@flarequery/firebase 0.1.0

package/dist/index.cjs

@@ -0,0 +1,564 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  createFunction: () => createFunction,
+  createOnRequest: () => createOnRequest,
+  createServerlessApp: () => createServerlessApp
+});
+module.exports = __toCommonJS(index_exports);
+
+// ../core/src/parser/index.ts
+var ParseError = class extends Error {
+  constructor(message, position) {
+    super(`Parse error at ${position}: ${message}`);
+    this.position = position;
+    this.name = "ParseError";
+  }
+};
+function tokenize(input) {
+  const tokens = [];
+  let i = 0;
+  while (i < input.length) {
+    if (/\s/.test(input[i]) || input[i] === ",") {
+      i++;
+      continue;
+    }
+    if (input[i] === "#") {
+      while (i < input.length && input[i] !== "\n") i++;
+      continue;
+    }
+    if (input[i] === "{") {
+      tokens.push({ kind: "lbrace", value: "{", position: i });
+      i++;
+      continue;
+    }
+    if (input[i] === "}") {
+      tokens.push({ kind: "rbrace", value: "}", position: i });
+      i++;
+      continue;
+    }
+    if (input[i] === "(") {
+      tokens.push({ kind: "lparen", value: "(", position: i });
+      i++;
+      continue;
+    }
+    if (input[i] === ")") {
+      tokens.push({ kind: "rparen", value: ")", position: i });
+      i++;
+      continue;
+    }
+    if (input[i] === ":") {
+      tokens.push({ kind: "colon", value: ":", position: i });
+      i++;
+      continue;
+    }
+    if (input[i] === '"') {
+      const start = i;
+      i++;
+      let str = "";
+      while (i < input.length && input[i] !== '"') {
+        str += input[i];
+        i++;
+      }
+      if (i >= input.length) throw new ParseError("unterminated string literal", start);
+      i++;
+      tokens.push({ kind: "string", value: str, position: start });
+      continue;
+    }
+    if (/[a-zA-Z_]/.test(input[i])) {
+      const start = i;
+      let word = "";
+      while (i < input.length && /[a-zA-Z0-9_]/.test(input[i])) {
+        word += input[i];
+        i++;
+      }
+      tokens.push({ kind: "word", value: word, position: start });
+      continue;
+    }
+    throw new ParseError(`unexpected character '${input[i]}'`, i);
+  }
+  tokens.push({ kind: "eof", value: "", position: i });
+  return tokens;
+}
+var Parser = class {
+  constructor(tokens) {
+    this.tokens = tokens;
+    this.pos = 0;
+  }
+  peek() {
+    return this.tokens[this.pos];
+  }
+  consume(expectedKind) {
+    const token = this.tokens[this.pos];
+    if (expectedKind && token.kind !== expectedKind) {
+      throw new ParseError(`expected ${expectedKind}, got ${token.kind}`, token.position);
+    }
+    this.pos++;
+    return token;
+  }
+  consumeWord(expectedVal) {
+    const token = this.consume("word");
+    if (expectedVal !== void 0 && token.value !== expectedVal) {
+      throw new ParseError(`expected ${expectedVal}, got ${token.value}`, token.position);
+    }
+    return token;
+  }
+  parseQuery() {
+    if (this.peek().kind === "word" && this.peek().value === "query") {
+      this.consume("word");
+    }
+    this.consume("lbrace");
+    const node = this.parseModelSelection();
+    this.consume("rbrace");
+    if (this.peek().kind !== "eof") {
+      throw new ParseError("expected end of query", this.peek().position);
+    }
+    return node;
+  }
+  parseModelSelection() {
+    const modelToken = this.consumeWord();
+    const model = modelToken.value;
+    this.consume("lparen");
+    this.consumeWord("id");
+    this.consume("colon");
+    const idToken = this.consume("string");
+    this.consume("rparen");
+    this.consume("lbrace");
+    const selections = this.parseFieldList();
+    this.consume("rbrace");
+    return { model, id: idToken.value, selections };
+  }
+  parseFieldList() {
+    const fields = [];
+    while (this.peek().kind !== "rbrace" && this.peek().kind !== "eof") {
+      fields.push(this.parseField());
+    }
+    if (fields.length === 0) {
+      throw new ParseError("selection set cannot be empty", this.peek().position);
+    }
+    return fields;
+  }
+  parseField() {
+    const nameToken = this.consumeWord();
+    const name = nameToken.value;
+    if (this.peek().kind === "lbrace") {
+      this.consume("lbrace");
+      const children = this.parseFieldList();
+      this.consume("rbrace");
+      return { name, children };
+    }
+    return { name, children: [] };
+  }
+};
+function parseQuery(input) {
+  const token = tokenize(input);
+  const parse = new Parser(token);
+  return parse.parseQuery();
+}
+
+// ../core/src/planner/index.ts
+var PlanError = class extends Error {
+  constructor(message) {
