fix: classify unknown queue permission denials with runtime diagnostics

Author: shadowdevcode

README.md

@@ -212,12 +212,14 @@ These constraints are enforced in `firestore.rules` and validated by `test/rules
 ### Production Firestore Rules Runbook
 1. Authenticate Firebase CLI:
    - `npx firebase login`
-2. Deploy production Firestore rules:
+2. Verify project/database deploy targets:
+   - `npm run rules:target:check`
+3. Deploy production Firestore rules:
    - `npm run rules:deploy:prod`
-3. Validate production owner view:
+4. Validate production owner view:
    - Sign in as owner and open the pantry/unknown queue section.
    - Confirm no `Unknown ingredient queue access denied` banner appears.
-4. Optional deploy diagnostics:
+5. Optional deploy diagnostics:
    - `npm run rules:deploy:prod:dry`
 
 ## GitHub-Vercel Sync Workflow

package.json

@@ -12,6 +12,7 @@
     "lint": "tsc --noEmit",
     "unit:test": "node --import tsx test/unit/run.ts",
     "rules:test": "node test/rules/check-java.mjs && firebase emulators:exec --only firestore --project demo-rasoi-planner \"tsx test/rules/run.ts\"",
+    "rules:target:check": "node scripts/print-firestore-rules-target.mjs",
     "rules:deploy:prod": "npx firebase deploy --only firestore:rules --project gen-lang-client-0862152879",
     "rules:deploy:prod:dry": "npx firebase deploy --only firestore:rules --project gen-lang-client-0862152879 --debug",
     "e2e": "node test/e2e/run.mjs",

scripts/print-firestore-rules-target.mjs

@@ -0,0 +1,56 @@
+import { readFile } from 'node:fs/promises';
+import path from 'node:path';
+
+async function readJsonFile(filePath) {
+  const raw = await readFile(filePath, 'utf-8');
+  return JSON.parse(raw);
+}
+
+function getFirestoreTargets(firebaseConfig) {
+  const firestoreConfig = firebaseConfig.firestore;
+  if (Array.isArray(firestoreConfig)) {
+    return firestoreConfig;
+  }
+
+  if (firestoreConfig && typeof firestoreConfig === 'object') {
+    return [{ database: '(default)', ...firestoreConfig }];
+  }
+
+  return [];
+}
+
+async function main() {
+  const rootDir = process.cwd();
+  const appConfigPath = path.join(rootDir, 'firebase-applet-config.json');
+  const firebaseJsonPath = path.join(rootDir, 'firebase.json');
+
+  const appConfig = await readJsonFile(appConfigPath);
+  const firebaseConfig = await readJsonFile(firebaseJsonPath);
+
+  const projectId = String(appConfig.projectId ?? '').trim();
+  const databaseId = String(appConfig.firestoreDatabaseId ?? '').trim();
+  const targets = getFirestoreTargets(firebaseConfig);
+  const databases = targets
+    .map((target) => String(target.database ?? '').trim())
+    .filter((value) => value.length > 0);
+
+  const hasDefaultTarget = databases.includes('(default)');
+  const hasNamedTarget = databases.includes(databaseId);
+
+  console.log('Firestore deploy target verification');
+  console.log(`- projectId: ${projectId}`);
+  console.log(`- app databaseId: ${databaseId}`);
+  console.log(`- firebase.json targets: ${databases.join(', ') || '(none)'}`);
+  console.log('- recommended deploy command:');
+  console.log(`  npx firebase deploy --only firestore:rules --project ${projectId}`);
+
+  if (!hasDefaultTarget || !hasNamedTarget) {
+    console.error('Firestore target mismatch detected in firebase.json.');
+    process.exitCode = 1;
+  }
+}
+
+main().catch((error) => {
+  console.error('Failed to verify Firestore deploy targets.', error);
+  process.exitCode = 1;
+});

