diff --git a/.gitignore b/.gitignore
index 99fb4d6cd..f02e6dda9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -41,3 +41,9 @@ e2e/.auth/
 
 # TypeScript incremental build artifacts
 *.tsbuildinfo
+
+# Deno lock files — generated por `deno check`/`deno test` localmente.
+# Edge functions são deployadas pelo Lovable Cloud sem necessidade de
+# pinning reproduzível, e CI sempre faz fresh resolution via deno.json.
+deno.lock
+**/deno.lock
diff --git a/docs/RUNBOOK_CONNECTIONS.md b/docs/RUNBOOK_CONNECTIONS.md
new file mode 100644
index 000000000..cd230032b
--- /dev/null
+++ b/docs/RUNBOOK_CONNECTIONS.md
@@ -0,0 +1,188 @@
+# 🔌 Runbook — Módulo `/admin/conexoes`
+
+Guia operacional do módulo de Conexões: diagnóstico, rotação de credenciais,
+auto-test cron, e interpretação de logs.
+
+---
+
+## 🩺 Sintoma → Causa → Ação
+
+### "Carregando..." infinito no seletor de empresas (front)
+
+**Sintoma:** UI fica travada em "Carregando..." por 15-20s antes de ficar vazio.
+
+**Causa raiz:** `crm-db-bridge` não consegue resolver `EXTERNAL_CRM_URL` /
+`EXTERNAL_CRM_SERVICE_ROLE_KEY`. React Query reentra 3× em cada erro 500.
+
+**Diagnóstico:**
+
+```sql
+-- 1. Confirmar que credenciais existem no DB
+SELECT secret_name, secret_source, is_active
+  FROM public.integration_credentials
+ WHERE secret_name LIKE 'EXTERNAL_CRM%';
+
+-- 2. Ver últimos erros do bridge nos logs estruturados
+-- Filtrar por evt='credential_resolved' e source='none'
+```
+
+**Ação:**
+
+1. Cadastrar credenciais via `/admin/conexoes` ou diretamente:
+   ```sql
+   -- Via secrets-manager (preferido)
+   -- POST /functions/v1/secrets-manager
+   -- { "action": "set", "name": "EXTERNAL_CRM_URL", "value": "https://..." }
+   ```
+2. Aliases legados (`CRM_SUPABASE_URL`) também funcionam como fallback via env.
+
+---
+
+### Banner "Credenciais alteradas" não mostra qual secret mudou
+
+**Causa raiz:** payload realtime usa coluna `secret_name`, não `name`.
+Foi corrigido em PR #70 (`CredentialsChangedBanner.tsx`).
+
+**Validar:** alterar uma credencial e verificar que o toast mostra o nome.
+
+---
+
+### `AutoTestJobStatusCard` sempre "untested"
+
+**Causa raiz:** cron `connections-auto-test` órfão (sem schedule).
+
+**Diagnóstico:**
+
+```sql
+SELECT jobname, schedule, active
+  FROM cron.job
+ WHERE jobname = 'connections-auto-test';
+-- Se vazio: migration 20260429163414_* não foi aplicada
+```
+
+**Ação:**
+
+```sql
+-- Aplicar a migration ou rodar manualmente:
+SELECT cron.schedule(
+  'connections-auto-test',
+  '*/15 * * * *',
+  $$ SELECT net.http_post(...); $$
+);
+```
+
+**Validar intervalo configurado:**
+
+```sql
+SELECT public.get_connections_auto_test_interval();
+-- Deve retornar 15 (default) ou outro valor configurado via UI.
+```
+
+---
+
+## 🔐 Rotação de Credenciais CRM
+
+1. **Provedor:** gerar nova `service_role` key no dashboard Supabase do CRM.
+2. **Aplicar:** `/admin/conexoes` → Tab "Supabase" → Card CRM → "Rotacionar".
+3. **Verificar:** seletor de empresas no front carrega em <3s.
+4. **Auditar:** linha em `secret_rotation_log` com user_id e timestamp.
+
+> Cache TTL é 60s — propagação para edge functions é praticamente instantânea
+> via `invalidateCredentialCache()` chamado pelo secrets-manager após rotação.
+
+---
+
+## 🩺 Endpoints de Diagnóstico do `crm-db-bridge`
+
+Todos com **bypass de auth** — operadores precisam diagnosticar mesmo com JWT
+quebrado ou breaker aberto.
+
+```
+GET  /functions/v1/crm-db-bridge?op=ping            → liveness
+GET  /functions/v1/crm-db-bridge?op=diag            → boot/runtime metrics
+GET  /functions/v1/crm-db-bridge?op=breaker_status  → circuit breaker
+GET  /functions/v1/crm-db-bridge?op=creds_health    → resolução das credenciais
+```
+
+Exemplo de `creds_health` em estado saudável:
+
+```json
+{
+  "ok": true, "ts": 1745000000000, "health": "healthy",
+  "credentials": [
+    { "name": "EXTERNAL_CRM_URL", "present": true,
+      "source": "db", "via_alias": false, "resolved_name": "EXTERNAL_CRM_URL",
+      "value_length": 41, "suffix4": "e.co" },
+    { "name": "EXTERNAL_CRM_SERVICE_ROLE_KEY", "present": true,
+      "source": "db", "via_alias": false, "resolved_name": "EXTERNAL_CRM_SERVICE_ROLE_KEY",
+      "value_length": 219, "suffix4": "x9wA" },
+    { "name": "EXTERNAL_CRM_ANON_KEY", "present": true,
+      "source": "env", "via_alias": true, "resolved_name": "CRM_SUPABASE_ANON_KEY",
