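rules_version = '2';

// Cloud Storage security rules.
//
// Paths covered:
//   users/{userId}/profile/{fileName}     world-readable profile images, owner-writable
//   projects/{projectId}/logo/{fileName}  world-readable logos, writable by any signed-in user
//   projects/{projectId}/files/**         "private" files, readable/writable by any signed-in user
//   everything else                       denied
//
// `write` covers create, update AND delete. On a delete request
// `request.resource` is null, so a write rule that also calls
// isValidImage()/isValidFile() fails (evaluation error -> deny) for deletes;
// the explicit `allow delete` rules below are what actually permit deletion.
service firebase.storage {
  match /b/{bucket}/o {

    // ---- Helpers ----------------------------------------------------------

    // True when the request carries a verified Firebase Auth token.
    function isAuthenticated() {
      return request.auth != null;
    }

    // True when the caller's uid is exactly `userId` (the path segment).
    function isOwner(userId) {
      return isAuthenticated() && request.auth.uid == userId;
    }

    // Upload constraints for images: under 5 MiB and an image/* content type.
    // NOTE: contentType is metadata asserted by the uploading client; the rules
    // engine never inspects the object bytes, so this is not a format check.
    // image/svg+xml is excluded explicitly: SVG can carry script, and the
    // paths that use this helper are world-readable.
    function isValidImage() {
      return request.resource.size < 5 * 1024 * 1024 // 5 MiB max
        && request.resource.contentType.matches('image/.*')
        && request.resource.contentType != 'image/svg+xml';
    }

    // Upload constraint for generic project files: under 10 MiB, any type.
    function isValidFile() {
      return request.resource.size < 10 * 1024 * 1024; // 10 MiB max
    }

    // ---- User profile images ---------------------------------------------
    // Only the owning user may create/update/delete; anyone may read.
    match /users/{userId}/profile/{fileName} {
      allow read: if true; // Public read
      allow write: if isOwner(userId) && isValidImage();
      allow delete: if isOwner(userId);
    }

    // ---- Project logos -----------------------------------------------------
    // NOTE(review): nothing here ties the caller to `projectId` — any
    // signed-in user can overwrite or delete any project's logo. Tighten to
    // project membership once that data is reachable from rules (e.g. a
    // Firestore lookup via firestore.get()); the membership model is not
    // visible from this file.
    match /projects/{projectId}/logo/{fileName} {
      allow read: if true; // Public read
      allow write: if isAuthenticated() && isValidImage();
      allow delete: if isAuthenticated();
    }

    // ---- Project files -----------------------------------------------------
    // "Private" here means non-anonymous only: every signed-in user can read,
    // write and delete every project's files. Same membership caveat as for
    // logos; `{allPaths=**}` makes this recursive over all nested objects.
    match /projects/{projectId}/files/{allPaths=**} {
      allow read: if isAuthenticated();
      allow write: if isAuthenticated() && isValidFile();
      allow delete: if isAuthenticated();
    }

    // ---- Default ----------------------------------------------------------
    // Deny everything not matched above (rules are OR'd, so this only matters
    // for paths no other match covers).
    match /{allPaths=**} {
      allow read, write: if false;
    }
  }
}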