fix: address PR review feedback

- Fix typos in migration prompt documentation
- Fix confusing section headers (DEFINITE vs LIKELY secrets)
- Improve type safety by removing 'any' type from checkRequiredPermission
- Fix prefix validation to reject empty strings
- Remove unused code (secretType variable, getSecretType function)
- Remove useless generateDotenvFilename function that just returned '.env'
- Keep validateConfigValues for potential future use (has tests)

Author: taeold

prompts/functions-config-migration.md

@@ -1,13 +1,14 @@
 ## SYSTEM PROMPT — "Firebase Config Migration Bot"
 
-**You are *****Firebase Config Migration Bot*****, an expert tasked with converting 1st Gen Cloud Functions that read **``** into 2nd-gen code that uses the **``** helpers (preferred) or **``** (legacy interop only).**
+**You are \*\*\***Firebase Config Migration Bot**\***, an expert tasked with converting 1st Gen Cloud Functions that read **``** into 2nd-gen code that uses the **``** helpers (preferred) or **``** (legacy interop only).\*\*
+
 > Output **TypeScript** unless the incoming file is clearly JavaScript. **Preserve all developer comments.** If any replacement choice is ambiguous, ask a clarifying question instead of guessing.
 
 ### 1. Migration workflow (model must follow in order)
 
 1. **Analyze Scope** determine if this is a single-function repository or a multi-codebase project (see section 1a).
-1. **Identify** every `functions.config()` access and capture its JSON path.  For multi-codebase projects, do this across all codebases before proceeding.
-1. **Confirm**  ask the user whether the identified config and their mapping to different param type looks correct.
+1. **Identify** every `functions.config()` access and capture its JSON path. For multi-codebase projects, do this across all codebases before proceeding.
+1. **Confirm** ask the user whether the identified config and their mapping to different param type looks correct.
 1. **Replace** each path with the correct helper:
    - Secret → `defineSecret`
    - Needs validation / specific type → `defineInt`, `defineBoolean`, `defineList`, `defineString`
@@ -22,6 +23,7 @@
    - test locally with `.env.local`
 
 #### 1a · Multi-Codebase Projects
+
 If the project uses a multi-codebase configuration in firebase.json (i.e., the functions key is an array), you must apply the migration logic to each codebase individually while treating the configuration as a shared, project-level resource.
 
 1. **Identify Codebases** conceptually parse the firebase.json functions array to identify each codebase and its corresponding source directory (e.g., teamA, teamB).
@@ -40,6 +42,7 @@ Do not prefix parameter names with the codebase name (e.g., avoid TEAM_A_API_KEY
 - **Injected outside Firebase at runtime?** → `process.env.NAME`
 
 ### 3. Edge‑case notes
+
 - **Invalid keys** – Some config keys cannot be directly converted to valid environment variable names (e.g., keys starting with digits, containing invalid characters). These will be marked in the configuration analysis. Always:
   - Ask the user for their preferred prefix (default suggestion: `CONFIG_`)
   - Apply the same prefix consistently to all invalid keys
@@ -66,10 +69,11 @@ import { defineString } from "firebase-functions/params";
 const GREETING = defineString("SOME_GREETING");
 console.log(GREETING.value());
 ```
+
 </example>
 
 <example>
-### Example 2 – senitive configurations as secrets
+### Example 2 – sensitive configurations as secrets
 
 **Before**
 
@@ -95,8 +99,10 @@ export const processPayment = onCall(
   () => {
     const apiKey = STRIPE_KEY.value();
     // ...
-});
+  },
+);
 ```
+
 </example>
 
 <example>
@@ -106,12 +112,14 @@ export const processPayment = onCall(
 import { defineList, defineBoolean } from "firebase-functions/params";
 const FEATURE_X_ENABLED = defineBoolean("FEATURE_X_ENABLED", { default: false });
 ```
+
 </example>
 
 <example>
 ### Example 4 - Nested configuration values
 
 **Before**
+
 ```ts
 import * as functions from "firebase-functions";
 
@@ -144,18 +152,15 @@ import { onCall } from "firebase-functions/v2/https";
 const SERVICE_API_KEY = defineSecret("SERVICE_API_KEY");
 const SERVICE_API_ENDPOINT = defineString("SERVICE_API_ENDPOINT");
 
-const SERVICE_DB_USER = defineString("SERVICE_DB_USER"); // nested configrations are flattened
+const SERVICE_DB_USER = defineString("SERVICE_DB_USER"); // nested configurations are flattened
 const SERVICE_DB_PASS = defineSecret("SERVICE_DB_PASS");
 const SERVICE_DB_URL = defineString("SERVICE_DB_URL");
 
 export const processUserData = onCall(
   { secrets: [SERVICE_API_KEY, SERVICE_DB_PASS] },
   async (request) => {
     if (!request.auth) {
-      throw new HttpsError(
-        "unauthenticated",
-        "The function must be called while authenticated."
-      );
+      throw new HttpsError("unauthenticated", "The function must be called while authenticated.");
     }
 
     const service = new ThirdPartyService({
@@ -171,15 +176,17 @@ export const processUserData = onCall(
 
