Agent skill

firebase-development:validate

This skill should be used when reviewing Firebase code against security model and best practices. Triggers on "review firebase", "check firebase", "validate", "audit firebase", "security review", "look at firebase code". Validates configuration, rules, architecture, and security.

View SKILL.md on GitHub Repository
Stars 36
Forks 1

Install this agent skill to your Project

npx add-skill https://github.com/2389-research/claude-plugins/tree/main/firebase-development/skills/validate

SKILL.md

Firebase Code Validation

Overview

This sub-skill validates existing Firebase code against proven patterns and security best practices. It checks configuration, rules, architecture consistency, authentication, testing, and production readiness.

Key principles:

  • Validate against chosen architecture patterns
  • Check security rules thoroughly
  • Verify test coverage exists
  • Review production readiness

When This Sub-Skill Applies

  • Conducting code review of Firebase project
  • Auditing security implementation
  • Preparing for production deployment
  • User says: "review firebase", "validate", "audit firebase", "check firebase code"

Do not use for:

  • Initial setup → firebase-development:project-setup
  • Adding features → firebase-development:add-feature
  • Debugging active errors → firebase-development:debug

TodoWrite Workflow

Create checklist with these 9 steps:

Step 1: Check firebase.json Structure

Validate required sections:

  • hosting - Array or object present
  • functions - Source directory, runtime, predeploy hooks
  • firestore - Rules and indexes files
  • emulators - Local development config

Check hosting pattern matches implementation (site:, target:, or single).

Reference: docs/examples/multi-hosting-setup.md

Step 2: Validate Emulator Configuration

Critical settings:

json
{
  "emulators": {
    "singleProjectMode": true,
    "ui": { "enabled": true }
  }
}

Verify all services in use have emulator entries.

Reference: docs/examples/emulator-workflow.md

Step 3: Review Firestore Rules

Check for:

  • Helper functions at top (isAuthenticated(), isOwner())
  • Consistent security model (server-write-only OR client-write-validated)
  • diff().affectedKeys().hasOnly([...]) for client writes
  • Collection group rules if using collectionGroup() queries
  • Default deny rule at bottom

Reference: docs/examples/firestore-rules-patterns.md

Step 4: Validate Functions Architecture

Identify pattern in use:

  • Express: Check middleware/, tools/, CORS, health endpoint
  • Domain-Grouped: Check exports, domain boundaries, shared/
  • Individual: Check one function per file structure

Critical: Don't mix patterns. Verify consistency throughout.

Reference: docs/examples/express-function-architecture.md

Step 5: Check Authentication Implementation

For API Keys:

  • Middleware validates key format with project prefix
  • Uses collectionGroup('apiKeys') query
  • Checks active: true flag
  • Attaches userId to request

For Firebase Auth:

  • Functions check request.auth.uid
  • Role lookups use Firestore user document
  • Client connects to auth emulator in development

Reference: docs/examples/api-key-authentication.md

Step 6: Verify ABOUTME Comments

All .ts files should start with:

typescript
// ABOUTME: Brief description of what this file does
// ABOUTME: Second line with additional context
bash
grep -L "ABOUTME:" functions/src/**/*.ts  # Find missing

Step 7: Review Test Coverage

Check for:

  • Unit tests: functions/src/__tests__/**/*.test.ts
  • Integration tests: functions/src/__tests__/emulator/**/*.test.ts
  • vitest.config.ts and vitest.emulator.config.ts exist
  • Coverage threshold met (60%+)
bash
npm test && npm run test:coverage

Step 8: Validate Error Handling

All handlers must:

  • Use try-catch blocks
  • Return { success: boolean, message: string, data?: any }
  • Use proper HTTP status codes (400, 401, 403, 500)
  • Log errors with console.error
  • Validate input before processing

Step 9: Security and Production Review

Security checks:

  • No secrets in code (grep -r "apiKey.*=" functions/src/)
  • .env files in .gitignore
  • No allow read, write: if true; in rules
  • Sensitive fields protected from client writes

