Sessoes 1-6 acumuladas: hardening B2, defesa em camadas, +192 testes

Repositorio estava ha ~5 sessoes sem commit. Consolida tudo desde d088a89.

Ver commit.md na raiz para descricao completa por sessao.

# Numeros
- A# auditoria abertos: 0/30
- V# verificacoes abertos: 5/52 (todos adiados com plano)
- T# testes escritos: 10/10
- Vitest: 192/192
- SQL integration: 33/33
- E2E (Playwright, novo): 5/5
- Migrations: 17 (10 novas Sessao 6)
- Areas auditadas: 7 (+documentos com 10 V#)

# Highlights Sessao 6 (hoje)
- V#34/V#41 Opcao B2: tenant_features com plano + override (RPC SECURITY DEFINER, tela /saas/tenant-features)
- A#20 rev2 self-hosted: defesa em 5 camadas (honeypot + rate limit + math captcha condicional + paranoid mode + dashboard /saas/security)
- Documentos hardening (V#43-V#49): tenant scoping em storage policies (vazamento entre clinicas eliminado), RPC validate_share_token, signatures policy granular
- SaaS Twilio Config (/saas/twilio-config): UI editavel para SID/webhook/cotacao; AUTH_TOKEN permanece em env var
- T#9 + T#10: useAgendaEvents.spec.js + Playwright E2E (descobriu bug no front que foi corrigido)

# Sessoes anteriores (1-5) consolidadas
- Sessao 1: auth/router/session, normalizeRole extraido
- Sessao 2: agenda - composables/services consolidados
- Sessao 3: pacientes - tenant_id em todas queries
- Sessao 4: security review pagina publica - 14/15 vulnerabilidades corrigidas
- Sessao 5: SaaS - P0 (A#30: 7 tabelas com RLS off corrigidas)

# .gitignore ajustado
- supabase/* + !supabase/functions/ (mantem 10 edge functions, ignora .temp/migrations gerados pelo CLI)
- database-novo/backups/ (regeneravel via db.cjs backup)
- test-results/ + playwright-report/
- .claude/settings.local.json (config local com senha de dev removida do tracking)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

