fix: ajustes de botão de ajuda e login

.claude/settings.local.json

@@ -34,7 +34,8 @@
       "Bash(netstat:*)",
       "Bash(ss:*)",
       "Bash(lsof:*)",
-      "Bash(dotnet run:*)"
+      "Bash(dotnet run:*)",
+      "Bash(dotnet user-secrets:*)"
     ]
   },
   "enableAllProjectMcpServers": false

src/BCards.Web/Areas/Support/ViewComponents/SupportFabViewComponent.cs

@@ -20,10 +20,18 @@ public class SupportFabViewComponent : ViewComponent
         try
         {
             var userId = UserClaimsPrincipal?.FindFirst(ClaimTypes.NameIdentifier)?.Value;
+
+            // Não mostrar botão de ajuda para usuários não autenticados
+            if (string.IsNullOrEmpty(userId))
+            {
+                _logger.LogDebug("SupportFab não exibido - usuário não autenticado");
+                return Content(string.Empty);
+            }
+
             var options = await _supportService.GetAvailableOptionsAsync(userId);
 
             _logger.LogDebug("SupportFab invocado para usuário {UserId} - Opções: Rating={CanRate}, Form={CanUseContactForm}, Telegram={CanAccessTelegram}",
-                userId ?? "anônimo", options.CanRate, options.CanUseContactForm, options.CanAccessTelegram);
+                userId, options.CanRate, options.CanUseContactForm, options.CanAccessTelegram);
 
             return View(options);
         }

src/BCards.Web/Program.cs

@@ -309,8 +309,18 @@ authBuilder.AddCookie(options =>
     options.SlidingExpiration = true;
     options.Cookie.HttpOnly = true;
     options.Cookie.IsEssential = true;
-    options.Cookie.SameSite = SameSiteMode.None; // Para Cloudflare
-    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
+
+    // SameSite: None para produção (Cloudflare), Lax para desenvolvimento (OAuth local)
+    if (builder.Environment.IsDevelopment())
+    {
+        options.Cookie.SameSite = SameSiteMode.Lax;
+        options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest; // Permite HTTP em dev
+    }
+    else
+    {
+        options.Cookie.SameSite = SameSiteMode.None; // Para Cloudflare
+        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
+    }
 });
 
 // Always register Google and Microsoft authentication schemes
@@ -612,11 +622,11 @@ app.Use(async (context, next) =>
 
     // Content Security Policy - Protects against XSS attacks
     var csp = "default-src 'self'; " +
-              "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net https://code.jquery.com https://cdn.jsdelivr.net/npm/bootstrap@5.3.2 https://accounts.google.com https://apis.google.com; " +
-              "style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://fonts.googleapis.com https://cdn.jsdelivr.net/npm/bootstrap@5.3.2; " +
+              "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net https://code.jquery.com https://cdn.jsdelivr.net/npm/bootstrap@5.3.2 https://accounts.google.com https://apis.google.com https://www.clarity.ms https://static.cloudflareinsights.com; " +
+              "style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://fonts.googleapis.com https://cdn.jsdelivr.net/npm/bootstrap@5.3.2 https://cdnjs.cloudflare.com; " +
               "img-src 'self' data: https: blob:; " +
-              "font-src 'self' https://fonts.gstatic.com https://cdn.jsdelivr.net; " +
-              "connect-src 'self' https://accounts.google.com https://apis.google.com https://login.microsoftonline.com; " +
+              "font-src 'self' https://fonts.gstatic.com https://cdn.jsdelivr.net https://cdnjs.cloudflare.com; " +
+              "connect-src 'self' https://accounts.google.com https://apis.google.com https://login.microsoftonline.com https://www.clarity.ms; " +
               "frame-src 'self' https://accounts.google.com https://login.microsoftonline.com; " +
               "object-src 'none'; " +
               "base-uri 'self'; " +