+    super(`PlanError: ${message}`);
+    this.name = "PlanError";
+  }
+};
+function isRelationField(def) {
+  return typeof def === "object" && "relation" in def;
+}
+function resolveSelections(selections, model, models, ctx, allOps) {
+  const scalarMask = [];
+  const dependents = [];
+  for (const selection of selections) {
+    const fieldDef = model.fields[selection.name];
+    if (fieldDef === void 0) {
+      throw new PlanError(
+        `field '${selection.name}' does not exist on model '${model.source.path}'`
+      );
+    }
+    if (isRelationField(fieldDef)) {
+      if (selection.children.length === 0) {
+        throw new PlanError(
+          `relation field '${selection.name}' must have a selection set`
+        );
+      }
+      const dependent = planRelationField(
+        selection,
+        fieldDef,
+        models,
+        ctx,
+        allOps
+      );
+      dependents.push(dependent);
+    } else {
+      scalarMask.push(selection.name);
+    }
+  }
+  return { scalarMask, dependents };
+}
+function planRelationField(selection, fieldDef, models, ctx, allOps) {
+  const { relation, select: allowedSelects } = fieldDef;
+  const targetModel = models.get(relation.to);
+  if (targetModel === void 0) {
+    throw new PlanError(`relation target model '${relation.to}' is not registered`);
+  }
+  if (allowedSelects !== void 0) {
+    for (const child of selection.children) {
+      if (!allowedSelects.includes(child.name)) {
+        throw new PlanError(
+          `field '${child.name}' is not selectable through relation '${selection.name}'. allowed: [${allowedSelects.join(", ")}]`
+        );
+      }
+    }
+  }
+  if (targetModel.auth !== void 0 && !targetModel.auth(ctx)) {
+    throw new PlanError(`unauthorized access to relation target '${relation.to}'`);
+  }
+  const { scalarMask, dependents: nestedDependents } = resolveSelections(
+    selection.children,
+    targetModel,
+    models,
+    ctx,
+    allOps
+  );
+  const nestedRelationKeys = nestedDependents.map((d) => d.foreignKey);
+  const fieldMask = Array.from(/* @__PURE__ */ new Set([...scalarMask, ...nestedRelationKeys]));
+  let op;
+  if (relation.type === "one") {
+    const getOneOp = {
+      kind: "getOne",
+      collection: targetModel.source.path,
+      id: `$ref:${relation.from}`,
+      fieldMask,
+      dependents: nestedDependents
+    };
+    op = getOneOp;
+  } else {
+    const getManyOp = {
+      kind: "getMany",
+      collection: targetModel.source.path,
+      idsFrom: relation.from,
+      fieldMask,
+      dependents: nestedDependents
+    };
+    op = getManyOp;
+  }
+  allOps.push(op);
+  return {
+    fieldName: selection.name,
+    foreignKey: relation.from,
+    relationType: relation.type,
+    op
+  };
+}
+function planModelSelection(modelName, id, selections, models, ctx, allOps) {
+  const model = models.get(modelName);
+  if (model === void 0) {
+    throw new PlanError(`model '${modelName}' is not registered`);
+  }
+  if (model.auth !== void 0 && !model.auth(ctx)) {
+    throw new PlanError(`unauthorized access to model '${modelName}'`);
+  }
+  const { scalarMask, dependents } = resolveSelections(
+    selections,
+    model,
+    models,
+    ctx,
+    allOps
+  );
+  const relationForeignKeys = dependents.map((d) => d.foreignKey);
+  const fieldMask = Array.from(/* @__PURE__ */ new Set([...scalarMask, ...relationForeignKeys]));
+  const op = {
+    kind: "getOne",
+    collection: model.source.path,
+    id,
+    fieldMask,
+    dependents
+  };
+  allOps.push(op);
+  return op;
+}
+function buildExecutionPlan(queryNode, models, ctx) {
+  const allOps = [];
+  const rootOp = planModelSelection(
+    queryNode.model,
+    queryNode.id,
+    queryNode.selections,
+    models,
+    ctx,
+    allOps
+  );
+  return { root: rootOp, ops: allOps };
+}
+
+// ../core/src/executor/index.ts
+var ExecutionError = class extends Error {
+  constructor(message) {
+    super(`ExecutionError: ${message}`);
+    this.name = "ExecutionError";
+  }
+};
+async function resolveDependents(dependents, docData, adapter) {
+  if (dependents.length === 0) return {};
+  const resolved = await Promise.all(
+    dependents.map(async (dependent) => {
+      const value = await executeOp(dependent.op, docData, adapter);
+      return { fieldName: dependent.fieldName, value };
+    })
+  );
+  const result = {};
+  for (const { fieldName, value } of resolved) {
+    result[fieldName] = value;
+  }
+  return result;
+}
+function resolveId(id, parentDoc) {
+  if (!id.startsWith("$ref:")) return id;
+  const fieldName = id.slice("$ref:".length);
+  if (parentDoc === null) {
+    throw new ExecutionError(
