@prmichaelsen/firebase-admin-sdk-v8 2.4.0 → 2.5.0

package/AGENT.md

@@ -1,9 +1,9 @@
 # Agent Context Protocol (ACP)
 
-**Also Known As**: The Agent Directory Pattern  
-**Version**: 1.0.3
-**Created**: 2026-02-11  
-**Status**: Production Pattern  
+**Also Known As**: The Agent Directory Pattern
+**Version**: 1.4.3
+**Created**: 2026-02-11
+**Status**: Production Pattern
 
 ---
 
@@ -81,6 +81,14 @@ ACP solves these by:
 project-root/
 ├── AGENT.md                        # This file - ACP documentation
 ├── agent/                          # Agent directory (ACP structure)
+│   ├── commands/                   # Command system
+│   │   ├── .gitkeep
+│   │   ├── command.template.md     # Command template
+│   │   ├── acp.init.md             # @acp-init
+│   │   ├── acp.proceed.md          # @acp-proceed
+│   │   ├── acp.status.md           # @acp-status
+│   │   └── ...                     # More commands
+│   │
 │   ├── design/                     # Design documents
 │   │   ├── .gitkeep
 │   │   ├── requirements.md         # Core requirements
@@ -551,6 +559,91 @@ The Agent Pattern represents a **paradigm shift** in how we approach AI-assisted
 
 ---
 
+## ACP Commands
+
+ACP supports a command system for common workflows. Commands are file-based triggers that provide standardized, discoverable interfaces for ACP operations.
+
+### What are ACP Commands?
+
+Commands are markdown files in [`agent/commands/`](agent/commands/) that contain step-by-step instructions for AI agents. Instead of typing long prompts like "AGENT.md: Initialize", you can reference command files like `@acp.init` to trigger specific workflows.
+
+**Benefits**:
+- **Discoverable**: Browse [`agent/commands/`](agent/commands/) to see all available commands
+- **Consistent**: All commands follow the same structure
+- **Extensible**: Create custom commands for your project
+- **Self-Documenting**: Each command file contains complete documentation
+- **Autocomplete-Friendly**: Type `@acp.` to see all ACP commands
+
+### Core Commands
+
+Core ACP commands use the `acp.` prefix and are available in [`agent/commands/`](agent/commands/):
+
+- **[`@acp.init`](agent/commands/acp.init.md)** - Initialize agent context (replaces "AGENT.md: Initialize")
+- **[`@acp.proceed`](agent/commands/acp.proceed.md)** - Continue with next task (replaces "AGENT.md: Proceed")
+- **[`@acp.status`](agent/commands/acp.status.md)** - Display project status
+- **[`@acp.version-check`](agent/commands/acp.version-check.md)** - Show current ACP version
+- **[`@acp.version-check-for-updates`](agent/commands/acp.version-check-for-updates.md)** - Check for ACP updates
+- **[`@acp.version-update`](agent/commands/acp.version-update.md)** - Update ACP to latest version
+
+### Command Invocation
+
+Commands are invoked using the `@` syntax with dot notation:
+
+```
+@acp.init                    → agent/commands/acp.init.md
+@acp.proceed                 → agent/commands/acp.proceed.md
+@acp.status                  → agent/commands/acp.status.md
+@deploy.production           → agent/commands/deploy.production.md
+```
+
+**Format**: `@{namespace}.{action}` resolves to `agent/commands/{namespace}.{action}.md`
+
+### Creating Custom Commands
+
+To create custom commands for your project:
+
+1. **Choose a namespace** (e.g., `deploy`, `test`, `custom`)
+   - ⚠️ The `acp` namespace is reserved for core commands
+   - Use descriptive, single-word namespaces
+
+2. **Copy the command template**:
+   ```bash
+   cp agent/commands/command.template.md agent/commands/{namespace}.{action}.md
+   ```
+
+3. **Fill in the template sections**:
+   - Purpose and description
+   - Prerequisites
+   - Step-by-step instructions
+   - Verification checklist
+   - Examples and troubleshooting
+
+4. **Invoke your command**: `@{namespace}.{action}`
+
+**Example**: Creating a deployment command:
+```bash
+# Create the command file
+cp agent/commands/command.template.md agent/commands/deploy.production.md
+
+# Edit the file with your deployment steps
+# ...
+
+# Invoke it
+@deploy.production
+```
+
+### Command Template
+
+See [`agent/commands/command.template.md`](agent/commands/command.template.md) for the complete command template with all sections and examples.
+
+### Installing Third-Party Commands
+
+Use `@acp.install` to install command packages from git repositories (available in future release).
+
+**Security Note**: Third-party commands can instruct agents to modify files and execute scripts. Always review command files before installation.
+
+---
+
 ## Sample Prompts for Using ACP
 
 ### Initialize Prompt
@@ -782,7 +875,17 @@ Run ./agent/scripts/uninstall.sh to remove all ACP files (agent/ directory and A
    - Update percentages
    - Add recent work notes
 
-7. **NEVER handle secrets or sensitive data**
+7. **CRITICAL: Always update CHANGELOG.md for version changes**
+   - ❌ **DO NOT** commit version changes without updating CHANGELOG.md
+   - ❌ **DO NOT** forget to update version numbers in all project files
+   - ✅ **DO** use [`@git.commit`](agent/commands/git.commit.md) for version-aware commits
+   - ✅ **DO** detect version impact: major (breaking), minor (features), patch (fixes)
+   - ✅ **DO** update CHANGELOG.md with clear, user-focused descriptions
+   - ✅ **DO** update all version files (package.json, AGENT.md, etc.)
+   - ✅ **DO** use Conventional Commits format for commit messages
+   - **Rationale**: CHANGELOG.md is the primary communication tool for users. Every version change must be documented with clear descriptions of what changed, why it changed, and how it affects users. Forgetting to update CHANGELOG.md breaks the project's version history and makes it impossible for users to understand what changed between versions.
+
+8. **NEVER handle secrets or sensitive data**
    - ❌ **DO NOT** read `.env` files, `.env.local`, or any environment files
    - ❌ **DO NOT** read files containing API keys, tokens, passwords, or credentials
    - ❌ **DO NOT** include secrets in messages, documentation, or code examples
@@ -793,6 +896,14 @@ Run ./agent/scripts/uninstall.sh to remove all ACP files (agent/ directory and A
    - ✅ **DO** create `.env.example` files with placeholder values only
    - **Rationale**: Secrets must never be exposed in chat logs, documentation, or version control. Agents should treat all credential files as off-limits to prevent accidental exposure.
 
