ship-safe 1.0.0 → 2.0.0

package/cli/utils/patterns.js

@@ -11,8 +11,11 @@
  *
  * MAINTENANCE NOTES:
  * - Patterns should have low false-positive rates
+ * - Only include patterns with SPECIFIC PREFIXES to avoid noise
  * - Test new patterns against real codebases before adding
  * - Order doesn't matter (all patterns are checked)
+ *
+ * v1.2.0 - Added 40+ new patterns for 2025-2026 services
  */
 
 export const SECRET_PATTERNS = [
@@ -49,27 +52,69 @@ export const SECRET_PATTERNS = [
     severity: 'critical',
     description: 'GitHub App tokens have installation-level access to repositories.'
   },
+  {
+    name: 'GitHub Fine-Grained PAT',
+    pattern: /github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59}/g,
+    severity: 'critical',
+    description: 'GitHub fine-grained PATs can access repositories with scoped permissions.'
+  },
   {
     name: 'Stripe Live Secret Key',
     pattern: /sk_live_[a-zA-Z0-9]{24,}/g,
     severity: 'critical',
     description: 'Stripe live keys can process real payments and access customer data.'
   },
-  {
-    name: 'Stripe Live Publishable Key',
-    pattern: /pk_live_[a-zA-Z0-9]{24,}/g,
-    severity: 'high',
-    description: 'Stripe publishable keys are less sensitive but should not be in server code.'
-  },
   {
     name: 'Private Key Block',
     pattern: /-----BEGIN\s+(RSA\s+|EC\s+|DSA\s+|OPENSSH\s+)?PRIVATE\s+KEY-----/g,
     severity: 'critical',
     description: 'Private keys enable impersonation and decryption. Never commit these.'
   },
+  {
+    name: 'PlanetScale Password',
+    pattern: /pscale_pw_[a-zA-Z0-9_-]{32,}/g,
+    severity: 'critical',
+    description: 'PlanetScale passwords grant database access. Keep in environment variables.'
+  },
+  {
+    name: 'PlanetScale OAuth Token',
+    pattern: /pscale_oauth_[a-zA-Z0-9_-]{32,}/g,
+    severity: 'critical',
+    description: 'PlanetScale OAuth tokens can manage your database branches and schema.'
+  },
+  {
+    name: 'Clerk Secret Key',
+    pattern: /sk_live_[a-zA-Z0-9]{27,}/g,
+    severity: 'critical',
+    description: 'Clerk secret keys grant full access to your auth system. Never expose in frontend.'
+  },
+  {
+    name: 'Doppler Service Token',
+    pattern: /dp\.st\.[a-zA-Z0-9_-]+\.[a-zA-Z0-9]{32,}/g,
+    severity: 'critical',
+    description: 'Doppler service tokens grant access to your secrets. Ironic if leaked!'
+  },
+  {
+    name: 'HashiCorp Vault Token',
+    pattern: /hvs\.[a-zA-Z0-9_-]{24,}/g,
+    severity: 'critical',
+    description: 'HashiCorp Vault tokens grant access to your secrets.'
+  },
+  {
+    name: 'Neon Database Connection String',
+    pattern: /postgres(ql)?:\/\/[^:]+:[^@]+@[^.]+\.neon\.tech/g,
+    severity: 'critical',
+    description: 'Neon Postgres connection strings contain database credentials.'
+  },
+  {
+    name: 'MongoDB Atlas Connection String',
+    pattern: /mongodb(\+srv)?:\/\/[^:]+:[^@]+@[^.]+\.mongodb\.net/g,
+    severity: 'critical',
+    description: 'MongoDB Atlas connection strings contain database credentials.'
+  },
 
   // =========================================================================
-  // HIGH: Very likely to be secrets
+  // HIGH: AI/ML Provider Keys (2025-2026)
   // =========================================================================
   {
     name: 'OpenAI API Key',
@@ -77,12 +122,70 @@ export const SECRET_PATTERNS = [
     severity: 'high',
     description: 'OpenAI keys can rack up API charges and access your usage history.'