+      `cannot resolve runtime ref '${id}' \u2014 no parent document available`
+    );
+  }
+  const value = parentDoc[fieldName];
+  if (typeof value !== "string") return null;
+  return value;
+}
+async function executeGetOne(op, parentDoc, adapter) {
+  const id = resolveId(op.id, parentDoc);
+  if (id === null) return null;
+  const snapshot = await adapter.getOne(op.collection, id, op.fieldMask);
+  if (!snapshot.exists) return null;
+  const docData = snapshot.data();
+  if (docData === void 0) return null;
+  const result = await resolveDependents(op.dependents, docData, adapter);
+  const foreignKeys = new Set(op.dependents.map((d) => d.foreignKey));
+  for (const [key, value] of Object.entries(docData)) {
+    if (!foreignKeys.has(key) && op.fieldMask.includes(key)) {
+      result[key] = value;
+    }
+  }
+  return result;
+}
+async function executeGetMany(op, parentDoc, adapter) {
+  if (parentDoc === null) {
+    throw new ExecutionError(
+      `getMany op for collection '${op.collection}' has no parent document`
+    );
+  }
+  const rawIds = parentDoc[op.idsFrom];
+  if (!Array.isArray(rawIds) || rawIds.length === 0) return null;
+  const ids = rawIds.filter((v) => typeof v === "string");
+  if (ids.length === 0) return null;
+  const snapshots = await adapter.getMany(op.collection, ids, op.fieldMask);
+  const results = await Promise.all(
+    snapshots.filter((snap) => snap.exists).map(async (snap) => {
+      const docData = snap.data();
+      if (docData === void 0) return null;
+      const result = await resolveDependents(op.dependents, docData, adapter);
+      const foreignKeys = new Set(op.dependents.map((d) => d.foreignKey));
+      for (const [key, value] of Object.entries(docData)) {
+        if (!foreignKeys.has(key) && op.fieldMask.includes(key)) {
+          result[key] = value;
+        }
+      }
+      return result;
+    })
+  );
+  return results.filter((r) => r !== null);
+}
+async function executeOp(op, parentDoc, adapter) {
+  if (op.kind === "getOne") {
+    return executeGetOne(op, parentDoc, adapter);
+  }
+  return executeGetMany(op, parentDoc, adapter);
+}
+async function executeplan(plan, adapter) {
+  try {
+    const data = await executeOp(plan.root, null, adapter);
+    return { data };
+  } catch (err) {
+    if (err instanceof ExecutionError) {
+      return { data: null, errors: [err.message] };
+    }
+    throw err;
+  }
+}
+
+// src/adapter.ts
+var FIRESTORE_GETALL_LIMIT = 300;
+function createFirestoreAdapter(db) {
+  return {
+    async getOne(collection, id, fieldMask) {
+      const ref = db.collection(collection).doc(id);
+      const snapshot = await ref.get();
+      return adaptSnapshot(snapshot, fieldMask);
+    },
+    async getMany(collection, ids, fieldMask) {
+      if (ids.length === 0) return [];
+      const chunks = chunkArray(ids, FIRESTORE_GETALL_LIMIT);
+      const chunkResults = await Promise.all(
+        chunks.map((chunk) => {
+          const refs = chunk.map((id) => db.collection(collection).doc(id));
+          return db.getAll(...refs, { fieldMask });
+        })
+      );
+      return chunkResults.flat().map((snap) => adaptSnapshot(snap, fieldMask));
+    }
+  };
+}
+function adaptSnapshot(snap, fieldMask) {
+  return {
+    id: snap.id,
+    exists: snap.exists,
+    data() {
+      if (!snap.exists) return void 0;
+      const raw = snap.data() ?? {};
+      const masked = {};
+      for (const field of fieldMask) {
+        if (field in raw) {
+          masked[field] = raw[field];
+        }
+      }
+      return masked;
+    }
+  };
+}
+function chunkArray(arr, size) {
+  const chunks = [];
+  for (let i = 0; i < arr.length; i += size) {
+    chunks.push(arr.slice(i, i + size));
+  }
+  return chunks;
+}
+
+// src/app.ts
+function createServerlessApp(options) {
+  const { firestore, auth: firebaseAuth } = options;
+  const models = /* @__PURE__ */ new Map();
+  const adapter = createFirestoreAdapter(firestore);
+  return {
+    model(name, definition) {
+      if (models.has(name)) {
+        throw new Error(`model '${name}' is already registered`);
+      }
+      models.set(name, definition);
+    },
+    async execute(query, ctx) {
+      const queryNode = parseQuery(query);
+      const plan = buildExecutionPlan(queryNode, models, ctx);
+      return executeplan(plan, adapter);
+    }
+  };
+}
+async function extractContext(authorization, auth) {
+  if (authorization === void 0 || !authorization.startsWith("Bearer ")) {
+    return { userId: null, token: null };
+  }
+  const idToken = authorization.slice("Bearer ".length);
+  try {
+    const decoded = await auth.verifyIdToken(idToken);