Production checks:

  • npm audit clean
  • Build succeeds: npm run build
  • Tests pass: npm test
  • Correct project in .firebaserc
  • Indexes defined for complex queries

Validation Checklists

Hosting Pattern

  • Pattern matches firebase.json config
  • Sites/targets exist in Firebase Console
  • Rewrites reference valid functions
  • Emulator ports configured

Authentication Pattern

  • Auth method matches security model
  • Middleware/checks implemented correctly
  • Environment variables documented
  • Emulator connection configured

Security Model

  • Server-write-only: All allow write: if false;
  • Client-write: diff().affectedKeys() validation
  • Default deny rule present
  • Helper functions used consistently

Common Issues

Issue Fix
Missing singleProjectMode Add to emulators config
No default deny rule Add match /{document=**} { allow: if false; }
Mixed architecture Migrate to consistent pattern
Missing ABOUTME Add 2-line header to all .ts files
No integration tests Add emulator tests for workflows
Inconsistent response format Standardize to {success, message, data?}
No error handling Add try-catch to all handlers
Secrets in code Move to environment variables

Integration with Superpowers

For general code quality review beyond Firebase patterns, invoke superpowers:requesting-code-review.

Output

After validation, provide:

  • Summary of findings
  • Issues categorized by severity (critical, important, nice-to-have)
  • Recommendations for remediation
  • Confirmation of best practices compliance

Pattern References

  • Hosting: docs/examples/multi-hosting-setup.md
  • Auth: docs/examples/api-key-authentication.md
  • Functions: docs/examples/express-function-architecture.md
  • Rules: docs/examples/firestore-rules-patterns.md
  • Emulators: docs/examples/emulator-workflow.md

Recommended Agent Skills

Expand your agent's capabilities with these related and highly-rated skills.

2389-research/claude-plugins

css-development

This skill should be used when working with CSS, creating components, styling elements, refactoring styles, or reviewing CSS code. Triggers on "CSS", "styles", "Tailwind", "dark mode", "component styling", "semantic class", "@apply", "stylesheet". Routes to specialized sub-skills for creation, validation, or refactoring.

36 1
Explore
2389-research/claude-plugins

css-development:create-component

This skill should be used when creating new styled components or adding new CSS classes. Triggers on "create component", "new button", "new card", "add styles", "style component", "build UI element". Guides semantic naming, Tailwind composition, dark mode support, and test coverage.

36 1
Explore
2389-research/claude-plugins

css-development:refactor

This skill should be used when refactoring existing CSS from inline styles or utility classes to semantic patterns. Triggers on "refactor CSS", "extract styles", "consolidate CSS", "convert inline", "clean up styles", "migrate to semantic". Transforms to semantic classes with dark mode and tests.

36 1
Explore
2389-research/claude-plugins

css-development:validate

This skill should be used when reviewing or auditing existing CSS code for consistency with established patterns. Triggers on "review CSS", "audit styles", "check CSS", "validate stylesheet", "CSS review". Checks semantic naming, dark mode coverage, Tailwind usage, and test coverage.

36 1
Explore
2389-research/claude-plugins

ceo-personal-os

This skill should be used when building a personal productivity or operating system for a CEO, founder, or executive. Triggers on "personal OS", "annual review", "life planning", "goal setting system", "Bill Campbell", "Trillion Dollar Coach", "startup failure patterns", "Good to Great", "Level 5 Leadership", "Buy Back Your Time", "E-Myth", "Customer Development", "Steve Blank", "Small Is Beautiful", "Schumacher", "human-scale", "subsidiarity", "Buddhist economics", "permanence".

36 1
Explore
2389-research/claude-plugins

gtm-partner

Strategic go-to-market partner that recommends channels, validates strategy with the user, and generates only the assets that matter. Use when a user has a validated business idea and needs tailored GTM strategy, not generic marketing assets.

36 1
Explore

Didn't find tool you were looking for?

Be as detailed as possible for better results