backend-manager 5.6.4 → 5.7.0

package/plans/mcp2.md

@@ -0,0 +1,247 @@
+# MCP Role-Based Tool Scoping + Consumer Extensibility
+
+## Context
+
+The BEM MCP server currently works only for admins — a single `BACKEND_MANAGER_KEY` grants access to all 19 tools. Regular users can't connect at all, and consumer BEM projects have no way to add custom MCP tools. This plan adds:
+
+1. **Role-based tool scoping** — tools tagged `admin`, `user`, or `public`; connections only see tools matching their role
+2. **User authentication** — seamless OAuth sign-in flow + API key as long-lived credential
+3. **Consumer MCP tools** — a single `functions/mcp.js` file in consumer projects
+
+## Architecture
+
+### Role Model
+
+Every tool gets a `role` field:
+
+| Role | Who sees it | Examples |
+|------|-------------|---------|
+| `admin` | Admin key connections only | firestore_read, send_email, run_cron |
+| `user` | Authenticated users + admins | get_user, get_subscription, cancel_subscription |
+| `public` | Everyone (including unauthenticated) | generate_uuid, health_check |
+
+Admin sees ALL tools. User sees `user` + `public`. Unauthenticated sees only `public`. Defense-in-depth — even if someone calls an admin tool by name, the route still rejects with 403.
+
+### Auth: How Users Connect (OAuth + Consumer's Website)
+
+**The key insight:** users already have an API key (`api.privateKey`) on their Firestore account doc. It's long-lived, already works with `assistant.authenticate()`, and already encodes identity + access level. This is the credential.
+
+**The UX:** Claude Code/Desktop opens a browser → user signs in on their familiar site → redirected back to Claude. Done. No copy-pasting tokens.
+
+**The OAuth flow (step by step):**
+
+```
+1. Claude discovers endpoints:
+   GET /.well-known/oauth-authorization-server
+   → { authorization_endpoint, token_endpoint, ... }
+
+2. Claude opens browser to BEM authorize endpoint:
+   GET /backend-manager/mcp/authorize?redirect_uri=CLAUDE_CALLBACK&state=STATE
+
+3. BEM authorize checks the request:
+   - If client_id === BACKEND_MANAGER_KEY → auto-redirect (admin, unchanged)
+   - Otherwise → redirect to consumer's /token page:
+     https://app.example.com/token?redirect_uri=CLAUDE_CALLBACK&state=STATE
+
+4. User lands on their familiar website sign-in page.
+   Signs in with Google / email+password / whatever.
+   After sign-in, page gets Firebase ID token via webManager.auth().getIdToken()
+
+5. Consumer's /token page redirects to CLAUDE_CALLBACK:
+   CLAUDE_CALLBACK?code=FIREBASE_ID_TOKEN&state=STATE
+
+6. Claude exchanges code for access token:
+   POST /backend-manager/mcp/token
+   { code: FIREBASE_ID_TOKEN }
+
+7. BEM token endpoint:
+   - If code === BACKEND_MANAGER_KEY → return it as access_token (admin, unchanged)
+   - Otherwise → verify Firebase ID token with admin.auth().verifyIdToken()
+     → look up user doc → return user's api.privateKey as access_token
+
+8. Claude uses the API key for all future MCP requests:
+   Authorization: Bearer {api.privateKey}
+```
+
+**Why API key, not JWT:**
+- Firebase ID tokens expire in 1 hour — MCP connection would break constantly
+- The API key never expires (until regenerated)
+- `assistant.authenticate()` already handles API key → user lookup
+- User can revoke by regenerating from account settings
+
+**Why redirect to consumer's website instead of embedding Firebase Auth:**
+- User sees their familiar sign-in page (branded, trusted)
+- No need to embed Firebase Auth SDK in BEM's authorize HTML
+- UJM already has a `/token` page — just needs a small update to support `redirect_uri` param
+- Works with any auth provider the consumer has configured
+
+### Auth Classification (Fast, No DB Call)
+
+`resolveAuthInfo(token)` classifies the Bearer token for tool filtering:
+
