Marketplace firebase-development-validate
This skill should be used when reviewing Firebase code against security model and best practices. Triggers on "review firebase", "check firebase", "validate", "audit firebase", "security review", "look at firebase code". Validates configuration, rules, architecture, and security.
install
source · Clone the upstream repo
git clone https://github.com/aiskillstore/marketplace
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/aiskillstore/marketplace "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/2389-research/firebase-development/validate" ~/.claude/skills/aiskillstore-marketplace-firebase-development-validate-77ac28 && rm -rf "$T"
manifest:
skills/2389-research/firebase-development/validate/SKILL.mdsource content
Firebase Code Validation
Overview
This sub-skill validates existing Firebase code against proven patterns and security best practices. It checks configuration, rules, architecture consistency, authentication, testing, and production readiness.
Key principles:
- Validate against chosen architecture patterns
- Check security rules thoroughly
- Verify test coverage exists
- Review production readiness
When This Sub-Skill Applies
- Conducting code review of Firebase project
- Auditing security implementation
- Preparing for production deployment
- User says: "review firebase", "validate", "audit firebase", "check firebase code"
Do not use for:
- Initial setup →
firebase-development:project-setup - Adding features →
firebase-development:add-feature - Debugging active errors →
firebase-development:debug
TodoWrite Workflow
Create checklist with these 9 steps:
Step 1: Check firebase.json Structure
Validate required sections:
- Array or object presenthosting
- Source directory, runtime, predeploy hooksfunctions
- Rules and indexes filesfirestore
- Local development configemulators
Check hosting pattern matches implementation (site:, target:, or single).
Reference:
docs/examples/multi-hosting-setup.mdStep 2: Validate Emulator Configuration
Critical settings:
{ "emulators": { "singleProjectMode": true, "ui": { "enabled": true } } }
Verify all services in use have emulator entries.
Reference:
docs/examples/emulator-workflow.mdStep 3: Review Firestore Rules
Check for:
- Helper functions at top (
,isAuthenticated()
)isOwner() - Consistent security model (server-write-only OR client-write-validated)
for client writesdiff().affectedKeys().hasOnly([...])- Collection group rules if using
queriescollectionGroup() - Default deny rule at bottom
Reference:
docs/examples/firestore-rules-patterns.mdStep 4: Validate Functions Architecture
Identify pattern in use:
- Express: Check
,middleware/
, CORS, health endpointtools/ - Domain-Grouped: Check exports, domain boundaries,
shared/ - Individual: Check one function per file structure
Critical: Don't mix patterns. Verify consistency throughout.
Reference:
docs/examples/express-function-architecture.mdStep 5: Check Authentication Implementation
For API Keys:
- Middleware validates key format with project prefix
- Uses
querycollectionGroup('apiKeys') - Checks
flagactive: true - Attaches
to requestuserId
For Firebase Auth:
- Functions check
request.auth.uid - Role lookups use Firestore user document
- Client connects to auth emulator in development
Reference:
docs/examples/api-key-authentication.mdStep 6: Verify ABOUTME Comments
All
.ts// ABOUTME: Brief description of what this file does // ABOUTME: Second line with additional context
grep -L "ABOUTME:" functions/src/**/*.ts # Find missing
Step 7: Review Test Coverage
Check for:
- Unit tests:
functions/src/__tests__/**/*.test.ts - Integration tests:
functions/src/__tests__/emulator/**/*.test.ts
andvitest.config.ts
existvitest.emulator.config.ts- Coverage threshold met (60%+)
npm test && npm run test:coverage
Step 8: Validate Error Handling
All handlers must:
- Use try-catch blocks
- Return
{ success: boolean, message: string, data?: any } - Use proper HTTP status codes (400, 401, 403, 500)
- Log errors with
console.error - Validate input before processing
Step 9: Security and Production Review
Security checks:
- No secrets in code (
)grep -r "apiKey.*=" functions/src/
files in.env.gitignore- No
in rulesallow read, write: if true; - Sensitive fields protected from client writes
Production checks:
cleannpm audit- Build succeeds:
npm run build - Tests pass:
npm test - Correct project in
.firebaserc - Indexes defined for complex queries
Validation Checklists
Hosting Pattern
- Pattern matches firebase.json config
- Sites/targets exist in Firebase Console
- Rewrites reference valid functions
- Emulator ports configured
Authentication Pattern
- Auth method matches security model
- Middleware/checks implemented correctly
- Environment variables documented
- Emulator connection configured
Security Model
- Server-write-only: All
allow write: if false; - Client-write:
validationdiff().affectedKeys() - Default deny rule present
- Helper functions used consistently
Common Issues
| Issue | Fix |
|---|---|
Missing | Add to emulators config |
| No default deny rule | Add |
| Mixed architecture | Migrate to consistent pattern |
| Missing ABOUTME | Add 2-line header to all .ts files |
| No integration tests | Add emulator tests for workflows |
| Inconsistent response format | Standardize to |
| No error handling | Add try-catch to all handlers |
| Secrets in code | Move to environment variables |
Integration with Superpowers
For general code quality review beyond Firebase patterns, invoke
superpowers:requesting-code-reviewOutput
After validation, provide:
- Summary of findings
- Issues categorized by severity (critical, important, nice-to-have)
- Recommendations for remediation
- Confirmation of best practices compliance
Pattern References
- Hosting:
docs/examples/multi-hosting-setup.md - Auth:
docs/examples/api-key-authentication.md - Functions:
docs/examples/express-function-architecture.md - Rules:
docs/examples/firestore-rules-patterns.md - Emulators:
docs/examples/emulator-workflow.md