+      "value_length": 219, "suffix4": "g4V0" }
+  ]
+}
+```
+
+| `health` | Significado | Ação |
+|---|---|---|
+| `healthy` | URL + 1 key presentes | nenhuma |
+| `degraded` | só URL ou só key | cadastrar a parte faltante |
+| `missing` | sem URL | bridge fora do ar — cadastrar credenciais |
+
+---
+
+## 📊 Logs Estruturados
+
+### `connections-auto-test`
+
+| Evento | Payload |
+|---|---|
+| `auto-test` | `{type, name, ok, status, latency_ms, attempts, retried, error}` |
+| `auto-test-summary` | `{tested, ok_count, failed, retried, recovered, duration_ms}` |
+| `auto-test-error` | `{id, type, error}` (erro por conexão) |
+| `auto-test-fatal` | `{error}` (erro global, batch abortado) |
+
+### `_shared/credentials.ts`
+
+| Evento | Payload |
+|---|---|
+| `credential_resolved` | `{name, resolved_name, source, has_value, cached, duration_ms, via_alias}` |
+
+> `source: "none"` indica credencial não encontrada — alarme precoce.
+> Desabilitar verbosidade: `LOG_CREDENTIAL_RESOLUTION=off` no env.
+
+---
+
+## 🛡️ RLS de `integration_credentials`
+
+Policies aceitam role `admin` **OU** `dev` (alinhado ao `secrets-manager`).
+Migration: `20260429163441_align_integration_credentials_rls_with_dev.sql`.
+
+```sql
+-- Validar policies
+SELECT policyname, cmd FROM pg_policies
+ WHERE tablename = 'integration_credentials';
+-- 4 linhas esperadas: SELECT, INSERT, UPDATE, DELETE
+```
+
+---
+
+## 🔁 Edge Functions que dependem de credenciais CRM
+
+| Função | Aliases consumidos | Impacto se faltar |
+|---|---|---|
+| `crm-db-bridge` | `EXTERNAL_CRM_URL`, `_SERVICE_ROLE_KEY`, `_ANON_KEY` | front "Carregando..." |
+| `quote-sync` | `EXTERNAL_CRM_URL`, `_SERVICE_ROLE_KEY` | sync de orçamentos pausa |
+| `expert-chat` | `EXTERNAL_CRM_URL`, `_SERVICE_ROLE_KEY` | chat sem contexto de cliente |
+| `quote-public-view` | `EXTERNAL_CRM_URL`, `_SERVICE_ROLE_KEY` | link público quebra |
+
+Todas usam `resolveCredential()` — DB-first, env como fallback.
+
+---
+
+## 📚 Referências
+
+- `supabase/functions/_shared/credentials.ts` — SSOT de resolução
+- `supabase/migrations/20260429163414_*.sql` — schedule do cron
+- `supabase/migrations/20260429163441_*.sql` — RLS para dev
+- `docs/RUNBOOK.md` — runbook geral
diff --git a/scripts/typecheck-edge-functions.mjs b/scripts/typecheck-edge-functions.mjs
index fc18e8087..d1d40bc17 100644
--- a/scripts/typecheck-edge-functions.mjs
+++ b/scripts/typecheck-edge-functions.mjs
@@ -66,7 +66,17 @@ function checkFunction(fn) {
   // `deno check` is the dedicated typecheck command. It's faster than
   // `deno cache` and doesn't execute code. We pass all files at once so
   // shared types within the function are resolved together.
-  const result = spawnSync("deno", ["check", ...files], {
+  //
+  // If the function has a local deno.json (with import map for npm:/jsr:
+  // bare specifiers), pass it via --config so imports like
+  // `import { Hono } from "hono"` resolve. Without this, bare specifiers
+  // fail with: Relative import path "X" not prefixed with / or ./ or ../
+  const localConfig = join(fnDir, "deno.json");
+  const args = ["check"];
+  if (existsSync(localConfig)) args.push("--config", localConfig);
+  args.push(...files);
+
+  const result = spawnSync("deno", args, {
     encoding: "utf8",
     env: { ...process.env, NO_COLOR: "1" },
   });
diff --git a/src/components/admin/connections/CredentialsChangedBanner.tsx b/src/components/admin/connections/CredentialsChangedBanner.tsx
index 9569a5572..bc8f72249 100644
--- a/src/components/admin/connections/CredentialsChangedBanner.tsx
+++ b/src/components/admin/connections/CredentialsChangedBanner.tsx
@@ -1,9 +1,9 @@
-import { useCallback, useEffect, useRef, useState } from "react";
-import { Loader2, RefreshCw, X } from "lucide-react";
-import { supabase } from "@/integrations/supabase/client";
-import { useSecretsManager } from "@/hooks/useSecretsManager";
-import { Button } from "@/components/ui/button";
-import { toast } from "sonner";
+import { useCallback, useEffect, useRef, useState } from 'react';
+import { Loader2, RefreshCw, X } from 'lucide-react';
+import { supabase } from '@/integrations/supabase/client';
+import { useSecretsManager } from '@/hooks/useSecretsManager';
+import { Button } from '@/components/ui/button';
+import { toast } from 'sonner';
 
