Codex-native operations workspace for Flutter and Firebase apps.
mobile-ops is a template repo for auditing Flutter + Firebase projects before release. It gives Codex repo-specific instructions, repeatable workflows, store metadata templates, and small shell scripts that perform real checks.
It can be used in two ways:
- as a .mobile-ops/ folder inside a Flutter app
- as a local Codex plugin from this repo
- Firebase security audit
- Android release checklist
- iOS release checklist
- ASO review
- Privacy check
Each workflow follows the same idea: Codex reads project context, runs small signal-collection scripts, then writes a release-focused report.
Add this repo inside an existing app:
git submodule add https://github.com/mehmetfiskindal/mobile-ops .mobile-ops
Or copy it without git history:
npx degit mehmetfiskindal/mobile-ops .mobile-ops
Then ask Codex:
Use .mobile-ops/AGENTS.md and .mobile-ops/workflows/firebase-audit.md to audit this project.
If .mobile-ops was added as a git submodule, update it from the Flutter app root:
git submodule update --remote .mobile-ops
git add .mobile-ops
git commit -m "Update mobile-ops"
If .mobile-ops was copied with degit, replace it with a fresh copy:
rm -rf .mobile-ops
npx degit mehmetfiskindal/mobile-ops .mobile-ops
git add .mobile-ops
git commit -m "Update mobile-ops"
Before replacing a copied .mobile-ops folder, move any local custom reports, profiles, or store metadata you want to keep.
These are human-friendly prompts, not installed shell commands:
/mobile-ops firebase-audit
/mobile-ops android-release
/mobile-ops ios-release
/mobile-ops aso-review
/mobile-ops privacy-check
This repo includes a local Codex plugin scaffold:
.agents/plugins/marketplace.json
plugins/mobile-ops/.codex-plugin/plugin.json
plugins/mobile-ops/skills/mobile-ops/SKILL.md
To make Codex discover the local marketplace, add this block to ~/.codex/config.toml:
[marketplaces.mobile-ops-local]
source_type = "local"
source = "/Users/mehmetfiskindal/mobile-ops"
Then enable the plugin:
[plugins."mobile-ops@mobile-ops-local"]
enabled = true
Restart Codex after changing the config. When the local plugin is enabled, use the same prompt shortcuts from the root of a Flutter app:
/mobile-ops firebase-audit
/mobile-ops android-release
/mobile-ops ios-release
/mobile-ops aso-review
/mobile-ops privacy-check
/mobil-ops ... is accepted as a typo-tolerant alias in the skill instructions, but /mobile-ops ... is the canonical form.
The plugin tells Codex to inspect standard Flutter, Firebase, Android, iOS, store metadata, and privacy files, then run matching scripts from .mobile-ops/scripts/ when this repo is embedded in the app. If you are working directly in this repo, it uses scripts/ instead.
From the root of a Flutter app:
.mobile-ops/scripts/firebase-audit.sh
.mobile-ops/scripts/check-secrets.sh
.mobile-ops/scripts/check-firebase-rules.sh
.mobile-ops/scripts/check-permissions.sh
.mobile-ops/scripts/check-store-metadata.sh
.mobile-ops/scripts/check-versioning.sh
.mobile-ops/scripts/flutter-doctor.sh
.mobile-ops/scripts/build-android.sh
.mobile-ops/scripts/build-ios.sh
The scripts are intentionally conservative. They check common release and security signals, then Codex should interpret the output and suggest focused patches.
mobile-ops/
├── AGENTS.md
├── README.md
├── workflows/
├── templates/
├── scripts/
├── reports/
├── profiles/
├── prompts/
├── store/
├── .agents/plugins/
├── plugins/mobile-ops/
└── examples/
For app projects, keep store metadata in:
store/
├── app-store/
├── play-store/
└── privacy/
See store/README.md for the exact file names.
Profiles tune the risk posture without changing the core idea:
- profiles/indie-app.md
- profiles/startup-production.md
- profiles/kids-app.md
- profiles/subscription-app.md
- profiles/ads-supported-app.md
- profiles/enterprise-app.md
Example prompt:
Use .mobile-ops/profiles/subscription-app.md while following .mobile-ops/workflows/privacy-check.md.
Do not commit private signing keys, Firebase service account JSON, .env files with production secrets, App Store Connect API keys, or Play Console credentials. If a workflow finds sensitive material, rotate it and move it to a secure secret manager or CI secret store.
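As an added example (not part of this repo and not its check-secrets.sh), here is one way to check tracked files for the credential types listed above. The function name `flag_sensitive_paths` and the filename patterns are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: flag files that look like signing keys, service account JSON,
# .env files, or PEM private keys. Reads one path per line on stdin.
# Usage from an app root:  git ls-files | flag_sensitive_paths

flag_sensitive_paths() {
  found=0
  while IFS= read -r path; do
    [ -f "$path" ] || continue
    base=${path##*/}
    reason=
    case "$base" in
      *.jks|*.keystore|key.properties) reason="Android signing material" ;;
      *.p12)                           reason="signing certificate with private key" ;;
      AuthKey_*.p8)                    reason="App Store Connect API key" ;;
      .env|.env.*)
        case "$base" in
          .env.example|.env.sample|.env.template) ;;  # placeholder files are fine
          *) reason=".env file" ;;
        esac ;;
      *.json)
        # Google/Firebase service account keys carry this type field and a
        # private key; google-services.json does not, so it is not flagged.
        if grep -Eq '"type"[[:space:]]*:[[:space:]]*"service_account"' "$path" &&
           grep -q '"private_key"' "$path"; then
          reason="service account JSON"
        fi ;;
    esac
    # Catch PEM-encoded private keys regardless of file name.
    if [ -z "$reason" ] && grep -q -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$path"; then
      reason="PEM private key"
    fi
    if [ -n "$reason" ]; then
      printf '%s: %s\n' "$path" "$reason"
      found=$((found + 1))
    fi
  done
  [ "$found" -eq 0 ]  # non-zero exit status when anything was flagged
}
```

Because the function exits non-zero on any finding, it can gate a pre-commit hook or CI step; a flagged file that was ever pushed still needs its credential rotated, since removing it from the tree does not remove it from history.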