chore(redeploy-fase2): close T3/T22/T23 gaps with guard + UI checklist #166
- docs(DEPLOYMENT): complete rewrite removing the dangerous `supabase db push`; documents the dual Lovable+Vercel architecture, the migrations desync and the correct procedure for DDL via MCP/Dashboard
- ci(quality): new step "Migrations sync guard" running scripts/check-no-db-push.mjs; blocks accidental reintroduction of the command outside the documentation allowlist
- scripts: new check-no-db-push.mjs (explicit allowlist of historical/prohibition docs); adjusts gen-migrations-readme.mjs to stop printing the wrong instruction
- docs(storage/PUBLIC_BUCKETS): records 3 attempts via MCP at recibos_authenticated_read with proven root cause (storage.objects belongs to supabase_storage_admin, postgres is not a member), formalizes manual action via the dashboard as the only route
- docs(redeploy-fase2-checklist-ui): single click-by-click document for the 3 remaining UI steps (storage policy, security toggles, branch protection), calibrated for a single maintainer (require approvals = 0 instead of 1 so as not to self-block)

Refs #78 #80 #151
Walkthrough
Adds a CI guard that detects occurrences of
Changes
Migration Guard and Deployment Documentation
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~20 minutes
🚥 Pre-merge checks | ✅ 4 | ❌ 1
❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
@coderabbitai review (The PR is a draft on purpose; I want the full review before marking it as ready. Focus on: correctness of
Generated by Claude Code

Starting the full review now. ✅ Actions performed: Full review triggered.
Actionable comments posted: 5
🧹 Nitpick comments (2)
.github/workflows/ci.yml (1)
50-57: ⚡ Quick win
Move the migrations guard before `npm ci` for fail-fast.
This check only uses `git grep`/native Node; running it before installing dependencies saves minutes when it fails.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/ci.yml around lines 50 - 57, Reorder the CI steps so the "Migrations sync guard (desync 332 vs 209 — ver docs/DEPLOYMENT.md)" job runs before "Install dependencies" (npm ci) to fail-fast; locate the step with the exact name "Migrations sync guard (desync 332 vs 209 — ver docs/DEPLOYMENT.md)" in .github/workflows/ci.yml and move that block above the "Install dependencies" block (keep the existing "Seller-scope checker (RLS defesa em profundidade)" placement if desired), ensuring YAML indentation and ordering remain valid.
docs/DEPLOYMENT.md (1)
27-40: ⚡ Quick win
Add an explicit exception for operations on `storage.objects` in the DDL flow.
The "Como aplicar mudanças de schema" ("How to apply schema changes") section is generic; it is worth recording here that some operations (such as policies on `storage.objects`) may require the Dashboard because of owner/role restrictions, to avoid another attempt via MCP.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@docs/DEPLOYMENT.md` around lines 27 - 40, Add an explicit exception to the DDL workflow: state that operations touching storage.objects (for example setting policies on storage.objects) often require owner/role restrictions and must be applied via the Dashboard (SQL Editor) instead of the MCP/apply_migration path; reference apply_migration, supabase_migrations.schema_migrations and MCP as the automated path and Dashboard/SQL Editor as the manual path, instruct authors to still include a descriptive supabase/migrations/*.sql file noting the manual Dashboard change and avoid re-applying it via merge_branch to prod.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@docs/DEPLOYMENT.md`:
- Line 122: The sentence "3. **Storage:** buckets têm versionamento
desabilitado; restaurar do PITR" is misleading because PITR only restores
Postgres (including storage.objects metadata) and does not restore S3/Storage
files; update that bullet to explicitly state PITR does NOT recover object files
and add recommended recovery strategies: enable bucket versioning, maintain
separate S3 backups or lifecycle snapshots, and document a manual recovery path
using storage.objects metadata to reconcile objects with backups; replace the
current line with this clarified statement and a short note about required
separate file-recovery procedures.
In `@docs/redeploy/REDEPLOY-FASE2-CHECKLIST-UI.md`:
- Line 180: Update the checklist row that currently instructs validating with
`git push --force` (the table row containing "Issue `#78` já está fechada") to
remove the `--force` guidance: replace the instruction with a recommendation to
attempt a normal `git push` and note that the expected outcome is a rejection
due to branch protection, or instruct to re-open and validate using a safe push
workflow without force. Ensure the new text clearly omits `--force` and explains
that a normal push rejection confirms protection.
In `@scripts/check-no-db-push.mjs`:
- Around line 35-43: The current execSync call hides real git errors by
appending "|| true"; remove that and instead run execSync("git grep -l
--untracked --no-recurse-submodules -- 'supabase db push'"), then in the catch
for that execSync call inspect the thrown error's status/code (e.status or
e.status === 1 / e.code) — if status === 1 treat it as "no matches" and set raw
= '' (or leave as empty string) and continue, otherwise log the full error (use
e.message and e.status) and process.exit(2); update references around the raw
variable and the try/catch block that contains the execSync invocation.
- Line 37: The literal search "git grep -l --untracked --no-recurse-submodules --
'supabase db push' || true" is fragile with variable spacing; update this
invocation to use a regex that accepts any amount of whitespace (for
example supabase[[:space:]]+db[[:space:]]+push) and enable extended regex in
git grep (use an appropriate flag, e.g. -E) so that variations such as multiple
spaces or line breaks are still caught.
- Around line 30-32: The isAllowed function uses ALLOWLIST.some(p => path === p ||
path.startsWith(p)), allowing a prefix bypass for files; change the logic
to require exact equality for file entries and use prefix match only
for directory entries (for example, treat an entry as a directory if it
ends in '/'). Update isAllowed to check path === p ||
(p.endsWith('/') && path.startsWith(p)), referencing the isAllowed function and the
ALLOWLIST constant when making the fix.
---
Nitpick comments:
In @.github/workflows/ci.yml:
- Around line 50-57: Reorder the CI steps so the "Migrations sync guard (desync
332 vs 209 — ver docs/DEPLOYMENT.md)" job runs before "Install dependencies"
(npm ci) to fail-fast; locate the step with the exact name "Migrations sync
guard (desync 332 vs 209 — ver docs/DEPLOYMENT.md)" in .github/workflows/ci.yml
and move that block above the "Install dependencies" block (keep the existing
"Seller-scope checker (RLS defesa em profundidade)" placement if desired),
ensuring YAML indentation and ordering remain valid.
In `@docs/DEPLOYMENT.md`:
- Around line 27-40: Add an explicit exception to the DDL workflow: state that
operations touching storage.objects (for example setting policies on
storage.objects) often require owner/role restrictions and must be applied via
the Dashboard (SQL Editor) instead of the MCP/apply_migration path; reference
apply_migration, supabase_migrations.schema_migrations and MCP as the automated
path and Dashboard/SQL Editor as the manual path, instruct authors to still
include a descriptive supabase/migrations/*.sql file noting the manual Dashboard
change and avoid re-applying it via merge_branch to prod.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: e3c56bf4-b5d8-4b70-baf1-5412a9a852c2
📒 Files selected for processing (6)
- .github/workflows/ci.yml
- docs/DEPLOYMENT.md
- docs/redeploy/REDEPLOY-FASE2-CHECKLIST-UI.md
- docs/storage/PUBLIC_BUCKETS.md
- scripts/check-no-db-push.mjs
- scripts/gen-migrations-readme.mjs
scripts/check-no-db-push.mjs:
- isAllowed: prefix match ONLY for entries ending in '/' (directory); exact equality for files; avoids bypass via DEPLOYMENT.md.tmp/.bak/etc
- ERE regex with free whitespace (supabase[[:space:]]+db[[:space:]]+push) via `git grep -lE`; catches variations such as `supabase db push`
- explicit error path: status=1 from git grep = "no match" (continues); any other I/O error now goes to stderr with status+message and process.exit(2). Removed `|| true`, which masked real failures

.github/workflows/ci.yml:
- Migrations sync guard moved to BEFORE `npm ci` (fail-fast). The guard uses only git+native node and needs no deps. It now fails in ~10s instead of ~3min of install

docs/DEPLOYMENT.md:
- Rollback section: fixed item 3 (Storage); PITR does NOT recover Storage files (S3-compatible), only metadata in storage.objects. Added P2 recommendation (bucket versioning OR a copy job to external R2/S3)
- "Como aplicar DDL" section: explicit exception for storage.objects documenting that it needs the Dashboard (3 attempts recorded in docs/storage/PUBLIC_BUCKETS.md)

docs/redeploy/REDEPLOY-FASE2-CHECKLIST-UI.md:
- Troubleshooting: removed the `git push --force` guidance (dangerous for non-devs). Replaced by a simple direct push; the "protected branch hook declined" rejection already proves protection without using force

Local validation: 4 guard scenarios tested (normal, prefix bypass, multiple whitespace, final normal), all OK.

Refs PR #166
Response to the 5 comments + 2 nitpicks from @coderabbitai
Commit
Local validation run
```text
$ node scripts/check-no-db-push.mjs
✅ check-no-db-push: nenhum uso novo de `supabase db push` detectado.
# Prefix bypass (DEPLOYMENT.md.tmp): blocks ✅
# Multiple whitespace (supabase db push): detects ✅
# Normal state: passes ✅
```
@coderabbitai please re-review when you can. 🤖 Generated via session_01WKZNWA4MqhKVTqB8Ta4bNW
Generated by Claude Code
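The three guard fixes discussed in this thread (exact-match allowlist entries, a whitespace-tolerant pattern, and treating only exit status 1 as "no matches"), sketched as an added example that is not the project's `scripts/check-no-db-push.mjs`. The allowlist entries, the sample tree, the injected `grep` stand-in and exit code 1 for offenders are assumptions made for the demo.

```javascript
// Added example; not the project's scripts/check-no-db-push.mjs.
// Allowlist entries are constructed for this demo.
const ALLOWLIST = [
  'docs/DEPLOYMENT.md',   // file entry: exact match only
  'docs/redeploy/',       // directory entry: trailing '/' enables prefix match
];

// JS counterpart of the ERE supabase[[:space:]]+db[[:space:]]+push.
const FORBIDDEN = /supabase\s+db\s+push/;

// Fixed check: equality for files, prefix match only for '/'-terminated entries.
function isAllowed(path, allowlist = ALLOWLIST) {
  return allowlist.some((p) => path === p || (p.endsWith('/') && path.startsWith(p)));
}

// Pre-fix check quoted in the review: every entry is treated as a prefix.
function isAllowedLoose(path, allowlist = ALLOWLIST) {
  return allowlist.some((p) => path === p || path.startsWith(p));
}

// Line-by-line scan, as git grep does: tokens split across lines do not match.
function filesWithMatch(files) {
  return Object.entries(files)
    .filter(([, text]) => text.split('\n').some((line) => FORBIDDEN.test(line)))
    .map(([path]) => path);
}

// Stand-in for the execSync call: returns stdout, or throws an error carrying
// `.status` the way child_process does on a non-zero exit.
function fakeGitGrep(files) {
  return () => {
    const hits = filesWithMatch(files);
    if (hits.length === 0) {
      throw Object.assign(new Error('git grep exited with 1'), { status: 1 });
    }
    return hits.join('\n') + '\n';
  };
}

// Guard core. Exit status 1 from grep means "no matches"; anything else is a
// real failure and maps to exit code 2. Exit code 1 for offenders is assumed.
function runGuard(grep) {
  let raw;
  try {
    raw = grep();
  } catch (e) {
    if (e.status !== 1) {
      return { exitCode: 2, offenders: [], error: `status=${e.status}: ${e.message}` };
    }
    raw = '';
  }
  const offenders = raw.split('\n').filter(Boolean).filter((p) => !isAllowed(p));
  return { exitCode: offenders.length > 0 ? 1 : 0, offenders };
}

// Constructed sample tree, not real repository content.
const SAMPLE_TREE = {
  'docs/DEPLOYMENT.md': 'PROIBIDO: supabase db push',         // allowlisted file
  'docs/DEPLOYMENT.md.tmp': 'supabase db push',               // prefix-bypass attempt
  'docs/redeploy/CHECKLIST.md': 'never run supabase db push', // allowlisted directory
  'README.md': 'run: supabase \t db   push',                  // tab and repeated spaces
  'notes.md': 'supabase db\npush',                            // split across lines
};

const result = runGuard(fakeGitGrep(SAMPLE_TREE));
console.log(result.exitCode, result.offenders);
```

The `notes.md` entry shows the limit of a line-oriented search: the command split across two lines is not reported.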
Tip: For best results, initiate chat on the files or code changes.
🧩 Analysis chain
I will read the current files to verify the 7 items before re-reviewing.
🏁 Script executed: Length of output: 40165
🏁 Script executed: Length of output: 2582
✅ Verification of the 7 items
Files referenced in
🔎 New findings
[Nit]
…eview
- scripts/check-no-db-push.mjs: header comment corrected to reflect that git grep is line-by-line; a line break between tokens is not detected (still detected: multiple spaces and tabs)
- docs/.../REDEPLOY-FASE2-CHECKLIST-UI.md: the push protection test now uses a relative path (`fake-secret.txt`) instead of `/tmp/...`, which would make `git add -f` fail with "outside repository"

Refs PR #166
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: daad208aa7
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| | Require code scanning results | ⬜ OFF por ora | Pode ligar depois quando CodeQL tiver baseline | | ||
|
|
||
| 7. Em **Require status checks**, adicione (digite cada um — autocomplete vai sugerir após primeiro run de cada workflow): | ||
| - `Verify push to main is from PR merge` (workflow `branch-protection-sentinel.yml`) |
Remove the push-only sentinel from required PR checks
This checklist tells the maintainer to require Verify push to main is from PR merge, but I checked .github/workflows/branch-protection-sentinel.yml and that workflow only runs on push to main (plus workflow_dispatch), not on pull_request. If this is added as a required status check for main, PR heads will never produce that check, so normal PR merges will be stuck waiting for a missing status.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@docs/DEPLOYMENT.md`:
- Around line 58-71: The fenced ASCII diagram block in the docs/DEPLOYMENT.md
file is missing a language identifier causing MD040; add a language tag (for
example ```text) to the opening fence of the diagram block so it becomes ```text
... ``` to satisfy the linter and preserve the diagram formatting.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: 77cc5def-3499-49a9-88ce-cb35566d136f
📒 Files selected for processing (4)
- .github/workflows/ci.yml
- docs/DEPLOYMENT.md
- docs/redeploy/REDEPLOY-FASE2-CHECKLIST-UI.md
- scripts/check-no-db-push.mjs
🚧 Files skipped from review as they are similar to previous changes (1)
- .github/workflows/ci.yml
Pull request overview
This PR closes remaining “Fase 2 redeploy” gaps by hardening documentation + CI against unsafe Supabase migration commands, and consolidating the remaining manual (UI-only) security/storage steps into a single checklist.
Changes:
- Rewrites deployment and migrations guidance to explicitly forbid `supabase db push` given the documented migrations desync.
- Adds a CI fail-fast guard (`check-no-db-push`) to block reintroduction of `supabase db push` instructions outside an allowlist.
- Documents the remaining UI-only steps (Supabase storage policy + GitHub security toggles + branch protection) in a consolidated click-by-click checklist.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| scripts/gen-migrations-readme.mjs | Removes/overrides the previously generated “db push” guidance in the migrations README generator. |
| scripts/check-no-db-push.mjs | New repo-wide guard that fails CI if supabase db push appears outside an allowlist. |
| docs/storage/PUBLIC_BUCKETS.md | Documents the storage policy gap and the (UI-only) remediation path with recorded attempts. |
| docs/redeploy/REDEPLOY-FASE2-CHECKLIST-UI.md | New consolidated UI checklist for the remaining Fase 2 manual steps. |
| docs/DEPLOYMENT.md | Full rewrite of deployment guide reflecting redeploy realities and safer operational procedures. |
| .github/workflows/ci.yml | Adds a fail-fast CI step to run the check-no-db-push guard before dependency install. |
| - npm 10+ | ||
| - Conta Supabase com acesso ao projeto `doufsxqlfjyuvxuezpln` | ||
|
|
||
| **Não usa Redis.** Cache no-op se a env var não estiver definida (`src/lib/cache.ts`). |
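Review bot: the last line cites `src/lib/cache.ts` as the place where the cache becomes a no-op and refers to "a env var" without naming it, so a reader cannot check either claim from the guide. Confirm that the file exists at that path and name the variable, or describe the caching behaviour without a file reference.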
| - `CodeQL` (workflow `codeql.yml`) | ||
|
|
||
| > **Se algum nome não aparecer no autocomplete**, é porque o workflow ainda não rodou nessa branch — pode digitar manual. Mas idealmente espere que rode 1× para evitar typo. |
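Review bot: `CodeQL` on the first line is the workflow's name (`codeql.yml`), while required status checks are matched by the name of the check each job reports, so an entry typed as `CodeQL` may never be satisfied and would leave PRs waiting. List the job's check name as the autocomplete shows it after a run, and treat the "pode digitar manual" fallback with care, since a mistyped required check has the same blocking effect.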
| Causa raiz confirmada (validado em 2026-05-12): | ||
|
|
||
| ```sql | ||
| CREATE POLICY "recibos_authenticated_read" ON storage.objects | ||
| FOR SELECT TO authenticated USING (bucket_id = 'recibos-entrega'); | ||
|
|
||
| COMMENT ON POLICY "recibos_authenticated_read" ON storage.objects IS | ||
| 'Leitura de recibos de entrega restrita a usuários autenticados. T23 redeploy 2026-05.'; | ||
| -- storage.objects pertence a supabase_storage_admin, postgres NÃO é membro: | ||
| SELECT current_user, (SELECT rolname FROM pg_roles WHERE oid = relowner) | ||
| FROM pg_class WHERE relname='objects' AND relnamespace='storage'::regnamespace; | ||
| -- => postgres | supabase_storage_admin | ||
| ``` |
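Review bot: the verification query returns only `current_user` and the owner of `storage.objects`, so its output (`postgres | supabase_storage_admin`) does not show the second half of the stated root cause, that `postgres` is not a member of the owning role. Add a membership column such as `pg_has_role(current_user, 'supabase_storage_admin', 'MEMBER')` so the recorded evidence covers both claims.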
| ); | ||
| } | ||
|
|
||
| // ERE: aceita whitespace variável (espaços múltiplos, tabs, quebras). |
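Review bot: the inline comment on the last line lists "quebras" (line breaks) among the whitespace the ERE accepts, but a line-oriented search such as `git grep`, which the PR discussion says this guard uses, never sees two lines at once, so a command split across lines passes undetected. Reword the comment to spaces and tabs only so it does not overstate the guard's coverage.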
- docs/redeploy/REDEPLOY-FASE2-CHECKLIST-UI.md (CRITICAL): removes 'Verify push to main is from PR merge' (branch-protection-sentinel.yml) from the list of required status checks. The workflow only has the trigger 'push: branches:[main]', not 'pull_request:'. Adding it as a required check would block ALL PRs waiting for a check that never appears on the PR head. Added an explicit warning explaining the reason and the real role of the sentinel (post-merge audit, not a PR gate). Found by @chatgpt-codex-connector.
- docs/DEPLOYMENT.md: added the 'text' language to the fenced block of the deploy architecture diagram (MD040 / fenced-code-language). Found by @coderabbitai re-review.

Refs PR #166
- docs/DEPLOYMENT.md (line 87): reference to src/lib/cache.ts removed because the file does not exist; replaced by a mention of TanStack Query as the real UI cache layer
- docs/redeploy/REDEPLOY-FASE2-CHECKLIST-UI.md: the list of required checks now specifies 'Analyze (javascript-typescript)' (job name, with expanded matrix) instead of 'CodeQL' (workflow name). Explicit warning explaining the distinction
- docs/storage/PUBLIC_BUCKETS.md: validation query expanded to include pg_has_role(...,'MEMBER'), verifying that postgres is also NOT a member of supabase_storage_admin (confirming the owner alone does not support the root cause)
- scripts/check-no-db-push.mjs: the inline comment dropped the word 'quebras' so as not to conflict with the header (which already explains that git grep is line-by-line)

Refs PR #166
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 0f0939cec2
| echo "AKIAIOSFODNN7EXAMPLE" > fake-secret.txt | ||
| git add -f fake-secret.txt && git commit -m "test secret" | ||
| git push |
Avoid pushing the dummy secret test to main
When this optional validation is run before branch protection is configured, the push can succeed instead of producing GH013: GitHub documents that pattern pairs such as AWS keys require both the ID and secret in the same file, but this writes only the access-key ID. In that case the maintainer has just pushed fake-secret.txt to main, and the following git reset HEAD~1 only cleans the local branch, not the remote; use a disposable branch/repo or include a safe provider-documented test token that is guaranteed to be blocked.
Codex pointed out that the optional Push Protection test could previously fail silently: 1) an AWS access key ID alone is not always detected (GitHub requires the ID+secret pair in the same file for the AWS pattern), 2) if it is not detected, the test file goes to main on the remote, 3) git reset HEAD~1 only cleans up locally. New version:
- Creates a disposable branch test/secret-scan-validation from main
- Includes the AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY pair in the same file (a pattern genuinely detected by GitHub)
- Cleanup removes the local AND remote branch (defense in depth if the push goes through)

Refs PR #166
…check-no-db-push
These files were added to main after PR #166 (which created the guard) and mention `supabase db push` exclusively to forbid it, the same context as the other docs in the allowlist. Without the two in the allowlist, the guard blocked this PR's CI for no real reason.
https://claude.ai/code/session_01WKZNWA4MqhKVTqB8Ta4bNW
Context
Closes the 3 residual pending items of Phase 2 of the 2026-05 redeploy (T3, T22, T23) discovered during the readiness diagnosis. Resolves what can be resolved by code and formalizes what only works via the UI (with a documented simulation of the technical block).
Refs: #78 (branch protection), #80 (security toggles), `docs/redeploy/REDEPLOY-FASE2-EXECUTION-LOG.md`.
What changes
🛡️ T3 — Migrations sync hardening
- `docs/DEPLOYMENT.md`: complete rewrite. The previous version taught `supabase db push`, a command that would destroy the prod database given the 332-vs-209 desync documented in T3. The new doc covers the dual Lovable+Vercel architecture, the DDL policy via MCP/Dashboard, the pre-deploy checklist and rollback.
- `scripts/check-no-db-push.mjs` (new): allowlist-based guard. Fails CI if someone reintroduces `supabase db push` outside the prohibition/audit files.
- `ci.yml` (job `quality`): new step `Migrations sync guard` invoking the script above.
- `scripts/gen-migrations-readme.mjs`: removes the wrong instruction (`supabase db push` as the way to apply migrations) that was generated automatically in the migrations README.

📋 T22 + T23 — Consolidated UI checklist
- `docs/redeploy/REDEPLOY-FASE2-CHECKLIST-UI.md` (new): single click-by-click document for the 3 remaining UI steps. Calibrated for the single current maintainer: Require approvals = 0 instead of 1 (otherwise the maintainer would be blocked on solo PRs), explained in the doc with Option A vs B.

🪪 T23 — MCP attempt and documentation of the block
- `docs/storage/PUBLIC_BUCKETS.md`: formalizes 3 attempts executed today via MCP (`execute_sql`, `apply_migration`, `apply_migration + SET LOCAL ROLE`), all blocked with `42501`. Root cause confirmed by query: `storage.objects` belongs to `supabase_storage_admin`; the `postgres` role (via MCP) is not a member.

Why I did not close everything via code
`recibos_authenticated_read` `execute_sql`, `apply_migration` plain, `apply_migration` with `SET LOCAL ROLE supabase_storage_admin`) `supabase_storage_admin` `main` `PUT /repos/.../branches/{branch}/protection` `PATCH /repos/{owner}/{repo}` (security_and_analysis) nor `PUT vulnerability-alerts`

The 3 items need ~10 min of clicks in the UI following `docs/redeploy/REDEPLOY-FASE2-CHECKLIST-UI.md`.

Exhaustive scenario simulation (run before the plan)
24 scenarios simulated, grouped into 3 challenges (storage policy, GitHub hardening, migrations desync) + cross-cutting ones. Gaps detected and mitigated:
- `USING(bucket_id=...)` alone lets any authenticated user read any receipt across orgs → user's decision (answer: I accept this level of exposure; receipts are not sensitive enough to require fine-grained ACL).
- `Require approvals=1` = deadlock → the checklist uses Option A (approvals=0) by default.
- `name:` of the jobs today.
- `gen-migrations-readme.mjs` re-generated the wrong instruction → fixed together with the guard.

Details in the PR conversation + the CodeRabbit comment that will be requested.
Validation run locally
```text
$ node scripts/check-no-db-push.mjs
✅ check-no-db-push: nenhum uso novo de `supabase db push` detectado.
```
Next steps after merge
- `docs/redeploy/REDEPLOY-FASE2-CHECKLIST-UI.md` (~10 min)

Test plan
- `node scripts/check-no-db-push.mjs` locally → OK
- `SELECT policyname FROM pg_policies WHERE schemaname='storage' AND policyname LIKE 'recibos%'` returns 3 rows

🤖 Generated via session_01WKZNWA4MqhKVTqB8Ta4bNW
Generated by Claude Code
Summary by CodeRabbit
Documentation
Chores