@dereekb/firebase 13.11.17 → 13.12.0

package/eslint/package.json

@@ -1,11 +1,13 @@
 {
   "name": "@dereekb/firebase/eslint",
-  "version": "13.11.17",
+  "version": "13.12.0",
   "peerDependencies": {
+    "@marcbachmann/cel-js": "^7.6.1",
     "@typescript-eslint/utils": "8.59.3"
   },
   "devDependencies": {
-    "@dereekb/util": "13.11.17",
+    "@dereekb/util": "13.12.0",
+    "@marcbachmann/cel-js": "^7.6.1",
     "@typescript-eslint/parser": "8.59.3",
     "eslint": "10.4.0"
   },

package/eslint/rollup.alias-internal.config.d.ts

@@ -0,0 +1 @@
+export default function applyInternalAliases(config: any, _options: any): Promise<any>;

package/eslint/src/lib/firebase-rules-text.d.ts

@@ -0,0 +1,121 @@
+import type { Maybe } from '@dereekb/util';
+/**
+ * One brace-delimited block extracted by {@link extractTopLevelBlocks}: a `match`, a
+ * `function`, a `service`, or any other `<header> { ... }` shape in a Firebase rules
+ * source. Offsets are relative to the body that was scanned.
+ */
+export interface RawBlock {
+    readonly header: string;
+    readonly body: string;
+    readonly headerStart: number;
+    readonly bodyStart: number;
+}
+/**
+ * Strips `//`-style line comments from a Firebase rules source string so the brace
+ * walker doesn't trip on braces / semicolons embedded in comments.
+ *
+ * @param source - Raw rules source.
+ * @returns The source with line comments replaced by equal-length whitespace (so offsets are preserved).
+ */
+export declare function stripLineComments(source: string): string;
+/**
+ * Masks `{name}` and `{name=**}` path-variable braces with private-use characters so the
+ * brace walker never confuses them with block braces. Same-length substitution preserves
+ * offsets. Catch-all deny patterns retain a recognizable shape because the inner text
+ * (e.g. `allPaths=**`) is untouched.
+ *
+ * @param source - The (comment-stripped) source.
+ * @returns The source with path-variable braces masked.
+ */
+export declare function maskPathVariables(source: string): string;
+/**
+ * Reverses {@link maskPathVariables} so header / path text reported to callers shows the
+ * original `{name}` form.
+ *
+ * @param text - Text containing masked path variables.
+ * @returns The text with `{name}` braces restored.
+ */
+export declare function unmaskPathVariables(text: string): string;
+/**
+ * Resolves the 1-based line and 1-based column of a character offset in the source string.
+ *
+ * @param source - The original source.
+ * @param index - Zero-based character offset.
+ * @returns The line/column pair.
+ */
+export declare function indexToLineColumn(source: string, index: number): {
+    line: number;
+    column: number;
+};
+/**
+ * Finds the matching closing brace for the opening brace at `openIndex` in `source`,
+ * respecting nesting. Returns the index of the closing brace, or -1 when unbalanced.
+ * `source` must be the masked version so path-variable braces don't pollute the count.
+ *
+ * @param source - The masked source string.
+ * @param openIndex - Index of an opening brace.
+ * @returns Index of the matching closing brace, or -1.
+ */
+export declare function findMatchingBrace(source: string, openIndex: number): number;
+/**
+ * Walks backward from `openIndex` to find where this block's header starts: just past the
+ * previous `;` or `}` (now always a true block-sibling close, since path-variable braces
+ * are masked), then forward through whitespace to the first significant char.
+ *
+ * @param body - The masked source slice being scanned.
+ * @param cursor - The search start position (right after the previous sibling's `}`).
+ * @param openIndex - Index of this block's opening brace.
+ * @returns Start index of the header.
+ */
+export declare function findHeaderStart(body: string, cursor: number, openIndex: number): number;
+/**
+ * Extracts top-level brace-delimited blocks inside `body` (path-variable-masked). Each
+ * block carries its header text (with masking still applied — callers unmask when
+ * reporting) and the inner body. Function definitions, match blocks, and `service` /
+ * bucket-root wrappers are all returned as raw blocks.
+ *
+ * @param body - The masked source slice to scan.
+ * @returns The list of top-level child blocks.
+ */
+export declare function extractTopLevelBlocks(body: string): RawBlock[];
+/**
+ * Pulls the match-path segment out of a `match /<segment> { ... }` header. The segment is
+ * unmasked before being returned so callers see original `{name}` braces.
+ *
+ * @param header - The (still-masked) header text.
+ * @returns The path segment with the leading `/`, or null when the header is not a match.
+ */
+export declare function matchHeaderPath(header: string): Maybe<string>;
+/**
+ * Pulls the function name out of a `function <name>() { ... }` header.
+ *
+ * @param header - The header text.
+ * @returns The function name, or null when the header is not a function definition.
+ */
+export declare function functionHeaderName(header: string): Maybe<string>;
+/**
+ * Pulls the `return <expression>` body out of a function definition's inner block. The
+ * body may span multiple lines (CEL expressions wrap freely across newlines); we capture
+ * everything from after `return ` to the closing `}`-relative end of `body`, then strip
+ * an optional trailing `;` and surrounding whitespace.
+ *
+ * @param body - The inner body of a function block (already line-comment-stripped).
+ * @returns The expression text after `return`, or null when no `return` is present.
+ */
+export declare function functionReturnExpression(body: string): Maybe<string>;
+/**
+ * Joins a child match segment onto a parent path so nested matches resolve to absolute paths.
+ *
+ * @param parentPath - The accumulated parent path (e.g. `/uploads/u/{uid}`).
+ * @param childSegment - The child match's segment (e.g. `/avatar.img`).
+ * @returns The combined path.
+ */
+export declare function joinMatchPath(parentPath: string, childSegment: string): string;
+/**
+ * Returns true when the unmasked segment is the catch-all `{var=**}` wildcard that means
+ * "any path" (used for deny rules like `match /{allPaths=**} { allow read, write: if false; }`).
+ *
+ * @param segment - The unmasked match segment to test.
+ * @returns True for catch-all wildcards.
+ */
+export declare function isCatchAllSegment(segment: string): boolean;