+    return {
+      userId: decoded.uid,
+      token: decoded
+    };
+  } catch {
+    return { userId: null, token: null };
+  }
+}
+
+// src/function.ts
+var functionsV1 = __toESM(require("firebase-functions/v1"), 1);
+var import_https = require("firebase-functions/v2/https");
+function createFunction(app, auth, options = {}) {
+  return functionsV1.https.onRequest(async (req, res) => {
+    if (options.cors) {
+      res.set("Access-Control-Allow-Origin", "*");
+      res.set("Access-Control-Allow-Methods", "POST");
+      res.set("Access-Control-Allow-Headers", "Authorization, Content-Type");
+      if (req.method === "OPTIONS") {
+        res.status(204).send("");
+        return;
+      }
+    }
+    if (req.method !== "POST") {
+      res.status(405).json({ error: "method not allowed \u2014 use POST" });
+      return;
+    }
+    const query = extractQuery(req.body);
+    if (query === null) {
+      res.status(400).json({ error: "request body must contain a 'query' string field" });
+      return;
+    }
+    const ctx = await extractContext(req.headers.authorization, auth);
+    const response = await app.execute(query, ctx);
+    res.status(200).json(response);
+  });
+}
+function createOnRequest(app, auth, options = {}) {
+  return (0, import_https.onRequest)(async (req, res) => {
+    if (options.cors) {
+      res.set("Access-Control-Allow-Origin", "*");
+      res.set("Access-Control-Allow-Methods", "POST");
+      res.set("Access-Control-Allow-Headers", "Authorization, Content-Type");
+      if (req.method === "OPTIONS") {
+        res.status(204).send("");
+        return;
+      }
+    }
+    if (req.method !== "POST") {
+      res.status(405).json({ error: "method not allowed \u2014 use POST" });
+      return;
+    }
+    const query = extractQuery(req.body);
+    if (query === null) {
+      res.status(400).json({ error: "request body must contain a 'query' string field" });
+      return;
+    }
+    const ctx = await extractContext(req.headers.authorization, auth);
+    const response = await app.execute(query, ctx);
+    res.status(200).json(response);
+  });
+}
+function extractQuery(body) {
+  if (typeof body === "string" && body.trim().length > 0) return body.trim();
+  if (typeof body === "object" && body !== null && "query" in body && typeof body["query"] === "string") {
+    return body["query"].trim();
+  }
+  return null;
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  createFunction,
+  createOnRequest,
+  createServerlessApp
+});

package/dist/index.d.cts

@@ -0,0 +1,53 @@
+import { Auth } from 'firebase-admin/auth';
+import { Firestore } from 'firebase-admin/firestore';
+import * as firebase_functions_v2_https from 'firebase-functions/v2/https';
+import * as functionsV1 from 'firebase-functions/v1';
+
+type RelationType = "one" | "many";
+interface RelationDefinition {
+    from: string;
+    to: string;
+    type: RelationType;
+}
+type ScalarType = "string" | "number" | "boolean" | "timestamp";
+interface RelationFieldDefinition {
+    relation: RelationDefinition;
+    select?: string[];
+}
+type FieldDefinition = ScalarType | RelationFieldDefinition;
+interface ModelDefinition {
+    source: FirestoreCollectionRef;
+    fields: Record<string, FieldDefinition>;
+    auth?: AuthRule;
+}
+type AuthRule = (ctx: QueryContext) => boolean;
+interface QueryContext {
+    userId: string | null;
+    token: Record<string, unknown> | null;
+}
+interface FirestoreCollectionRef {
+    readonly path: string;
+}
+type FlareResult = Record<string, unknown>;
+interface FlareResponse {
+    data: FlareResult | null;
+    errors?: string[];
+}
+
+interface ServerlessAppOptions {
+    firestore: Firestore;
+    auth: Auth;
+}
+interface ServerlessApp {
+    model(name: string, definition: ModelDefinition): void;
+    execute(query: string, ctx: QueryContext): Promise<FlareResponse>;
+}
+declare function createServerlessApp(options: ServerlessAppOptions): ServerlessApp;
+
+interface FunctionOptions {
+    cors?: boolean;
+}
+declare function createFunction(app: ServerlessApp, auth: Auth, options?: FunctionOptions): functionsV1.HttpsFunction;
+declare function createOnRequest(app: ServerlessApp, auth: Auth, options?: FunctionOptions): firebase_functions_v2_https.HttpsFunction;
+
+export { type AuthRule, type FieldDefinition, type FlareResponse, type ModelDefinition, type QueryContext, type RelationDefinition, createFunction, createOnRequest, createServerlessApp };

package/dist/index.d.ts

@@ -0,0 +1,53 @@
+import { Auth } from 'firebase-admin/auth';
+import { Firestore } from 'firebase-admin/firestore';
+import * as firebase_functions_v2_https from 'firebase-functions/v2/https';