src/App.tsx

@@ -4,6 +4,7 @@ import { onAuthStateChanged, User as FirebaseUser } from 'firebase/auth';
 import {
   collection,
   doc,
+  getDoc,
   onSnapshot,
   orderBy,
   query,
@@ -27,8 +28,12 @@ import {
 import { upsertMealField } from './services/mealService';
 import { HouseholdData, resolveOrCreateHousehold } from './services/householdService';
 import { getAppCopy } from './i18n/copy';
+import firebaseConfig from '../firebase-applet-config.json';
 import {
+  buildUnknownQueueTargetFingerprint,
+  classifyHouseholdMembershipProbe,
   getUnknownQueueLoadErrorMessage,
+  HouseholdMembershipProbeResult,
   isFirestoreFailedPreconditionError,
   sortUnknownIngredientQueueItemsByCreatedAt,
   toFirestoreListenerErrorInfo,
@@ -200,6 +205,36 @@ export default function App() {
           markInitialViewReady();
         };
 
+        const unknownQueuePath = `households/${resolved.householdId}/unknownIngredientQueue`;
+        const targetFingerprint = buildUnknownQueueTargetFingerprint({
+          projectId: firebaseConfig.projectId,
+          databaseId: firebaseConfig.firestoreDatabaseId,
+          householdId: resolved.householdId,
+        });
+
+        const membershipProbeSnapshot = await getDoc(doc(db, 'households', resolved.householdId));
+        const membershipProbeData = membershipProbeSnapshot.exists()
+          ? (membershipProbeSnapshot.data() as HouseholdData)
+          : null;
+        const membershipProbeResult: HouseholdMembershipProbeResult = classifyHouseholdMembershipProbe({
+          householdExists: membershipProbeSnapshot.exists(),
+          householdOwnerId: membershipProbeData?.ownerId ?? null,
+          householdCookEmail: membershipProbeData?.cookEmail ?? null,
+          userUid: user.uid,
+          userEmail: user.email ?? null,
+        });
+
+        console.info('unknown_queue_runtime_target', {
+          projectId: firebaseConfig.projectId,
+          databaseId: firebaseConfig.firestoreDatabaseId,
+          householdId: resolved.householdId,
+          uid: user.uid,
+          email: user.email ?? null,
+          path: unknownQueuePath,
+          targetFingerprint,
+          membershipProbeResult,
+        });
+
         const subscribeUnknownQueueFallback = (): void => {
           if (unknownQueueFallbackUnsub !== null) {
             return;
@@ -221,8 +256,15 @@ export default function App() {
                 householdId: resolved.householdId,
                 code: parsedError.code,
                 message: parsedError.message,
+                projectId: firebaseConfig.projectId,
+                databaseId: firebaseConfig.firestoreDatabaseId,
+                uid: user.uid,
+                email: user.email ?? null,
+                path: unknownQueuePath,
+                targetFingerprint,
+                membershipProbeResult,
               });
-              setUiFeedback({ kind: 'error', message: getUnknownQueueLoadErrorMessage(parsedError) });
+              setUiFeedback({ kind: 'error', message: getUnknownQueueLoadErrorMessage(parsedError, membershipProbeResult) });
               hasLoadedUnknownQueue = true;
               markInitialViewReady();
             },
@@ -245,19 +287,26 @@ export default function App() {
               householdId: resolved.householdId,
               code: parsedError.code,
               message: parsedError.message,
+              projectId: firebaseConfig.projectId,
+              databaseId: firebaseConfig.firestoreDatabaseId,
+              uid: user.uid,
+              email: user.email ?? null,
+              path: unknownQueuePath,
+              targetFingerprint,
+              membershipProbeResult,
             });
 
             if (isFirestoreFailedPreconditionError(parsedError)) {
               if (unknownQueueUnsub !== null) {
                 unknownQueueUnsub();
                 unknownQueueUnsub = null;
               }
-              setUiFeedback({ kind: 'error', message: getUnknownQueueLoadErrorMessage(parsedError) });
+              setUiFeedback({ kind: 'error', message: getUnknownQueueLoadErrorMessage(parsedError, membershipProbeResult) });
               subscribeUnknownQueueFallback();
               return;
             }
 
