chore(contracts): centralize Zod pinning via _shared/contracts barrel (closes #52)

.github/workflows/ci.yml

@@ -127,6 +127,9 @@ jobs:
       - name: ESLint baseline gate (bloqueia apenas regressões novas)
         run: npm run lint:baseline
 
+      - name: Zod pinning gate (issue #52 — barrel centralization)
+        run: npm run check:zod-pinning
+
       # hooks já cobertos pelo job dedicado hooks-tests (timeout-minutes: 10).
       # test:strict-ref e test:coverage omitidos aqui — rodam em ref-warning-suite
       # e integration-tests respectivamente, evitando tripla execução da suite.

package.json

@@ -26,6 +26,7 @@
     "lint:check": "eslint src --max-warnings=500",
     "lint:baseline": "node scripts/check-eslint-baseline.mjs",
     "lint:baseline:update": "node scripts/eslint-baseline-generate.mjs",
+    "check:zod-pinning": "node scripts/check-zod-pinning.mjs",
     "typecheck": "node scripts/check-tsc-baseline.mjs",
     "qa:lint": "eslint src --max-warnings=500",
     "qa:typecheck": "tsc -p tsconfig.app.json --noEmit",

scripts/check-zod-pinning.mjs

@@ -0,0 +1,46 @@
+#!/usr/bin/env node
+/**
+ * Guardrail anti-regressão #52 — pinning centralizado de Zod.
+ *
+ * Falha (exit 1) se encontrar imports diretos de Zod fora de
+ * `supabase/functions/_shared/contracts/`. Edge Functions devem importar
+ * `z` exclusivamente via barrel:
+ *
+ *   import { z } from "../_shared/contracts/index.ts";
+ *
+ * Ref: https://github.com/adm01-debug/promo-gifts-v4/issues/52
+ */
+import { execSync } from 'node:child_process';
+import { exit } from 'node:process';
+
+const ALLOWED_ROOT = 'supabase/functions/_shared/contracts/';
+
+// grep com -P (pcre) não disponível em todo lugar; usa -E e filtramos depois
+let output = '';
+try {
+  output = execSync(
+    'grep -rn "from[[:space:]]*[\\"\\\\\']https://.*zod" supabase/functions/ 2>/dev/null || true',
+    { encoding: 'utf8' },
+  );
+} catch (err) {
+  // grep retorna exit 1 quando não acha nada — tratamos como sucesso
+  output = '';
+}
+
+const violations = output
+  .split('\n')
+  .filter(Boolean)
+  .filter(line => !line.startsWith(ALLOWED_ROOT));
+
+if (violations.length === 0) {
+  console.log('✓ Pinning de Zod centralizado (0 imports diretos fora de _shared/contracts/)');
+  exit(0);
+}
+
+console.error('❌ Imports diretos de Zod encontrados fora de _shared/contracts/:');
+console.error('   (Zod deve ser importado via barrel: import { z } from "../_shared/contracts/index.ts")\n');
+for (const v of violations) {
+  console.error(`   ${v}`);
+}
+console.error('\n   Veja https://github.com/adm01-debug/promo-gifts-v4/issues/52 para contexto.');
+exit(1);

supabase/functions/commemorative-dates/index.ts

@@ -1,7 +1,7 @@
 import { getCorsHeaders } from '../_shared/cors.ts';
 import { safeErrorResponse } from '../_shared/error-response.ts';
 import { createClient } from "https://esm.sh/@supabase/supabase-js@2.49.4";
-import { z } from "https://esm.sh/zod@3.23.8";
+import { z } from "../_shared/contracts/index.ts";
 import { parseBodyWithSchema } from "../_shared/zod-validate.ts";
 
 const ActionSchema = z.object({

supabase/functions/comparison-ai-advisor/index.ts

@@ -3,7 +3,7 @@ import { authenticateRequest, requireRole, authErrorResponse } from '../_shared/
 // Comparison AI Advisor — Lovable AI Gateway
 // Recebe lista slim de produtos e retorna 3-5 bullets + bestFor highVolume/fastDelivery/premium.
 
-import { z } from 'https://deno.land/x/zod@v3.22.4/mod.ts';
+import { z } from "../_shared/contracts/index.ts";
 import { safeErrorFields } from '../_shared/log-safety.ts';
 
 // Fallback CORS headers — sobrescritos per-request via getCorsHeaders(req).