+- Token matches `BACKEND_MANAGER_KEY` → `role: 'admin'`
+- Any other non-empty token → `role: 'user'` (API key from the OAuth flow)
+- No token → `role: 'public'`
+
+No DB call needed — actual validation happens at the route level when a tool is called.
+
+### Consumer MCP Tools
+
+Consumer tools live in a **single file**: `functions/mcp.js`. Keeps things simple since most consumer MCP tools are just route delegations pointing at routes already defined in `functions/routes/`.
+
+```js
+// functions/mcp.js
+module.exports = [
+  // Route delegation — points at an existing route (works on stdio + HTTP)
+  {
+    name: 'get_sponsorship',
+    description: 'Get sponsorship details by ID',
+    role: 'user',
+    method: 'GET',
+    path: 'sponsorship',
+    inputSchema: {
+      type: 'object',
+      properties: {
+        id: { type: 'string', description: 'Sponsorship ID' },
+      },
+      required: ['id'],
+    },
+  },
+
+  // Handler mode — runs code directly (HTTP transport only, has full Manager context)
+  {
+    name: 'newsletter_stats',
+    description: 'Get newsletter stats for the past N days',
+    role: 'admin',
+    inputSchema: {
+      type: 'object',
+      properties: {
+        days: { type: 'number', description: 'Days to look back', default: 30 },
+      },
+    },
+    handler: async ({ Manager, assistant, user, params, libraries }) => {
+      const cutoff = Date.now() - (params.days || 30) * 86400000;
+      const snapshot = await libraries.admin.firestore()
+        .collection('newsletters')
+        .where('metadata.created.timestampUNIX', '>=', Math.floor(cutoff / 1000))
+        .get();
+      return { total: snapshot.docs.length };
+    },
+  },
+];
+```
+
+Consumer tools with the same name as a built-in tool override it (same precedence as consumer routes).
+
+## File Changes
+
+### 1. `src/mcp/tools.js` — Add `role` to every tool
+
+| Tool | Role |
+|------|------|
+| `firestore_read/write/query` | `admin` |
+| `send_email`, `send_notification` | `admin` |
+| `sync_users`, `list_campaigns`, `create_campaign` | `admin` |
+| `get_stats`, `run_cron`, `create_post`, `create_backup`, `run_hook` | `admin` |
+| `get_user`, `get_subscription` | `user` |
+| `cancel_subscription`, `refund_payment` | `user` |
+| `generate_uuid`, `health_check` | `public` |
+
+### 2. NEW: `src/mcp/utils.js` — Shared utilities
+
+- **`resolveAuthInfo(token)`** — classifies token → `{ role, authType, token }`. Admin key check is instant; everything else = user.
+- **`filterToolsByRole(tools, role)`** — admin→all, user→user+public, public→public only.
+- **`loadConsumerTools(cwd)`** — checks for `${cwd}/mcp.js`, `require()`s it if it exists, validates shape, returns array.
+- **`buildToolMap(builtinTools, consumerTools)`** — merges into a Map; consumer tools override same-name built-ins.
+
+### 3. `src/mcp/client.js` — Support user auth tokens
+
+Extend constructor to accept `{ baseUrl, backendManagerKey, userToken }`.
+
+In `call()`:
+- Has `backendManagerKey` → current behavior (key in query/body)
+- Has `userToken` (no backendManagerKey) → put token in `Authorization: Bearer` header + `authenticationToken` query param for GET
+- Neither → unauthenticated request
+
+### 4. `src/mcp/index.js` — Stdio server with role filtering
+
+- Import utils, call `resolveAuthInfo()` to determine role
+- Call `loadConsumerTools(options.cwd)` if `cwd` is provided
+- Merge + filter tools by role in `ListToolsRequestSchema` handler
+- In `CallToolRequestSchema`: `path`-based tools via BEMClient. Handler-only tools return error explaining they require HTTP transport.
+- Accept new `options.token` for user connections
+
+### 5. `src/mcp/handler.js` — HTTP handler with OAuth user flow
+
+**`handleAuthorize()`** — the big change:
+- If `client_id` matches admin key → auto-redirect (current behavior, unchanged)
