asaas: Tier 1 Fase A foundation — migrations + service + edge function stubs

DESIGN_ASAAS_GATEWAY.md documenta arquitetura. Schema novo: 2
migrations (tables + RLS) cobrindo asaas_customers + asaas_payments
+ asaas_webhook_events. Client service asaasGatewayService.js no
features/financeiro. 3 Edge Function stubs (create-payment-record,
cancel-payment, sync-payment) — webhook financial_records eh Fase B.

Bloqueadores Fase B (implementacao real): user precisa criar conta
Asaas, gerar API keys, configurar webhook, setar ENV vars no
Supabase. Decisao modelo de negocio (A/B/C) tambem pendente.
Stops marcados claramente no DESIGN.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

database-novo/migrations/20260521000002_asaas_gateway_rls.sql

@@ -0,0 +1,72 @@
+-- ============================================================================
+-- Asaas Gateway — RLS policies
+-- ----------------------------------------------------------------------------
+-- Owner-scoped: cada terapeuta vê só os customers/payments do seu tenant.
+-- INSERT/UPDATE bloqueado client-side — só Edge Functions (service role)
+-- podem escrever. Browser só lê (pra exibir QR code, status, etc).
+--
+-- API keys em payment_settings: já tem RLS (não duplica).
+-- ============================================================================
+
+BEGIN;
+
+-- ──────────────────────────────────────────────────────────────────────────
+-- asaas_customers
+-- ──────────────────────────────────────────────────────────────────────────
+ALTER TABLE public.asaas_customers ENABLE ROW LEVEL SECURITY;
+
+CREATE POLICY asaas_customers_member_select
+    ON public.asaas_customers FOR SELECT TO authenticated
+    USING (public.is_tenant_member(tenant_id));
+
+-- INSERT/UPDATE/DELETE bloqueados — Edge Functions usam service_role que bypassa RLS
+CREATE POLICY asaas_customers_no_client_write
+    ON public.asaas_customers FOR INSERT TO authenticated
+    WITH CHECK (false);
+CREATE POLICY asaas_customers_no_client_update
+    ON public.asaas_customers FOR UPDATE TO authenticated
+    USING (false);
+CREATE POLICY asaas_customers_no_client_delete
+    ON public.asaas_customers FOR DELETE TO authenticated
+    USING (false);
+
+-- ──────────────────────────────────────────────────────────────────────────
+-- asaas_payments
+-- ──────────────────────────────────────────────────────────────────────────
+ALTER TABLE public.asaas_payments ENABLE ROW LEVEL SECURITY;
+
+CREATE POLICY asaas_payments_member_select
+    ON public.asaas_payments FOR SELECT TO authenticated
+    USING (public.is_tenant_member(tenant_id));
+
+CREATE POLICY asaas_payments_no_client_write
+    ON public.asaas_payments FOR INSERT TO authenticated
+    WITH CHECK (false);
+CREATE POLICY asaas_payments_no_client_update
+    ON public.asaas_payments FOR UPDATE TO authenticated
+    USING (false);
+CREATE POLICY asaas_payments_no_client_delete
+    ON public.asaas_payments FOR DELETE TO authenticated
+    USING (false);
+
+-- ──────────────────────────────────────────────────────────────────────────
+-- asaas_webhook_events
+-- ──────────────────────────────────────────────────────────────────────────
+-- Audit table — saas_admin lê pra debug. Members não veem.
+ALTER TABLE public.asaas_webhook_events ENABLE ROW LEVEL SECURITY;
+
+CREATE POLICY asaas_webhook_events_saas_admin_select
+    ON public.asaas_webhook_events FOR SELECT TO authenticated
+    USING (public.is_saas_admin());
+
+CREATE POLICY asaas_webhook_events_no_client_write
+    ON public.asaas_webhook_events FOR INSERT TO authenticated
+    WITH CHECK (false);
+CREATE POLICY asaas_webhook_events_no_update
+    ON public.asaas_webhook_events FOR UPDATE TO authenticated
+    USING (false);
+CREATE POLICY asaas_webhook_events_no_delete
+    ON public.asaas_webhook_events FOR DELETE TO authenticated
+    USING (false);
+
+COMMIT;