Exc1D · Exc1D · Apr 17, 2026 · Apr 17, 2026 · Apr 17, 2026 · Apr 17, 2026
diff --git a/.claude/plans/exxeed-task13-rtdb-rules-report.md b/.claude/plans/exxeed-task13-rtdb-rules-report.md
@@ -0,0 +1,56 @@
+# Exxeed Implementation Report — task13-rtdb-rules
+
+Date: 2026-04-17
+
+## What was built
+
+Replaced the placeholder `database.rules.json` (deny-all) with the §5.8 production rule set covering responder telemetry writes (capturedAt bounds, role/accountStatus guards, field validation), granular read access by role and responder_index cross-references, client-deny on `responder_index`, and shared_projection read/write controls. Created `rtdb.rules.test.ts` with 17 test cases exercising every positive and negative path.
+
+## Requirements coverage
+
+| ID  | Requirement                                         | Status | Notes                   |
+| --- | --------------------------------------------------- | ------ | ----------------------- |
+| R01 | Responder writes own location with valid capturedAt | ✅     | Test passes             |
+| R02 | capturedAt > now + 60000 fails                      | ✅     | +70 000 ms case         |
+| R03 | capturedAt < now - 600000 fails                     | ✅     | -700 000 ms case        |
+| R04 | Non-responder role write fails                      | ✅     | citizen role tested     |
+| R05 | Responder writes to another uid fails               | ✅     | Cross-uid guard         |
+| R06 | Suspended responder write fails                     | ✅     | accountStatus=suspended |
+| R07 | Responder reads own location                        | ✅     | Self-read               |
+| R08 | Superadmin reads any responder                      | ✅     | provincial_superadmin   |
+| R09 | Muni admin matching municipalityId reads            | ✅     | responder_index seeded  |
+| R10 | Muni admin mismatch fails                           | ✅     | san-vicente vs daet     |
+| R11 | Agency admin matching agencyId reads                | ✅     | pdrrmo match            |
+| R12 | Agency admin mismatch fails                         | ✅     | bfp vs pdrrmo           |
+| R13 | responder_index client read always fails            | ✅     | Even superadmin         |
+| R14 | responder_index client write always fails           | ✅     | Even superadmin         |
+| R15 | shared_projection matching muni admin reads         | ✅     | daet match              |
+| R16 | Mismatched muni admin fails on shared_projection    | ✅     | san-vicente vs daet     |
+| R17 | Any client write to shared_projection fails         | ✅     | superadmin denied       |
+
+## Files changed
+
+| File                                       | Change type | Reason                                 |
+| ------------------------------------------ | ----------- | -------------------------------------- |
+| infra/firebase/database.rules.json         | modified    | Replace placeholder with §5.8 rule set |
+| functions/src/**tests**/rtdb.rules.test.ts | created     | 17 RTDB rules test cases               |
+
+## Baseline vs final test state
+
+- Baseline: No rtdb.rules.test.ts → vitest exits with code 1 (no files found)
+- Final: 17/17 tests passing
+- Delta: +17 new passing tests, zero regressions
+
+## Open items
+
+- None
+
+## Divergences encountered
+
+- **Storage emulator not running (port 9199):** The shared `createTestEnv` helper requires all three emulators (firestore, database, storage). Storage returned ECONNREFUSED. Resolution: initialized test environment directly in the test file with only firestore + database emulators, which are all that RTDB rule testing requires.
+
+## Notes on test design
+
+- `validPayload(capturedAt)` helper ensures all 7 `.validate` fields are present in every write test, so the only variable is `capturedAt`.
+- `responder_index/$uid` is seeded via `withSecurityRulesDisabled` so the muni/agency admin read path tests exercise the actual database cross-reference in the rule.