+9. **CRITICAL: Respect user's intentional file edits**
+   - ❌ **DO NOT** assume missing content needs to be added back
+   - ❌ **DO NOT** revert changes without confirming with user
+   - ✅ **DO** read files before editing to see current state
+   - ✅ **DO** ask user if unexpected changes were intentional
+   - ✅ **DO** confirm before reverting user's manual edits
+   - **Rationale**: If you read a file and it is missing contents or has changed contents (i.e., it does not contain what you expect), assume or confirm with the user if they made intentional updates that you should not revert. Do not assume "The file is missing <xyz>, I need to add it back". The user may have edited files manually with intention.
+
 ---
 
 ## Best Practices
@@ -882,7 +993,7 @@ This repository is actively maintained with improvements to the ACP methodology
 ./agent/scripts/update.sh
 
 # Or download and run directly
-curl -fsSL https://raw.githubusercontent.com/prmichaelsen/agent-context-protocol/mainlin./agent/scripts/update.sh | bash
+curl -fsSL https://raw.githubusercontent.com/prmichaelsen/agent-context-protocol/mainline/agent/scripts/update.sh | bash
 ```
 
 The update script will:

package/CHANGELOG.md

@@ -7,6 +7,31 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [2.5.0] - 2026-02-19
+
+### Added
+- **User Management APIs**: Complete user management functionality via Firebase Identity Toolkit REST API
+  - `getUserByEmail()` - Look up users by email address
+  - `getUserByUid()` - Look up users by UID
+  - `createUser()` - Create new Firebase users with email, password, display name, etc.
+  - `updateUser()` - Update existing user properties (email, password, display name, photo URL, etc.)
+  - `deleteUser()` - Delete Firebase users
+  - `listUsers()` - List all users with pagination support (up to 1000 per page)
+  - `setCustomUserClaims()` - Set custom claims for role-based access control
+- New type definitions: `UserRecord`, `CreateUserRequest`, `UpdateUserRequest`, `ListUsersResult`
+- 30 comprehensive unit tests for user management (91.66% coverage)
+- 18 E2E tests for user management (complete lifecycle testing)
+- Complete user management documentation in README with examples
+- Feature comparison table updated to show user management support
+
+### Changed
+- Total unit tests increased from 433 to 463 (+30 tests)
+- Total E2E tests increased from 105 to 123 (+18 tests)
+- Updated feature list to include user management
+
+### Notes
+- `listUsers()` E2E tests are skipped as the REST API endpoint availability varies by Firebase project configuration
+
 ## [2.4.0] - 2026-02-15
 
 ### Added

package/README.md

@@ -16,6 +16,7 @@ This library provides Firebase Admin SDK functionality for Cloudflare Workers an
 - ✅ **JWT Token Generation** - Service account authentication
 - ✅ **ID Token Verification** - Verify Firebase ID tokens (supports v9 and v10 formats)
 - ✅ **Session Cookies** - Create and verify long-lived session cookies (up to 14 days)
+- ✅ **User Management** - Create, read, update, delete users via Admin API
 - ✅ **Firebase v10 Compatible** - Supports both old and new token issuer formats
 - ✅ **Firestore REST API** - Full CRUD operations via REST
 - ✅ **Field Value Operations** - increment, arrayUnion, arrayRemove, serverTimestamp, delete
@@ -173,6 +174,97 @@ const user = await getUserFromToken(idToken);
 // Returns: { uid, email, emailVerified, displayName, photoURL }
 ```
 
+### User Management
+
+#### `getUserByEmail(email: string): Promise<UserRecord | null>`
+
+Look up a Firebase user by email address.
+
+```typescript
+const user = await getUserByEmail('user@example.com');
+if (user) {
+  console.log('User ID:', user.uid);
+  console.log('Email verified:', user.emailVerified);
+}
+```
+
+#### `getUserByUid(uid: string): Promise<UserRecord | null>`
+
+Look up a Firebase user by UID.
+
+```typescript
+const user = await getUserByUid('user123');
+if (user) {
+  console.log('Email:', user.email);
+  console.log('Display name:', user.displayName);
+}
+```
+
+#### `createUser(properties: CreateUserRequest): Promise<UserRecord>`
+
+Create a new Firebase user.
+
+```typescript
+const newUser = await createUser({
+  email: 'newuser@example.com',
+  password: 'securePassword123',
+  displayName: 'New User',
+  emailVerified: false,
+});
+console.log('Created user:', newUser.uid);
+```
+
+#### `updateUser(uid: string, properties: UpdateUserRequest): Promise<UserRecord>`
+
+Update an existing Firebase user.
+
+```typescript
+const updatedUser = await updateUser('user123', {
+  displayName: 'Updated Name',
+  photoURL: 'https://example.com/photo.jpg',
+  emailVerified: true,
+});
+```
+
+#### `deleteUser(uid: string): Promise<void>`
+
+Delete a Firebase user.
+
+```typescript
+await deleteUser('user123');
+```
+
+#### `listUsers(maxResults?: number, pageToken?: string): Promise<ListUsersResult>`
+
+List all users with pagination.
+
+```typescript
+// List first 100 users
+const result = await listUsers(100);
+console.log('Users:', result.users.length);
+
+// Get next page
+if (result.pageToken) {
+  const nextPage = await listUsers(100, result.pageToken);
+}
+```
+
+#### `setCustomUserClaims(uid: string, customClaims: Record<string, any> | null): Promise<void>`
+
+Set custom claims on a user's ID token for role-based access control.
+
+```typescript
+// Set custom claims
+await setCustomUserClaims('user123', {
+  role: 'admin',
+  premium: true,
+  permissions: ['read', 'write', 'delete'],
+});
+
+// Clear custom claims
+await setCustomUserClaims('user123', null);
+```
+
 ### Firestore - Basic Operations
 
 #### `setDocument(collectionPath, documentId, data, options?): Promise<void>`
@@ -619,7 +711,7 @@ For better query performance:
 | ID Token Verification | ✅ | Supports v9 and v10 token formats |
 | Custom Token Creation | ✅ | createCustomToken() |
 | Custom Token Exchange | ✅ | signInWithCustomToken() |
-| User Management | ❌ | Not yet implemented |
+| User Management | ✅ | Create, read, update, delete, list users |
 | Firestore CRUD | ✅ | Full support |
 | Firestore Queries | ✅ | where, orderBy, limit, cursors |
 | Firestore Batch | ✅ | Up to 500 operations |

