diff --git a/firestore.rules b/firestore.rules index 0fe211fb..67eb2b57 100644 --- a/firestore.rules +++ b/firestore.rules @@ -350,5 +350,12 @@ service cloud.firestore { allow delete: if isCouplesMember(coupleId); } } + + // ── entitlement_events ──────────────────────────────────────────────────── + // Cloud Functions write idempotency markers here via the Admin SDK. + // No client access needed — explicit deny prevents accidental future grants. + match /entitlement_events/{eventId} { + allow read, write: if false; + } } }