 interface CredentialsChangedBannerProps {
   /** Callback executed in parallel with cache invalidation + secret list refresh. */
@@ -12,7 +12,7 @@ interface CredentialsChangedBannerProps {
 
 interface PendingChange {
   count: number;
-  lastEvent: "INSERT" | "UPDATE" | "DELETE";
+  lastEvent: 'INSERT' | 'UPDATE' | 'DELETE';
   lastName: string | null;
   lastAt: number;
 }
@@ -35,16 +35,19 @@ export function CredentialsChangedBanner({ onRefreshed }: CredentialsChangedBann
 
   useEffect(() => {
     const channel = supabase
-      .channel("admin-conexoes-credentials-changes")
+      .channel('admin-conexoes-credentials-changes')
       .on(
-        "postgres_changes",
-        { event: "*", schema: "public", table: "integration_credentials" },
+        'postgres_changes',
+        { event: '*', schema: 'public', table: 'integration_credentials' },
         (payload) => {
-          const event = payload.eventType as "INSERT" | "UPDATE" | "DELETE";
+          const event = payload.eventType as 'INSERT' | 'UPDATE' | 'DELETE';
+          // Coluna real em integration_credentials é `secret_name` —
+          // typo histórico (`name`) escondia o nome do secret alterado
+          // no aviso de auto-refresh.
           const row =
-            (payload.new as { name?: string } | null) ??
-            (payload.old as { name?: string } | null);
-          const name = row?.name ?? null;
+            (payload.new as { secret_name?: string } | null) ??
+            (payload.old as { secret_name?: string } | null);
+          const name = row?.secret_name ?? null;
           setPending((prev) => ({
             count: (prev?.count ?? 0) + 1,
             lastEvent: event,
@@ -71,19 +74,19 @@ export function CredentialsChangedBanner({ onRefreshed }: CredentialsChangedBann
         Promise.resolve().then(() => onRefreshedRef.current?.()),
       ]);
       const elapsed = ((Date.now() - startedAt) / 1000).toFixed(1);
-      const cacheOk = cacheRes.status === "fulfilled" && cacheRes.value.ok;
-      const listOk = listRes.status === "fulfilled";
-      const hookOk = hookRes.status === "fulfilled";
+      const cacheOk = cacheRes.status === 'fulfilled' && cacheRes.value.ok;
+      const listOk = listRes.status === 'fulfilled';
+      const hookOk = hookRes.status === 'fulfilled';
       const credCount = listOk && Array.isArray(listRes.value) ? listRes.value.length : 0;
       const okCount = [cacheOk, listOk, hookOk].filter(Boolean).length;
 
