firebase
diff --git a/‎CHANGELOG.md‎
Lines changed: 0 additions & 1 deletion b/‎CHANGELOG.md‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎npm-shrinkwrap.json‎
Lines changed: 2 additions & 2 deletions b/‎npm-shrinkwrap.json‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎package.json‎
Lines changed: 1 addition & 1 deletion b/‎package.json‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎scripts/publish/cloudbuild.yaml‎
Lines changed: 3 additions & 2 deletions b/‎scripts/publish/cloudbuild.yaml‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎src/apiv2.spec.ts‎
Lines changed: 74 additions & 0 deletions b/‎src/apiv2.spec.ts‎
Lines changed: 74 additions & 0 deletions
diff --git a/‎src/apiv2.ts‎
Lines changed: 71 additions & 1 deletion b/‎src/apiv2.ts‎
Lines changed: 71 additions & 1 deletion
diff --git a/‎src/deploy/functions/services/authEventarc.spec.ts‎
Lines changed: 47 additions & 0 deletions b/‎src/deploy/functions/services/authEventarc.spec.ts‎
Lines changed: 47 additions & 0 deletions
diff --git a/‎src/deploy/functions/services/authEventarc.ts‎
Lines changed: 20 additions & 0 deletions b/‎src/deploy/functions/services/authEventarc.ts‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎src/deploy/functions/services/index.ts‎
Lines changed: 17 additions & 1 deletion b/‎src/deploy/functions/services/index.ts‎
Lines changed: 17 additions & 1 deletion
@@ -1 +0,0 @@
-- Upgrade `zod` to v4 and drop the deprecated `zod-to-json-schema` dependency in favor of zod v4's built-in `z.toJSONSchema()`.
@@ -1,6 +1,6 @@
 {
   "name": "firebase-tools",
-  "version": "15.22.1",
+  "version": "15.22.3",
   "description": "Command-Line Interface for Firebase",
   "main": "./lib/index.js",
   "mcpName": "io.github.firebase/firebase-mcp",
 
@@ -134,16 +134,17 @@ steps:
         sleep 60
         echo "Package firebase-tools@$(cat /workspace/version_number.txt) is now available on npm."
 
-  # Set up the hub credentials for firepit-builder.
+  # Set up the hub and npm credentials for firepit-builder.
   - name: "gcr.io/$PROJECT_ID/firepit-builder"
     entrypoint: "bash"
     args:
       - "-c"
       - |
         if [ "${_VERSION}" != "preview" ]; then
           mkdir -vp ~/.config && cp -v hub ~/.config/hub
+          cp -v npmrc ~/.npmrc
         else
-          echo "Skipping hub credentials for firepit-builder for preview."
+          echo "Skipping credentials for firepit-builder for preview."
         fi
 
   # Publish the firepit builds.
 
@@ -2,6 +2,7 @@ import { createServer, Server } from "http";
 import { expect } from "chai";
 import * as nock from "nock";
 import AbortController from "abort-controller";
+import * as FormData from "form-data";
 const proxySetup = require("proxy");
 
 import { Client, CLI_OAUTH_PROJECT_NUMBER } from "./apiv2";
@@ -109,6 +110,79 @@ describe("apiv2", () => {
       expect(nock.isDone()).to.be.true;
     });
 
