From d86a5de2a0e851485b9852d481d9822cb4c29db8 Mon Sep 17 00:00:00 2001
From: null
Date: Wed, 17 Jun 2026 19:42:41 -0500
Subject: [PATCH] fix: deny client access to entitlement_events collection
---
 firestore.rules | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/firestore.rules b/firestore.rules
index 0fe211fb..67eb2b57 100644
--- a/firestore.rules
+++ b/firestore.rules
@@ -350,5 +350,12 @@ service cloud.firestore {
 allow delete: if isCouplesMember(coupleId);
 }
 }
+
+ // ── entitlement_events ────────────────────────────────────────────────────
+ // Cloud Functions write idempotency markers here via the Admin SDK.
+ // No client access needed — explicit deny prevents accidental future grants.
+ match /entitlement_events/{eventId} {
+ allow read, write: if false;
+ }
 }
 }
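Review bot: The comment on the new `entitlement_events` block says the explicit deny "prevents accidental future grants", but Firestore rules are additive: when several `match` statements cover the same document, access is granted if any one of them allows it, so `allow read, write: if false;` cannot override a broader rule (for example a recursive wildcard) that exists now or is added later. Because paths with no matching `allow` are already denied, this block records intent rather than enforcing anything, and the comment should say so, e.g. `// Documents intent only: rules are OR-ed, so this does not override a broader match.` The property the commit title claims is better pinned by a rules test in the emulator asserting that both authenticated and unauthenticated clients are refused read and write on `/entitlement_events/{eventId}`. The enclosing `service` and `match` blocks start outside the hunk, so whether an existing wildcard already overlaps this path cannot be checked from here.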