@theihtisham/mcp-server-firebase 1.0.0

package/tests/errors.test.ts

@@ -0,0 +1,132 @@
+import { describe, it, expect } from 'vitest';
+import { FirebaseToolError, handleFirebaseError, formatSuccess, formatListResult } from '../src/utils/errors.js';
+
+describe('FirebaseToolError', () => {
+  it('creates error with context', () => {
+    const err = new FirebaseToolError('test error', {
+      service: 'firestore',
+      operation: 'query',
+    });
+    expect(err.message).toBe('test error');
+    expect(err.context.service).toBe('firestore');
+    expect(err.context.operation).toBe('query');
+  });
+
+  it('formats structured message with suggestion', () => {
+    const err = new FirebaseToolError('not found', {
+      service: 'firestore',
+      operation: 'get_document',
+      suggestion: 'Check the document path.',
+      details: 'Document does not exist.',
+    });
+    const msg = err.toStructuredMessage();
+    expect(msg).toContain('[firestore/get_document]');
+    expect(msg).toContain('not found');
+    expect(msg).toContain('Suggestion: Check the document path.');
+    expect(msg).toContain('Details: Document does not exist.');
+  });
+
+  it('formats structured message without optional fields', () => {
+    const err = new FirebaseToolError('simple error', {
+      service: 'auth',
+      operation: 'create_user',
+    });
+    const msg = err.toStructuredMessage();
+    expect(msg).toContain('[auth/create_user]');
+    expect(msg).toContain('simple error');
+    expect(msg).not.toContain('Suggestion:');
+    expect(msg).not.toContain('Details:');
+  });
+});
+
+describe('handleFirebaseError', () => {
+  it('re-throws FirebaseToolError as-is', () => {
+    const original = new FirebaseToolError('original', {
+      service: 'firestore',
+      operation: 'query',
+    });
+    expect(() => handleFirebaseError(original, 'auth', 'create')).toThrow(original);
+  });
+
+  it('wraps permission-denied errors with suggestion', () => {
+    try {
+      handleFirebaseError(
+        Object.assign(new Error('Permission denied'), { code: 'permission-denied' }),
+        'firestore',
+        'query'
+      );
+    } catch (err) {
+      expect(err).toBeInstanceOf(FirebaseToolError);
+      const fte = err as FirebaseToolError;
+      expect(fte.context.suggestion).toContain('IAM permissions');
+    }
+  });
+
+  it('wraps not-found errors with suggestion', () => {
+    try {
+      handleFirebaseError(
+        Object.assign(new Error('Not found'), { code: 'not-found' }),
+        'firestore',
+        'get'
+      );
+    } catch (err) {
+      expect(err).toBeInstanceOf(FirebaseToolError);
+      const fte = err as FirebaseToolError;
+      expect(fte.context.suggestion).toContain('Verify that the resource');
+    }
+  });
+
+  it('wraps unauthenticated errors with suggestion', () => {
+    try {
+      handleFirebaseError(
+        Object.assign(new Error('Unauthenticated'), { code: 'unauthenticated' }),
+        'firestore',
+        'get'
+      );
+    } catch (err) {
+      expect(err).toBeInstanceOf(FirebaseToolError);
+      const fte = err as FirebaseToolError;
+      expect(fte.context.suggestion).toContain('Service account');
+    }
+  });
+
+  it('wraps unknown errors without specific suggestion', () => {
+    try {
+      handleFirebaseError(new Error('Something went wrong'), 'firestore', 'query');
+    } catch (err) {
+      expect(err).toBeInstanceOf(FirebaseToolError);
+      const fte = err as FirebaseToolError;
+      expect(fte.context.suggestion).toBeUndefined();
+    }
+  });
+});
+
+describe('formatSuccess', () => {
+  it('formats success response', () => {
+    const result = formatSuccess({ id: '123' }, 'create');
+    const parsed = JSON.parse(result);
+    expect(parsed.success).toBe(true);
+    expect(parsed.operation).toBe('create');
+    expect(parsed.data).toEqual({ id: '123' });
+    expect(parsed.timestamp).toBeDefined();
+  });
+});
+
+describe('formatListResult', () => {
+  it('formats list response without pagination', () => {
+    const result = formatListResult([{ id: '1' }, { id: '2' }]);
+    const parsed = JSON.parse(result);
+    expect(parsed.success).toBe(true);
+    expect(parsed.count).toBe(2);
+    expect(parsed.items).toHaveLength(2);
+    expect(parsed.nextPageToken).toBeUndefined();
+  });
+
+  it('formats list response with pagination', () => {
+    const result = formatListResult([{ id: '1' }], 'next_token', 100);
+    const parsed = JSON.parse(result);
+    expect(parsed.count).toBe(1);
+    expect(parsed.nextPageToken).toBe('next_token');
+    expect(parsed.totalCount).toBe(100);
+  });
+});