package/eslint/src/lib/firestore-rules-parser.d.ts

@@ -0,0 +1,61 @@
+import type { Maybe } from '@dereekb/util';
+/**
+ * One `match /<segment>` block in `firestore.rules`. Nested matches appear as `children`.
+ * `collectionName` is the first bare-identifier segment of the match path (e.g. `pr`,
+ * `gbe`, `sys`); it is `null` only when the match path is purely a `{path=**}` wildcard
+ * with no following collection segment.
+ */
+export interface ParsedFirestoreMatchBlock {
+    /**
+     * Raw unmasked path segment from `match /<segment>` (e.g. `/pr/{profile}`,
+     * `/{path=**}/gbe/{guestbookEntry}`, `/sys/hellosubscheckhqcompany`).
+     */
+    readonly pathSegment: string;
+    /**
+     * First bare-identifier collection token in the path, or `null` when none. Used to pair
+     * a model identity's `collectionName` (e.g. `gb`, `gbe`) against a rules block.
+     */
+    readonly collectionName: Maybe<string>;
+    /**
+     * True when the match path starts with `/{path=**}/` — a collection-group rule that
+     * matches the collection at any depth.
+     */
+    readonly isCollectionGroup: boolean;
+    /**
+     * Children nested inside this block's body, in source order.
+     */
+    readonly children: readonly ParsedFirestoreMatchBlock[];
+    /**
+     * Raw allow directive names declared on this block (e.g. `get`, `list`, `read`, `write`,
+     * `create`, `update`, `delete`). Empty when the block declares no `allow` statements at
+     * its own scope (children may still declare their own).
+     */
+    readonly allowDirectives: readonly string[];
+    readonly sourceLine: number;
+    readonly sourceColumn: number;
+}
+/**
+ * Parses a `firestore.rules` source string and returns the tree of `match` blocks rooted
+ * at the implicit `match /databases/{database}/documents` envelope. Each block's
+ * `collectionName` is the first bare-identifier segment of its match path; nested
+ * subcollection matches appear as `children`.
+ *
+ * @param source - The raw rules source text.
+ * @returns The list of top-level match blocks in source order.
+ *
+ * @example
+ * ```ts
+ * const blocks = parseFirestoreRules(`
+ *   service cloud.firestore {
+ *     match /databases/{database}/documents {
+ *       match /gb/{guestbook} {
+ *         match /gbe/{guestbookEntry} { allow get: if false; }
+ *       }
+ *     }
+ *   }
+ * `);
+ * // blocks[0].collectionName === 'gb'
+ * // blocks[0].children[0].collectionName === 'gbe'
+ * ```
+ */
+export declare function parseFirestoreRules(source: string): ParsedFirestoreMatchBlock[];