       if (okCount === 3) {
-        toast.success("Status e cards atualizados", {
+        toast.success('Status e cards atualizados', {
           description: `Cache invalidado · ${credCount} credenciais relidas (${elapsed}s)`,
         });
         setPending(null);
       } else {
-        toast.warning("Atualização parcial", {
+        toast.warning('Atualização parcial', {
           description: `Algumas operações falharam (${elapsed}s)`,
         });
       }
@@ -95,16 +98,16 @@ export function CredentialsChangedBanner({ onRefreshed }: CredentialsChangedBann
   if (!pending) return null;
 
   const eventLabel =
-    pending.lastEvent === "INSERT"
-      ? "criada"
-      : pending.lastEvent === "DELETE"
-        ? "removida"
-        : "alterada";
+    pending.lastEvent === 'INSERT'
+      ? 'criada'
+      : pending.lastEvent === 'DELETE'
+        ? 'removida'
+        : 'alterada';
 
   const description =
     pending.count === 1
-      ? `Credencial ${pending.lastName ? `"${pending.lastName}" ` : ""}${eventLabel} no banco.`
-      : `${pending.count} alterações detectadas em credenciais (última: ${pending.lastName ?? "—"}, ${eventLabel}).`;
+      ? `Credencial ${pending.lastName ? `"${pending.lastName}" ` : ''}${eventLabel} no banco.`
+      : `${pending.count} alterações detectadas em credenciais (última: ${pending.lastName ?? '—'}, ${eventLabel}).`;
 
   return (
     <div
@@ -112,10 +115,13 @@ export function CredentialsChangedBanner({ onRefreshed }: CredentialsChangedBann
       aria-live="polite"
       className="flex items-center gap-3 rounded-lg border border-amber-500/40 bg-amber-500/10 px-4 py-2.5 text-sm"
     >
-      <RefreshCw className="h-4 w-4 shrink-0 text-amber-600 dark:text-amber-400" aria-hidden="true" />
-      <div className="flex-1 min-w-0">
+      <RefreshCw
+        className="h-4 w-4 shrink-0 text-amber-600 dark:text-amber-400"
+        aria-hidden="true"
+      />
+      <div className="min-w-0 flex-1">
         <p className="font-medium text-foreground">Credenciais alteradas no banco</p>
-        <p className="text-xs text-muted-foreground truncate">{description}</p>
+        <p className="truncate text-xs text-muted-foreground">{description}</p>
       </div>
       <Button
         type="button"
@@ -126,11 +132,11 @@ export function CredentialsChangedBanner({ onRefreshed }: CredentialsChangedBann
         aria-label="Recarregar status e cards agora"
       >
         {isRefreshing ? (
-          <Loader2 className="h-4 w-4 mr-1 animate-spin" />
+          <Loader2 className="mr-1 h-4 w-4 animate-spin" />
         ) : (
-          <RefreshCw className="h-4 w-4 mr-1" />
+          <RefreshCw className="mr-1 h-4 w-4" />
         )}
-        {isRefreshing ? "Atualizando…" : "Atualizar agora"}
+        {isRefreshing ? 'Atualizando…' : 'Atualizar agora'}
       </Button>
       <Button
         type="button"
diff --git a/supabase/functions/_shared/credentials.test.ts b/supabase/functions/_shared/credentials.test.ts
index 304fedc66..8a3fd14e8 100644
--- a/supabase/functions/_shared/credentials.test.ts
+++ b/supabase/functions/_shared/credentials.test.ts
@@ -18,6 +18,7 @@
 
 import { assert, assertEquals } from "https://deno.land/std@0.224.0/assert/mod.ts";
 import {
+  buildCredentialsHealth,
   invalidateCredentialCache,
   resolveCredential,
 } from "../_shared/credentials.ts";
@@ -424,3 +425,104 @@ Deno.test(
     assertEquals(dbReads, 2, "DB foi re-lido exatamente 1x após invalidação");
   },
 );
+
+// ============================================================================
+// buildCredentialsHealth — snapshot agregado para endpoints ?op=creds_health
+// ============================================================================
+
+Deno.test("buildCredentialsHealth: tudo presente em DB → health='healthy'", async () => {
+  invalidateCredentialCache();
+  clearAll("EXTERNAL_CRM_URL", ["CRM_SUPABASE_URL"]);
+  clearAll("EXTERNAL_CRM_SERVICE_ROLE_KEY", ["CRM_SUPABASE_SERVICE_KEY"]);
+  clearAll("EXTERNAL_CRM_ANON_KEY", ["CRM_SUPABASE_ANON_KEY"]);
+
+  const client = mockServiceClient({
+    EXTERNAL_CRM_URL: "https://crm.supabase.co",
+    EXTERNAL_CRM_SERVICE_ROLE_KEY: "service-key-12345678",
+    EXTERNAL_CRM_ANON_KEY: "anon-key-12345678",
+  });
+
+  const summary = await buildCredentialsHealth([
+    "EXTERNAL_CRM_URL",
+    "EXTERNAL_CRM_SERVICE_ROLE_KEY",
+    "EXTERNAL_CRM_ANON_KEY",
+  ], { serviceClient: client });
+
+  assertEquals(summary.ok, true);
+  assertEquals(summary.health, "healthy");
+  assertEquals(summary.credentials.length, 3);
+
+  const url = summary.credentials.find((c) => c.name === "EXTERNAL_CRM_URL")!;
+  assertEquals(url.present, true);
+  assertEquals(url.source, "db");
+  assertEquals(url.via_alias, false);
+  assertEquals(url.value_length, "https://crm.supabase.co".length);
+  assertEquals(url.suffix4, "e.co");
+
+  const svc = summary.credentials.find((c) => c.name === "EXTERNAL_CRM_SERVICE_ROLE_KEY")!;
+  assertEquals(svc.present, true);
+  assertEquals(svc.suffix4, "5678");
+});
+
+Deno.test("buildCredentialsHealth: URL ausente → health='missing' (independente das keys)", async () => {
+  invalidateCredentialCache();
+  clearAll("EXTERNAL_CRM_URL", ["CRM_SUPABASE_URL"]);
+  clearAll("EXTERNAL_CRM_SERVICE_ROLE_KEY", ["CRM_SUPABASE_SERVICE_KEY"]);
+  clearAll("EXTERNAL_CRM_ANON_KEY", ["CRM_SUPABASE_ANON_KEY"]);
+
+  // Mesmo com SERVICE_ROLE presente, sem URL não tem como conectar.
+  const client = mockServiceClient({
+    EXTERNAL_CRM_SERVICE_ROLE_KEY: "service-key-only",
+  });
+
+  const summary = await buildCredentialsHealth([
+    "EXTERNAL_CRM_URL",
+    "EXTERNAL_CRM_SERVICE_ROLE_KEY",
+    "EXTERNAL_CRM_ANON_KEY",
+  ], { serviceClient: client });
+
+  assertEquals(summary.health, "missing");
+  const url = summary.credentials.find((c) => c.name === "EXTERNAL_CRM_URL")!;
+  assertEquals(url.present, false);
+  assertEquals(url.suffix4, null);
+  assertEquals(url.value_length, 0);
+});
+
+Deno.test("buildCredentialsHealth: URL presente, todas keys ausentes → health='degraded'", async () => {
+  invalidateCredentialCache();
+  clearAll("EXTERNAL_CRM_URL", ["CRM_SUPABASE_URL"]);
+  clearAll("EXTERNAL_CRM_SERVICE_ROLE_KEY", ["CRM_SUPABASE_SERVICE_KEY"]);
+  clearAll("EXTERNAL_CRM_ANON_KEY", ["CRM_SUPABASE_ANON_KEY"]);
+
+  const client = mockServiceClient({
+    EXTERNAL_CRM_URL: "https://crm.supabase.co",
+  });
+
+  const summary = await buildCredentialsHealth([
+    "EXTERNAL_CRM_URL",
+    "EXTERNAL_CRM_SERVICE_ROLE_KEY",
+    "EXTERNAL_CRM_ANON_KEY",
+  ], { serviceClient: client });
+
+  assertEquals(summary.health, "degraded");
+});
+
+Deno.test("buildCredentialsHealth: alias legado em env → via_alias=true e source='env'", async () => {
+  invalidateCredentialCache();
+  clearAll("EXTERNAL_CRM_URL", ["CRM_SUPABASE_URL"]);
+  Deno.env.set("CRM_SUPABASE_URL", "https://legacy-alias-crm.supabase.co");
+
+  const client = mockServiceClient({}); // DB vazio
+  const summary = await buildCredentialsHealth(
+    ["EXTERNAL_CRM_URL"],
+    { serviceClient: client },
+  );
+
+  const url = summary.credentials[0];
+  assertEquals(url.present, true);
+  assertEquals(url.source, "env");
+  assertEquals(url.via_alias, true);
+  assertEquals(url.resolved_name, "CRM_SUPABASE_URL");
+
+  Deno.env.delete("CRM_SUPABASE_URL");
+});
diff --git a/supabase/functions/_shared/credentials.ts b/supabase/functions/_shared/credentials.ts
index 7ce5b5923..09cf7ef3e 100644
--- a/supabase/functions/_shared/credentials.ts
+++ b/supabase/functions/_shared/credentials.ts
@@ -218,6 +218,99 @@ export function getCredentialCacheMetrics(): CacheMetricsSnapshot {
   };
 }
 