package/tests/firebase-service.test.ts

@@ -0,0 +1,46 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import { validateRtdbPath } from '../src/tools/realtime-db.js';
+
+// We can't test the actual Firebase initialization without credentials,
+// but we test the validation functions that are exported from tool files.
+
+describe('Realtime DB path validation', () => {
+  it('accepts valid paths', () => {
+    expect(validateRtdbPath('/users')).toBe('/users');
+    expect(validateRtdbPath('/users/uid123')).toBe('/users/uid123');
+    expect(validateRtdbPath('/')).toBe('/');
+  });
+
+  it('rejects empty path', () => {
+    expect(() => validateRtdbPath('')).toThrow('cannot be empty');
+    expect(() => validateRtdbPath('  ')).toThrow('cannot be empty');
+  });
+
+  it('rejects paths without leading slash', () => {
+    expect(() => validateRtdbPath('users')).toThrow('must start with "/"');
+  });
+
+  it('rejects paths with double slashes', () => {
+    expect(() => validateRtdbPath('/users//uid')).toThrow('must not contain "//"');
+  });
+
+  it('rejects path traversal', () => {
+    expect(() => validateRtdbPath('/users/../admin')).toThrow('must not contain ".."');
+  });
+
+  it('rejects segments with dots', () => {
+    expect(() => validateRtdbPath('/users/name.test')).toThrow('must not contain "."');
+  });
+
+  it('rejects segments with dollar signs', () => {
+    expect(() => validateRtdbPath('/users/$uid')).toThrow('must not contain "$"');
+  });
+
+  it('rejects segments with hash', () => {
+    expect(() => validateRtdbPath('/users/#priority')).toThrow('must not contain "#"');
+  });
+
+  it('rejects segments with brackets', () => {
+    expect(() => validateRtdbPath('/users/[uid]')).toThrow('must not contain "["');
+  });
+});

package/tests/pagination.test.ts

@@ -0,0 +1,26 @@
+import { describe, it, expect } from 'vitest';
+import { encodePageToken, decodePageToken } from '../src/utils/pagination.js';
+
+describe('encodePageToken / decodePageToken', () => {
+  it('round-trips a document path', () => {
+    const path = 'users/uid123/orders/order456';
+    const token = encodePageToken(path);
+    expect(decodePageToken(token)).toBe(path);
+  });
+
+  it('produces base64 strings', () => {
+    const token = encodePageToken('users/abc');
+    // Base64 strings only contain A-Z, a-z, 0-9, +, /, =
+    expect(/^[A-Za-z0-9+/=]+$/.test(token)).toBe(true);
+  });
+
+  it('handles paths with special characters', () => {
+    const path = 'my-collection/doc_123';
+    expect(decodePageToken(encodePageToken(path))).toBe(path);
+  });
+
+  it('handles empty path', () => {
+    const path = '';
+    expect(decodePageToken(encodePageToken(path))).toBe(path);
+  });
+});