   },
+  {
+    name: 'OpenAI Project Key',
+    pattern: /sk-proj-[a-zA-Z0-9_-]{48,}/g,
+    severity: 'high',
+    description: 'OpenAI project keys grant access to specific project resources.'
+  },
   {
     name: 'Anthropic API Key',
-    pattern: /sk-ant-[a-zA-Z0-9-]{32,}/g,
+    pattern: /sk-ant-[a-zA-Z0-9_-]{32,}/g,
     severity: 'high',
     description: 'Anthropic API keys grant access to Claude and your usage quota.'
   },
+  {
+    name: 'Google AI (Gemini) API Key',
+    pattern: /AIzaSy[a-zA-Z0-9_-]{33}/g,
+    severity: 'high',
+    description: 'Google AI API keys grant access to Gemini and other Google AI services.'
+  },
+  {
+    name: 'Replicate API Token',
+    pattern: /r8_[a-zA-Z0-9]{37}/g,
+    severity: 'high',
+    description: 'Replicate tokens can run AI models and incur charges on your account.'
+  },
+  {
+    name: 'Hugging Face Token',
+    pattern: /hf_[a-zA-Z0-9]{34}/g,
+    severity: 'high',
+    description: 'Hugging Face tokens grant access to models, datasets, and Inference API.'
+  },
+  {
+    name: 'Perplexity API Key',
+    pattern: /pplx-[a-f0-9]{48}/g,
+    severity: 'high',
+    description: 'Perplexity API keys can access their search-augmented AI models.'
+  },
+  {
+    name: 'Groq API Key',
+    pattern: /gsk_[a-zA-Z0-9]{52}/g,
+    severity: 'high',
+    description: 'Groq API keys provide access to fast LLM inference.'
+  },
+  {
+    name: 'Cohere API Key',
+    pattern: /(?:cohere|COHERE)[_-]?(?:api[_-]?)?key["']?\s*[:=]\s*["']?([a-zA-Z0-9]{40})["']?/gi,
+    severity: 'high',
+    description: 'Cohere API keys grant access to their NLP models.'
+  },
+  {
+    name: 'Mistral API Key',
+    pattern: /(?:mistral|MISTRAL)[_-]?(?:api[_-]?)?key["']?\s*[:=]\s*["']?([a-zA-Z0-9]{32})["']?/gi,
+    severity: 'high',
+    description: 'Mistral AI API keys can access their language models.'
+  },
+  {
+    name: 'Together AI API Key',
+    pattern: /(?:together|TOGETHER)[_-]?(?:api[_-]?)?key["']?\s*[:=]\s*["']?([a-f0-9]{64})["']?/gi,
+    severity: 'high',
+    description: 'Together AI keys grant access to open-source model hosting.'
+  },
+
+  // =========================================================================
+  // HIGH: Communication & Messaging
+  // =========================================================================
   {
     name: 'Slack Token',
     pattern: /xox[baprs]-[0-9]{10,13}-[0-9]{10,13}[a-zA-Z0-9-]*/g,
@@ -108,11 +211,15 @@ export const SECRET_PATTERNS = [
     description: 'Discord bot tokens grant full control over your bot.'
   },
   {
-    name: 'Twilio API Key',
-    pattern: /SK[a-f0-9]{32}/g,
+    name: 'Telegram Bot Token',
+    pattern: /[0-9]{8,10}:[a-zA-Z0-9_-]{35}/g,
     severity: 'high',
-    description: 'Twilio keys can send SMS/calls and access account data.'
+    description: 'Telegram bot tokens grant full control over your bot.'