package/eslint/src/lib/index.d.ts

@@ -2,5 +2,15 @@ export { FIREBASE_REQUIRE_TAGGED_FIRESTORE_CONSTRAINTS_RULE, type FirebaseRequir
 export { FIREBASE_REQUIRE_DBX_MODEL_FIREBASE_INDEX_QUERY_SUFFIX_RULE, type FirebaseRequireDbxModelFirebaseIndexQuerySuffixRuleOptions, type FirebaseRequireDbxModelFirebaseIndexQuerySuffixRuleDefinition } from './require-dbx-model-firebase-index-query-suffix.rule';
 export { FIREBASE_REQUIRE_DBX_MODEL_FIREBASE_INDEX_COMPANION_TAGS_RULE, type FirebaseRequireDbxModelFirebaseIndexCompanionTagsRuleOptions, type FirebaseRequireDbxModelFirebaseIndexCompanionTagsRuleDefinition } from './require-dbx-model-firebase-index-companion-tags.rule';
 export { FIREBASE_REQUIRE_DBX_MODEL_FIREBASE_INDEX_VALID_DISPATCHER_RULE, type FirebaseRequireDbxModelFirebaseIndexValidDispatcherRuleOptions, type FirebaseRequireDbxModelFirebaseIndexValidDispatcherRuleDefinition } from './require-dbx-model-firebase-index-valid-dispatcher.rule';
+export { FIREBASE_REQUIRE_FIRESTORE_CONSTRAINT_TYPE_PARAMETER_RULE, type FirebaseRequireFirestoreConstraintTypeParameterRuleOptions, type FirebaseRequireFirestoreConstraintTypeParameterRuleDefinition } from './require-firestore-constraint-type-parameter.rule';
+export { FIREBASE_REQUIRE_COMPLETE_CRUD_FUNCTION_CONFIG_MAP_RULE, DEFAULT_CRUD_VERB_NAMES, MODEL_FIREBASE_CRUD_FUNCTION_CONFIG_MAP_TYPE_NAME, type FirebaseRequireCompleteCrudFunctionConfigMapRuleOptions, type FirebaseRequireCompleteCrudFunctionConfigMapRuleDefinition } from './require-complete-crud-function-config-map.rule';
+export { FIREBASE_REQUIRE_API_DETAILS_FOR_CRUD_FUNCTION_RULE, DEFAULT_CRUD_FUNCTION_TYPE_VERBS, DEFAULT_API_DETAILS_FACTORY_NAME, type FirebaseRequireApiDetailsForCrudFunctionRuleOptions, type FirebaseRequireApiDetailsForCrudFunctionRuleDefinition } from './require-api-details-for-crud-function.rule';
+export { FIREBASE_REQUIRE_STORAGEFILE_POLICY_MATCHES_RULES_RULE, DEFAULT_STORAGE_FILE_UPLOAD_POLICY_TYPE_NAME, DEFAULT_STORAGE_RULES_FILENAME, type FirebaseRequireStorageFilePolicyMatchesRulesRuleOptions, type FirebaseRequireStorageFilePolicyMatchesRulesRuleDefinition } from './require-storagefile-policy-matches-rules.rule';
+export { FIREBASE_REQUIRE_FIRESTORE_RULE_FOR_SERVICE_MODEL_RULE, DEFAULT_FIRESTORE_RULES_FILENAME, DEFAULT_REGISTRY_FACTORY_CALL_NAME, DEFAULT_IDENTITY_FACTORY_NAME, DEFAULT_MODEL_SEARCH_ROOTS, type FirebaseRequireFirestoreRuleForServiceModelRuleOptions, type FirebaseRequireFirestoreRuleForServiceModelRuleDefinition, type VirtualModelIdentity } from './require-firestore-rule-for-service-model.rule';
+export { FIREBASE_REQUIRE_DBX_MODEL_SERVICE_FACTORY_TAG_RULE, FIREBASE_MODEL_SERVICE_FACTORY_NAME, FIREBASE_MODEL_SERVICE_FACTORY_MODULE, DBX_MODEL_SERVICE_FACTORY_TAG, type FirebaseRequireDbxModelServiceFactoryTagRuleOptions, type FirebaseRequireDbxModelServiceFactoryTagRuleDefinition } from './require-dbx-model-service-factory-tag.rule';
+export { FIREBASE_REQUIRE_SERVICE_FACTORY_FOR_DBX_MODEL_RULE, DEFAULT_FACTORY_SEARCH_ROOTS, DEFAULT_MODEL_MARKER_TAG, DEFAULT_FACTORY_TAG, type FirebaseRequireServiceFactoryForDbxModelRuleOptions, type FirebaseRequireServiceFactoryForDbxModelRuleDefinition } from './require-service-factory-for-dbx-model.rule';
+export { FIREBASE_REQUIRE_DBX_MODEL_COMPANION_TAGS_RULE, type FirebaseRequireDbxModelCompanionTagsRuleOptions, type FirebaseRequireDbxModelCompanionTagsRuleDefinition } from './require-dbx-model-companion-tags.rule';
+export { parseStorageRules, MIRRORS_POLICY_KEY_MARKER_REGEX, type ParsedRuleBranch, type ParsedStorageRulesBlock } from './storage-rules-parser';
+export { parseFirestoreRules, type ParsedFirestoreMatchBlock } from './firestore-rules-parser';
 export { FIREBASE_ESLINT_PLUGIN, firebaseESLintPlugin, type FirebaseEslintPlugin } from './plugin';
 export { DBX_MODEL_FIREBASE_INDEX_MARKER, DEFAULT_CONSTRAINT_FACTORY_NAMES, DEFAULT_INDEX_AFFECTING_CONSTRAINT_NAMES, DEFAULT_PAGINATION_CONSTRAINT_NAMES, FIREBASE_MODULE, QUERY_SUFFIX } from './util';

