conversation_tags.tenant_id) AND (tm.status = 'active'::text)))))));
+
+CREATE POLICY "conv_tags: select" ON public.conversation_tags FOR SELECT TO authenticated USING (((tenant_id IS NULL) OR public.is_saas_admin() OR (EXISTS ( SELECT 1
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.tenant_id = conversation_tags.tenant_id) AND (tm.status = 'active'::text))))));
+
+CREATE POLICY "conv_tags: update custom" ON public.conversation_tags FOR UPDATE TO authenticated USING (((is_system = false) AND (tenant_id IS NOT NULL) AND (public.is_saas_admin() OR (EXISTS ( SELECT 1
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.tenant_id = conversation_tags.tenant_id) AND (tm.status = 'active'::text))))))) WITH CHECK ((is_system = false));
+
+CREATE POLICY "conv_thread_tags: delete" ON public.conversation_thread_tags FOR DELETE TO authenticated USING ((public.is_saas_admin() OR (EXISTS ( SELECT 1
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.tenant_id = conversation_thread_tags.tenant_id) AND (tm.status = 'active'::text))))));
+
+CREATE POLICY "conv_thread_tags: insert" ON public.conversation_thread_tags FOR INSERT TO authenticated WITH CHECK (((tagged_by = auth.uid()) AND (public.is_saas_admin() OR (EXISTS ( SELECT 1
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.tenant_id = conversation_thread_tags.tenant_id) AND (tm.status = 'active'::text)))))));
+
+CREATE POLICY "conv_thread_tags: select" ON public.conversation_thread_tags FOR SELECT TO authenticated USING ((public.is_saas_admin() OR (EXISTS ( SELECT 1
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.tenant_id = conversation_thread_tags.tenant_id) AND (tm.status = 'active'::text))))));
+
 CREATE POLICY ctl_delete_for_active_member ON public.commitment_time_logs FOR DELETE TO authenticated USING ((EXISTS ( SELECT 1
   FROM public.tenant_members tm
  WHERE ((tm.tenant_id = commitment_time_logs.tenant_id) AND (tm.user_id = auth.uid()) AND (tm.status = 'active'::text)))));

-CREATE POLICY ctl_insert_for_active_member ON public.commitment_time_logs FOR INSERT TO authenticated WITH CHECK ((EXISTS ( SELECT 1
+CREATE POLICY ctl_insert_for_active_member ON public.commitment_time_logs FOR INSERT TO authenticated WITH CHECK ((tenant_id IN ( SELECT tm.tenant_id
   FROM public.tenant_members tm
-  WHERE ((tm.tenant_id = commitment_time_logs.tenant_id) AND (tm.user_id = auth.uid()) AND (tm.status = 'active'::text)))));
+  WHERE ((tm.user_id = auth.uid()) AND (tm.status = 'active'::text)))));

 CREATE POLICY ctl_select_for_active_member ON public.commitment_time_logs FOR SELECT TO authenticated USING ((EXISTS ( SELECT 1
   FROM public.tenant_members tm
@@ -240,7 +407,9 @@ CREATE POLICY ctl_update_for_active_member ON public.commitment_time_logs FOR UP
   FROM public.tenant_members tm
  WHERE ((tm.tenant_id = commitment_time_logs.tenant_id) AND (tm.user_id = auth.uid()) AND (tm.status = 'active'::text)))));

-CREATE POLICY "dal: tenant members can insert" ON public.document_access_logs FOR INSERT WITH CHECK (true);
+CREATE POLICY "dal: tenant members can insert" ON public.document_access_logs FOR INSERT TO authenticated WITH CHECK ((tenant_id IN ( SELECT tm.tenant_id
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.status = 'active'::text)))));

 CREATE POLICY "dal: tenant members can select" ON public.document_access_logs FOR SELECT USING ((tenant_id IN ( SELECT tm.tenant_id
   FROM public.tenant_members tm
@@ -250,9 +419,9 @@ CREATE POLICY dc_delete_custom_for_active_member ON public.determined_commitment
   FROM public.tenant_members tm
  WHERE ((tm.tenant_id = determined_commitments.tenant_id) AND (tm.user_id = auth.uid()) AND (tm.status = 'active'::text))))));

-CREATE POLICY dc_insert_for_active_member ON public.determined_commitments FOR INSERT TO authenticated WITH CHECK ((EXISTS ( SELECT 1
+CREATE POLICY dc_insert_for_active_member ON public.determined_commitments FOR INSERT TO authenticated WITH CHECK ((tenant_id IN ( SELECT tm.tenant_id
   FROM public.tenant_members tm
-  WHERE ((tm.tenant_id = determined_commitments.tenant_id) AND (tm.user_id = auth.uid()) AND (tm.status = 'active'::text)))));
+  WHERE ((tm.user_id = auth.uid()) AND (tm.status = 'active'::text)))));

 CREATE POLICY dc_select_for_active_member ON public.determined_commitments FOR SELECT TO authenticated USING ((EXISTS ( SELECT 1
   FROM public.tenant_members tm
@@ -268,9 +437,9 @@ CREATE POLICY dcf_delete_for_active_member ON public.determined_commitment_field
   FROM public.tenant_members tm
  WHERE ((tm.tenant_id = determined_commitment_fields.tenant_id) AND (tm.user_id = auth.uid()) AND (tm.status = 'active'::text)))));

-CREATE POLICY dcf_insert_for_active_member ON public.determined_commitment_fields FOR INSERT TO authenticated WITH CHECK ((EXISTS ( SELECT 1
+CREATE POLICY dcf_insert_for_active_member ON public.determined_commitment_fields FOR INSERT TO authenticated WITH CHECK ((tenant_id IN ( SELECT tm.tenant_id
   FROM public.tenant_members tm
-  WHERE ((tm.tenant_id = determined_commitment_fields.tenant_id) AND (tm.user_id = auth.uid()) AND (tm.status = 'active'::text)))));
+  WHERE ((tm.user_id = auth.uid()) AND (tm.status = 'active'::text)))));

 CREATE POLICY dcf_select_for_active_member ON public.determined_commitment_fields FOR SELECT TO authenticated USING ((EXISTS ( SELECT 1
   FROM public.tenant_members tm
@@ -284,6 +453,16 @@ CREATE POLICY dcf_update_for_active_member ON public.determined_commitment_field

 CREATE POLICY "delete own" ON public.agenda_bloqueios FOR DELETE USING ((owner_id = auth.uid()));

