Refactor: Combine Rules Validation and Get Rules MCP Tools (#9157)

* refactor: combine firestore, storage, and database validate rules tools

Combines the firestore_validate_rules, storage_validate_rules, and database_validate_rules MCP tools into a single validate_rules MCP tool in the core feature group.

This new tool takes an additional required argument 'type', which can be either 'firestore', 'rtdb', or 'storage', and then triggers the appropriate behavior based on that.

* Format

* Remove unneeded comment

* PR fixes and RTDB cleanup

* feat(mcp): combine get_rules tools (#9158)

* feat(mcp): combine get_rules tools into a single core_get_rules tool

Combines the firestore_get_rules, storage_get_rules, and
database_get_rules tools into a single get_rules tool in the core
tool group.

This new tool takes an additional required argument 'type', which can be
either 'firestore', 'rtdb', or 'storage', and then triggers the
appropriate behavior based on that.

It also adds a validation check to ensure that the `databaseUrl`
argument is only provided when the type is 'rtdb'.

* one last file

* PR fixes

* GCA suggestions

* Formats

---------

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
Co-authored-by: Joe Hanley <[email protected]>

---------

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
Co-authored-by: Joe Hanley <[email protected]>

Author: google-labs-jules[bot]

src/commands/database-instances-create.ts

@@ -25,7 +25,7 @@ export const command = new Command("database:instances:create <instanceName>")
   // eslint-disable-next-line @typescript-eslint/no-explicit-any
   .action(async (instanceName: string, options: any) => {
     const projectId = needProjectId(options);
-    const defaultDatabaseInstance = await getDefaultDatabaseInstance({ project: projectId });
+    const defaultDatabaseInstance = await getDefaultDatabaseInstance(projectId);
     if (defaultDatabaseInstance === "") {
       throw new FirebaseError(MISSING_DEFAULT_INSTANCE_ERROR_MESSAGE);
     }

src/emulator/controller.ts

@@ -754,7 +754,7 @@ export async function startAll(
     // can't because the user may be using a fake project.
     try {
       if (!options.instance) {
-        options.instance = await getDefaultDatabaseInstance(options);
+        options.instance = await getDefaultDatabaseInstance(projectId);
       }
     } catch (e: any) {
       databaseLogger.log(

src/getDefaultDatabaseInstance.ts

@@ -5,7 +5,7 @@ import { getFirebaseProject } from "./management/projects";
  * @param options The command-line options object
  * @return The instance ID, empty if it doesn't exist.
  */
-export async function getDefaultDatabaseInstance(options: any): Promise<string> {
-  const projectDetails = await getFirebaseProject(options.project);
+export async function getDefaultDatabaseInstance(project: string): Promise<string> {
+  const projectDetails = await getFirebaseProject(project);
   return projectDetails.resources?.realtimeDatabaseInstance || "";
 }

src/init/features/database.ts

@@ -110,7 +110,7 @@ async function initializeDatabaseInstance(projectId: string): Promise<DatabaseIn
   await ensure(projectId, rtdbManagementOrigin(), "database", false);
   logger.info();
 
-  const instance = await getDefaultDatabaseInstance({ project: projectId });
+  const instance = await getDefaultDatabaseInstance(projectId);
   if (instance !== "") {
     return await getDatabaseInstanceDetails(projectId, instance);
   }

