Hi, I’m building a RAG system with Firebase + Genkit.
My documents are stored in a Firestore collection ai_knowledge_chunks with a field accessGroups: string[].

Genkit Retrive documents

const docs = await ai.retrieve({
  retriever,
  query: 'search query',
  options: {
    limit: 5, // Options: Return up to 5 documents
    where: { category: 'example' }, // Optional: Filter by field-value pairs
    collection: 'alternativeCollection', // Optional: Override default collection
  },
});

Example docs:

Public example data → accessGroups: ["public"]
User’s own data → accessGroups: [uid]
Now I want to run retrieval so that:

If the user is authenticated → fetch public + their own docs

If not authenticated → fetch only public docs

I tried something like this:

const auth = ai.currentContext()?.auth;
const uid = auth?.uid;

const access = uid ? ['public', uid] : ['public'];

const raw = await ai.retrieve({
  retriever,
  query,
  options: {
    limit: 12,
    where: { accessGroups: access }   // ❓ Is this correct?
  },
});

But it seems where here is doing strict equality instead of array-contains-any.
In Firestore Admin SDK I would normally write:

firestore.collection("ai_knowledge_chunks")
  .where("accessGroups", "array-contains-any", ["public", uid])
  .findNearest("embedding", queryVec, limit)

My question is:

Does ai.retrieve({ options.where }) support array-contains-any or only equality filters?

If not, is the recommended approach to bypass defineFirestoreRetriever and just use the Admin SDK with .findNearest(...).where(...) directly?

Any best practice to implement this “public + private” access pattern with Genkit retrievers?

Thanks!