+CREATE POLICY dev_auditoria_items_saas_admin_all ON public.dev_auditoria_items TO authenticated USING (public.is_saas_admin()) WITH CHECK (public.is_saas_admin());
+
+CREATE POLICY dev_comparison_competitor_status_saas_admin_all ON public.dev_comparison_competitor_status TO authenticated USING (public.is_saas_admin()) WITH CHECK (public.is_saas_admin());
+
+CREATE POLICY dev_comparison_matrix_saas_admin_all ON public.dev_comparison_matrix TO authenticated USING (public.is_saas_admin()) WITH CHECK (public.is_saas_admin());
+
+CREATE POLICY dev_competitor_features_saas_admin_all ON public.dev_competitor_features TO authenticated USING (public.is_saas_admin()) WITH CHECK (public.is_saas_admin());
+
+CREATE POLICY dev_competitors_saas_admin_all ON public.dev_competitors TO authenticated USING (public.is_saas_admin()) WITH CHECK (public.is_saas_admin());
+
 CREATE POLICY dev_creds_select_saas_admin ON public.dev_user_credentials FOR SELECT TO authenticated USING ((EXISTS ( SELECT 1
   FROM public.profiles p
  WHERE ((p.id = auth.uid()) AND (p.role = 'saas_admin'::text)))));
@@ -294,35 +473,67 @@ CREATE POLICY dev_creds_write_saas_admin ON public.dev_user_credentials TO authe
   FROM public.profiles p
  WHERE ((p.id = auth.uid()) AND (p.role = 'saas_admin'::text)))));

+CREATE POLICY dev_generation_log_saas_admin_all ON public.dev_generation_log TO authenticated USING (public.is_saas_admin()) WITH CHECK (public.is_saas_admin());
+
+CREATE POLICY dev_roadmap_items_saas_admin_all ON public.dev_roadmap_items TO authenticated USING (public.is_saas_admin()) WITH CHECK (public.is_saas_admin());
+
+CREATE POLICY dev_roadmap_phases_saas_admin_all ON public.dev_roadmap_phases TO authenticated USING (public.is_saas_admin()) WITH CHECK (public.is_saas_admin());
+
+CREATE POLICY dev_test_items_saas_admin_all ON public.dev_test_items TO authenticated USING (public.is_saas_admin()) WITH CHECK (public.is_saas_admin());
+
+CREATE POLICY dev_verificacoes_items_saas_admin_all ON public.dev_verificacoes_items TO authenticated USING (public.is_saas_admin()) WITH CHECK (public.is_saas_admin());
+
 CREATE POLICY "dg: generator full access" ON public.document_generated USING ((gerado_por = auth.uid())) WITH CHECK ((gerado_por = auth.uid()));

 CREATE POLICY "dg: tenant members can select" ON public.document_generated FOR SELECT USING ((tenant_id IN ( SELECT tm.tenant_id
   FROM public.tenant_members tm
  WHERE ((tm.user_id = auth.uid()) AND (tm.status = 'active'::text)))));

-CREATE POLICY "documents: owner full access" ON public.documents USING ((owner_id = auth.uid())) WITH CHECK ((owner_id = auth.uid()));
+CREATE POLICY "documents: delete" ON public.documents FOR DELETE TO authenticated USING (((owner_id = auth.uid()) OR public.is_saas_admin()));

-CREATE POLICY "ds: tenant members access" ON public.document_signatures USING ((tenant_id IN ( SELECT tm.tenant_id
+CREATE POLICY "documents: insert" ON public.documents FOR INSERT TO authenticated WITH CHECK (((owner_id = auth.uid()) AND (tenant_id IN ( SELECT tm.tenant_id
   FROM public.tenant_members tm
-  WHERE ((tm.user_id = auth.uid()) AND (tm.status = 'active'::text))))) WITH CHECK ((tenant_id IN ( SELECT tm.tenant_id
+  WHERE ((tm.user_id = auth.uid()) AND (tm.status = 'active'::text))))));
+
+CREATE POLICY "documents: portal patient read" ON public.documents FOR SELECT TO authenticated USING (((compartilhado_portal = true) AND (patient_id IN ( SELECT p.id
+   FROM public.patients p
+  WHERE (p.user_id = auth.uid()))) AND ((expira_compartilhamento IS NULL) OR (expira_compartilhamento > now()))));
+
+CREATE POLICY "documents: select" ON public.documents FOR SELECT TO authenticated USING (((owner_id = auth.uid()) OR public.is_saas_admin() OR (tenant_id IN ( SELECT tm.tenant_id
   FROM public.tenant_members tm
-  WHERE ((tm.user_id = auth.uid()) AND (tm.status = 'active'::text)))));
+  WHERE ((tm.user_id = auth.uid()) AND (tm.status = 'active'::text))))));

-CREATE POLICY "dsl: creator full access" ON public.document_share_links USING ((criado_por = auth.uid())) WITH CHECK ((criado_por = auth.uid()));
+CREATE POLICY "documents: update" ON public.documents FOR UPDATE TO authenticated USING (((owner_id = auth.uid()) OR public.is_saas_admin())) WITH CHECK (((owner_id = auth.uid()) OR public.is_saas_admin()));

-CREATE POLICY "dsl: public read by token" ON public.document_share_links FOR SELECT USING (((ativo = true) AND (expira_em > now()) AND (usos < usos_max)));
+CREATE POLICY "ds: delete" ON public.document_signatures FOR DELETE TO authenticated USING (((signatario_id = auth.uid()) OR public.is_saas_admin() OR (tenant_id IN ( SELECT tm.tenant_id
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.status = 'active'::text) AND (tm.role = ANY (ARRAY['tenant_admin'::text, 'admin'::text, 'owner'::text])))))));
+
+CREATE POLICY "ds: insert" ON public.document_signatures FOR INSERT TO authenticated WITH CHECK (((tenant_id IN ( SELECT tm.tenant_id
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.status = 'active'::text)))) AND ((signatario_id IS NULL) OR (signatario_id = auth.uid()))));
+
+CREATE POLICY "ds: select" ON public.document_signatures FOR SELECT TO authenticated USING ((public.is_saas_admin() OR (tenant_id IN ( SELECT tm.tenant_id
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.status = 'active'::text))))));
+
+CREATE POLICY "ds: update" ON public.document_signatures FOR UPDATE TO authenticated USING (((signatario_id = auth.uid()) OR public.is_saas_admin())) WITH CHECK (((signatario_id = auth.uid()) OR public.is_saas_admin()));
+
+CREATE POLICY "dsl: creator full access" ON public.document_share_links TO authenticated USING (((criado_por = auth.uid()) OR public.is_saas_admin())) WITH CHECK ((criado_por = auth.uid()));

 CREATE POLICY "dt: global templates readable by all" ON public.document_templates FOR SELECT USING ((is_global = true));

 CREATE POLICY "dt: owner can delete" ON public.document_templates FOR DELETE USING (((owner_id = auth.uid()) AND (is_global = false)));

-CREATE POLICY "dt: owner can insert" ON public.document_templates FOR INSERT WITH CHECK (((owner_id = auth.uid()) AND (is_global = false)));
+CREATE POLICY "dt: owner can insert" ON public.document_templates FOR INSERT TO authenticated WITH CHECK (((is_global = false) AND (owner_id = auth.uid()) AND (tenant_id IN ( SELECT tm.tenant_id
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.status = 'active'::text))))));

 CREATE POLICY "dt: owner can update" ON public.document_templates FOR UPDATE USING (((owner_id = auth.uid()) AND (is_global = false))) WITH CHECK (((owner_id = auth.uid()) AND (is_global = false)));