src/mcp/tools/core/get_rules.ts

@@ -0,0 +1,58 @@
+import { z } from "zod";
+import { Client } from "../../../apiv2";
+import { tool } from "../../tool";
+import { mcpError, toContent } from "../../util";
+import { getLatestRulesetName, getRulesetContent } from "../../../gcp/rules";
+import { getDefaultDatabaseInstance } from "../../../getDefaultDatabaseInstance";
+
+export const get_rules = tool(
+  {
+    name: "get_rules",
+    description: "Retrieves the security rules for a specified Firebase service.",
+    inputSchema: z.object({
+      type: z.enum(["firestore", "rtdb", "storage"]).describe("The service to get rules for."),
+      // TODO: Add a resourceID argument that lets you choose non default buckets/dbs.
+    }),
+    annotations: {
+      title: "Get Firebase Rules",
+      readOnlyHint: true,
+    },
+    _meta: {
+      requiresProject: true,
+      requiresAuth: true,
+    },
+  },
+  async ({ type }, { projectId }) => {
+    if (type === "rtdb") {
+      const dbUrl = await getDefaultDatabaseInstance(projectId);
+      if (dbUrl === "") {
+        return mcpError(`No default RTDB instance found for project ${projectId}`);
+      }
+      const client = new Client({ urlPrefix: dbUrl });
+      const response = await client.request<void, NodeJS.ReadableStream>({
+        method: "GET",
+        path: "/.settings/rules.json",
+        responseType: "stream",
+        resolveOnHTTPError: true,
+      });
+      if (response.status !== 200) {
+        return mcpError(`Failed to fetch current rules. Code: ${response.status}`);
+      }
+
+      const rules = await response.response.text();
+      return toContent(rules);
+    }
+
+    const serviceInfo = {
+      firestore: { productName: "Firestore", releaseName: "cloud.firestore" },
+      storage: { productName: "Storage", releaseName: "firebase.storage" },
+    };
+    const { productName, releaseName } = serviceInfo[type];
+
+    const rulesetName = await getLatestRulesetName(projectId, releaseName);
+    if (!rulesetName)
+      return mcpError(`No active ${productName} rules were found in project '${projectId}'`);
+    const rules = await getRulesetContent(rulesetName);
+    return toContent(rules?.[0].content ?? "Ruleset contains no rules files.");
+  },
+);

src/mcp/tools/core/index.ts

@@ -13,11 +13,14 @@ import { update_environment } from "./update_environment";
 import { list_projects } from "./list_projects";
 import { login } from "./login";
 import { logout } from "./logout";
+import { get_rules } from "./get_rules";
+import { validate_rules } from "./validate_rules";
 import { read_resources } from "./read_resources";
 
 export const coreTools: ServerTool[] = [
   login,
   logout,
+  validate_rules, // TODO (joehan): Only enable this tool when at least once of rtdb/storage/firestore is active.
   get_project,
   list_apps,
   get_admin_sdk_config,
@@ -29,5 +32,6 @@ export const coreTools: ServerTool[] = [
   get_environment,
   update_environment,
   init,
+  get_rules,
   read_resources,
 ];