+// =============================================================================
+// Credentials health summary — observability snapshot without exposing values.
+// =============================================================================
+// Reusable primitive consumed by edge functions that expose ?op=creds_health
+// (currently crm-db-bridge; expand to quote-sync/expert-chat/quote-public-view
+// in follow-up PRs). Returns presence/source/alias/length/suffix4 per name,
+// plus an aggregated `health` flag.
+//
+// Health aggregation rules (URL é considerada o pivô — sem URL nada conecta):
+//   - "missing"   : nenhum dos nomes "URL" está presente
+//   - "degraded"  : URL presente, mas zero "key" presente
+//   - "healthy"   : URL presente E ao menos 1 "key" presente
+//
+// Para detectar URL, consideramos `name.endsWith("_URL")`. Mantemos simples;
+// edge fns com nomenclatura diferente podem passar `urlNames`/`keyNames`
+// explicitamente.
+
+export interface CredentialHealthEntry {
+  name: string;
+  present: boolean;
+  source: CredentialSource;
+  via_alias: boolean;
+  resolved_name: string;
+  value_length: number;
+  /** Last 4 chars of the secret value, for ops to fingerprint without leaking. */
+  suffix4: string | null;
+}
+
+export interface CredentialsHealthSummary {
+  ok: true;
+  ts: number;
+  health: "healthy" | "degraded" | "missing";
+  credentials: CredentialHealthEntry[];
+}
+
+export interface BuildCredentialsHealthOptions {
+  /**
+   * Name suffixes that identify URL-like credentials. Defaults to ["_URL"].
+   * Used for the "missing" classification (no URL → missing).
+   */
+  urlSuffixes?: string[];
+  /** Optional service client to pass through to resolveCredential. */
+  serviceClient?: SupabaseClient | null;
+}
+
+function summarizeCredential(name: string, res: CredentialResolution): CredentialHealthEntry {
+  return {
+    name,
+    present: res.value !== null,
+    source: res.source,
+    via_alias: res.resolved_name !== name,
+    resolved_name: res.resolved_name,
+    value_length: res.value?.length ?? 0,
+    suffix4: res.value ? res.value.slice(-4) : null,
+  };
+}
+
+/**
+ * Resolve uma lista de credenciais e devolve um snapshot agregado de saúde,
+ * sem expor valores. Usado por endpoints `?op=creds_health` em edge functions
+ * que dependem de credenciais externas (CRM, Promobrind, etc).
+ */
+export async function buildCredentialsHealth(
+  names: readonly string[],
+  options: BuildCredentialsHealthOptions = {},
+): Promise<CredentialsHealthSummary> {
+  const urlSuffixes = options.urlSuffixes ?? ["_URL"];
+  const resolutions = await Promise.all(
+    names.map((name) => resolveCredential(name, options.serviceClient)),
+  );
+  const credentials = names.map((name, i) => summarizeCredential(name, resolutions[i]));
+
+  const isUrlName = (n: string) => urlSuffixes.some((suf) => n.endsWith(suf));
+  const urlEntries = credentials.filter((c) => isUrlName(c.name));
+  const keyEntries = credentials.filter((c) => !isUrlName(c.name));
+
+  const anyUrlPresent = urlEntries.some((c) => c.present);
+  const anyKeyPresent = keyEntries.some((c) => c.present);
+
+  const health: CredentialsHealthSummary["health"] = !anyUrlPresent
+    ? "missing"
+    : !anyKeyPresent
+      ? "degraded"
+      : "healthy";
+
+  return {
+    ok: true,
+    ts: Date.now(),
+    health,
+    credentials,
+  };
+}
+
 /** Reset all in-memory metrics. Cache itself is NOT cleared. */
 export function resetCredentialCacheMetrics(): void {
   METRICS.started_at = Date.now();
diff --git a/supabase/functions/crm-db-bridge/creds_health.test.ts b/supabase/functions/crm-db-bridge/creds_health.test.ts
new file mode 100644
index 000000000..bfc3e784f
--- /dev/null
+++ b/supabase/functions/crm-db-bridge/creds_health.test.ts
@@ -0,0 +1,102 @@
+// supabase/functions/crm-db-bridge/creds_health.test.ts
+//
+// Integration test for the ?op=creds_health diagnostic endpoint introduced
+// to make credential resolution observable without exposing values.
+//
+// Like diag.test.ts and ping.test.ts, this hits a real deployed bridge —
+// run locally with `deno test --allow-net --allow-env -A`, with the
+// environment configured to point at a deployed Supabase project.
+import "https://deno.land/std@0.224.0/dotenv/load.ts";
+import { assertEquals, assert } from "https://deno.land/std@0.224.0/assert/mod.ts";
+
+const SUPABASE_URL = Deno.env.get("VITE_SUPABASE_URL")!;
+const SUPABASE_ANON_KEY = Deno.env.get("VITE_SUPABASE_PUBLISHABLE_KEY")!;
+const FN_URL = `${SUPABASE_URL}/functions/v1/crm-db-bridge`;
+
+const VALID_HEALTHS = new Set(["healthy", "degraded", "missing"]);
+const VALID_SOURCES = new Set(["db", "env", "none"]);
+const EXPECTED_NAMES = [
+  "EXTERNAL_CRM_URL",
+  "EXTERNAL_CRM_SERVICE_ROLE_KEY",
+  "EXTERNAL_CRM_ANON_KEY",
+];
+
+function assertCredentialEntry(label: string, entry: unknown) {
+  assert(entry && typeof entry === "object", `${label} entry must be object`);
+  const e = entry as Record<string, unknown>;
+  assertEquals(typeof e.name, "string", `${label}.name`);
+  assertEquals(typeof e.present, "boolean", `${label}.present`);
+  assert(VALID_SOURCES.has(e.source as string), `${label}.source must be db|env|none, got ${e.source}`);
+  assertEquals(typeof e.via_alias, "boolean", `${label}.via_alias`);
+  assertEquals(typeof e.resolved_name, "string", `${label}.resolved_name`);
+  assertEquals(typeof e.value_length, "number", `${label}.value_length`);
+  if (e.present === true) {
+    assertEquals(typeof e.suffix4, "string", `${label}.suffix4 should be string when present`);
+    assertEquals((e.suffix4 as string).length, 4, `${label}.suffix4 should be 4 chars`);
+    assert((e.value_length as number) > 0, `${label}.value_length must be positive when present`);
+  } else {
+    assertEquals(e.suffix4, null, `${label}.suffix4 should be null when not present`);
+    assertEquals(e.value_length, 0, `${label}.value_length must be 0 when not present`);
+  }
+}
+
+Deno.test("creds_health (GET ?op=creds_health) returns shape contract", async () => {
+  const res = await fetch(`${FN_URL}?op=creds_health`, {
+    method: "GET",
+    headers: { apikey: SUPABASE_ANON_KEY },
+  });
+  const body = await res.json();
+  assertEquals(res.status, 200);
+  assertEquals(body.ok, true);
+  assert(typeof body.ts === "number");
+
+  assert(VALID_HEALTHS.has(body.health), `health must be healthy|degraded|missing, got ${body.health}`);
+
+  assert(Array.isArray(body.credentials), "credentials must be array");
+  assertEquals(body.credentials.length, EXPECTED_NAMES.length);
+  for (const name of EXPECTED_NAMES) {
+    const entry = body.credentials.find((c: { name: string }) => c.name === name);
+    assert(entry, `missing credential entry for ${name}`);
+    assertCredentialEntry(name, entry);
+  }
+
+  // Health aggregation contract:
+  //   missing  ⇔ no URL-suffixed name is present
+  //   degraded ⇔ URL present, but no key present
+  //   healthy  ⇔ URL present AND at least one key present
+  const url = body.credentials.find((c: { name: string }) => c.name === "EXTERNAL_CRM_URL")!;
+  const service = body.credentials.find((c: { name: string }) => c.name === "EXTERNAL_CRM_SERVICE_ROLE_KEY")!;
+  const anon = body.credentials.find((c: { name: string }) => c.name === "EXTERNAL_CRM_ANON_KEY")!;
+  if (!url.present) assertEquals(body.health, "missing");
+  else if (!service.present && !anon.present) assertEquals(body.health, "degraded");
+  else assertEquals(body.health, "healthy");
+});
+
+Deno.test("creds_health (POST { operation: 'creds_health' }) returns same shape", async () => {
+  const res = await fetch(FN_URL, {
+    method: "POST",
+    headers: { "content-type": "application/json", apikey: SUPABASE_ANON_KEY },
+    body: JSON.stringify({ operation: "creds_health" }),
+  });
+  const body = await res.json();
+  assertEquals(res.status, 200);
+  assertEquals(body.ok, true);
+  assert(VALID_HEALTHS.has(body.health));
+  assert(Array.isArray(body.credentials));
+  assertEquals(body.credentials.length, EXPECTED_NAMES.length);
+});
+
+Deno.test("creds_health bypasses auth (no apikey header)", async () => {
+  // Operadores precisam diagnosticar mesmo com JWT/keys quebrados.
+  // Igual a ping/diag/breaker_status: bypass total de auth.
+  const res = await fetch(`${FN_URL}?op=creds_health`, { method: "GET" });
+  // Pode retornar 200 (bypass total) — em alguns ambientes o gateway exige
+  // apikey antes da função; nesse caso a request falha em 401 antes mesmo
+  // de chegar ao código da function. Aceitamos ambos: o que importa é que
+  // a function não bloqueia explicitamente sem auth.
+  assert(res.status === 200 || res.status === 401, `unexpected status ${res.status}`);
+  if (res.status === 200) {
+    const body = await res.json();
+    assertEquals(body.ok, true);
+  }
+});
diff --git a/supabase/functions/crm-db-bridge/index.ts b/supabase/functions/crm-db-bridge/index.ts
index 1b99f2854..af44ce282 100644
--- a/supabase/functions/crm-db-bridge/index.ts
+++ b/supabase/functions/crm-db-bridge/index.ts
@@ -5,7 +5,7 @@ import { runBotProtection } from '../_shared/bot-protection.ts';
 import { getBreaker, circuitOpenResponse, getAllBreakerStatuses } from '../_shared/circuit-breaker.ts';
 import { AsyncLocalStorage } from "node:async_hooks";
 import { getOrCreateRequestId, REQUEST_ID_HEADER } from "../_shared/request-id.ts";
-import { resolveCredential } from "../_shared/credentials.ts";
+import { resolveCredential, buildCredentialsHealth } from "../_shared/credentials.ts";
 