 CREATE POLICY "dt: saas admin can delete global" ON public.document_templates FOR DELETE USING (((is_global = true) AND public.is_saas_admin()));

-CREATE POLICY "dt: saas admin can insert global" ON public.document_templates FOR INSERT WITH CHECK (((is_global = true) AND public.is_saas_admin()));
+CREATE POLICY "dt: saas admin can insert global" ON public.document_templates FOR INSERT TO authenticated WITH CHECK (((is_global = true) AND public.is_saas_admin()));

 CREATE POLICY "dt: saas admin can update global" ON public.document_templates FOR UPDATE USING (((is_global = true) AND public.is_saas_admin())) WITH CHECK (((is_global = true) AND public.is_saas_admin()));

@@ -330,47 +541,57 @@ CREATE POLICY "dt: tenant members can select" ON public.document_templates FOR S
   FROM public.tenant_members tm
  WHERE ((tm.user_id = auth.uid()) AND (tm.status = 'active'::text))))));

+CREATE POLICY "email_layout_config: tenant_admin all" ON public.email_layout_config TO authenticated USING ((public.is_saas_admin() OR (tenant_id IN ( SELECT tm.tenant_id
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.status = 'active'::text) AND (tm.role = ANY (ARRAY['tenant_admin'::text, 'admin'::text, 'owner'::text]))))))) WITH CHECK ((public.is_saas_admin() OR (tenant_id IN ( SELECT tm.tenant_id
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.status = 'active'::text) AND (tm.role = ANY (ARRAY['tenant_admin'::text, 'admin'::text, 'owner'::text])))))));
+
+CREATE POLICY "email_templates_tenant: tenant_admin all" ON public.email_templates_tenant TO authenticated USING ((public.is_saas_admin() OR (tenant_id IN ( SELECT tm.tenant_id
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.status = 'active'::text) AND (tm.role = ANY (ARRAY['tenant_admin'::text, 'admin'::text, 'owner'::text]))))))) WITH CHECK ((public.is_saas_admin() OR (tenant_id IN ( SELECT tm.tenant_id
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.status = 'active'::text) AND (tm.role = ANY (ARRAY['tenant_admin'::text, 'admin'::text, 'owner'::text])))))));
+
 CREATE POLICY ent_inv_select_own ON public.entitlements_invalidation FOR SELECT USING (((owner_id = auth.uid()) OR public.is_saas_admin()));

 CREATE POLICY ent_inv_update_saas ON public.entitlements_invalidation FOR UPDATE USING (public.is_saas_admin()) WITH CHECK (public.is_saas_admin());

 CREATE POLICY ent_inv_write_saas ON public.entitlements_invalidation FOR INSERT WITH CHECK (public.is_saas_admin());

-CREATE POLICY faq_admin_write ON public.saas_faq TO authenticated USING ((EXISTS ( SELECT 1
-   FROM public.profiles
-  WHERE ((profiles.id = auth.uid()) AND (profiles.role = ANY (ARRAY['saas_admin'::text, 'tenant_admin'::text, 'clinic_admin'::text]))))));
-
 CREATE POLICY faq_auth_read ON public.saas_faq FOR SELECT TO authenticated USING ((ativo = true));

-CREATE POLICY faq_itens_admin_write ON public.saas_faq_itens TO authenticated USING ((EXISTS ( SELECT 1
-   FROM public.profiles
-  WHERE ((profiles.id = auth.uid()) AND (profiles.role = ANY (ARRAY['saas_admin'::text, 'tenant_admin'::text, 'clinic_admin'::text]))))));
-
 CREATE POLICY faq_itens_auth_read ON public.saas_faq_itens FOR SELECT TO authenticated USING (((ativo = true) AND (EXISTS ( SELECT 1
   FROM public.saas_docs d
  WHERE ((d.id = saas_faq_itens.doc_id) AND (d.ativo = true))))));

+CREATE POLICY faq_itens_saas_admin_write ON public.saas_faq_itens TO authenticated USING (public.is_saas_admin()) WITH CHECK (public.is_saas_admin());
+
 CREATE POLICY faq_public_read ON public.saas_faq FOR SELECT USING (((publico = true) AND (ativo = true)));

+CREATE POLICY faq_saas_admin_write ON public.saas_faq TO authenticated USING (public.is_saas_admin()) WITH CHECK (public.is_saas_admin());
+
 CREATE POLICY features_read_authenticated ON public.features FOR SELECT TO authenticated USING (true);

 CREATE POLICY features_write_saas_admin ON public.features TO authenticated USING (public.is_saas_admin()) WITH CHECK (public.is_saas_admin());

-CREATE POLICY feriados_delete ON public.feriados FOR DELETE USING ((owner_id = auth.uid()));
+CREATE POLICY feriados_delete ON public.feriados FOR DELETE TO authenticated USING (((owner_id = auth.uid()) OR ((tenant_id IS NOT NULL) AND (tenant_id IN ( SELECT tm.tenant_id
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.status = 'active'::text) AND (tm.role = ANY (ARRAY['tenant_admin'::text, 'admin'::text, 'owner'::text]))))))));

 CREATE POLICY feriados_global_select ON public.feriados FOR SELECT USING ((tenant_id IS NULL));

-CREATE POLICY feriados_insert ON public.feriados FOR INSERT WITH CHECK ((tenant_id IN ( SELECT tenant_members.tenant_id
-   FROM public.tenant_members
-  WHERE (tenant_members.user_id = auth.uid()))));
+CREATE POLICY feriados_insert ON public.feriados FOR INSERT TO authenticated WITH CHECK (((tenant_id IS NOT NULL) AND (owner_id = auth.uid()) AND (tenant_id IN ( SELECT tm.tenant_id
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.status = 'active'::text))))));

 CREATE POLICY feriados_saas_delete ON public.feriados FOR DELETE USING ((EXISTS ( SELECT 1
   FROM public.saas_admins
  WHERE (saas_admins.user_id = auth.uid()))));

-CREATE POLICY feriados_saas_insert ON public.feriados FOR INSERT WITH CHECK ((EXISTS ( SELECT 1
-   FROM public.saas_admins
-  WHERE (saas_admins.user_id = auth.uid()))));
+CREATE POLICY feriados_saas_insert ON public.feriados FOR INSERT TO authenticated WITH CHECK (((tenant_id IS NULL) AND (EXISTS ( SELECT 1
+   FROM public.saas_admins sa
+  WHERE (sa.user_id = auth.uid())))));

 CREATE POLICY feriados_saas_select ON public.feriados FOR SELECT USING ((EXISTS ( SELECT 1
   FROM public.saas_admins
@@ -406,15 +627,37 @@ CREATE POLICY global_notices_select ON public.global_notices FOR SELECT TO authe

 CREATE POLICY "insert own" ON public.agenda_bloqueios FOR INSERT WITH CHECK ((owner_id = auth.uid()));

