Merge pull request #10 from VectorInstitute/add_firestore_rules

Add firestore db rules

Author: amrit110

.gitignore

@@ -30,3 +30,4 @@ terraform.tfvars
 .terraform.tfstate.lock.info
 
 .coder
+keys/

.python-version

@@ -0,0 +1 @@
+3.12

config/firestore.rules

@@ -0,0 +1,57 @@
+rules_version = '2';
+
+service cloud.firestore {
+  match /databases/{database}/documents {
+
+    // Helper function to check if user is authenticated
+    function isAuthenticated() {
+      return request.auth != null;
+    }
+
+    // Helper function to get GitHub handle from auth
+    // Assumes GitHub auth is being used with Coder
+    function getGitHubHandle() {
+      return request.auth.token.github_handle;
+    }
+
+    // Helper function to get the user's team name from their participant document
+    function getUserTeam() {
+      let participantDoc = get(/databases/$(database)/documents/participants/$(getGitHubHandle()));
+      return participantDoc.data.team_name;
+    }
+
+    // Helper function to check if user belongs to a specific team
+    function isUserTeam(teamName) {
+      return isAuthenticated() && getUserTeam() == teamName;
+    }
+
+    // Global keys collection - read-only for all authenticated users
+    match /global_keys/{document=**} {
+      allow read: if isAuthenticated();
+      allow write: if false; // Only admins via backend
+    }
+
+    // Teams collection - users can only read their own team's data
+    match /teams/{teamId} {
+      // Users can only read their own team (which contains API keys)
+      allow read: if isUserTeam(teamId);
+      allow write: if false; // Only admins via backend
+    }
+
+    // Participants collection
+    match /participants/{participantId} {
+      // Users can read their own participant document
+      allow read: if isAuthenticated() &&
+                     participantId == getGitHubHandle();
+
+      // Users can update their own onboarded status and onboarded_at timestamp
+      allow update: if isAuthenticated() &&
+                       participantId == getGitHubHandle() &&
+                       request.resource.data.diff(resource.data).affectedKeys()
+                         .hasOnly(['onboarded', 'onboarded_at']);
+
+      // No create or delete for participants (admin only)
+      allow create, delete: if false;
+    }
+  }
+}

config/langfuse_keys.csv.example

@@ -0,0 +1,3 @@
+team_name,langfuse_secret_key,langfuse_public_key
+example-team,sk-lf-example-secret-key-12345,pk-lf-example-public-key-12345
+awesome-team,sk-lf-awesome-secret-key-67890,pk-lf-awesome-public-key-67890

config/participants.csv.example

@@ -0,0 +1,7 @@
+github_handle,team_name,email
+alice-smith,example-team,alice.smith@example.com
+bob-jones,example-team,bob.jones@example.com
+carol-davis,team-alpha,carol.davis@example.com
+david-wilson,team-alpha,david.wilson@example.com
+eve-martinez,team-beta,eve.martinez@example.com
+frank-garcia,team-beta,frank.garcia@example.com

pyproject.toml

@@ -9,11 +9,14 @@ requires-python = ">=3.12"
 dependencies = [
     "google-cloud-firestore>=2.18.0",
     "google-auth>=2.29.0",
+    "google-cloud-secret-manager>=2.20.0",
+    "firebase-admin>=6.5.0",
     "openai>=1.0.0",
     "weaviate-client>=4.0.0",
     "requests>=2.31.0",
     "python-dotenv>=1.0.0",
     "pandas>=2.0.0",
+    "rich>=13.0.0",
 ]
 
 [build-system]