package/tests/tools.test.ts

@@ -0,0 +1,226 @@
+import { describe, it, expect } from 'vitest';
+import { allTools } from '../src/tools/index.js';
+import {
+  firestoreTools,
+  authTools,
+  storageTools,
+  realtimeDbTools,
+  functionsTools,
+  messagingTools,
+} from '../src/tools/index.js';
+
+describe('Tool registration', () => {
+  it('registers at least 30 tools total', () => {
+    expect(allTools.length).toBeGreaterThanOrEqual(30);
+  });
+
+  it('every tool has required fields', () => {
+    for (const tool of allTools) {
+      expect(tool.name).toBeTruthy();
+      expect(tool.description).toBeTruthy();
+      expect(tool.inputSchema).toBeDefined();
+      expect(tool.inputSchema.type).toBe('object');
+      expect(tool.inputSchema.properties).toBeDefined();
+      expect(typeof tool.handler).toBe('function');
+    }
+  });
+
+  it('tool names follow service prefix convention', () => {
+    const prefixes = ['firestore_', 'auth_', 'storage_', 'rtdb_', 'functions_', 'messaging_'];
+    for (const tool of allTools) {
+      const hasPrefix = prefixes.some((p) => tool.name.startsWith(p));
+      expect(hasPrefix, `Tool "${tool.name}" should start with a service prefix`).toBe(true);
+    }
+  });
+
+  it('no duplicate tool names', () => {
+    const names = allTools.map((t) => t.name);
+    const unique = new Set(names);
+    expect(unique.size).toBe(names.length);
+  });
+});
+
+describe('Firestore tools', () => {
+  it('has all required tools', () => {
+    const names = new Set(firestoreTools.map((t) => t.name));
+    expect(names.has('firestore_query')).toBe(true);
+    expect(names.has('firestore_get_document')).toBe(true);
+    expect(names.has('firestore_add_document')).toBe(true);
+    expect(names.has('firestore_set_document')).toBe(true);
+    expect(names.has('firestore_update_document')).toBe(true);
+    expect(names.has('firestore_delete_document')).toBe(true);
+    expect(names.has('firestore_batch_write')).toBe(true);
+    expect(names.has('firestore_transaction')).toBe(true);
+    expect(names.has('firestore_list_collections')).toBe(true);
+    expect(names.has('firestore_list_subcollections')).toBe(true);
+    expect(names.has('firestore_aggregate_query')).toBe(true);
+    expect(names.has('firestore_listen_changes')).toBe(true);
+    expect(names.has('firestore_infer_schema')).toBe(true);
+  });
+});
+
+describe('Auth tools', () => {
+  it('has all required tools', () => {
+    const names = new Set(authTools.map((t) => t.name));
+    expect(names.has('auth_create_user')).toBe(true);
+    expect(names.has('auth_get_user')).toBe(true);
+    expect(names.has('auth_list_users')).toBe(true);
+    expect(names.has('auth_update_user')).toBe(true);
+    expect(names.has('auth_delete_user')).toBe(true);
+    expect(names.has('auth_verify_token')).toBe(true);
+    expect(names.has('auth_set_custom_claims')).toBe(true);
+  });
+});
+
+describe('Storage tools', () => {
+  it('has all required tools', () => {
+    const names = new Set(storageTools.map((t) => t.name));
+    expect(names.has('storage_upload_file')).toBe(true);
+    expect(names.has('storage_download_file')).toBe(true);
+    expect(names.has('storage_list_files')).toBe(true);
+    expect(names.has('storage_delete_file')).toBe(true);
+    expect(names.has('storage_get_signed_url')).toBe(true);
+    expect(names.has('storage_get_metadata')).toBe(true);
+  });
+});
+
+describe('Realtime DB tools', () => {
+  it('has all required tools', () => {
+    const names = new Set(realtimeDbTools.map((t) => t.name));
+    expect(names.has('rtdb_get_data')).toBe(true);
+    expect(names.has('rtdb_set_data')).toBe(true);
+    expect(names.has('rtdb_push_data')).toBe(true);
+    expect(names.has('rtdb_update_data')).toBe(true);
+    expect(names.has('rtdb_remove_data')).toBe(true);
+    expect(names.has('rtdb_query_data')).toBe(true);
+  });
+});
+
+describe('Functions tools', () => {
+  it('has all required tools', () => {
+    const names = new Set(functionsTools.map((t) => t.name));
+    expect(names.has('functions_list')).toBe(true);
+    expect(names.has('functions_trigger')).toBe(true);
+    expect(names.has('functions_get_logs')).toBe(true);
+  });
+});
+
+describe('Messaging tools', () => {
+  it('has all required tools', () => {
+    const names = new Set(messagingTools.map((t) => t.name));
+    expect(names.has('messaging_send')).toBe(true);
+    expect(names.has('messaging_send_multicast')).toBe(true);
+    expect(names.has('messaging_subscribe_topic')).toBe(true);
+    expect(names.has('messaging_unsubscribe_topic')).toBe(true);
+  });
+});
+
+describe('Tool input validation (without Firebase connection)', () => {