package/dist/index.d.mts

@@ -183,6 +183,81 @@ interface BatchWriteResult {
         updateTime: string;
     }>;
 }
+/**
+ * Firebase user record
+ */
+interface UserRecord {
+    /** User's unique ID */
+    uid: string;
+    /** User's email address */
+    email?: string;
+    /** Whether the email is verified */
+    emailVerified: boolean;
+    /** User's display name */
+    displayName?: string;
+    /** User's photo URL */
+    photoURL?: string;
+    /** User's phone number */
+    phoneNumber?: string;
+    /** Whether the user is disabled */
+    disabled: boolean;
+    /** User metadata (creation and last sign-in times) */
+    metadata: {
+        creationTime: string;
+        lastSignInTime: string;
+    };
+    /** Provider-specific user information */
+    providerData: UserInfo[];
+    /** Custom claims set on the user */
+    customClaims?: Record<string, any>;
+}
+/**
+ * Request to create a new user
+ */
+interface CreateUserRequest {
+    /** User's email address */
+    email?: string;
+    /** Whether the email should be marked as verified */
+    emailVerified?: boolean;
+    /** User's phone number */
+    phoneNumber?: string;
+    /** User's password */
+    password?: string;
+    /** User's display name */
+    displayName?: string;
+    /** User's photo URL */
+    photoURL?: string;
+    /** Whether the user should be disabled */
+    disabled?: boolean;
+}
+/**
+ * Request to update an existing user
+ */
+interface UpdateUserRequest {
+    /** User's email address */
+    email?: string;
+    /** Whether the email should be marked as verified */
+    emailVerified?: boolean;
+    /** User's phone number */
+    phoneNumber?: string;
+    /** User's password */
+    password?: string;
+    /** User's display name */
+    displayName?: string;
+    /** User's photo URL */
+    photoURL?: string;
+    /** Whether the user should be disabled */
+    disabled?: boolean;
+}
+/**
+ * Result of listing users
+ */
+interface ListUsersResult {
+    /** Array of user records */
+    users: UserRecord[];
+    /** Token for fetching the next page (if available) */
+    pageToken?: string;
+}
 
 /**
  * Firebase Admin SDK v8 - Configuration
@@ -395,6 +470,55 @@ declare function verifySessionCookie(sessionCookie: string, checkRevoked?: boole
  */
 declare function getAuth(): any;
 
+/**
+ * Firebase User Management APIs
+ * Provides user management operations using Firebase Identity Toolkit REST API
+ */
+
+/**
+ * Look up a Firebase user by email address
+ * @param email - User's email address
+ * @returns User record or null if not found
+ */
+declare function getUserByEmail(email: string): Promise<UserRecord | null>;
+/**
+ * Look up a Firebase user by UID
+ * @param uid - User's unique ID
+ * @returns User record or null if not found
+ */
+declare function getUserByUid(uid: string): Promise<UserRecord | null>;
+/**
+ * Create a new Firebase user
+ * @param properties - User properties (email, password, displayName, etc.)
+ * @returns Created user record
+ */
+declare function createUser(properties: CreateUserRequest): Promise<UserRecord>;
+/**
+ * Update an existing Firebase user
+ * @param uid - User's unique ID
+ * @param properties - Properties to update (email, password, displayName, etc.)
+ * @returns Updated user record
+ */
+declare function updateUser(uid: string, properties: UpdateUserRequest): Promise<UserRecord>;
+/**
+ * Delete a Firebase user
+ * @param uid - User's unique ID
+ */
+declare function deleteUser(uid: string): Promise<void>;
+/**
+ * List all users with pagination
+ * @param maxResults - Maximum number of users to return (default: 1000, max: 1000)
+ * @param pageToken - Token for next page
+ * @returns List of users and next page token
+ */
+declare function listUsers(maxResults?: number, pageToken?: string): Promise<ListUsersResult>;
+/**
+ * Set custom claims on a user's ID token
+ * @param uid - User's unique ID
+ * @param customClaims - Custom claims object (max 1000 bytes when serialized)
+ */
+declare function setCustomUserClaims(uid: string, customClaims: Record<string, any> | null): Promise<void>;
+
 /**
  * Firebase Admin SDK v8 - Firestore CRUD Operations
  * All Firestore document operations using REST API
@@ -979,4 +1103,4 @@ declare function getAdminAccessToken(): Promise<string>;
  */
 declare function clearTokenCache(): void;
 
-export { type BatchWrite, type BatchWriteResult, type CustomClaims, type CustomTokenSignInResponse, type DataObject, type DecodedIdToken, type DocumentReference, type DownloadOptions, FieldValue, type FieldValue$1 as FieldValueSentinel, FieldValueType, type FileMetadata, type FirestoreDocument, type FirestoreValue, type ListFilesResult, type ListOptions, type QueryFilter, type QueryOptions, type QueryOrder, type ResumableUploadOptions, type ServiceAccount, type SessionCookieOptions, type SetOptions, type SignedUrlOptions, type TokenResponse, type UpdateOptions, type UploadOptions, type UserInfo, type WhereFilterOp, addDocument, batchWrite, clearConfig, clearTokenCache, countDocuments, createCustomToken, createSessionCookie, deleteDocument, deleteFile, downloadFile, fileExists, generateSignedUrl, getAdminAccessToken, getAuth, getConfig, getDocument, getFileMetadata, getProjectId, getServiceAccount, getUserFromToken, initializeApp, iterateCollection, listDocuments, listFiles, queryDocuments, setDocument, signInWithCustomToken, updateDocument, uploadFile, uploadFileResumable, verifyIdToken, verifySessionCookie };
+export { type BatchWrite, type BatchWriteResult, type CreateUserRequest, type CustomClaims, type CustomTokenSignInResponse, type DataObject, type DecodedIdToken, type DocumentReference, type DownloadOptions, FieldValue, type FieldValue$1 as FieldValueSentinel, FieldValueType, type FileMetadata, type FirestoreDocument, type FirestoreValue, type ListFilesResult, type ListOptions, type ListUsersResult, type QueryFilter, type QueryOptions, type QueryOrder, type ResumableUploadOptions, type ServiceAccount, type SessionCookieOptions, type SetOptions, type SignedUrlOptions, type TokenResponse, type UpdateOptions, type UpdateUserRequest, type UploadOptions, type UserInfo, type UserRecord, type WhereFilterOp, addDocument, batchWrite, clearConfig, clearTokenCache, countDocuments, createCustomToken, createSessionCookie, createUser, deleteDocument, deleteFile, deleteUser, downloadFile, fileExists, generateSignedUrl, getAdminAccessToken, getAuth, getConfig, getDocument, getFileMetadata, getProjectId, getServiceAccount, getUserByEmail, getUserByUid, getUserFromToken, initializeApp, iterateCollection, listDocuments, listFiles, listUsers, queryDocuments, setCustomUserClaims, setDocument, signInWithCustomToken, updateDocument, updateUser, uploadFile, uploadFileResumable, verifyIdToken, verifySessionCookie };

