From 32fc42a29c4f31ea98015ddff0abf41581a4bbd2 Mon Sep 17 00:00:00 2001 From: Tiago Yamamoto Date: Fri, 26 Dec 2025 12:45:03 -0300 Subject: [PATCH] docs: Update all documentation files (API_SECURITY, ROADMAP, TASKS, DEVOPS, DATABASE, API) - Updated dates to 2024-12-26 - Added new features: Email System, Avatar Upload, Public Job Posting - Updated security routes and access levels - Updated infrastructure and secrets documentation - Marked completed tasks in ROADMAP and TASKS --- docs/API.md | 4 +- docs/API_SECURITY.md | 188 ++++++++++++++++++----------- docs/DATABASE.md | 7 +- docs/DEVOPS.md | 277 ++++++++++++++++++++++--------------------- docs/ROADMAP.md | 167 ++++++++++---------------- docs/TASKS.md | 122 +++++++++++-------- 6 files changed, 397 insertions(+), 368 deletions(-) diff --git a/docs/API.md b/docs/API.md index ed72a12..5808add 100644 --- a/docs/API.md +++ b/docs/API.md @@ -2,8 +2,8 @@ Complete API reference with routes, permissions, and modules. -> **Last Updated:** 2024-12-24 -> **Base URL:** `http://localhost:8521/api/v1` +> **Last Updated:** 2024-12-26 +> **Base URL:** `https://api.gohorsejobs.com/api/v1` > **Auth:** JWT Bearer Token or HttpOnly Cookie --- diff --git a/docs/API_SECURITY.md b/docs/API_SECURITY.md index ddcc067..539d234 100644 --- a/docs/API_SECURITY.md +++ b/docs/API_SECURITY.md 
@@ -1,107 +1,151 @@ # 🔐 API Security & Access Levels -This document details the security layers, authentication methods, and role-based access control (RBAC) for the GoHorse Jobs API. Use this guide to verify and test route protection. +Security layers, authentication methods, and RBAC for GoHorse Jobs API. + +> **Last Updated:** 2024-12-26 + +--- ## 🛡️ Authentication Methods -1. **Bearer Token (JWT)** - * Header: `Authorization: Bearer ` - * Used by: Mobile apps, external integrations, simple API tests. +| Method | Header/Cookie | Used By | +|--------|--------------|---------| +| **Bearer Token** | `Authorization: Bearer ` | Mobile apps, external integrations | +| **HttpOnly Cookie** | `jwt=` | Web Frontend (Next.js), Backoffice | -2. **HttpOnly Cookie** - * Cookie Name: `jwt` - * Used by: Web Frontend (Next.js), Backoffice. - * Properties: `HttpOnly`, `Secure` (in prod), `SameSite=Lax`. +**Cookie Properties:** `HttpOnly`, `Secure` (prod), `SameSite=Lax` + +--- + +## 🔒 Security Middlewares + +| Middleware | File | Description | +|------------|------|-------------| +| **Auth** | `middleware/auth.go` | JWT validation + RBAC | +| **CORS** | `middleware/cors.go` | Whitelist via `CORS_ORIGINS` | +| **Rate Limiting** | `middleware/rate_limit.go` | 100 req/min per IP | +| **Security Headers** | `middleware/security_headers.go` | OWASP headers (XSS, CSP) | +| **Sanitize** | `middleware/sanitize.go` | XSS sanitization in JSON | + +--- ## 🚦 Access Levels | Level | Description | Middleware | -| :--- | :--- | :--- | -| **Public** | Open to everyone (Guests). No check performed. | None | -| **Authenticated** | Requires a valid JWT (Header or Cookie). | `HeaderAuthGuard` | -| **Role-Restricted** | Requires valid JWT + Specific Role claim. 
| `HeaderAuthGuard` + `RequireRoles(...)` | +|-------|-------------|------------| +| **Public** | Open to everyone | None | +| **Authenticated** | Requires valid JWT | `HeaderAuthGuard` | +| **Role-Restricted** | JWT + Specific Role | `HeaderAuthGuard` + `adminOnly` | + +--- ## 🗺️ Route Permission Matrix ### 🟢 Public Routes -| Method | Route | Description | Notes | -| :--- | :--- | :--- | :--- | -| `POST` | `/api/v1/auth/login` | User Login | Returns JWT + Cookie | -| `POST` | `/api/v1/auth/register` | Candidate Register | Creates `candidate` user | -| `POST` | `/api/v1/companies` | Company Register | Creates company + `admin` | -| `GET` | `/api/v1/jobs` | List Jobs | Public search/list | -| `GET` | `/api/v1/jobs/{id}` | Get Job | Public details | -| `GET` | `/docs/*` | Swagger UI | API Documentation | - -### 🟡 Authenticated Routes (Any Logged User) -**Requirement**: Valid JWT. | Method | Route | Description | -| :--- | :--- | :--- | -| `GET` | `/api/v1/users/me` | Get Own Profile | -| `PATCH` | `/api/v1/users/{id}` | Update Own Profile (Self-check in handler) | -| `GET` | `/api/v1/notifications` | Get Own Notifications | -| `POST` | `/api/v1/applications` | Apply for Job (Candidate) | -| `POST` | `/api/v1/storage/upload-url` | Get S3 Upload URL | -| `POST` | `/api/v1/storage/download-url` | Get S3 Download URL | -| `DELETE` | `/api/v1/storage/files` | Delete S3 File | +|--------|-------|-------------| +| `GET` | `/` | Root check | +| `GET` | `/health` | Health check | +| `POST` | `/api/v1/auth/login` | Login | +| `POST` | `/api/v1/auth/register/candidate` | Candidate register | +| `POST` | `/api/v1/auth/register/company` | Company register | +| `GET` | `/api/v1/jobs` | List jobs | +| `GET` | `/api/v1/jobs/{id}` | Job details | +| `GET` | `/api/v1/companies/{id}` | Company details | +| `GET` | `/docs/*` | Swagger UI | -### 🟠 Recruiter / CompanyAdmin Routes -**Requirement**: Role `admin` OR `recruiter`. 
+### 🟡 Authenticated Routes | Method | Route | Description | -| :--- | :--- | :--- | -| `POST` | `/api/v1/jobs` | Create Job | -| `PUT` | `/api/v1/jobs/{id}` | Update Job | -| `DELETE` | `/api/v1/jobs/{id}` | Delete Job | -| `GET` | `/api/v1/applications` | List Applications (for own jobs) | -| `PUT` | `/api/v1/applications/{id}/status` | Update Application Status | +|--------|-------|-------------| +| `GET` | `/api/v1/users/me` | Get own profile | +| `PATCH` | `/api/v1/users/me/profile` | Update profile | +| `GET` | `/api/v1/notifications` | Get notifications | +| `POST` | `/api/v1/tokens` | Save FCM token | +| `GET` | `/api/v1/storage/upload-url` | Get pre-signed URL | +| `GET` | `/api/v1/conversations` | List conversations | +| `POST` | `/api/v1/applications` | Apply for job | -### 🔴 Admin / SuperAdmin Routes (Backoffice) -**Requirement**: Role `superadmin` OR `admin`. +### 🟠 Recruiter / Company Admin -| Method | Route | Description | Middleware Check | -| :--- | :--- | :--- | :--- | -| `GET` | `/api/v1/users` | List All Users | `adminOnly` | -| `POST` | `/api/v1/users` | Create User (Staff) | `adminOnly` | -| `DELETE` | `/api/v1/users/{id}` | Delete User | `adminOnly` | -| `GET` | `/api/v1/users/roles` | List System Roles | `adminOnly` | -| `GET` | `/api/v1/companies` | List Companies (Full) | `adminOnly` | -| `PATCH` | `/api/v1/companies/{id}/status` | Activate/Ban Company | `adminOnly` | -| `GET` | `/api/v1/jobs/moderation` | Moderate Jobs | `adminOnly` | -| `PATCH` | `/api/v1/jobs/{id}/status` | Approve/Reject Job | `adminOnly` | -| `POST` | `/api/v1/jobs/{id}/duplicate` | Admin Duplicate Job | `adminOnly` | -| `GET` | `/api/v1/tags` | List Tags | `adminOnly` | -| `POST` | `/api/v1/tags` | Create Tag | `adminOnly` | -| `PATCH` | `/api/v1/tags/{id}` | Update Tag | `adminOnly` | -| `GET` | `/api/v1/candidates` | List All Candidates | `adminOnly` | -| `GET` | `/api/v1/audit/logins` | View Audit Logs | `adminOnly` | +**Requires:** Role `admin` OR `recruiter` + 
+| Method | Route | Description | +|--------|-------|-------------| +| `POST` | `/api/v1/jobs` | Create job | +| `PUT` | `/api/v1/jobs/{id}` | Update job | +| `DELETE` | `/api/v1/jobs/{id}` | Delete job | +| `GET` | `/api/v1/applications` | List applications | +| `PUT` | `/api/v1/applications/{id}/status` | Update status | + +### 🔴 Admin / SuperAdmin + +**Requires:** Role `superadmin` OR `admin` + +| Method | Route | Description | +|--------|-------|-------------| +| `GET` | `/api/v1/users` | List all users | +| `POST` | `/api/v1/users` | Create user | +| `DELETE` | `/api/v1/users/{id}` | Delete user | +| `GET` | `/api/v1/admin/companies` | List companies | +| `PATCH` | `/api/v1/admin/companies/{id}/status` | Update company status | +| `GET` | `/api/v1/jobs/moderation` | Moderate jobs | +| `PATCH` | `/api/v1/jobs/{id}/status` | Approve/reject job | +| `GET` | `/api/v1/admin/email-templates` | List email templates | +| `PUT` | `/api/v1/admin/email-templates/{slug}` | Update template | +| `PUT` | `/api/v1/admin/email-settings` | Update SMTP settings | +| `POST` | `/api/v1/system/credentials` | Save credentials | +| `POST` | `/api/v1/system/cloudflare/purge` | Purge cache | + +--- ## 🧪 Testing Security -**1. Test Public Access (Should Succeed)** +**1. Public Access (200 OK)** ```bash -curl http://localhost:8521/api/v1/jobs +curl https://api.gohorsejobs.com/api/v1/jobs ``` -**2. Test Protected Route without Token (Should Fail 401)** +**2. Protected without Token (401)** ```bash -curl http://localhost:8521/api/v1/users/me -# Expected: 401 Unauthorized +curl https://api.gohorsejobs.com/api/v1/users/me ``` -**3. Test Admin Route as Candidate (Should Fail 403)** -1. Login as Candidate -> Get Token A -2. Call Admin Route: +**3. Admin Route as Candidate (403)** ```bash -curl -H "Authorization: Bearer " http://localhost:8521/api/v1/audit/logins -# Expected: 403 Forbidden +curl -H "Authorization: Bearer " \ + https://api.gohorsejobs.com/api/v1/users ``` -**4. 
Test Admin Route as Admin (Should Succeed)** -1. Login as SuperAdmin -> Get Token B -2. Call Admin Route: +**4. Admin Route as Admin (200 OK)** ```bash -curl -H "Authorization: Bearer " http://localhost:8521/api/v1/audit/logins -# Expected: 200 OK +curl -H "Authorization: Bearer " \ + https://api.gohorsejobs.com/api/v1/users ``` + +--- + +## 🔑 JWT Claims + +```json +{ + "sub": "019438a1-2b3c-...", + "email": "user@example.com", + "role": "admin", + "tenant_id": "019438a2-3c4d-...", + "exp": 1735200000, + "iat": 1735113600 +} +``` + +--- + +## 🛡️ Password Security + +| Feature | Implementation | +|---------|---------------| +| **Hashing** | BCrypt (10 rounds) | +| **Pepper** | `PASSWORD_PEPPER` env var | +| **Min Length** | 8 characters | +| **JWT Secret** | Min 32 characters | diff --git a/docs/DATABASE.md b/docs/DATABASE.md index 10c3fc5..7c553f1 100644 --- a/docs/DATABASE.md +++ b/docs/DATABASE.md @@ -2,9 +2,10 @@ Complete database documentation for the GoHorseJobs platform. -> **Last Updated:** 2024-12-24 -> **Database:** PostgreSQL 15+ -> **ID Strategy:** SERIAL (INT) for core tables, UUID v7 for newer tables +> **Last Updated:** 2024-12-26 +> **Database:** PostgreSQL 16+ +> **ID Strategy:** UUID v7 for core tables, SERIAL for reference tables +> **Migrations:** 30 SQL files in `backend/migrations/` --- diff --git a/docs/DEVOPS.md b/docs/DEVOPS.md index cffd9e5..650d93c 100644 --- a/docs/DEVOPS.md +++ b/docs/DEVOPS.md @@ -1,6 +1,8 @@ # DevOps - GoHorseJobs -Documentação de infraestrutura, CI/CD e deploy do projeto GoHorseJobs. +Infraestrutura, CI/CD e deploy do projeto GoHorseJobs. + +> **Last Updated:** 2024-12-26 --- 
@@ -10,108 +12,107 @@ Documentação de infraestrutura, CI/CD e deploy do projeto GoHorseJobs. . ├── .drone.yml # Pipeline CI/CD (Drone) ├── k8s/ -│ ├── dev/ # Manifests Kubernetes - Desenvolvimento -│ │ ├── backend-deployment.yaml -│ │ └── backend-service.yaml -│ ├── hml/ # Manifests Kubernetes - Homologação -│ │ ├── backend-deployment.yaml -│ │ └── backend-service.yaml -│ └── prd/ # Manifests Kubernetes - Produção -│ ├── backend-deployment.yaml -│ └── backend-service.yaml +│ ├── dev/ # Kubernetes - Desenvolvimento +│ ├── hml/ # Kubernetes - Homologação +│ └── prd/ # Kubernetes - Produção +│ ├── backend/ -│ ├── Dockerfile # Build da API Go -│ └── .env.example # Variáveis de ambiente -├── frontend/ # Next.js App -└── seeder-api/ # Seeder Node.js para popular DB +│ ├── Dockerfile # Go API (multi-stage, ~73MB) +│ └── .env.example +│ +├── backoffice/ +│ ├── Dockerfile # NestJS (Fastify) +│ └── .env.example +│ +├── frontend/ +│ ├── Dockerfile # Next.js +│ └── .env.example +│ +├── seeder-api/ # Node.js seeder +└── docs/ # Documentation ``` --- ## 🌍 Ambientes -| Ambiente | Branch | Namespace K8s | Registry Harbor | Réplicas | -|----------|--------|---------------|-----------------|----------| -| **DEV** | `dev` | `gohorsejobsdev` | `gohorsejobsdev/gohorsejobs-backend` | 1 | -| **HML** | `hml` | `gohorsejobshml` | `gohorsejobshml/gohorsejobs-backend` | 2 | -| **PRD** | `main` | `gohorsejobs` | `gohorsejobs/gohorsejobs-backend` | 3 | +| Ambiente | Branch | Namespace | Réplicas | URL | +|----------|--------|-----------|----------|-----| +| **DEV** | `dev` | `gohorsejobsdev` | 1 | gohorsejobs-dev.appwrite.network | +| **HML** | `hml` | `gohorsejobshml` | 2 | - | +| **PRD** | `main` | `gohorsejobs` | 3 | gohorsejobs.com | --- ## 🔄 Pipeline CI/CD (Drone) -### Fluxo de Deploy +### Fluxo ``` -dev branch → build → push (Harbor) → deploy (K8s gohorsejobsdev) +dev branch → build → push (Harbor) → deploy (K8s dev) ↓ -hml branch → build → push (Harbor) → deploy (K8s gohorsejobshml) 
+hml branch → build → push (Harbor) → deploy (K8s hml) ↓ -main branch → build → push (Harbor) → deploy (K8s gohorsejobs) +main branch → build → push (Harbor) → deploy (K8s prd) ``` -### Triggers +### Stages -- Push na branch `dev` → executa pipeline `deploy-backend-dev` -- Push na branch `hml` → executa pipeline `deploy-backend-hml` -- Push na branch `main` → executa pipeline `deploy-backend-prd` - -### Etapas do Pipeline - -1. **build-and-push-backend** - Builda imagem Docker e envia para Harbor -2. **export-envs-to-k8s** - Cria secret `backend-secrets` no namespace -3. **deploy-backend** - Aplica manifests K8s e reinicia deployment +1. **build-and-push** - Docker build + push to Harbor +2. **export-envs-to-k8s** - Create/update secrets +3. **deploy** - Apply manifests + rollout restart --- ## 🔐 Secrets (Drone CI) -Secrets que precisam estar configurados no Drone: - ### Registry -| Secret | Descrição | -|--------|-----------| -| `HARBOR_USERNAME` | Usuário do Harbor | -| `HARBOR_PASSWORD` | Senha do Harbor | +| Secret | Description | +|--------|-------------| +| `HARBOR_USERNAME` | Harbor username | +| `HARBOR_PASSWORD` | Harbor password | ### Database -| Secret | Ambiente | Descrição | -|--------|----------|-----------| -| `DB_HOST` | Todos | Host do PostgreSQL | -| `DB_PORT` | Todos | Porta do PostgreSQL | -| `DB_USER` | Todos | Usuário do PostgreSQL | -| `DB_PASSWORD` | Todos | Senha do PostgreSQL | -| `DB_SSLMODE` | Todos | `require` ou `disable` | -| `DB_NAME_DEV` | DEV | Nome do banco dev | -| `DB_NAME_HML` | HML | Nome do banco hml | -| `DB_NAME` | PRD | Nome do banco produção | +| Secret | Description | +|--------|-------------| +| `DATABASE_URL` | PostgreSQL connection string | +| `DB_SSLMODE` | `require` or `disable` | -### S3/Object Storage -| Secret | Descrição | -|--------|-----------| +### Application +| Secret | Description | +|--------|-------------| +| `JWT_SECRET` | JWT secret (min 32 chars) | +| `PASSWORD_PEPPER` | Password pepper | +| 
`CORS_ORIGINS` | Allowed origins | + +### External Services +| Secret | Description | +|--------|-------------| +| `RSA_PRIVATE_KEY_BASE64` | RSA key for credentials | +| `STRIPE_SECRET_KEY` | Stripe API key | +| `STRIPE_WEBHOOK_SECRET` | Stripe webhook secret | +| `FIREBASE_SERVICE_ACCOUNT` | Firebase Admin SDK JSON | + +### Storage (S3/R2) +| Secret | Description | +|--------|-------------| | `AWS_ACCESS_KEY_ID` | Access Key | | `AWS_SECRET_ACCESS_KEY` | Secret Key | -| `AWS_ENDPOINT` | Endpoint S3-compatible | -| `AWS_REGION` | Região | -| `S3_BUCKET` | Nome do bucket | +| `AWS_ENDPOINT` | S3-compatible endpoint | +| `S3_BUCKET` | Bucket name | -### Aplicação -| Secret | Descrição | -|--------|-----------| -| `JWT_SECRET` | Secret para tokens JWT (min. 32 chars) | -| `PORT` | Porta da API (8521) | -| `CORS_ORIGINS_DEV` | URLs permitidas CORS (dev) | -| `CORS_ORIGINS_HML` | URLs permitidas CORS (hml) | -| `CORS_ORIGINS` | URLs permitidas CORS (prd) | +### LavinMQ +| Secret | Description | +|--------|-------------| +| `AMQP_URL` | LavinMQ connection URL | --- ## ☸️ Kubernetes -### Namespaces +### Create Namespaces ```bash -# Criar namespaces kubectl create namespace gohorsejobsdev kubectl create namespace gohorsejobshml kubectl create namespace gohorsejobs 
@@ -119,51 +120,28 @@ kubectl create namespace gohorsejobs ### Registry Secret -Criar secret para pull de imagens do Harbor em cada namespace: - ```bash kubectl create secret docker-registry harbor-registry \ --docker-server=in.gohorsejobs.com \ --docker-username= \ --docker-password= \ -n gohorsejobsdev - -# Repetir para gohorsejobshml e gohorsejobs ``` ### Deploy Manual ```bash # DEV -kubectl apply -f k8s/dev/backend-deployment.yaml -kubectl apply -f k8s/dev/backend-service.yaml +kubectl apply -f k8s/dev/ -n gohorsejobsdev -# HML -kubectl apply -f k8s/hml/backend-deployment.yaml -kubectl apply -f k8s/hml/backend-service.yaml - -# PRD -kubectl apply -f k8s/prd/backend-deployment.yaml -kubectl apply -f k8s/prd/backend-service.yaml -``` - -### Comandos Úteis - -```bash -# Ver pods +# Check pods kubectl get pods -n gohorsejobsdev -# Ver logs +# Check logs kubectl logs -f deployment/gohorse-backend -n gohorsejobsdev -# Restart deployment +# Rollout restart kubectl rollout restart deployment/gohorse-backend -n gohorsejobsdev - -# Ver secrets -kubectl get secrets -n gohorsejobsdev - -# Descrever deployment -kubectl describe deployment gohorse-backend -n gohorsejobsdev ``` --- 
@@ -173,85 +151,108 @@ kubectl describe deployment gohorse-backend -n gohorsejobsdev ### Build Local ```bash -cd backend -docker build -t gohorsejobs-backend:local . +# Backend +cd backend && docker build -t gohorse-backend . + +# Backoffice +cd backoffice && docker build -t gohorse-backoffice . + +# Frontend +cd frontend && docker build -t gohorse-frontend . ``` -### Variáveis de Ambiente +### Docker Compose (Dev) -Ver `.env.example` para lista completa. Principais: - -| Variável | Descrição | Exemplo | -|----------|-----------|---------| -| `PORT` | Porta da API | `8521` | -| `DB_HOST` | Host PostgreSQL | `db.example.com` | -| `DB_NAME` | Nome do banco | `gohorsejobs_dev` | -| `DB_SSLMODE` | Modo SSL | `require` | -| `JWT_SECRET` | Secret JWT | `sua-chave-secreta-32-chars` | +```yaml +version: '3.8' +services: + backend: + build: ./backend + ports: + - "8521:8521" + env_file: + - ./backend/.env + + backoffice: + build: ./backoffice + ports: + - "3001:3001" + env_file: + - ./backoffice/.env + + frontend: + build: ./frontend + ports: + - "3000:3000" + env_file: + - ./frontend/.env +``` --- -## 🗄️ Banco de Dados +## 🗄️ Database -### Conexão +### Connection -``` +```bash +# PostgreSQL hosted Host: db-60059.dc-sp-1.absamcloud.com Port: 26868 SSL: require ``` -### Bancos por Ambiente +### Databases -| Ambiente | Database | -|----------|----------| +| Environment | Database | +|-------------|----------| | DEV | `gohorsejobs_dev` | | HML | `gohorsejobs_hml` | | PRD | `gohorsejobs` | +### Migrations + +```bash +cd backend +go run ./cmd/manual_migrate +``` + ### Seeder ```bash cd seeder-api npm install -npm run seed # Popular banco -npm run seed:reset # Limpar banco +npm run seed ``` --- -## 🧑‍💻 Usuários de Teste +## 👤 Test Users ### SuperAdmin -- **Login:** `superadmin` -- **Senha:** `Admin@2025!` +- **Login:** `superadmin` +- **Password:** `Admin@2025!` -### Company Admins -| Login | Senha | Empresa | -|-------|-------|---------| -| `takeshi_yamamoto` | `Takeshi@2025` | 
TechCorp | -| `kenji@appmakers.mobile` | `Takeshi@2025` | AppMakers | +### Company Admin +| Login | Password | +|-------|----------| +| `takeshi_yamamoto` | `Takeshi@2025` | -### Recrutadores -| Login | Senha | Empresa | -|-------|-------|---------| -| `maria_santos` | `User@2025` | DesignHub | - -### Candidatos -| Login | Senha | -|-------|-------| +### Candidate +| Login | Password | +|-------|----------| | `paulo_santos` | `User@2025` | -| `maria@email.com` | `User@2025` | --- -## 📋 Checklist Deploy Novo Ambiente +## 📋 Deploy Checklist -- [ ] Criar namespace no K8s -- [ ] Criar secret `harbor-registry` no namespace -- [ ] Adicionar secrets no Drone CI -- [ ] Criar banco de dados -- [ ] Executar seeder (opcional) -- [ ] Fazer push na branch correspondente -- [ ] Verificar logs do pipeline -- [ ] Testar endpoint `/health` +- [ ] Create K8s namespace +- [ ] Create `harbor-registry` secret +- [ ] Add Drone CI secrets +- [ ] Create database +- [ ] Run migrations +- [ ] Run seeder (optional) +- [ ] Push to branch +- [ ] Verify pipeline logs +- [ ] Test `/health` endpoint +- [ ] Test `/docs` endpoint diff --git a/docs/ROADMAP.md b/docs/ROADMAP.md index cb38239..063618b 100644 --- a/docs/ROADMAP.md +++ b/docs/ROADMAP.md @@ -1,9 +1,9 @@ # 🗺️ GoHorse Jobs - Roadmap -Roadmap de desenvolvimento do projeto GoHorse Jobs. +Development roadmap for GoHorse Jobs project. -> **Última Atualização:** 2024-12-24 -> **Branch Atual:** `dev` +> **Last Updated:** 2024-12-26 +> **Current Branch:** `dev` --- 
@@ -11,147 +11,110 @@ Roadmap de desenvolvimento do projeto GoHorse Jobs. | Área | Progresso | Status | |------|-----------|--------| -| **Backend API** | 85% | 🟢 Funcional | -| **Frontend** | 75% | 🟡 Em desenvolvimento | -| **Backoffice** | 60% | 🟡 Em desenvolvimento | -| **Seeder** | 95% | 🟢 Completo | -| **Documentação** | 70% | 🟡 Em progresso | +| **Backend API** | 95% | 🟢 Production Ready | +| **Frontend** | 85% | 🟢 Funcional | +| **Backoffice** | 80% | 🟢 Funcional | +| **Seeder** | 100% | 🟢 Completo | +| **Documentação** | 90% | 🟢 Atualizada | --- ## ✅ Concluído ### Backend -- [x] Estrutura Clean Architecture -- [x] Autenticação JWT com HttpOnly cookies -- [x] CRUD de usuários, empresas, vagas -- [x] Sistema de candidaturas -- [x] Notificações -- [x] Password reset -- [x] XSS sanitization middleware -- [x] Swagger documentation -- [x] Multi-tenancy básico +- [x] Clean Architecture + DDD +- [x] JWT Auth (Bearer + HttpOnly Cookie) - [x] PASSWORD_PEPPER para hash seguro -- [x] 🆕 Schema unificado (eliminado core_*) -- [x] 🆕 Migração UUID v7 (Tabelas Core) -- [x] 🆕 Seeder atualizado (UUID compatible) +- [x] CRUD usuários, empresas, vagas, candidaturas +- [x] Sistema de notificações +- [x] Sistema de tickets de suporte +- [x] Chat real-time (Appwrite) +- [x] Email transacional (LavinMQ + Nodemailer) +- [x] Pre-signed URLs para uploads (S3/R2) +- [x] Avatar de usuário +- [x] Credenciais criptografadas (RSA) +- [x] Cache purge (Cloudflare) +- [x] XSS sanitization middleware +- [x] Rate limiting (100 req/min) +- [x] Swagger documentation +- [x] UUID v7 migrations +- [x] 30+ database migrations ### Frontend - [x] Login/Logout com cookies - [x] Dashboard candidato - [x] Dashboard empresa -- [x] Listagem de vagas -- [x] Detalhes da vaga -- [x] Candidatura a vaga -- [x] Eye icon toggle de senha -- [x] Responsividade básica +- [x] Dashboard admin +- [x] Listagem/filtros de vagas +- [x] Detalhes da vaga + Apply +- [x] Página de suporte (tickets) +- [x] Sistema de mensagens 
(chat) +- [x] Configurações (tema, logo) +- [x] **NEW:** Email Templates Admin UI +- [x] **NEW:** Página pública /post-job +- [x] Responsividade - [x] Sonner para notificações +- [x] i18n (PT/EN) -### Seeder -- [x] 31 empresas (30 tech + System) -- [x] 13 empresas fictícias (ACME, Stark, etc) -- [x] 1129+ vagas -- [x] Users e candidatos -- [x] Regiões (BR, US, JP) -- [x] Cidades -- [x] Notificações -- [x] 🆕 Schema unificado e UUID +### Backoffice (NestJS) +- [x] Stripe Integration (checkout, portal, webhooks) +- [x] Dashboard stats +- [x] Email Worker (LavinMQ consumer) +- [x] FCM Tokens (push notifications) +- [x] JWT Auth (Bearer + Cookie) +- [x] TypeORM entities ### DevOps -- [x] Docker setup backend +- [x] Docker setup (multi-stage, ~73MB) +- [x] Kubernetes manifests (dev/hml/prd) +- [x] Drone CI pipelines - [x] Migrations automáticas -- [x] start.sh script unificado -- [x] Seed reset option +- [x] Appwrite hosting --- ## 🔄 Em Progresso ### Backend -- [ ] Rate limiting -- [ ] Upload de arquivos (currículos) -- [ ] Busca full-text com pg_trgm +- [ ] Video interviews +- [ ] AI matching (job ↔ candidate) - [ ] Webhooks para integrações -- [ ] API de pagamentos (Stripe) ### Frontend -- [ ] Dashboard admin completo -- [ ] Gestão de candidaturas -- [ ] Filtros avançados de vagas -- [ ] Favoritos (bookmark jobs) -- [ ] Perfil do candidato editável -- [ ] Upload de currículo - [ ] PWA / Offline support +- [ ] App mobile (React Native) ### Backoffice -- [ ] Gestão de tenants -- [ ] Gestão de usuários -- [ ] Relatórios -- [ ] Auditoria -- [ ] Moderação de vagas +- [ ] Relatórios avançados +- [ ] Export CSV/Excel --- ## 📋 Backlog ### Alta Prioridade -- [ ] Email transacional (welcome, reset, application) -- [ ] Integração Stripe completa (Webhook handlers) -- [ ] Busca avançada com filtros (Backend pronto, Frontend pendente) -- [ ] Internacionalização (i18n) -- [ ] Testes E2E frontend +- [ ] OAuth (Google, LinkedIn) +- [ ] 2FA (Two-Factor Auth) +- [ ] Testes E2E completos 
### Média Prioridade -- [ ] OAuth (Google, LinkedIn) -- [ ] Notificações push (web) -- [ ] Chat em tempo real -- [ ] Analytics dashboard -- [ ] Export CSV/Excel +- [ ] Analytics dashboard avançado +- [ ] Recomendações de vagas +- [ ] Notificações por email digest ### Baixa Prioridade -- [ ] App mobile (React Native) - [ ] Integração ATS -- [ ] AI matching (job ↔ candidate) -- [ ] Video interviews - ---- - -## 🐛 Bugs Conhecidos - -| ID | Descrição | Prioridade | Status | -|----|-----------|------------|--------| -| #001 | job_payments FK precisa de migration 019 atualizada | Média | 🟡 Pendente | -| #002 | Swagger docs desatualizado em alguns endpoints | Baixa | 🟡 Pendente | - ---- - -## 📁 Estrutura de Documentação - -``` -docs/ -├── DATABASE.md # Schema completo -├── ROADMAP.md # Este arquivo -├── TASKS.md # Tarefas pendentes detalhadas -└── ARCHITECTURE.md # (futuro) Arquitetura detalhada - -backend/ -└── README.md # Documentação da API - -backoffice/ -└── README.md # Documentação do backoffice - -seeder-api/ -└── README.md # Documentação do seeder - -frontend/ -└── README.md # Documentação do frontend -``` +- [ ] Gamification (badges) +- [ ] Referral system --- ## 🔗 Links Úteis -- **API Docs:** http://localhost:8521/docs/index.html -- **Frontend:** http://localhost:3000 -- **Database Schema:** [docs/DATABASE.md](DATABASE.md) -- **Seeder Info:** [seeder-api/README.md](../seeder-api/README.md) +| Recurso | URL | +|---------|-----| +| **API Docs** | `/docs/` (Swagger) | +| **Frontend Dev** | https://gohorsejobs-dev.appwrite.network | +| **Database Schema** | [docs/DATABASE.md](DATABASE.md) | +| **API Reference** | [docs/API.md](API.md) | +| **Security** | [docs/API_SECURITY.md](API_SECURITY.md) | diff --git a/docs/TASKS.md b/docs/TASKS.md index f70586d..29771d2 100644 --- a/docs/TASKS.md +++ b/docs/TASKS.md 
@@ -2,81 +2,88 @@ Lista detalhada de tarefas para evitar retrabalho. -> **Última Atualização:** 2024-12-24 - ---- - -## 🔥 Sprint Atual (Dezembro 2024) - -### Backend -- [ ] Corrigir migration 019 (job_payments FK) -- [ ] Atualizar Swagger docs -- [ ] Adicionar testes para novos endpoints -- [ ] Implementar rate limiting - -### Frontend -- [ ] Página de perfil editável -- [ ] Upload de currículo -- [ ] Filtros avançados na listagem de vagas -- [ ] Página de favoritos - -### Documentação -- [x] DATABASE.md - Schema completo -- [x] ROADMAP.md - Este arquivo -- [x] TASKS.md - Tarefas -- [ ] ARCHITECTURE.md - Arquitetura detalhada -- [ ] API.md - Endpoints detalhados +> **Last Updated:** 2024-12-26 --- ## ✅ Recentemente Concluído -### 2024-12-24 -- [x] **Schema Unification** - Eliminado tabelas core_* redundantes - - Removido `core_companies`, `core_users`, `core_user_roles` - - Unificado em `companies`, `users`, `user_roles` - - Atualizado 11 arquivos (migrations, repositories, seeders) +### 2024-12-26 +- [x] **Email System** + - Backend: EmailService (LavinMQ producer) + - NestJS: Email consumer + Nodemailer + - Migrations: email_settings, email_templates -- [x] **start.sh Updates** - - Opção 4: Run migrations (Node.js) - - Opção 6: Reset + Migrate + Seed completo +- [x] **Email Templates Admin UI** + - Frontend: `/dashboard/admin/email-templates` + - CRUD: List, Create, Edit, Delete -- [x] **Migration Runner** - - Criado `seeder-api/src/migrate.js` - - Suporte a erros de tabelas existentes +- [x] **Avatar Upload** + - Backend: StorageService (pre-signed URLs) + - Migration: avatar_url column + - Frontend: profileApi.uploadAvatar -- [x] **Documentação** - - DATABASE.md reescrito completo - - ROADMAP.md criado - - TASKS.md criado +- [x] **Public Job Posting** + - Frontend: `/post-job` page + - 3-step wizard (Company + Job + Confirm) -### 2024-12-23 -- [x] JWT Auth Guard no backoffice (Bearer + Cookie) -- [x] PASSWORD_PEPPER integration -- [x] Frontend auth improvements 
-- [x] seeder-api README atualizado +- [x] **Documentation** + - BACKEND.md reescrito completo + - BACKOFFICE.md reescrito completo + - API_SECURITY.md atualizado + - ROADMAP.md atualizado + +### 2024-12-25 +- [x] Profile page fixes (500 error) +- [x] Type mismatches resolved +- [x] Comprehensive logging added + +### 2024-12-24 +- [x] Ticket system integration +- [x] Settings page (Theme, Logo) +- [x] Chat tables (Appwrite) +- [x] System settings table + +--- + +## 🔥 Sprint Atual + +### Backend +- [ ] Video interviews endpoint +- [ ] AI matching algorithm +- [ ] Webhook sistema + +### Frontend +- [ ] PWA manifest +- [ ] Service worker +- [ ] Offline support + +### Backoffice +- [ ] Revenue reports +- [ ] User analytics +- [ ] Export features --- ## 🚧 Não Fazer (Evitar Retrabalho) -> ⚠️ **IMPORTANTE:** Estas tarefas NÃO devem ser feitas pois já foram resolvidas ou descartadas. +> ⚠️ **IMPORTANTE:** Estas tarefas NÃO devem ser feitas pois já foram resolvidas. | Tarefa | Motivo | |--------|--------| | Criar core_companies | REMOVIDO - Usar `companies` | | Criar core_users | REMOVIDO - Usar `users` | -| Usar UUID para users/jobs | MANTIDO SERIAL - Decisão arquitetural | -| psql para migrations | REMOVIDO - Usar `npm run migrate` | +| Email via API direta | REMOVIDO - Usar LavinMQ queue | +| Avatar upload direto | REMOVIDO - Usar pre-signed URLs | +| psql para migrations | REMOVIDO - Usar `go run ./cmd/manual_migrate` | --- ## 📝 Notas de Implementação ### IDs do Banco -- **SERIAL (INT):** users, companies, jobs, applications, regions, cities -- **UUID v4:** notifications, tickets, job_payments -- **NÃO usar UUID v7** - Não suportado pelo gen_random_uuid() +- **UUID v7:** users, companies, jobs, applications, notifications, tickets +- **SERIAL:** regions, cities, job_posting_prices ### Autenticação - Backend: JWT em HttpOnly cookie OU Authorization header 
@@ -88,10 +95,23 @@ Lista detalhada de tarefas para evitar retrabalho. - PASSWORD_PEPPER obrigatório em produção - Hash: `bcrypt.hash(password + PEPPER, 10)` +### Uploads +- Pre-signed URLs via `/api/v1/storage/upload-url` +- Direct upload to S3/R2 +- Update profile with key via PATCH + +### Emails +``` +Go Backend → Publish to LavinMQ (mail_queue) + ↓ +NestJS → Consume → Fetch template → Render → Send +``` + --- ## 🔗 Referências - [DATABASE.md](DATABASE.md) - Schema do banco - [ROADMAP.md](ROADMAP.md) - Roadmap geral -- [seeder-api/README.md](../seeder-api/README.md) - Como popular dados +- [API_SECURITY.md](API_SECURITY.md) - Segurança +- [DEVOPS.md](DEVOPS.md) - Infraestrutura
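Review bot: in the API_SECURITY.md hunk the role model is ambiguous: the Recruiter / Company Admin section requires `admin` OR `recruiter`, and the Admin / SuperAdmin section requires `superadmin` OR `admin`, so as written every company `admin` also satisfies the requirement for `/api/v1/users`, `/api/v1/system/credentials` and `/api/v1/system/cloudflare/purge`. If platform admin and company admin are distinct roles (the JWT example carries a `tenant_id`, which suggests the handlers also check tenancy), name them differently in both tables and say which middleware gates the recruiter routes, since the Access Levels table now lists only `HeaderAuthGuard` + `adminOnly` where the previous version had `RequireRoles(...)`. Also, several routes dropped out of the matrix with no removal note (`POST /api/v1/storage/download-url`, `DELETE /api/v1/storage/files`, `/api/v1/tags`, `/api/v1/candidates`, `/api/v1/audit/logins`, `/api/v1/jobs/{id}/duplicate`), and `storage/upload-url` changed from `POST` to `GET`; if any of those routes are still registered in the router, the permission matrix is incomplete and no longer works as the test checklist the document says it is.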
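Review bot: the DATABASE.md hunk switches the ID strategy to UUID v7 for core tables and raises the requirement to PostgreSQL 16+, but the note this patch deletes from TASKS.md (`NÃO usar UUID v7 - Não suportado pelo gen_random_uuid()`) still holds for 16: `gen_random_uuid()` returns v4 there, and a native `uuidv7()` only arrives in PostgreSQL 18. State where the v7 IDs are generated (application side in Go, or an extension), otherwise a reader following this doc will create tables whose column defaults silently produce v4. Minor: `30 SQL files` here versus `30+ database migrations` in the ROADMAP.md hunk; pick one number.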
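Review bot: in the DEVOPS.md secrets hunk the per-environment secrets (`DB_NAME_DEV`/`DB_NAME_HML`/`DB_NAME`, `CORS_ORIGINS_DEV`/`CORS_ORIGINS_HML`/`CORS_ORIGINS`) collapse into single `DATABASE_URL` and `CORS_ORIGINS` entries, while the Ambientes table still lists three namespaces deployed by one pipeline per branch. Document how `export-envs-to-k8s` scopes these per environment: a single `CORS_ORIGINS` value shared across dev/hml/prd puts the dev origin on the production allow-list, and a single `DATABASE_URL` points dev deploys at the production database. `DB_SSLMODE` next to `DATABASE_URL` is also redundant, since sslmode normally travels inside the URL; say which one the backend honours when both are set.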
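Review bot: in the Registry Secret hunk, removing `# Repetir para gohorsejobshml e gohorsejobs` leaves the `harbor-registry` pull secret documented for `gohorsejobsdev` only, while the Create Namespaces block still creates all three namespaces and the Deploy Checklist requires the secret in each; keep the repeat note or show the loop. Separately, `--docker-password=` on the command line writes the Harbor credential into shell history; reading it from the `HARBOR_PASSWORD` secret already defined for Drone (`--docker-password="$HARBOR_PASSWORD"`) keeps the literal value out of history.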
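Review bot: the Test Users hunk keeps plaintext seed credentials (`superadmin` / `Admin@2025!`, `takeshi_yamamoto` / `Takeshi@2025`, `paulo_santos` / `User@2025`) in a document that, after this patch, points at production (`https://api.gohorsejobs.com`, `gohorsejobs.com`) and also records the hosted database endpoint (`db-60059.dc-sp-1.absamcloud.com`, port `26868`). If the seeder is ever run against the `gohorsejobs` database these become live superadmin credentials. Move the seed logins to the seeder README, state that the seeder is dev/hml only, have the superadmin password come from a secret rather than a fixed value, and keep the DB host in the Drone `DATABASE_URL` secret instead of a committed markdown file. Minor: `version: '3.8'` in the Compose example is obsolete in Compose v2 and only produces a warning.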
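Review bot: the ROADMAP.md hunk deletes the `Bugs Conhecidos` table (#001 `job_payments` FK needing migration 019, #002 outdated Swagger) without a matching entry under Concluído. If these were fixed, record them as done together with the migration that fixed them; if not, this removal loses the only tracking of a broken foreign key. The same hunk moves rate limiting to done as `100 req/min`, which matches API_SECURITY.md, but the status column now mixes `Production Ready` with `Funcional`/`Completo`; use one language for the column.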
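Review bot: in the first TASKS.md hunk, `Corrigir migration 019 (job_payments FK)`, `Atualizar Swagger docs` and `Adicionar testes para novos endpoints` disappear from the sprint without appearing under Recentemente Concluído, while ROADMAP.md in this same patch still lists `Testes E2E completos` as backlog; either mark them done with a date or carry them into the new Sprint Atual. The `Não Fazer` table is meant to prevent rework, so the flipped ID decision (`MANTIDO SERIAL` removed, `UUID v7` for users/companies/jobs added under IDs do Banco) deserves a one-line entry of its own saying that the SERIAL decision was reversed and when.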
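Review bot: in the Uploads section of the last TASKS.md hunk, `Update profile with key via PATCH` should state that the handler validates the submitted key (issued by `/api/v1/storage/upload-url` for this user, under the user's own prefix, with an allowed content type); without that check the profile endpoint lets a user set `avatar_url` to any object in the bucket, including another user's file. On the context line `bcrypt.hash(password + PEPPER, 10)`: bcrypt only processes the first 72 bytes of its input, so a pepper appended after a long password is partially or entirely dropped; prepend it, or HMAC the password with the pepper before bcrypt, and document the chosen form here since this file is the reference for avoiding rework.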