 const breaker = getBreaker("crm-db");
 
@@ -149,22 +149,24 @@ function jsonResponse(body: unknown, status = 200): Response {
   return new Response(JSON.stringify(finalBody), { status, headers });
 }
 
-type DiagOp = "ping" | "diag" | "breaker_status";
+type DiagOp = "ping" | "diag" | "breaker_status" | "creds_health";
 
 /**
- * Detecta operações de diagnóstico (`ping` | `diag` | `breaker_status`)
- * sem consumir o body original. Aceita querystring (`?op=…`, `?ping=1`,
- * `?diag=1`, `?breaker=1`) ou body JSON `{ "operation": "…" }`.
+ * Detecta operações de diagnóstico (`ping` | `diag` | `breaker_status` |
+ * `creds_health`) sem consumir o body original. Aceita querystring
+ * (`?op=…`, `?ping=1`, `?diag=1`, `?breaker=1`, `?creds=1`) ou body JSON
+ * `{ "operation": "…" }`.
  */
 async function detectDiagOp(req: Request): Promise<DiagOp | null> {
   // Query string
   try {
     const url = new URL(req.url);
     const op = url.searchParams.get("op");
-    if (op === "ping" || op === "diag" || op === "breaker_status") return op;
+    if (op === "ping" || op === "diag" || op === "breaker_status" || op === "creds_health") return op;
     if (url.searchParams.get("ping") === "1") return "ping";
     if (url.searchParams.get("diag") === "1") return "diag";
     if (url.searchParams.get("breaker") === "1") return "breaker_status";
+    if (url.searchParams.get("creds") === "1") return "creds_health";
   } catch { /* ignore */ }
 
   // Body JSON (POST/PUT/PATCH apenas; clonamos para não consumir o original)
@@ -174,7 +176,7 @@ async function detectDiagOp(req: Request): Promise<DiagOp | null> {
       try {
         const cloned = req.clone();
         const peek = await cloned.json() as { operation?: unknown };
-        if (peek?.operation === "ping" || peek?.operation === "diag" || peek?.operation === "breaker_status") {
+        if (peek?.operation === "ping" || peek?.operation === "diag" || peek?.operation === "breaker_status" || peek?.operation === "creds_health") {
           return peek.operation as DiagOp;
         }
       } catch { /* corpo inválido — não é diag */ }
@@ -183,6 +185,22 @@ async function detectDiagOp(req: Request): Promise<DiagOp | null> {
   return null;
 }
 
+/**
+ * Snapshot do estado de resolução das credenciais CRM, sem expor valores.
+ * Bypass auth (igual a ping/diag/breaker_status) — operadores precisam
+ * conseguir checar saúde mesmo se JWT/secrets estiverem quebrados.
+ *
+ * Lógica de agregação está em `_shared/credentials.ts:buildCredentialsHealth`
+ * para reuso por outras edge functions (quote-sync, expert-chat, etc).
+ */
+async function buildCredsHealthSnapshot() {
+  return await buildCredentialsHealth([
+    "EXTERNAL_CRM_URL",
+    "EXTERNAL_CRM_SERVICE_ROLE_KEY",
+    "EXTERNAL_CRM_ANON_KEY",
+  ]);
+}
+
 /**
  * Snapshot completo de métricas de boot/runtime do isolate atual.
  * Cada isolate tem sua própria vida — quando o runtime descarta o isolate
@@ -819,6 +837,9 @@ Deno.serve((req) => {
       all,
     });
   }
+  if (diagOp === "creds_health") {
+    return jsonResponse(await buildCredsHealthSnapshot());
+  }
 
   // Marca início da request real (pós-diag) para medir cold vs warm path.
   // `was_cold` = true para a 1ª request real após o boot do isolate.
@@ -845,30 +866,43 @@ Deno.serve((req) => {
     const auth = await authenticateRequest(req);
     if (auth.error) return auth.error;
 
-    const CRM_URL = Deno.env.get("CRM_SUPABASE_URL");
-    const CRM_SERVICE_KEY = Deno.env.get("CRM_SUPABASE_SERVICE_KEY");
-    const CRM_KEY = CRM_SERVICE_KEY || Deno.env.get("CRM_SUPABASE_ANON_KEY");
+    // SSOT: DB-first via integration_credentials, env fallback via aliases.
+    // Antes lia Deno.env.get() direto e ignorava credenciais salvas pela UI
+    // (/admin/conexoes), causando 500 mesmo após o usuário cadastrar a CRM.
+    const [urlRes, svcRes, anonRes] = await Promise.all([
+      resolveCredential("EXTERNAL_CRM_URL"),
+      resolveCredential("EXTERNAL_CRM_SERVICE_ROLE_KEY"),
+      resolveCredential("EXTERNAL_CRM_ANON_KEY"),
+    ]);
+    const CRM_URL = urlRes.value;
+    const CRM_SERVICE_KEY = svcRes.value;
+    const CRM_ANON_VAL = anonRes.value;
+    const CRM_KEY = CRM_SERVICE_KEY || CRM_ANON_VAL;
     if (!CRM_URL || !CRM_KEY) {
       return jsonResponse({ error: "CRM database credentials not configured" }, 500);
     }
 
-    const CRM_ANON = Deno.env.get("CRM_SUPABASE_ANON_KEY") || "";
-    const keysMatch = CRM_SERVICE_KEY === CRM_ANON;
-    console.log(`[crm-db-bridge] CRM_URL prefix: ${CRM_URL.substring(0, 30)}..., using ${CRM_SERVICE_KEY ? 'SERVICE_KEY' : 'ANON_KEY'} (len=${CRM_KEY.length}), anon_len=${CRM_ANON.length}, KEYS_MATCH=${keysMatch}, svc_last4=${CRM_KEY.slice(-4)}, anon_last4=${CRM_ANON.slice(-4)}`);
-
-    // DIAGNOSTIC: test raw REST call to verify key works
-    try {
-      const testUrl = `${CRM_URL}/rest/v1/companies?select=id&limit=1`;
-      const testResp = await fetch(testUrl, {
-        headers: {
-          'apikey': CRM_KEY,
-          'Authorization': `Bearer ${CRM_KEY}`,
-        },
-      });
-      const testBody = await testResp.text();
-      console.log(`[DIAG] Raw REST: status=${testResp.status}, body=${testBody.substring(0, 200)}`);
-    } catch (diagErr) {
-      console.error(`[DIAG] Raw REST error:`, diagErr);
+    const CRM_ANON = CRM_ANON_VAL ?? "";
+
+    // Log de resolução só na 1ª request por isolate (cold) ou se LOG_CRM_BRIDGE_VERBOSE=on.
+    // Antes corria em toda request → poluía logs sem agregar info nova.
+    // Use ?op=creds_health para snapshot sob demanda em qualquer momento.
+    if (wasCold || Deno.env.get("LOG_CRM_BRIDGE_VERBOSE") === "on") {
+      const using = CRM_SERVICE_KEY ? "SERVICE_KEY" : "ANON_KEY";
+      const keySource = CRM_SERVICE_KEY ? svcRes.source : anonRes.source;
+      console.log(JSON.stringify({
+        evt: "crm-creds-resolved",
+        url_source: urlRes.source,
+        url_via_alias: urlRes.resolved_name !== "EXTERNAL_CRM_URL",
+        url_prefix: CRM_URL.substring(0, 30),
+        using,
+        key_source: keySource,
+        key_len: CRM_KEY.length,
+        anon_len: CRM_ANON.length,
+        keys_match: CRM_SERVICE_KEY === CRM_ANON,
+        svc_last4: CRM_KEY.slice(-4),
+        anon_last4: CRM_ANON.slice(-4),
+      }));
     }
 