+    it("should retry without keep-alive after a premature close error", async () => {
+      nock("https://example.com").get("/path/to/foo").once().replyWithError({
+        message:
+          "Invalid response body while trying to fetch https://example.com/path/to/foo: Premature close",
+        code: "ERR_STREAM_PREMATURE_CLOSE",
+      });
+      nock("https://example.com").get("/path/to/foo").once().reply(200, { foo: "bar" });
+
+      const c = new Client({ urlPrefix: "https://example.com" });
+      const r = await c.request({
+        method: "GET",
+        path: "/path/to/foo",
+        retries: 1,
+        retryMinTimeout: 10,
+        retryMaxTimeout: 15,
+      });
+      expect(r.body).to.deep.equal({ foo: "bar" });
+      expect(nock.isDone()).to.be.true;
+    });
+
+    it("should give up if the connection keeps closing prematurely", async () => {
+      nock("https://example.com").get("/path/to/foo").twice().replyWithError({
+        message:
+          "Invalid response body while trying to fetch https://example.com/path/to/foo: Premature close",
+        code: "ERR_STREAM_PREMATURE_CLOSE",
+      });
+
+      const c = new Client({ urlPrefix: "https://example.com" });
+      const r = c.request({
+        method: "GET",
+        path: "/path/to/foo",
+        retries: 1,
+        retryMinTimeout: 10,
+        retryMaxTimeout: 15,
+      });
+      await expect(r).to.eventually.be.rejectedWith(FirebaseError, /Failed to make request/);
+      expect(nock.isDone()).to.be.true;
+    });
+
+    it("should resend a multipart body when retrying after a premature close", async () => {
+      const sentBodies: string[] = [];
+      const capture = (b: unknown): boolean => {
+        sentBodies.push(typeof b === "string" ? b : JSON.stringify(b));
+        return true;
+      };
+      nock("https://example.com").post("/upload", capture).once().replyWithError({
+        message:
+          "Invalid response body while trying to fetch https://example.com/upload: Premature close",
+        code: "ERR_STREAM_PREMATURE_CLOSE",
+      });
+      nock("https://example.com").post("/upload", capture).once().reply(200, { ok: true });
+
+      const form = new FormData();
+      form.append("code", "secret-code-123");
+
+      const c = new Client({ urlPrefix: "https://example.com" });
+      const r = await c.request({
+        method: "POST",
+        path: "/upload",
+        body: form,
+        headers: form.getHeaders(),
+        retries: 1,
+        retryMinTimeout: 10,
+        retryMaxTimeout: 15,
+      });
+      expect(r.status).to.equal(200);
+      // Both the original attempt and the retry must carry the full body.
+      expect(sentBodies).to.have.length(2);
+      expect(sentBodies[0]).to.contain("secret-code-123");
+      expect(sentBodies[1]).to.contain("secret-code-123");
+      expect(nock.isDone()).to.be.true;
+    });
+
     it("should not allow resolving on http error when streaming", async () => {
       const c = new Client({ urlPrefix: "https://example.com" });
       const r = c.request<unknown, NodeJS.ReadableStream>({
 
@@ -5,6 +5,8 @@ import { ProxyAgent } from "proxy-agent";
 import * as retry from "retry";
 import AbortController from "abort-controller";
 import fetch, { HeadersInit, Response, RequestInit, Headers } from "node-fetch";
+import * as http from "http";
+import * as https from "https";
 import util from "util";
 
 import * as auth from "./auth";
@@ -157,6 +159,39 @@ function proxyURIFromEnv(): string | undefined {
   );
 }
 
+// Some networks (and recent Node.js security releases) interact badly with
+// node-fetch's keep-alive handling: a reused/closed keep-alive socket surfaces
+// as an "Invalid response body ...: Premature close" error while the response
+// body is being read, even though the response is otherwise valid. Retrying the
+// request once without keep-alive (Connection: close) reliably works around it.
+// See https://github.com/firebase/firebase-tools/issues/10692 and
+// https://github.com/node-fetch/node-fetch/issues/1767.
+const httpAgentNoKeepAlive = new http.Agent({ keepAlive: false });
+const httpsAgentNoKeepAlive = new https.Agent({ keepAlive: false });
+export function noKeepAliveAgent(parsedURL: URL): http.Agent | https.Agent {
+  return parsedURL.protocol === "https:" ? httpsAgentNoKeepAlive : httpAgentNoKeepAlive;
+}
+
+function isPrematureCloseError(err: unknown): boolean {
+  for (const candidate of [err, (err as { original?: unknown } | undefined)?.original]) {
+    if (!candidate) {
+      continue;
+    }
+    const e = candidate as { code?: string; errno?: string; message?: string };
+    const code = e.code || e.errno;
+    const message = typeof e.message === "string" ? e.message : "";
+    if (
+      code === "ERR_STREAM_PREMATURE_CLOSE" ||
+      code === "ECONNRESET" ||
+      /premature close/i.test(message) ||
+      /socket hang up/i.test(message)
+    ) {
+      return true;
+    }
+  }
+  return false;
+}
+
 export type ClientOptions = {
   urlPrefix: string;
   apiVersion?: string;
@@ -408,8 +443,18 @@ export class Client {
       fetchOptions.signal = signal;
     }
 
