Sessoes 1-6 acumuladas: hardening B2, defesa em camadas, +192 testes

Repositorio estava ha ~5 sessoes sem commit. Consolida tudo desde d088a89. Ver commit.md na raiz para descricao completa por sessao. # Numeros - A# auditoria abertos: 0/30 - V# verificacoes abertos: 5/52 (todos adiados com plano) - T# testes escritos: 10/10 - Vitest: 192/192 - SQL integration: 33/33 - E2E (Playwright, novo): 5/5 - Migrations: 17 (10 novas Sessao 6) - Areas auditadas: 7 (+documentos com 10 V#) # Highlights Sessao 6 (hoje) - V#34/V#41 Opcao B2: tenant_features com plano + override (RPC SECURITY DEFINER, tela /saas/tenant-features) - A#20 rev2 self-hosted: defesa em 5 camadas (honeypot + rate limit + math captcha condicional + paranoid mode + dashboard /saas/security) - Documentos hardening (V#43-V#49): tenant scoping em storage policies (vazamento entre clinicas eliminado), RPC validate_share_token, signatures policy granular - SaaS Twilio Config (/saas/twilio-config): UI editavel para SID/webhook/cotacao; AUTH_TOKEN permanece em env var - T#9 + T#10: useAgendaEvents.spec.js + Playwright E2E (descobriu bug no front que foi corrigido) # Sessoes anteriores (1-5) consolidadas - Sessao 1: auth/router/session, normalizeRole extraido - Sessao 2: agenda - composables/services consolidados - Sessao 3: pacientes - tenant_id em todas queries - Sessao 4: security review pagina publica - 14/15 vulnerabilidades corrigidas - Sessao 5: SaaS - P0 (A#30: 7 tabelas com RLS off corrigidas) # .gitignore ajustado - supabase/* + !supabase/functions/ (mantem 10 edge functions, ignora .temp/migrations gerados pelo CLI) - database-novo/backups/ (regeneravel via db.cjs backup) - test-results/ + playwright-report/ - .claude/settings.local.json (config local com senha de dev removida do tracking) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-19 15:42:46 -03:00
parent d088a89fb7
commit 7c20b518d4
175 changed files with 37325 additions and 37968 deletions
@@ -65,6 +65,7 @@ import { useToast }             from 'primevue/usetoast'
 import { useConfirm }           from 'primevue/useconfirm'
 import { supabase }             from '@/lib/supabase/client'
 import { useTenantStore }       from '@/stores/tenantStore'
+import { logError }             from '@/support/supportLogger'
 import { digitsOnly, fmtCPF, fmtRG, fmtPhone, toISODate, generateCPF } from '@/utils/validators'
 import CadastroRapidoConvenio from '@/components/CadastroRapidoConvenio.vue'
 import CadastroRapidoMedico   from '@/components/CadastroRapidoMedico.vue'
@@ -91,6 +92,11 @@ const tenantStore = useTenantStore()
 async function getCurrentTenantId () {
  return tenantStore.tenantId || tenantStore.currentTenantId || tenantStore.tenant?.id
 }
+
+// Helper sync para blindar queries com .eq('tenant_id', ...) — defesa em profundidade.
+function currentTenantId () {
+  return tenantStore.activeTenantId || tenantStore.tenantId || tenantStore.tenant?.id || null
+}
 async function getCurrentMemberId (tenantId) {
  const { data: a, error: ae } = await supabase.auth.getUser(); if (ae) throw ae
  const uid = a?.user?.id; if (!uid) throw new Error('Sessão inválida.')
@@ -480,29 +486,26 @@ async function loadContatosSuporte (pid) {
 // DB calls
 // ─────────────────────────────────────────────────────────
 async function listGroups () {
-  const probe = await supabase.from('patient_groups').select('*').limit(1)
-  if (probe.error) throw probe.error
-  const row = probe.data?.[0]||{}
-  if ('nome' in row||'cor' in row) {
-    const { data, error } = await supabase.from('patient_groups').select('id,nome,descricao,cor,is_system,is_active').eq('is_active',true).order('nome',{ascending:true})
-    if (error) throw error; return (data||[]).map(g=>({...g,name:g.nome,color:g.cor}))
-  }
-  const { data, error } = await supabase.from('patient_groups').select('id,name,description,color,is_system,is_active').eq('is_active',true).order('name',{ascending:true})
-  if (error) throw error; return (data||[]).map(g=>({...g,nome:g.name,cor:g.color}))
+  const tid = currentTenantId()
+  let q = supabase.from('patient_groups').select('id,nome,descricao,cor,is_system,is_active').eq('is_active',true).order('nome',{ascending:true})
+  if (tid) q = q.eq('tenant_id', tid)
+  const { data, error } = await q
+  if (error) throw error
+  return (data||[]).map(g=>({...g,name:g.nome,color:g.cor}))
 }
 async function listTags () {
-  const probe = await supabase.from('patient_tags').select('*').limit(1)
-  if (probe.error) throw probe.error
-  const row = probe.data?.[0]||{}
-  if ('name' in row||'color' in row) {
-    const { data, error } = await supabase.from('patient_tags').select('id,name,color').order('name',{ascending:true})
-    if (error) throw error; return data||[]
-  }
-  const { data, error } = await supabase.from('patient_tags').select('id,nome,cor').order('nome',{ascending:true})
-  if (error) throw error; return (data||[]).map(t=>({...t,name:t.nome,color:t.cor}))
+  const tid = currentTenantId()
+  let q = supabase.from('patient_tags').select('id,nome,cor').order('nome',{ascending:true})
+  if (tid) q = q.eq('tenant_id', tid)
+  const { data, error } = await q
+  if (error) throw error
+  return (data||[]).map(t=>({...t,name:t.nome,color:t.cor}))
 }
 async function getPatientById (id) {
-  const { data, error } = await supabase.from('patients').select('*').eq('id',id).single()
+  const tid = currentTenantId()
+  let q = supabase.from('patients').select('*').eq('id',id)
+  if (tid) q = q.eq('tenant_id', tid)
+  const { data, error } = await q.maybeSingle()
  if (error) throw error; return data
 }
 async function getPatientRelations (id) {
@@ -515,7 +518,10 @@ async function createPatient (payload) {
  if (error) throw error; return data
 }
 async function updatePatient (id, payload) {
-  const { error } = await supabase.from('patients').update({ ...payload, updated_at:new Date().toISOString() }).eq('id',id)
+  const tid = currentTenantId()
+  let q = supabase.from('patients').update({ ...payload, updated_at:new Date().toISOString() }).eq('id',id)
+  if (tid) q = q.eq('tenant_id', tid)
+  const { error } = await q
  if (error) throw error
 }

@@ -628,7 +634,7 @@ async function onSubmit () {
    convenioId.value=null; convenioNome.value=''; medicosSelecionados.value=[]
    await openPanel(0)
  } catch (e) {
-    console.error(e)
+    logError('patients.cadastro', 'save falhou', e)
    toast.add({ severity:'error', summary:'Erro', detail:e?.message||'Falha ao salvar.', life:4000 })
  } finally { saving.value=false }
 }