src/mcp/tools/core/validate_rules.ts

@@ -0,0 +1,141 @@
+import { z } from "zod";
+import { tool } from "../../tool";
+import { mcpError, toContent } from "../../util";
+import { testRuleset } from "../../../gcp/rules";
+import { resolve } from "path";
+import { Client } from "../../../apiv2";
+import { updateRulesWithClient } from "../../../rtdb";
+import { getErrMsg } from "../../../error";
+import { getDefaultDatabaseInstance } from "../../../getDefaultDatabaseInstance";
+
+interface SourcePosition {
+  fileName?: string;
+  line?: number;
+  column?: number;
+  currentOffset?: number;
+  endOffset?: number;
+}
+
+interface Issue {
+  sourcePosition: SourcePosition;
+  description: string;
+  severity: string;
+}
+
+function formatRulesetIssues(issues: Issue[], rulesSource: string): string {
+  const sourceLines = rulesSource.split("\n");
+  const formattedOutput: string[] = [];
+
+  for (const issue of issues) {
+    const { sourcePosition, description, severity } = issue;
+
+    let issueString = `${severity}: ${description} [Ln ${sourcePosition.line}, Col ${sourcePosition.column}]`;
+
+    if (sourcePosition.line) {
+      const lineIndex = sourcePosition.line - 1;
+      if (lineIndex >= 0 && lineIndex < sourceLines.length) {
+        const errorLine = sourceLines[lineIndex];
+        issueString += `\n\`\`\`\n${errorLine}`;
+
+        if (
+          sourcePosition.column &&
+          sourcePosition.currentOffset &&
+          sourcePosition.endOffset &&
+          sourcePosition.column > 0 &&
+          sourcePosition.endOffset > sourcePosition.currentOffset
+        ) {
+          const startColumnOnLine = sourcePosition.column - 1;
+          const errorTokenLength = sourcePosition.endOffset - sourcePosition.currentOffset;
+
+          if (
+            startColumnOnLine >= 0 &&
+            errorTokenLength > 0 &&
+            startColumnOnLine <= errorLine.length
+          ) {
+            const padding = " ".repeat(startColumnOnLine);
+            const carets = "^".repeat(errorTokenLength);
+            issueString += `\n${padding}${carets}\n\`\`\``;
+          }
+        }
+      }
+    }
+    formattedOutput.push(issueString);
+  }
+  return formattedOutput.join("\n\n");
+}
+
+export const validate_rules = tool(
+  {
+    name: "validate_rules",
+    description:
+      "Use this to check Firebase Security Rules for Firestore, Storage, or Realtime Database for syntax and validation errors.",
+    inputSchema: z.object({
+      type: z.enum(["firestore", "storage", "rtdb"]),
+      source: z
+        .string()
+        .optional()
+        .describe("The rules source code to check. Provide either this or a path."),
+      source_file: z
+        .string()
+        .optional()
+        .describe(
+          "A file path, relative to the project root, to a file containing the rules source you want to validate. Provide this or source, not both.",
+        ),
+    }),
+    annotations: {
+      title: "Validate Firebase Security Rules",
+      readOnlyHint: true,
+    },
+    _meta: {
+      requiresProject: true,
+      requiresAuth: true,
+    },
+  },
+  async ({ type, source, source_file }, { projectId, config, host }) => {
+    let rulesSourceContent: string;
+    if (source && source_file) {
+      return mcpError("Must supply `source` or `source_file`, not both.");
+    } else if (source_file) {
+      try {
+        const filePath = resolve(source_file, host.cachedProjectDir!);
+        if (filePath.includes("../"))
+          return mcpError("Cannot read files outside of the project directory.");
+        rulesSourceContent = config.readProjectFile(source_file);
+      } catch (e: any) {
+        return mcpError(`Failed to read source_file '${source_file}': ${e.message}`);
+      }
+    } else if (source) {
+      rulesSourceContent = source;
+    } else {
+      return mcpError("Must supply at least one of `source` or `source_file`.");
+    }
+
+    if (type === "rtdb") {
+      const dbUrl = await getDefaultDatabaseInstance(projectId);
+      const client = new Client({ urlPrefix: dbUrl });
+      try {
+        await updateRulesWithClient(client, source, { dryRun: true });
+      } catch (e: unknown) {
+        host.logger.debug(`failed to validate rules at url ${dbUrl}`);
+        // TODO: This really should only return an MCP error if we couldn't validate
+        // If the rules are invalid, we should return that as content
+        return mcpError(getErrMsg(e));
+      }
+      return toContent("The inputted rules are valid!");
+    }
+
+    // Firestore and Storage
+    const result = await testRuleset(projectId, [
+      { name: "test.rules", content: rulesSourceContent },
+    ]);
+
+    if (result.body?.issues?.length) {
+      const issues = result.body.issues as unknown as Issue[];
+      let out = `Found ${issues.length} issues in rules source:\n\n`;
+      out += formatRulesetIssues(issues, rulesSourceContent);
+      return toContent(out);
+    }
+
+    return toContent("OK: No errors detected.");
+  },
+);

src/mcp/tools/database/get_rules.ts

@@ -1,7 +1,5 @@
 import type { ServerTool } from "../../tool";
-import { get_rules } from "./get_rules";
 import { get_data } from "./get_data";
 import { set_data } from "./set_data";
-import { validate_rules } from "./validate_rules";
 
-export const realtimeDatabaseTools: ServerTool[] = [get_data, set_data, get_rules, validate_rules];
+export const realtimeDatabaseTools: ServerTool[] = [get_data, set_data];