Remove Firebase configuration files from repository

.gitignore

@@ -48,4 +48,10 @@ yarn-error.*
 ServiceAccountBitSleuthWallet.json
 
 # Prevent accidentally committing local absolute paths
-Users/
+Users/
+
+# Firebase configuration files (use .example files as templates)
+google-services.json
+GoogleService-Info.plist
+android/app/google-services.json
+ios/BitSleuthWallet/GoogleService-Info.plist

CONTRIBUTING.md

@@ -149,12 +149,19 @@ touch docs/NEW_FEATURE_GUIDE.md
    cd ios && pod install && cd ..
    ```
 
-4. Start the development server:
+4. **Set up Firebase configuration** (Required):
+   - You must create your own Firebase project before running the app
+   - See [docs/FIREBASE_SETUP.md](docs/FIREBASE_SETUP.md) for complete instructions
+   - Download `google-services.json` and `GoogleService-Info.plist` from your Firebase project
+   - Place them in the required locations (see setup guide)
+   - **Important**: These files are in `.gitignore` and should never be committed
+
+5. Start the development server:
    ```bash
    npm start
    ```
 
-5. Run on a device/simulator:
+6. Run on a device/simulator:
    ```bash
    npm run ios      # iOS
    npm run android  # Android
@@ -202,6 +209,7 @@ Before submitting a PR, make sure to:
 ### Security
 
 - **Never commit secrets**: No API keys, private keys, or sensitive data
+- **Firebase Configuration**: Never commit `google-services.json` or `GoogleService-Info.plist` (they're in `.gitignore`)
 - **Private Keys**: All key management must remain client-side
 - **Review Changes**: Security-sensitive changes require thorough review
 - **Vulnerability Reporting**: Report security issues via our [Security Policy](SECURITY.md), not in public issues

GoogleService-Info.example.plist

@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<!-- 
+	This is an EXAMPLE file. Replace with your own GoogleService-Info.plist from Firebase Console.
+
+	Instructions:
+	1. Go to https://console.firebase.google.com/
+	2. Create or select your Firebase project
+	3. Add an iOS app with bundle ID: ai.bitsleuth.wallet
+	4. Download GoogleService-Info.plist
+	5. Replace this example file with your downloaded file
+	6. Place it in: ios/BitSleuthWallet/GoogleService-Info.plist AND root directory
+
+	See docs/FIREBASE_SETUP.md for complete setup guide.
+-->
+<plist version="1.0">
+<dict>
+	<key>API_KEY</key>
+	<string>AIzaSy_YOUR_IOS_API_KEY_HERE</string>
+	<key>GCM_SENDER_ID</key>
+	<string>YOUR_PROJECT_NUMBER</string>
+	<key>PLIST_VERSION</key>
+	<string>1</string>
+	<key>BUNDLE_ID</key>
+	<string>ai.bitsleuth.wallet</string>
+	<key>PROJECT_ID</key>
+	<string>your-project-id</string>
+	<key>STORAGE_BUCKET</key>
+	<string>your-project-id.appspot.com</string>
+	<key>IS_ADS_ENABLED</key>
+	<false></false>
+	<key>IS_ANALYTICS_ENABLED</key>
+	<false></false>
+	<key>IS_APPINVITE_ENABLED</key>
+	<true></true>
+	<key>IS_GCM_ENABLED</key>
+	<true></true>
+	<key>IS_SIGNIN_ENABLED</key>
+	<true></true>
+	<key>GOOGLE_APP_ID</key>
+	<string>1:YOUR_PROJECT_NUMBER:ios:YOUR_APP_ID</string>
+</dict>
+</plist>

README.md

@@ -162,12 +162,18 @@ BitSleuth Wallet is a client-side Bitcoin wallet built with React Native and Exp
 - **Testing**: Expo Go app or configured simulator/emulator
 