+  it('firestore_query rejects invalid collection', async () => {
+    const tool = allTools.find((t) => t.name === 'firestore_query')!;
+    await expect(tool.handler({ collection: '' })).rejects.toThrow('cannot be empty');
+  });
+
+  it('firestore_get_document rejects invalid path', async () => {
+    const tool = allTools.find((t) => t.name === 'firestore_get_document')!;
+    await expect(tool.handler({ path: '' })).rejects.toThrow('cannot be empty');
+  });
+
+  it('firestore_add_document rejects empty collection', async () => {
+    const tool = allTools.find((t) => t.name === 'firestore_add_document')!;
+    await expect(tool.handler({ collection: '', data: {} })).rejects.toThrow('cannot be empty');
+  });
+
+  it('firestore_batch_write rejects empty operations', async () => {
+    const tool = allTools.find((t) => t.name === 'firestore_batch_write')!;
+    await expect(tool.handler({ operations: [] })).rejects.toThrow('cannot be empty');
+  });
+
+  it('firestore_batch_write rejects too many operations', async () => {
+    const tool = allTools.find((t) => t.name === 'firestore_batch_write')!;
+    const ops = Array.from({ length: 501 }, (_, i) => ({
+      type: 'delete' as const,
+      path: `col/doc${i}`,
+    }));
+    await expect(tool.handler({ operations: ops })).rejects.toThrow('exceeds maximum');
+  });
+
+  it('auth_create_user rejects short password', async () => {
+    const tool = allTools.find((t) => t.name === 'auth_create_user')!;
+    await expect(
+      tool.handler({ email: 'test@test.com', password: '12345' })
+    ).rejects.toThrow('at least 6 characters');
+  });
+
+  it('auth_delete_user rejects empty uid', async () => {
+    const tool = allTools.find((t) => t.name === 'auth_delete_user')!;
+    await expect(tool.handler({ uid: '' })).rejects.toThrow('cannot be empty');
+  });
+
+  it('storage_upload_file rejects empty base64', async () => {
+    const tool = allTools.find((t) => t.name === 'storage_upload_file')!;
+    await expect(
+      tool.handler({ path: 'test.txt', contentBase64: '  ' })
+    ).rejects.toThrow('cannot be empty');
+  });
+
+  it('storage_upload_file rejects path traversal', async () => {
+    const tool = allTools.find((t) => t.name === 'storage_upload_file')!;
+    await expect(
+      tool.handler({ path: '../secret', contentBase64: 'dGVzdA==' })
+    ).rejects.toThrow('must not start with ".."');
+  });
+
+  it('rtdb_get_data rejects path without leading slash', async () => {
+    const tool = allTools.find((t) => t.name === 'rtdb_get_data')!;
+    await expect(tool.handler({ path: 'no-slash' })).rejects.toThrow('must start with "/"');
+  });
+
+  it('rtdb_get_data rejects path with double slashes', async () => {
+    const tool = allTools.find((t) => t.name === 'rtdb_get_data')!;
+    await expect(tool.handler({ path: '/users//uid' })).rejects.toThrow('must not contain "//"');
+  });
+
+  it('messaging_send_multicast rejects too many tokens', async () => {
+    const tool = allTools.find((t) => t.name === 'messaging_send_multicast')!;
+    const tokens = Array.from({ length: 501 }, () => 'token');
+    await expect(
+      tool.handler({ tokens })
+    ).rejects.toThrow('Too many tokens');
+  });
+
+  it('messaging_subscribe_topic rejects invalid topic name', async () => {
+    const tool = allTools.find((t) => t.name === 'messaging_subscribe_topic')!;
+    await expect(
+      tool.handler({ tokens: ['tok'], topic: 'invalid topic!' })
+    ).rejects.toThrow('Invalid topic name');
+  });
+
+  it('firestore_aggregate_query rejects sum without field', async () => {
+    const tool = allTools.find((t) => t.name === 'firestore_aggregate_query')!;
+    await expect(
+      tool.handler({ collection: 'users', aggregations: [{ type: 'sum' }] })
+    ).rejects.toThrow('requires a "field" parameter');
+  });
+
+  it('firestore_aggregate_query rejects avg without field', async () => {
+    const tool = allTools.find((t) => t.name === 'firestore_aggregate_query')!;
+    await expect(
+      tool.handler({ collection: 'users', aggregations: [{ type: 'avg' }] })
+    ).rejects.toThrow('requires a "field" parameter');
+  });
+
+  it('storage_get_signed_url rejects too-short expiry', async () => {
+    const tool = allTools.find((t) => t.name === 'storage_get_signed_url')!;
+    await expect(
+      tool.handler({ path: 'test.txt', expiresInMs: 1000 })
+    ).rejects.toThrow('at least 60 seconds');
+  });
+
+  it('storage_get_signed_url rejects too-long expiry', async () => {
+    const tool = allTools.find((t) => t.name === 'storage_get_signed_url')!;
+    await expect(
+      tool.handler({ path: 'test.txt', expiresInMs: 8 * 24 * 3600000 })
+    ).rejects.toThrow('more than 7 days');
+  });
+});

