Security
Guardrails
- Access control: least privilege per service account; prefer OIDC / workload identity federation over long-lived keys (no downloaded JSON key files)
- AuthN: Firebase Auth (users); JWT + IAM (services)
- AuthZ: Firestore Security Rules + Express middleware (RBAC baseline)
- Network: HTTPS only
- CI/CD security: merge security updates ≤ 7 days; block PRs with known vulns
- Supply chain: lockfiles committed, no Git URL deps, npm provenance where possible
- AppSec: ESLint security rules enabled
- Monitoring: alert on auth anomalies (failed sign-ins, token verification failures), Firestore quota spikes, and Cloud Tasks retry spikes
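The "JWT + Express middleware (RBAC baseline)" guardrail, as an added example that is not the project's own code. It splits authentication (401: no valid token) from authorization (403: valid token, insufficient role), takes the role only from the verified token's custom claims, and fails closed on unknown roles. The `role` claim name, the `user < admin` hierarchy, and the injected `verifyToken` function are assumptions; in production `verifyToken` would be `admin.auth().verifyIdToken` from firebase-admin, and the stand-in verifier and tokens below are constructed so the block runs offline.

```javascript
// Added example (not the project's own code). Assumptions: the role is a custom
// claim named `role` on the verified token; `verifyToken(token)` is injected and
// throws on a bad signature or expired token (production: admin.auth().verifyIdToken).

const ROLE_RANK = { user: 1, admin: 2 }; // assumed role hierarchy; unknown roles rank undefined

// Pull the token out of an "Authorization: Bearer <token>" header; null if absent/malformed.
function extractBearer(header) {
  if (typeof header !== 'string') return null;
  const m = /^Bearer\s+(\S+)$/i.exec(header.trim());
  return m ? m[1] : null;
}

// authenticate(verifyToken) -> middleware that sets req.user or ends the request with 401.
function authenticate(verifyToken) {
  return async function (req, res, next) {
    const token = extractBearer(req.headers && req.headers.authorization);
    if (!token) return res.status(401).json({ error: 'missing bearer token' });
    try {
      const claims = await verifyToken(token);
      // Default to the least-privileged role when the claim is absent.
      req.user = { uid: claims.uid, role: claims.role || 'user' };
      return next();
    } catch (e) {
      return res.status(401).json({ error: 'invalid token' });
    }
  };
}

// requireRole(minRole) -> middleware that answers 403 unless req.user.role ranks >= minRole.
// The role comes only from req.user (set from the verified token), never from body or query.
function requireRole(minRole) {
  return function (req, res, next) {
    const have = req.user && ROLE_RANK[req.user.role];
    const need = ROLE_RANK[minRole];
    if (!have || !need || have < need) return res.status(403).json({ error: 'forbidden' });
    return next();
  };
}

// Constructed stand-in verifier for offline demonstration: only two fixed tokens verify.
const FAKE_TOKENS = {
  'tok-alice': { uid: 'alice', role: 'admin' },
  'tok-bob': { uid: 'bob' }, // no role claim -> treated as 'user'
};
async function fakeVerify(token) {
  if (!Object.prototype.hasOwnProperty.call(FAKE_TOKENS, token)) throw new Error('bad token');
  return FAKE_TOKENS[token];
}

// Minimal Express-like response shim so the chain can run without the express package.
function makeRes() {
  const res = { statusCode: 200, body: null };
  res.status = (c) => { res.statusCode = c; return res; };
  res.json = (b) => { res.body = b; return res; };
  return res;
}

// runChain(authorizationHeader, minRole) -> { status, uid } after running both middlewares
// in order, exactly as app.get(path, authenticate(v), requireRole(r), handler) would.
async function runChain(authorizationHeader, minRole) {
  const req = { headers: { authorization: authorizationHeader } };
  const res = makeRes();
  let reached = false;
  await authenticate(fakeVerify)(req, res, async () => {
    requireRole(minRole)(req, res, () => { reached = true; });
  });
  return { status: reached ? 200 : res.statusCode, uid: reached ? req.user.uid : null };
}
```

In an Express app the same two functions are mounted per route, for example `app.get('/admin/users', authenticate(verify), requireRole('admin'), handler)`, with `verify` bound to the real Firebase Admin verifier; the 401/403 split keeps "auth anomalies" distinguishable in the monitoring alerts listed above.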
Firestore rules baseline:
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // A signed-in user may read and update only their own profile document.
    match /users/{userId} {
      allow read, update: if request.auth != null && request.auth.uid == userId;
      // Creation is tied to the caller's own uid as well; `request.auth != null`
      // alone would let any signed-in user create a document under another user's id.
      allow create: if request.auth != null && request.auth.uid == userId;
      // Never allow deletes from clients (the Admin SDK is not subject to these rules).
      allow delete: if false;
      // Caveat: if a role or other privileged field lives on this document,
      // add a field-level check so a user cannot update it and elevate themselves.
    }
    // Paths without a matching rule are denied by default.
  }
}
LLM Notes
- Always include auth checks in examples. Do not bypass rules or suggest wildcard access.