 ### Firebase Setup (Required)
+
+**Each developer must configure their own Firebase project.** See [docs/FIREBASE_SETUP.md](docs/FIREBASE_SETUP.md) for detailed instructions.
+
+Required:
 - Firebase project with iOS and Android apps configured
-- `google-services.json` (Android) in `android/app/`
-- `GoogleService-Info.plist` (iOS) in `ios/BitSleuthWallet/`
+- `google-services.json` (Android) in `android/app/` and root directory
+- `GoogleService-Info.plist` (iOS) in `ios/BitSleuthWallet/` and root directory
 - **Firebase Services enabled**: Crashlytics (with Release Monitoring), Performance Monitoring
 - **Firebase Analytics DISABLED** for privacy (explicitly configured)
 
+**Note**: Configuration files are in `.gitignore` and should never be committed to the repository.
+
 ---
 
 ## 🚀 Getting Started
@@ -192,10 +198,20 @@ cd ios && pod install && cd ..
 
 ### 2. Firebase Configuration
 
-Ensure you have the required Firebase configuration files:
+**You must set up your own Firebase project** before running the app. Configuration files are not included in this repository for security reasons.
+
+📖 **See [docs/FIREBASE_SETUP.md](docs/FIREBASE_SETUP.md) for complete setup instructions.**
 
-- **Android**: Place `google-services.json` in `android/app/`
-- **iOS**: Place `GoogleService-Info.plist` in `ios/BitSleuthWallet/`
+Quick summary:
+1. Create a Firebase project at [console.firebase.google.com](https://console.firebase.google.com/)
+2. Add iOS and Android apps to your project
+3. Download `google-services.json` (Android) and place it in:
+   - `android/app/google-services.json`
+   - `google-services.json` (root)
+4. Download `GoogleService-Info.plist` (iOS) and place it in:
+   - `ios/BitSleuthWallet/GoogleService-Info.plist`
+   - `GoogleService-Info.plist` (root)
+5. Enable Crashlytics and Performance Monitoring in Firebase Console
 
 ⚠️ **Important**: Firebase Analytics is **prohibited** for privacy reasons. Only Crashlytics (with Release Monitoring) and Performance Monitoring are enabled. See [docs/FIREBASE_INTEGRATION.md](docs/FIREBASE_INTEGRATION.md) for details.
 

SECURITY.md

@@ -44,6 +44,18 @@ BitSleuth Wallet is designed with security as a top priority:
 - **Biometric/PIN Protection**: Device-level authentication required
 - **Open Source**: Our code is publicly auditable
 - **No Analytics**: We don't track user behavior or collect personal data
+- **Firebase API Keys**: Configuration files are excluded from the repository (see [docs/FIREBASE_SETUP.md](docs/FIREBASE_SETUP.md))
+
+### Firebase Configuration Security
+
+This repository does **not** include Firebase configuration files (`google-services.json` and `GoogleService-Info.plist`) for security reasons:
+
+- **Each developer must use their own Firebase project** for development
+- Configuration files contain API keys that, while designed for client use, should not be publicly exposed in repositories
+- Example template files are provided for reference
+- See [docs/FIREBASE_SETUP.md](docs/FIREBASE_SETUP.md) for complete setup instructions and security best practices
+
+**Important**: If you find actual Firebase configuration files (not `.example` files) committed to this repository, please report it as a security issue.
 
 ### Scope
 
@@ -53,6 +65,8 @@ Security issues in scope:
 - Data exposure or privacy leaks
 - Transaction manipulation or double-spending risks
 - Dependency vulnerabilities in critical packages
+- Exposed Firebase configuration files or API keys in the repository
+- Misconfigured Firebase security rules
 
 Out of scope:
 - Social engineering attacks

android/app/PLACE_GOOGLE_SERVICES_HERE.md

@@ -0,0 +1,21 @@
+# Firebase Configuration Required
+
+Place your `google-services.json` file in this directory.
+
+## Quick Setup
+
+1. Create a Firebase project at https://console.firebase.google.com/
+2. Add an Android app with package name: `ai.bitsleuth.wallet`
+3. Download `google-services.json`
+4. Place it here: `android/app/google-services.json`
+5. Also place a copy in the root directory: `google-services.json`
+
+## Complete Guide
+
+See [docs/FIREBASE_SETUP.md](../../docs/FIREBASE_SETUP.md) for detailed instructions.
+
+## Example File
+
+An example configuration is available at: `android/app/google-services.example.json`
+
+**Note**: Never commit your actual `google-services.json` file to version control. It's in `.gitignore` for your protection.