-CREATE POLICY insurance_plan_services_owner ON public.insurance_plan_services USING ((EXISTS ( SELECT 1
+CREATE POLICY "insurance_plan_services: tenant_member" ON public.insurance_plan_services TO authenticated USING ((EXISTS ( SELECT 1
   FROM public.insurance_plans ip
-  WHERE ((ip.id = insurance_plan_services.insurance_plan_id) AND (ip.owner_id = auth.uid()))))) WITH CHECK ((EXISTS ( SELECT 1
+  WHERE ((ip.id = insurance_plan_services.insurance_plan_id) AND ((ip.owner_id = auth.uid()) OR public.is_saas_admin() OR (ip.tenant_id IN ( SELECT tm.tenant_id
+           FROM public.tenant_members tm
+          WHERE ((tm.user_id = auth.uid()) AND (tm.status = 'active'::text))))))))) WITH CHECK ((EXISTS ( SELECT 1
   FROM public.insurance_plans ip
-  WHERE ((ip.id = insurance_plan_services.insurance_plan_id) AND (ip.owner_id = auth.uid())))));
+  WHERE ((ip.id = insurance_plan_services.insurance_plan_id) AND ((ip.owner_id = auth.uid()) OR public.is_saas_admin())))));

-CREATE POLICY "insurance_plans: owner full access" ON public.insurance_plans USING ((owner_id = auth.uid())) WITH CHECK ((owner_id = auth.uid()));
+CREATE POLICY "insurance_plans: delete" ON public.insurance_plans FOR DELETE TO authenticated USING (((owner_id = auth.uid()) OR public.is_saas_admin()));

-CREATE POLICY "medicos: owner full access" ON public.medicos USING ((owner_id = auth.uid())) WITH CHECK ((owner_id = auth.uid()));
+CREATE POLICY "insurance_plans: insert" ON public.insurance_plans FOR INSERT TO authenticated WITH CHECK (((owner_id = auth.uid()) AND (tenant_id IN ( SELECT tm.tenant_id
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.status = 'active'::text))))));
+
+CREATE POLICY "insurance_plans: select" ON public.insurance_plans FOR SELECT TO authenticated USING (((owner_id = auth.uid()) OR public.is_saas_admin() OR (tenant_id IN ( SELECT tm.tenant_id
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.status = 'active'::text))))));
+
+CREATE POLICY "insurance_plans: update" ON public.insurance_plans FOR UPDATE TO authenticated USING (((owner_id = auth.uid()) OR public.is_saas_admin())) WITH CHECK (((owner_id = auth.uid()) OR public.is_saas_admin()));
+
+CREATE POLICY "medicos: delete" ON public.medicos FOR DELETE TO authenticated USING (((owner_id = auth.uid()) OR public.is_saas_admin()));
+
+CREATE POLICY "medicos: insert" ON public.medicos FOR INSERT TO authenticated WITH CHECK (((owner_id = auth.uid()) AND (tenant_id IN ( SELECT tm.tenant_id
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.status = 'active'::text))))));
+
+CREATE POLICY "medicos: select" ON public.medicos FOR SELECT TO authenticated USING (((owner_id = auth.uid()) OR public.is_saas_admin() OR (tenant_id IN ( SELECT tm.tenant_id
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.status = 'active'::text))))));
+
+CREATE POLICY "medicos: update" ON public.medicos FOR UPDATE TO authenticated USING (((owner_id = auth.uid()) OR public.is_saas_admin())) WITH CHECK (((owner_id = auth.uid()) OR public.is_saas_admin()));

 CREATE POLICY module_features_read_authenticated ON public.module_features FOR SELECT TO authenticated USING (true);

@@ -426,12 +669,32 @@ CREATE POLICY modules_write_saas_admin ON public.modules TO authenticated USING

 CREATE POLICY notice_dismissals_own ON public.notice_dismissals TO authenticated USING ((user_id = auth.uid())) WITH CHECK ((user_id = auth.uid()));

+CREATE POLICY notif_channels_delete ON public.notification_channels FOR DELETE TO authenticated USING (((owner_id = auth.uid()) OR public.is_saas_admin()));
+
+CREATE POLICY notif_channels_insert ON public.notification_channels FOR INSERT TO authenticated WITH CHECK ((public.is_saas_admin() OR ((owner_id = auth.uid()) AND (tenant_id IN ( SELECT tm.tenant_id
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.status = 'active'::text)))))));
+
+CREATE POLICY notif_channels_modify ON public.notification_channels FOR UPDATE TO authenticated USING (((owner_id = auth.uid()) OR public.is_saas_admin())) WITH CHECK (((owner_id = auth.uid()) OR public.is_saas_admin()));
+
+CREATE POLICY notif_channels_select ON public.notification_channels FOR SELECT TO authenticated USING (((deleted_at IS NULL) AND (public.is_saas_admin() OR (owner_id = auth.uid()) OR (tenant_id IN ( SELECT tm.tenant_id
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.status = 'active'::text)))))));
+
 CREATE POLICY notif_logs_owner ON public.notification_logs FOR SELECT USING ((owner_id = auth.uid()));

+CREATE POLICY notif_logs_tenant_member ON public.notification_logs FOR SELECT TO authenticated USING ((public.is_saas_admin() OR (tenant_id IN ( SELECT tm.tenant_id
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.status = 'active'::text))))));
+
 CREATE POLICY notif_prefs_owner ON public.notification_preferences USING (((owner_id = auth.uid()) AND (deleted_at IS NULL))) WITH CHECK ((owner_id = auth.uid()));

 CREATE POLICY notif_queue_owner ON public.notification_queue FOR SELECT USING ((owner_id = auth.uid()));

+CREATE POLICY notif_queue_tenant_member ON public.notification_queue FOR SELECT TO authenticated USING ((public.is_saas_admin() OR (tenant_id IN ( SELECT tm.tenant_id
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.status = 'active'::text))))));
+
 CREATE POLICY notif_schedules_owner ON public.notification_schedules USING (((owner_id = auth.uid()) AND (deleted_at IS NULL))) WITH CHECK ((owner_id = auth.uid()));

 CREATE POLICY notif_templates_admin_all ON public.notification_templates TO authenticated USING ((EXISTS ( SELECT 1
@@ -444,7 +707,33 @@ CREATE POLICY notif_templates_read_global ON public.notification_templates FOR S

 CREATE POLICY notif_templates_write_owner ON public.notification_templates TO authenticated USING (((owner_id = auth.uid()) OR public.is_tenant_member(tenant_id))) WITH CHECK (((owner_id = auth.uid()) OR public.is_tenant_member(tenant_id)));

