docs: document firestore security rules and composite indexes (closes…

[Snehith-Roy]

… #219)

Pull Request Template 🚀

Description

This PR adds docs/FIRESTORE_SECURITY.md to document the security rules and composite index setups as requested. It thoroughly outlines:

• The isOnlyProfileUpdate() helper and the whitelisted profile fields.
• The isStreakUpdate() helper and validations preventing longest streak manipulation.
• Point change boundaries and strict restrictions on gitRankPoints calculations.
• Referral system safeguards preventing duplicate usedBy entries and arbitrary point farming.
• The 4 composite indexes built around the users collection filtered by onboardingStatus.

Related Issue

Closes #219

Type of Change

Please delete options that are not relevant:

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Documentation update

Screenshots / Videos (if applicable)

N/A - Documentation addition only.

Testing Done

Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce.

• Command run: npm run test
• Command run: npm run lint
• Command run: npm run build
• Visual verification on local dev server (http://localhost:5173)
• Verified the documentation accurately reflects the logic in firestore.rules and firestore.indexes.json

Checklist

• My code follows the style guidelines of this project.
• I have performed a self-review of my own code.
• I have commented my code, particularly in hard-to-understand areas.
• I have made corresponding changes to the documentation.
• My changes generate no new warnings or console errors.
• I have added tests that prove my fix is effective or that my feature works.
• New and existing unit tests pass locally with my changes.
• Any dependent changes have been merged and published in downstream modules.

Contributor Declaration

• I confirm that this contribution is made under the rules of GSSoC 2026 and NSoC 2026.
• I confirm that I have been assigned the related issue by a maintainer before opening this PR.
• I have read the Contributing Guidelines and Code of Conduct.

---

Thank you for contributing! Maintainers will review your PR soon.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
ranker-hub	Ready	Preview, Comment	Jun 5, 2026 3:52pm

[indresh404]

Check tests failed

[indresh404]

If your PR still shows the old failed Vercel check, please rebase (or merge the latest main branch into your branch) and push again to trigger a fresh deployment/check run.