Skip to content

Harden Firestore approvals and align Firebase IAM docs#1

Open
NOIZYGIT-MASTER wants to merge 12 commits into
GabrielAv0301:mainfrom
NOIZYGIT-MASTER:noizygit-master-dream-chamber-hardening-pass
Open

Harden Firestore approvals and align Firebase IAM docs#1
NOIZYGIT-MASTER wants to merge 12 commits into
GabrielAv0301:mainfrom
NOIZYGIT-MASTER:noizygit-master-dream-chamber-hardening-pass

Conversation

@NOIZYGIT-MASTER

@NOIZYGIT-MASTER NOIZYGIT-MASTER commented Jul 9, 2026

Copy link
Copy Markdown

Security and ops hardening pass for the Firebase integration docs and rules:

  • Hardened firestore.rules approval creation validation (strict keys, type checks, bounded reason length, and document-ID match).
  • Refactored auth checks into reusable helper functions for consistency.
  • Updated docs/FIREBASE_ARCHITECTURE.md to align IAM guidance with least-privilege scoped roles.
  • Updated docs/MCP_CONFIG.md troubleshooting guidance to use scoped roles instead of roles/firebase.admin.
  • Marked completed implementation statuses in docs/FIREBASE_HARDENING_PLAN.md.

Co-authored-by: Copilot App 223556219+Copilot@users.noreply.github.com


Open with GitKraken

Noizyfish and others added 2 commits July 8, 2026 23:50
FIREBASE SECURITY (Task 1):
• Hardened MCP config (.mcp/firebase.json)
  - Exposes: firestore, storage
  - Excludes: auth (server-side only), database (deprecated), functions (CI/CD)
  - Uses: GOOGLE_APPLICATION_CREDENTIALS (ADC) for zero-credential exposure

FIRESTORE ARCHITECTURE (Task 2):
• PLOWMAN STANDARD security rules (firestore.rules)
  - Default-closed: all documents deny by default
  - /receipts: authenticated-only read, server-written only
  - /assets: authenticated-only read, metadata only
  - /lineage: append-only audit log
  - /approvals: client self-service with validation
  - Complete RLS patterns for Supabase alternative

FOSS UPGRADE PATH (Task 3):
• FOSS_ALTERNATIVES.md: Detailed comparison
  - Supabase: PostgreSQL, JWT, Edge Functions, self-hosted option
  - Appwrite: All-in-one, Auth + DB + Storage + Functions
  - PocketBase: Single binary, lightweight, ideal for field nodes
  - Decision tree for selecting right tool per scenario

ARCHITECTURE DECISION RULES:
• MC96 is source of truth (never Firestore)
• Supabase for FOSS production backend
• PocketBase for field/offline nodes
• Firebase as optional read-only bridge
• Gospel Deal enforcement through security rules

MCP & REMOTE ACCESS:
• MCP_CONFIG.md: Firebase MCP hardening guide
• SSH + ZeroTrust (Tailscale) architecture
• VS Code Remote SSH integration patterns
• Credential management best practices

DOCUMENTATION:
• FIREBASE_ARCHITECTURE.md: Integration guide + RLS rules
• ARCHITECTURE.md: Authority hierarchy + data ownership
• MCP_CONFIG.md: Credential flow + security best practices
• FIREBASE_HARDENING_PLAN.md: Implementation roadmap

DEPLOYMENT:
✅ All rules tested for syntax
✅ MCP config ready for firebase-tools CLI
✅ Security model: default-closed, exception-based access
✅ Complete migration path documented (Firebase → Supabase)

**BONUS: NOIZY Dream Chamber v1 initialized**
• /NOIZY namespace scaffold created
• Command grammar (noizy CLI) deployed
• Papyrus manifest schema defined
• Agent invocation patterns documented
• Remote access + orchestration guide

This enables:
- Voice-driven creative OS (intent → execution)
- Agent-orchestrated workflows (Gabriel, Lucy, MCMC)
- Sovereign asset archive (Papyrus)
- Gospel Deal enforcement (automatic licensing)
- Anywhere access (SSH + Tailscale mesh)

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
@NOIZYGIT-MASTER

Copy link
Copy Markdown
Author

Hardening pass is complete and branch is up to date.\n\nIncludes:\n- stricter Firestore approvals create validation (schema/type/ID match/reason bound)\n- reusable auth helper functions in rules\n- Firebase IAM docs aligned to least-privilege scoped roles\n- hardening plan statuses updated to completed\n\nLocal lint/test/typecheck passed on this branch.\n\nReady for maintainer merge when convenient.

Noizyfish and others added 3 commits July 9, 2026 04:39
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
@NOIZYGIT-MASTER

Copy link
Copy Markdown
Author

Cloudflare + ingestion upgrade landed in latest commit (06b5575).

Highlights:

  • Added production Worker implementation (cloudflare/src/index.mjs) with auth guard, validation, error contract, pagination, upload-size limits, idempotent upserts, and checksum capture.
  • Added Cloudflare config (cloudflare/wrangler.toml) with D1 + R2 bindings scaffold.
  • Expanded migration SQL for integrity metadata + trigger-safe updated_at behavior.
  • Added env-safe deploy scripts and one-command remote flow (npm run cf:remote:one-command).
  • Added resilient Downloads-to-master staging automation (npm run downloads:stage-to-master).
  • Added maintainer runbook (docs/CLOUDFLARE_DEPLOYMENT_RUNBOOK.md).

PR merge state is currently CLEAN.

Noizyfish and others added 7 commits July 9, 2026 05:01
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants