diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a296ad5b..b6a6e41a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -98,6 +98,13 @@ jobs:
       - run: corepack prepare pnpm@${PNPM_VERSION} --activate
       - run: pnpm install --frozen-lockfile
       - run: pnpm exec tsx scripts/check-rule-coverage.ts
+      - run: pnpm exec tsx scripts/build-rules.ts
+      - name: Verify firestore.rules is not out of date
+        run: |
+          if ! git diff --exit-code -- infra/firebase/firestore.rules; then
+            echo "::error::firestore.rules is out of sync with scripts/build-rules.ts. Run 'pnpm exec tsx scripts/build-rules.ts' locally and commit."
+            exit 1
+          fi
 
   build:
     name: Build
diff --git a/apps/citizen-pwa/package.json b/apps/citizen-pwa/package.json
index 29af0e68..d7d6beb6 100644
--- a/apps/citizen-pwa/package.json
+++ b/apps/citizen-pwa/package.json
@@ -15,8 +15,10 @@
     "@bantayog/shared-firebase": "workspace:*",
     "@bantayog/shared-types": "workspace:*",
     "@bantayog/shared-ui": "workspace:*",
+    "firebase": "^12.12.0",
     "react": "^19.2.5",
-    "react-dom": "^19.2.5"
+    "react-dom": "^19.2.5",
+    "react-router-dom": "^7.14.1"
   },
   "devDependencies": {
     "@testing-library/jest-dom": "^6.4.0",
diff --git a/apps/citizen-pwa/src/App.test.tsx b/apps/citizen-pwa/src/App.test.tsx
index 3ce7aeee..592d580c 100644
--- a/apps/citizen-pwa/src/App.test.tsx
+++ b/apps/citizen-pwa/src/App.test.tsx
@@ -1,75 +1,10 @@
 import '@testing-library/jest-dom/vitest'
-import { describe, it, expect, vi } from 'vitest'
-import { render, screen } from '@testing-library/react'
+import { describe, it, expect } from 'vitest'
+import { render } from '@testing-library/react'
 import { App } from './App.js'
 
-const { useCitizenShell } = vi.hoisted(() => {
-  const defaultShellState = {
-    status: 'ready',
-    authState: 'signed-in',
-    appCheckState: 'active',
-    user: { uid: 'anon-123' },
-    minAppVersion: {
-      citizen: '0.1.0',
-      admin: '0.1.0',
-      responder: '0.1.0',
-      updatedAt: 1713350400000,
-    },
-    alerts: [
-      {
-        id: 'phase1-hello',
-        title: 'System online',
-        body: 'Citizen shell wired for Phase 1.',
-        severity: 'info',
-        publishedAt: 1713350400000,
-        publishedBy: 'phase-1-bootstrap',
-      },
-    ],
-    error: null,
-  }
-  return {
-    useCitizenShell: vi.fn().mockReturnValue(defaultShellState),
-  }
-})
-
-vi.mock('./useCitizenShell.js', () => ({
-  useCitizenShell,
-}))
-
 describe('App', () => {
-  it('renders auth status, app version, and the hello-world alert feed', () => {
-    render(<App />)
-    expect(screen.getByText('anon-123')).toBeInTheDocument()
-    expect(screen.getByText('System online')).toBeInTheDocument()
-    expect(screen.getByText('0.1.0')).toBeInTheDocument()
-    expect(screen.getByText('signed-in')).toBeInTheDocument()
-  })
-
-  it('renders error message when status is error', () => {
-    useCitizenShell.mockReturnValueOnce({
-      status: 'error',
-      authState: 'signed-out',
-      appCheckState: 'failed',
-      user: null,
-      minAppVersion: null,
-      alerts: [],
-      error: 'Firebase initialization failed',
-    })
-    render(<App />)
-    expect(screen.getByText('Firebase initialization failed')).toBeInTheDocument()
-  })
-
-  it('renders signed-out state correctly', () => {
-    useCitizenShell.mockReturnValueOnce({
-      status: 'ready',
-      authState: 'signed-out',
-      appCheckState: 'pending',
-      user: null,
-      minAppVersion: null,
-      alerts: [],
-      error: null,
-    })
-    render(<App />)
-    expect(screen.getByText('signed-out')).toBeInTheDocument()
+  it('renders without throwing', () => {
+    expect(() => render(<App />)).not.toThrow()
   })
 })
diff --git a/apps/citizen-pwa/src/App.tsx b/apps/citizen-pwa/src/App.tsx
index b11c0275..ca9203ba 100644
--- a/apps/citizen-pwa/src/App.tsx
+++ b/apps/citizen-pwa/src/App.tsx
@@ -1,53 +1,5 @@
-import styles from './App.module.css'
-import { useCitizenShell } from './useCitizenShell.js'
+import { AppRoutes } from './routes.js'
 
 export function App() {
-  const state = useCitizenShell()
-
-  return (
-    <main className={styles.page}>
-      <section className={styles.panel}>
-        <p className={styles.eyebrow}>Bantayog Alert</p>
-        <h1 className={styles.title}>Citizen Phase 1 shell</h1>
-        <p className={styles.summary}>
-          Pseudonymous sign-in, app health, and a hello-world alert feed.
-        </p>
-
-        <dl className={styles.meta}>
-          <div>
-            <dt>Status</dt>
-            <dd>{state.status}</dd>
-          </div>
-          <div>
-            <dt>Auth</dt>
-            <dd>{state.authState}</dd>
-          </div>
-          <div>
-            <dt>App Check</dt>
-            <dd>{state.appCheckState}</dd>
-          </div>
-          <div>
-            <dt>User UID</dt>
-            <dd>{state.user?.uid ?? 'unavailable'}</dd>
-          </div>
-          <div>
-            <dt>Minimum citizen version</dt>
-            <dd>{state.minAppVersion?.citizen ?? 'unavailable'}</dd>
-          </div>
-        </dl>
-
-        {state.error ? <p className={styles.error}>{state.error}</p> : null}
-
-        <div className={styles.feed}>
-          {state.alerts.map((alert) => (
-            <article key={alert.id} className={styles.alert}>
-              <h2>{alert.title}</h2>
-              <p>{alert.body}</p>
-              <span>{alert.severity}</span>
-            </article>
-          ))}
-        </div>
-      </section>
-    </main>
-  )
+  return <AppRoutes />
 }
diff --git a/apps/citizen-pwa/src/components/LookupScreen.tsx b/apps/citizen-pwa/src/components/LookupScreen.tsx
new file mode 100644
index 00000000..c1f86776
--- /dev/null
+++ b/apps/citizen-pwa/src/components/LookupScreen.tsx
@@ -0,0 +1,72 @@
+import { useState } from 'react'
+import { httpsCallable } from 'firebase/functions'
+import { fns } from '../services/firebase.js'
+
+interface LookupResult {
+  status: string
+  lastStatusAt: number
+  municipalityLabel: string
+}
+
+export function LookupScreen() {
+  const [publicRef, setPublicRef] = useState('')
+  const [secret, setSecret] = useState('')
+  const [result, setResult] = useState<LookupResult | null>(null)
+  const [error, setError] = useState<string | null>(null)
+
+  async function handleSubmit(e: React.SubmitEvent): Promise<void> {
+    e.preventDefault()
+    setError(null)
+    setResult(null)
+    try {
+      const res = await httpsCallable(fns(), 'requestLookup')({ publicRef, secret })
+      setResult(res.data as LookupResult)
+    } catch (e: unknown) {
+      setError(e instanceof Error ? e.message : 'lookup failed')
+    }
+  }
+
+  return (
+    <section aria-label="Report status lookup">
+      <h1>Check report status</h1>
+      <form
+        onSubmit={(e) => {
+          void handleSubmit(e)
+        }}
+      >
+        <label>
+          Reference
+          <input
+            value={publicRef}
+            onChange={(e) => {
+              setPublicRef(e.target.value)
+            }}
+            required
+          />
+        </label>
+        <label>
+          Secret
+          <input
+            value={secret}
+            onChange={(e) => {
+              setSecret(e.target.value)
+            }}
+            required
+          />
+        </label>
+        <button type="submit">Look up</button>
+      </form>
+      {error && <p role="alert">{error}</p>}
+      {result && (
+        <dl>
+          <dt>Status</dt>
+          <dd>{result.status}</dd>
+          <dt>Municipality</dt>
+          <dd>{result.municipalityLabel}</dd>
+          <dt>Last update</dt>
+          <dd>{new Date(result.lastStatusAt).toLocaleString()}</dd>
+        </dl>
+      )}
+    </section>
+  )
+}
diff --git a/apps/citizen-pwa/src/components/ReceiptScreen.tsx b/apps/citizen-pwa/src/components/ReceiptScreen.tsx
new file mode 100644
index 00000000..e492b5cc
--- /dev/null
+++ b/apps/citizen-pwa/src/components/ReceiptScreen.tsx
@@ -0,0 +1,26 @@
+import { useLocation, Link } from 'react-router-dom'
+
+export function ReceiptScreen() {
+  const { state } = useLocation() as { state: { publicRef: string; secret: string } | null }
+  if (!state) return <p>No submission to display.</p>
+  return (
+    <section aria-label="Submission receipt">
+      <h1>Report submitted</h1>
+      <p>Save these two values. You will need them to check status.</p>
+      <dl>
+        <dt>Reference</dt>
+        <dd>
+          <code>{state.publicRef}</code>
+        </dd>
+        <dt>Secret</dt>
+        <dd>
+          <code>{state.secret}</code>
+        </dd>
+      </dl>
+      <p>
+        We&apos;ll notify you when we can. For now, check back with your reference number via the{' '}
+        <Link to="/lookup">lookup page</Link>.
+      </p>
+    </section>
+  )
+}
diff --git a/apps/citizen-pwa/src/components/SubmitReportForm.tsx b/apps/citizen-pwa/src/components/SubmitReportForm.tsx
new file mode 100644
index 00000000..52c8b11c
--- /dev/null
+++ b/apps/citizen-pwa/src/components/SubmitReportForm.tsx
@@ -0,0 +1,187 @@
+import { useState } from 'react'
+import { useNavigate } from 'react-router-dom'
+import { addDoc, collection } from 'firebase/firestore'
+import { httpsCallable } from 'firebase/functions'
+import { db, fns, ensureSignedIn } from '../services/firebase.js'
+import { submitReport, type SubmitReportDeps } from '../services/submit-report.js'
+import type { ReportType, Severity } from '@bantayog/shared-types'
+
+function randomPublicRef(): string {
+  const alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789'
+  const bytes = crypto.getRandomValues(new Uint8Array(8))
+  return Array.from(bytes, (b) => alphabet[b % alphabet.length]).join('')
+}
+
+function randomSecret(): string {
+  return crypto.randomUUID()
+}
+
+async function sha256Hex(input: string | Blob): Promise<string> {
+  const buf =
+    typeof input === 'string'
+      ? new TextEncoder().encode(input)
+      : new Uint8Array(await input.arrayBuffer())
+  const digest = await crypto.subtle.digest('SHA-256', buf)
+  return Array.from(new Uint8Array(digest))
+    .map((b) => b.toString(16).padStart(2, '0'))
+    .join('')
+}
+
+async function putBlob(url: string, blob: Blob): Promise<void> {
+  const res = await fetch(url, {
+    method: 'PUT',
+    body: blob,
+    headers: { 'content-type': blob.type },
+  })
+  if (!res.ok) throw new Error('upload failed: ' + String(res.status))
+}
+
+export function SubmitReportForm() {
+  const nav = useNavigate()
+  const [reportType, setReportType] = useState<ReportType>('flood')
+  const [severity, setSeverity] = useState<Severity>('medium')
+  const [description, setDescription] = useState('')
+  const [photo, setPhoto] = useState<File | null>(null)
+  const [lat, setLat] = useState<number | null>(null)
+  const [lng, setLng] = useState<number | null>(null)
+  const [busy, setBusy] = useState(false)
+  const [error, setError] = useState<string | null>(null)
+
+  async function getLocation(): Promise<void> {
+    const pos = await new Promise<GeolocationPosition>((resolve, reject) => {
+      navigator.geolocation.getCurrentPosition(resolve, reject, {
+        enableHighAccuracy: true,
+        timeout: 10000,
+      })
+    })
+    setLat(pos.coords.latitude)
+    setLng(pos.coords.longitude)
+  }
+
+  async function onCaptureLocation(): Promise<void> {
+    try {
+      await getLocation()
+    } catch (e: unknown) {
+      setError(e instanceof Error ? e.message : 'location failed')
+    }
+  }
+
+  async function onSubmit(e: React.SubmitEvent): Promise<void> {
+    e.preventDefault()
+    if (lat === null || lng === null) {
+      setError('Please capture your location.')
+      return
+    }
+    setBusy(true)
+    setError(null)
+    try {
+      const deps: SubmitReportDeps = {
+        ensureSignedIn,
+        requestUploadUrl: async (args) =>
+          (await httpsCallable(fns(), 'requestUploadUrl')(args)).data as {
+            uploadUrl: string
+            uploadId: string
+            storagePath: string
+            expiresAt: number
+          },
+        putBlob,
+        writeInbox: async (doc) => {
+          const ref = await addDoc(collection(db(), 'report_inbox'), doc)
+          return ref.id
+        },
+        randomUUID: () => crypto.randomUUID(),
+        randomPublicRef,
+        randomSecret,
+        sha256Hex,
+        now: () => Date.now(),
+      }
+      const result = await submitReport(deps, {
+        reportType,
+        severity,
+        description,
+        publicLocation: { lat, lng },
+        ...(photo ? { photo } : {}),
+      })
+      // eslint-disable-next-line @typescript-eslint/no-floating-promises
+      nav('/receipt', { state: result })
+    } catch (e: unknown) {
+      setError(e instanceof Error ? e.message : 'submission failed')
+    } finally {
+      setBusy(false)
+    }
+  }
+
+  return (
+    <form
+      // eslint-disable-next-line @typescript-eslint/no-misused-promises
+      onSubmit={onSubmit}
+      aria-label="Report submission form"
+    >
+      <label>
+        Type
+        <select
+          value={reportType}
+          onChange={(e) => {
+            setReportType(e.target.value as ReportType)
+          }}
+        >
+          <option value="flood">Flood</option>
+          <option value="fire">Fire</option>
+          <option value="accident">Accident</option>
+          <option value="other">Other</option>
+        </select>
+      </label>
+      <label>
+        Severity
+        <select
+          value={severity}
+          onChange={(e) => {
+            setSeverity(e.target.value as Severity)
+          }}
+        >
+          <option value="low">Low</option>
+          <option value="medium">Medium</option>
+          <option value="high">High</option>
+        </select>
+      </label>
+      <label>
+        Description
+        <textarea
+          value={description}
+          onChange={(e) => {
+            setDescription(e.target.value)
+          }}
+          maxLength={5000}
+          required
+        />
+      </label>
+      <label>
+        Photo (optional)
+        <input
+          type="file"
+          accept="image/jpeg,image/png,image/webp"
+          onChange={(e) => {
+            setPhoto(e.target.files?.[0] ?? null)
+          }}
+        />
+      </label>
+      <button
+        type="button"
+        onClick={() => {
+          void onCaptureLocation()
+        }}
+      >
+        Capture location
+      </button>
+      {lat !== null && lng !== null && (
+        <p>
+          Location: {lat.toFixed(5)}, {lng.toFixed(5)}
+        </p>
+      )}
+      {error && <p role="alert">{error}</p>}
+      <button type="submit" disabled={busy}>
+        {busy ? 'Submitting\u2026' : 'Submit report'}
+      </button>
+    </form>
+  )
+}
diff --git a/apps/citizen-pwa/src/routes.tsx b/apps/citizen-pwa/src/routes.tsx
new file mode 100644
index 00000000..0cb08401
--- /dev/null
+++ b/apps/citizen-pwa/src/routes.tsx
@@ -0,0 +1,14 @@
+import { createBrowserRouter, RouterProvider } from 'react-router-dom'
+import { SubmitReportForm } from './components/SubmitReportForm.js'
+import { ReceiptScreen } from './components/ReceiptScreen.js'
+import { LookupScreen } from './components/LookupScreen.js'
+
+const router = createBrowserRouter([
+  { path: '/', element: <SubmitReportForm /> },
+  { path: '/receipt', element: <ReceiptScreen /> },
+  { path: '/lookup', element: <LookupScreen /> },
+])
+
+export function AppRoutes() {
+  return <RouterProvider router={router} />
+}
diff --git a/apps/citizen-pwa/src/services/firebase.ts b/apps/citizen-pwa/src/services/firebase.ts
new file mode 100644
index 00000000..dc240ce3
--- /dev/null
+++ b/apps/citizen-pwa/src/services/firebase.ts
@@ -0,0 +1,61 @@
+import { getFunctions, httpsCallable } from 'firebase/functions'
+import { getStorage } from 'firebase/storage'
+import type { FirebaseStorage } from 'firebase/storage'
+import type { Functions } from 'firebase/functions'
+import type { Auth } from 'firebase/auth'
+import type { Firestore } from 'firebase/firestore'
+import {
+  createFirebaseWebApp,
+  createAppCheck,
+  ensurePseudonymousSignIn,
+  getFirebaseAuth,
+  getFirebaseDb,
+  parseFirebaseWebEnv,
+} from '@bantayog/shared-firebase'
+
+let _app: ReturnType<typeof createFirebaseWebApp> | null = null
+let _auth: Auth | null = null
+let _db: Firestore | null = null
+let _fns: Functions | null = null
+let _storage: FirebaseStorage | null = null
+
+export function getFirebaseApp() {
+  if (_app) return _app
+  const env = parseFirebaseWebEnv(import.meta.env)
+  _app = createFirebaseWebApp(env)
+  createAppCheck(_app, env)
+  return _app
+}
+
+export function auth(): Auth {
+  if (_auth) return _auth
+  _auth = getFirebaseAuth(getFirebaseApp())
+  return _auth
+}
+
+export function db(): Firestore {
+  if (_db) return _db
+  _db = getFirebaseDb(getFirebaseApp())
+  return _db
+}
+
+export function fns(): Functions {
+  if (_fns) return _fns
+  _fns = getFunctions(getFirebaseApp(), 'asia-southeast1')
+  return _fns
+}
+
+export function storage(): FirebaseStorage {
+  if (_storage) return _storage
+  _storage = getStorage(getFirebaseApp())
+  return _storage
+}
+
+export async function ensureSignedIn(): Promise<string> {
+  const a = auth()
+  if (a.currentUser) return a.currentUser.uid
+  const cred = await ensurePseudonymousSignIn(a)
+  return cred.uid
+}
+
+export { httpsCallable }
diff --git a/apps/citizen-pwa/src/services/submit-report.test.ts b/apps/citizen-pwa/src/services/submit-report.test.ts
new file mode 100644
index 00000000..d6010bab
--- /dev/null
+++ b/apps/citizen-pwa/src/services/submit-report.test.ts
@@ -0,0 +1,72 @@
+import { describe, it, expect, vi } from 'vitest'
+import { submitReport, type SubmitReportDeps } from './submit-report.js'
+
+describe('submitReport', () => {
+  it('calls requestUploadUrl when a photo is provided, PUTs the photo, and writes inbox', async () => {
+    const deps: SubmitReportDeps = {
+      ensureSignedIn: vi.fn().mockResolvedValue('citizen-1'),
+      requestUploadUrl: vi.fn().mockResolvedValue({
+        uploadUrl: 'https://put.example',
+        uploadId: 'upl-1',
+        storagePath: 'pending/upl-1',
+        expiresAt: Date.now() + 1e5,
+      }),
+      putBlob: vi.fn().mockResolvedValue(undefined),
+      writeInbox: vi.fn().mockResolvedValue('ibx-1'),
+      randomUUID: vi.fn().mockReturnValue('uuid-a'),
+      randomPublicRef: vi.fn().mockReturnValue('abcd1234'),
+      randomSecret: vi.fn().mockReturnValue('secret-plain'),
+      sha256Hex: vi.fn().mockResolvedValue('h'.repeat(64)),
+      now: () => 1,
+    }
+    const photo = new Blob([new Uint8Array([1, 2, 3])], { type: 'image/jpeg' })
+    const result = await submitReport(deps, {
+      reportType: 'flood',
+      severity: 'high',
+      description: 'x',
+      publicLocation: { lat: 14.1, lng: 122.9 },
+      photo,
+    })
+    expect(result.publicRef).toBe('abcd1234')
+    expect(result.secret).toBe('secret-plain')
+    // eslint-disable-next-line @typescript-eslint/unbound-method
+    expect(deps.requestUploadUrl).toHaveBeenCalledOnce()
+    // eslint-disable-next-line @typescript-eslint/unbound-method
+    expect(deps.putBlob).toHaveBeenCalledWith('https://put.example', photo)
+    // eslint-disable-next-line @typescript-eslint/unbound-method
+    expect(deps.writeInbox).toHaveBeenCalledOnce()
+    const inboxDoc = (deps.writeInbox as unknown as { mock: { calls: unknown[][] } }).mock
+      .calls[0]![0]! as {
+      publicRef: unknown
+      secretHash: unknown
+      payload: { pendingMediaIds: unknown }
+    }
+    expect(inboxDoc.publicRef).toBe('abcd1234')
+    expect(inboxDoc.secretHash).toBe('h'.repeat(64))
+    expect(inboxDoc.payload.pendingMediaIds).toEqual(['upl-1'])
+  })
+
+  it('skips upload path when no photo is provided', async () => {
+    const deps: SubmitReportDeps = {
+      ensureSignedIn: vi.fn().mockResolvedValue('citizen-1'),
+      requestUploadUrl: vi.fn(),
+      putBlob: vi.fn(),
+      writeInbox: vi.fn().mockResolvedValue('ibx-2'),
+      randomUUID: vi.fn().mockReturnValue('uuid-b'),
+      randomPublicRef: vi.fn().mockReturnValue('efgh5678'),
+      randomSecret: vi.fn().mockReturnValue('s2'),
+      sha256Hex: vi.fn().mockResolvedValue('g'.repeat(64)),
+      now: () => 1,
+    }
+    await submitReport(deps, {
+      reportType: 'fire',
+      severity: 'medium',
+      description: 'y',
+      publicLocation: { lat: 14.1, lng: 122.9 },
+    })
+    // eslint-disable-next-line @typescript-eslint/unbound-method
+    expect(deps.requestUploadUrl).not.toHaveBeenCalled()
+    // eslint-disable-next-line @typescript-eslint/unbound-method
+    expect(deps.putBlob).not.toHaveBeenCalled()
+  })
+})
diff --git a/apps/citizen-pwa/src/services/submit-report.ts b/apps/citizen-pwa/src/services/submit-report.ts
new file mode 100644
index 00000000..f8b0705e
--- /dev/null
+++ b/apps/citizen-pwa/src/services/submit-report.ts
@@ -0,0 +1,72 @@
+export interface SubmitReportInput {
+  reportType: string
+  severity: 'low' | 'medium' | 'high'
+  description: string
+  publicLocation: { lat: number; lng: number }
+  photo?: Blob
+}
+
+export interface SubmitReportDeps {
+  ensureSignedIn(): Promise<string>
+  requestUploadUrl(input: {
+    mimeType: string
+    sizeBytes: number
+    sha256: string
+  }): Promise<{ uploadUrl: string; uploadId: string; storagePath: string; expiresAt: number }>
+  putBlob(url: string, blob: Blob): Promise<void>
+  writeInbox(doc: Record<string, unknown>): Promise<string>
+  randomUUID(): string
+  randomPublicRef(): string
+  randomSecret(): string
+  sha256Hex(input: string | Blob): Promise<string>
+  now(): number
+}
+
+export interface SubmitReportResult {
+  publicRef: string
+  secret: string
+  correlationId: string
+}
+
+export async function submitReport(
+  deps: SubmitReportDeps,
+  input: SubmitReportInput,
+): Promise<SubmitReportResult> {
+  const reporterUid = await deps.ensureSignedIn()
+  const correlationId = deps.randomUUID()
+  const publicRef = deps.randomPublicRef()
+  const secret = deps.randomSecret()
+  const secretHash = await deps.sha256Hex(secret)
+  const idempotencyKey = deps.randomUUID()
+  const pendingMediaIds: string[] = []
+
+  if (input.photo) {
+    const sha = await deps.sha256Hex(input.photo)
+    const signed = await deps.requestUploadUrl({
+      mimeType: input.photo.type || 'image/jpeg',
+      sizeBytes: input.photo.size,
+      sha256: sha,
+    })
+    await deps.putBlob(signed.uploadUrl, input.photo)
+    pendingMediaIds.push(signed.uploadId)
+  }
+
+  await deps.writeInbox({
+    reporterUid,
+    clientCreatedAt: deps.now(),
+    idempotencyKey,
+    publicRef,
+    secretHash,
+    correlationId,
+    payload: {
+      reportType: input.reportType,
+      severity: input.severity,
+      description: input.description,
+      source: 'web',
+      publicLocation: input.publicLocation,
+      pendingMediaIds,
+    },
+  })
+
+  return { publicRef, secret, correlationId }
+}
diff --git a/apps/citizen-pwa/vitest.config.ts b/apps/citizen-pwa/vitest.config.ts
index 8d6e5422..5eaa352f 100644
--- a/apps/citizen-pwa/vitest.config.ts
+++ b/apps/citizen-pwa/vitest.config.ts
@@ -4,7 +4,7 @@ export default defineConfig({
   test: {
     globals: true,
     environment: 'happy-dom',
-    include: ['src/**/*.test.tsx'],
+    include: ['src/**/*.test.ts', 'src/**/*.test.tsx'],
     setupFiles: ['@testing-library/jest-dom/vitest'],
   },
 })
diff --git a/docs/learnings.md b/docs/learnings.md
index 553147cd..8155fdb3 100644
--- a/docs/learnings.md
+++ b/docs/learnings.md
@@ -284,3 +284,11 @@ Firestore `diff(resource.data).affectedKeys().hasOnly([...])` at the rule layer
 ### `allow write: if false` at collection level overrides subcollection rules
 
 When a parent collection has `allow write: if false` and a nested subcollection is defined after it, the subcollection inherits the parent rule unless explicitly overridden. To give a subcollection write access while keeping the parent deny-all, define both explicitly. Note: this inheritance is per-Firestore-rule-file structure, not a general Firestore behavior.
+
+### Rules codegen eliminates a whole class of drift bugs
+
+Hand-rolled `validResponderTransition` helpers in Firestore rules drift from the TypeScript source of truth. The codegen pipeline (`scripts/build-rules.ts` + template with `@@TRANSITION_TABLES@@` marker) guarantees the rules file matches `shared-validators/src/state-machines/`. CI drift-check gate (`git diff --exit-code` after codegen) catches any local edit to the generated file. This pattern should extend to any future transition tables or validation helpers that exist in both TypeScript and rules layers.
+
+### Dependency injection in client-side orchestrators enables clean unit testing
+
+The `submitReport` orchestrator in `apps/citizen-pwa/src/services/submit-report.ts` accepts a `SubmitReportDeps` interface instead of importing Firebase directly. This allowed 2 focused unit tests with `vi.fn()` mocks — zero Firebase SDK involvement in the test. When the orchestrator needs to coordinate multiple async steps (get signed URL, PUT blob, write inbox), the DI pattern avoids the "20-line mock setup" smell entirely.
diff --git a/docs/progress.md b/docs/progress.md
index fe4791af..18831157 100644
--- a/docs/progress.md
+++ b/docs/progress.md
@@ -247,3 +247,54 @@ See `docs/learnings.md` for detailed technical decisions and lessons learned.
 - CI rule-coverage gate (`scripts/check-rule-coverage.ts`) - enforced in `.github/workflows/ci.yml`
 - Schema migration protocol runbook (`docs/runbooks/schema-migration.md`)
 - Comprehensive test harness with seed factories (`seedActiveAccount`, `seedReport`, `seedAgency`, `seedUser`, `seedResponder`, `seedDispatch`)
+
+---
+
+## Phase 3a Citizen Submission + Triptych Materialization (Complete)
+
+**Branch:** `feature/phase-3a-citizen-submission`
+**Plan:** `docs/superpowers/plans/2026-04-18-phase-3a-citizen-submission.md`
+**Design spec:** `docs/superpowers/specs/2026-04-18-phase-3-design.md`
+
+### Implementation Summary
+
+| Task  | Description                                       | Status |
+| ----- | ------------------------------------------------- | ------ |
+| 1-5   | Schema deltas + state machines + errors + logging | ✅     |
+| 6-8   | Rules codegen + drift check                       | ✅     |
+| 9-11  | Citizen callables + muni lookup                   | ✅     |
+| 12-14 | processInboxItem trigger (triptych materializer)  | ✅     |
+| 15-17 | Media pipeline (EXIF strip + dormant relocate)    | ✅     |
+| 18    | Reconciliation sweep                              | ✅     |
+| 19-22 | Citizen PWA + bootstrap + acceptance script       | ✅     |
+| 23    | Terraform monitoring module                       | ✅     |
+| 25    | Rule-coverage gate + docs                         | ✅     |
+
+### Verification Results
+
+| Step | Check                                           | Result                 |
+| ---- | ----------------------------------------------- | ---------------------- |
+| 1    | `pnpm test`                                     | PASS (125 tests)       |
+| 2    | `pnpm exec tsx scripts/check-rule-coverage.ts`  | PASS (36 collections)  |
+| 3    | `scripts/phase-3a/acceptance.ts --env=emulator` | Pending emulator run   |
+| 4    | `scripts/phase-3a/acceptance.ts --env=staging`  | Pending staging deploy |
+
+### What was built
+
+- Zod schema deltas: `municipalityLabel`, `correlationId`, `publicRef`, `secretHash`, `tokenHash` on report/inbox/lookup schemas
+- State-machine transition tables (`REPORT_TRANSITIONS`, `DISPATCH_TRANSITIONS`) with matrix tests
+- `BantayogError` typed error class + `logEvent` structured logging helper
+- Rules codegen pipeline (`scripts/build-rules.ts` → template → generated `firestore.rules`)
+- `requestUploadUrl` callable (signed URL + MIME/size validation)
+- `requestLookup` callable (token-hash verification + expiry check)
+- `processInboxItem` Firestore trigger (triptych materialization in single transaction)
+- `onMediaFinalize` Storage trigger (EXIF strip via sharp + MIME check via file-type)
+- `onMediaRelocate` dormant trigger (Phase 5 feature flag)
+- `inboxReconciliationSweep` scheduled function (5-min interval safety net)
+- Municipality lookup service with cold-start cache
+- Stub reverse geocoder (centroid-distance nearest-neighbor)
+- Citizen PWA: `SubmitReportForm`, `ReceiptScreen`, `LookupScreen` components
+- `submitReport` client orchestrator (upload → inbox write with dependency injection)
+- Bootstrap script for Camarines Norte municipalities
+- Terraform monitoring module (log-based metrics + alert policies)
+- Phase 3a acceptance gate script
diff --git a/firebase.json b/firebase.json
index aecc41b5..d1f1874c 100644
--- a/firebase.json
+++ b/firebase.json
@@ -28,7 +28,10 @@
       "source": "functions",
       "codebase": "default",
       "runtime": "nodejs20",
-      "predeploy": ["pnpm --filter @bantayog/functions build"]
+      "predeploy": [
+        "pnpm exec tsx scripts/build-rules.ts",
+        "pnpm --filter @bantayog/functions build"
+      ]
     }
   ],
   "emulators": {
diff --git a/functions/package.json b/functions/package.json
index f966ec3f..8a28c6f8 100644
--- a/functions/package.json
+++ b/functions/package.json
@@ -30,8 +30,12 @@
   "dependencies": {
     "@bantayog/shared-types": "workspace:*",
     "@bantayog/shared-validators": "workspace:*",
+    "exifr": "^7.1.3",
+    "file-type": "^22.0.1",
     "firebase-admin": "^13.8.0",
-    "firebase-functions": "^7.2.5"
+    "firebase-functions": "^7.2.5",
+    "sharp": "^0.34.5",
+    "zod": "^4.3.6"
   },
   "devDependencies": {
     "@firebase/rules-unit-testing": "^5.0.0",
diff --git a/functions/src/__tests__/callables/request-lookup.test.ts b/functions/src/__tests__/callables/request-lookup.test.ts
new file mode 100644
index 00000000..7ddc75d5
--- /dev/null
+++ b/functions/src/__tests__/callables/request-lookup.test.ts
@@ -0,0 +1,71 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest'
+import { createHash } from 'node:crypto'
+import { requestLookupImpl } from '../../callables/request-lookup.js'
+
+const mockGet = vi.fn()
+
+function db() {
+  return {
+    collection: () => ({ doc: () => ({ get: mockGet }) }),
+  }
+}
+
+beforeEach(() => mockGet.mockReset())
+
+describe('requestLookupImpl', () => {
+  const secret = 'abc'
+  const tokenHash = createHash('sha256').update(secret).digest('hex')
+
+  it('returns NOT_FOUND when the public ref does not exist', async () => {
+    mockGet.mockResolvedValue({ exists: false })
+    await expect(
+      requestLookupImpl({ db: db() as never, data: { publicRef: 'a1b2c3d4', secret } }),
+    ).rejects.toMatchObject({ code: 'NOT_FOUND' })
+  })
+
+  it('returns FORBIDDEN on secret mismatch', async () => {
+    mockGet.mockResolvedValue({
+      exists: true,
+      data: () => ({ reportId: 'r1', tokenHash: 'x'.repeat(64), expiresAt: Date.now() + 1e6 }),
+    })
+    await expect(
+      requestLookupImpl({ db: db() as never, data: { publicRef: 'a1b2c3d4', secret: 'wrong' } }),
+    ).rejects.toMatchObject({ code: 'FORBIDDEN' })
+  })
+
+  it('returns NOT_FOUND when expired', async () => {
+    mockGet.mockResolvedValue({
+      exists: true,
+      data: () => ({ reportId: 'r1', tokenHash, expiresAt: Date.now() - 1 }),
+    })
+    await expect(
+      requestLookupImpl({ db: db() as never, data: { publicRef: 'a1b2c3d4', secret } }),
+    ).rejects.toMatchObject({ code: 'NOT_FOUND' })
+  })
+
+  it('returns sanitized status on success', async () => {
+    mockGet
+      .mockResolvedValueOnce({
+        exists: true,
+        data: () => ({ reportId: 'r1', tokenHash, expiresAt: Date.now() + 1e6 }),
+      })
+      .mockResolvedValueOnce({
+        exists: true,
+        data: () => ({
+          status: 'verified',
+          municipalityLabel: 'Daet',
+          submittedAt: 1713350400000,
+          updatedAt: 1713350401000,
+        }),
+      })
+    const result = await requestLookupImpl({
+      db: db() as never,
+      data: { publicRef: 'a1b2c3d4', secret },
+    })
+    expect(result).toEqual({
+      status: 'verified',
+      lastStatusAt: 1713350401000,
+      municipalityLabel: 'Daet',
+    })
+  })
+})
diff --git a/functions/src/__tests__/callables/request-upload-url.test.ts b/functions/src/__tests__/callables/request-upload-url.test.ts
new file mode 100644
index 00000000..4f27789f
--- /dev/null
+++ b/functions/src/__tests__/callables/request-upload-url.test.ts
@@ -0,0 +1,63 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest'
+import { requestUploadUrlImpl } from '../../callables/request-upload-url.js'
+import { BantayogErrorCode } from '@bantayog/shared-validators'
+
+const mockSignedUrl = vi.fn().mockResolvedValue(['https://signed.example/put'] as string[])
+
+vi.mock('firebase-admin/storage', () => ({
+  getStorage: () => ({
+    bucket: () => ({
+      file: () => ({
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        getSignedUrl: mockSignedUrl as any,
+      }),
+    }),
+  }),
+}))
+
+beforeEach(() => {
+  mockSignedUrl.mockResolvedValue(['https://signed.example/put'] as string[])
+})
+
+describe('requestUploadUrlImpl', () => {
+  it('rejects unauthenticated callers', async () => {
+    await expect(
+      requestUploadUrlImpl({
+        auth: undefined,
+        data: { mimeType: 'image/jpeg', sizeBytes: 1024, sha256: 'a'.repeat(64) },
+        bucket: 'test-bucket',
+      }),
+    ).rejects.toMatchObject({ code: BantayogErrorCode.UNAUTHORIZED })
+  })
+
+  it('rejects disallowed MIME types', async () => {
+    await expect(
+      requestUploadUrlImpl({
+        auth: { uid: 'c1' },
+        data: { mimeType: 'application/pdf', sizeBytes: 1024, sha256: 'a'.repeat(64) },
+        bucket: 'test-bucket',
+      }),
+    ).rejects.toMatchObject({ code: BantayogErrorCode.INVALID_ARGUMENT })
+  })
+
+  it('rejects oversized uploads', async () => {
+    await expect(
+      requestUploadUrlImpl({
+        auth: { uid: 'c1' },
+        data: { mimeType: 'image/jpeg', sizeBytes: 11 * 1024 * 1024, sha256: 'a'.repeat(64) },
+        bucket: 'test-bucket',
+      }),
+    ).rejects.toMatchObject({ code: BantayogErrorCode.INVALID_ARGUMENT })
+  })
+
+  it('returns a signed URL and uploadId for a valid request', async () => {
+    const result = await requestUploadUrlImpl({
+      auth: { uid: 'c1' },
+      data: { mimeType: 'image/jpeg', sizeBytes: 1024, sha256: 'a'.repeat(64) },
+      bucket: 'test-bucket',
