chore(guardrails): 4 melhorias kaizen pós-auditoria Lovable

[adm01-debug]

Resumo

Implementa as 4 melhorias kaizen sugeridas no PR #460 para fechar o ciclo de auditoria da janela Lovable 26/05 com proteções de processo que previnem recorrência dos 3 padrões identificados (bug base64, refactor mascarado, migrations problemáticas).

Mudanças

1️⃣ Workflow detect-base64-content.yml (NOVO)

CI check que detecta arquivos texto acidentalmente commitados em base64. Heurística: linha ≥ 200 chars com alfabeto [A-Za-z0-9+/=] puro em extensões .ts, .tsx, .js, .jsx, .json, .sql, .sh, .md, .yaml, .yml, .html, .css, .env, .toml, .conf, .rc.

• Roda em pull_request → main (revisão obrigatória)
• Roda em push → main (defesa contra commits que pulam PR)
• Lock files / minified / bundles excluídos (podem ter linhas longas legitimamente)
• Falha o check (exit FOUND) e emite ::error file=…,line=…:: para o GitHub annotations

Self-tested antes do commit:

• ✅ 0 false positives em webhook-inbound/index.ts (15KB), vercel.json, .coderabbit.yaml e o próprio workflow
• ✅ TP em payload base64 sintético de 300 chars
• ✅ TN em prosa PT-BR de 234 chars com espaços/vírgulas/acentos (Em um mundo de constantes…)

Cobre regressão dos PRs #319 (lint-untyped-from.sh), #457 (supabase-untyped.ts) e #459 (vercel.json + BUG_REPORT). 3 ocorrências do mesmo padrão em ~7 dias — agora bloqueado.

2️⃣ .coderabbit.yaml (UPDATE)

Adicionados 3 alertas em path_instructions:

Path	Novo alerta
supabase/functions/**/*.ts	DRIFT: flag se PR title/commit contém "Fast Visual Edit", "visual", "stepper", "header", "layout", "centralizou", "moveu" + verificar features (v1/v2, HMAC, rate limit, idempotency, métricas) que possam ter sido removidas. Referência: PR #460.
supabase/migrations/**/*.sql	DRIFT: idem + checks específicos (DROP POLICY massa com função inexistente, ADD COLUMN no-op, SECURITY DEFINER sem REVOKE). Referência: migration 141234.
**/*.{json,html,toml,yaml,yml,sh,sql,ts,tsx,js,jsx,md,css}	BASE64: reforça o workflow no review humano.

3️⃣ .github/workflows/required-checks-guard.yml (UPDATE)

Estende verificação existente para também checar que algum check do Vercel/deploy está como required em main. Tolerante (warning, não fail) durante roll-out — assim que o admin marcar Vercel ou Vercel Preview Comments como required, o warning some.

Background: 26/05/2026, 13:06–14:41 UTC — 20 deploys Vercel ficaram ERROR enquanto 19 commits adicionais entravam em main sem aviso porque o check do Vercel não bloqueava merge. Esta verificação documenta o gap.

4️⃣ docs/RLS_REWRITE_PLAN.md (NOVO) + nota na migration 141234

Substitui criar issue ephemeral por documento técnico versionado explicando:

• Por que a migration 141234 foi convertida em NO-OP (3 problemas identificados, cada um com explicação)
• Snapshot completo das 10 policies atuais em user_roles, order_items, admin_audit_log (consultado direto do banco em 26/05)
• Checklist de 7 passos se alguém decidir retomar o rewrite no futuro (validar problema real, decidir modelo de segregação, validar funções referenciadas, testes por persona, backup, janela controlada, PR humano)

A migration 141234 agora aponta para este doc.

Validações

• ✅ python3 -c "import yaml; yaml.safe_load(...)" nos 3 YAML
• ✅ Detector base64 com 4 arquivos reais do repo: 0 FP
• ✅ Detector base64 com payload sintético >200 chars base64: TP
• ✅ Detector base64 com prosa em PT-BR de 234 chars: TN
• ✅ Migration 141234 continua sintaticamente válida (SELECT 1 WHERE FALSE) — preserva checksum da sequência

Limitações conhecidas

• Branch protection em si (marcar Vercel como required) não pode ser feito via PR — exige clique no settings do GitHub por um admin. Este PR fornece a infraestrutura de monitoramento (workflow já avisa quando não está configurado). A configuração final é uma ação 1-clique no painel.
• O detector base64 é heurístico. Casos legítimos raros que disparem podem ser allow-listados em EXCLUDE_REGEX no próprio workflow (instrução no $GITHUB_STEP_SUMMARY).

---

🤖 Generated with Claude Code

Co-Authored-By: Claude noreply@anthropic.com

---

Summary by cubic

Adds four process guardrails after the Lovable audit: a CI check for accidental base64 files, stricter review prompts, verification that Vercel checks are required, and a documented plan for the paused RLS rewrite (migration 141234 stays NO-OP). This prevents silent build/deploy failures and avoids hidden drift in edge functions and migrations (follow-up to PR #460).

• New Features

  • /.github/workflows/detect-base64-content.yml: fails CI when a text file has a long base64-only line; runs on PRs and pushes; ignores lock/minified/bundled files; adds GitHub annotations.
  • /.coderabbit.yaml: adds DRIFT alerts for supabase/functions/**/*.ts and supabase/migrations/**/*.sql, plus a base64 review reminder.
  • /.github/workflows/required-checks-guard.yml: warns if no Vercel/deploy check is required on main (non-blocking during rollout).

• Migration

  • Adds docs/RLS_REWRITE_PLAN.md explaining why migration 141234 is NO-OP, with a policy snapshot and a 7-step checklist for any future rewrite.
  • Updates 20260526141234_31aaa458-1bc1-476f-bca6-8152907d7a99.sql to reference the doc while preserving the checksum.

^{Written for commit 8450c09. Summary will update on new commits. Review in cubic}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
we-dream-big	Building	Preview, Comment	May 26, 2026 4:09pm

[supabase]

This pull request has been ignored for the connected project doufsxqlfjyuvxuezpln due to reaching the limit of concurrent preview branches.
Go to Project Integrations Settings ↗︎ if you wish to update this limit.

---

Preview Branches by Supabase.
Learn more about Supabase Branching ↗︎.

[coderabbitai]

Warning

Review limit reached

@adm01-debug, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 35 minutes and 40 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: c34e0aa8-cc39-46e0-8588-a0d9f128735e

📥 Commits

Reviewing files that changed from the base of the PR and between fa7ad6d and 8450c09.

📒 Files selected for processing (5)

• .coderabbit.yaml
• .github/workflows/detect-base64-content.yml
• .github/workflows/required-checks-guard.yml
• docs/RLS_REWRITE_PLAN.md
• supabase/migrations/20260526141234_31aaa458-1bc1-476f-bca6-8152907d7a99.sql

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/lovable-guardrails-20260526

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}