+import * as functionsV1 from 'firebase-functions/v1';
+
+type RelationType = "one" | "many";
+interface RelationDefinition {
+    from: string;
+    to: string;
+    type: RelationType;
+}
+type ScalarType = "string" | "number" | "boolean" | "timestamp";
+interface RelationFieldDefinition {
+    relation: RelationDefinition;
+    select?: string[];
+}
+type FieldDefinition = ScalarType | RelationFieldDefinition;
+interface ModelDefinition {
+    source: FirestoreCollectionRef;
+    fields: Record<string, FieldDefinition>;
+    auth?: AuthRule;
+}
+type AuthRule = (ctx: QueryContext) => boolean;
+interface QueryContext {
+    userId: string | null;
+    token: Record<string, unknown> | null;
+}
+interface FirestoreCollectionRef {
+    readonly path: string;
+}
+type FlareResult = Record<string, unknown>;
+interface FlareResponse {
+    data: FlareResult | null;
+    errors?: string[];
+}
+
+interface ServerlessAppOptions {
+    firestore: Firestore;
+    auth: Auth;
+}
+interface ServerlessApp {
+    model(name: string, definition: ModelDefinition): void;
+    execute(query: string, ctx: QueryContext): Promise<FlareResponse>;
+}
+declare function createServerlessApp(options: ServerlessAppOptions): ServerlessApp;
+
+interface FunctionOptions {
+    cors?: boolean;
+}
+declare function createFunction(app: ServerlessApp, auth: Auth, options?: FunctionOptions): functionsV1.HttpsFunction;
+declare function createOnRequest(app: ServerlessApp, auth: Auth, options?: FunctionOptions): firebase_functions_v2_https.HttpsFunction;
+
+export { type AuthRule, type FieldDefinition, type FlareResponse, type ModelDefinition, type QueryContext, type RelationDefinition, createFunction, createOnRequest, createServerlessApp };

package/dist/index.js

@@ -0,0 +1,525 @@
+// ../core/src/parser/index.ts
+var ParseError = class extends Error {
+  constructor(message, position) {
+    super(`Parse error at ${position}: ${message}`);
+    this.position = position;
+    this.name = "ParseError";
+  }
+};
+function tokenize(input) {
+  const tokens = [];
+  let i = 0;
+  while (i < input.length) {
+    if (/\s/.test(input[i]) || input[i] === ",") {
+      i++;
+      continue;
+    }
+    if (input[i] === "#") {
+      while (i < input.length && input[i] !== "\n") i++;
+      continue;
+    }
+    if (input[i] === "{") {
+      tokens.push({ kind: "lbrace", value: "{", position: i });
+      i++;
+      continue;
+    }
+    if (input[i] === "}") {
+      tokens.push({ kind: "rbrace", value: "}", position: i });
+      i++;
+      continue;
+    }
+    if (input[i] === "(") {
+      tokens.push({ kind: "lparen", value: "(", position: i });
+      i++;
+      continue;
+    }
+    if (input[i] === ")") {
+      tokens.push({ kind: "rparen", value: ")", position: i });
+      i++;
+      continue;
+    }
+    if (input[i] === ":") {
+      tokens.push({ kind: "colon", value: ":", position: i });
+      i++;
+      continue;
+    }
+    if (input[i] === '"') {
+      const start = i;
+      i++;
+      let str = "";
+      while (i < input.length && input[i] !== '"') {
+        str += input[i];
+        i++;
+      }
+      if (i >= input.length) throw new ParseError("unterminated string literal", start);
+      i++;
+      tokens.push({ kind: "string", value: str, position: start });
+      continue;
+    }
+    if (/[a-zA-Z_]/.test(input[i])) {
+      const start = i;
+      let word = "";
+      while (i < input.length && /[a-zA-Z0-9_]/.test(input[i])) {
+        word += input[i];
+        i++;
+      }
+      tokens.push({ kind: "word", value: word, position: start });
+      continue;
+    }
+    throw new ParseError(`unexpected character '${input[i]}'`, i);
+  }
+  tokens.push({ kind: "eof", value: "", position: i });
+  return tokens;
+}
+var Parser = class {
+  constructor(tokens) {
+    this.tokens = tokens;
+    this.pos = 0;
+  }
+  peek() {
+    return this.tokens[this.pos];
+  }
+  consume(expectedKind) {
+    const token = this.tokens[this.pos];
+    if (expectedKind && token.kind !== expectedKind) {
+      throw new ParseError(`expected ${expectedKind}, got ${token.kind}`, token.position);
+    }
+    this.pos++;
+    return token;
+  }
+  consumeWord(expectedVal) {
+    const token = this.consume("word");
+    if (expectedVal !== void 0 && token.value !== expectedVal) {
+      throw new ParseError(`expected ${expectedVal}, got ${token.value}`, token.position);
+    }
+    return token;
+  }
+  parseQuery() {
+    if (this.peek().kind === "word" && this.peek().value === "query") {
+      this.consume("word");
+    }
+    this.consume("lbrace");
+    const node = this.parseModelSelection();