-CREATE POLICY notification_channels_owner ON public.notification_channels USING (((owner_id = auth.uid()) AND (deleted_at IS NULL))) WITH CHECK ((owner_id = auth.uid()));
+CREATE POLICY "optout_kw: delete custom" ON public.conversation_optout_keywords FOR DELETE TO authenticated USING (((is_system = false) AND (tenant_id IS NOT NULL) AND (public.is_saas_admin() OR (EXISTS ( SELECT 1
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.tenant_id = conversation_optout_keywords.tenant_id) AND (tm.status = 'active'::text)))))));
+
+CREATE POLICY "optout_kw: insert custom" ON public.conversation_optout_keywords FOR INSERT TO authenticated WITH CHECK (((tenant_id IS NOT NULL) AND (is_system = false) AND (public.is_saas_admin() OR (EXISTS ( SELECT 1
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.tenant_id = conversation_optout_keywords.tenant_id) AND (tm.status = 'active'::text)))))));
+
+CREATE POLICY "optout_kw: select" ON public.conversation_optout_keywords FOR SELECT TO authenticated USING (((tenant_id IS NULL) OR public.is_saas_admin() OR (EXISTS ( SELECT 1
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.tenant_id = conversation_optout_keywords.tenant_id) AND (tm.status = 'active'::text))))));
+
+CREATE POLICY "optout_kw: update/delete custom" ON public.conversation_optout_keywords FOR UPDATE TO authenticated USING (((is_system = false) AND (tenant_id IS NOT NULL) AND (public.is_saas_admin() OR (EXISTS ( SELECT 1
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.tenant_id = conversation_optout_keywords.tenant_id) AND (tm.status = 'active'::text)))))));
+
+CREATE POLICY "optouts: insert" ON public.conversation_optouts FOR INSERT TO authenticated WITH CHECK ((public.is_saas_admin() OR (EXISTS ( SELECT 1
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.tenant_id = conversation_optouts.tenant_id) AND (tm.status = 'active'::text))))));
+
+CREATE POLICY "optouts: select" ON public.conversation_optouts FOR SELECT TO authenticated USING ((public.is_saas_admin() OR (EXISTS ( SELECT 1
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.tenant_id = conversation_optouts.tenant_id) AND (tm.status = 'active'::text))))));
+
+CREATE POLICY "optouts: update" ON public.conversation_optouts FOR UPDATE TO authenticated USING ((public.is_saas_admin() OR (EXISTS ( SELECT 1
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.tenant_id = conversation_optouts.tenant_id) AND (tm.status = 'active'::text))))));

 CREATE POLICY "owner only" ON public.notifications USING ((owner_id = auth.uid())) WITH CHECK ((owner_id = auth.uid()));

@@ -478,6 +767,8 @@ CREATE POLICY patient_intake_requests_select ON public.patient_intake_requests F

 CREATE POLICY patient_intake_requests_write ON public.patient_intake_requests USING ((public.is_clinic_tenant(tenant_id) AND public.is_tenant_member(tenant_id) AND public.tenant_has_feature(tenant_id, 'patients.edit'::text))) WITH CHECK ((public.is_clinic_tenant(tenant_id) AND public.is_tenant_member(tenant_id) AND public.tenant_has_feature(tenant_id, 'patients.edit'::text)));

+CREATE POLICY patient_invite_attempts_owner_read ON public.patient_invite_attempts FOR SELECT TO authenticated USING (((owner_id = auth.uid()) OR public.is_saas_admin()));
+
 CREATE POLICY patient_invites_owner_all ON public.patient_invites TO authenticated USING ((owner_id = auth.uid())) WITH CHECK ((owner_id = auth.uid()));

 CREATE POLICY patient_invites_select ON public.patient_invites FOR SELECT USING ((public.is_clinic_tenant(tenant_id) AND public.is_tenant_member(tenant_id) AND public.tenant_has_feature(tenant_id, 'patients.view'::text)));
@@ -508,17 +799,37 @@ CREATE POLICY patients_update ON public.patients FOR UPDATE USING ((public.is_cl

 CREATE POLICY "payment_settings: owner full access" ON public.payment_settings USING ((owner_id = auth.uid())) WITH CHECK ((owner_id = auth.uid()));

+CREATE POLICY "payment_settings: tenant_admin read" ON public.payment_settings FOR SELECT TO authenticated USING (((tenant_id IS NOT NULL) AND (tenant_id IN ( SELECT tm.tenant_id
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.status = 'active'::text) AND (tm.role = ANY (ARRAY['tenant_admin'::text, 'admin'::text, 'owner'::text])))))));
+
 CREATE POLICY plan_features_read_authenticated ON public.plan_features FOR SELECT TO authenticated USING (true);

 CREATE POLICY plan_features_write_saas_admin ON public.plan_features TO authenticated USING (public.is_saas_admin()) WITH CHECK (public.is_saas_admin());

+CREATE POLICY plan_prices_read ON public.plan_prices FOR SELECT TO authenticated USING (true);
+
+CREATE POLICY plan_prices_write ON public.plan_prices TO authenticated USING (public.is_saas_admin()) WITH CHECK (public.is_saas_admin());
+
+CREATE POLICY plan_public_bullets_read_anon ON public.plan_public_bullets FOR SELECT TO authenticated, anon USING (true);
+
+CREATE POLICY plan_public_bullets_write ON public.plan_public_bullets TO authenticated USING (public.is_saas_admin()) WITH CHECK (public.is_saas_admin());
+
+CREATE POLICY plan_public_read_anon ON public.plan_public FOR SELECT TO authenticated, anon USING (true);
+
+CREATE POLICY plan_public_write ON public.plan_public TO authenticated USING (public.is_saas_admin()) WITH CHECK (public.is_saas_admin());
+
 CREATE POLICY plans_read_authenticated ON public.plans FOR SELECT TO authenticated USING (true);

 CREATE POLICY plans_write_saas_admin ON public.plans TO authenticated USING (public.is_saas_admin()) WITH CHECK (public.is_saas_admin());

 CREATE POLICY "professional_pricing: owner full access" ON public.professional_pricing USING ((owner_id = auth.uid())) WITH CHECK ((owner_id = auth.uid()));

-CREATE POLICY profiles_insert_own ON public.profiles FOR INSERT WITH CHECK ((id = auth.uid()));
+CREATE POLICY "professional_pricing: tenant_admin read" ON public.professional_pricing FOR SELECT TO authenticated USING ((tenant_id IN ( SELECT tm.tenant_id
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.status = 'active'::text) AND (tm.role = ANY (ARRAY['tenant_admin'::text, 'admin'::text, 'owner'::text]))))));
+
+CREATE POLICY profiles_insert_own ON public.profiles FOR INSERT TO authenticated WITH CHECK ((id = auth.uid()));

 CREATE POLICY profiles_read_saas_admin ON public.profiles FOR SELECT USING (public.is_saas_admin());

@@ -526,6 +837,8 @@ CREATE POLICY profiles_select_own ON public.profiles FOR SELECT USING ((id = aut

 CREATE POLICY profiles_update_own ON public.profiles FOR UPDATE USING ((id = auth.uid())) WITH CHECK ((id = auth.uid()));

+CREATE POLICY psa_read_saas_admin ON public.public_submission_attempts FOR SELECT TO authenticated USING (public.is_saas_admin());
+
 CREATE POLICY "psc: owner full access" ON public.patient_support_contacts USING ((owner_id = auth.uid())) WITH CHECK ((owner_id = auth.uid()));

