This repository holds code snippets used in security rules documentation on firebase.google.com.
This Gemini CLI extension helps you generate secure Firebase Security Rules and corresponding unit tests for your project.
Note: The rules are generated by AI and are NOT to be trusted without human approval. The Firebase Security team advises that you review the generated rules against your project's domain and your security requirements. Also review the generated tests and execute them.
```shell
# Install the Firebase MCP extension (prerequisite for syntactically correct rule generation)
gemini extensions install https://github.com/gemini-cli-extensions/firebase

# Install the Firebase Rules extension
gemini extensions install https://github.com/firebase/snippets-rules --ref=master
```

This command automates the creation of firestore.rules and accompanying unit tests by performing a comprehensive analysis of your codebase.
```shell
# Generation of Firestore rules -- generates `firestore.rules` and the `rules_test` directory
/firebase-rules:firestore Generate rules using PROJECT ID `<firebase-project-id>`.
```

Note: Allow any tool usage as you deem fit during the execution.
This command automates the creation of storage.rules and accompanying unit tests by performing a comprehensive analysis of your codebase.

```shell
# Generation of Firebase Storage rules -- generates `storage.rules` and the `storage_rules_test` directory
/firebase-rules:storage Generate rules using PROJECT ID `<firebase-project-id>` and BUCKET NAME `<your bucket name>`.
```

Note: Allow any tool usage as you deem fit during the execution.
These commands follow a rigorous, multi-phase process to ensure the generated rules are secure and reliable:
- Codebase Analysis: It scans your entire project to understand your data models, collection paths, and how your application accesses Firestore.
- Security Rule Generation: Based on the analysis, it crafts security rules following the principle of least privilege.
- Security Audit (Devil's Advocate): It actively tries to find vulnerabilities in the generated rules by simulating attacks and unauthorized access attempts.
- Syntax Validation: It uses Firebase tools to ensure the generated rules are syntactically correct.
- Unit Test Generation: It creates a suite of unit tests in the same programming language as your project to verify the rules.
- Test Validation: It runs the generated tests to ensure they accurately cover various scenarios, including authorized and unauthorized operations.
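As an added illustration of what the "least privilege" and "Security Audit" phases aim for, here is a hand-written `firestore.rules` file; it is not output of this extension and not part of this repository, and the `users` and `posts` collections and their fields are assumed for the example. Each rule is a defensive check an audit would probe: unauthenticated reads, writes that forge another user's `ownerId`, ownership transfer on update, and unexpected fields.

```rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Helper functions keep each rule short and easy to audit.
    function signedIn() {
      return request.auth != null;
    }
    function isOwner(uid) {
      return signedIn() && request.auth.uid == uid;
    }
    // Only the listed fields may be present, with the expected types and sizes.
    function validPost(data) {
      return data.keys().hasOnly(['ownerId', 'title', 'body', 'createdAt'])
        && data.ownerId is string
        && data.title is string && data.title.size() <= 120
        && data.body is string && data.body.size() <= 10000
        && data.createdAt is timestamp;
    }

    // A user's profile document is readable and writable only by that user.
    match /users/{userId} {
      allow read, write: if isOwner(userId);
    }

    // Posts: any signed-in user may read; only the owner may create, update or delete.
    match /posts/{postId} {
      allow read: if signedIn();
      // The creator must stamp the document with their own uid and a server timestamp.
      allow create: if isOwner(request.resource.data.ownerId)
                    && validPost(request.resource.data)
                    && request.resource.data.createdAt == request.time;
      // Ownership and creation time cannot be rewritten by an update.
      allow update: if isOwner(resource.data.ownerId)
                    && validPost(request.resource.data)
                    && request.resource.data.ownerId == resource.data.ownerId
                    && request.resource.data.createdAt == resource.data.createdAt;
      allow delete: if isOwner(resource.data.ownerId);
    }

    // Everything not matched above is denied. This is already Firestore's default
    // when no rule allows access; stating it makes the intent explicit to reviewers.
    match /{document=**} {
      allow read, write: if false;
    }
  }
}
```

The generated unit tests in `rules_test` should exercise exactly these boundaries: each `allow` line with a request that satisfies it and at least one that violates a single condition (wrong uid, extra field, changed `ownerId`).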
We love contributions! See CONTRIBUTING.md for guidelines.