+    this.consume("rbrace");
+    if (this.peek().kind !== "eof") {
+      throw new ParseError("expected end of query", this.peek().position);
+    }
+    return node;
+  }
+  parseModelSelection() {
+    const modelToken = this.consumeWord();
+    const model = modelToken.value;
+    this.consume("lparen");
+    this.consumeWord("id");
+    this.consume("colon");
+    const idToken = this.consume("string");
+    this.consume("rparen");
+    this.consume("lbrace");
+    const selections = this.parseFieldList();
+    this.consume("rbrace");
+    return { model, id: idToken.value, selections };
+  }
+  parseFieldList() {
+    const fields = [];
+    while (this.peek().kind !== "rbrace" && this.peek().kind !== "eof") {
+      fields.push(this.parseField());
+    }
+    if (fields.length === 0) {
+      throw new ParseError("selection set cannot be empty", this.peek().position);
+    }
+    return fields;
+  }
+  parseField() {
+    const nameToken = this.consumeWord();
+    const name = nameToken.value;
+    if (this.peek().kind === "lbrace") {
+      this.consume("lbrace");
+      const children = this.parseFieldList();
+      this.consume("rbrace");
+      return { name, children };
+    }
+    return { name, children: [] };
+  }
+};
+function parseQuery(input) {
+  const token = tokenize(input);
+  const parse = new Parser(token);
+  return parse.parseQuery();
+}
+
+// ../core/src/planner/index.ts
+var PlanError = class extends Error {
+  constructor(message) {
+    super(`PlanError: ${message}`);
+    this.name = "PlanError";
+  }
+};
+function isRelationField(def) {
+  return typeof def === "object" && "relation" in def;
+}
+function resolveSelections(selections, model, models, ctx, allOps) {
+  const scalarMask = [];
+  const dependents = [];
+  for (const selection of selections) {
+    const fieldDef = model.fields[selection.name];
+    if (fieldDef === void 0) {
+      throw new PlanError(
+        `field '${selection.name}' does not exist on model '${model.source.path}'`
+      );
+    }
+    if (isRelationField(fieldDef)) {
+      if (selection.children.length === 0) {
+        throw new PlanError(
+          `relation field '${selection.name}' must have a selection set`
+        );
+      }
+      const dependent = planRelationField(
+        selection,
+        fieldDef,
+        models,
+        ctx,
+        allOps
+      );
+      dependents.push(dependent);
+    } else {
+      scalarMask.push(selection.name);
+    }
+  }
+  return { scalarMask, dependents };
+}
+function planRelationField(selection, fieldDef, models, ctx, allOps) {
+  const { relation, select: allowedSelects } = fieldDef;
+  const targetModel = models.get(relation.to);
+  if (targetModel === void 0) {
+    throw new PlanError(`relation target model '${relation.to}' is not registered`);
+  }
+  if (allowedSelects !== void 0) {
+    for (const child of selection.children) {
+      if (!allowedSelects.includes(child.name)) {
+        throw new PlanError(
+          `field '${child.name}' is not selectable through relation '${selection.name}'. allowed: [${allowedSelects.join(", ")}]`
+        );
+      }
+    }
+  }
+  if (targetModel.auth !== void 0 && !targetModel.auth(ctx)) {
+    throw new PlanError(`unauthorized access to relation target '${relation.to}'`);
+  }
+  const { scalarMask, dependents: nestedDependents } = resolveSelections(
+    selection.children,
+    targetModel,
+    models,
+    ctx,
+    allOps
+  );
+  const nestedRelationKeys = nestedDependents.map((d) => d.foreignKey);
+  const fieldMask = Array.from(/* @__PURE__ */ new Set([...scalarMask, ...nestedRelationKeys]));
+  let op;
+  if (relation.type === "one") {
+    const getOneOp = {
+      kind: "getOne",
+      collection: targetModel.source.path,
+      id: `$ref:${relation.from}`,
+      fieldMask,
+      dependents: nestedDependents
+    };
+    op = getOneOp;
+  } else {
+    const getManyOp = {
+      kind: "getMany",
+      collection: targetModel.source.path,
+      idsFrom: relation.from,
+      fieldMask,
+      dependents: nestedDependents
+    };
+    op = getManyOp;
+  }
+  allOps.push(op);
+  return {
+    fieldName: selection.name,
+    foreignKey: relation.from,
+    relationType: relation.type,
+    op
+  };
+}
+function planModelSelection(modelName, id, selections, models, ctx, allOps) {
+  const model = models.get(modelName);
+  if (model === void 0) {
+    throw new PlanError(`model '${modelName}' is not registered`);
+  }
+  if (model.auth !== void 0 && !model.auth(ctx)) {
+    throw new PlanError(`unauthorized access to model '${modelName}'`);
+  }
+  const { scalarMask, dependents } = resolveSelections(
+    selections,