+- `FIREBASE_DATABASE_EMULATOR_HOST=127.0.0.1:9000` must be set in the environment when running these tests.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -85,6 +85,20 @@ jobs:
           restore-keys: turbo-test-
       - run: pnpm test
 
+  rule-coverage:
+    name: Rule Coverage Check
+    needs: setup
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: .nvmrc
+      - run: corepack enable
+      - run: corepack prepare pnpm@${PNPM_VERSION} --activate
+      - run: pnpm install --frozen-lockfile
+      - run: pnpm exec tsx scripts/check-rule-coverage.ts
+
   build:
     name: Build
     needs: setup

diff --git a/docs/learnings.md b/docs/learnings.md
@@ -252,3 +252,35 @@ Vitest auto-discovers `vitest.config.ts` but NOT `vitest.workspace.ts`. Use `vit
 ### Terraform: `google_project_iam_member` vs `google_service_account_iam_member`
 
 When a service account needs to impersonate another SA, always use `google_service_account_iam_member` scoped to the _specific_ target SA — not `google_project_iam_member` at project level. Project-level `roles/iam.serviceAccountUser` grants impersonation of _every_ SA in the project, violating least privilege. The `google_service_account_iam_member` resource requires `service_account_id = google_service_account.target.name` (not email) and grants impersonation rights on that specific SA only.
+
+---
+
+## Phase 2: Data Model and Security Rules
+
+### Firestore rules: `resource.data.__reportId` does not exist
+
+Firestore rules do not expose a synthetic `__reportId` on `resource.data`. Cross-document sharing checks (e.g., `canReadReportDoc` helper used for report subcollections) must be implemented per-collection using the document ID from the path, not a hypothetical field on `resource.data`. The helper `canReadReportDoc(data)` was kept narrow; sharing logic lives at each collection's `match` block.
+
+### Rule coverage checker regex must match at path segment boundaries
+
+The regex `['"\`]<collection>[/'\`"]`must only match`match /<collection>/`at the start of a path segment. If the collection name appears as a substring inside another path (e.g.,`hazard_zones_history`containing`hazard_zones`), the checker produces false negatives. Use `match\s+/` prefix in the regex.
+
+### Subagent commit reports are unreliable — always verify with git log
+
+Subagent implementers sometimes report commits that don't exist in the actual git history (due to hook failures, revert operations, or self-review issues). Always run `git log --oneline -3` to confirm the actual commit state before proceeding to review. The file on disk is the only source of truth.
+
+### Firebase RTDB `.validate` rules require all children at once
+
+A `.validate` rule like `newData.hasChildren([...])` only checks that those keys exist — not their types or values. It does not cascade to nested validation. For required field validation, the rule checks presence only; type validation must be done in Cloud Functions or security rules with explicit field-by-field checks.
+
+### RTDB and Storage emulators need explicit initialization in test harness
+
+The `initializeTestEnvironment` from `@firebase/rules-unit-testing` accepts an options object with `firestore`, `database`, and `storage` entries. When testing only one emulator (e.g., RTDB), you can omit storage — but if `createTestEnv` is called with all three emulators configured and only one is running, tests hang. Use `initializeTestEnvironment` directly with only the emulators you need for the test file.
+
+### Every `strict()` Zod object rejects unknown keys — critical for rule alignment
+
+Firestore `diff(resource.data).affectedKeys().hasOnly([...])` at the rule layer rejects any unknown key the same way a strict Zod schema does. If the Zod schema allows extra keys but the rules don't, production writes will be denied. Always use `.strict()` on Zod schemas that map to Firestore documents.
+
+### `allow write: if false` at collection level overrides subcollection rules
+
+When a parent collection has `allow write: if false` and a nested subcollection is defined after it, the subcollection inherits the parent rule unless explicitly overridden. To give a subcollection write access while keeping the parent deny-all, define both explicitly. Note: this inheritance is per-Firestore-rule-file structure, not a general Firestore behavior.
diff --git a/docs/progress.md b/docs/progress.md
@@ -167,3 +167,83 @@ See `docs/learnings.md` for detailed technical decisions and lessons learned.
 - `pnpm typecheck` PASS
 - `pnpm test` PASS
 - `pnpm format:check` PASS
+
+---
+
+## Phase 2 Data Model and Security Rules Foundation (Complete)
+
+**Branch:** `feature/phase-2-data-model-rules`
+**Plan:** See `docs/superpowers/plans/2026-04-17-phase-2-data-model-security-rules.md`
+**Status:** All implementation and verification tasks complete.
