diff --git a/App.tsx b/App.tsx
index a4f6728..70acd7a 100644
--- a/App.tsx
+++ b/App.tsx
@@ -1,34 +1,48 @@
-import React, { useState, useEffect } from 'react';
-import { HashRouter as Router, Routes, Route, Navigate, useLocation } from 'react-router-dom';
-import { Layout } from './components/Layout';
-import { Dashboard } from './pages/Dashboard';
-import { UserDetail } from './pages/UserDetail';
-import { AttendanceDetail } from './pages/AttendanceDetail';
-import { SuperAdmin } from './pages/SuperAdmin';
-import { ApiKeys } from './pages/ApiKeys';
-import { TeamManagement } from './pages/TeamManagement';
-import { Teams } from './pages/Teams';
-import { Funnels } from './pages/Funnels';
-import { Origins } from './pages/Origins';
-import { Login } from './pages/Login';
-import { ForgotPassword } from './pages/ForgotPassword';
-import { ResetPassword } from './pages/ResetPassword';
-import { SetupAccount } from './pages/SetupAccount';
-import { UserProfile } from './pages/UserProfile';
-import { getUserById, logout } from './services/dataService';
-import { User } from './types';
+import React, { useState, useEffect } from "react";
+import {
+  HashRouter as Router,
+  Routes,
+  Route,
+  Navigate,
+  useLocation,
+} from "react-router-dom";
+import { Layout } from "./components/Layout";
+import { Dashboard } from "./pages/Dashboard";
+import { UserDetail } from "./pages/UserDetail";
+import { AttendanceDetail } from "./pages/AttendanceDetail";
+import { SuperAdmin } from "./pages/SuperAdmin";
+import { ApiKeys } from "./pages/ApiKeys";
+import { TeamManagement } from "./pages/TeamManagement";
+import { Teams } from "./pages/Teams";
+import { Funnels } from "./pages/Funnels";
+import { Origins } from "./pages/Origins";
+import { Login } from "./pages/Login";
+import { ForgotPassword } from "./pages/ForgotPassword";
+import { ResetPassword } from "./pages/ResetPassword";
+import { SetupAccount } from "./pages/SetupAccount";
+import { UserProfile } from "./pages/UserProfile";
+import { getUserById, logout } from "./services/dataService";
+import { User } from "./types";
 
-const AuthGuard: React.FC<{ children: React.ReactNode, roles?: string[] }> = ({ children, roles }) => {
+const AuthGuard: React.FC<{ children: React.ReactNode; roles?: string[] }> = ({
+  children,
+  roles,
+}) => {
   const [user, setUser] = useState<User | null>(null);
   const [loading, setLoading] = useState(true);
   const location = useLocation();
 
   useEffect(() => {
     const checkAuth = async () => {
-      const storedUserId = localStorage.getItem('ctms_user_id');
-      const storedToken = localStorage.getItem('ctms_token');
+      const storedUserId = localStorage.getItem("ctms_user_id");
+      const storedToken = localStorage.getItem("ctms_token");
 
-      if (!storedUserId || !storedToken || storedToken === 'undefined' || storedToken === 'null') {
+      if (
+        !storedUserId ||
+        !storedToken ||
+        storedToken === "undefined" ||
+        storedToken === "null"
+      ) {
         if (storedToken) logout(); // Limpar se for "undefined" string
         setLoading(false);
         return;
@@ -37,7 +51,7 @@ const AuthGuard: React.FC<{ children: React.ReactNode, roles?: string[] }> = ({
       try {
         const fetchedUser = await getUserById(storedUserId);
         if (fetchedUser) {
-          if (fetchedUser.status === 'active') {
+          if (fetchedUser.status === "active") {
             setUser(fetchedUser);
           } else {
             // User explicitly marked inactive or deleted
@@ -53,7 +67,7 @@ const AuthGuard: React.FC<{ children: React.ReactNode, roles?: string[] }> = ({
         }
       } catch (err) {
         console.error("Auth check failed (network/server error):", err);
-        // DO NOT logout() here. If the server is offline or restarting, 
+        // DO NOT logout() here. If the server is offline or restarting,
         // we shouldn't wipe the user's local storage tokens.
         // We just leave the user as null, which will redirect them to login,
         // but their tokens remain so they can auto-login when the server is back.
@@ -66,7 +80,11 @@ const AuthGuard: React.FC<{ children: React.ReactNode, roles?: string[] }> = ({
   }, [location.pathname]);
 
   if (loading) {
-    return <div className="flex h-screen items-center justify-center bg-zinc-50 dark:bg-zinc-950 text-zinc-400">Carregando...</div>;
+    return (
+      <div className="flex h-screen items-center justify-center bg-zinc-50 dark:bg-zinc-950 text-zinc-400">
+        Carregando...
+      </div>
+    );
   }
 
   if (!user) {
@@ -78,7 +96,7 @@ const AuthGuard: React.FC<{ children: React.ReactNode, roles?: string[] }> = ({
   }
 