-            setUiFeedback({ kind: 'error', message: getUnknownQueueLoadErrorMessage(parsedError) });
+            setUiFeedback({ kind: 'error', message: getUnknownQueueLoadErrorMessage(parsedError, membershipProbeResult) });
             hasLoadedUnknownQueue = true;
             markInitialViewReady();
           },

src/utils/unknownQueue.ts

@@ -6,6 +6,22 @@ export interface FirestoreListenerErrorInfo {
   name: string | null;
 }
 
+export interface UnknownQueueTargetFingerprintInput {
+  databaseId: string;
+  householdId: string;
+  projectId: string;
+}
+
+export interface HouseholdMembershipProbeInput {
+  householdCookEmail: string | null;
+  householdExists: boolean;
+  householdOwnerId: string | null;
+  userEmail: string | null;
+  userUid: string;
+}
+
+export type HouseholdMembershipProbeResult = 'owner' | 'cook' | 'non-member' | 'household-missing';
+
 function toRecord(value: unknown): Record<string, unknown> | null {
   if (typeof value !== 'object' || value === null) {
     return null;
@@ -39,9 +55,41 @@ export function isFirestorePermissionDeniedError(error: FirestoreListenerErrorIn
   return error.code === 'permission-denied';
 }
 
-export function getUnknownQueueLoadErrorMessage(error: FirestoreListenerErrorInfo): string {
+function normalizeEmail(value: string | null): string {
+  return value === null ? '' : value.trim().toLowerCase();
+}
+
+export function classifyHouseholdMembershipProbe(input: HouseholdMembershipProbeInput): HouseholdMembershipProbeResult {
+  if (!input.householdExists) {
+    return 'household-missing';
+  }
+
+  if (input.householdOwnerId === input.userUid) {
+    return 'owner';
+  }
+
+  const normalizedCookEmail = normalizeEmail(input.householdCookEmail);
+  const normalizedUserEmail = normalizeEmail(input.userEmail);
+  if (normalizedCookEmail.length > 0 && normalizedCookEmail === normalizedUserEmail) {
+    return 'cook';
+  }
+
+  return 'non-member';
+}
+
+export function buildUnknownQueueTargetFingerprint(input: UnknownQueueTargetFingerprintInput): string {
+  return `${input.projectId}/${input.databaseId}/households/${input.householdId}/unknownIngredientQueue`;
+}
+
+export function getUnknownQueueLoadErrorMessage(
+  error: FirestoreListenerErrorInfo,
+  membershipProbeResult: HouseholdMembershipProbeResult | null,
+): string {
   if (isFirestorePermissionDeniedError(error)) {
-    return 'Unknown ingredient queue access denied. Deploy latest Firestore rules and retry.';
+    if (membershipProbeResult === 'non-member' || membershipProbeResult === 'household-missing') {
+      return 'Unknown ingredient queue access denied. Household membership mismatch suspected.';
+    }
+    return 'Unknown ingredient queue access denied. Firestore target mismatch suspected. Verify project/database rules deployment.';
   }
 
   if (isFirestoreFailedPreconditionError(error)) {

test/unit/run.ts

@@ -5,6 +5,8 @@ import { buildPantryLog } from '../../src/services/logService';
 import { sanitizeFirestorePayload } from '../../src/utils/firestorePayload';
 import { getIngredientNativeContextLabel, resolveIngredientVisual } from '../../src/utils/ingredientVisuals';
 import {
+  buildUnknownQueueTargetFingerprint,
+  classifyHouseholdMembershipProbe,
   getUnknownQueueLoadErrorMessage,
   isFirestoreFailedPreconditionError,
   isFirestorePermissionDeniedError,
@@ -347,20 +349,30 @@ function testUnknownQueueErrorParsingAndMessaging(): void {
     name: 'FirebaseError',
   });
   assert.equal(isFirestorePermissionDeniedError(permissionDenied), true);
-  assert.equal(getUnknownQueueLoadErrorMessage(permissionDenied), 'Unknown ingredient queue access denied. Deploy latest Firestore rules and retry.');
+  assert.equal(
+    getUnknownQueueLoadErrorMessage(permissionDenied, 'owner'),
+    'Unknown ingredient queue access denied. Firestore target mismatch suspected. Verify project/database rules deployment.',
+  );
+  assert.equal(
+    getUnknownQueueLoadErrorMessage(permissionDenied, 'non-member'),
+    'Unknown ingredient queue access denied. Household membership mismatch suspected.',
+  );
 