supabase/functions/connection-tester/index.ts

@@ -4,7 +4,7 @@ import { safeErrorResponse } from "../_shared/error-response.ts";
 // Reads credentials from `integration_credentials` (DB-first) with env fallback.
 // Core ping/persistence logic lives in `_shared/connection-test-runner.ts`.
 import { createClient } from "https://esm.sh/@supabase/supabase-js@2.49.4";
-import { z } from "https://deno.land/x/zod@v3.23.8/mod.ts";
+import { z } from "../_shared/contracts/index.ts";
 import { runConnectionTest } from "../_shared/connection-test-runner.ts";
 
 const BodySchema = z.object({

supabase/functions/crm-db-bridge/index.ts

@@ -1,6 +1,6 @@
 import { getCorsHeaders, handleCorsPreflightIfNeeded } from '../_shared/cors.ts';
 import { createClient, SupabaseClient } from "https://esm.sh/@supabase/supabase-js@2.49.4";
-import { z } from "https://esm.sh/zod@3.23.8";
+import { z } from "../_shared/contracts/index.ts";
 import { runBotProtection } from '../_shared/bot-protection.ts';
 import { getBreaker, circuitOpenResponse, getAllBreakerStatuses } from '../_shared/circuit-breaker.ts';
 import { AsyncLocalStorage } from "node:async_hooks";

supabase/functions/dropbox-list/index.ts

@@ -1,6 +1,6 @@
 import { getCorsHeaders } from '../_shared/cors.ts';
 import { authenticateRequest, requireRole, authErrorResponse } from '../_shared/auth.ts';
-import { z } from "https://esm.sh/zod@3.23.8";
+import { z } from "../_shared/contracts/index.ts";
 import { fetchWithBreaker, CircuitOpenError, circuitOpenResponse } from '../_shared/external-fetch.ts';
 
 const BodySchema = z.object({

supabase/functions/elevenlabs-tts/index.ts

@@ -1,6 +1,6 @@
 import { getCorsHeaders } from '../_shared/cors.ts';
 import { authenticateRequest, authErrorResponse } from '../_shared/auth.ts';
-import { z } from 'https://deno.land/x/zod@v3.22.4/mod.ts';
+import { z } from "../_shared/contracts/index.ts";
 import { runBotProtection } from '../_shared/bot-protection.ts';
 import { fetchWithBreaker, CircuitOpenError, circuitOpenResponse } from '../_shared/external-fetch.ts';
 

supabase/functions/external-db-bridge/index.ts

@@ -6,7 +6,7 @@ import {
   type ServiceClient,
   castSupabaseClient,
 } from "../_shared/supabase-client-adapter.ts";
-import { z } from "https://deno.land/x/zod@v3.23.8/mod.ts";
+import { z } from "../_shared/contracts/index.ts";
 import { buildPublicCorsHeaders, getCorsHeaders, handleCorsPreflightIfNeeded } from "../_shared/cors.ts";
 import {
   type Operation,

supabase/functions/external-db-inspect/index.ts

@@ -1,6 +1,6 @@
 import { getCorsHeaders } from '../_shared/cors.ts';
 import { createClient } from "https://esm.sh/@supabase/supabase-js@2.49.4";
-import { z } from "https://esm.sh/zod@3.23.8";
+import { z } from "../_shared/contracts/index.ts";
 import { runBotProtection } from '../_shared/bot-protection.ts';
 
 const BodySchema = z.object({

supabase/functions/full-op-diagnostics/index.ts

@@ -15,7 +15,7 @@
 // token como usado — preserva a possibilidade de execução real depois.
 // ----------------------------------------------------------------------------
 import { createClient } from "https://esm.sh/@supabase/supabase-js@2.45.0";
-import { z } from "https://esm.sh/zod@3.23.8";
+import { z } from "../_shared/contracts/index.ts";
 import { getCorsHeaders, handleCorsPreflightIfNeeded } from "../_shared/cors.ts";
 
 type CheckStatus = "pass" | "fail" | "skipped" | "error";

supabase/functions/generate-ad-image/index.test.ts

@@ -1,7 +1,6 @@
 import "https://deno.land/std@0.224.0/dotenv/load.ts";
 import { assertEquals } from "https://deno.land/std@0.224.0/assert/mod.ts";
-import { z } from "https://deno.land/x/zod@v3.23.8/mod.ts";
-
+import { z } from "../_shared/contracts/index.ts";
 // Mirror the schema from the function
 const BodySchema = z.object({
   productImageUrl: z.string().url(),

supabase/functions/generate-ad-image/index.ts

@@ -1,7 +1,7 @@
 import { getCorsHeaders, handleCorsPreflightIfNeeded } from '../_shared/cors.ts';
 import { authenticateRequest, authErrorResponse } from '../_shared/auth.ts';
 import { callAiWithTracking, QuotaExceededError } from '../_shared/ai-usage.ts';
-import { z } from "https://deno.land/x/zod@v3.23.8/mod.ts";
+import { z } from "../_shared/contracts/index.ts";
 import { runBotProtection } from '../_shared/bot-protection.ts';
 
 const BodySchema = z.object({

supabase/functions/magic-up-score/index.ts

@@ -2,8 +2,7 @@ import { getCorsHeaders } from '../_shared/cors.ts';
 import { authenticateRequest, authErrorResponse } from '../_shared/auth.ts';
 import { callAiWithTracking, QuotaExceededError } from '../_shared/ai-usage.ts';
 import { runBotProtection } from '../_shared/bot-protection.ts';
-import { z } from "https://deno.land/x/zod@v3.23.8/mod.ts";
-
+import { z } from "../_shared/contracts/index.ts";
 const CriterionSchema = z.object({
   id: z.string().min(1),
   label: z.string().min(1),