+- Otherwise → **redirect to consumer's website** for sign-in:
+  - Build consumer auth URL from `Manager.config.brand.url` (or a configurable `mcp.authUrl` in backend-manager-config.json)
+  - Redirect to: `{consumerUrl}/token?redirect_uri={originalRedirectUri}&state={state}`
+  - The consumer's `/token` page handles sign-in, gets Firebase ID token, redirects back to Claude's callback
+
+**`handleToken()`** — exchanges Firebase ID token for API key:
+- If code matches admin key → return as `access_token` (unchanged)
+- Otherwise → treat code as Firebase ID token:
+  1. `admin.auth().verifyIdToken(code)` to get UID
+  2. `admin.firestore().doc('users/{uid}').get()` to get user doc
+  3. Return `user.api.privateKey` as the `access_token`
+  4. If user has no API key, generate one and save it
+
+**`handleMcpProtocol()`** — role-based tool filtering:
+- Extract Bearer token, call `resolveAuthInfo()`
+- Allow public connections (no 401 for empty tokens — just show public tools)
+- Discover + merge consumer tools (cached at module scope)
+- Filter tools by role in `ListToolsRequestSchema`
+- In `CallToolRequestSchema`:
+  - `path`-based tools: BEMClient HTTP call (current behavior)
+  - `handler`-based tools: execute directly with `{ Manager, assistant, user, params, libraries }`
+
+**Rename `isValidKey()` → `isAdminKey()`** for clarity.
+
+### 6. `src/cli/commands/mcp.js` — New CLI flags
+
+- `--token` (`-t`): user's API key (for user-level connections)
+- Pass `cwd: functionsDir` to `startServer()` for consumer tool discovery
+- When `--token` is provided, create BEMClient with userToken instead of backendManagerKey
+
+### 7. Consumer's UJM `/token` page — Small update (separate repo)
+
+The UJM `/token` page needs to support the MCP OAuth redirect flow:
+- Detect `redirect_uri` and `state` query params
+- After sign-in, get Firebase ID token via `webManager.auth().getIdToken()`
+- Redirect to `redirect_uri?code={idToken}&state={state}`
+
+This is a small addition to the existing `/token` page layout. Files:
+- `ultimate-jekyll-manager/src/defaults/dist/_layouts/blueprint/auth/token.html`
+- `ultimate-jekyll-manager/src/defaults/dist/_layouts/themes/classy/frontend/pages/auth/token.html`
+
+### 8. `docs/mcp.md` — Documentation
+
+- Add "Roles" section explaining admin/user/public scoping
+- Add "User Authentication" section with the OAuth flow diagram
+- Add "Consumer MCP Tools" section with `functions/mcp.js` format + examples
+- Add CLI examples for user connections
+- Add guide for configuring the consumer auth URL
+
+## Implementation Order
+
+1. `src/mcp/utils.js` (new) — foundation utilities
+2. `src/mcp/tools.js` — add `role` to all 19 tools
+3. `src/mcp/client.js` — user token support
+4. `src/mcp/index.js` — stdio role filtering + consumer tools
+5. `src/cli/commands/mcp.js` — new CLI flags
+6. `src/mcp/handler.js` — HTTP role filtering + OAuth user flow + consumer tool handlers
+7. UJM `/token` page update (separate repo)
+8. `docs/mcp.md` — documentation
+
+## Verification
+
+1. **Existing admin flow**: `npx mgr mcp` with `BACKEND_MANAGER_KEY` → all 19 tools listed, all callable
+2. **User flow (stdio)**: `npx mgr mcp --token <api-key>` → only user+public tools listed
+3. **Public flow**: `npx mgr mcp` (no key, no token) → only public tools listed
+4. **Consumer tools**: Create `functions/mcp.js` in a consumer project → tools appear in listing
+5. **HTTP OAuth flow**: Connect from Claude Code/Desktop → redirected to consumer site → sign in → redirected back → user tools available
+6. **Token exchange**: POST to `/mcp/token` with Firebase ID token → returns API key as access_token
+7. **Role enforcement**: User calling an admin tool by name → unknown tool error (tool not in filtered list)
+8. **Run `npx mgr test`** to verify no regressions