 CREATE POLICY psh_insert ON public.patient_status_history FOR INSERT WITH CHECK ((public.is_clinic_tenant(tenant_id) AND public.is_tenant_member(tenant_id) AND public.tenant_has_feature(tenant_id, 'patients.edit'::text)));
@@ -538,12 +851,6 @@ CREATE POLICY pt_select ON public.patient_timeline FOR SELECT USING ((public.is_

 CREATE POLICY public_read ON public.login_carousel_slides FOR SELECT USING ((ativo = true));

-CREATE POLICY "read features (auth)" ON public.features FOR SELECT TO authenticated USING (true);
-
-CREATE POLICY "read plan_features (auth)" ON public.plan_features FOR SELECT TO authenticated USING (true);
-
-CREATE POLICY "read plans (auth)" ON public.plans FOR SELECT TO authenticated USING (true);
-
 CREATE POLICY recurrence_exceptions_tenant ON public.recurrence_exceptions TO authenticated USING ((tenant_id IN ( SELECT tenant_members.tenant_id
   FROM public.tenant_members
  WHERE (tenant_members.user_id = auth.uid())))) WITH CHECK ((tenant_id IN ( SELECT tenant_members.tenant_id
@@ -572,6 +879,16 @@ CREATE POLICY recurrence_rules_clinic_write ON public.recurrence_rules USING ((p

 CREATE POLICY recurrence_rules_owner ON public.recurrence_rules TO authenticated USING ((owner_id = auth.uid())) WITH CHECK ((owner_id = auth.uid()));

+CREATE POLICY "reminder_logs: tenant members select" ON public.session_reminder_logs FOR SELECT TO authenticated USING ((public.is_saas_admin() OR (EXISTS ( SELECT 1
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.tenant_id = session_reminder_logs.tenant_id) AND (tm.status = 'active'::text))))));
+
+CREATE POLICY "reminder_settings: tenant members all" ON public.session_reminder_settings TO authenticated USING ((public.is_saas_admin() OR (EXISTS ( SELECT 1
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.tenant_id = session_reminder_settings.tenant_id) AND (tm.status = 'active'::text)))))) WITH CHECK ((public.is_saas_admin() OR (EXISTS ( SELECT 1
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.tenant_id = session_reminder_settings.tenant_id) AND (tm.status = 'active'::text))))));
+
 CREATE POLICY "saas_admin can read subscription_intents" ON public.subscription_intents_legacy FOR SELECT TO authenticated USING ((EXISTS ( SELECT 1
   FROM public.saas_admins a
  WHERE (a.user_id = auth.uid()))));
@@ -594,11 +911,29 @@ CREATE POLICY saas_admin_full_access ON public.saas_docs TO authenticated USING

 CREATE POLICY saas_admins_select_self ON public.saas_admins FOR SELECT TO authenticated USING ((user_id = auth.uid()));

+CREATE POLICY saas_security_config_read ON public.saas_security_config FOR SELECT TO authenticated USING (true);
+
+CREATE POLICY saas_security_config_write ON public.saas_security_config FOR UPDATE TO authenticated USING (public.is_saas_admin()) WITH CHECK (public.is_saas_admin());
+
+CREATE POLICY saas_twilio_config_read ON public.saas_twilio_config FOR SELECT TO authenticated USING (public.is_saas_admin());
+
 CREATE POLICY "select own" ON public.agenda_bloqueios FOR SELECT USING ((owner_id = auth.uid()));

 CREATE POLICY service_role_manage_usage ON public.twilio_subaccount_usage USING ((auth.role() = 'service_role'::text));

-CREATE POLICY "services: owner full access" ON public.services USING ((owner_id = auth.uid())) WITH CHECK ((owner_id = auth.uid()));
+CREATE POLICY "services: delete" ON public.services FOR DELETE TO authenticated USING (((owner_id = auth.uid()) OR public.is_saas_admin()));
+
+CREATE POLICY "services: insert" ON public.services FOR INSERT TO authenticated WITH CHECK (((owner_id = auth.uid()) AND (tenant_id IN ( SELECT tm.tenant_id
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.status = 'active'::text))))));
+
+CREATE POLICY "services: select" ON public.services FOR SELECT TO authenticated USING (((owner_id = auth.uid()) OR public.is_saas_admin() OR (tenant_id IN ( SELECT tm.tenant_id
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.status = 'active'::text))))));
+
+CREATE POLICY "services: update" ON public.services FOR UPDATE TO authenticated USING (((owner_id = auth.uid()) OR public.is_saas_admin())) WITH CHECK (((owner_id = auth.uid()) OR public.is_saas_admin()));
+
+CREATE POLICY srl_read_saas_admin ON public.submission_rate_limits FOR SELECT TO authenticated USING (public.is_saas_admin());

 CREATE POLICY subscription_events_read_saas ON public.subscription_events FOR SELECT USING (public.is_saas_admin());

@@ -606,9 +941,15 @@ CREATE POLICY subscription_events_write_saas ON public.subscription_events FOR I

 CREATE POLICY subscription_intents_insert_own ON public.subscription_intents_legacy FOR INSERT TO authenticated WITH CHECK ((user_id = auth.uid()));

+CREATE POLICY subscription_intents_personal_owner ON public.subscription_intents_personal TO authenticated USING (((user_id = auth.uid()) OR public.is_saas_admin())) WITH CHECK (((user_id = auth.uid()) OR public.is_saas_admin()));
+
 CREATE POLICY subscription_intents_select_own ON public.subscription_intents_legacy FOR SELECT TO authenticated USING ((user_id = auth.uid()));

-CREATE POLICY "subscriptions read own" ON public.subscriptions FOR SELECT TO authenticated USING ((user_id = auth.uid()));
+CREATE POLICY subscription_intents_tenant_member ON public.subscription_intents_tenant TO authenticated USING ((public.is_saas_admin() OR (tenant_id IN ( SELECT tm.tenant_id
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.status = 'active'::text) AND (tm.role = ANY (ARRAY['tenant_admin'::text, 'admin'::text]))))))) WITH CHECK ((public.is_saas_admin() OR (tenant_id IN ( SELECT tm.tenant_id
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.status = 'active'::text) AND (tm.role = ANY (ARRAY['tenant_admin'::text, 'admin'::text])))))));

 CREATE POLICY "subscriptions: read if linked owner_users" ON public.subscriptions FOR SELECT TO authenticated USING ((EXISTS ( SELECT 1
   FROM public.owner_users ou
@@ -616,33 +957,53 @@ CREATE POLICY "subscriptions: read if linked owner_users" ON public.subscription

 CREATE POLICY subscriptions_insert_own_personal ON public.subscriptions FOR INSERT TO authenticated WITH CHECK (((user_id = auth.uid()) AND (tenant_id IS NULL)));

