Automate Firestore rules deploy and add production unknown-queue smoke checks

Author: shadowdevcode

.github/workflows/ci.yml

@@ -37,3 +37,65 @@ jobs:
 
       - name: Run full verification
         run: npm run verify:local
+
+  detect-firestore-changes:
+    name: detect-firestore-changes
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    runs-on: ubuntu-latest
+    outputs:
+      firestore_changed: ${{ steps.filter.outputs.firestore_changed }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Detect firestore-related changes
+        id: filter
+        uses: dorny/paths-filter@v3
+        with:
+          filters: |
+            firestore_changed:
+              - firestore.rules
+              - firebase.json
+              - firebase-applet-config.json
+              - scripts/print-firestore-rules-target.mjs
+              - scripts/smoke-firestore-unknown-queue.mjs
+
+  firestore-rules-deploy:
+    name: firestore-rules-deploy
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main' && needs.detect-firestore-changes.outputs.firestore_changed == 'true'
+    needs:
+      - verify-local
+      - detect-firestore-changes
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: npm
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Verify firestore deploy target
+        run: npm run rules:target:check
+
+      - name: Deploy Firestore rules (production)
+        env:
+          FIREBASE_TOKEN: ${{ secrets.FIREBASE_TOKEN }}
+        run: npm run rules:deploy:prod
+
+      - name: Smoke test unknown ingredient queue access (production)
+        env:
+          SMOKE_OWNER_EMAIL: ${{ secrets.SMOKE_OWNER_EMAIL }}
+          SMOKE_OWNER_PASSWORD: ${{ secrets.SMOKE_OWNER_PASSWORD }}
+          SMOKE_OWNER_HOUSEHOLD_ID: ${{ secrets.SMOKE_OWNER_HOUSEHOLD_ID }}
+          SMOKE_NON_MEMBER_EMAIL: ${{ secrets.SMOKE_NON_MEMBER_EMAIL }}
+          SMOKE_NON_MEMBER_PASSWORD: ${{ secrets.SMOKE_NON_MEMBER_PASSWORD }}
+        run: npm run rules:smoke:prod

README.md

@@ -210,15 +210,17 @@ These constraints are enforced in `firestore.rules` and validated by `test/rules
 - Confirm production Firebase Auth domain setup before release (Google provider and authorized domains)
 
 ### Production Firestore Rules Runbook
-1. Authenticate Firebase CLI:
-   - `npx firebase login`
-2. Verify project/database deploy targets:
-   - `npm run rules:target:check`
-3. Deploy production Firestore rules:
+1. Mainline path (default):
+   - Merge to `main`; CI deploys `firestore.rules` automatically when Firestore files change.
+2. CI deploy preconditions:
+   - `verify-local` must pass.
+   - `npm run rules:target:check` must pass (project/database target integrity gate).
+3. Post-deploy smoke checks:
+   - Owner smoke user must read `households/{householdId}/unknownIngredientQueue`.
+   - Non-member smoke user must receive `PERMISSION_DENIED`.
+4. Emergency/manual deploy only:
    - `npm run rules:deploy:prod`
-4. Validate production owner view:
-   - Sign in as owner and open the pantry/unknown queue section.
-   - Confirm no `Unknown ingredient queue access denied` banner appears.
+   - `npm run rules:smoke:prod`
 5. Optional deploy diagnostics:
    - `npm run rules:deploy:prod:dry`
 
@@ -243,6 +245,11 @@ This project uses GitHub as the deployment source of truth.
 - CI command chain:
   - `npm ci`
   - `npm run verify:local`
+  - `verify-local` includes `npm run rules:target:check`
+- `main` push additional automation:
+  - Detect Firestore-related file changes.
+  - Deploy Firestore rules automatically when changed.
+  - Run production smoke test for owner-allow and non-member-deny unknown queue reads.
 
 ### Local push gate (Husky)
 - Husky install hook is configured via `npm run prepare`.
@@ -255,6 +262,13 @@ This project uses GitHub as the deployment source of truth.
 - Require status checks to pass before merging.
 - Add required status check: `verify-local`.
 - Require branches to be up to date before merging.
+- Add repository secrets for Firestore deploy/smoke workflow:
+  - `FIREBASE_TOKEN`
+  - `SMOKE_OWNER_EMAIL`
+  - `SMOKE_OWNER_PASSWORD`
+  - `SMOKE_OWNER_HOUSEHOLD_ID`
+  - `SMOKE_NON_MEMBER_EMAIL`
+  - `SMOKE_NON_MEMBER_PASSWORD`
 
 ### Required Vercel settings
 - Git repository connected to this GitHub repo.
@@ -275,10 +289,12 @@ This project uses GitHub as the deployment source of truth.
 ### Firestore rules tests fail with Java/emulator error
 - Install Java 17+ and confirm `java -version` resolves correctly in shell.
 
-### `Unknown ingredient queue access denied. Deploy latest Firestore rules and retry.`
-- Ensure Firebase CLI is authenticated: `npx firebase login`
-- Deploy rules to production (includes named Firestore DB target): `npm run rules:deploy:prod`
-- Retry owner view and confirm unknown queue loads.
+### `Unknown ingredient queue access denied... [build:<id>]`
+- Confirm the visible build id is the latest deployment.
+- Validate CI Firestore deploy and smoke test status on latest `main` run.
+- For emergency recovery, deploy + smoke manually:
+  - `npm run rules:deploy:prod`
+  - `npm run rules:smoke:prod`
 
 ### Google sign-in popup fails locally
 - Add `localhost` / `127.0.0.1` to Firebase Auth authorized domains.

package.json

@@ -15,9 +15,10 @@
     "rules:target:check": "node scripts/print-firestore-rules-target.mjs",
     "rules:deploy:prod": "npx firebase deploy --only firestore:rules --project gen-lang-client-0862152879",
     "rules:deploy:prod:dry": "npx firebase deploy --only firestore:rules --project gen-lang-client-0862152879 --debug",
+    "rules:smoke:prod": "node scripts/smoke-firestore-unknown-queue.mjs",
     "e2e": "node test/e2e/run.mjs",
     "e2e:headed": "E2E_HEADLESS=false node test/e2e/run.mjs",
-    "verify:local": "npm run lint && npm run unit:test && npm run build && npm run rules:test && npm run e2e",
+    "verify:local": "npm run rules:target:check && npm run lint && npm run unit:test && npm run build && npm run rules:test && npm run e2e",
     "prepare": "husky"
   },
   "dependencies": {