Here’s how to lock this down so it never flips back, plus a 60-sec verify.

Make Admin pick the correct bucket 100% of the time
1) Initialize Admin exactly once, with storageBucket set

In whichever file is your first/only Admin init (e.g. server/firebaseAdmin.ts):

// server/firebaseAdmin.ts
import { initializeApp, getApps, getApp } from "firebase-admin/app";
import { getStorage } from "firebase-admin/storage";

const STORAGE_BUCKET = process.env.FB_STORAGE_BUCKET || "ibrandbiz-bcfbe.firebasestorage.app";

// Important: initialize ONCE and include storageBucket to set the default
export const adminApp =
  getApps().length ? getApp() : initializeApp({ storageBucket: STORAGE_BUCKET });

// Always get the bucket from this app instance
export const bucket = getStorage(adminApp).bucket();

// Optional: sanity log on startup
console.log("[Admin] Storage bucket:", bucket.name);


Then everywhere else import from this module:

import { bucket } from "./firebaseAdmin";


Avoid calling initializeApp() in multiple files—one singleton only.

2) Remove/patch any other inits

Search & kill extra initializations:

rg -n "initializeApp\(|getStorage\(|storageBucket|appspot\.com|firebasestorage\.app" server


If another module imports Admin directly, make it import your singleton instead.

If you must keep a second file (e.g., firebaseStorage.ts), have it import bucket from firebaseAdmin.ts and do not call initializeApp() again.

3) (Optional) set env to avoid hardcoding

In Replit/ENV:

FB_STORAGE_BUCKET=ibrandbiz-bcfbe.firebasestorage.app


Your code above will pick it up.

60-second verify after the restart

Server boot log should print:

[Admin] Storage bucket: ibrandbiz-bcfbe.firebasestorage.app


Upload one tiny dummy file (admin user):

Path expected: templates/business-plan/test/ping.txt

It should appear in Console under that bucket.

Network logs: your upload handler should not mention .appspot.com anywhere now.

Do you need to change rules?

Nope. Same bucket, same rules. Restart + single-source Admin init is the fix.

Bonus guardrails (nice-to-have)

Add a startup assert:

if (bucket.name !== "ibrandbiz-bcfbe.firebasestorage.app") {
  throw new Error(`Wrong bucket initialized: ${bucket.name}`);
}


In the upload route, log bucket.name once per request:

console.log("[Upload] Using bucket:", bucket.name);
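
The search in step 2 can also run as a repeatable guardrail instead of a one-off rg. This is an added example, not part of the original reply or the project's code: a plain-JavaScript scanner that flags Admin initialization or bucket selection outside the singleton. The file map, the example-project bucket name, the rule ids and the explicit-bucket-name rule are assumptions made for illustration.

```javascript
// Added example, not project code. Paths, rule ids and sample sources are constructed.
const SINGLETON = "server/firebaseAdmin.ts"; // the one file allowed to initialize Admin

const RULES = [
  { id: "extra-init", re: /\binitializeApp\s*\(/, okInSingleton: true },
  { id: "direct-getStorage", re: /\bgetStorage\s*\(/, okInSingleton: true },
  // Assumed extra rule: a bucket named at the call site bypasses the default bucket.
  { id: "explicit-bucket-name", re: /\.bucket\s*\(\s*["'`]/, okInSingleton: false },
  { id: "legacy-appspot", re: /appspot\.com/, okInSingleton: false },
];

// files: { path: sourceText }. Returns [{ path, line, rule }] for every violation.
function findStrayAdminInits(files, singleton = SINGLETON) {
  const findings = [];
  for (const [path, source] of Object.entries(files)) {
    source.split("\n").forEach((text, i) => {
      const code = text.trim();
      if (code.startsWith("//") || code.startsWith("*")) return; // skip comment lines
      for (const rule of RULES) {
        if (path === singleton && rule.okInSingleton) continue;
        if (rule.re.test(code)) findings.push({ path, line: i + 1, rule: rule.id });
      }
    });
  }
  return findings;
}

// Constructed sample tree: a correct singleton, a stray second init, a clean route.
const SAMPLE_FILES = {
  "server/firebaseAdmin.ts": [
    'import { initializeApp, getApps, getApp } from "firebase-admin/app";',
    "export const adminApp =",
    "  getApps().length ? getApp() : initializeApp({ storageBucket: STORAGE_BUCKET });",
    "export const bucket = getStorage(adminApp).bucket();",
  ].join("\n"),
  "server/firebaseStorage.ts": [
    'import { initializeApp } from "firebase-admin/app";',
    "initializeApp();",
    'const bucket = getStorage().bucket("example-project.appspot.com");',
  ].join("\n"),
  "server/routes/upload.ts": [
    'import { bucket } from "../firebaseAdmin";',
    "// initializeApp() used to live here",
    'console.log("[Upload] Using bucket:", bucket.name);',
  ].join("\n"),
};

findStrayAdminInits(SAMPLE_FILES).forEach((f) => console.log(`${f.path}:${f.line} ${f.rule}`));
```

To use it as a build check, fill the file map with the real contents of server/ and fail when the returned list is not empty.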