package/dist/index.d.ts

@@ -183,6 +183,81 @@ interface BatchWriteResult {
         updateTime: string;
     }>;
 }
+/**
+ * Firebase user record
+ */
+interface UserRecord {
+    /** User's unique ID */
+    uid: string;
+    /** User's email address */
+    email?: string;
+    /** Whether the email is verified */
+    emailVerified: boolean;
+    /** User's display name */
+    displayName?: string;
+    /** User's photo URL */
+    photoURL?: string;
+    /** User's phone number */
+    phoneNumber?: string;
+    /** Whether the user is disabled */
+    disabled: boolean;
+    /** User metadata (creation and last sign-in times) */
+    metadata: {
+        creationTime: string;
+        lastSignInTime: string;
+    };
+    /** Provider-specific user information */
+    providerData: UserInfo[];
+    /** Custom claims set on the user */
+    customClaims?: Record<string, any>;
+}
+/**
+ * Request to create a new user
+ */
+interface CreateUserRequest {
+    /** User's email address */
+    email?: string;
+    /** Whether the email should be marked as verified */
+    emailVerified?: boolean;
+    /** User's phone number */
+    phoneNumber?: string;
+    /** User's password */
+    password?: string;
+    /** User's display name */
+    displayName?: string;
+    /** User's photo URL */
+    photoURL?: string;
+    /** Whether the user should be disabled */
+    disabled?: boolean;
+}
+/**
+ * Request to update an existing user
+ */
+interface UpdateUserRequest {
+    /** User's email address */
+    email?: string;
+    /** Whether the email should be marked as verified */
+    emailVerified?: boolean;
+    /** User's phone number */
+    phoneNumber?: string;
+    /** User's password */
+    password?: string;
+    /** User's display name */
+    displayName?: string;
+    /** User's photo URL */
+    photoURL?: string;
+    /** Whether the user should be disabled */
+    disabled?: boolean;
+}
+/**
+ * Result of listing users
+ */
+interface ListUsersResult {
+    /** Array of user records */
+    users: UserRecord[];
+    /** Token for fetching the next page (if available) */
+    pageToken?: string;
+}
 
 /**
  * Firebase Admin SDK v8 - Configuration
@@ -395,6 +470,55 @@ declare function verifySessionCookie(sessionCookie: string, checkRevoked?: boole
  */
 declare function getAuth(): any;
 
+/**
+ * Firebase User Management APIs
+ * Provides user management operations using Firebase Identity Toolkit REST API
+ */
+
+/**
+ * Look up a Firebase user by email address
+ * @param email - User's email address
+ * @returns User record or null if not found
+ */
+declare function getUserByEmail(email: string): Promise<UserRecord | null>;
+/**
+ * Look up a Firebase user by UID
+ * @param uid - User's unique ID
+ * @returns User record or null if not found
+ */
+declare function getUserByUid(uid: string): Promise<UserRecord | null>;
+/**
+ * Create a new Firebase user
+ * @param properties - User properties (email, password, displayName, etc.)
+ * @returns Created user record
+ */
+declare function createUser(properties: CreateUserRequest): Promise<UserRecord>;
+/**
+ * Update an existing Firebase user
+ * @param uid - User's unique ID
+ * @param properties - Properties to update (email, password, displayName, etc.)
+ * @returns Updated user record
+ */
+declare function updateUser(uid: string, properties: UpdateUserRequest): Promise<UserRecord>;
+/**
+ * Delete a Firebase user
+ * @param uid - User's unique ID
+ */
+declare function deleteUser(uid: string): Promise<void>;
+/**
+ * List all users with pagination
+ * @param maxResults - Maximum number of users to return (default: 1000, max: 1000)
+ * @param pageToken - Token for next page
+ * @returns List of users and next page token
+ */
+declare function listUsers(maxResults?: number, pageToken?: string): Promise<ListUsersResult>;
+/**
+ * Set custom claims on a user's ID token
+ * @param uid - User's unique ID
+ * @param customClaims - Custom claims object (max 1000 bytes when serialized)
+ */
+declare function setCustomUserClaims(uid: string, customClaims: Record<string, any> | null): Promise<void>;
+
 /**
  * Firebase Admin SDK v8 - Firestore CRUD Operations
  * All Firestore document operations using REST API
@@ -979,4 +1103,4 @@ declare function getAdminAccessToken(): Promise<string>;
  */
 declare function clearTokenCache(): void;
 
-export { type BatchWrite, type BatchWriteResult, type CustomClaims, type CustomTokenSignInResponse, type DataObject, type DecodedIdToken, type DocumentReference, type DownloadOptions, FieldValue, type FieldValue$1 as FieldValueSentinel, FieldValueType, type FileMetadata, type FirestoreDocument, type FirestoreValue, type ListFilesResult, type ListOptions, type QueryFilter, type QueryOptions, type QueryOrder, type ResumableUploadOptions, type ServiceAccount, type SessionCookieOptions, type SetOptions, type SignedUrlOptions, type TokenResponse, type UpdateOptions, type UploadOptions, type UserInfo, type WhereFilterOp, addDocument, batchWrite, clearConfig, clearTokenCache, countDocuments, createCustomToken, createSessionCookie, deleteDocument, deleteFile, downloadFile, fileExists, generateSignedUrl, getAdminAccessToken, getAuth, getConfig, getDocument, getFileMetadata, getProjectId, getServiceAccount, getUserFromToken, initializeApp, iterateCollection, listDocuments, listFiles, queryDocuments, setDocument, signInWithCustomToken, updateDocument, uploadFile, uploadFileResumable, verifyIdToken, verifySessionCookie };
+export { type BatchWrite, type BatchWriteResult, type CreateUserRequest, type CustomClaims, type CustomTokenSignInResponse, type DataObject, type DecodedIdToken, type DocumentReference, type DownloadOptions, FieldValue, type FieldValue$1 as FieldValueSentinel, FieldValueType, type FileMetadata, type FirestoreDocument, type FirestoreValue, type ListFilesResult, type ListOptions, type ListUsersResult, type QueryFilter, type QueryOptions, type QueryOrder, type ResumableUploadOptions, type ServiceAccount, type SessionCookieOptions, type SetOptions, type SignedUrlOptions, type TokenResponse, type UpdateOptions, type UpdateUserRequest, type UploadOptions, type UserInfo, type UserRecord, type WhereFilterOp, addDocument, batchWrite, clearConfig, clearTokenCache, countDocuments, createCustomToken, createSessionCookie, createUser, deleteDocument, deleteFile, deleteUser, downloadFile, fileExists, generateSignedUrl, getAdminAccessToken, getAuth, getConfig, getDocument, getFileMetadata, getProjectId, getServiceAccount, getUserByEmail, getUserByUid, getUserFromToken, initializeApp, iterateCollection, listDocuments, listFiles, listUsers, queryDocuments, setCustomUserClaims, setDocument, signInWithCustomToken, updateDocument, updateUser, uploadFile, uploadFileResumable, verifyIdToken, verifySessionCookie };