package/src/cli/commands/mcp.js

@@ -18,14 +18,20 @@ class McpCommand extends BaseCommand {
       || process.env.BEM_URL
       || 'http://localhost:5002';
 
-    // Resolve the admin key
+    // Resolve auth credentials
     const backendManagerKey = self.argv.key
       || process.env.BACKEND_MANAGER_KEY
       || '';
+    const userToken = self.argv.token || '';
 
     const { startServer } = require('../../mcp/index.js');
 
-    await startServer({ baseUrl, backendManagerKey });
+    await startServer({
+      baseUrl,
+      backendManagerKey: userToken ? '' : backendManagerKey,
+      userToken,
+      cwd: functionsDir,
+    });
   }
 }
 

package/src/cli/commands/serve.js

@@ -3,6 +3,7 @@ const path = require('path');
 const fs = require('fs');
 const chalk = require('chalk').default;
 const powertools = require('node-powertools');
+const jetpack = require('fs-jetpack');
 const WatchCommand = require('./watch');
 
 class ServeCommand extends BaseCommand {
@@ -10,10 +11,18 @@ class ServeCommand extends BaseCommand {
     const self = this.main;
     const projectDir = self.firebaseProjectPath;
     const firebaseConfig = JSON.parse(fs.readFileSync(path.join(projectDir, 'firebase.json'), 'utf8'));
-    const port = self.argv.port || self.argv?._?.[1] || firebaseConfig?.emulators?.hosting?.port || '5000';
+    const port = parseInt(self.argv.port || self.argv?._?.[1] || firebaseConfig?.emulators?.hosting?.port || '5000', 10);
+
+    // HTTPS: proxy on the public port (5002), firebase serve on an internal port (5443).
+    // All services connect to https://localhost:5002. Disable with --no-https.
+    const httpsEnabled = self.argv.https !== false;
+    const internalPort = 5443;
 
     // Check for port conflicts before starting server
-    const canProceed = await this.checkAndKillBlockingProcesses({ serving: parseInt(port, 10) });
+    const portsToCheck = httpsEnabled
+      ? { 'HTTPS': port, 'internal': internalPort }
+      : { serving: port };
+    const canProceed = await this.checkAndKillBlockingProcesses(portsToCheck);
     if (!canProceed) {
       throw new Error('Port conflicts could not be resolved');
     }
@@ -29,29 +38,19 @@ class ServeCommand extends BaseCommand {
     // Start Stripe webhook forwarding in background
     this.startStripeWebhookForwarding();
 
+    // Start HTTPS proxy if enabled
+    if (httpsEnabled) {
+      await this._startHttpsProxy(port, internalPort, projectDir);
+    }
+
     // Set up log file in the project directory.
-    // Mirrors the emulator.js pattern: the file is truncated on boot and on every
-    // hot reload. Two reset signals are honored:
-    //   1. Sentinel file (dev.log.reset) — used by the BEM watcher when source
-    //      changes in backend-manager itself trigger a reload.
-    //   2. Reload marker on stdout (`Using node@22 from host.`) — catches reloads
-    //      triggered by firebase serve's own internal watcher (any change inside
-    //      the consumer's functions/ directory). MUST be the line firebase-tools
-    //      prints at the START of each reload cycle, not somewhere in the middle.
-    //      If we rolled mid-cycle (e.g. on "Loaded functions definitions"), the
-    //      tail of the reload sequence still gets captured into the fresh log;
-    //      but firebase serve sometimes only emits the trailing function-initialized
-    //      lines on the first cycle (subsequent cycles route those elsewhere), so
-    //      we'd end up with a near-empty log. Rolling at the START of the cycle
-    //      lets us capture whatever firebase-tools does emit, complete-or-not.
     const logPath = this.getLogsPath('dev.log');
     const resetSentinelPath = this.getTempPath('dev.log.reset');
-    // Match any node version: "Using node@22 from host.", "Using node@20 from host.", etc.
     const RELOAD_MARKER = /Using node@\d+ from host\./;
     const stripAnsi = (str) => str.replace(/\x1B\[[0-9;]*[a-zA-Z]/g, '');
 