package/eslint/src/lib/plugin.d.ts

@@ -2,6 +2,14 @@ import { FIREBASE_REQUIRE_TAGGED_FIRESTORE_CONSTRAINTS_RULE } from './require-ta
 import { FIREBASE_REQUIRE_DBX_MODEL_FIREBASE_INDEX_QUERY_SUFFIX_RULE } from './require-dbx-model-firebase-index-query-suffix.rule';
 import { FIREBASE_REQUIRE_DBX_MODEL_FIREBASE_INDEX_COMPANION_TAGS_RULE } from './require-dbx-model-firebase-index-companion-tags.rule';
 import { FIREBASE_REQUIRE_DBX_MODEL_FIREBASE_INDEX_VALID_DISPATCHER_RULE } from './require-dbx-model-firebase-index-valid-dispatcher.rule';
+import { FIREBASE_REQUIRE_FIRESTORE_CONSTRAINT_TYPE_PARAMETER_RULE } from './require-firestore-constraint-type-parameter.rule';
+import { FIREBASE_REQUIRE_COMPLETE_CRUD_FUNCTION_CONFIG_MAP_RULE } from './require-complete-crud-function-config-map.rule';
+import { FIREBASE_REQUIRE_API_DETAILS_FOR_CRUD_FUNCTION_RULE } from './require-api-details-for-crud-function.rule';
+import { FIREBASE_REQUIRE_STORAGEFILE_POLICY_MATCHES_RULES_RULE } from './require-storagefile-policy-matches-rules.rule';
+import { FIREBASE_REQUIRE_FIRESTORE_RULE_FOR_SERVICE_MODEL_RULE } from './require-firestore-rule-for-service-model.rule';
+import { FIREBASE_REQUIRE_DBX_MODEL_SERVICE_FACTORY_TAG_RULE } from './require-dbx-model-service-factory-tag.rule';
+import { FIREBASE_REQUIRE_SERVICE_FACTORY_FOR_DBX_MODEL_RULE } from './require-service-factory-for-dbx-model.rule';
+import { FIREBASE_REQUIRE_DBX_MODEL_COMPANION_TAGS_RULE } from './require-dbx-model-companion-tags.rule';
 /**
  * ESLint plugin interface for `@dereekb/firebase` rules.
  */
@@ -11,6 +19,14 @@ export interface FirebaseEslintPlugin {
         readonly 'require-dbx-model-firebase-index-query-suffix': typeof FIREBASE_REQUIRE_DBX_MODEL_FIREBASE_INDEX_QUERY_SUFFIX_RULE;
         readonly 'require-dbx-model-firebase-index-companion-tags': typeof FIREBASE_REQUIRE_DBX_MODEL_FIREBASE_INDEX_COMPANION_TAGS_RULE;
         readonly 'require-dbx-model-firebase-index-valid-dispatcher': typeof FIREBASE_REQUIRE_DBX_MODEL_FIREBASE_INDEX_VALID_DISPATCHER_RULE;
+        readonly 'require-firestore-constraint-type-parameter': typeof FIREBASE_REQUIRE_FIRESTORE_CONSTRAINT_TYPE_PARAMETER_RULE;
+        readonly 'require-complete-crud-function-config-map': typeof FIREBASE_REQUIRE_COMPLETE_CRUD_FUNCTION_CONFIG_MAP_RULE;
+        readonly 'require-api-details-for-crud-function': typeof FIREBASE_REQUIRE_API_DETAILS_FOR_CRUD_FUNCTION_RULE;
+        readonly 'require-storagefile-policy-matches-rules': typeof FIREBASE_REQUIRE_STORAGEFILE_POLICY_MATCHES_RULES_RULE;
+        readonly 'require-firestore-rule-for-service-model': typeof FIREBASE_REQUIRE_FIRESTORE_RULE_FOR_SERVICE_MODEL_RULE;
+        readonly 'require-dbx-model-service-factory-tag': typeof FIREBASE_REQUIRE_DBX_MODEL_SERVICE_FACTORY_TAG_RULE;
+        readonly 'require-service-factory-for-dbx-model': typeof FIREBASE_REQUIRE_SERVICE_FACTORY_FOR_DBX_MODEL_RULE;
+        readonly 'require-dbx-model-companion-tags': typeof FIREBASE_REQUIRE_DBX_MODEL_COMPANION_TAGS_RULE;
     };
 }
 /**