   // Auto-redirect Super Admins away from the standard dashboard to their specific panel
-  if (location.pathname === '/' && user.role === 'super_admin') {
+  if (location.pathname === "/" && user.role === "super_admin") {
     return <Navigate to="/super-admin" replace />;
   }
 
@@ -93,16 +111,86 @@ const App: React.FC = () => {
         <Route path="/forgot-password" element={<ForgotPassword />} />
         <Route path="/reset-password" element={<ResetPassword />} />
         <Route path="/setup-account" element={<SetupAccount />} />
-        <Route path="/" element={<AuthGuard><Dashboard /></AuthGuard>} />
-        <Route path="/admin/users" element={<AuthGuard roles={['super_admin', 'admin', 'manager']}><TeamManagement /></AuthGuard>} />
-        <Route path="/admin/teams" element={<AuthGuard roles={['super_admin', 'admin', 'manager']}><Teams /></AuthGuard>} />
-        <Route path="/admin/funnels" element={<AuthGuard roles={['super_admin', 'admin', 'manager']}><Funnels /></AuthGuard>} />
-        <Route path="/admin/origins" element={<AuthGuard roles={['super_admin', 'admin', 'manager']}><Origins /></AuthGuard>} />
-        <Route path="/users/:id" element={<AuthGuard><UserDetail /></AuthGuard>} />
-        <Route path="/attendances/:id" element={<AuthGuard><AttendanceDetail /></AuthGuard>} />
-        <Route path="/super-admin" element={<AuthGuard roles={['super_admin']}><SuperAdmin /></AuthGuard>} />
-        <Route path="/super-admin/api-keys" element={<AuthGuard roles={['super_admin']}><ApiKeys /></AuthGuard>} />
-        <Route path="/profile" element={<AuthGuard><UserProfile /></AuthGuard>} />
+        <Route
+          path="/"
+          element={
+            <AuthGuard>
+              <Dashboard />
+            </AuthGuard>
+          }
+        />
+        <Route
+          path="/admin/users"
+          element={
+            <AuthGuard roles={["super_admin", "admin", "manager"]}>
+              <TeamManagement />
+            </AuthGuard>
+          }
+        />
+        <Route
+          path="/admin/teams"
+          element={
+            <AuthGuard roles={["super_admin", "admin", "manager"]}>
+              <Teams />
+            </AuthGuard>
+          }
+        />
+        <Route
+          path="/admin/funnels"
+          element={
+            <AuthGuard roles={["super_admin", "admin"]}>
+              <Funnels />
+            </AuthGuard>
+          }
+        />
+        <Route
+          path="/admin/origins"
+          element={
+            <AuthGuard roles={["super_admin", "admin"]}>
+              <Origins />
+            </AuthGuard>
+          }
+        />
+        <Route
+          path="/users/:id"
+          element={
+            <AuthGuard>
+              <UserDetail />
+            </AuthGuard>
+          }
+        />
+        <Route
+          path="/attendances/:id"
+          element={
+            <AuthGuard>
+              <AttendanceDetail />
+            </AuthGuard>
+          }
+        />
+        <Route
+          path="/super-admin"
+          element={
+            <AuthGuard roles={["super_admin"]}>
+              <SuperAdmin />
+            </AuthGuard>
+          }
+        />
+        <Route
+          path="/super-admin/api-keys"
+          element={
+            <AuthGuard roles={["super_admin"]}>
+              <ApiKeys />
+            </AuthGuard>
+          }
+        />
+        <Route
+          path="/profile"
+          element={
+            <AuthGuard>
+              <UserProfile />
+            </AuthGuard>
+          }
+        />
         <Route path="*" element={<Navigate to="/" replace />} />
       </Routes>
     </Router>
diff --git a/GEMINI.md b/GEMINI.md
index 974bc1b..af37a0c 100644
--- a/GEMINI.md
+++ b/GEMINI.md
@@ -7,38 +7,44 @@ Fasto is a commercial team management system built with React (Vite) on the fron
 We have transitioned from a mock-based prototype to a **secure, multi-tenant production architecture**:
 