     let currentStream = fs.createWriteStream(logPath, { flags: 'w' });
-    let reloadCount = 0; // skip rolling on the first marker (initial boot, not a reload)
+    let reloadCount = 0;
 
     function rollLog() {
       try {
@@ -59,7 +58,7 @@ class ServeCommand extends BaseCommand {
         currentStream = fs.createWriteStream(logPath, { flags: 'w' });
         oldStream.end();
       } catch (e) {
-        // Best-effort. If roll fails, serve keeps running with the existing stream.
+        // Best-effort.
       }
     }
 
@@ -72,7 +71,7 @@ class ServeCommand extends BaseCommand {
     // Clean up any stale sentinel from a prior crashed serve run
     try { fs.unlinkSync(resetSentinelPath); } catch (e) { /* not present, ok */ }
 
-    // Poll every 500ms for the reset sentinel — cheap, no fs.watch quirks
+    // Poll every 500ms for the reset sentinel
     const resetWatcher = setInterval(() => {
       if (!fs.existsSync(resetSentinelPath)) {
         return;
@@ -89,19 +88,27 @@ class ServeCommand extends BaseCommand {
     this.log(chalk.gray(`  Logs saving to: ${logPath}\n`));
 
     // Execute with tee to log file
+    const firebasePort = httpsEnabled ? internalPort : port;
+    const firebaseEnv = {
+      ...process.env,
+      FORCE_COLOR: '1',
+    };
+
+    if (httpsEnabled) {
+      // Internal calls (getApiUrl → BEMClient) loop through the HTTPS proxy with a self-signed cert
+      firebaseEnv.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+      firebaseEnv.BEM_HTTPS_PORT = String(port);
+    }
+
     try {
-      await powertools.execute(`firebase serve --port ${port}`, {
+      await powertools.execute(`firebase serve --port ${firebasePort}`, {
         log: false,
         cwd: projectDir,
         config: {
           stdio: ['inherit', 'pipe', 'pipe'],
-          env: { ...process.env, FORCE_COLOR: '1' },
+          env: firebaseEnv,
         },
       }, (child) => {
-        // Tee stdout to both console and log file (strip ANSI codes for clean log).
-        // Watch each chunk for the reload marker — when seen (after the initial boot),
-        // roll the log BEFORE writing this chunk so the marker becomes the first
-        // line of the fresh file.
         child.stdout.on('data', (data) => {
           process.stdout.write(data);
           const text = data.toString();
@@ -114,13 +121,11 @@ class ServeCommand extends BaseCommand {
           writeToLog(data);
         });
 
-        // Tee stderr to both console and log file (strip ANSI codes for clean log)
         child.stderr.on('data', (data) => {
           process.stderr.write(data);
           writeToLog(data);
         });
 
