Skills

firebase-development:validate

Installation
SKILL.md

Firebase Code Validation

Overview

This sub-skill validates existing Firebase code against proven patterns and security best practices. It checks configuration, rules, architecture consistency, authentication, testing, and production readiness.

Key principles:

  • Validate against chosen architecture patterns
  • Check security rules thoroughly
  • Verify test coverage exists
  • Review production readiness

When This Sub-Skill Applies

  • Conducting code review of Firebase project
  • Auditing security implementation
  • Preparing for production deployment
  • User says: "review firebase", "validate", "audit firebase", "check firebase code"

Do not use for:

  • Initial setup → firebase-development:project-setup
  • Adding features → firebase-development:add-feature
  • Debugging active errors → firebase-development:debug

TodoWrite Workflow

Create checklist with these 9 steps:

Step 1: Check firebase.json Structure

Validate required sections:

  • hosting - Array or object present
  • functions - Source directory, runtime, predeploy hooks
  • firestore - Rules and indexes files
  • emulators - Local development config

Check hosting pattern matches implementation (site:, target:, or single).

Reference: docs/examples/multi-hosting-setup.md

Step 2: Validate Emulator Configuration

Critical settings:

{
  "emulators": {
    "singleProjectMode": true,
    "ui": { "enabled": true }
  }
}

Verify all services in use have emulator entries.

Reference: docs/examples/emulator-workflow.md

Step 3: Review Firestore Rules

Check for:

  • Helper functions at top (isAuthenticated(), isOwner())
  • Consistent security model (server-write-only OR client-write-validated)
  • diff().affectedKeys().hasOnly([...]) for client writes
  • Collection group rules if using collectionGroup() queries
  • Default deny rule at bottom

Reference: docs/examples/firestore-rules-patterns.md

Step 4: Validate Functions Architecture

Identify pattern in use:

  • Express: Check middleware/, tools/, CORS, health endpoint
  • Domain-Grouped: Check exports, domain boundaries, shared/
  • Individual: Check one function per file structure

Critical: Don't mix patterns. Verify consistency throughout.

Reference: docs/examples/express-function-architecture.md

Step 5: Check Authentication Implementation

For API Keys:

  • Middleware validates key format with project prefix
  • Uses collectionGroup('apiKeys') query
  • Checks active: true flag
  • Attaches userId to request

For Firebase Auth:

  • Functions check request.auth.uid
  • Role lookups use Firestore user document
  • Client connects to auth emulator in development

Reference: docs/examples/api-key-authentication.md

Step 6: Verify ABOUTME Comments

All .ts files should start with:

// ABOUTME: Brief description of what this file does
// ABOUTME: Second line with additional context

grep -L "ABOUTME:" functions/src/**/*.ts  # Find missing

Step 7: Review Test Coverage

Check for:

  • Unit tests: functions/src/__tests__/**/*.test.ts
  • Integration tests: functions/src/__tests__/emulator/**/*.test.ts
  • vitest.config.ts and vitest.emulator.config.ts exist
  • Coverage threshold met (60%+)
npm test && npm run test:coverage

Step 8: Validate Error Handling

All handlers must:

  • Use try-catch blocks
  • Return { success: boolean, message: string, data?: any }
  • Use proper HTTP status codes (400, 401, 403, 500)
  • Log errors with console.error
  • Validate input before processing

Step 9: Security and Production Review

Security checks:

  • No secrets in code (grep -r "apiKey.*=" functions/src/)
  • .env files in .gitignore
  • No allow read, write: if true; in rules
  • Sensitive fields protected from client writes

Production checks:

  • npm audit clean
  • Build succeeds: npm run build
  • Tests pass: npm test
  • Correct project in .firebaserc
  • Indexes defined for complex queries

Validation Checklists

Hosting Pattern

  • Pattern matches firebase.json config
  • Sites/targets exist in Firebase Console
  • Rewrites reference valid functions
  • Emulator ports configured

Authentication Pattern

  • Auth method matches security model
  • Middleware/checks implemented correctly
  • Environment variables documented
  • Emulator connection configured

Security Model

  • Server-write-only: All allow write: if false;
  • Client-write: diff().affectedKeys() validation
  • Default deny rule present
  • Helper functions used consistently

Common Issues

Issue Fix
Missing singleProjectMode Add to emulators config
No default deny rule Add match /{document=**} { allow: if false; }
Mixed architecture Migrate to consistent pattern
Missing ABOUTME Add 2-line header to all .ts files
No integration tests Add emulator tests for workflows
Inconsistent response format Standardize to {success, message, data?}
No error handling Add try-catch to all handlers
Secrets in code Move to environment variables

Integration with Superpowers

For general code quality review beyond Firebase patterns, invoke superpowers:requesting-code-review.

Output

After validation, provide:

  • Summary of findings
  • Issues categorized by severity (critical, important, nice-to-have)
  • Recommendations for remediation
  • Confirmation of best practices compliance

Pattern References

  • Hosting: docs/examples/multi-hosting-setup.md
  • Auth: docs/examples/api-key-authentication.md
  • Functions: docs/examples/express-function-architecture.md
  • Rules: docs/examples/firestore-rules-patterns.md
  • Emulators: docs/examples/emulator-workflow.md
Related skills

More from 2389-research/claude-plugins

Installs
11
Repository
2389-research/c…-plugins
GitHub Stars
31
First Seen
Jan 26, 2026