   },
+
+  // =========================================================================
+  // HIGH: Email Services
+  // =========================================================================
   {
     name: 'SendGrid API Key',
     pattern: /SG\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9_-]{43}/g,
@@ -125,6 +232,44 @@ export const SECRET_PATTERNS = [
     severity: 'high',
     description: 'Mailgun keys can send emails and access logs.'
   },
+  {
+    name: 'Resend API Key',
+    pattern: /re_[a-zA-Z0-9]{32,}/g,
+    severity: 'high',
+    description: 'Resend API keys can send emails from your account and access logs.'
+  },
+  {
+    name: 'Postmark Server Token',
+    pattern: /(?:postmark|POSTMARK)[_-]?(?:server[_-]?)?token["']?\s*[:=]\s*["']?([a-f0-9-]{36})["']?/gi,
+    severity: 'high',
+    description: 'Postmark tokens can send emails from your account.'
+  },
+  {
+    name: 'Mailchimp API Key',
+    pattern: /[a-f0-9]{32}-us[0-9]{1,2}/g,
+    severity: 'high',
+    description: 'Mailchimp API keys can access your audience and send campaigns.'
+  },
+
+  // =========================================================================
+  // HIGH: SMS & Phone
+  // =========================================================================
+  {
+    name: 'Twilio API Key',
+    pattern: /SK[a-f0-9]{32}/g,
+    severity: 'high',
+    description: 'Twilio keys can send SMS/calls and access account data.'
+  },
+  {
+    name: 'Twilio Account SID',
+    pattern: /AC[a-f0-9]{32}/g,
+    severity: 'medium',
+    description: 'Twilio Account SIDs identify your account. Usually paired with auth token.'
+  },
+
+  // =========================================================================
+  // HIGH: Databases & Backend Services
+  // =========================================================================
   {
     name: 'Firebase/Google Service Account',
     pattern: /"type":\s*"service_account"/g,
@@ -137,6 +282,34 @@ export const SECRET_PATTERNS = [
     severity: 'high',
     description: 'Supabase service role keys bypass Row Level Security. Keep server-side only.'
   },
+  {
+    name: 'Upstash Redis REST Token',
+    pattern: /AX[a-zA-Z0-9]{34,}/g,
+    severity: 'high',
+    description: 'Upstash Redis tokens grant access to your serverless Redis database.'
+  },
+  {
+    name: 'Upstash QStash Token',
+    pattern: /qstash_[a-zA-Z0-9]{32,}/g,
+    severity: 'high',
+    description: 'Upstash QStash tokens can schedule and manage message queues.'
+  },
+  {
+    name: 'Turso Database URL',
+    pattern: /libsql:\/\/[^.]+\.turso\.io/g,
+    severity: 'high',
+    description: 'Turso database URLs. Check for embedded auth tokens in full connection string.'
+  },
+  {
+    name: 'Convex Deployment URL',
+    pattern: /https:\/\/[a-z]+-[a-z]+-[0-9]+\.convex\.cloud/g,
+    severity: 'medium',
+    description: 'Convex deployment URLs identify your backend. Check for paired secrets.'
+  },
+
+  // =========================================================================
+  // HIGH: Hosting & Deployment
+  // =========================================================================
   {
     name: 'Vercel Token',
     pattern: /vercel_[a-zA-Z0-9]{24}/gi,
@@ -161,19 +334,167 @@ export const SECRET_PATTERNS = [
     severity: 'high',
     description: 'DigitalOcean tokens can manage droplets and resources.'
   },
+  {
+    name: 'Render API Key',
+    pattern: /rnd_[a-zA-Z0-9]{32,}/g,
+    severity: 'high',
+    description: 'Render API keys can manage your services and deployments.'
+  },
+  {
+    name: 'Fly.io Token',
+    pattern: /FlyV1\s+[a-zA-Z0-9_-]{43}/g,
+    severity: 'high',
+    description: 'Fly.io tokens can deploy and manage your applications.'