-        // Clean up log stream + watcher when child exits
         child.on('close', () => {
           clearInterval(resetWatcher);
           if (currentStream && !currentStream.destroyed) {
@@ -130,10 +135,131 @@ class ServeCommand extends BaseCommand {
         });
       });
     } catch (error) {
-      // User pressed Ctrl+C - this is expected
       this.log(chalk.gray('\n  Server stopped.\n'));
     }
   }
+
+  async _startHttpsProxy(httpsPort, httpPort, projectDir) {
+    const https = require('https');
+    const http = require('http');
+
+    const certs = await this._getHttpsCerts(projectDir);
+
+    if (!certs) {
+      this.log(chalk.yellow('  HTTPS disabled — could not obtain certificates.'));
+      this.log(chalk.yellow('  Install mkcert for trusted local HTTPS: brew install mkcert && mkcert -install\n'));
+      return;
+    }
+
+    const options = {
+      key: fs.readFileSync(certs.key),
+      cert: fs.readFileSync(certs.cert),
+    };
+
+    const proxy = https.createServer(options, (clientReq, clientRes) => {
+      const proxyOpts = {
+        hostname: 'localhost',
+        port: httpPort,
+        path: clientReq.url,
+        method: clientReq.method,
+        headers: {
+          ...clientReq.headers,
+          'x-forwarded-proto': 'https',
+          'x-forwarded-host': clientReq.headers.host,
+        },
+      };
+
+      const proxyReq = http.request(proxyOpts, (proxyRes) => {
+        clientRes.writeHead(proxyRes.statusCode, proxyRes.headers);
+        proxyRes.pipe(clientRes, { end: true });
+      });
+
+      proxyReq.on('error', (err) => {
+        clientRes.writeHead(502);
+        clientRes.end(`Proxy error: ${err.message}`);
+      });
+
+      clientReq.pipe(proxyReq, { end: true });
+    });
+
+    proxy.listen(httpsPort, () => {
+      this.log(chalk.green(`  HTTPS proxy listening on https://localhost:${httpsPort}`));
+      this.log(chalk.gray(`  Forwarding to http://localhost:${httpPort} (firebase serve)\n`));
+    });
+
+    proxy.on('error', (err) => {
+      this.log(chalk.red(`  HTTPS proxy error: ${err.message}`));
+    });
+  }
+
+  async _getHttpsCerts(projectDir) {
+    const tempDir = this.getTempPath();
+
+    const certsDir = path.join(tempDir, 'certs');
+    jetpack.dir(certsDir);
+
+    // Check if mkcert certificates already exist
+    const certFiles = (jetpack.find(certsDir, { matching: 'localhost*.pem' }) || []);
+    const keyFile = certFiles.find((f) => f.includes('-key.pem'));
+    const certFile = certFiles.find((f) => !f.includes('-key.pem'));
+
+    if (keyFile && certFile) {
+      this.log(chalk.gray('  Using existing mkcert certificates from .temp/certs/'));
+      return { key: keyFile, cert: certFile };
+    }
+
+    // Try to generate with mkcert
+    return this._generateMkcertCerts(certsDir);
+  }
+
+  async _generateMkcertCerts(certsDir) {
+    try {
+      await powertools.execute('which mkcert', { log: false });
+    } catch (e) {
+      this.log(chalk.yellow('  mkcert not found. Install with: brew install mkcert && mkcert -install'));
+      return null;
+    }
+
+    try {
+      await powertools.execute('mkcert -install', { log: false });
+    } catch (e) {
+      // CA may already be installed
+    }
+
+    this.log(chalk.gray('  Generating mkcert certificates...'));
+
+    // Get local network IP for the cert SAN
+    const os = require('os');
+    const hosts = ['localhost', '127.0.0.1', '::1'];
+    const interfaces = os.networkInterfaces();
+
+    for (const name of Object.keys(interfaces)) {
+      for (const iface of interfaces[name]) {
+        if (!iface.internal && iface.family === 'IPv4') {
+          hosts.push(iface.address);
+          break;
+        }
+      }
+    }
+
+    try {
+      await powertools.execute(`cd "${certsDir}" && mkcert ${hosts.join(' ')}`, { log: false });
+
+      const certFiles = (jetpack.find(certsDir, { matching: 'localhost*.pem' }) || []);
+      const keyFile = certFiles.find((f) => f.includes('-key.pem'));
+      const certFile = certFiles.find((f) => !f.includes('-key.pem'));
+
+      if (keyFile && certFile) {
+        this.log(chalk.green('  Trusted HTTPS certificates generated in .temp/'));
+        return { key: keyFile, cert: certFile };
+      }
+
+      return null;
+    } catch (e) {
+      this.log(chalk.yellow(`  Failed to generate certificates: ${e.message}`));
+      return null;
+    }
+  }
 }
 
 module.exports = ServeCommand;

package/src/cli/commands/setup-tests/base-test.js

@@ -24,6 +24,14 @@ class BaseTest {
     throw new Error('No automatic fix available for this test');
   }
 
