Closer/docs
null 5f7c785f5c docs(manual): batch 5 review — 3 missing rule helpers + releaseKeys sender-read fix
The Firestore security rules Helper functions table was missing 3
helpers that the rules file actually exports:
  - otherCoupleMember(coupleId, uid) - the partner of a couple
  - partnerReflectedDate(coupleId, dateId, uid) - has the partner
    already reflected on a date reflection?
  - isPublicKey(value) - matches the pub:v1:... wire format for the
    ECIES P-256 public key write to users/{uid}/devices/primary

The isPublicKey regex I added at first was wrong (I wrote
'pub:v1:[A-Za-z0-9_-]+={0,2}$' but the real one is
'pub:v1:[A-Za-z0-9_-]{40,}$' - 40-char minimum, no padding).
Corrected.

The releaseKeys per-collection enforcement said 'readable only by the
named recipient' but the rule actually allows the sender (answer
owner) to read their own releaseKeys doc as well - the rule comment
explains: writeReleaseKey does an idempotency existence-check get()
before writing, and without the sender-read allowance that get()
returned PERMISSION_DENIED and releaseOwnKey threw, breaking the
daily reveal. The keybox is ECIES-encrypted to the recipient, so
the sender reading it leaks nothing.

Other Batch 5 claims verified clean:
- All 25 helpers in the table exist in firestore.rules
  (isSignedIn through isUpdatingCoupleRhythm).
- users/{uid}/fcmTokens/{tokenId}: isOwner(uid) for read+write.
- users/{uid}/devices/{deviceId}: read = isOwner(uid) OR same-couple
  partner; create/update = isOwner(uid).
- invites/{code}: read = isSignedIn() && inviter match; writes denied.
- couples/{coupleId}: create requires E2EE field presence, update via
  isUpdatingCoupleRhythm OR isUpdatingRecoveryWrap only; delete denied.
- daily_question/{date}/answers/{userId}: metadata-only fields
  (userId/questionId/answerType/schemaVersion/answerDate/createdAt/
  updatedAt/isRevealed) per isCoupleKeyAnswerCreate.
- couples/{coupleId}/{this_or_that|desire_sync|how_well|wheel} wildcard
  match: answers map keyed by uid, enc:v1: per user, plus
  categoryName/questions, requires coupleEncryptionEnabled.
- entitlement_events/{eventId}: allow read,write = false (no client).
2026-07-08 23:24:38 -05:00
..
brand docs(store): sharpen privacy promise in README banner 2026-07-08 23:11:36 -05:00
crypto docs(crypto): key-storage migration design (design-only, gated) 2026-07-06 21:08:52 -05:00
qa feat: signup flow, age gate, user model updates, how well screen, game prompt banner 2026-07-02 02:42:55 -05:00
release docs(store): rename marketing assets to Closer Couples 2026-07-08 22:01:10 -05:00
screenshots docs(readme): refresh daily question screenshots 2026-07-08 14:53:12 -05:00
store docs(store): sharpen privacy promise in README banner 2026-07-08 23:11:36 -05:00
Engineering_Reference_Manual.md docs(manual): batch 5 review — 3 missing rule helpers + releaseKeys sender-read fix 2026-07-08 23:24:38 -05:00
NameChange.md docs(store): sharpen privacy promise in README banner 2026-07-08 23:11:36 -05:00
copy-guide.md docs: brand identity, copy guide, release checklists, store assets, README 2026-06-21 17:56:46 -05:00
date-planning-roadmap.md feat(dates): add Date Match MVP Phase 1 — swipe UI, Firestore models, 30+ seed ideas, match reveal 2026-06-16 23:30:58 -05:00
standardization-review.md docs: update standardization review to completed state 2026-07-06 22:19:33 -05:00