package/dist/index.js

@@ -208,8 +208,10 @@ __export(index_exports, {
   countDocuments: () => countDocuments,
   createCustomToken: () => createCustomToken,
   createSessionCookie: () => createSessionCookie,
+  createUser: () => createUser,
   deleteDocument: () => deleteDocument,
   deleteFile: () => deleteFile,
+  deleteUser: () => deleteUser,
   downloadFile: () => downloadFile,
   fileExists: () => fileExists,
   generateSignedUrl: () => generateSignedUrl,
@@ -220,15 +222,20 @@ __export(index_exports, {
   getFileMetadata: () => getFileMetadata,
   getProjectId: () => getProjectId,
   getServiceAccount: () => getServiceAccount,
+  getUserByEmail: () => getUserByEmail,
+  getUserByUid: () => getUserByUid,
   getUserFromToken: () => getUserFromToken,
   initializeApp: () => initializeApp,
   iterateCollection: () => iterateCollection,
   listDocuments: () => listDocuments,
   listFiles: () => listFiles,
+  listUsers: () => listUsers,
   queryDocuments: () => queryDocuments,
+  setCustomUserClaims: () => setCustomUserClaims,
   setDocument: () => setDocument,
   signInWithCustomToken: () => signInWithCustomToken,
   updateDocument: () => updateDocument,
+  updateUser: () => updateUser,
   uploadFile: () => uploadFile,
   uploadFileResumable: () => uploadFileResumable,
   verifyIdToken: () => verifyIdToken,
@@ -330,23 +337,41 @@ async function importPublicKeyFromX509(pem) {
 }
 
 // src/auth.ts
-var publicKeysCache = null;
-var publicKeysCacheExpiry = 0;
+var idTokenKeysCache = null;
+var idTokenKeysCacheExpiry = 0;
+var sessionKeysCache = null;
+var sessionKeysCacheExpiry = 0;
 async function fetchPublicKeys(issuer) {
-  let endpoint = "https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com";
-  if (issuer && issuer.includes("session.firebase.google.com")) {
+  const isSessionCookie = issuer && issuer.includes("session.firebase.google.com");
+  let endpoint;
+  let cache;
+  let cacheExpiry;
+  if (isSessionCookie) {
     endpoint = "https://www.googleapis.com/identitytoolkit/v3/relyingparty/publicKeys";
+    cache = sessionKeysCache;
+    cacheExpiry = sessionKeysCacheExpiry;
+  } else {
+    endpoint = "https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com";
+    cache = idTokenKeysCache;
+    cacheExpiry = idTokenKeysCacheExpiry;
   }
-  if (publicKeysCache && Date.now() < publicKeysCacheExpiry) {
-    return publicKeysCache;
+  if (cache && Date.now() < cacheExpiry) {
+    return cache;
   }
   const response = await fetch(endpoint);
   if (!response.ok) {
     throw new Error(`Failed to fetch Firebase public keys from ${endpoint}`);
   }
-  publicKeysCache = await response.json();
-  publicKeysCacheExpiry = Date.now() + 36e5;
-  return publicKeysCache;
+  const keys = await response.json();
+  const newExpiry = Date.now() + 36e5;
+  if (isSessionCookie) {
+    sessionKeysCache = keys;
+    sessionKeysCacheExpiry = newExpiry;
+  } else {
+    idTokenKeysCache = keys;
+    idTokenKeysCacheExpiry = newExpiry;
+  }
+  return keys;
 }
 function base64UrlDecode(str) {
   let base64 = str.replace(/-/g, "+").replace(/_/g, "/");
@@ -421,8 +446,14 @@ async function verifyIdToken(idToken) {
     let publicKeys = await fetchPublicKeys(payload.iss);
     let publicKeyPem = publicKeys[header.kid];
     if (!publicKeyPem) {
-      publicKeysCache = null;
-      publicKeysCacheExpiry = 0;
+      const isSessionCookie = payload.iss && payload.iss.includes("session.firebase.google.com");
+      if (isSessionCookie) {
+        sessionKeysCache = null;
+        sessionKeysCacheExpiry = 0;
+      } else {
+        idTokenKeysCache = null;
+        idTokenKeysCacheExpiry = 0;
+      }
       publicKeys = await fetchPublicKeys(payload.iss);
       publicKeyPem = publicKeys[header.kid];
       if (!publicKeyPem) {
@@ -692,6 +723,233 @@ function getAuth() {
   };
 }
 