 - **Multi-Tenancy & Data Isolation:** All backend routes (Users, Teams, Attendances) now strictly enforce `tenant_id` checks. It is technically impossible for one organization to query data from another.
-- **God Mode (Tenant Impersonation):** Super Admins can securely impersonate Tenant Admins via a specialized, temporary JWT (`/api/impersonate/:tenantId`). This allows seamless cross-domain support without storing passwords, while strictly maintaining state isolation through forced React reloads and locking mechanisms.
-- **Dynamic Funnel Customization:** 
-  - Funnel stages are no longer hardcoded ENUMs. Each tenant can create multiple dynamic funnels via the `funnels` and `funnel_stages` tables.
-  - Managers can assign specific Teams to specific Funnels.
-  - The Dashboard, User Detail, and Attendance Detail pages now dynamically map and color-code stages based on the active team's assigned funnel.
-- **Real-Time Notification System:** 
-  - Built a persistent notification tray (`/api/notifications`) with real-time polling (10s intervals) and a hidden HTML5 `<audio>` player for cross-browser sound playback.
-  - Automated Triggers: Super Admins are notified of new organizations; Tenant Admins/Managers are notified of new user setups; Users are notified of team assignment changes.
-- **Role-Based Access Control (RBAC):**
-  - **Super Admin:** Global management of all tenants and users (via the hidden `system` tenant).
-  - **Admin/Manager:** Full control over members and teams within their specific organization.
+- **Advanced 2-Token Authentication (Rolling Sessions):**
+  - Replaced the vulnerable 1-year static JWT with a highly secure dual-token system.
+  - Generates a short-lived `AccessToken` (15 min) and a stateful `RefreshToken` (30 days) stored in the DB (`refresh_tokens` table).
+  - Built an Axios-like `apiFetch` interceptor on the frontend that automatically catches 401 Unauthorized errors, fetches a new Access Token in the background, extends the Refresh Token by another 30 days (Sliding Expiration), and retries the original request without logging the user out.
+  - Full remote revocation capability (Logout drops the token from the DB immediately).
+- **God Mode (Tenant Impersonation):** Super Admins can securely impersonate Tenant Admins via a specialized, temporary JWT (`/api/impersonate/:tenantId`). This allows seamless cross-domain support without storing passwords.
+- **Role-Based Access Control (RBAC) Simplification:**
+  - Removed the redundant 'owner' role. The system now strictly relies on 4 tiers:
+  - **Super Admin:** Global management of all tenants and API keys (via the hidden `system` tenant).
+  - **Admin:** Full control over members, teams, funnels, and origins within their specific organization.
+  - **Manager:** Mid-level control. Can edit basic info of users in their specific team, but cannot change user roles or re-assign users to different teams (only Admins can).
   - **Agent:** Restricted access. Can only view their own performance metrics and historical attendances.
+- **Dynamic Funnel & Origin Managers:** 
+  - Funnel stages and Lead Origins are no longer hardcoded ENUMs. Each tenant can create multiple dynamic funnel/origin groups via relational tables (`funnels`, `funnel_stages`, `origin_groups`, `origin_items`).
+  - Admins can customize the exact Tailwind color class (e.g., "bg-green-100") for each stage and origin via visual UI pickers.
+  - Admins assign specific Teams to specific Funnels/Origin Groups.
+  - The Dashboard pie charts and data tables strictly filter and color-code data based on the active team's configuration. Deleted data falls back to an "Outros" category to prevent chart breakage.
+- **n8n / External API Webhooks (Completed):** 
+  - Super Admins can generate persistent `api_keys` for specific tenants.
+  - `GET /api/integration/users`, `/funnels`, and `/origins` allow the n8n AI to dynamically map the tenant's actual agents and workflow stages before processing a chat.
+  - `POST /api/integration/attendances` accepts the AI's final JSON payload (including the `full_summary` text) and injects it directly into the dashboard.
+- **Real-Time Notification System:** 
+  - Built a persistent notification tray (`/api/notifications`) with real-time polling (10s intervals) and a hidden HTML5 `<audio>` player for cross-browser sound playback (custom `.mp3` loaded via Vite).
+  - Automated Triggers: Super Admins are notified of new organizations; Admins/Super Admins are notified of new user setups; Agents are notified of team assignment changes; Managers get "Venda Fechada" alerts when n8n posts a converted lead.
 - **Enhanced UI/UX:** 
-  - Premium "Onyx & Gold" True Black dark mode.
+  - Premium "Onyx & Gold" True Black dark mode (Zinc scale).
   - Fully collapsible interactive sidebar with memory (`localStorage`).
-  - Action buttons across all data tables are permanently visible for faster discoverability (removed hover requirements).
-  - Loading states embedded directly into action buttons to prevent double-submissions.
-- **Secure File Uploads:** Profile avatars use `multer` with strict mimetype validation (JPG/PNG/WEBP), 2MB size limits, and UUID generation.
+  - All Date/Time displays localized to strict Brazilian formatting (`pt-BR`, 24h, `DD/MM/YY`).
 