     // Reusa client cacheado no escopo do módulo (singleton por isolate).
diff --git a/supabase/functions/expert-chat/index.ts b/supabase/functions/expert-chat/index.ts
index 8e1a669ec..dcaa6b00f 100644
--- a/supabase/functions/expert-chat/index.ts
+++ b/supabase/functions/expert-chat/index.ts
@@ -5,6 +5,7 @@ import { z } from "npm:zod@3.23.8";
 import { callAiWithTracking, QuotaExceededError } from '../_shared/ai-usage.ts';
 import { rateLimiters, applyRateLimit } from '../_shared/rate-limiter.ts';
 import { runBotProtection } from '../_shared/bot-protection.ts';
+import { resolveCredential } from '../_shared/credentials.ts';
 
 // ============================================
 // SCHEMAS
@@ -612,8 +613,16 @@ Deno.serve(async (req) => {
     if (clientId) {
       console.log("Fetching client data from CRM for:", clientId);
 
-      const CRM_URL = Deno.env.get("CRM_SUPABASE_URL");
-      const CRM_KEY = Deno.env.get("CRM_SUPABASE_ANON_KEY");
+      // SSOT: lê de integration_credentials (DB-first) com fallback para
+      // env vars legadas (CRM_SUPABASE_*). Antes ignorava credenciais
+      // salvas pela UI /admin/conexoes.
+      const [urlRes, svcRes, anonRes] = await Promise.all([
+        resolveCredential("EXTERNAL_CRM_URL"),
+        resolveCredential("EXTERNAL_CRM_SERVICE_ROLE_KEY"),
+        resolveCredential("EXTERNAL_CRM_ANON_KEY"),
+      ]);
+      const CRM_URL = urlRes.value;
+      const CRM_KEY = svcRes.value ?? anonRes.value;
 
       if (CRM_URL && CRM_KEY) {
         const crmClient = createClient(CRM_URL, CRM_KEY);
diff --git a/supabase/functions/quote-public-view/index.ts b/supabase/functions/quote-public-view/index.ts
index 3321fba8c..f75d928a3 100644
--- a/supabase/functions/quote-public-view/index.ts
+++ b/supabase/functions/quote-public-view/index.ts
@@ -1,6 +1,7 @@
 import { createClient } from "https://esm.sh/@supabase/supabase-js@2.49.4";
 import { z } from "../_shared/zod-validate.ts";
 import { runBotProtection } from "../_shared/bot-protection.ts";
+import { resolveCredential } from "../_shared/credentials.ts";
 
 const corsHeaders = {
   "Access-Control-Allow-Origin": "*",
@@ -84,9 +85,22 @@ Deno.serve(async (req: Request) => {
     const serviceRoleKey = Deno.env.get("SUPABASE_SERVICE_ROLE_KEY")!;
     const supabase = createClient(supabaseUrl, serviceRoleKey);
 
-    // CRM bridge credentials
-    const crmUrl = Deno.env.get("CRM_SUPABASE_URL")!;
-    const crmKey = Deno.env.get("CRM_SUPABASE_ANON_KEY")!;
+    // CRM bridge credentials — DB-first via integration_credentials,
+    // env fallback via aliases. O `!` antigo causava throw quando o
+    // env não estava configurado mesmo com credenciais salvas pela UI.
+    const [crmUrlRes, crmSvcRes, crmAnonRes] = await Promise.all([
+      resolveCredential("EXTERNAL_CRM_URL"),
+      resolveCredential("EXTERNAL_CRM_SERVICE_ROLE_KEY"),
+      resolveCredential("EXTERNAL_CRM_ANON_KEY"),
+    ]);
+    const crmUrl = crmUrlRes.value;
+    const crmKey = crmSvcRes.value ?? crmAnonRes.value;
+    if (!crmUrl || !crmKey) {
+      return new Response(
+        JSON.stringify({ error: "CRM database credentials not configured" }),
+        { status: 500, headers: { ...corsHeaders, "Content-Type": "application/json" } },
+      );
+    }
     const crmClient = createClient(crmUrl, crmKey);
 
     const clientIp = getClientIpFromReq(req);
diff --git a/supabase/functions/quote-sync/index.ts b/supabase/functions/quote-sync/index.ts
index 13a29fe95..405b295de 100644
--- a/supabase/functions/quote-sync/index.ts
+++ b/supabase/functions/quote-sync/index.ts
@@ -3,13 +3,27 @@ import { getCorsHeaders } from "../_shared/cors.ts";
 import { createClient } from "npm:@supabase/supabase-js@2.49.1";
 import { z } from "https://esm.sh/zod@3.23.8";
 import { parseBodyWithSchema } from "../_shared/zod-validate.ts";
+import { resolveCredential } from "../_shared/credentials.ts";
 
 const supabaseUrl = Deno.env.get("SUPABASE_URL")!;
 const supabaseServiceKey = Deno.env.get("SUPABASE_SERVICE_ROLE_KEY")!;
-const crmUrl = Deno.env.get("CRM_SUPABASE_URL");
-const crmKey = Deno.env.get("CRM_SUPABASE_ANON_KEY");
 const n8nWebhookUrl = Deno.env.get("N8N_QUOTE_WEBHOOK_URL");
 
+/**
+ * Resolve credenciais do CRM externo (DB-first via integration_credentials,
+ * env fallback via aliases CRM_SUPABASE_URL → EXTERNAL_CRM_URL).
+ * Antes lia Deno.env.get() em escopo de módulo, ignorando rotações
+ * salvas pela UI /admin/conexoes.
+ */
+async function getCrmCreds(): Promise<{ url: string | null; key: string | null }> {
+  const [urlRes, svcRes, anonRes] = await Promise.all([
+    resolveCredential("EXTERNAL_CRM_URL"),
+    resolveCredential("EXTERNAL_CRM_SERVICE_ROLE_KEY"),
+    resolveCredential("EXTERNAL_CRM_ANON_KEY"),
+  ]);
+  return { url: urlRes.value, key: svcRes.value ?? anonRes.value };
+}
+
 // ===== Zod Schemas =====
 
 const SyncQuoteSchema = z.object({
@@ -128,6 +142,7 @@ Deno.serve(async (req) => {
       }
 
       case "sync_all_pending": {
+        const { url: crmUrl, key: crmKey } = await getCrmCreds();
         if (!crmUrl || !crmKey) throw new Error("CRM database not configured");
         const crm = createClient(crmUrl, crmKey);
 