package/tests/validation.test.ts

@@ -0,0 +1,216 @@
+import { describe, it, expect } from 'vitest';
+import {
+  validateCollectionPath,
+  validateDocumentPath,
+  validateStoragePath,
+  validateEmail,
+  validateUid,
+  validateLimit,
+  validatePageSize,
+  validateWhereField,
+  validateOperator,
+  sanitizeData,
+} from '../src/utils/validation.js';
+
+describe('validateCollectionPath', () => {
+  it('accepts simple collection names', () => {
+    expect(validateCollectionPath('users')).toBe('users');
+    expect(validateCollectionPath('orders-2024')).toBe('orders-2024');
+    expect(validateCollectionPath('my_collection')).toBe('my_collection');
+  });
+
+  it('accepts nested collection paths', () => {
+    expect(validateCollectionPath('users/uid123/orders')).toBe('users/uid123/orders');
+    expect(validateCollectionPath('a/b/c')).toBe('a/b/c');
+  });
+
+  it('rejects empty path', () => {
+    expect(() => validateCollectionPath('')).toThrow('cannot be empty');
+    expect(() => validateCollectionPath('  ')).toThrow('cannot be empty');
+  });
+
+  it('rejects paths with special characters', () => {
+    expect(() => validateCollectionPath('users$')).toThrow('Invalid collection path');
+    expect(() => validateCollectionPath('my.collection')).toThrow('Invalid collection path');
+  });
+
+  it('rejects overly long paths', () => {
+    const longPath = 'a'.repeat(1501);
+    expect(() => validateCollectionPath(longPath)).toThrow('exceeds maximum length');
+  });
+});
+
+describe('validateDocumentPath', () => {
+  it('accepts valid document paths', () => {
+    expect(validateDocumentPath('users/uid123')).toBe('users/uid123');
+    expect(validateDocumentPath('users/uid123/orders/order1')).toBe('users/uid123/orders/order1');
+  });
+
+  it('rejects odd number of segments', () => {
+    expect(() => validateDocumentPath('users')).toThrow('even number of segments');
+    expect(() => validateDocumentPath('users/uid123/orders')).toThrow('even number of segments');
+  });
+
+  it('rejects empty path', () => {
+    expect(() => validateDocumentPath('')).toThrow('cannot be empty');
+  });
+
+  it('rejects paths with special characters', () => {
+    expect(() => validateDocumentPath('users/uid$123')).toThrow('Invalid segment');
+  });
+});
+
+describe('validateStoragePath', () => {
+  it('accepts valid storage paths', () => {
+    expect(validateStoragePath('images/photo.jpg')).toBe('images/photo.jpg');
+    expect(validateStoragePath('documents/report.pdf')).toBe('documents/report.pdf');
+  });
+
+  it('rejects paths starting with slash', () => {
+    expect(() => validateStoragePath('/etc/passwd')).toThrow('must not start with "/"');
+  });
+
+  it('rejects path traversal', () => {
+    expect(() => validateStoragePath('../secret')).toThrow('must not start with ".."');
+    expect(() => validateStoragePath('images/../secret')).toThrow('must not contain ".."');
+  });
+
+  it('rejects empty path', () => {
+    expect(() => validateStoragePath('')).toThrow('cannot be empty');
+  });
+});
+
+describe('validateEmail', () => {
+  it('accepts valid emails', () => {
+    expect(validateEmail('user@example.com')).toBe('user@example.com');
+    expect(validateEmail('User@Example.COM')).toBe('user@example.com');
+  });
+
+  it('rejects invalid emails', () => {
+    expect(() => validateEmail('notanemail')).toThrow('Invalid email');
+    expect(() => validateEmail('@example.com')).toThrow('Invalid email');
+    expect(() => validateEmail('user@')).toThrow('Invalid email');
+  });
+});
+
+describe('validateUid', () => {
+  it('accepts valid UIDs', () => {
+    expect(validateUid('abc123')).toBe('abc123');
+    expect(validateUid('a-b-c')).toBe('a-b-c');
+  });
+
+  it('rejects empty UIDs', () => {
+    expect(() => validateUid('')).toThrow('cannot be empty');
+    expect(() => validateUid('  ')).toThrow('cannot be empty');
+  });
+
+  it('rejects overly long UIDs', () => {
+    expect(() => validateUid('a'.repeat(129))).toThrow('exceeds maximum length');
+  });
+});
+
+describe('validateLimit', () => {