+    })
+    expect(result.uploadUrl).toBe('https://signed.example/put')
+    expect(result.uploadId).toMatch(/^[0-9a-f-]{36}$/)
+    expect(result.storagePath).toBe(`pending/${result.uploadId}`)
+  })
+})
diff --git a/functions/src/__tests__/fixtures/sample.jpg b/functions/src/__tests__/fixtures/sample.jpg
new file mode 100644
index 00000000..9dfa10e3
Binary files /dev/null and b/functions/src/__tests__/fixtures/sample.jpg differ
diff --git a/functions/src/__tests__/idempotency/guard.test.ts b/functions/src/__tests__/idempotency/guard.test.ts
index eaec50ab..0a1813e7 100644
--- a/functions/src/__tests__/idempotency/guard.test.ts
+++ b/functions/src/__tests__/idempotency/guard.test.ts
@@ -51,7 +51,7 @@ describe('withIdempotency', () => {
   it('runs the operation and writes the key on first call', async () => {
     // eslint-disable-next-line @typescript-eslint/require-await
     const op = vi.fn(async () => ({ resultId: 'x1' }))
-    const result = await withIdempotency(
+    const { result, fromCache } = await withIdempotency(
       db,
       {
         key: 'cb:verifyReport:u1',
@@ -61,6 +61,7 @@ describe('withIdempotency', () => {
       op,
     )
     expect(result).toEqual({ resultId: 'x1' })
+    expect(fromCache).toBe(false)
     expect(op).toHaveBeenCalledTimes(1)
     expect(db._store.has('idempotency_keys/cb:verifyReport:u1')).toBe(true)
   })
@@ -77,7 +78,7 @@ describe('withIdempotency', () => {
       },
       op,
     )
-    const replay = await withIdempotency(
+    const { result: cachedResult, fromCache } = await withIdempotency(
       db,
       {
         key: 'cb:verifyReport:u1',
@@ -87,7 +88,8 @@ describe('withIdempotency', () => {
       op,
     )
     expect(op).toHaveBeenCalledTimes(1)
-    expect(replay).toEqual({ resultId: 'x1' })
+    expect(cachedResult).toEqual({ resultId: 'x1' })
+    expect(fromCache).toBe(true)
   })
 
   it('throws IdempotencyMismatchError on same key with different payload', async () => {
diff --git a/functions/src/__tests__/rules/pending-media.rules.test.ts b/functions/src/__tests__/rules/pending-media.rules.test.ts
new file mode 100644
index 00000000..2fc5956a
--- /dev/null
+++ b/functions/src/__tests__/rules/pending-media.rules.test.ts
@@ -0,0 +1,35 @@
+import { assertFails } from '@firebase/rules-unit-testing'
+import { setDoc, doc, getDoc } from 'firebase/firestore'
+import { afterAll, beforeAll, describe, it } from 'vitest'
+import { authed, createTestEnv } from '../helpers/rules-harness.js'
+import { seedActiveAccount, staffClaims, ts } from '../helpers/seed-factories.js'
+
+let env: Awaited<ReturnType<typeof createTestEnv>>
+
+beforeAll(async () => {
+  env = await createTestEnv('demo-phase-3a-pending-media')
+  await seedActiveAccount(env, { uid: 'citizen-1', role: 'citizen' })
+})
+
+afterAll(async () => {
+  await env.cleanup()
+})
+
+describe('pending_media rules', () => {
+  it('rejects citizen writes', async () => {
+    const db = authed(env, 'citizen-1', staffClaims({ role: 'citizen' }))
+    await assertFails(
+      setDoc(doc(db, 'pending_media', 'upl-1'), {
+        uploadId: 'upl-1',
+        storagePath: 'pending/upl-1',
+        strippedAt: ts,
+        mimeType: 'image/jpeg',
+      }),
+    )
+  })
+
+  it('rejects citizen reads', async () => {
+    const db = authed(env, 'citizen-1', staffClaims({ role: 'citizen' }))
+    await assertFails(getDoc(doc(db, 'pending_media', 'upl-1')))
+  })
+})
diff --git a/functions/src/__tests__/services/municipality-lookup.test.ts b/functions/src/__tests__/services/municipality-lookup.test.ts
new file mode 100644
index 00000000..a15eebd5
--- /dev/null
+++ b/functions/src/__tests__/services/municipality-lookup.test.ts
@@ -0,0 +1,33 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest'
+import { createMunicipalityLookup } from '../../services/municipality-lookup.js'
+
+const mockGet = vi.fn()
+
+function db() {
+  return {
+    collection: () => ({ get: mockGet }),
+  }
+}
+
+beforeEach(() => mockGet.mockReset())
+
+describe('municipality lookup', () => {
+  it('loads the map once and caches it', async () => {
+    mockGet.mockResolvedValue({
+      docs: [
+        { id: 'daet', data: () => ({ label: 'Daet' }) },
+        { id: 'basud', data: () => ({ label: 'Basud' }) },
+      ],
+    })
+    const lookup = createMunicipalityLookup(db() as never)
+    expect(await lookup.label('daet')).toBe('Daet')
+    expect(await lookup.label('basud')).toBe('Basud')
+    expect(mockGet).toHaveBeenCalledTimes(1)
+  })
+
+  it('throws on unknown id', async () => {
+    mockGet.mockResolvedValue({ docs: [{ id: 'daet', data: () => ({ label: 'Daet' }) }] })
+    const lookup = createMunicipalityLookup(db() as never)
+    await expect(lookup.label('unknown')).rejects.toMatchObject({ code: 'FORBIDDEN' })
+  })
+})
diff --git a/functions/src/__tests__/triggers/inbox-reconciliation-sweep.test.ts b/functions/src/__tests__/triggers/inbox-reconciliation-sweep.test.ts
new file mode 100644
index 00000000..8691ab49
--- /dev/null
+++ b/functions/src/__tests__/triggers/inbox-reconciliation-sweep.test.ts
@@ -0,0 +1,102 @@
+import { initializeTestEnvironment, type RulesTestEnvironment } from '@firebase/rules-unit-testing'