android/app/google-services.example.json

@@ -0,0 +1,31 @@
+{
+  "_comment": "This is an EXAMPLE file. Replace with your own google-services.json from Firebase Console.",
+  "_instructions": "1. Go to https://console.firebase.google.com/ 2. Create/select your project 3. Add Android app 4. Download google-services.json 5. Replace this file",
+  "project_info": {
+    "project_number": "YOUR_PROJECT_NUMBER",
+    "project_id": "your-project-id",
+    "storage_bucket": "your-project-id.appspot.com"
+  },
+  "client": [
+    {
+      "client_info": {
+        "mobilesdk_app_id": "1:YOUR_PROJECT_NUMBER:android:YOUR_APP_ID",
+        "android_client_info": {
+          "package_name": "ai.bitsleuth.wallet"
+        }
+      },
+      "oauth_client": [],
+      "api_key": [
+        {
+          "current_key": "AIzaSy_YOUR_ANDROID_API_KEY_HERE"
+        }
+      ],
+      "services": {
+        "appinvite_service": {
+          "other_platform_oauth_client": []
+        }
+      }
+    }
+  ],
+  "configuration_version": "1"
+}

docs/FIREBASE_CONFIG_README.md

@@ -0,0 +1,61 @@
+# Firebase Configuration Files - Examples
+
+This directory contains example Firebase configuration files. **These are templates only** and should not be used in production.
+
+## Files
+
+- `google-services.example.json` - Example Android Firebase configuration
+- `GoogleService-Info.example.plist` - Example iOS Firebase configuration
+
+## Setup Instructions
+
+**You must create your own Firebase project and download your own configuration files.**
+
+### Quick Setup
+
+1. Create a Firebase project at [Firebase Console](https://console.firebase.google.com/)
+2. Add iOS and Android apps with the bundle ID `ai.bitsleuth.wallet`
+3. Download your configuration files:
+   - `google-services.json` for Android
+   - `GoogleService-Info.plist` for iOS
+4. Place them in the correct locations:
+   - `google-services.json` → `android/app/google-services.json` (and root directory)
+   - `GoogleService-Info.plist` → `ios/BitSleuthWallet/GoogleService-Info.plist` (and root directory)
+
+### Complete Setup Guide
+
+For detailed instructions, including:
+- Firebase service configuration
+- API key security and restrictions
+- App Check setup
+- Troubleshooting
+- EAS Build configuration
+
+See: **[docs/FIREBASE_SETUP.md](docs/FIREBASE_SETUP.md)**
+
+## Security Note
+
+The configuration files contain Firebase API keys. While these keys are designed for client-side use, they should still be handled with care:
+
+- ✅ Use your own Firebase project for development
+- ✅ Implement proper Firebase security rules
+- ✅ Restrict API keys in Google Cloud Console
+- ✅ Enable App Check for production
+- ❌ **Never commit your actual configuration files to public repositories**
+
+The actual configuration files are in `.gitignore` to prevent accidental commits.
+
+## Why Not Include Configuration Files?
+
+For open-source projects like BitSleuth Wallet, we follow security best practices:
+
+1. **Prevent Project Enumeration**: Keeping config files private makes it harder for attackers to find and target the Firebase project
+2. **Encourage Proper Setup**: Each developer should use their own Firebase project for development
+3. **Avoid Abuse**: Even with proper security rules, exposed API keys can lead to quota abuse
+4. **Industry Standard**: Most open-source projects with Firebase integration use this approach
+
+## Need Help?
+
+- 📖 Read the complete guide: [docs/FIREBASE_SETUP.md](docs/FIREBASE_SETUP.md)
+- 🔧 Firebase Integration details: [docs/FIREBASE_INTEGRATION.md](docs/FIREBASE_INTEGRATION.md)
+- 🐛 Open an issue if you encounter problems (don't share your actual API keys!)