+  },
+  {
+    name: 'Railway Token',
+    pattern: /(?:railway|RAILWAY)[_-]?token["']?\s*[:=]\s*["']?([a-f0-9-]{36})["']?/gi,
+    severity: 'high',
+    description: 'Railway API tokens can manage your services.'
+  },
+  {
+    name: 'Netlify Personal Access Token',
+    pattern: /nfp_[a-zA-Z0-9]{40}/g,
+    severity: 'high',
+    description: 'Netlify PATs can manage sites and deploys.'
+  },
+  {
+    name: 'Cloudflare API Token',
+    pattern: /(?:cloudflare|CF)[_-]?(?:api[_-]?)?token["']?\s*[:=]\s*["']?([a-zA-Z0-9_-]{40})["']?/gi,
+    severity: 'high',
+    description: 'Cloudflare API tokens can manage DNS, workers, and other services.'
+  },
 
   // =========================================================================
-  // MEDIUM: Likely secrets, but may have false positives
+  // HIGH: Auth Providers
   // =========================================================================
   {
-    name: 'Generic API Key',
-    pattern: /["']?(?:api[_-]?key|apikey)["']?\s*[:=]\s*["']([a-zA-Z0-9_\-]{16,})["']/gi,
+    name: 'Clerk Publishable Key (Live)',
+    pattern: /pk_live_[a-zA-Z0-9]{27,}/g,
+    severity: 'medium',
+    description: 'Clerk publishable keys are meant for frontend but verify it\'s intentional.'
+  },
+  {
+    name: 'Clerk Test Secret Key',
+    pattern: /sk_test_[a-zA-Z0-9]{27,}/g,
+    severity: 'medium',
+    description: 'Clerk test keys are lower risk but should still be in environment variables.'
+  },
+  {
+    name: 'Auth0 Domain with Credentials',
+    pattern: /https:\/\/[^.]+\.auth0\.com.*client_secret/gi,
+    severity: 'critical',
+    description: 'Auth0 URLs with embedded client secrets should never be in code.'
+  },
+  {
+    name: 'Supabase Anon Key in Code',
+    pattern: /(?:supabase|SUPABASE)[_-]?(?:anon[_-]?)?key["']?\s*[:=]\s*["']?(eyJ[a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+)["']?/gi,
+    severity: 'medium',
+    description: 'Supabase anon keys. Safe for frontend but verify RLS is enabled.'
+  },
+
+  // =========================================================================
+  // HIGH: Productivity & SaaS
+  // =========================================================================
+  {
+    name: 'Linear API Key',
+    pattern: /lin_api_[a-zA-Z0-9]{40}/g,
+    severity: 'high',
+    description: 'Linear API keys can access your project management data.'
+  },
+  {
+    name: 'Notion API Key',
+    pattern: /secret_[a-zA-Z0-9]{43}/g,
+    severity: 'high',
+    description: 'Notion API keys can access and modify your workspace content.'
+  },
+  {
+    name: 'Airtable API Key',
+    pattern: /pat[a-zA-Z0-9]{14}\.[a-f0-9]{64}/g,
+    severity: 'high',
+    description: 'Airtable personal access tokens grant access to your bases.'
+  },
+  {
+    name: 'Figma Personal Access Token',
+    pattern: /figd_[a-zA-Z0-9_-]{40,}/g,
+    severity: 'high',
+    description: 'Figma PATs can access your design files and projects.'
+  },
+
+  // =========================================================================
+  // HIGH: Payments (Additional)
+  // =========================================================================
+  {
+    name: 'Stripe Test Secret Key',
+    pattern: /sk_test_[a-zA-Z0-9]{24,}/g,
+    severity: 'medium',
+    description: 'Stripe test keys are lower risk but should still be in environment variables.'
+  },
+  {
+    name: 'Stripe Live Publishable Key',
+    pattern: /pk_live_[a-zA-Z0-9]{24,}/g,
+    severity: 'medium',
+    description: 'Stripe publishable keys are meant for frontend but verify it\'s intentional.'