package/eslint/src/lib/predicate-evaluator.d.ts

@@ -0,0 +1,47 @@
+/**
+ * One disjunct of an `allow write: if ...` predicate after helper-function expansion
+ * and DNF conversion. Always carries a numeric byte cap plus at least one MIME constraint.
+ */
+export interface PredicateBranch {
+    readonly maxFileSizeBytes: number;
+    readonly allowedMimeLiterals: readonly string[];
+    readonly allowedMimeRegexes: readonly string[];
+}
+/**
+ * Result of evaluating a CEL `allow write` predicate. When the predicate cannot be reduced
+ * to at least one resource-constraining branch, {@link PredicateEvaluation.branches} is
+ * empty and `unsupported` carries a human-readable reason.
+ */
+export interface PredicateEvaluation {
+    readonly branches: readonly PredicateBranch[];
+    readonly unsupported?: string;
+}
+/**
+ * Map of helper-function names → return-expression text. Entries are sourced from the
+ * surrounding `storage.rules` scope (function definitions reachable from the `match` block).
+ */
+export interface HelperFunctionTable {
+    readonly definitions: ReadonlyMap<string, string>;
+}
+/**
+ * Evaluates a CEL `allow write` predicate into the list of `(size, MIME)` branches the
+ * `require-storagefile-policy-matches-rules` lint rule cross-checks against the TypeScript
+ * upload-policy registry.
+ *
+ * Pipeline: parse with `@marcbachmann/cel-js`, inline zero-arg helper calls at the AST
+ * level, expand to disjunctive normal form, then for each DNF clause harvest:
+ *
+ * - `request.resource.size < N` size caps,
+ * - `request.resource.contentType == '...'` literal MIMEs,
+ * - `request.resource.contentType.matches('...')` MIME regexes,
+ * - `request.resource.contentType in [...]` MIME-list literals.
+ *
+ * A clause becomes a {@link PredicateBranch} only when it has ≥1 size cap AND ≥1 MIME
+ * constraint. Auth-only clauses (e.g. `request.auth.token.a == 1`) are silently dropped —
+ * they don't restrict uploads from the storage perspective.
+ *
+ * @param predicate - The raw predicate text (everything between `if` and `;` in the rules file).
+ * @param helpers - Helper-function bodies in scope at the `match` block.
+ * @returns Reduced branches, plus an `unsupported` reason when reduction yields zero branches or the predicate fails to parse.
+ */
+export declare function evaluatePredicate(predicate: string, helpers: HelperFunctionTable): PredicateEvaluation;