+    model,
+    models,
+    ctx,
+    allOps
+  );
+  const relationForeignKeys = dependents.map((d) => d.foreignKey);
+  const fieldMask = Array.from(/* @__PURE__ */ new Set([...scalarMask, ...relationForeignKeys]));
+  const op = {
+    kind: "getOne",
+    collection: model.source.path,
+    id,
+    fieldMask,
+    dependents
+  };
+  allOps.push(op);
+  return op;
+}
+function buildExecutionPlan(queryNode, models, ctx) {
+  const allOps = [];
+  const rootOp = planModelSelection(
+    queryNode.model,
+    queryNode.id,
+    queryNode.selections,
+    models,
+    ctx,
+    allOps
+  );
+  return { root: rootOp, ops: allOps };
+}
+
+// ../core/src/executor/index.ts
+var ExecutionError = class extends Error {
+  constructor(message) {
+    super(`ExecutionError: ${message}`);
+    this.name = "ExecutionError";
+  }
+};
+async function resolveDependents(dependents, docData, adapter) {
+  if (dependents.length === 0) return {};
+  const resolved = await Promise.all(
+    dependents.map(async (dependent) => {
+      const value = await executeOp(dependent.op, docData, adapter);
+      return { fieldName: dependent.fieldName, value };
+    })
+  );
+  const result = {};
+  for (const { fieldName, value } of resolved) {
+    result[fieldName] = value;
+  }
+  return result;
+}
+function resolveId(id, parentDoc) {
+  if (!id.startsWith("$ref:")) return id;
+  const fieldName = id.slice("$ref:".length);
+  if (parentDoc === null) {
+    throw new ExecutionError(
+      `cannot resolve runtime ref '${id}' \u2014 no parent document available`
+    );
+  }
+  const value = parentDoc[fieldName];
+  if (typeof value !== "string") return null;
+  return value;
+}
+async function executeGetOne(op, parentDoc, adapter) {
+  const id = resolveId(op.id, parentDoc);
+  if (id === null) return null;
+  const snapshot = await adapter.getOne(op.collection, id, op.fieldMask);
+  if (!snapshot.exists) return null;
+  const docData = snapshot.data();
+  if (docData === void 0) return null;
+  const result = await resolveDependents(op.dependents, docData, adapter);
+  const foreignKeys = new Set(op.dependents.map((d) => d.foreignKey));
+  for (const [key, value] of Object.entries(docData)) {
+    if (!foreignKeys.has(key) && op.fieldMask.includes(key)) {
+      result[key] = value;
+    }
+  }
+  return result;
+}
+async function executeGetMany(op, parentDoc, adapter) {
+  if (parentDoc === null) {
+    throw new ExecutionError(
+      `getMany op for collection '${op.collection}' has no parent document`
+    );
+  }
+  const rawIds = parentDoc[op.idsFrom];
+  if (!Array.isArray(rawIds) || rawIds.length === 0) return null;
+  const ids = rawIds.filter((v) => typeof v === "string");
+  if (ids.length === 0) return null;
+  const snapshots = await adapter.getMany(op.collection, ids, op.fieldMask);
+  const results = await Promise.all(
+    snapshots.filter((snap) => snap.exists).map(async (snap) => {
+      const docData = snap.data();
+      if (docData === void 0) return null;
+      const result = await resolveDependents(op.dependents, docData, adapter);
+      const foreignKeys = new Set(op.dependents.map((d) => d.foreignKey));
+      for (const [key, value] of Object.entries(docData)) {
+        if (!foreignKeys.has(key) && op.fieldMask.includes(key)) {
+          result[key] = value;
+        }
+      }
+      return result;
+    })
+  );
+  return results.filter((r) => r !== null);
+}
+async function executeOp(op, parentDoc, adapter) {
+  if (op.kind === "getOne") {
+    return executeGetOne(op, parentDoc, adapter);
+  }
+  return executeGetMany(op, parentDoc, adapter);
+}
+async function executeplan(plan, adapter) {
+  try {
+    const data = await executeOp(plan.root, null, adapter);
+    return { data };
+  } catch (err) {
+    if (err instanceof ExecutionError) {
+      return { data: null, errors: [err.message] };
+    }
+    throw err;
+  }
+}
+
+// src/adapter.ts
+var FIRESTORE_GETALL_LIMIT = 300;
+function createFirestoreAdapter(db) {
+  return {
+    async getOne(collection, id, fieldMask) {
+      const ref = db.collection(collection).doc(id);
+      const snapshot = await ref.get();
+      return adaptSnapshot(snapshot, fieldMask);
+    },
+    async getMany(collection, ids, fieldMask) {
+      if (ids.length === 0) return [];
+      const chunks = chunkArray(ids, FIRESTORE_GETALL_LIMIT);
+      const chunkResults = await Promise.all(
+        chunks.map((chunk) => {
+          const refs = chunk.map((id) => db.collection(collection).doc(id));
+          return db.getAll(...refs, { fieldMask });
+        })
+      );
+      return chunkResults.flat().map((snap) => adaptSnapshot(snap, fieldMask));
