feat(firestore): added user profile sync and scan_logs analytics

- syncProfile writes email/displayName/photoURL to users/{uid} once per session
- scan_logs collection logs every scan with user email for admin visibility
- updated firestore.rules to allow profile writes and write-only scan_logs

Author: sunnypatell

firestore.rules

@@ -1,9 +1,19 @@
 rules_version = '2';
 service cloud.firestore {
   match /databases/{database}/documents {
+    // users can read/write their own profile doc
+    match /users/{userId} {
+      allow read, write: if request.auth != null && request.auth.uid == userId;
+    }
+
     // users can only read/write their own scan history
     match /users/{userId}/scans/{scanId} {
       allow read, write: if request.auth != null && request.auth.uid == userId;
     }
+
+    // any authenticated user can create a scan log entry (write-only, no reads from client)
+    match /scan_logs/{logId} {
+      allow create: if request.auth != null;
+    }
   }
 }

src/lib/stores/auth.svelte.ts

@@ -13,12 +13,14 @@ import {
 	updateProfile,
 	type User
 } from 'firebase/auth';
-import { auth } from '$lib/firebase';
+import { auth, db } from '$lib/firebase';
+import { doc, setDoc, serverTimestamp } from 'firebase/firestore';
 
 class AuthStore {
 	user = $state<User | null>(null);
 	loading = $state(true);
 	error = $state<string | null>(null);
+	private profileSynced = false;
 
 	get isAuthenticated(): boolean {
 		return this.user !== null;
@@ -49,6 +51,7 @@ class AuthStore {
 			onAuthStateChanged(auth, (user) => {
 				this.user = user;
 				this.loading = false;
+				if (user) this.syncProfile(user);
 			});
 			// handle redirect result from signInWithRedirect fallback
 			getRedirectResult(auth).catch(() => {});
@@ -131,6 +134,26 @@ class AuthStore {
 		this.error = null;
 	}
 
+	/** write user profile to users/{uid} once per session (not every page load) */
+	private async syncProfile(user: User) {
+		if (this.profileSynced) return;
+		this.profileSynced = true;
+		try {
+			await setDoc(
+				doc(db, 'users', user.uid),
+				{
+					email: user.email,
+					displayName: user.displayName ?? null,
+					photoURL: user.photoURL ?? null,
+					lastLogin: serverTimestamp()
+				},
+				{ merge: true }
+			);
+		} catch {
+			// non-critical, don't break the app
+		}
+	}
+
 	private getErrorMessage(err: unknown): string {
 		const code = (err as { code?: string })?.code ?? '';
 		switch (code) {

src/lib/stores/scores.svelte.ts

@@ -10,7 +10,8 @@ import {
 	doc,
 	query,
 	orderBy,
-	limit
+	limit,
+	serverTimestamp
 } from 'firebase/firestore';
 import { db } from '$lib/firebase';
 import { authStore } from './auth.svelte';
@@ -133,6 +134,9 @@ class ScoresStore {
 			const docRef = await addDoc(scansRef, sanitized);
 			console.warn('[scores] saved scan to history:', docRef.id);
 
+			// write to top-level scan_logs for admin visibility
+			this.writeScanLog(sanitized, uid);
+
 			// prune old scans beyond the cap
 			const allScansQuery = query(scansRef, orderBy('timestamp', 'desc'));
 			const allSnap = await getDocs(allScansQuery);
@@ -150,6 +154,25 @@ class ScoresStore {
 		}
 	}
 
+	/** log scan to top-level scan_logs collection for admin browsing */
+	private async writeScanLog(entry: Omit<ScanHistoryEntry, 'id'>, uid: string) {
+		try {
+			const user = authStore.user;
+			await addDoc(collection(db, 'scan_logs'), {
+				uid,
+				email: user?.email ?? null,
+				displayName: user?.displayName ?? null,
+				fileName: entry.fileName ?? null,
+				mode: entry.mode,
+				averageScore: entry.averageScore,
+				passingCount: entry.passingCount,
+				createdAt: serverTimestamp()
+			});
+		} catch {
+			// non-critical, don't break the scan flow
+		}
+	}
+
 	async clearHistory() {
 		if (!browser || !authStore.isAuthenticated || !authStore.user) return;