+
+### Implementation Summary (Tasks 7-18)
+
+| Task    | Description                                   | Status |
+| ------- | --------------------------------------------- | ------ |
+| Task 7  | Dispatches, Users, Responders Firestore rules | ✅     |
+| Task 8  | Public, Audit, Event Collections rules        | ✅     |
+| Task 9  | SMS Layer rules                               | ✅     |
+| Task 10 | Coordination Collections rules                | ✅     |
+| Task 11 | Hazard Zones rules                            | ✅     |
+| Task 12 | Final Rules Cleanup + Default-Deny Audit      | ✅     |
+| Task 13 | RTDB Rules + Tests                            | ✅     |
+| Task 14 | Storage Rules + Tests                         | ✅     |
+| Task 15 | Composite Indexes deployed (30 indexes)       | ✅     |
+| Task 16 | Idempotency Guard Cloud Function helper       | ✅     |
+| Task 17 | Rule Coverage CI Gate                         | ✅     |
+| Task 18 | Schema Migration Runbook                      | ✅     |
+| Task 19 | Phase Verification and Progress Capture       | ✅     |
+
+### Verification Results (2026-04-18)
+
+| Step | Check                                          | Result                                               |
+| ---- | ---------------------------------------------- | ---------------------------------------------------- |
+| 1    | `pnpm lint`                                    | PASS (14 tasks)                                      |
+| 2    | `pnpm typecheck`                               | PASS (14 tasks)                                      |
+| 3    | `pnpm test`                                    | PASS (94 tests)                                      |
+| 4    | `pnpm exec tsx scripts/check-rule-coverage.ts` | PASS (35 collections with positive + negative tests) |
+| 5    | `pnpm build`                                   | PASS (10 tasks, all artifacts present)               |
+
+### Test Coverage Summary
+
+**Firestore Rule Tests Created (13 test files, 52 tests):**
+
+- `report-inbox.rules.test.ts` - Citizen inbox creation with reporterUid validation
+- `reports.rules.test.ts` - VisibilityClass-based access, municipality boundaries, immutable fields
+- `report-private.rules.test.ts` - Reporter pseudonymity, public tracking refs
+- `report-ops.rules.test.ts` - Agency ops access, mutable field validation
+- `report-sharing.rules.test.ts` - Cross-municipality sharing, visibility controls
+- `report-contacts.rules.test.ts` - Contact field access control
+- `report-lookup.rules.test.ts` - Public report lookup access
+- `report-events.rules.test.ts` - Event history access, status transitions
+- `dispatches.rules.test.ts` - Responder assignment, status transitions, cross-municipality denial
+- `users-responders.rules.test.ts` - Self-read, municipality admin access, callable-only writes
+- `responders.rules.test.ts` - Responder profile access, municipality boundaries
+- `public-collections.rules.test.ts` - Agencies, emergencies, audit logs, privileged read tests
+- `sms.rules.test.ts` - SMS inbox, outbox, sessions, provider health (callable-only)
+- `coordination.rules.test.ts` - Command threads, shift handoffs, mass alerts
+- `hazard-zones.rules.test.ts` - Hazard zones, signals, history, superadmin access
+
+**Schema Validation Tests Created (3 test files, 42 tests):**
+
+- `sms.test.ts` - SMS inbox, outbox, session, provider health schemas
+- `coordination.test.ts` - Shift handoffs, mass alerts, command channels, agency assistance
+- `hazard.test.ts` - Hazard zones, signals, and history schemas
+
+**Total:** 94 tests passing across 16 test files covering:
+
+- 35 Firestore collections with positive + negative security rule tests
+- All major Zod schemas with type validation and strict mode enforcement
+
+### What was built
+
+- Full Zod schema coverage for every collection in Arch Spec §5.5
+- Reconciled enum literals (ReportStatus 15 states, VisibilityClass `internal`/`public_alertable`, HazardType bare literals)
+- Firestore rules for inbox, triptych, dispatches, users, responders, public collections, SMS, coordination, hazards, events
+- RTDB rules for responder_locations, responder_index, shared_projection
+- Storage rules locked to callable-only uploads with admin-read paths
+- 30 composite indexes in `firestore.indexes.json` per §5.9
+- Idempotency guard Cloud Function helper (`withIdempotency`) with payload-hash deduplication
+- CI rule-coverage gate (`scripts/check-rule-coverage.ts`) - enforced in `.github/workflows/ci.yml`
+- Schema migration protocol runbook (`docs/runbooks/schema-migration.md`)
+- Comprehensive test harness with seed factories (`seedActiveAccount`, `seedReport`, `seedAgency`, `seedUser`, `seedResponder`, `seedDispatch`)