+    }
+  };
+}
+function adaptSnapshot(snap, fieldMask) {
+  return {
+    id: snap.id,
+    exists: snap.exists,
+    data() {
+      if (!snap.exists) return void 0;
+      const raw = snap.data() ?? {};
+      const masked = {};
+      for (const field of fieldMask) {
+        if (field in raw) {
+          masked[field] = raw[field];
+        }
+      }
+      return masked;
+    }
+  };
+}
+function chunkArray(arr, size) {
+  const chunks = [];
+  for (let i = 0; i < arr.length; i += size) {
+    chunks.push(arr.slice(i, i + size));
+  }
+  return chunks;
+}
+
+// src/app.ts
+function createServerlessApp(options) {
+  const { firestore, auth: firebaseAuth } = options;
+  const models = /* @__PURE__ */ new Map();
+  const adapter = createFirestoreAdapter(firestore);
+  return {
+    model(name, definition) {
+      if (models.has(name)) {
+        throw new Error(`model '${name}' is already registered`);
+      }
+      models.set(name, definition);
+    },
+    async execute(query, ctx) {
+      const queryNode = parseQuery(query);
+      const plan = buildExecutionPlan(queryNode, models, ctx);
+      return executeplan(plan, adapter);
+    }
+  };
+}
+async function extractContext(authorization, auth) {
+  if (authorization === void 0 || !authorization.startsWith("Bearer ")) {
+    return { userId: null, token: null };
+  }
+  const idToken = authorization.slice("Bearer ".length);
+  try {
+    const decoded = await auth.verifyIdToken(idToken);
+    return {
+      userId: decoded.uid,
+      token: decoded
+    };
+  } catch {
+    return { userId: null, token: null };
+  }
+}
+
+// src/function.ts
+import * as functionsV1 from "firebase-functions/v1";
+import { onRequest } from "firebase-functions/v2/https";
+function createFunction(app, auth, options = {}) {
+  return functionsV1.https.onRequest(async (req, res) => {
+    if (options.cors) {
+      res.set("Access-Control-Allow-Origin", "*");
+      res.set("Access-Control-Allow-Methods", "POST");
+      res.set("Access-Control-Allow-Headers", "Authorization, Content-Type");
+      if (req.method === "OPTIONS") {
+        res.status(204).send("");
+        return;
+      }
+    }
+    if (req.method !== "POST") {
+      res.status(405).json({ error: "method not allowed \u2014 use POST" });
+      return;
+    }
+    const query = extractQuery(req.body);
+    if (query === null) {
+      res.status(400).json({ error: "request body must contain a 'query' string field" });
+      return;
+    }
+    const ctx = await extractContext(req.headers.authorization, auth);
+    const response = await app.execute(query, ctx);
+    res.status(200).json(response);
+  });
+}
+function createOnRequest(app, auth, options = {}) {
+  return onRequest(async (req, res) => {
+    if (options.cors) {
+      res.set("Access-Control-Allow-Origin", "*");
+      res.set("Access-Control-Allow-Methods", "POST");
+      res.set("Access-Control-Allow-Headers", "Authorization, Content-Type");
+      if (req.method === "OPTIONS") {
+        res.status(204).send("");
+        return;
+      }
+    }
+    if (req.method !== "POST") {
+      res.status(405).json({ error: "method not allowed \u2014 use POST" });
+      return;
+    }
+    const query = extractQuery(req.body);
+    if (query === null) {
+      res.status(400).json({ error: "request body must contain a 'query' string field" });
+      return;
+    }
+    const ctx = await extractContext(req.headers.authorization, auth);
+    const response = await app.execute(query, ctx);
+    res.status(200).json(response);
+  });
+}
+function extractQuery(body) {
+  if (typeof body === "string" && body.trim().length > 0) return body.trim();
+  if (typeof body === "object" && body !== null && "query" in body && typeof body["query"] === "string") {
+    return body["query"].trim();
+  }
+  return null;
+}
+export {
+  createFunction,
+  createOnRequest,
+  createServerlessApp
+};

package/package.json

@@ -0,0 +1,34 @@
+{
+  "name": "@flarequery/firebase",
+  "version": "0.1.0",
+  "private": false,
+  "type": "module",
+  "main": "./dist/index.cjs",
+  "module": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "files": [
+    "dist"
+  ],
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js",
+      "require": "./dist/index.cjs"
+    }
+  },
+  "scripts": {
+    "build": "tsup src/index.ts --format esm,cjs --dts --no-dts-resolve",
+    "test": "vitest run",
+    "typecheck": "tsc --noEmit"
+  },
+  "peerDependencies": {
+    "firebase-admin": ">=11.0.0"
+  },
+  "dependencies": {
+    "firebase-functions": "^7.0.5"
+  },
+  "devDependencies": {
+    "tsup": "^8.5.1",
+    "vitest": "^4.0.18"
+  }
+}