@AndreaDiazCorreia AndreaDiazCorreia commented Dec 27, 2025

This PR sets up the basic Firebase infrastructure for push notifications in the MostroP2P mobile app.

Changes

  • Configure Firebase project mostro-mobile
  • Add Firebase options for all platforms (Android, iOS, Web, macOS, Windows)
  • Include google-services.json in Git (public credentials - safe to commit)
  • Configure Android build.gradle for Firebase dependencies
  • Add firebase_core and firebase_messaging dependencies
  • Document Linux compatibility (Firebase not supported)

Implementation Notes

  • Follows MIP-05 privacy-preserving approach with silent push notifications
  • FCM only wakes the app; existing background notification system handles the rest
  • Custom server (mostro-push-server) will handle token registration and notification delivery
  • Initial Firebase Cloud Functions approach abandoned due to WebSocket limitations

Next Steps

See docs/FCM_IMPLEMENTATION.md for the complete 4-phase implementation plan.

Testing

  • flutter analyze passes without errors
  • App compiles on all supported platforms
  • Firebase initialization skipped on Linux builds

Summary by CodeRabbit

  • New Features

    • Added Firebase Cloud Messaging infrastructure to support push notifications across Android, iOS, Web, macOS, and Windows
  • Documentation

    • Added FCM implementation documentation outlining the four-phase rollout plan
    • Added notes on Firebase platform support limitations
  • Chores

    • Added Firebase configuration files and dependencies

coderabbitai bot commented Dec 27, 2025

Walkthrough

This PR introduces Firebase and Firebase Cloud Messaging (FCM) integration to the Flutter mobile application, including platform-specific configuration, Android build setup, Dart helper code for Firebase initialization, and comprehensive documentation detailing a phased implementation strategy with privacy-preserving design principles.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Firebase Configuration & Project Setup: .firebaserc, firebase.json | Establishes Firebase project mappings and platform-specific configuration for Flutter, setting default project to "mostro-mobile" and defining Android/iOS/Web/macOS/Windows configurations with fileOutput paths. |
| Android Build & Credentials: android/settings.gradle, android/app/build.gradle, android/app/google-services.json | Adds Google Services Gradle plugin (version 4.3.15) to Android build chain and commits Firebase service configuration JSON containing project metadata, API keys, and app identifiers for Android. |
| Flutter Dependencies & Platform Support: pubspec.yaml, lib/firebase_options.dart | Adds firebase_core (^3.8.0) and firebase_messaging (^15.1.4) dependencies; introduces DefaultFirebaseOptions class with platform-specific configuration selection (excludes Linux). |
| Documentation & Implementation Plan: docs/FCM_IMPLEMENTATION.md, docs/FIREBASE_LINUX_NOTE.md | Comprehensive 4-phase FCM implementation roadmap with privacy-preserving architecture, local decryption strategy, separate notification server rationale, and platform support constraints (Firebase unsupported on Linux). |
| Git Configuration: .gitignore | Removes explicit Firebase credential file ignores and adds clarifying comment about safe-to-commit public credentials. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

  • Catrya
  • grunch

Poem

🐰 A rabbit hops through Firebase flame,
Configuring tokens with careful aim,
Flutter and push through the Android glen,
Privacy guarded, encrypted then,
Linux skipped—alas!—but platforms run free!

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and specifically describes the main change: adding Firebase basic configuration for push notifications, which aligns with the primary objective of this PR. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (4)
android/app/google-services.json (1)

1-29: Firebase configuration is correctly structured.

This google-services.json file follows the standard Firebase Android configuration format. The API key flagged by Gitleaks is a Firebase client identifier designed for public distribution—Firebase security is enforced through server-side Security Rules, not API key secrecy. This is safe to commit as documented in Firebase best practices.

Optional: Add newline at end of file.

For consistency with POSIX standards, consider adding a trailing newline at the end of the file.

docs/FIREBASE_LINUX_NOTE.md (1)

11-27: Specify language identifier for code fence.

The Dart code example is well-structured and demonstrates the correct platform-check pattern. For consistency with markdown conventions, add dart language identifier to the opening code fence.

-```dart
+```
 import 'dart:io' show Platform;
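Review bot: the suggested change at the opening fence is inverted relative to the comment above it. The comment asks to add the dart language identifier, but the `-` line carries the fence with the dart tag and the `+` line the bare fence, so applying the hunk as shown would strip the identifier; the two lines should be swapped.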
docs/FCM_IMPLEMENTATION.md (2)

55-84: Specify language identifier for architecture diagram code fence.

The ASCII architecture diagram is clear and helpful. For consistency with markdown linting standards, add a language identifier (such as text or ascii) to the opening fence.

-```
+```text
 ┌─────────────────┐

88-91: Remove redundant phrase for clarity.

Line 90 contains a redundant phrase: "facilitate easier" should be simplified to "facilitate".

-The implementation is divided into multiple phases (Pull Requests) to facilitate easier code review and incremental testing.
+The implementation is divided into multiple phases (Pull Requests) to facilitate code review and incremental testing.
📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b594627 and 4ae10ed.

⛔ Files ignored due to path filters (1)
  • pubspec.lock is excluded by !**/*.lock
📒 Files selected for processing (10)
  • .firebaserc
  • .gitignore
  • android/app/build.gradle
  • android/app/google-services.json
  • android/settings.gradle
  • docs/FCM_IMPLEMENTATION.md
  • docs/FIREBASE_LINUX_NOTE.md
  • firebase.json
  • lib/firebase_options.dart
  • pubspec.yaml
🧰 Additional context used
📓 Path-based instructions (2)
**/*.{dart,flutter}

📄 CodeRabbit inference engine (CLAUDE.md)

**/*.{dart,flutter}: Run flutter analyze after any code change - Mandatory before commits to ensure zero linting issues
Run flutter test after any code change - Mandatory before commits to ensure all unit tests pass

Files:

  • lib/firebase_options.dart
**/*.dart

📄 CodeRabbit inference engine (CLAUDE.md)

**/*.dart: Use Riverpod for all state management - encapsulate business logic in Notifiers and access data only through repository classes
All code comments must be in English - use clear, concise English for variable names, function names, and comments
Always check mounted before using BuildContext after async operations to prevent errors on disposed widgets
Use const constructors where possible for better performance and immutability
Remove unused imports and dependencies to maintain code cleanliness and reduce build size

**/*.dart: Application code should be organized under lib/, grouped by domain with lib/features/<feature>/ structure, shared utilities in lib/shared/, dependency wiring in lib/core/, and services in lib/services/
Persistence, APIs, and background jobs should live in lib/data/ and lib/background/; generated localization output must be in lib/generated/ and must stay untouched
Apply flutter format . to enforce canonical Dart formatting (two-space indentation, trailing commas) before committing
Resolve every analyzer warning in Dart code
Name Riverpod providers using the <Feature>Provider or <Feature>Notifier convention
Localize all user-facing strings via ARB files and access them with S.of(context) rather than hard-coded literals

Files:

  • lib/firebase_options.dart
🧠 Learnings (13)
📚 Learning: 2025-11-27T12:10:12.082Z
Learnt from: CR
Repo: MostroP2P/mobile PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-27T12:10:12.082Z
Learning: Applies to android/local.properties : Local file: git-ignored, generated by CI or locally, includes `flutter.minSdkVersion=23` to prevent build.gradle auto-modifications, never commit this file or secrets

Applied to files:

  • android/settings.gradle
  • android/app/build.gradle
  • .gitignore
  • firebase.json
  • android/app/google-services.json
📚 Learning: 2025-09-17T20:45:32.468Z
Learnt from: grunch
Repo: MostroP2P/mobile PR: 306
File: docs/architecture/REQUEST_ID_ANALYSIS.md:176-183
Timestamp: 2025-09-17T20:45:32.468Z
Learning: For PR #306 in MostroP2P/mobile repository: This is a documentation-only PR intended to explain how the current requestId system works, not to fix any bugs or issues in the code. The documentation should accurately reflect existing behavior.

Applied to files:

  • docs/FCM_IMPLEMENTATION.md
📚 Learning: 2025-09-17T20:45:07.179Z
Learnt from: grunch
Repo: MostroP2P/mobile PR: 306
File: docs/architecture/REQUEST_ID_ANALYSIS.md:114-118
Timestamp: 2025-09-17T20:45:07.179Z
Learning: For the MostroP2P/mobile project, grunch prefers to separate documentation PRs from code improvement PRs. Documentation PRs should focus on explaining how the current system works, while code fixes and improvements should be handled in separate PRs.

Applied to files:

  • docs/FCM_IMPLEMENTATION.md
📚 Learning: 2025-11-27T12:10:12.082Z
Learnt from: CR
Repo: MostroP2P/mobile PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-27T12:10:12.082Z
Learning: All changes must pass `flutter analyze` with zero issues before committing to ensure code quality standards are maintained

Applied to files:

  • pubspec.yaml
📚 Learning: 2025-11-27T12:10:12.082Z
Learnt from: CR
Repo: MostroP2P/mobile PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-27T12:10:12.082Z
Learning: Applies to **/*.dart : Remove unused imports and dependencies to maintain code cleanliness and reduce build size

Applied to files:

  • pubspec.yaml
📚 Learning: 2025-11-27T12:10:12.082Z
Learnt from: CR
Repo: MostroP2P/mobile PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-27T12:10:12.082Z
Learning: Applies to **/*.{g.dart,mocks.dart} : Never manually edit generated files (`.g.dart`, `.mocks.dart`) or add individual ignore comments - regenerate with `dart run build_runner build -d` instead

Applied to files:

  • .gitignore
📚 Learning: 2025-11-27T12:10:12.082Z
Learnt from: CR
Repo: MostroP2P/mobile PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-27T12:10:12.082Z
Learning: Applies to **/*.{js,ts,tsx,jsx} : This Flutter mobile project uses Dart and Flutter - JavaScript/TypeScript guidelines do not apply

Applied to files:

  • .gitignore
  • firebase.json
📚 Learning: 2025-11-27T12:10:26.407Z
Learnt from: CR
Repo: MostroP2P/mobile PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-27T12:10:26.407Z
Learning: Applies to **/*.dart : Persistence, APIs, and background jobs should live in `lib/data/` and `lib/background/`; generated localization output must be in `lib/generated/` and must stay untouched

Applied to files:

  • .gitignore
📚 Learning: 2025-11-27T12:10:26.407Z
Learnt from: CR
Repo: MostroP2P/mobile PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-27T12:10:26.407Z
Learning: Applies to **/*.dart : Apply `flutter format .` to enforce canonical Dart formatting (two-space indentation, trailing commas) before committing

Applied to files:

  • .gitignore
📚 Learning: 2025-11-27T12:10:12.082Z
Learnt from: CR
Repo: MostroP2P/mobile PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-27T12:10:12.082Z
Learning: Applies to **/*.{dart,flutter} : Run `flutter test` after any code change - Mandatory before commits to ensure all unit tests pass

Applied to files:

  • .gitignore
📚 Learning: 2025-11-27T12:10:26.407Z
Learnt from: CR
Repo: MostroP2P/mobile PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-27T12:10:26.407Z
Learning: Applies to **/*.dart : Application code should be organized under `lib/`, grouped by domain with `lib/features/<feature>/` structure, shared utilities in `lib/shared/`, dependency wiring in `lib/core/`, and services in `lib/services/`

Applied to files:

  • .gitignore
📚 Learning: 2025-11-27T12:10:12.082Z
Learnt from: CR
Repo: MostroP2P/mobile PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-27T12:10:12.082Z
Learning: Applies to **/*.{dart,flutter} : Run `flutter analyze` after any code change - Mandatory before commits to ensure zero linting issues

Applied to files:

  • .gitignore
📚 Learning: 2025-08-15T01:37:12.243Z
Learnt from: Catrya
Repo: MostroP2P/mobile PR: 270
File: lib/shared/widgets/order_filter.dart:133-135
Timestamp: 2025-08-15T01:37:12.243Z
Learning: The MostroP2P/mobile project requires Flutter >=3.27.0 as specified in pubspec.yaml, which supports the Color.withValues() method, so usage of withValues() throughout the codebase is valid and should not be flagged as a compatibility issue.

Applied to files:

  • firebase.json
🪛 Gitleaks (8.30.0)
lib/firebase_options.dart

[high] 47-47: Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches.

(gcp-api-key)


[high] 56-56: Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches.

(gcp-api-key)


[high] 64-64: Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches.

(gcp-api-key)


[high] 73-73: Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches.

(gcp-api-key)


[high] 82-82: Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches.

(gcp-api-key)

android/app/google-services.json

[high] 18-18: Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches.

(gcp-api-key)

🪛 LanguageTool
docs/FCM_IMPLEMENTATION.md

[style] ~90-~90: This phrase is redundant. Consider writing “facilitate”.
Context: ...into multiple phases (Pull Requests) to facilitate easier code review and incremental testing. -...

(FACILITATE_EASIER)

🪛 markdownlint-cli2 (0.18.1)
docs/FCM_IMPLEMENTATION.md

55-55: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: build
🔇 Additional comments (7)
.firebaserc (1)

1-5: LGTM!

The Firebase project configuration is correctly formatted and aligns with the project setup across other Firebase configuration files.

android/app/build.gradle (1)

3-5: LGTM!

The Google Services plugin is correctly applied in the plugins block, completing the Firebase setup for Android. The placement and configuration align with FlutterFire CLI conventions.

firebase.json (1)

1-1: LGTM!

This FlutterFire configuration file is correctly generated and maps all supported platforms (Android, iOS, macOS, Web, Windows) to their respective Firebase configurations. As a generated file, it should not be manually edited—regenerate using FlutterFire CLI if changes are needed.

lib/firebase_options.dart (3)

1-9: LGTM! Generated file with appropriate metadata.

The file header correctly identifies this as FlutterFire CLI-generated code with proper lint suppression and a helpful note about Linux being unsupported. As a generated file, this should not be manually edited.


20-44: LGTM! Platform detection logic is sound.

The currentPlatform getter correctly handles web detection first (via kIsWeb) before switching on defaultTargetPlatform. The Linux case appropriately throws UnsupportedError with a helpful message, and the default case provides a safety net for unexpected platforms.


46-89: Firebase API keys are client identifiers, not secrets.

The five API keys flagged by Gitleaks are Firebase client identifiers designed for public distribution and safe to commit. Firebase security is enforced through server-side Security Rules, App Check, and other mechanisms—not through API key secrecy. This is standard Firebase practice and aligns with the PR's intention to commit "public credentials."

.gitignore (1)

48-48: Removing google-services.json and GoogleService-Info.plist from .gitignore aligns with Firebase best practices.

These files contain Firebase client-side API keys, which are identifiers designed for public distribution and safe to commit to repositories. Per current Firebase security guidance, the critical protections are server-side: ensure Cloud Firestore, Realtime Database, and Cloud Storage are secured with Firebase Security Rules, implement Firebase App Check to restrict which apps can call your backend, and monitor API key usage quotas. True secrets (server API keys, service account JSON) must be kept out of version control and stored in environment variables or secret managers instead.

Comment on lines +22 to +24
// START: FlutterFire Configuration
id "com.google.gms.google-services" version "4.3.15" apply false
// END: FlutterFire Configuration

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

latest version com.google.gms.google-services gradle plugin

💡 Result:

Latest version: 4.4.4 (released Oct 9, 2025). Add to your project classpath as:

classpath 'com.google.gms:google-services:4.4.4'

Sources: [Google docs guide; Maven/Release notes]. [1][2]

References
[1] The Google Services Gradle Plugin — Google Developers. (developers.google.com)
[2] com.google.gms:google-services:4.4.4 — Maven Repository (release date Oct 9, 2025). (mvnrepository.com)

Update Google Services plugin to the latest stable version.

Version 4.3.15 is outdated. The latest stable release is 4.4.4 (released Oct 9, 2025). Update line 23 to id "com.google.gms.google-services" version "4.4.4" apply false.

🤖 Prompt for AI Agents
In android/settings.gradle around lines 22 to 24, the Google Services plugin
version is pinned to 4.3.15; update the plugin declaration to use the latest
stable version 4.4.4 by replacing the version string with "4.4.4" while keeping
apply false and surrounding comment markers unchanged so the build uses the
newer com.google.gms.google-services plugin.

Comment on lines +103 to +105
# Firebase (not supported on Linux - use conditional imports in code)
firebase_core: ^3.8.0
firebase_messaging: ^15.1.4
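Review bot: on the `firebase_core: ^3.8.0` and `firebase_messaging: ^15.1.4` lines, the caret constraints accept any later release below the next major version, so the versions actually built come from pubspec.lock, which this review excluded by path filter. Check that the lock file change in this PR is reviewed as well, so the resolved Firebase versions are the ones intended.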

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check latest versions from pub.dev
echo "=== Checking firebase_core latest version ==="
firebase_core_latest=$(curl -s https://pub.dev/api/packages/firebase_core | jq -r '.latest.version')
echo "Latest version: $firebase_core_latest"

echo -e "\n=== Checking firebase_messaging latest version ==="
firebase_messaging_latest=$(curl -s https://pub.dev/api/packages/firebase_messaging | jq -r '.latest.version')
echo "Latest version: $firebase_messaging_latest"

# Show version comparison
echo -e "\n=== Version Comparison ==="
echo "firebase_core specified: 3.8.0, latest: $firebase_core_latest"
echo "firebase_messaging specified: 15.1.4, latest: $firebase_messaging_latest"

Repository: MostroP2P/mobile

Length of output: 329


🏁 Script executed:

#!/bin/bash
# Check for security advisories for the specified versions
echo "=== Checking pub.dev for advisories ==="

echo -e "\n--- firebase_core 3.8.0 ---"
curl -s "https://pub.dev/api/packages/firebase_core/versions/3.8.0" | jq -r '.advisory // "No advisories found"' 2>/dev/null || echo "Unable to fetch"

echo -e "\n--- firebase_messaging 15.1.4 ---"
curl -s "https://pub.dev/api/packages/firebase_messaging/versions/15.1.4" | jq -r '.advisory // "No advisories found"' 2>/dev/null || echo "Unable to fetch"

# Check changelog/breaking changes in newer versions
echo -e "\n=== Release info for newer versions ==="
echo "firebase_core 4.3.0:"
curl -s "https://pub.dev/api/packages/firebase_core/versions/4.3.0" | jq -r '.pubspec.environment // "N/A"' 2>/dev/null

echo -e "\nfirebase_messaging 16.1.0:"
curl -s "https://pub.dev/api/packages/firebase_messaging/versions/16.1.0" | jq -r '.pubspec.environment // "N/A"' 2>/dev/null

Repository: MostroP2P/mobile

Length of output: 401


🏁 Script executed:

#!/bin/bash
# Read the pubspec.yaml to see environment constraints
head -20 pubspec.yaml

echo -e "\n=== Full pubspec.yaml environment section ==="
rg "^environment:" -A 5 pubspec.yaml

Repository: MostroP2P/mobile

Length of output: 1579


Update Firebase packages to latest stable versions.

The Firebase dependencies are correctly added, but the specified versions are outdated: firebase_core: ^3.8.0 (latest: 4.3.0) and firebase_messaging: ^15.1.4 (latest: 16.1.0). While no security vulnerabilities were found in the specified versions, the newer releases are compatible with the project's environment constraints (SDK ^3.5.3, Flutter >=3.27.0). Update to the latest versions and ensure the code passes flutter analyze with zero issues before committing.

🤖 Prompt for AI Agents
In pubspec.yaml around lines 103 to 105, the Firebase package versions are
outdated; update firebase_core to ^4.3.0 and firebase_messaging to ^16.1.0 in
the dependencies, save the file, run flutter pub get, then run flutter analyze
and fix any analyzer issues (including updating any imports or null-safety/API
changes or conditional imports for Linux) until analysis is clean before
committing.

@grunch grunch requested a review from Catrya December 27, 2025 19:08
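
The .gitignore comment in the review above separates client configuration that is safe to commit from true secrets such as service account JSON; that distinction can be checked mechanically before a commit. This is an added example, not code from the PR or from CodeRabbit: the function names are hypothetical and the two sample documents are constructed placeholders.

```python
import json

# Fields that identify a Google Cloud service account key file (a server
# credential). A google-services.json client config never contains them.
SERVICE_ACCOUNT_FIELDS = {"private_key", "client_email"}


def classify_firebase_json(text):
    """Return 'service-account-key', 'client-config' or 'unknown'."""
    try:
        doc = json.loads(text)
    except ValueError:
        return "unknown"
    if not isinstance(doc, dict):
        return "unknown"
    # Server credential: carries a private key, must stay out of Git.
    if doc.get("type") == "service_account" or SERVICE_ACCOUNT_FIELDS.issubset(doc):
        return "service-account-key"
    # Client config: project metadata plus per-app client identifiers.
    if "project_info" in doc and isinstance(doc.get("client"), list):
        return "client-config"
    return "unknown"


def check_staged(files):
    """files maps path -> contents; returns the paths that should block a commit."""
    blocked = []
    for path, text in files.items():
        if path.endswith(".json") and classify_firebase_json(text) == "service-account-key":
            blocked.append(path)
    return sorted(blocked)


# Constructed sample in the shape of android/app/google-services.json.
CLIENT_CONFIG = json.dumps({
    "project_info": {"project_number": "000000000000", "project_id": "example-project"},
    "client": [{
        "client_info": {"mobilesdk_app_id": "1:000000000000:android:0000000000000000"},
        "api_key": [{"current_key": "CONSTRUCTED-PLACEHOLDER-NOT-A-KEY"}],
    }],
})

# Constructed sample in the shape of a service account key file.
SERVICE_ACCOUNT = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n",
    "client_email": "svc@example-project.iam.gserviceaccount.com",
})

if __name__ == "__main__":
    staged = {
        "android/app/google-services.json": CLIENT_CONFIG,
        "server/key.json": SERVICE_ACCOUNT,
    }
    for path in check_staged(staged):
        print(f"refusing to commit server credential: {path}")
```
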