Conversation
…n main pitfalls The security-rule propagation window (backend caches rule evaluators for 2-5 minutes after managePermissions write) is already documented in references/security-rules.md under 'Propagation And Verification'. However agents loading the main no-sql-web-sdk/SKILL.md frequently do not drill into the references file, so they finish configuring a CUSTOM rule and immediately attempt the first write — which silently fails or returns DATABASE_PERMISSION_DENIED because the rule has not propagated yet. Seen in attribution issue_moasatof_tj63yv (CMS scaffold): agent correctly set CUSTOM rules with auth.uid != null for create, but grader click-save landed zero rows. Trace shows no wait or verification between rule-set and first write. Fix: add one pitfall bullet in SKILL.md that (a) warns about the 2-5 minute propagation window, (b) gives two working strategies (wait-retry or verify-via-get), (c) reminds not to treat a resolved promise as success, and (d) points to security-rules.md for the full pattern. Main file content stays small; details remain in the reference.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Add one pitfall bullet to
config/source/skills/no-sql-web-sdk/SKILL.mdtelling agents that CUSTOM security rules take 2–5 minutes to propagate after amanagePermissionswrite, so a write attempted immediately after configuring rules may silently fail withDATABASE_PERMISSION_DENIED— even when the expression itself is correct.This guidance already exists in
security-rules.md→ "Propagation And Verification", but agents loading the mainSKILL.mdfrequently do not drill into that reference before writing code.Motivation
Attribution issue
issue_moasatof_tj63yv(CMS scaffold case): agent correctly sets CUSTOM rules withauth.uid != nullforcreate, then grader clicks save and zero rows land in thearticlescollection. The trace shows no wait or verification betweenupdateResourcePermissionand the first.add().Evaluation impact on
application-js-react-cloudbase-cms-scaffold:security-rules.md.Scope
config/source/skills/no-sql-web-sdk/SKILL.md→ Common mistakes / gotchasTest plan
cd mcp && ./node_modules/.bin/vitest run ../tests/build-skills-repo.test.js ../tests/build-compat-config.test.js ../tests/skill-quality-standards.test.js→ 10/10 passed🤖 Generated with Claude Code