Building an Autonomous Auditor for Firebase Rules with Antigravity

Jul 9, 2026

FirebaseSecurityAI Agents

Firebase Security Rules are one of the most critical components of any application. A single misconfiguration, such as allow read, write: if true, can expose an entire database or storage bucket.

While manual reviews are valuable, maintaining consistent security audits becomes increasingly difficult as teams grow, environments multiply, and deployment frequency increases. With the arrival of Google Antigravity, a new opportunity emerged: using AI agents not only to generate code, but also to execute complete analysis and validation workflows.

With this idea in mind, I developed Firebase Rules Agent, an autonomous agent that audits Cloud Firestore and Cloud Storage security rules, identifies security risks, generates structured reports, and keeps developers in control throughout the entire decision-making process.

The Problem

In many projects, Firebase Security Rules evolve continuously. As new collections, routes, and features are introduced, it becomes common to encounter issues such as:

  • Accidental public access.
  • Inconsistent authentication validation.
  • Overly permissive authorization rules.
  • Configuration drift between the rules stored in Git and those deployed to production.

My goal was to build an agent capable of performing these security audits automatically while following the Principle of Least Privilege, without removing the developer from critical security decisions.

An Agent-Based Approach

Instead of using a Large Language Model as a simple text generator, the agent behaves as a specialized security auditor responsible for:

  • Inspecting Firestore and Cloud Storage security rules.
  • Verifying security and compliance policies.
  • Detecting insecure configurations.
  • Classifying findings by severity.
  • Generating remediation recommendations.

Agent Architecture

To solve this problem, I designed a workflow composed of independent stages. Each component has a well-defined responsibility, allowing the agent to analyze both local rule files and live production configurations.

Agent Architecture

1. Sandbox

Before any rule is sent to the language model, the agent performs a sanitization step.

Its purpose is to remove information that adds no value to the analysis, such as comments or internal development notes.

import * as fs from "fs";

const rules = fs.readFileSync(firestorePath, "utf8");
const sanitized = rules.replace(/\/\/.*/g, ""); // Remove comments

fs.writeFileSync(
    path.join(sandboxDir, "firestore_rules_check.txt"),
    sanitized
);

This layer reduces the accidental exposure of sensitive information while ensuring that the model focuses exclusively on authorization logic.

2. Orchestrator

The entry point of the agent is a Bash script (run.sh) that prepares the execution environment automatically. It detects the Firebase project, extracts the PROJECT_ID from .firebaserc, prepares the report directory, and launches the audit.

DATE=$(date +%Y-%m-%d_%H-%M-%S)

REPORT_DIR="reports/audit_$DATE"

mkdir -p "$REPORT_DIR"

npx ts-node scripts/automate-audit.ts "$TARGET_PROJECT"

3. Auditing with Antigravity

Once the environment is ready, the Antigravity CLI (agy) takes over.

The agent analyzes the sanitized rules, identifies insecure configurations, and generates a structured security report containing categorized findings and remediation recommendations.

4. Live Auditing with Firebase MCP

Unlike traditional approaches that only analyze local files, the agent can audit the actual production configuration using Model Context Protocol (MCP).

When executed in --live mode, the agent consumes tools exposed by the Firebase MCP server, such as firebase_get_security_rules, to retrieve the currently deployed security rules and analyze them directly.

{
  "mcpServers": {
    "firebase-mcp-server": {
      "command": "npx",
      "args": ["-y", "firebase-tools@latest", "mcp"]
    }
  }
}

This ensures that the audit reflects the real production state instead of relying solely on files available in the local repository.

Keeping Humans in Control: Human-in-the-Loop

Although the agent automates most of the auditing workflow, critical decisions remain under the developer's control.

After the analysis is completed, Antigravity presents a summary of the proposed changes and requests explicit approval before generating the final artifacts.

Before persisting any artifact, Antigravity presents a detailed diff and requests explicit approval.

At this point, the Human-in-the-Loop mechanism comes into action. Before persisting any report, Antigravity displays a detailed diff and waits for explicit confirmation.

Only after I manually review the proposed output and select "Yes, allow creation" does the agent write the audit report into the reports/audit_YYYY-MM-DD_HH-MM-SS/ directory.

This approval step guarantees that the developer always has the final decision, preserving the integrity of the governance workflow and preventing unintended writes.

A Real Audit Example

To demonstrate the agent in action, I recorded the complete auditing process—from executing the command to approving the generated report.

In the accompanying video, you can see how the agent detects security vulnerabilities in real time and presents the audit results for manual review.

The generated report not only identifies insecure configurations but also explains the associated privilege escalation risks and provides concrete remediation recommendations, all within a Human-in-the-Loop approval workflow.

Security audit report generated by Firebase Rules Agent, showing a table of critical risks in Firestore and Storage, along with a detailed vulnerability analysis.

Why Use an Agent?

The difference between a traditional LLM and a specialized AI agent is not simply text generation.

An agent is capable of executing an entire operational workflow.

Instead of acting as a conversational assistant, it actively participates in infrastructure governance by combining reasoning, tooling, and controlled execution.

Conclusion

This project demonstrated to me that AI agents can take on responsibilities far beyond code generation.

By combining Model Context Protocol, an isolated sandbox environment, and a Human-in-the-Loop approval process, it becomes possible to automate security audits without sacrificing control, transparency, or traceability.

Rather than replacing developers, AI agents can become reliable collaborators that automate repetitive engineering tasks while leaving architectural and security decisions firmly in human hands.

Source Code

You can explore the complete project, installation instructions, and implementation details in the Firebase Rules Agent repository.

GitHub: https://github.com/lperezp/firebase-rules-agent