-CREATE POLICY subscriptions_no_direct_update ON public.subscriptions FOR UPDATE TO authenticated USING (false) WITH CHECK (false);
-
 CREATE POLICY subscriptions_read_own ON public.subscriptions FOR SELECT TO authenticated USING (((user_id = auth.uid()) OR public.is_saas_admin()));

 CREATE POLICY subscriptions_select_for_tenant_members ON public.subscriptions FOR SELECT TO authenticated USING (((tenant_id IS NOT NULL) AND (EXISTS ( SELECT 1
   FROM public.tenant_members tm
  WHERE ((tm.tenant_id = subscriptions.tenant_id) AND (tm.user_id = auth.uid()) AND (tm.status = 'active'::text))))));

-CREATE POLICY subscriptions_select_own_personal ON public.subscriptions FOR SELECT TO authenticated USING (((user_id = auth.uid()) AND (tenant_id IS NULL)));
-
 CREATE POLICY subscriptions_update_only_saas_admin ON public.subscriptions FOR UPDATE TO authenticated USING (public.is_saas_admin()) WITH CHECK (public.is_saas_admin());

 CREATE POLICY support_sessions_saas_delete ON public.support_sessions FOR DELETE USING (((auth.uid() = admin_id) AND (EXISTS ( SELECT 1
   FROM public.profiles
  WHERE ((profiles.id = auth.uid()) AND (profiles.role = 'saas_admin'::text))))));

-CREATE POLICY support_sessions_saas_insert ON public.support_sessions FOR INSERT WITH CHECK (((auth.uid() = admin_id) AND (EXISTS ( SELECT 1
-   FROM public.profiles
-  WHERE ((profiles.id = auth.uid()) AND (profiles.role = 'saas_admin'::text))))));
+CREATE POLICY support_sessions_saas_insert ON public.support_sessions FOR INSERT TO authenticated WITH CHECK (((admin_id = auth.uid()) AND (EXISTS ( SELECT 1
+   FROM public.saas_admins sa
+  WHERE (sa.user_id = auth.uid())))));

 CREATE POLICY support_sessions_saas_select ON public.support_sessions FOR SELECT USING (((auth.uid() = admin_id) AND (EXISTS ( SELECT 1
   FROM public.profiles
  WHERE ((profiles.id = auth.uid()) AND (profiles.role = 'saas_admin'::text))))));

-CREATE POLICY "tenant manages own overrides" ON public.email_templates_tenant USING ((tenant_id = auth.uid())) WITH CHECK ((tenant_id = auth.uid()));
+CREATE POLICY tenant_feature_exceptions_log_read ON public.tenant_feature_exceptions_log FOR SELECT TO authenticated USING ((public.is_saas_admin() OR (tenant_id IN ( SELECT tm.tenant_id
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.status = 'active'::text))))));

-CREATE POLICY "tenant owns email layout config" ON public.email_layout_config USING ((tenant_id = auth.uid())) WITH CHECK ((tenant_id = auth.uid()));
+CREATE POLICY tenant_features_select ON public.tenant_features FOR SELECT TO authenticated USING ((public.is_saas_admin() OR (tenant_id IN ( SELECT tm.tenant_id
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.status = 'active'::text))))));
+
+CREATE POLICY tenant_features_write_saas_only ON public.tenant_features TO authenticated USING (public.is_saas_admin()) WITH CHECK (public.is_saas_admin());
+
+CREATE POLICY tenant_invites_delete ON public.tenant_invites FOR DELETE TO authenticated USING ((public.is_saas_admin() OR (tenant_id IN ( SELECT tm.tenant_id
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.status = 'active'::text) AND (tm.role = ANY (ARRAY['tenant_admin'::text, 'admin'::text, 'owner'::text])))))));
+
+CREATE POLICY tenant_invites_insert ON public.tenant_invites FOR INSERT TO authenticated WITH CHECK (((invited_by = auth.uid()) AND (tenant_id IN ( SELECT tm.tenant_id
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.status = 'active'::text) AND (tm.role = ANY (ARRAY['tenant_admin'::text, 'admin'::text, 'owner'::text])))))));
+
+CREATE POLICY tenant_invites_select ON public.tenant_invites FOR SELECT TO authenticated USING ((public.is_saas_admin() OR (tenant_id IN ( SELECT tm.tenant_id
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.status = 'active'::text) AND (tm.role = ANY (ARRAY['tenant_admin'::text, 'admin'::text, 'owner'::text])))))));
+
+CREATE POLICY tenant_invites_update ON public.tenant_invites FOR UPDATE TO authenticated USING ((public.is_saas_admin() OR (tenant_id IN ( SELECT tm.tenant_id
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.status = 'active'::text) AND (tm.role = ANY (ARRAY['tenant_admin'::text, 'admin'::text, 'owner'::text]))))))) WITH CHECK ((public.is_saas_admin() OR (tenant_id IN ( SELECT tm.tenant_id
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.status = 'active'::text) AND (tm.role = ANY (ARRAY['tenant_admin'::text, 'admin'::text, 'owner'::text])))))));

 CREATE POLICY tenant_members_write_saas ON public.tenant_members TO authenticated USING (public.is_saas_admin()) WITH CHECK (public.is_saas_admin());

@@ -680,7 +1041,7 @@ CREATE POLICY tm_select_own_membership ON public.tenant_members FOR SELECT TO au

 CREATE POLICY "update own" ON public.agenda_bloqueios FOR UPDATE USING ((owner_id = auth.uid()));

-CREATE POLICY user_settings_insert_own ON public.user_settings FOR INSERT WITH CHECK ((user_id = auth.uid()));
+CREATE POLICY user_settings_insert_own ON public.user_settings FOR INSERT TO authenticated WITH CHECK ((user_id = auth.uid()));

 CREATE POLICY user_settings_select_own ON public.user_settings FOR SELECT USING ((user_id = auth.uid()));

@@ -692,6 +1053,28 @@ CREATE POLICY votos_select_own ON public.saas_doc_votos FOR SELECT TO authentica

 CREATE POLICY votos_upsert_own ON public.saas_doc_votos TO authenticated USING ((user_id = auth.uid())) WITH CHECK ((user_id = auth.uid()));