+  it('accepts valid limits', () => {
+    expect(validateLimit(1)).toBe(1);
+    expect(validateLimit(100)).toBe(100);
+    expect(validateLimit(10000, 10000)).toBe(10000);
+  });
+
+  it('rejects non-positive limits', () => {
+    expect(() => validateLimit(0)).toThrow('positive integer');
+    expect(() => validateLimit(-1)).toThrow('positive integer');
+    expect(() => validateLimit(1.5)).toThrow('positive integer');
+  });
+
+  it('rejects limits exceeding max', () => {
+    expect(() => validateLimit(10001)).toThrow('exceeds maximum');
+  });
+});
+
+describe('validatePageSize', () => {
+  it('accepts valid page sizes', () => {
+    expect(validatePageSize(1)).toBe(1);
+    expect(validatePageSize(100)).toBe(100);
+  });
+
+  it('rejects invalid page sizes', () => {
+    expect(() => validatePageSize(0)).toThrow('positive integer');
+    expect(() => validatePageSize(1001)).toThrow('exceeds maximum');
+  });
+});
+
+describe('validateWhereField', () => {
+  it('accepts valid field names', () => {
+    expect(validateWhereField('name')).toBe('name');
+    expect(validateWhereField('address.city')).toBe('address.city');
+  });
+
+  it('rejects fields starting with __', () => {
+    expect(() => validateWhereField('__internal')).toThrow('must not start with "__"');
+  });
+
+  it('rejects fields containing $', () => {
+    expect(() => validateWhereField('field$name')).toThrow('must not start with "__" or contain "$"');
+  });
+
+  it('rejects empty fields', () => {
+    expect(() => validateWhereField('')).toThrow('cannot be empty');
+  });
+});
+
+describe('validateOperator', () => {
+  it('accepts valid operators', () => {
+    const ops = ['==', '!=', '<', '<=', '>', '>=', 'array-contains', 'array-contains-any', 'in', 'not-in'];
+    for (const op of ops) {
+      expect(validateOperator(op)).toBe(op);
+    }
+  });
+
+  it('rejects invalid operators', () => {
+    expect(() => validateOperator('like')).toThrow('Invalid operator');
+    expect(() => validateOperator('=')).toThrow('Invalid operator');
+  });
+});
+
+describe('sanitizeData', () => {
+  it('passes through primitive values', () => {
+    expect(sanitizeData('hello')).toBe('hello');
+    expect(sanitizeData(42)).toBe(42);
+    expect(sanitizeData(true)).toBe(true);
+    expect(sanitizeData(null)).toBe(null);
+  });
+
+  it('sanitizes nested objects', () => {
+    const input = { name: 'test', count: 5 };
+    expect(sanitizeData(input)).toEqual({ name: 'test', count: 5 });
+  });
+
+  it('sanitizes arrays', () => {
+    const input = [1, 'two', { three: 3 }];
+    expect(sanitizeData(input)).toEqual([1, 'two', { three: 3 }]);
+  });
+
+  it('rejects keys starting with $', () => {
+    expect(() => sanitizeData({ $gt: 5 })).toThrow('must not start with "$"');
+  });
+
+  it('rejects keys containing dots', () => {
+    expect(() => sanitizeData({ 'a.b': 'value' })).toThrow('must not contain "."');
+  });
+
+  it('handles deeply nested objects', () => {
+    const input = {
+      user: {
+        profile: {
+          name: 'test',
+        },
+      },
+    };
+    expect(sanitizeData(input)).toEqual(input);
+  });
+
+  it('rejects nested injection attempts', () => {
+    const input = { data: { $where: 'evil' } };
+    expect(() => sanitizeData(input)).toThrow('must not start with "$"');
+  });
+});

package/tsconfig.json

@@ -0,0 +1,26 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "module": "Node16",
+    "moduleResolution": "Node16",
+    "outDir": "./dist",
+    "rootDir": "./src",
+    "strict": true,
+    "esModuleInterop": true,
+    "skipLibCheck": true,
+    "forceConsistentCasingInFileNames": true,
+    "resolveJsonModule": true,
+    "declaration": true,
+    "declarationMap": true,
+    "sourceMap": true,
+    "noUnusedLocals": true,
+    "noUnusedParameters": true,
+    "noImplicitReturns": true,
+    "noFallthroughCasesInSwitch": true,
+    "exactOptionalPropertyTypes": false,
+    "noUncheckedIndexedAccess": true,
+    "lib": ["ES2022"]
+  },
+    "include": ["src/**/*"],
+    "exclude": ["node_modules", "dist", "tests"]
+  }