     // ... function logic using the service and db clients
     return { status: "success" };
-  }
+  },
 );
 ```
+
 </example>
 
 <example>
 ### Example 5 - indirect access via intermediate variable
 
 **Before**
+
 ```ts
 import functions from "firebase-functions";
 
@@ -192,6 +199,7 @@ const accountSid = providerConfig["account-sid"]; // not sensitive
 ```
 
 **After**
+
 ```ts
 import { defineSecret, defineString } from "firebase-functions/params";
 
@@ -204,8 +212,10 @@ const TFA_PROVIDER_ACCOUNT_SID = defineString("TFA_PROVIDER_ACCOUNT_SID");
 const apiKey = TFA_PROVIDER_API_KEY.value();
 const accountSid = TFA_PROVIDER_ACCOUNT_SID.value();
 ```
+
 </example>
 
 ## Final Notes
+
 - Be comprehensive. Look through the source code thoroughly and try to identify ALL use of functions.config() API.
-- Refrain from making any other changes, like reasonable code refactors or correct use of Firebase Functions API. Scope the change just to functions.config() migration to minimize risk and to create a change focused on a single goal - to correctly migrate from legacy functions.config() API
+- Refrain from making any other changes, like reasonable code refactors or correct use of Firebase Functions API. Scope the change just to functions.config() migration to minimize risk and to create a change focused on a single goal - to correctly migrate from legacy functions.config() API

scripts/extensions-deploy-tests/tests.ts

@@ -27,7 +27,7 @@ describe("firebase deploy --only extensions", () => {
       FIREBASE_PROJECT,
       ["--only", "extensions", "--non-interactive", "--force"],
       (data: any) => {
-        if (`${data}`.match(/Deploy complete/)) {
+        if (/Deploy complete/.exec(`${data}`)) {
           return true;
         }
       },

scripts/gen-auth-api-spec.ts

@@ -301,7 +301,6 @@ function forEachOperation(openapi3: any, callback: (operation: any) => void): vo
  *
  * This is needed for API specs that has a different server than the main one
  * (e.g. securetokens.googleapis.com) so its server is preserved after merge.
- *
  * @param openapi3 the API spec to patch.
  */
 function pushServersDownToEachPath(openapi3: any): void {

scripts/storage-emulator-integration/conformance/persistence.test.ts

@@ -79,7 +79,7 @@ describe("Storage persistence conformance tests", () => {
         firebase.initializeApp(appConfig);
         if (!useProductionServers) {
           firebase.auth().useEmulator(authEmulatorHost);
-          const [storageHost, storagePort] = storageEmulatorHost.split(":") as string[];
+          const [storageHost, storagePort] = storageEmulatorHost.split(":");
           (firebase.storage() as any).useEmulator(storageHost, storagePort);
         }
       },

scripts/storage-emulator-integration/utils.ts

@@ -13,6 +13,9 @@ export const SMALL_FILE_SIZE = 200 * 1024; /* 200 kB */
 // Firebase Emulator config, for starting up emulators
 export const FIREBASE_EMULATOR_CONFIG = "firebase.json";
 
+/**
+ *
+ */
 export function readEmulatorConfig(config = FIREBASE_EMULATOR_CONFIG): FrameworkOptions {
   try {
     return readJson(config);
@@ -23,6 +26,9 @@ export function readEmulatorConfig(config = FIREBASE_EMULATOR_CONFIG): Framework
   }
 }
 
+/**
+ *
+ */
 export function getStorageEmulatorHost(emulatorConfig: FrameworkOptions) {
   const port = emulatorConfig.emulators?.storage?.port;
   if (port) {
@@ -31,6 +37,9 @@ export function getStorageEmulatorHost(emulatorConfig: FrameworkOptions) {
   throw new Error("Storage emulator config not found or invalid");
 }
 
+/**
+ *
+ */
 export function getAuthEmulatorHost(emulatorConfig: FrameworkOptions) {
   const port = emulatorConfig.emulators?.auth?.port;
   if (port) {
@@ -41,36 +50,53 @@ export function getAuthEmulatorHost(emulatorConfig: FrameworkOptions) {
 
 /**
  * Reads a JSON file in the current directory.
- *
  * @param filename name of the JSON file to be read. Must be in the current directory.
  */
 export function readJson(filename: string) {
   return JSON.parse(readFile(filename));
 }
 
+/**
+ *
+ */
 export function readAbsoluteJson(filename: string) {
   return JSON.parse(readAbsoluteFile(filename));
 }
 
+/**
+ *
+ */
 export function readFile(filename: string): string {
   const fullPath = path.join(__dirname, filename);
   return readAbsoluteFile(fullPath);
 }
+/**
+ *
+ */
 export function readAbsoluteFile(filename: string): string {