+  /**
+   * Override to provide warning details when run() returns 'warn'.
+   * @returns {string[]}
+   */
+  getWarning() {
+    return [];
+  }
+
   /**
    * Get the test name (used for logging)
    * @returns {string}

package/src/cli/commands/setup-tests/firebase-auth.js

@@ -0,0 +1,26 @@
+const BaseTest = require('./base-test');
+const powertools = require('node-powertools');
+
+class FirebaseAuthTest extends BaseTest {
+  getName() {
+    return 'firebase CLI is authenticated';
+  }
+
+  getWarning() {
+    return [
+      'You are not logged in to Firebase.',
+      'Run: firebase login',
+    ];
+  }
+
+  async run() {
+    try {
+      await powertools.execute('firebase projects:list', { log: false });
+      return true;
+    } catch (error) {
+      return 'warn';
+    }
+  }
+}
+
+module.exports = FirebaseAuthTest;

package/src/cli/commands/setup-tests/firebase-cli.js

@@ -1,5 +1,4 @@
 const BaseTest = require('./base-test');
-const chalk = require('chalk').default;
 const powertools = require('node-powertools');
 
 class FirebaseCliTest extends BaseTest {
@@ -7,24 +6,21 @@ class FirebaseCliTest extends BaseTest {
     return 'firebase CLI is installed';
   }
 
+  getWarning() {
+    return [
+      'Firebase CLI is not installed.',
+      'Install with: npm install -g firebase-tools',
+    ];
+  }
+
   async run() {
     try {
-      const result = await powertools.execute('firebase --version', { log: false });
+      await powertools.execute('firebase --version', { log: false });
       return true;
     } catch (error) {
-      console.error(chalk.red('Firebase CLI is not installed or not accessible'));
-      console.error(chalk.red('Error: ' + error.message));
-      return false;
+      return 'warn';
     }
   }
-
-  async fix() {
-    console.log(chalk.red(`There is no automatic fix for this check.`));
-    console.log(chalk.red(`Firebase CLI is not installed. Please install it by running:`));
-    console.log(chalk.yellow(`npm install -g firebase-tools`));
-    console.log(chalk.red(`After installation, run ${chalk.bold('npx bm setup')} again.`));
-    throw new Error('Firebase CLI not installed');
-  }
 }
 
 module.exports = FirebaseCliTest;

package/src/cli/commands/setup-tests/index.js

@@ -8,6 +8,8 @@ const IsFirebaseProjectTest = require('./is-firebase-project');
 const NodeVersionTest = require('./node-version');
 const NvmrcVersionTest = require('./nvmrc-version');
 const FirebaseCLITest = require('./firebase-cli');
+const FirebaseAuthTest = require('./firebase-auth');
+const JavaInstalledTest = require('./java-installed');
 const FunctionsPackageTest = require('./functions-package');
 const FirebaseAdminTest = require('./firebase-admin');
 const FirebaseFunctionsTest = require('./firebase-functions');
@@ -51,6 +53,8 @@ function getTests(context) {
     new NodeVersionTest(context),
     new NvmrcVersionTest(context),
     new FirebaseCLITest(context),
+    new FirebaseAuthTest(context),
+    new JavaInstalledTest(context),
     new FunctionsPackageTest(context),
     new FirebaseAdminTest(context),
     new FirebaseFunctionsTest(context),

package/src/cli/commands/setup-tests/java-installed.js

@@ -0,0 +1,26 @@
+const BaseTest = require('./base-test');
+const powertools = require('node-powertools');
+
+class JavaInstalledTest extends BaseTest {
+  getName() {
+    return 'Java is installed (required by Firebase emulators)';
+  }
+
+  getWarning() {
+    return [
+      'Java is required by the Firebase Firestore emulator (used for testing).',
+      'Install with: brew install openjdk',
+    ];
+  }
+
+  async run() {
+    try {
+      await powertools.execute('java -version', { log: false });
+      return true;
+    } catch (error) {
+      return 'warn';
+    }
+  }
+}
+
+module.exports = JavaInstalledTest;

package/src/cli/commands/setup.js

@@ -291,7 +291,8 @@ class SetupCommand extends BaseCommand {
         },
         async () => {
           return await test.fix();
-        }
+        },
+        { details: () => test.getWarning() },
       );
     }
   }