-    if (typeof options.body === "string" || isStream(options.body)) {
+    // A request can only be safely retried if its body can be sent again.
+    // FormData is a single-use stream, so serialize it to a Buffer up front (the
+    // CLI only sends small string forms this way, e.g. the OAuth token request).
+    // Raw streams cannot be replayed and therefore disable the keep-alive retry.
+    let bodyReplayable = true;
+    if (typeof options.body === "string" || Buffer.isBuffer(options.body)) {
+      fetchOptions.body = options.body;
+    } else if (options.body instanceof FormData) {
+      fetchOptions.body = options.body.getBuffer();
+    } else if (isStream(options.body)) {
       fetchOptions.body = options.body;
+      bodyReplayable = false;
     } else if (options.body !== undefined) {
       fetchOptions.body = JSON.stringify(options.body);
     }
@@ -431,6 +476,10 @@ export class Client {
     }
     const operation = retry.operation(operationOptions);
 
+    // Tracks whether we've already downgraded this request to a non-keep-alive
+    // connection in response to a "Premature close" error (retried at most once).
+    let disabledKeepAlive = false;
+
     return await new Promise<ClientResponse<ResT>>((resolve, reject) => {
       // eslint-disable-next-line @typescript-eslint/no-misused-promises
       operation.attempt(async (currentAttempt): Promise<void> => {
@@ -490,6 +539,27 @@ export class Client {
             });
           }
         } catch (err: unknown) {
+          // Work around a node-fetch/Node.js keep-alive bug that surfaces as a
+          // "Premature close" error: retry the request once without keep-alive.
+          if (
+            !disabledKeepAlive &&
+            bodyReplayable &&
+            !proxyURIFromEnv() &&
+            isPrematureCloseError(err)
+          ) {
+            disabledKeepAlive = true;
+            fetchOptions.agent = noKeepAliveAgent;
+            // Use a fresh Headers instance so we don't mutate the shared options.
+            const closeHeaders = new Headers(fetchOptions.headers);
+            closeHeaders.set("Connection", "close");
+            fetchOptions.headers = closeHeaders;
+            logger.debug(
+              `*** [apiv2] retrying ${fetchURL} without keep-alive after a premature close error`,
+            );
+            if (operation.retry(err instanceof Error ? err : new Error(`${err}`))) {
+              return;
+            }
+          }
           return err instanceof FirebaseError ? reject(err) : reject(new FirebaseError(`${err}`));
         }
 