   if (!fs.existsSync(filename)) {
     throw new Error(`Can't find file at ${filename}`);
   }
   return fs.readFileSync(filename, "utf8");
 }
 
+/**
+ *
+ */
 export function getTmpDir(): string {
   return fs.mkdtempSync(path.join(os.tmpdir(), "storage-files"));
 }
 
+/**
+ *
+ */
 export function createRandomFile(filename: string, sizeInBytes: number, tmpDir: string): string {
   return writeToFile(filename, crypto.randomBytes(sizeInBytes), tmpDir);
 }
 
+/**
+ *
+ */
 export function writeToFile(filename: string, contents: Buffer, tmpDir: string): string {
   const fullPath = path.join(tmpDir, filename);
   fs.writeFileSync(fullPath, contents);
@@ -84,6 +110,9 @@ export async function resetStorageEmulator(emulatorHost: string) {
   await fetch(`${emulatorHost}/internal/reset`, { method: "POST" });
 }
 
+/**
+ *
+ */
 export async function getProdAccessToken(serviceAccountKey: any): Promise<string> {
   const jwtClient = new google.auth.JWT(
     serviceAccountKey.client_email,

src/accountExporter.ts

@@ -122,6 +122,9 @@ function transUserJson(user: any): any {
   return newUser;
 }
 
+/**
+ *
+ */
 export function validateOptions(options: any, fileName: string): any {
   const exportOptions: any = {};
   if (fileName === undefined) {
@@ -170,6 +173,9 @@ function createWriteUsersToFile(): (
   };
 }
 
+/**
+ *
+ */
 export async function serialExportUsers(projectId: string, options: any): Promise<any> {
   if (!options.writeUsersToFile) {
     options.writeUsersToFile = createWriteUsersToFile();

src/accountImporter.ts

@@ -110,6 +110,9 @@ function genUploadAccountPostBody(projectId: string, accounts: any[], hashOption
   return postBody;
 }
 
+/**
+ *
+ */
 export function transArrayToUser(arr: any[]): any {
   const user = {
     localId: arr[0],
@@ -144,6 +147,9 @@ export function transArrayToUser(arr: any[]): any {
   return user;
 }
 
+/**
+ *
+ */
 export function validateOptions(options: any): any {
   const hashOptions = validateRequiredParameters(options);
   if (!hashOptions.valid) {
@@ -271,6 +277,9 @@ function validateProviderUserInfo(providerUserInfo: { providerId: string; error?
   return {};
 }
 
+/**
+ *
+ */
 export function validateUserJson(userJson: any): { error?: string } {
   const keydiff = Object.keys(userJson).filter((k) => !ALLOWED_JSON_KEYS.includes(k));
   if (keydiff.length) {
@@ -325,6 +334,9 @@ async function sendRequest(projectId: string, userList: any[], hashOptions: any)
     });
 }
 
+/**
+ *
+ */
 export function serialImportUsers(
   projectId: string,
   hashOptions: any,

src/apiv2.ts

@@ -124,7 +124,7 @@ export function setAccessToken(token = ""): void {
 
 /**
  * Gets a singleton access token
- * @returns An access token
+ * @return An access token
  */
 export async function getAccessToken(): Promise<string> {
   const valid = auth.haveValidTokens(refreshToken, []);
@@ -228,9 +228,8 @@ export class Client {
   /**
    * Makes a request as specified by the options.
    * By default, this will:
-   *   - use content-type: application/json
-   *   - assume the HTTP GET method
-   *
+   * - use content-type: application/json
+   * - assume the HTTP GET method
    * @example
    * const res = apiv2.request<ResourceType>({
    *   method: "POST",

src/appdistribution/options-parser-util.ts

@@ -36,6 +36,9 @@ export function getEmails(emails: string[], file: string): string[] {
 }
 
 // Ensures a the file path that the user input is valid
+/**
+ *
+ */
 export function ensureFileExists(file: string, message = ""): void {
   if (!fs.existsSync(file)) {
     throw new FirebaseError(`File ${file} does not exist: ${message}`);
@@ -51,12 +54,18 @@ function splitter(value: string): string[] {
 }
 
 // Gets project name from project number
+/**
+ *
+ */
 export async function getProjectName(options: any): Promise<string> {
   const projectNumber = await needProjectNumber(options);
   return `projects/${projectNumber}`;
 }
 
 // Gets app name from appId
+/**
+ *
+ */
 export function getAppName(options: any): string {
   if (!options.app) {
     throw new FirebaseError("set the --app option to a valid Firebase app id and try again");

src/appdistribution/types.ts

@@ -100,6 +100,9 @@ export interface DeviceExecution {
   inconclusiveReason?: string;
 }
 
+/**
+ *
+ */
 export function mapDeviceToExecution(device: TestDevice): DeviceExecution {
   return {
     device: {