firestore.rules

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    
    // Helper function to check if user is authenticated
    function isAuthenticated() {
      return request.auth != null;
    }

    // Helper to check if the document belongs to the signed-in user
    function isOwner(userId) {
      return request.auth.uid == userId;
    }

    // User Settings: Each user owns their own document (keyed by uid)
    match /users/{userId} {
      allow read, write: if isAuthenticated() && isOwner(userId);
    }

    // Survey Memory rules: Users can read all (sharing intelligence), 
    // but only write/update their own entries or increment weights.
    match /survey_memory/{document} {
      allow read: if isAuthenticated();
      allow create: if isAuthenticated();
      allow update: if isAuthenticated(); 
    }

    // Thoughts rules: Strictly user-scoped for privacy
    match /thoughts/{document} {
      allow read: if isAuthenticated() && isOwner(resource.data.userId);
      allow create: if isAuthenticated() && isOwner(request.resource.data.userId);
      allow update, delete: if isAuthenticated() && isOwner(resource.data.userId);
    }

    // Task Queue rules: Strictly user-scoped
    match /task_queues/{document} {
      allow read: if isAuthenticated() && (resource == null || isOwner(resource.data.userId));
      allow write, delete: if isAuthenticated() && (resource == null || isOwner(resource.data.userId));
    }

    // Browser Tabs: Sync across devices
    match /browser_tabs/{document} {
      allow read: if isAuthenticated() && (resource == null || isOwner(resource.data.userId));
      allow create: if isAuthenticated() && isOwner(request.resource.data.userId);
      allow update: if isAuthenticated() && isOwner(resource.data.userId) && isOwner(request.resource.data.userId);
      allow delete: if isAuthenticated() && (resource == null || isOwner(resource.data.userId));
    }

    // Missions: Persistent AI missions
    match /missions/{document} {
      allow read: if isAuthenticated() && isOwner(resource.data.userId);
      allow write: if isAuthenticated() && (resource == null || isOwner(resource.data.userId)) && isOwner(request.resource.data.userId);
    }

    // Routines: Saved browser workflows
    match /routines/{document} {
      allow read: if isAuthenticated() && isOwner(resource.data.userId);
      allow write: if isAuthenticated() && (resource == null || isOwner(resource.data.userId)) && isOwner(request.resource.data.userId);
    }

    // User Sessions: Presence and status
    match /user_sessions/{documentId} {
      allow read: if isAuthenticated() && isOwner(documentId);
      allow write: if isAuthenticated() && isOwner(documentId);
    }

    // Mission Outcomes: Individual learning
    match /mission_outcomes/{document} {
      allow read: if isAuthenticated() && isOwner(resource.data.userId);
      allow write: if isAuthenticated() && (resource == null || isOwner(resource.data.userId)) && isOwner(request.resource.data.userId);
    }

    // Global Knowledge: Anonymous shared learning
    match /global_knowledge/{document} {
      allow read: if isAuthenticated();
      allow create: if isAuthenticated(); 
      allow update, delete: if false; 
    }

    // User Knowledge: Universal hierarchical context (Private)
    match /user_knowledge/{document} {
      allow read: if isAuthenticated() && isOwner(resource.data.userId);
      allow write: if isAuthenticated() && (resource == null || isOwner(resource.data.userId)) && isOwner(request.resource.data.userId);
    }
  }
}