 ## 📌 Roadmap / To-Do
-- [ ] **n8n / External API Integration (Priority 1):** 
-  - Create an `api_keys` table to allow generating persistent, secure API keys for each Tenant.
-  - Build `GET /api/integration/users` so n8n can map its chat agents to Fasto's internal `user_id`s.
-  - Build `POST /api/integration/attendances` to allow n8n to programmatically create new attendances linked to specific tenants and users.
-- [ ] **Sales & Quality Notification Triggers:** Implement backend logic to automatically notify Managers when an attendance is marked as "Won" (Ganhos), receives a critically low quality score, or breaches a specific Response Time SLA.
+- [ ] **Advanced AI Notification Triggers:** Implement backend logic to automatically notify Managers when an attendance payload from n8n receives a critically low quality score (`score < 50`), or breaches a specific Response Time SLA (e.g., `first_response_time_min > 60`).
 - [ ] **Data Export/Reporting:** Allow Admins to export attendance and KPI data to CSV/Excel.
 - [ ] **Billing/Subscription Management:** Integrate a payment gateway (e.g., Stripe/Asaas) to manage tenant trial periods and active statuses dynamically.
 
 ## 🛠 Architecture
 - **Frontend**: React 19, TypeScript, Vite, TailwindCSS (CDN), Recharts, Lucide React.
 - **Backend**: Node.js, Express, MySQL2 (Pool-based), Nodemailer.
-- **Database**: MySQL 8.0 (Schema: `fasto_db`).
+- **Database**: MySQL 8.0 (Schema: `fasto_db` or `agenciac_comia` depending on `.env`).
 - **Deployment**: Docker Compose for local development; Gitea Actions for CI/CD pushing to a Gitea Registry and deploying via Portainer webhook.
 
 ## 📋 Prerequisites
@@ -55,7 +61,7 @@ cp .env.example .env
 *Note:* The backend automatically strips literal quotes from Docker `.env` string values (like `SMTP_PASS`) to prevent authentication crashes.
 
 ### 2. Database
-The project expects a MySQL database. The `docker-compose.local.yml` initializes it. The Node.js backend automatically runs non-destructive schema migrations on startup (adding tables like `notifications`, `funnels`, `funnel_stages`, and modifying `attendances`).
+The project expects a MySQL database. The Node.js backend automatically runs non-destructive schema migrations on startup (adding tables like `refresh_tokens`, `api_keys`, `origin_groups`, etc.).
 
 ### 3. Running Locally (Docker Compose)
 To start the application and database locally:
diff --git a/backend/index.js b/backend/index.js
index a0013c6..db523c7 100644
--- a/backend/index.js
+++ b/backend/index.js
@@ -136,14 +136,17 @@ const authenticateToken = async (req, res, next) => {
 
   if (!token) return res.status(401).json({ error: 'Token não fornecido.' });
 
-  jwt.verify(token, JWT_SECRET, (err, user) => {
-    if (err) return res.status(401).json({ error: 'Token inválido ou expirado.' });
+  try {
+    const user = jwt.verify(token, JWT_SECRET);
     req.user = user;
     next();
-  });
+  } catch (err) {
+    return res.status(401).json({ error: 'Token inválido ou expirado.' });
+  }
 };
 
 const requireRole = (roles) => (req, res, next) => {
+  if (!req.user || !req.user.role) return res.status(401).json({ error: 'Não autenticado.' });
   if (!roles.includes(req.user.role)) return res.status(403).json({ error: 'Acesso negado. Você não tem permissão para realizar esta ação.' });
   next();
 };
@@ -457,7 +460,7 @@ apiRouter.get('/users/:idOrSlug', async (req, res) => {
   try {
     const [rows] = await pool.query('SELECT * FROM users WHERE id = ? OR slug = ?', [req.params.idOrSlug, req.params.idOrSlug]);
     if (!rows || rows.length === 0) return res.status(404).json({ error: 'Not found' });
-    if (!req.user) return res.status(401).json({ error: 'Não autenticado' });
+    if (!req.user || !req.user.role) return res.status(401).json({ error: 'Não autenticado' });
     