package/eslint/src/lib/require-api-details-for-crud-function.rule.d.ts

@@ -0,0 +1,83 @@
+import { type AstNode } from './util';
+/**
+ * Default CRUD verb names that combine with the `ModelFunction` suffix to form a type-name
+ * pattern this rule treats as a CRUD function declaration (e.g. `OnCallCreateModelFunction`,
+ * `DemoUpdateModelFunction`).
+ *
+ * Mirrors the verbs supported by `ModelFirebaseCrudFunctionConfigMap` — see
+ * `packages/firebase/src/lib/client/function/model.function.factory.ts`.
+ */
+export declare const DEFAULT_CRUD_FUNCTION_TYPE_VERBS: readonly string[];
+/**
+ * Default factory function name that wraps CRUD function declarations and attaches the
+ * `_apiDetails` metadata (`inputType`, `outputType`, `mcp.visibility`, `analytics`) consumed
+ * by the MCP manifest builder. Defined in `packages/firebase-server/src/lib/nest/model/api.details.ts`.
+ */
+export declare const DEFAULT_API_DETAILS_FACTORY_NAME: string;
+/**
+ * Options for the require-api-details-for-crud-function rule.
+ */
+export interface FirebaseRequireApiDetailsForCrudFunctionRuleOptions {
+    /**
+     * Verb fragments that pair with the `ModelFunction` suffix to identify a CRUD function
+     * type annotation. Defaults to {@link DEFAULT_CRUD_FUNCTION_TYPE_VERBS}.
+     */
+    readonly typeVerbs?: readonly string[];
+    /**
+     * Factory function name expected on the initializer. Defaults to {@link DEFAULT_API_DETAILS_FACTORY_NAME}.
+     */
+    readonly factoryName?: string;
+    /**
+     * Declarator names to exempt from the rule. Mainly an escape hatch for tests.
+     */
+    readonly ignoreNames?: readonly string[];
+}
+/**
+ * ESLint rule definition for require-api-details-for-crud-function.
+ */
+export interface FirebaseRequireApiDetailsForCrudFunctionRuleDefinition {
+    readonly meta: {
+        readonly type: 'problem';
+        readonly fixable: undefined;
+        readonly docs: {
+            readonly description: string;
+            readonly recommended: boolean;
+        };
+        readonly messages: Readonly<Record<string, string>>;
+        readonly schema: readonly object[];
+    };
+    create(context: {
+        options: FirebaseRequireApiDetailsForCrudFunctionRuleOptions[];
+        report: (descriptor: {
+            node: AstNode;
+            messageId: string;
+            data?: Record<string, string>;
+        }) => void;
+    }): Record<string, (node: AstNode) => void>;
+}
+/**
+ * ESLint rule that requires every CRUD function declaration — a variable typed as
+ * `On(?:Call)?<Verb>ModelFunction` (or any app-side alias ending with the same `<Verb>ModelFunction`
+ * suffix) — to be initialized with a call to `withApiDetails(...)`.
+ *
+ * Handlers that skip the wrapper compile fine but do not attach the `_apiDetails` metadata
+ * (`inputType`, `mcp.visibility`, `analytics`) that downstream tooling — especially the MCP
+ * manifest builder in `packages/firebase-server-mcp` — reads. The handler then silently fails
+ * to appear in the generated MCP server even though the runtime wires it up.
+ *
+ * The rule is purely syntactic: it inspects the declarator's TS type annotation and the
+ * initializer's `CallExpression` callee name. Type assertions (`as`, `<T>`) on the initializer
+ * are unwrapped before the check.
+ *
+ * @example
+ * ```ts
+ * // OK — wrapped, surfaces to MCP
+ * export const fooCreate: FooCreateModelFunction<X> = withApiDetails({
+ *   inputType, fn: async (req) => ({})
+ * });
+ *
+ * // WARN — missingApiDetails, never reaches MCP
+ * export const fooDelete: FooDeleteModelFunction<X> = async (req) => {};
+ * ```
+ */
+export declare const FIREBASE_REQUIRE_API_DETAILS_FOR_CRUD_FUNCTION_RULE: FirebaseRequireApiDetailsForCrudFunctionRuleDefinition;

