Add Firestore Rules to init prompt (#9207)

Author: samedson

firebase.json

@@ -24,8 +24,6 @@ export const init_auth = resource(
 
 **Implementation:**
 - Create sign-up and login pages using Firebase Authentication
-- Update Firestore security rules and deploy them to ensure only authenticated users can access their own data
-- Handle security rule updates automatically (do not ask developers to go to console)
 
 **Testing & Deployment:**
 - Test the complete sign-up and sign-in flow to verify authentication functionality

src/mcp/resources/guides/init_auth.ts

@@ -22,7 +22,8 @@ export const init_backend = resource(
 The user will likely need to setup Firestore, Authentication, and Hosting. Read the following guides in order. Do not run the app until you have completed all 3 guides.
  1. [Firestore](firebase://guides/init/firestore): read this to setup Firestore database
  2. [Authentication](firebase://guides/init/auth): read this to setup Firebase Authentication to support multi-user apps
- 3. [Hosting](firebase://guides/init/hosting): read this if the user would like to deploy to Firebase Hosting
+ 3. [Firestore Rules](firebase://guides/init/firestore_rules): read this to setup the \`firestore.rules\` file for securing your database
+ 4. [Hosting](firebase://guides/init/hosting): read this if the user would like to deploy to Firebase Hosting
 
 **firebase.json**
 The firebase.json file is used to deploy Firebase products with the firebase deploy command.

src/mcp/resources/guides/init_backend.ts

@@ -8,6 +8,7 @@ export const init_firestore = resource(
     description: "guides the coding agent through configuring Firestore in the current project",
   },
   async (uri) => {
+    const date = getTomorrowDate();
     return {
       contents: [
         {
@@ -18,6 +19,7 @@ export const init_firestore = resource(
 **Database Setup:**
 - Configure Firebase Firestore as the primary database for the application
 - Implement client code for basic CRUD operations using the Firestore SDK
+- Write the default \`firestore.rules\` file (see below)
 - Run \`firebase deploy --only firestore\` to provision the database automatically
 - Use production environment directly (avoid emulator for initial setup)
 
@@ -45,9 +47,31 @@ export const init_firestore = resource(
 - **Authentication**: Recommend implementing Firebase Authentication if the application handles sensitive user data or has open security rules
 - **User Management**: Implement user sign-up and login features with Firebase Authentication to establish proper data validation and access controls
 - **Security Rules**: Configure user-based security rules based on your application's specific requirements
+
+### Default \`firestore.rules\` file:
+
+\`\`\`
+// Allow reads and writes to all documents for authenticated users.
+// This rule will only be valid until tomorrow.
+rules_version = '2';
+service cloud.firestore {
+  match /databases/{database}/documents {
+    match /{document=**} {
+      allow read, write: if request.auth != null && request.time < timestamp.date(${date.year}, ${date.month}, ${date.day});
+    }
+  }
+}
+\`\`\`
 `.trim(),
         },
       ],
     };
   },
 );
+
+function getTomorrowDate() {
+  const tomorrow = new Date();
+  tomorrow.setDate(tomorrow.getDate() + 1);
+  // Month is 0-indexed, so add 1
+  return { year: tomorrow.getFullYear(), month: tomorrow.getMonth() + 1, day: tomorrow.getDate() };
+}

src/mcp/resources/guides/init_firestore.ts

@@ -0,0 +1,58 @@
+import { resource } from "../../resource";
+
+export const init_firestore_rules = resource(
+  {
+    uri: "firebase://guides/init/firestore_rules",
+    name: "firestore_rules_init_guide",
+    title: "Firestore Rules Init Guide",
+    description:
+      "guides the coding agent through setting up Firestore security rules in the project",
+  },
+  async (uri, { config }) => {
+    return {
+      contents: [
+        {
+          uri,
+          type: "text",
+          text: `
+# Firestore Rules
+This guide walks you through updating the Firestore security rules and deploying them to ensure only authenticated users can access their own data.
+
+Contents of the user's current \`firestore.rules\` file:
+
+\`\`\`
+${config.readProjectFile("firestore.rules", { fallback: "<FILE DOES NOT EXIST>" })}
+\`\`\`
+
+1. Create the personalData and publicData security rules (seen below). If they have existing \`firestore.rules\`, integrate these with the user's existing rules.
+2. Validate & fix the security rules using the \`validate_rules\` tool. Only continue to the next step when the \`validate_rules\` tool succeeds
+3. Update queries in the user's app to use the updated security rules
+4. Print the contents of the \`firestore.rules\` file. Ask the user for permission to deploy the rules. Do not continue until the user confirms. Deploy the security rules using \`firebase deploy --only firestore\` in the terminal. Do not tell the user to go to the console to deploy rules as this command will do it automatically.
+
+For database entities that neatly fall into the "personal" and "public categories, you can use the personalData and publicData rules. Use the following firestore.rules file, and add a comment above 'personalData' and 'publicData' to note what entities apply to each rule.
+
+\`\`\`
+rules_version = '2';
+
+service cloud.firestore {
+  match /databases/{database}/documents {
+    match /personalData/{appId}/users/{uid}/{collectionName}/{docId} {
+      allow get: if uid == request.auth.uid;
+      allow list: if uid == request.auth.uid && request.query.limit <= 100;
+      allow write: if uid == request.auth.uid;
+    }
+
+    match /publicData/{appId}/{collectionName}/{docId} {
+      allow get: if true;
+      allow list: request.query.limit <= 100;
+      allow write: if true;
+    }
+  }
+}
+\`\`\`
+`.trim(),
+        },
+      ],
+    };
+  },
+);

src/mcp/resources/guides/init_firestore_rules.ts

@@ -6,6 +6,7 @@ import { init_auth } from "./guides/init_auth";
 import { init_backend } from "./guides/init_backend";
 import { init_data_connect } from "./guides/init_data_connect";
 import { init_firestore } from "./guides/init_firestore";
+import { init_firestore_rules } from "./guides/init_firestore_rules";
 import { init_hosting } from "./guides/init_hosting";
 import { init_rtdb } from "./guides/init_rtdb";
 import { ServerResource, ServerResourceTemplate } from "../resource";
@@ -15,6 +16,7 @@ export const resources = [
   init_ai,
   init_data_connect,
   init_firestore,
+  init_firestore_rules,
   init_rtdb,
   init_auth,
   init_hosting,