     if (req.user.role !== 'super_admin' && rows[0].tenant_id !== req.user.tenant_id) {
       return res.status(403).json({ error: 'Acesso negado.' });
diff --git a/components/Layout.tsx b/components/Layout.tsx
index 5761146..e3b6729 100644
--- a/components/Layout.tsx
+++ b/components/Layout.tsx
@@ -239,8 +239,12 @@ export const Layout: React.FC<{ children: React.ReactNode }> = ({ children }) =>
                 <>
                   <SidebarItem to="/admin/users" icon={Users} label="Membros" collapsed={isSidebarCollapsed} />
                   <SidebarItem to="/admin/teams" icon={Building2} label={currentUser.role === 'manager' ? 'Meu Time' : 'Times'} collapsed={isSidebarCollapsed} />
-                  <SidebarItem to="/admin/funnels" icon={Layers} label="Gerenciar Funis" collapsed={isSidebarCollapsed} />
-                  <SidebarItem to="/admin/origins" icon={Target} label="Origens de Lead" collapsed={isSidebarCollapsed} />
+                  {currentUser.role !== 'manager' && (
+                    <>
+                      <SidebarItem to="/admin/funnels" icon={Layers} label="Gerenciar Funis" collapsed={isSidebarCollapsed} />
+                      <SidebarItem to="/admin/origins" icon={Target} label="Origens de Lead" collapsed={isSidebarCollapsed} />
+                    </>
+                  )}
                 </>
               )}
             </>
diff --git a/docker-compose.yml b/docker-compose.yml
index 47e820a..cbc73d9 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,4 +1,4 @@
-version: '3.8'
+version: "3.8"
 
 services:
   app:
@@ -43,6 +43,23 @@ services:
     networks:
       - fasto-net
 
+  backup-mysql:
+    image: databack/mysql-backup
+    environment:
+      DB_SERVER: db
+      DB_USER: root
+      DB_PASS: ${DB_PASSWORD:-root_password}
+      DB_DUMP_CRON: "55 2 * * *" # Roda todo dia exatamente às 02:55 da manhã
+      DB_CLEANUP_TIME: 4320 # Apaga os locais mais velhos que 3 dias
+    volumes:
+      - /root/backups_db:/db
+    networks:
+      - fasto-net
+    deploy:
+      placement:
+        constraints:
+          - node.role == manager
+
 volumes:
   db_data:
 
diff --git a/pages/UserProfile.tsx b/pages/UserProfile.tsx
index 515fb0a..8597ce3 100644
--- a/pages/UserProfile.tsx
+++ b/pages/UserProfile.tsx
@@ -202,9 +202,17 @@ export const UserProfile: React.FC = () => {
                       id="fullName"
                       value={name}
                       onChange={(e) => setName(e.target.value)}
-                      className="block w-full pl-10 pr-3 py-2 border border-zinc-200 dark:border-zinc-800 rounded-lg bg-white dark:bg-zinc-950 text-zinc-900 dark:text-zinc-100 placeholder-zinc-400 dark:placeholder-zinc-600 focus:outline-none focus:ring-2 focus:ring-yellow-400/20 focus:border-yellow-400 transition-all sm:text-sm"
+                      disabled={user.role === 'agent'}
+                      className={`block w-full pl-10 pr-3 py-2 border border-zinc-200 dark:border-zinc-800 rounded-lg sm:text-sm transition-all ${
+                        user.role === 'agent' 
+                          ? 'bg-zinc-50 dark:bg-zinc-900/50 text-zinc-500 dark:text-zinc-500 cursor-not-allowed'
+                          : 'bg-white dark:bg-zinc-950 text-zinc-900 dark:text-zinc-100 placeholder-zinc-400 dark:placeholder-zinc-600 focus:outline-none focus:ring-2 focus:ring-yellow-400/20 focus:border-yellow-400'
+                      }`}
                     />
                   </div>
+                  {user.role === 'agent' && (
+                    <p className="text-xs text-zinc-400 dark:text-zinc-500 mt-1">Contate um administrador para alterar seu nome.</p>
+                  )}
                 </div>
 
                 <div className="space-y-2">