package/eslint/src/lib/require-complete-crud-function-config-map.rule.d.ts

@@ -0,0 +1,61 @@
+import { type AstNode } from './util';
+/**
+ * Type-reference name that triggers this rule. Variables whose declared type is
+ * `ModelFirebaseCrudFunctionConfigMap<ConfigType, Identity>` will have their
+ * initializer validated against the structure of `ConfigType`.
+ */
+export declare const MODEL_FIREBASE_CRUD_FUNCTION_CONFIG_MAP_TYPE_NAME = "ModelFirebaseCrudFunctionConfigMap";
+/**
+ * CRUD verb names supported by `ModelFirebaseCrudFunctionConfigMap`. Mirrors the
+ * `create | read | update | delete | query` verbs in the type definition at
+ * `packages/firebase/src/lib/client/function/model.function.factory.ts`.
+ */
+export declare const DEFAULT_CRUD_VERB_NAMES: readonly string[];
+/**
+ * Options for the require-complete-crud-function-config-map rule.
+ */
+export interface FirebaseRequireCompleteCrudFunctionConfigMapRuleOptions {
+    readonly typeName?: string;
+    readonly verbNames?: readonly string[];
+}
+/**
+ * ESLint rule definition for require-complete-crud-function-config-map.
+ */
+export interface FirebaseRequireCompleteCrudFunctionConfigMapRuleDefinition {
+    readonly meta: {
+        readonly type: 'problem';
+        readonly fixable: undefined;
+        readonly docs: {
+            readonly description: string;
+            readonly recommended: boolean;
+        };
+        readonly messages: Readonly<Record<string, string>>;
+        readonly schema: readonly object[];
+    };
+    create(context: {
+        options: FirebaseRequireCompleteCrudFunctionConfigMapRuleOptions[];
+        report: (descriptor: {
+            node: AstNode;
+            messageId: string;
+            data?: Record<string, string>;
+        }) => void;
+    }): Record<string, (node: AstNode) => void>;
+}
+/**
+ * ESLint rule that verifies every `ModelFirebaseCrudFunctionConfigMap<ConfigType, ...>`
+ * variable initializer is structurally complete against its companion `ConfigType`
+ * defined in the same file.
+ *
+ * The rule walks the type alias for `ConfigType` (e.g., `NotificationBoxModelCrudFunctionsConfig`),
+ * builds the expected set of model keys, verbs, and specifiers, and then compares it
+ * against the object-literal initializer of the variable. Each mismatch — missing model
+ * key, missing verb, missing specifier, disabled-but-present key, etc. — is reported as
+ * an error so the const stays in sync with its companion type even when the TypeScript
+ * mapped-type enforcement decays in larger codebases.
+ *
+ * Same-file resolution only: the companion type must be declared in the same source
+ * file as the const (matching the convention in `notification.api.ts`, `oidcmodel.api.ts`,
+ * `storagefile.api.ts`). When the type cannot be located, the rule reports
+ * `configTypeNotFound`.
+ */
+export declare const FIREBASE_REQUIRE_COMPLETE_CRUD_FUNCTION_CONFIG_MAP_RULE: FirebaseRequireCompleteCrudFunctionConfigMapRuleDefinition;

package/eslint/src/lib/require-dbx-model-companion-tags.rule.d.ts

@@ -0,0 +1,47 @@
+interface AstNode {
+    readonly type: string;
+    [key: string]: any;
+}
+/**
+ * Options for the require-dbx-model-companion-tags rule.
+ */
+export interface FirebaseRequireDbxModelCompanionTagsRuleOptions {
+    readonly allowedEncodings?: readonly string[];
+    readonly knownCompanions?: readonly string[];
+    readonly requireBareMarker?: boolean;
+    readonly requireRead?: boolean;
+}
+/**
+ * ESLint rule definition for require-dbx-model-companion-tags.
+ */
+export interface FirebaseRequireDbxModelCompanionTagsRuleDefinition {
+    readonly meta: {
+        readonly type: 'suggestion';
+        readonly fixable: 'code';
+        readonly docs: {
+            readonly description: string;
+            readonly recommended: boolean;
+        };
+        readonly messages: Readonly<Record<string, string>>;
+        readonly schema: readonly object[];
+    };
+    create(context: {
+        options: FirebaseRequireDbxModelCompanionTagsRuleOptions[];
+        report: (descriptor: {
+            loc?: AstNode;
+            messageId: string;
+            data?: Record<string, string>;
+        }) => void;
+        sourceCode: AstNode;
+    }): Record<string, (node: AstNode) => void>;
+}
+/**
+ * ESLint rule enforcing `@dbxModel` / `@dbxModelSubObject` / `@dbxModelOrganizationalGroupRoot`
+ * companion tags. Mirrors the scanner schema at
+ * `packages/dbx-cli/src/lib/mcp-scan/scan/extract-models/find-interfaces.ts`.
+ *
+ * Does NOT enforce a Slug / Category / Tags shape because the scanner does
+ * not consume those for this family.
+ */
+export declare const FIREBASE_REQUIRE_DBX_MODEL_COMPANION_TAGS_RULE: FirebaseRequireDbxModelCompanionTagsRuleDefinition;
+export {};