+  },
+  {
+    name: 'Stripe Webhook Secret',
+    pattern: /whsec_[a-zA-Z0-9]{32,}/g,
+    severity: 'high',
+    description: 'Stripe webhook secrets validate incoming webhooks. Keep server-side only.'
+  },
+  {
+    name: 'Lemon Squeezy API Key',
+    pattern: /(?:lemon|LEMON)[_-]?(?:squeezy|SQUEEZY)?[_-]?(?:api[_-]?)?key["']?\s*[:=]\s*["']?([a-f0-9-]{36})["']?/gi,
+    severity: 'high',
+    description: 'Lemon Squeezy API keys can manage your store and orders.'
+  },
+  {
+    name: 'Paddle API Key',
+    pattern: /(?:paddle|PADDLE)[_-]?(?:api[_-]?)?key["']?\s*[:=]\s*["']?([a-f0-9]{64})["']?/gi,
+    severity: 'high',
+    description: 'Paddle API keys can manage your subscriptions and payments.'
+  },
+
+  // =========================================================================
+  // HIGH: Analytics & Monitoring
+  // =========================================================================
+  {
+    name: 'Sentry DSN',
+    pattern: /https:\/\/[a-f0-9]{32}@[a-z0-9]+\.ingest\.sentry\.io\/[0-9]+/g,
+    severity: 'medium',
+    description: 'Sentry DSNs are semi-public but contain project identifiers.'
+  },
+  {
+    name: 'PostHog API Key',
+    pattern: /phc_[a-zA-Z0-9]{32,}/g,
+    severity: 'medium',
+    description: 'PostHog project API keys. Usually safe in frontend but verify.'
+  },
+  {
+    name: 'New Relic API Key',
+    pattern: /NRAK-[A-Z0-9]{27}/g,
+    severity: 'high',
+    description: 'New Relic API keys can access your monitoring data and configurations.'
+  },
+  {
+    name: 'Datadog API Key',
+    pattern: /(?:datadog|DD)[_-]?(?:api[_-]?)?key["']?\s*[:=]\s*["']?([a-f0-9]{32})["']?/gi,
+    severity: 'high',
+    description: 'Datadog API keys can access and send monitoring data.'
+  },
+
+  // =========================================================================
+  // MEDIUM: Generic patterns (may have false positives)
+  // =========================================================================
+  {
+    name: 'Generic API Key Assignment',
+    pattern: /["']?(?:api[_-]?key|apikey)["']?\s*[:=]\s*["']([a-zA-Z0-9_\-]{20,})["']/gi,
     severity: 'medium',
     description: 'Hardcoded API keys should be moved to environment variables.'
   },
   {
-    name: 'Generic Secret',
-    pattern: /["']?(?:secret|secret[_-]?key)["']?\s*[:=]\s*["']([a-zA-Z0-9_\-]{16,})["']/gi,
+    name: 'Generic Secret Assignment',
+    pattern: /["']?(?:secret|secret[_-]?key)["']?\s*[:=]\s*["']([a-zA-Z0-9_\-]{20,})["']/gi,
     severity: 'medium',
     description: 'Hardcoded secrets should be moved to environment variables.'
   },
@@ -190,22 +511,22 @@ export const SECRET_PATTERNS = [
     description: 'Database URLs with embedded passwords expose your database.'
   },
   {
-    name: 'Bearer Token',
+    name: 'Bearer Token in Code',
     pattern: /["']Bearer\s+[a-zA-Z0-9_\-\.=]{20,}["']/gi,
     severity: 'medium',
     description: 'Hardcoded bearer tokens should not be in source code.'
   },
-  {
-    name: 'JWT Token',
-    pattern: /["']?jwt["']?\s*[:=]\s*["']?(eyJ[a-zA-Z0-9_-]*\.eyJ[a-zA-Z0-9_-]*\.[a-zA-Z0-9_-]*)["']?/gi,
-    severity: 'medium',
-    description: 'JWTs in source code may be test tokens, but verify they\'re not production.'