   const failedPrecondition = toFirestoreListenerErrorInfo({
     code: 'failed-precondition',
     message: 'The query requires an index.',
     name: 'FirebaseError',
   });
   assert.equal(isFirestoreFailedPreconditionError(failedPrecondition), true);
-  assert.equal(getUnknownQueueLoadErrorMessage(failedPrecondition), 'Unknown ingredient queue index is missing. Showing fallback order while index is provisioned.');
+  assert.equal(
+    getUnknownQueueLoadErrorMessage(failedPrecondition, 'owner'),
+    'Unknown ingredient queue index is missing. Showing fallback order while index is provisioned.',
+  );
 
   const unknownError = toFirestoreListenerErrorInfo(new Error('boom'));
   assert.equal(isFirestoreFailedPreconditionError(unknownError), false);
   assert.equal(isFirestorePermissionDeniedError(unknownError), false);
-  assert.equal(getUnknownQueueLoadErrorMessage(unknownError), 'Failed to load unknown ingredient queue.');
+  assert.equal(getUnknownQueueLoadErrorMessage(unknownError, null), 'Failed to load unknown ingredient queue.');
 }
 
 function testUnknownQueueFallbackSortOrder(): void {
@@ -397,6 +409,56 @@ function testUnknownQueueFallbackSortOrder(): void {
   assert.deepEqual(sorted.map((item) => item.id), ['queue-1', 'queue-2', 'queue-3']);
 }
 
+function testUnknownQueueTargetFingerprintAndMembershipProbe(): void {
+  const fingerprint = buildUnknownQueueTargetFingerprint({
+    projectId: 'project-x',
+    databaseId: 'db-y',
+    householdId: 'house-z',
+  });
+  assert.equal(fingerprint, 'project-x/db-y/households/house-z/unknownIngredientQueue');
+
+  assert.equal(
+    classifyHouseholdMembershipProbe({
+      householdExists: true,
+      householdOwnerId: 'owner-1',
+      householdCookEmail: 'cook@example.com',
+      userUid: 'owner-1',
+      userEmail: 'owner@example.com',
+    }),
+    'owner',
+  );
+  assert.equal(
+    classifyHouseholdMembershipProbe({
+      householdExists: true,
+      householdOwnerId: 'owner-1',
+      householdCookEmail: 'cook@example.com',
+      userUid: 'cook-uid',
+      userEmail: 'cook@example.com',
+    }),
+    'cook',
+  );
+  assert.equal(
+    classifyHouseholdMembershipProbe({
+      householdExists: true,
+      householdOwnerId: 'owner-1',
+      householdCookEmail: 'cook@example.com',
+      userUid: 'intruder',
+      userEmail: 'intruder@example.com',
+    }),
+    'non-member',
+  );
+  assert.equal(
+    classifyHouseholdMembershipProbe({
+      householdExists: false,
+      householdOwnerId: null,
+      householdCookEmail: null,
+      userUid: 'owner-1',
+      userEmail: 'owner@example.com',
+    }),
+    'household-missing',
+  );
+}
+
 function run(): void {
   testPantryCategoryNormalization();
   testPantryCategoryLabels();
@@ -419,6 +481,7 @@ function run(): void {
   testIngredientVisualCategoryFallback();
   testUnknownQueueErrorParsingAndMessaging();
   testUnknownQueueFallbackSortOrder();
+  testUnknownQueueTargetFingerprintAndMembershipProbe();
   console.log('All unit tests passed.');
 }