supabase/functions/submit-patient-intake/index.js

@@ -0,0 +1,210 @@
+/*
+|--------------------------------------------------------------------------
+| Agência PSI — Edge Function: submit-patient-intake (A#20 rev2)
+|--------------------------------------------------------------------------
+| Defesa em camadas SELF-HOSTED (substitui Turnstile):
+|   1. Honeypot field            → frontend renderiza, edge rejeita se vier preenchido
+|   2. Rate limit por IP         → check_rate_limit RPC
+|   3. Math captcha CONDICIONAL  → exigido só após N falhas do mesmo IP
+|   4. Logging                   → record_submission_attempt RPC (genérico)
+|   5. Modo paranoid             → saas_security_config.captcha_required_globally
+|
+| Endpoints:
+|   POST /                  → submit do form
+|   POST /captcha-challenge → gera math challenge (id+question) sob demanda
+|--------------------------------------------------------------------------
+*/
+
+import { createClient } from 'https://esm.sh/@supabase/supabase-js@2'
+
+const SUPABASE_URL          = Deno.env.get('SUPABASE_URL')
+const SUPABASE_SERVICE_KEY  = Deno.env.get('SUPABASE_SERVICE_ROLE_KEY')
+const ENDPOINT_NAME         = 'patient_intake'
+
+const supabase = createClient(SUPABASE_URL, SUPABASE_SERVICE_KEY)
+
+const CORS_HEADERS = {
+    'Access-Control-Allow-Origin':  '*',
+    'Access-Control-Allow-Methods': 'POST, OPTIONS',
+    'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type'
+}
+
+function jsonResponse(body, status = 200) {
+    return new Response(JSON.stringify(body), {
+        status,
+        headers: { 'content-type': 'application/json', ...CORS_HEADERS }
+    })
+}
+
+// SHA-256 estável (rate limit é por hash, nunca pelo IP cru — privacidade)
+async function hashIp(ip) {
+    if (!ip) return null
+    const buf = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(`agenciapsi:${ip}`))
+    return Array.from(new Uint8Array(buf)).map((b) => b.toString(16).padStart(2, '0')).join('').slice(0, 32)
+}
+
+function getClientIp(req) {
+    const xff = req.headers.get('x-forwarded-for')
+    if (xff) return xff.split(',')[0].trim()
+    return req.headers.get('cf-connecting-ip') || req.headers.get('x-real-ip') || null
+}
+
+// ─────────────────────────────────────────────────────────────────────────
+// Handler principal
+// -----------------------------------------------------------------------------
+Deno.serve(async (req) => {
+    if (req.method === 'OPTIONS') return new Response(null, { status: 204, headers: CORS_HEADERS })
+    if (req.method !== 'POST')    return jsonResponse({ error: 'method-not-allowed' }, 405)
+
+    const url = new URL(req.url)
+    const isCaptchaEndpoint = url.pathname.endsWith('/captcha-challenge')
+
+    // ── Endpoint de challenge (sem rate limit aqui pra não bloquear UX) ──
+    if (isCaptchaEndpoint) {
+        const { data, error } = await supabase.rpc('generate_math_challenge')
+        if (error) return jsonResponse({ error: 'challenge-failed', message: error.message }, 500)
+        return jsonResponse({ challenge: data }, 200)
+    }
+
+    // ── Endpoint principal: submit do intake ──
+    let body
+    try {
+        body = await req.json()
+    } catch {
+        return jsonResponse({ error: 'invalid-json' }, 400)
+    }
+
+    const token        = String(body?.token || '').trim()
+    const payload      = body?.payload && typeof body.payload === 'object' ? body.payload : null
+    const honeypot     = String(body?.website || '').trim() // honeypot field name
+    const captchaId    = body?.captcha_id ? String(body.captcha_id) : null
+    const captchaAnswer = body?.captcha_answer != null ? Number(body.captcha_answer) : null
+    const ip           = getClientIp(req)
+    const ipHash       = await hashIp(ip)
+    const userAgent    = String(body?.client_info || req.headers.get('user-agent') || '').slice(0, 500)
+
+    // ── 1) HONEYPOT: bot tipicamente preenche todos os campos ──
+    if (honeypot.length > 0) {
+        await supabase.rpc('record_submission_attempt', {
+            p_endpoint:   ENDPOINT_NAME,
+            p_ip_hash:    ipHash,
+            p_success:    false,
+            p_blocked_by: 'honeypot',
+            p_error_code: 'honeypot_filled',
+            p_error_msg:  null,
+            p_user_agent: userAgent,
+            p_metadata:   null
+        })
+        // Resposta deliberadamente igual à de sucesso pra não dar feedback ao bot
+        return jsonResponse({ ok: true, intake_id: null }, 200)
+    }
+
+    if (!token || !payload) {
+        await supabase.rpc('record_submission_attempt', {
+            p_endpoint:   ENDPOINT_NAME,
+            p_ip_hash:    ipHash,
+            p_success:    false,
+            p_blocked_by: 'validation',
+            p_error_code: 'missing_fields',
+            p_error_msg:  null,
+            p_user_agent: userAgent,
+            p_metadata:   null
+        })
+        return jsonResponse({ error: 'missing-fields' }, 400)
+    }
+
+    // ── 2) RATE LIMIT + decisão de captcha ──
+    const { data: rl, error: rlErr } = await supabase.rpc('check_rate_limit', {
+        p_ip_hash:  ipHash,
+        p_endpoint: ENDPOINT_NAME
+    })
+    if (rlErr) {
+        // fail-open mas logado
+        console.error('[submit-patient-intake] check_rate_limit failed:', rlErr.message)
+    }
+
+    if (rl && rl.allowed === false) {
+        await supabase.rpc('record_submission_attempt', {
+            p_endpoint:   ENDPOINT_NAME,
+            p_ip_hash:    ipHash,
+            p_success:    false,
+            p_blocked_by: 'rate_limit',
+            p_error_code: rl.reason || 'blocked',
+            p_error_msg:  null,
+            p_user_agent: userAgent,
+            p_metadata:   null
+        })
+        return jsonResponse({
+            error: 'rate-limited',
+            retry_after_seconds: rl.retry_after_seconds || null
+        }, 429)
+    }
+
+    // ── 3) MATH CAPTCHA condicional ──
+    if (rl && rl.requires_captcha === true) {
+        if (!captchaId || !Number.isFinite(captchaAnswer)) {
+            await supabase.rpc('record_submission_attempt', {
+                p_endpoint:   ENDPOINT_NAME,
+                p_ip_hash:    ipHash,
+                p_success:    false,
+                p_blocked_by: 'captcha',
+                p_error_code: 'captcha_required',
+                p_error_msg:  null,
+                p_user_agent: userAgent,
+                p_metadata:   null
+            })
+            return jsonResponse({ error: 'captcha-required' }, 403)
+        }
+
+        const { data: ok, error: vErr } = await supabase.rpc('verify_math_challenge', {
+            p_id:     captchaId,
+            p_answer: captchaAnswer
+        })
+        if (vErr || !ok) {
+            await supabase.rpc('record_submission_attempt', {
+                p_endpoint:   ENDPOINT_NAME,
+                p_ip_hash:    ipHash,
+                p_success:    false,
+                p_blocked_by: 'captcha',
+                p_error_code: 'captcha_wrong',
+                p_error_msg:  vErr?.message || null,
+                p_user_agent: userAgent,
+                p_metadata:   null
+            })
+            return jsonResponse({ error: 'captcha-wrong' }, 403)
+        }
+    }
+
+    // ── 4) Chama RPC do intake ──
+    const { data, error } = await supabase.rpc('create_patient_intake_request_v2', {
+        p_token:       token,
+        p_payload:     payload,
+        p_client_info: userAgent || null
+    })
+
+    if (error) {
+        await supabase.rpc('record_submission_attempt', {
+            p_endpoint:   ENDPOINT_NAME,
+            p_ip_hash:    ipHash,
+            p_success:    false,
+            p_blocked_by: 'rpc',
+            p_error_code: error.code || 'rpc_err',
+            p_error_msg:  error.message,
+            p_user_agent: userAgent,
+            p_metadata:   null
+        })
+        return jsonResponse({ error: 'rpc-failed', message: error.message }, 400)
+    }
+
+    await supabase.rpc('record_submission_attempt', {
+        p_endpoint:   ENDPOINT_NAME,
+        p_ip_hash:    ipHash,
+        p_success:    true,
+        p_blocked_by: null,
+        p_error_code: null,
+        p_error_msg:  null,
+        p_user_agent: userAgent,
+        p_metadata:   null
+    })
+    return jsonResponse({ ok: true, intake_id: data }, 200)
+})