+// src/user-management.ts
+init_token_generation();
+init_service_account();
+var IDENTITY_TOOLKIT_API = "https://identitytoolkit.googleapis.com/v1";
+function convertToUserRecord(user) {
+  return {
+    uid: user.localId,
+    email: user.email || void 0,
+    emailVerified: user.emailVerified || false,
+    displayName: user.displayName || void 0,
+    photoURL: user.photoUrl || void 0,
+    phoneNumber: user.phoneNumber || void 0,
+    disabled: user.disabled || false,
+    metadata: {
+      creationTime: user.createdAt ? new Date(parseInt(user.createdAt)).toISOString() : (/* @__PURE__ */ new Date()).toISOString(),
+      lastSignInTime: user.lastLoginAt ? new Date(parseInt(user.lastLoginAt)).toISOString() : (/* @__PURE__ */ new Date()).toISOString()
+    },
+    providerData: user.providerUserInfo || [],
+    customClaims: user.customAttributes ? JSON.parse(user.customAttributes) : void 0
+  };
+}
+async function getUserByEmail(email) {
+  if (!email || typeof email !== "string") {
+    throw new Error("email must be a non-empty string");
+  }
+  const projectId = getProjectId();
+  const accessToken = await getAdminAccessToken();
+  const response = await fetch(
+    `${IDENTITY_TOOLKIT_API}/projects/${projectId}/accounts:lookup`,
+    {
+      method: "POST",
+      headers: {
+        "Authorization": `Bearer ${accessToken}`,
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({ email: [email] })
+    }
+  );
+  if (!response.ok) {
+    const errorText = await response.text();
+    throw new Error(`Failed to get user by email: ${response.status} ${errorText}`);
+  }
+  const data = await response.json();
+  if (!data.users || data.users.length === 0) {
+    return null;
+  }
+  return convertToUserRecord(data.users[0]);
+}
+async function getUserByUid(uid) {
+  if (!uid || typeof uid !== "string") {
+    throw new Error("uid must be a non-empty string");
+  }
+  const projectId = getProjectId();
+  const accessToken = await getAdminAccessToken();
+  const response = await fetch(
+    `${IDENTITY_TOOLKIT_API}/projects/${projectId}/accounts:lookup`,
+    {
+      method: "POST",
+      headers: {
+        "Authorization": `Bearer ${accessToken}`,
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({ localId: [uid] })
+    }
+  );
+  if (!response.ok) {
+    const errorText = await response.text();
+    throw new Error(`Failed to get user by UID: ${response.status} ${errorText}`);
+  }
+  const data = await response.json();
+  if (!data.users || data.users.length === 0) {
+    return null;
+  }
+  return convertToUserRecord(data.users[0]);
+}
+async function createUser(properties) {
+  if (!properties || typeof properties !== "object") {
+    throw new Error("properties must be an object");
+  }
+  const projectId = getProjectId();
+  const accessToken = await getAdminAccessToken();
+  const requestBody = {};
+  if (properties.email) requestBody.email = properties.email;
+  if (properties.password) requestBody.password = properties.password;
+  if (properties.displayName) requestBody.displayName = properties.displayName;
+  if (properties.photoURL) requestBody.photoUrl = properties.photoURL;
+  if (properties.phoneNumber) requestBody.phoneNumber = properties.phoneNumber;
+  if (typeof properties.emailVerified === "boolean") requestBody.emailVerified = properties.emailVerified;
+  if (typeof properties.disabled === "boolean") requestBody.disabled = properties.disabled;
+  const response = await fetch(
+    `${IDENTITY_TOOLKIT_API}/projects/${projectId}/accounts`,
+    {
+      method: "POST",
+      headers: {
+        "Authorization": `Bearer ${accessToken}`,
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify(requestBody)
+    }
+  );
+  if (!response.ok) {
+    const errorText = await response.text();
+    throw new Error(`Failed to create user: ${response.status} ${errorText}`);
+  }
+  const data = await response.json();
+  return getUserByUid(data.localId);
+}
+async function updateUser(uid, properties) {
+  if (!uid || typeof uid !== "string") {
+    throw new Error("uid must be a non-empty string");
+  }
+  if (!properties || typeof properties !== "object") {
+    throw new Error("properties must be an object");
+  }
+  const projectId = getProjectId();
+  const accessToken = await getAdminAccessToken();
+  const requestBody = { localId: uid };
+  if (properties.email) requestBody.email = properties.email;
+  if (properties.password) requestBody.password = properties.password;
+  if (properties.displayName !== void 0) requestBody.displayName = properties.displayName;
+  if (properties.photoURL !== void 0) requestBody.photoUrl = properties.photoURL;
+  if (properties.phoneNumber !== void 0) requestBody.phoneNumber = properties.phoneNumber;
+  if (typeof properties.emailVerified === "boolean") requestBody.emailVerified = properties.emailVerified;
+  if (typeof properties.disabled === "boolean") requestBody.disableUser = properties.disabled;
+  const response = await fetch(
+    `${IDENTITY_TOOLKIT_API}/projects/${projectId}/accounts:update`,
+    {
+      method: "POST",
+      headers: {
+        "Authorization": `Bearer ${accessToken}`,
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify(requestBody)
+    }
+  );
+  if (!response.ok) {
+    const errorText = await response.text();
+    throw new Error(`Failed to update user: ${response.status} ${errorText}`);
+  }
+  return getUserByUid(uid);
+}
+async function deleteUser(uid) {
+  if (!uid || typeof uid !== "string") {
+    throw new Error("uid must be a non-empty string");
+  }
+  const projectId = getProjectId();
+  const accessToken = await getAdminAccessToken();
+  const response = await fetch(
+    `${IDENTITY_TOOLKIT_API}/projects/${projectId}/accounts:delete`,
+    {
+      method: "POST",
+      headers: {
+        "Authorization": `Bearer ${accessToken}`,
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({ localId: uid })
+    }
+  );
+  if (!response.ok) {
+    const errorText = await response.text();
+    throw new Error(`Failed to delete user: ${response.status} ${errorText}`);
+  }
+}
+async function listUsers(maxResults = 1e3, pageToken) {
+  if (typeof maxResults !== "number" || maxResults < 1 || maxResults > 1e3) {
+    throw new Error("maxResults must be a number between 1 and 1000");
+  }
+  const projectId = getProjectId();
+  const accessToken = await getAdminAccessToken();
+  const params = new URLSearchParams({
+    maxResults: maxResults.toString()
+  });
+  if (pageToken) {
+    params.append("nextPageToken", pageToken);
+  }
+  const response = await fetch(
+    `${IDENTITY_TOOLKIT_API}/projects/${projectId}/accounts:query?${params.toString()}`,
+    {
+      method: "GET",
+      headers: {
+        "Authorization": `Bearer ${accessToken}`
+      }
+    }
+  );
+  if (!response.ok) {
+    const errorText = await response.text();
+    throw new Error(`Failed to list users: ${response.status} ${errorText}`);
+  }
+  const data = await response.json();
+  return {
+    users: (data.users || []).map(convertToUserRecord),
+    pageToken: data.nextPageToken
+  };
+}
+async function setCustomUserClaims(uid, customClaims) {
+  if (!uid || typeof uid !== "string") {
+    throw new Error("uid must be a non-empty string");
+  }
+  if (customClaims !== null) {
+    const serialized = JSON.stringify(customClaims);
+    if (new TextEncoder().encode(serialized).length > 1e3) {
+      throw new Error("customClaims must be less than 1000 bytes when serialized");
+    }
+  }
+  const projectId = getProjectId();
+  const accessToken = await getAdminAccessToken();
+  const requestBody = {
+    localId: uid,
+    customAttributes: customClaims ? JSON.stringify(customClaims) : "{}"
+  };
+  const response = await fetch(
+    `${IDENTITY_TOOLKIT_API}/projects/${projectId}/accounts:update`,
+    {
+      method: "POST",
+      headers: {
+        "Authorization": `Bearer ${accessToken}`,
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify(requestBody)
+    }
+  );
+  if (!response.ok) {
+    const errorText = await response.text();
+    throw new Error(`Failed to set custom claims: ${response.status} ${errorText}`);
+  }
+}
+
 // src/field-value.ts
 function serverTimestamp() {
   return {
@@ -1872,8 +2130,10 @@ init_service_account();
   countDocuments,
   createCustomToken,
   createSessionCookie,
+  createUser,
   deleteDocument,
   deleteFile,
+  deleteUser,
   downloadFile,
   fileExists,
   generateSignedUrl,
@@ -1884,15 +2144,20 @@ init_service_account();
   getFileMetadata,
   getProjectId,
   getServiceAccount,
+  getUserByEmail,
+  getUserByUid,
   getUserFromToken,
   initializeApp,
   iterateCollection,
   listDocuments,
   listFiles,
+  listUsers,
   queryDocuments,
+  setCustomUserClaims,
   setDocument,
   signInWithCustomToken,
   updateDocument,
+  updateUser,
   uploadFile,
   uploadFileResumable,
   verifyIdToken,