-  },
   {
     name: 'Basic Auth Header',
-    pattern: /["']Basic\s+[A-Za-z0-9+/=]{10,}["']/gi,
+    pattern: /["']Basic\s+[A-Za-z0-9+/=]{20,}["']/gi,
     severity: 'medium',
     description: 'Basic auth headers contain base64-encoded credentials.'
+  },
+  {
+    name: 'Private Key in Environment Variable',
+    pattern: /PRIVATE[_-]?KEY["']?\s*[:=]\s*["']([^"']+)["']/gi,
+    severity: 'high',
+    description: 'Private keys should be loaded from files, not hardcoded.'
   }
 ];
 

package/configs/firebase/firestore-rules.txt

@@ -0,0 +1,215 @@
+// =============================================================================
+// FIREBASE FIRESTORE SECURITY RULES TEMPLATES
+// =============================================================================
+//
+// Copy these rules to your Firebase Console > Firestore > Rules
+//
+// WHY THIS MATTERS:
+// - Default test mode rules allow ANYONE to read/write ALL data
+// - Test mode is the #1 cause of Firebase data breaches
+// - 40% of Firebase apps have misconfigured security rules
+//
+// HOW TO USE:
+// 1. Go to Firebase Console > Firestore Database > Rules
+// 2. Replace the default rules with these templates
+// 3. Customize for your data structure
+// 4. Publish and test thoroughly
+//
+// =============================================================================
+
+rules_version = '2';
+service cloud.firestore {
+  match /databases/{database}/documents {
+
+    // =========================================================================
+    // HELPER FUNCTIONS
+    // =========================================================================
+
+    // Check if user is authenticated
+    function isAuthenticated() {
+      return request.auth != null;
+    }
+
+    // Get the authenticated user's ID
+    function userId() {
+      return request.auth.uid;
+    }
+
+    // Check if user owns a document (document has a userId field)
+    function isOwner() {
+      return isAuthenticated() && resource.data.userId == userId();
+    }
+
+    // Check if user is creating a document with their own userId
+    function isCreatingOwn() {
+      return isAuthenticated() && request.resource.data.userId == userId();
+    }
+
+    // Check if user has a specific role (requires a users collection with role field)
+    function hasRole(role) {
+      return isAuthenticated() &&
+        get(/databases/$(database)/documents/users/$(userId())).data.role == role;
+    }
+
+    // Check if user is admin
+    function isAdmin() {
+      return hasRole('admin');
+    }
+
+    // Validate that required fields exist
+    function hasRequiredFields(fields) {
+      return request.resource.data.keys().hasAll(fields);
+    }
+
+    // Check if only allowed fields are being modified
+    function onlyUpdating(fields) {
+      return request.resource.data.diff(resource.data).affectedKeys().hasOnly(fields);
+    }
+
+    // =========================================================================
+    // PATTERN 1: USER PROFILES (User owns their profile)
+    // =========================================================================
+
+    match /users/{userId} {
+      // Users can read their own profile
+      allow read: if isAuthenticated() && request.auth.uid == userId;
+
+      // Users can create their own profile
+      allow create: if isAuthenticated()
+        && request.auth.uid == userId
+        && hasRequiredFields(['email', 'createdAt'])
+        && request.resource.data.createdAt == request.time;
+
+      // Users can update their own profile (except role)
+      allow update: if isAuthenticated()
+        && request.auth.uid == userId
+        && !request.resource.data.diff(resource.data).affectedKeys().hasAny(['role']);
+
+      // Only admins can delete users
+      allow delete: if isAdmin();
+    }
+
+    // =========================================================================
+    // PATTERN 2: PRIVATE DATA (User's own data)
+    // =========================================================================
+
+    match /private/{userId}/{document=**} {
+      // Users can only access their own private data
+      allow read, write: if isAuthenticated() && request.auth.uid == userId;
+    }
+
+    // =========================================================================