package/eslint/src/lib/require-dbx-model-service-factory-tag.rule.d.ts

@@ -0,0 +1,56 @@
+import { type AstNode } from './util';
+/**
+ * Module that exports {@link FIREBASE_MODEL_SERVICE_FACTORY_NAME} — `@dereekb/firebase`.
+ */
+export declare const FIREBASE_MODEL_SERVICE_FACTORY_MODULE = "@dereekb/firebase";
+/**
+ * Imported name of the model-service factory whose calls trigger this rule.
+ */
+export declare const FIREBASE_MODEL_SERVICE_FACTORY_NAME = "firebaseModelServiceFactory";
+/**
+ * JSDoc tag that declares which Firestore model a `firebaseModelServiceFactory(...)` export
+ * implements. Value is the canonical `FirestoreModelIdentity.modelType` string
+ * (e.g. `guestbook`, `guestbookEntry`).
+ */
+export declare const DBX_MODEL_SERVICE_FACTORY_TAG = "dbxModelServiceFactory";
+/**
+ * Options for the require-dbx-model-service-factory-tag rule.
+ */
+export interface FirebaseRequireDbxModelServiceFactoryTagRuleOptions {
+    readonly factoryName?: string;
+    readonly allowedImportSources?: readonly string[];
+    readonly tagName?: string;
+}
+/**
+ * ESLint rule definition for require-dbx-model-service-factory-tag.
+ */
+export interface FirebaseRequireDbxModelServiceFactoryTagRuleDefinition {
+    readonly meta: {
+        readonly type: 'problem';
+        readonly fixable: undefined;
+        readonly docs: {
+            readonly description: string;
+            readonly recommended: boolean;
+        };
+        readonly messages: Readonly<Record<string, string>>;
+        readonly schema: readonly object[];
+    };
+    create(context: {
+        options: FirebaseRequireDbxModelServiceFactoryTagRuleOptions[];
+        report: (descriptor: {
+            node: AstNode;
+            messageId: string;
+            data?: Record<string, string>;
+        }) => void;
+        sourceCode: AstNode;
+    }): Record<string, (node: AstNode) => void>;
+}
+/**
+ * ESLint rule that requires every `firebaseModelServiceFactory(...)` export to carry a
+ * leading `@dbxModelServiceFactory <modelType>` JSDoc tag.
+ *
+ * The tag declares which Firestore model the factory implements, enabling the
+ * dbx-components-mcp model catalog to join factory metadata onto model entries and powering
+ * the orphan-model lint rule.
+ */
+export declare const FIREBASE_REQUIRE_DBX_MODEL_SERVICE_FACTORY_TAG_RULE: FirebaseRequireDbxModelServiceFactoryTagRuleDefinition;

package/eslint/src/lib/require-firestore-constraint-type-parameter.rule.d.ts

@@ -0,0 +1,45 @@
+import { type AstNode } from './util';
+/**
+ * Options for the require-firestore-constraint-type-parameter rule.
+ */
+export interface FirebaseRequireFirestoreConstraintTypeParameterRuleOptions {
+    readonly constraintNames?: readonly string[];
+    readonly additionalConstraintNames?: readonly string[];
+    readonly allowedImportSources?: readonly string[];
+}
+/**
+ * ESLint rule definition for require-firestore-constraint-type-parameter.
+ */
+export interface FirebaseRequireFirestoreConstraintTypeParameterRuleDefinition {
+    readonly meta: {
+        readonly type: 'suggestion';
+        readonly fixable: undefined;
+        readonly docs: {
+            readonly description: string;
+            readonly recommended: boolean;
+        };
+        readonly messages: Readonly<Record<string, string>>;
+        readonly schema: readonly object[];
+    };
+    create(context: {
+        options: FirebaseRequireFirestoreConstraintTypeParameterRuleOptions[];
+        report: (descriptor: {
+            node: AstNode;
+            messageId: string;
+            data?: Record<string, string>;
+        }) => void;
+    }): Record<string, (node: AstNode) => void>;
+}
+/**
+ * ESLint rule that warns when an `@dereekb/firebase` field-path-narrowing constraint factory
+ * (`where`, `orderBy`) is called without a generic type argument. Without `<Model>`, the
+ * overload falls back to a plain `FieldPathOrStringPath`, so field-name typos and renamed
+ * fields silently compile.
+ *
+ * The expected form is `where<Model>('field', '==', value)` / `orderBy<Model>('field')` so
+ * the field path is constrained to `StringKeyPropertyKeys<Model>`.
+ *
+ * Not auto-fixable: the rule cannot safely infer the correct model type from the surrounding
+ * function signature in an ESLint autofix.
+ */
+export declare const FIREBASE_REQUIRE_FIRESTORE_CONSTRAINT_TYPE_PARAMETER_RULE: FirebaseRequireFirestoreConstraintTypeParameterRuleDefinition;