package/dist/index.mjs

@@ -98,23 +98,41 @@ async function importPublicKeyFromX509(pem) {
 }
 
 // src/auth.ts
-var publicKeysCache = null;
-var publicKeysCacheExpiry = 0;
+var idTokenKeysCache = null;
+var idTokenKeysCacheExpiry = 0;
+var sessionKeysCache = null;
+var sessionKeysCacheExpiry = 0;
 async function fetchPublicKeys(issuer) {
-  let endpoint = "https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com";
-  if (issuer && issuer.includes("session.firebase.google.com")) {
+  const isSessionCookie = issuer && issuer.includes("session.firebase.google.com");
+  let endpoint;
+  let cache;
+  let cacheExpiry;
+  if (isSessionCookie) {
     endpoint = "https://www.googleapis.com/identitytoolkit/v3/relyingparty/publicKeys";
+    cache = sessionKeysCache;
+    cacheExpiry = sessionKeysCacheExpiry;
+  } else {
+    endpoint = "https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com";
+    cache = idTokenKeysCache;
+    cacheExpiry = idTokenKeysCacheExpiry;
   }
-  if (publicKeysCache && Date.now() < publicKeysCacheExpiry) {
-    return publicKeysCache;
+  if (cache && Date.now() < cacheExpiry) {
+    return cache;
   }
   const response = await fetch(endpoint);
   if (!response.ok) {
     throw new Error(`Failed to fetch Firebase public keys from ${endpoint}`);
   }
-  publicKeysCache = await response.json();
-  publicKeysCacheExpiry = Date.now() + 36e5;
-  return publicKeysCache;
+  const keys = await response.json();
+  const newExpiry = Date.now() + 36e5;
+  if (isSessionCookie) {
+    sessionKeysCache = keys;
+    sessionKeysCacheExpiry = newExpiry;
+  } else {
+    idTokenKeysCache = keys;
+    idTokenKeysCacheExpiry = newExpiry;
+  }
+  return keys;
 }
 function base64UrlDecode(str) {
   let base64 = str.replace(/-/g, "+").replace(/_/g, "/");
@@ -189,8 +207,14 @@ async function verifyIdToken(idToken) {
     let publicKeys = await fetchPublicKeys(payload.iss);
     let publicKeyPem = publicKeys[header.kid];
     if (!publicKeyPem) {
-      publicKeysCache = null;
-      publicKeysCacheExpiry = 0;
+      const isSessionCookie = payload.iss && payload.iss.includes("session.firebase.google.com");
+      if (isSessionCookie) {
+        sessionKeysCache = null;
+        sessionKeysCacheExpiry = 0;
+      } else {
+        idTokenKeysCache = null;
+        idTokenKeysCacheExpiry = 0;
+      }
       publicKeys = await fetchPublicKeys(payload.iss);
       publicKeyPem = publicKeys[header.kid];
       if (!publicKeyPem) {
@@ -460,6 +484,231 @@ function getAuth() {
   };
 }
 