supabase/functions/mcp-keys-issue/index.ts

@@ -16,7 +16,7 @@ import { getCorsHeaders } from "../_shared/cors.ts";
  */
 
 import { createClient } from "https://esm.sh/@supabase/supabase-js@2.95.0";
-import { z } from "https://esm.sh/zod@3.23.8";
+import { z } from "../_shared/contracts/index.ts";
 import {
   KNOWN_SCOPES,
   FULL_SCOPE,

supabase/functions/mcp-keys-revoke/index.ts

@@ -6,7 +6,7 @@ import { getCorsHeaders } from "../_shared/cors.ts";
  * payload_summary antes do trigger DB.
  */
 import { createClient } from "https://esm.sh/@supabase/supabase-js@2.95.0";
-import { z } from "https://esm.sh/zod@3.23.8";
+import { z } from "../_shared/contracts/index.ts";
 import { getOrCreateRequestId, REQUEST_ID_HEADER } from "../_shared/request-id.ts";
 import { writeAuditEntry, summarizePayload, extractRequestMeta } from "../_shared/audit-log.ts";
 import { recordMcpViolation, mapViolationReason } from "../_shared/mcp-violations.ts";

supabase/functions/mcp-keys-rotate/index.ts

@@ -8,7 +8,7 @@ import { getCorsHeaders } from "../_shared/cors.ts";
  */
 
 import { createClient } from "https://esm.sh/@supabase/supabase-js@2.95.0";
-import { z } from "https://esm.sh/zod@3.23.8";
+import { z } from "../_shared/contracts/index.ts";
 import {
   FULL_SCOPE_CONFIRMATION,
   FULL_SCOPE_MIN_JUSTIFICATION,

supabase/functions/mcp-keys-update/index.ts

@@ -6,7 +6,7 @@ import { getCorsHeaders } from "../_shared/cors.ts";
  * Toda mudança é auditada com request_id, payload_summary, duração e status.
  */
 import { createClient } from "https://esm.sh/@supabase/supabase-js@2.95.0";
-import { z } from "https://esm.sh/zod@3.23.8";
+import { z } from "../_shared/contracts/index.ts";
 import {
   KNOWN_SCOPES,
   FULL_SCOPE_CONFIRMATION,

supabase/functions/quote-sync/index.ts

@@ -2,7 +2,7 @@ import { getCorsHeaders } from "../_shared/cors.ts";
 import { authenticateRequest, requireRole, authErrorResponse } from "../_shared/auth.ts";
 /// <reference lib="deno.ns" />
 import { createClient } from "npm:@supabase/supabase-js@2.49.1";
-import { z } from "https://esm.sh/zod@3.23.8";
+import { z } from "../_shared/contracts/index.ts";
 import { parseBodyWithSchema } from "../_shared/zod-validate.ts";
 import { resolveCredential } from "../_shared/credentials.ts";
 

supabase/functions/rate-limit-check/index.ts

@@ -1,8 +1,7 @@
 import { getCorsHeaders, handleCorsPreflightIfNeeded } from '../_shared/cors.ts';
 import { safeErrorResponse } from '../_shared/error-response.ts';
 import { logSecurityEvent } from '../_shared/security.ts';
-import { z } from "https://deno.land/x/zod@v3.23.8/mod.ts";
-
+import { z } from "../_shared/contracts/index.ts";
 const BodySchema = z.object({
   endpoint: z.enum(['login', 'api', 'ai', 'approval']).default('api'),
 }).partial();

supabase/functions/secrets-manager/index.ts

@@ -2,7 +2,7 @@ import { getCorsHeaders } from "../_shared/cors.ts";
 // Admin-only secrets manager for the Conexões hub.
 // Persists values in `integration_credentials` and never returns plaintext to the client.
 import { createClient } from "https://esm.sh/@supabase/supabase-js@2.49.4";
-import { z } from "https://deno.land/x/zod@v3.23.8/mod.ts";
+import { z } from "../_shared/contracts/index.ts";
 import {
   invalidateCredentialCache,
   getCredentialCacheMetrics,

supabase/functions/verify-email/index.ts

@@ -1,7 +1,6 @@
 import { getCorsHeaders, handleCorsPreflightIfNeeded } from '../_shared/cors.ts';
 import { createClient } from "https://esm.sh/@supabase/supabase-js@2.49.4";
-import { z } from "https://deno.land/x/zod@v3.23.8/mod.ts";
-
+import { z } from "../_shared/contracts/index.ts";
 const BodySchema = z.object({
   token: z.string().min(1, "Token não fornecido"),
 });

supabase/functions/voice-agent/index.ts

@@ -1,6 +1,6 @@
 import { getCorsHeaders } from '../_shared/cors.ts';
 import { authenticateRequest, authErrorResponse } from '../_shared/auth.ts';
-import { z } from 'https://deno.land/x/zod@v3.22.4/mod.ts';
+import { z } from "../_shared/contracts/index.ts";
 import { callAiWithTracking, QuotaExceededError } from '../_shared/ai-usage.ts';
 import { SYSTEM_PROMPT, VOICE_COMMAND_TOOL, TOOL_CHOICE } from './systemPrompt.ts';
 import { parseAiResponse } from './parseAiResponse.ts';