@@ -220,6 +235,7 @@ Deno.serve(async (req) => {
 
 // ===== Fetch quote data from external CRM database =====
 async function fetchQuoteFromCRM(quoteId: string): Promise<QuoteData | null> {
+  const { url: crmUrl, key: crmKey } = await getCrmCreds();
   if (!crmUrl || !crmKey) {
     throw new Error("CRM database credentials not configured");
   }
@@ -279,6 +295,7 @@ async function fetchQuoteFromCRM(quoteId: string): Promise<QuoteData | null> {
 }
 
 async function updateCRMSyncStatus(quoteId: string, n8nResponse: Record<string, unknown>): Promise<void> {
+  const { url: crmUrl, key: crmKey } = await getCrmCreds();
   if (!crmUrl || !crmKey) return;
   const crm = createClient(crmUrl, crmKey);
   const { error } = await crm.from("quotes").update({
diff --git a/supabase/migrations/20260429163414_schedule_connections_auto_test_cron.sql b/supabase/migrations/20260429163414_schedule_connections_auto_test_cron.sql
new file mode 100644
index 000000000..6274cee8e
--- /dev/null
+++ b/supabase/migrations/20260429163414_schedule_connections_auto_test_cron.sql
@@ -0,0 +1,49 @@
+-- ============================================================================
+-- Schedule the `connections-auto-test` cron job
+-- ----------------------------------------------------------------------------
+-- A migration anterior (20260423184705) criou as helpers
+-- public.get_connections_auto_test_interval() / set_connections_auto_test_interval()
+-- assumindo que o cron job `connections-auto-test` já existia. Mas nenhuma
+-- migration criava de fato esse job — então o auto-test nunca rodava em
+-- produção e o card AutoTestJobStatus ficava sempre "untested".
+--
+-- Esta migration cria o job idempotentemente apontando para a edge function
+-- /functions/v1/connections-auto-test, com schedule default a cada 15 min
+-- (valor permitido pela helper set_connections_auto_test_interval).
+-- ============================================================================
+
+DO $$
+BEGIN
+  -- Idempotente: remove versão antiga se existir antes de re-agendar
+  IF EXISTS (SELECT 1 FROM cron.job WHERE jobname = 'connections-auto-test') THEN
+    PERFORM cron.unschedule('connections-auto-test');
+  END IF;
+END $$;
+
+SELECT cron.schedule(
+  'connections-auto-test',
+  '*/15 * * * *', -- a cada 15 minutos (valor permitido pela helper de intervalo)
+  $$
+  SELECT net.http_post(
+    url := 'https://nmojwpihnslkssljowjh.supabase.co/functions/v1/connections-auto-test',
+    headers := jsonb_build_object(
+      'Content-Type', 'application/json',
+      'apikey', 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6Im5tb2p3cGlobnNsa3NzbGpvd2poIiwicm9sZSI6ImFub24iLCJpYXQiOjE3NzI1Nzc0MjgsImV4cCI6MjA4ODE1MzQyOH0.49N47oFn_4O9EGZdoPOYDd_Iez7ft4s9eNITM8N1Eeg'
+    ),
+    body := '{"trigger":"cron"}'::jsonb,
+    timeout_milliseconds := 30000
+  ) AS request_id;
+  $$
+);
+
+-- Sanity check: helper deve agora retornar 15 (não NULL)
+DO $$
+DECLARE
+  configured_minutes integer;
+BEGIN
+  SELECT public.get_connections_auto_test_interval() INTO configured_minutes;
+  IF configured_minutes IS DISTINCT FROM 15 THEN
+    RAISE WARNING 'connections-auto-test scheduled but interval helper returned %, expected 15',
+      configured_minutes;
+  END IF;
+END $$;
diff --git a/supabase/migrations/20260429163441_align_integration_credentials_rls_with_dev.sql b/supabase/migrations/20260429163441_align_integration_credentials_rls_with_dev.sql
new file mode 100644
index 000000000..bab5a286e
--- /dev/null
+++ b/supabase/migrations/20260429163441_align_integration_credentials_rls_with_dev.sql
@@ -0,0 +1,63 @@
+-- ============================================================================
+-- Alinha RLS de integration_credentials com a regra real de permissão
+-- ----------------------------------------------------------------------------
+-- A edge function secrets-manager autoriza role 'dev' (não admin), mas as
+-- policies da tabela exigem 'admin'. Como secrets-manager usa service_role
+-- (que ignora RLS) o fluxo via UI funciona, mas:
+--   1. Auditoria e ferramentas de policy-checker mostram divergência;
+--   2. Acesso direto via SQL editor com role 'dev' falha silenciosamente;
+--   3. Realtime pode bloquear payloads para subscriptors 'dev'.
+--
+-- Este patch:
+--   - Faz drop das 4 policies antigas (admin-only)
+--   - Recria como FOR ALL com USING/WITH CHECK aceitando admin OU dev
+-- ============================================================================
+
+DROP POLICY IF EXISTS "Admins can view integration credentials"
+  ON public.integration_credentials;
+DROP POLICY IF EXISTS "Admins can insert integration credentials"
+  ON public.integration_credentials;
+DROP POLICY IF EXISTS "Admins can update integration credentials"
+  ON public.integration_credentials;
+DROP POLICY IF EXISTS "Admins can delete integration credentials"
+  ON public.integration_credentials;
+
+CREATE POLICY "Admins and devs can view integration credentials"
+  ON public.integration_credentials
+  FOR SELECT
+  TO authenticated
+  USING (
+    public.has_role(auth.uid(), 'admin'::public.app_role)
+    OR public.has_role(auth.uid(), 'dev'::public.app_role)
+  );
+
+CREATE POLICY "Admins and devs can insert integration credentials"
+  ON public.integration_credentials
+  FOR INSERT
+  TO authenticated
+  WITH CHECK (
+    public.has_role(auth.uid(), 'admin'::public.app_role)
+    OR public.has_role(auth.uid(), 'dev'::public.app_role)
+  );
+
+CREATE POLICY "Admins and devs can update integration credentials"
+  ON public.integration_credentials
+  FOR UPDATE
+  TO authenticated
+  USING (
+    public.has_role(auth.uid(), 'admin'::public.app_role)
+    OR public.has_role(auth.uid(), 'dev'::public.app_role)
+  )
+  WITH CHECK (
+    public.has_role(auth.uid(), 'admin'::public.app_role)
+    OR public.has_role(auth.uid(), 'dev'::public.app_role)
+  );
+
+CREATE POLICY "Admins and devs can delete integration credentials"
+  ON public.integration_credentials
+  FOR DELETE
+  TO authenticated
+  USING (
+    public.has_role(auth.uid(), 'admin'::public.app_role)
+    OR public.has_role(auth.uid(), 'dev'::public.app_role)
+  );