+// src/user-management.ts
+var IDENTITY_TOOLKIT_API = "https://identitytoolkit.googleapis.com/v1";
+function convertToUserRecord(user) {
+  return {
+    uid: user.localId,
+    email: user.email || void 0,
+    emailVerified: user.emailVerified || false,
+    displayName: user.displayName || void 0,
+    photoURL: user.photoUrl || void 0,
+    phoneNumber: user.phoneNumber || void 0,
+    disabled: user.disabled || false,
+    metadata: {
+      creationTime: user.createdAt ? new Date(parseInt(user.createdAt)).toISOString() : (/* @__PURE__ */ new Date()).toISOString(),
+      lastSignInTime: user.lastLoginAt ? new Date(parseInt(user.lastLoginAt)).toISOString() : (/* @__PURE__ */ new Date()).toISOString()
+    },
+    providerData: user.providerUserInfo || [],
+    customClaims: user.customAttributes ? JSON.parse(user.customAttributes) : void 0
+  };
+}
+async function getUserByEmail(email) {
+  if (!email || typeof email !== "string") {
+    throw new Error("email must be a non-empty string");
+  }
+  const projectId = getProjectId();
+  const accessToken = await getAdminAccessToken();
+  const response = await fetch(
+    `${IDENTITY_TOOLKIT_API}/projects/${projectId}/accounts:lookup`,
+    {
+      method: "POST",
+      headers: {
+        "Authorization": `Bearer ${accessToken}`,
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({ email: [email] })
+    }
+  );
+  if (!response.ok) {
+    const errorText = await response.text();
+    throw new Error(`Failed to get user by email: ${response.status} ${errorText}`);
+  }
+  const data = await response.json();
+  if (!data.users || data.users.length === 0) {
+    return null;
+  }
+  return convertToUserRecord(data.users[0]);
+}
+async function getUserByUid(uid) {
+  if (!uid || typeof uid !== "string") {
+    throw new Error("uid must be a non-empty string");
+  }
+  const projectId = getProjectId();
+  const accessToken = await getAdminAccessToken();
+  const response = await fetch(
+    `${IDENTITY_TOOLKIT_API}/projects/${projectId}/accounts:lookup`,
+    {
+      method: "POST",
+      headers: {
+        "Authorization": `Bearer ${accessToken}`,
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({ localId: [uid] })
+    }
+  );
+  if (!response.ok) {
+    const errorText = await response.text();
+    throw new Error(`Failed to get user by UID: ${response.status} ${errorText}`);
+  }
+  const data = await response.json();
+  if (!data.users || data.users.length === 0) {
+    return null;
+  }
+  return convertToUserRecord(data.users[0]);
+}
+async function createUser(properties) {
+  if (!properties || typeof properties !== "object") {
+    throw new Error("properties must be an object");
+  }
+  const projectId = getProjectId();
+  const accessToken = await getAdminAccessToken();
+  const requestBody = {};
+  if (properties.email) requestBody.email = properties.email;
+  if (properties.password) requestBody.password = properties.password;
+  if (properties.displayName) requestBody.displayName = properties.displayName;
+  if (properties.photoURL) requestBody.photoUrl = properties.photoURL;
+  if (properties.phoneNumber) requestBody.phoneNumber = properties.phoneNumber;
+  if (typeof properties.emailVerified === "boolean") requestBody.emailVerified = properties.emailVerified;
+  if (typeof properties.disabled === "boolean") requestBody.disabled = properties.disabled;
+  const response = await fetch(
+    `${IDENTITY_TOOLKIT_API}/projects/${projectId}/accounts`,
+    {
+      method: "POST",
+      headers: {
+        "Authorization": `Bearer ${accessToken}`,
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify(requestBody)
+    }
+  );
+  if (!response.ok) {
+    const errorText = await response.text();
+    throw new Error(`Failed to create user: ${response.status} ${errorText}`);
+  }
+  const data = await response.json();
+  return getUserByUid(data.localId);
+}
+async function updateUser(uid, properties) {
+  if (!uid || typeof uid !== "string") {
+    throw new Error("uid must be a non-empty string");
+  }
+  if (!properties || typeof properties !== "object") {
+    throw new Error("properties must be an object");
+  }
+  const projectId = getProjectId();
+  const accessToken = await getAdminAccessToken();
+  const requestBody = { localId: uid };
+  if (properties.email) requestBody.email = properties.email;
+  if (properties.password) requestBody.password = properties.password;
+  if (properties.displayName !== void 0) requestBody.displayName = properties.displayName;
+  if (properties.photoURL !== void 0) requestBody.photoUrl = properties.photoURL;
+  if (properties.phoneNumber !== void 0) requestBody.phoneNumber = properties.phoneNumber;
+  if (typeof properties.emailVerified === "boolean") requestBody.emailVerified = properties.emailVerified;
+  if (typeof properties.disabled === "boolean") requestBody.disableUser = properties.disabled;
+  const response = await fetch(
+    `${IDENTITY_TOOLKIT_API}/projects/${projectId}/accounts:update`,
+    {
+      method: "POST",
+      headers: {
+        "Authorization": `Bearer ${accessToken}`,
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify(requestBody)
+    }
+  );
+  if (!response.ok) {
+    const errorText = await response.text();
+    throw new Error(`Failed to update user: ${response.status} ${errorText}`);
+  }
+  return getUserByUid(uid);
+}
+async function deleteUser(uid) {
+  if (!uid || typeof uid !== "string") {
+    throw new Error("uid must be a non-empty string");
+  }
+  const projectId = getProjectId();
+  const accessToken = await getAdminAccessToken();
+  const response = await fetch(
+    `${IDENTITY_TOOLKIT_API}/projects/${projectId}/accounts:delete`,
+    {
+      method: "POST",
+      headers: {
+        "Authorization": `Bearer ${accessToken}`,
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({ localId: uid })
+    }
+  );
+  if (!response.ok) {
+    const errorText = await response.text();
+    throw new Error(`Failed to delete user: ${response.status} ${errorText}`);
+  }
+}
+async function listUsers(maxResults = 1e3, pageToken) {
+  if (typeof maxResults !== "number" || maxResults < 1 || maxResults > 1e3) {
+    throw new Error("maxResults must be a number between 1 and 1000");
+  }
+  const projectId = getProjectId();
+  const accessToken = await getAdminAccessToken();
+  const params = new URLSearchParams({
+    maxResults: maxResults.toString()
+  });
+  if (pageToken) {
+    params.append("nextPageToken", pageToken);
+  }
+  const response = await fetch(
+    `${IDENTITY_TOOLKIT_API}/projects/${projectId}/accounts:query?${params.toString()}`,
+    {
+      method: "GET",
+      headers: {
+        "Authorization": `Bearer ${accessToken}`
+      }
+    }
+  );
+  if (!response.ok) {
+    const errorText = await response.text();
+    throw new Error(`Failed to list users: ${response.status} ${errorText}`);
+  }
+  const data = await response.json();
+  return {
+    users: (data.users || []).map(convertToUserRecord),
+    pageToken: data.nextPageToken
+  };
+}
+async function setCustomUserClaims(uid, customClaims) {
+  if (!uid || typeof uid !== "string") {
+    throw new Error("uid must be a non-empty string");
+  }
+  if (customClaims !== null) {
+    const serialized = JSON.stringify(customClaims);
+    if (new TextEncoder().encode(serialized).length > 1e3) {
+      throw new Error("customClaims must be less than 1000 bytes when serialized");
+    }
+  }
+  const projectId = getProjectId();
+  const accessToken = await getAdminAccessToken();
+  const requestBody = {
+    localId: uid,
+    customAttributes: customClaims ? JSON.stringify(customClaims) : "{}"
+  };
+  const response = await fetch(
+    `${IDENTITY_TOOLKIT_API}/projects/${projectId}/accounts:update`,
+    {
+      method: "POST",
+      headers: {
+        "Authorization": `Bearer ${accessToken}`,
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify(requestBody)
+    }
+  );
+  if (!response.ok) {
+    const errorText = await response.text();
+    throw new Error(`Failed to set custom claims: ${response.status} ${errorText}`);
+  }
+}
+
 // src/field-value.ts
 function serverTimestamp() {
   return {
@@ -1626,8 +1875,10 @@ export {
   countDocuments,
   createCustomToken,
   createSessionCookie,
+  createUser,
   deleteDocument,
   deleteFile,
+  deleteUser,
   downloadFile,
   fileExists,
   generateSignedUrl,
@@ -1638,15 +1889,20 @@ export {
   getFileMetadata,
   getProjectId,
   getServiceAccount,
+  getUserByEmail,
+  getUserByUid,
   getUserFromToken,
   initializeApp,
   iterateCollection,
   listDocuments,
   listFiles,
+  listUsers,
   queryDocuments,
+  setCustomUserClaims,
   setDocument,
   signInWithCustomToken,
   updateDocument,
+  updateUser,
   uploadFile,
   uploadFileResumable,
   verifyIdToken,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@prmichaelsen/firebase-admin-sdk-v8",
-  "version": "2.4.0",
+  "version": "2.5.0",
   "description": "Firebase Admin SDK for Cloudflare Workers and edge runtimes using REST APIs",
   "main": "dist/index.js",
   "module": "dist/index.mjs",
@@ -26,8 +26,8 @@
     "typecheck": "tsc --noEmit",
     "test": "jest",
     "test:watch": "jest --watch",
-    "test:e2e": "jest --config jest.e2e.config.js",
-    "test:e2e:watch": "jest --config jest.e2e.config.js --watch",
+    "test:e2e": "node --env-file=.env node_modules/.bin/jest --config jest.e2e.config.js",
+    "test:e2e:watch": "node --env-file=.env node_modules/.bin/jest --config jest.e2e.config.js --watch",
     "test:all": "npm test && npm run test:e2e",
     "prepublishOnly": "npm run build"
   },