 
@@ -0,0 +1,47 @@
+import { expect } from "chai";
+import { Endpoint } from "../backend";
+import * as authEventarc from "./authEventarc";
+
+const projectNumber = "123456789";
+
+const endpoint: Endpoint = {
+  id: "endpoint",
+  region: "us-central1",
+  project: projectNumber,
+  eventTrigger: {
+    retry: false,
+    eventType: "google.firebase.auth.user.v2.created",
+    eventFilters: {},
+  },
+  entryPoint: "endpoint",
+  platform: "gcfv2",
+  runtime: "nodejs16",
+};
+
+describe("ensureAuthEventarcTriggerRegion", () => {
+  it("should set the trigger location to global", async () => {
+    const ep = { ...endpoint, eventTrigger: { ...endpoint.eventTrigger } };
+
+    await authEventarc.ensureAuthEventarcTriggerRegion(ep);
+
+    expect(ep.eventTrigger.region).to.eq("global");
+  });
+
+  it("should not error if the trigger location is global", async () => {
+    const ep = { ...endpoint, eventTrigger: { ...endpoint.eventTrigger } };
+    ep.eventTrigger.region = "global";
+
+    await authEventarc.ensureAuthEventarcTriggerRegion(ep);
+
+    expect(ep.eventTrigger.region).to.eq("global");
+  });
+
+  it("should error if the trigger location is not global", () => {
+    const ep = { ...endpoint, eventTrigger: { ...endpoint.eventTrigger } };
+    ep.eventTrigger.region = "us-west1";
+
+    expect(() => authEventarc.ensureAuthEventarcTriggerRegion(ep)).to.throw(
+      "A Firebase Auth Eventarc trigger must specify 'global' trigger location",
+    );
+  });
+});
@@ -0,0 +1,20 @@
+import * as backend from "../backend";
+import { FirebaseError } from "../../../error";
+
+/**
+ * Sets a Firebase Auth Eventarc event trigger's region to 'global' since the service is global.
+ * @param endpoint the auth eventarc endpoint
+ */
+export function ensureAuthEventarcTriggerRegion(
+  endpoint: backend.Endpoint & backend.EventTriggered,
+): Promise<void> {
+  if (!endpoint.eventTrigger.region) {
+    endpoint.eventTrigger.region = "global";
+  }
+  if (endpoint.eventTrigger.region !== "global") {
+    throw new FirebaseError(
+      "A Firebase Auth Eventarc trigger must specify 'global' trigger location",
+    );
+  }
+  return Promise.resolve();
+}
@@ -24,6 +24,7 @@ import {
   getDefaultRegion as ensureDataConnectDefaultRegion,
 } from "./dataconnect";
 import { AILogicService } from "./ailogic";
+import { ensureAuthEventarcTriggerRegion } from "./authEventarc";
 
 /** A standard void No Op */
 export const noop = (): Promise<void> => Promise.resolve();
@@ -49,7 +50,8 @@ export type Name =
   | "testlab"
   | "firestore"
   | "dataconnect"
-  | "ailogic";
+  | "ailogic"
+  | "autheventarc";
 
 /** A service interface for the underlying GCP event services */
 export interface Service {
@@ -177,6 +179,18 @@ const dataconnectService: Service = {
   getDefaultRegion: ensureDataConnectDefaultRegion,
 };
 
+/** A Firebase Auth Eventarc service object */
+const authEventarcService: Service = {
+  name: "autheventarc",
+  api: "eventarc.googleapis.com",
+  requiredProjectBindings: noopProjectBindings,
+  ensureTriggerRegion: ensureAuthEventarcTriggerRegion,
+  validateTrigger: noop,
+  registerTrigger: noop,
+  unregisterTrigger: noop,
+  getDefaultRegion: () => Promise.resolve(DEFAULT_GLOBAL_TRIGGER_REGION),
+};
+
 /** Mapping from event type string to service object */
 // TODO: See if there's a way to deduplicate these consts while still ensuring type safety and exhaustion
 const EVENT_SERVICE_MAPPING: Record<events.Event, Service> = {
@@ -207,6 +221,8 @@ const EVENT_SERVICE_MAPPING: Record<events.Event, Service> = {
   "google.firebase.dataconnect.connector.v1.mutationExecuted": dataconnectService,
   "google.firebase.ailogic.v1.beforeGenerate": aiLogicService,
   "google.firebase.ailogic.v1.afterGenerate": aiLogicService,
+  "google.firebase.auth.user.v2.created": authEventarcService,
+  "google.firebase.auth.user.v2.deleted": authEventarcService,
 };
 
 export function serviceForEndpoint(endpoint: backend.Endpoint | build.Endpoint): Service {
Original file line number	Diff line number	Diff line change
`@@ -1 +0,0 @@`
`1`		-- Upgrade `zod` to v4 and drop the deprecated `zod-to-json-schema` dependency in favor of zod v4's built-in `z.toJSONSchema()`.
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "firebase-tools",`
`3`		`- "version": "15.22.1",`
	`3`	`+ "version": "15.22.3",`
`4`	`4`	`"description": "Command-Line Interface for Firebase",`
`5`	`5`	`"main": "./lib/index.js",`
`6`	`6`	`"mcpName": "io.github.firebase/firebase-mcp",`