+    // PATTERN 3: POSTS/CONTENT (Public read, authenticated write)
+    // =========================================================================
+
+    match /posts/{postId} {
+      // Anyone can read published posts
+      allow read: if resource.data.published == true
+        || (isAuthenticated() && resource.data.authorId == userId());
+
+      // Authenticated users can create posts
+      allow create: if isAuthenticated()
+        && request.resource.data.authorId == userId()
+        && hasRequiredFields(['title', 'content', 'authorId', 'createdAt'])
+        && request.resource.data.createdAt == request.time;
+
+      // Authors can update their own posts
+      allow update: if isAuthenticated()
+        && resource.data.authorId == userId()
+        && request.resource.data.authorId == userId();  // Can't change author
+
+      // Authors and admins can delete
+      allow delete: if isAuthenticated()
+        && (resource.data.authorId == userId() || isAdmin());
+    }
+
+    // =========================================================================
+    // PATTERN 4: ORGANIZATION/TEAM DATA
+    // =========================================================================
+
+    match /organizations/{orgId} {
+      // Function to check org membership
+      function isOrgMember() {
+        return isAuthenticated() &&
+          exists(/databases/$(database)/documents/organizations/$(orgId)/members/$(userId()));
+      }
+
+      function isOrgAdmin() {
+        return isAuthenticated() &&
+          get(/databases/$(database)/documents/organizations/$(orgId)/members/$(userId())).data.role == 'admin';
+      }
+
+      // Org members can read org data
+      allow read: if isOrgMember();
+
+      // Only org admins can update org settings
+      allow update: if isOrgAdmin();
+
+      // Nested collection: org members
+      match /members/{memberId} {
+        allow read: if isOrgMember();
+        allow write: if isOrgAdmin();
+      }
+
+      // Nested collection: org projects
+      match /projects/{projectId} {
+        allow read: if isOrgMember();
+        allow create: if isOrgMember()
+          && request.resource.data.createdBy == userId();
+        allow update: if isOrgMember();
+        allow delete: if isOrgAdmin();
+      }
+    }
+
+    // =========================================================================
+    // PATTERN 5: RATE LIMITING (Using timestamps)
+    // =========================================================================
+
+    match /rateLimited/{docId} {
+      // Allow creation only if user hasn't created one in the last minute
+      allow create: if isAuthenticated()
+        && (!exists(/databases/$(database)/documents/rateLimited/$(userId()))
+          || get(/databases/$(database)/documents/rateLimited/$(userId())).data.lastAction < request.time - duration.value(1, 'm'));
+    }
+
+    // =========================================================================
+    // PATTERN 6: READ-ONLY PUBLIC DATA
+    // =========================================================================
+
+    match /public/{document=**} {
+      // Anyone can read public data
+      allow read: if true;
+
+      // Only admins can write
+      allow write: if isAdmin();
+    }
+
+    // =========================================================================
+    // ANTI-PATTERNS: NEVER DO THIS
+    // =========================================================================
+
+    // BAD: Allows anyone to read/write everything
+    // match /{document=**} {
+    //   allow read, write: if true;
+    // }
+
+    // BAD: Test mode rules (auto-generated, REMOVE before production)
+    // match /{document=**} {
+    //   allow read, write: if request.time < timestamp.date(2024, 12, 31);
+    // }
+
+    // BAD: Checking auth but not ownership
+    // match /users/{userId} {
+    //   allow read, write: if request.auth != null;  // Any user can access any user!
+    // }
+
+    // =========================================================================
+    // DEFAULT: DENY ALL (Safety net)
+    // =========================================================================
+
+    // Deny access to any collection not explicitly defined above
+    match /{document=**} {
+      allow read, write: if false;
+    }
+  }
+}