CRM: Document and report management
Technical specification for document and report management in the PestControlOS CRM (PWA).
Storage
- Firebase Storage: All reports and documents stored in Firebase Storage. Path structure: organisation-scoped (e.g. /{orgId}/reports/... or ReportsYY/...). Folder-based organisation; recursive browsing via list API. Access controlled by Storage rules: only authenticated users; path segments (orgId) validated so users access only their organisation’s data.
- Metadata (optional): storage_metadata collection in Firestore for real-time refresh or listing without listing Storage repeatedly. Documents keyed by path or object name; updated on upload/delete. Optional; can rely on Storage list alone.
Operations
- Upload: Role-based upload permissions. Client uploads file to Storage path; optionally creates or updates Firestore metadata document. Rules: allow create only if request.auth != null and path matches user’s org.
- Browse: Recursive listing of folders; display tree or flat list. File preview (e.g. PDF in iframe or new tab; images inline). Secure download via signed URL or Storage getDownloadURL with rules enforcing auth.
- Rename: Update object metadata or copy to new path and delete old (Storage does not support true rename). Firestore metadata updated if used. Permission: role-based (e.g. same as upload).
- Delete: Super-admin only for protected reports. Firestore rules: allow delete only when request.auth.token.role == 'super_admin' for designated paths or document types. Storage rules aligned: delete only for super_admin or same org with delete permission.
Security
- No cross-tenant access. Path structure and rules enforce org isolation. Audit: access logged via Storage audit logs or application logs where needed.
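
The Storage rules described above could look like the following sketch. This is an added example, not the PestControlOS rules file. Assumptions: the user's organisation is carried in a custom claim named orgId, the upload roles 'admin' and 'technician', the canDelete claim and the /{orgId}/documents/ path are hypothetical; only request.auth.token.role and 'super_admin' come from the specification.

```firebase-rules
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    // Assumption: the caller's organisation is a custom claim named orgId.
    function inOrg(orgId) {
      return request.auth != null && request.auth.token.orgId == orgId;
    }
    // The role claim and the 'super_admin' value come from the specification.
    function isSuperAdmin() {
      return request.auth.token.role == 'super_admin';
    }
    // Assumption: hypothetical role names that are allowed to upload.
    function canUpload() {
      return request.auth.token.role in ['super_admin', 'admin', 'technician'];
    }
    // Assumption: hypothetical boolean claim granting delete on unprotected files.
    function canDelete() {
      return request.auth.token.canDelete == true;
    }

    // Protected reports: org members read, upload roles write, super_admin deletes.
    match /{orgId}/reports/{path=**} {
      allow get, list: if inOrg(orgId);
      allow create, update: if inOrg(orgId) && canUpload();
      allow delete: if inOrg(orgId) && isSuperAdmin();
    }

    // Hypothetical path for other documents: same org plus delete permission.
    match /{orgId}/documents/{path=**} {
      allow get, list: if inOrg(orgId);
      allow create, update: if inOrg(orgId) && canUpload();
      allow delete: if inOrg(orgId) && (isSuperAdmin() || canDelete());
    }
    // No other match blocks: every path not listed above is denied.
  }
}
```

Overlapping match blocks are combined with OR, so a broader wildcard match that allows write would override the super_admin-only delete on reports. A rename performed as copy and delete is checked against the delete rule for its second step, so on the protected reports path it succeeds only for super_admin.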