+CREATE POLICY "wa_credits_balance: select tenant" ON public.whatsapp_credits_balance FOR SELECT TO authenticated USING ((public.is_saas_admin() OR (EXISTS ( SELECT 1
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.tenant_id = whatsapp_credits_balance.tenant_id) AND (tm.status = 'active'::text))))));
+
+CREATE POLICY "wa_credits_balance: update tenant" ON public.whatsapp_credits_balance FOR UPDATE TO authenticated USING ((public.is_saas_admin() OR (EXISTS ( SELECT 1
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.tenant_id = whatsapp_credits_balance.tenant_id) AND (tm.status = 'active'::text)))))) WITH CHECK ((public.is_saas_admin() OR (EXISTS ( SELECT 1
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.tenant_id = whatsapp_credits_balance.tenant_id) AND (tm.status = 'active'::text))))));
+
+CREATE POLICY "wa_credits_tx: select tenant" ON public.whatsapp_credits_transactions FOR SELECT TO authenticated USING ((public.is_saas_admin() OR (EXISTS ( SELECT 1
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.tenant_id = whatsapp_credits_transactions.tenant_id) AND (tm.status = 'active'::text))))));
+
+CREATE POLICY "wa_packages: manage saas admin" ON public.whatsapp_credit_packages TO authenticated USING (public.is_saas_admin()) WITH CHECK (public.is_saas_admin());
+
+CREATE POLICY "wa_packages: select active" ON public.whatsapp_credit_packages FOR SELECT TO authenticated USING (((is_active = true) OR public.is_saas_admin()));
+
+CREATE POLICY "wa_purchases: select tenant" ON public.whatsapp_credit_purchases FOR SELECT TO authenticated USING ((public.is_saas_admin() OR (EXISTS ( SELECT 1
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.tenant_id = whatsapp_credit_purchases.tenant_id) AND (tm.status = 'active'::text))))));
+
 CREATE POLICY "Allow authenticated updates" ON storage.objects FOR UPDATE TO authenticated USING ((bucket_id = ANY (ARRAY['avatars'::text, 'logos'::text])));

 CREATE POLICY "Allow authenticated uploads" ON storage.objects FOR INSERT TO authenticated WITH CHECK ((bucket_id = ANY (ARRAY['avatars'::text, 'logos'::text])));
@@ -730,25 +1113,31 @@ CREATE POLICY avatars_update_own ON storage.objects FOR UPDATE TO authenticated

 CREATE POLICY avatars_update_own_folder ON storage.objects FOR UPDATE USING (((bucket_id = 'avatars'::text) AND (auth.role() = 'authenticated'::text) AND (name ~~ (('owners/'::text || auth.uid()) || '/%'::text)))) WITH CHECK (((bucket_id = 'avatars'::text) AND (auth.role() = 'authenticated'::text) AND (name ~~ (('owners/'::text || auth.uid()) || '/%'::text))));

-CREATE POLICY "documents: authenticated delete" ON storage.objects FOR DELETE TO authenticated USING ((bucket_id = 'documents'::text));
+CREATE POLICY "documents: tenant member delete" ON storage.objects FOR DELETE TO authenticated USING (((bucket_id = 'documents'::text) AND (public.is_saas_admin() OR (((storage.foldername(name))[1])::uuid IN ( SELECT tm.tenant_id
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.status = 'active'::text)))))));

-CREATE POLICY "documents: authenticated read" ON storage.objects FOR SELECT TO authenticated USING ((bucket_id = 'documents'::text));
+CREATE POLICY "documents: tenant member read" ON storage.objects FOR SELECT TO authenticated USING (((bucket_id = 'documents'::text) AND (public.is_saas_admin() OR (((storage.foldername(name))[1])::uuid IN ( SELECT tm.tenant_id
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.status = 'active'::text)))))));

-CREATE POLICY "documents: authenticated upload" ON storage.objects FOR INSERT TO authenticated WITH CHECK ((bucket_id = 'documents'::text));
+CREATE POLICY "documents: tenant member upload" ON storage.objects FOR INSERT TO authenticated WITH CHECK (((bucket_id = 'documents'::text) AND (((storage.foldername(name))[1])::uuid IN ( SELECT tm.tenant_id
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.status = 'active'::text))))));

-CREATE POLICY "generated-docs: authenticated delete" ON storage.objects FOR DELETE TO authenticated USING ((bucket_id = 'generated-docs'::text));
+CREATE POLICY "generated-docs: tenant member delete" ON storage.objects FOR DELETE TO authenticated USING (((bucket_id = 'generated-docs'::text) AND (public.is_saas_admin() OR (((storage.foldername(name))[1])::uuid IN ( SELECT tm.tenant_id
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.status = 'active'::text)))))));

-CREATE POLICY "generated-docs: authenticated read" ON storage.objects FOR SELECT TO authenticated USING ((bucket_id = 'generated-docs'::text));
+CREATE POLICY "generated-docs: tenant member read" ON storage.objects FOR SELECT TO authenticated USING (((bucket_id = 'generated-docs'::text) AND (public.is_saas_admin() OR (((storage.foldername(name))[1])::uuid IN ( SELECT tm.tenant_id
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.status = 'active'::text)))))));

-CREATE POLICY "generated-docs: authenticated upload" ON storage.objects FOR INSERT TO authenticated WITH CHECK ((bucket_id = 'generated-docs'::text));
+CREATE POLICY "generated-docs: tenant member upload" ON storage.objects FOR INSERT TO authenticated WITH CHECK (((bucket_id = 'generated-docs'::text) AND (((storage.foldername(name))[1])::uuid IN ( SELECT tm.tenant_id
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.status = 'active'::text))))));

-CREATE POLICY intake_read_anon ON storage.objects FOR SELECT TO anon USING (((bucket_id = 'avatars'::text) AND (name ~~ 'intakes/%'::text)));
-
-CREATE POLICY intake_read_public ON storage.objects FOR SELECT USING (((bucket_id = 'avatars'::text) AND (name ~~ 'intakes/%'::text)));
-
-CREATE POLICY intake_upload_anon ON storage.objects FOR INSERT TO anon WITH CHECK (((bucket_id = 'avatars'::text) AND (name ~~ 'intakes/%'::text)));
-
-CREATE POLICY intake_upload_public ON storage.objects FOR INSERT WITH CHECK (((bucket_id = 'avatars'::text) AND (name ~~ 'intakes/%'::text)));
+CREATE POLICY intake_read_owner_only ON storage.objects FOR SELECT TO authenticated USING (((bucket_id = 'avatars'::text) AND ((storage.foldername(name))[1] = 'intakes'::text)));

 CREATE POLICY public_read ON storage.objects FOR SELECT USING ((bucket_id = 'saas-docs'::text));

@@ -759,3 +1148,9 @@ CREATE POLICY saas_admin_delete ON storage.objects FOR DELETE TO authenticated U
 CREATE POLICY saas_admin_upload ON storage.objects FOR INSERT TO authenticated WITH CHECK (((bucket_id = 'saas-docs'::text) AND (EXISTS ( SELECT 1
   FROM public.saas_admins
  WHERE (saas_admins.user_id = auth.uid())))));
+
+CREATE POLICY "whatsapp-media: delete saas admin" ON storage.objects FOR DELETE TO authenticated USING (((bucket_id = 'whatsapp-media'::text) AND public.is_saas_admin()));
+
+CREATE POLICY "whatsapp-media: read tenant members" ON storage.objects FOR SELECT TO authenticated USING (((bucket_id = 'whatsapp-media'::text) AND (public.is_saas_admin() OR (EXISTS ( SELECT 1
+   FROM public.tenant_members tm
+  WHERE ((tm.user_id = auth.uid()) AND (tm.status = 'active'::text) AND ((storage.foldername(objects.name))[1] = (tm.tenant_id)::text)))))));