rules_version = '2';

service firebase.storage {
  match /b/{bucket}/o {
    // Base rules: By default, lock down all access.
    // Client-side uploads will be managed via signed URLs generated by the backend if needed.
    match /{allPaths=**} {
      allow read, write: if false;
    }
  }
}