+import { afterAll, beforeAll, beforeEach, describe, expect, it } from 'vitest'
+import { readFileSync } from 'node:fs'
+import { resolve } from 'node:path'
+import { doc, getDoc, setDoc } from 'firebase/firestore'
+import { inboxReconciliationSweepCore } from '../../triggers/inbox-reconciliation-sweep.js'
+
+const RULES_PATH = resolve(import.meta.dirname, '../../../../infra/firebase/firestore.rules')
+
+let env: RulesTestEnvironment | undefined
+beforeAll(async () => {
+  env = await initializeTestEnvironment({
+    projectId: 'demo-3a-sweep',
+    firestore: { rules: readFileSync(RULES_PATH, 'utf8') },
+  })
+  await env.withSecurityRulesDisabled(async (ctx) => {
+    await setDoc(doc(ctx.firestore(), 'municipalities', 'daet'), {
+      id: 'daet',
+      label: 'Daet',
+      provinceId: 'camarines-norte',
+      centroid: { lat: 14.11, lng: 122.95 },
+      schemaVersion: 1,
+    })
+  })
+})
+
+afterAll(async () => {
+  if (env) await env.cleanup()
+})
+
+beforeEach(async () => {
+  await env!.withSecurityRulesDisabled(async (ctx) => {
+    const db = ctx.firestore()
+    const collections = [
+      'report_inbox',
+      'reports',
+      'report_private',
+      'report_ops',
+      'report_events',
+      'report_lookup',
+      'moderation_incidents',
+      'idempotency_keys',
+      'pending_media',
+    ]
+    for (const col of collections) {
+      const docs = await db.collection(col).get()
+      for (const d of docs.docs) {
+        await d.ref.delete()
+      }
+    }
+  })
+})
+
+describe('inboxReconciliationSweepCore', () => {
+  it('picks up unprocessed inbox items older than the threshold', async () => {
+    await env!.withSecurityRulesDisabled(async (ctx) => {
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      const db = ctx.firestore() as any
+      const now = 1713350500000
+      // Stale (3 min old, unprocessed) — above 2 min threshold
+      await setDoc(doc(ctx.firestore(), 'report_inbox', 'stale-1'), {
+        reporterUid: 'c-1',
+        clientCreatedAt: now - 3 * 60 * 1000,
+        idempotencyKey: 'idem-s',
+        publicRef: 'sss11111',
+        secretHash: 'a'.repeat(64),
+        correlationId: '55555555-5555-4555-8555-555555555555',
+        payload: {
+          reportType: 'flood',
+          description: 'x',
+          severity: 'low',
+          source: 'web',
+          publicLocation: { lat: 14.11, lng: 122.95 },
+        },
+      })
+      // Fresh (unprocessed, under 2 min)
+      await setDoc(doc(ctx.firestore(), 'report_inbox', 'fresh-1'), {
+        reporterUid: 'c-1',
+        clientCreatedAt: now - 30 * 1000,
+        idempotencyKey: 'idem-f',
+        publicRef: 'fff11111',
+        secretHash: 'b'.repeat(64),
+        correlationId: '66666666-6666-4666-8666-666666666666',
+        payload: {
+          reportType: 'flood',
+          description: 'x',
+          severity: 'low',
+          source: 'web',
+          publicLocation: { lat: 14.11, lng: 122.95 },
+        },
+      })
+
+      const result = await inboxReconciliationSweepCore({ db, now: () => now })
+      expect(result.processed).toBe(1)
+
+      const stale = await getDoc(doc(ctx.firestore(), 'report_inbox', 'stale-1'))
+      expect(stale.data()?.processedAt).toBeDefined()
+      const fresh = await getDoc(doc(ctx.firestore(), 'report_inbox', 'fresh-1'))
+      expect(fresh.data()?.processedAt).toBeUndefined()
+    })
+  })
+})
diff --git a/functions/src/__tests__/triggers/on-media-finalize.test.ts b/functions/src/__tests__/triggers/on-media-finalize.test.ts
new file mode 100644
index 00000000..497593ff
--- /dev/null
+++ b/functions/src/__tests__/triggers/on-media-finalize.test.ts
@@ -0,0 +1,54 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest'
+import { onMediaFinalizeCore } from '../../triggers/on-media-finalize.js'
+
+const mockFile = {
+  download: vi.fn(),
+  save: vi.fn().mockResolvedValue(undefined),
+  delete: vi.fn().mockResolvedValue(undefined),
+  setMetadata: vi.fn().mockResolvedValue(undefined),
+}
+
+function bucket() {
+  return {
+    file: vi.fn(() => mockFile),
+  }
+}
+
+beforeEach(() => {
+  mockFile.download.mockReset()
+  mockFile.save.mockReset().mockResolvedValue(undefined)
+  mockFile.delete.mockReset().mockResolvedValue(undefined)
+  mockFile.setMetadata.mockReset().mockResolvedValue(undefined)
+})
+
+describe('onMediaFinalizeCore', () => {
+  it('rejects and deletes a non-image upload', async () => {
+    mockFile.download.mockResolvedValue([Buffer.from('%PDF-1.4\n', 'utf8')])
+    const writePending = vi.fn()
+    const result = await onMediaFinalizeCore({
+      bucket: bucket() as never,
+      objectName: 'pending/abc',
+      writePending,
+    })
+    expect(result.status).toBe('rejected_mime')
+    expect(mockFile.delete).toHaveBeenCalled()
+    expect(writePending).not.toHaveBeenCalled()
+  })
+
+  it('strips EXIF and writes pending_media record for a JPEG', async () => {
+    const jpeg = Buffer.from(
+      '/9j/4AAQSkZJRgABAQEASABIAAD/2wBDAAgGBgcGBQgHBwcJCQgKDBQNDAsLDBkSEw8UHRofHh0aHBwgJC4nICIsIxwcKDcpLDAxNDQ0Hyc5PTgyPC4zNDL/2wBDAQkJCQwLDBgNDRgyIRwhMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjL/wAARCAABAAEDASIAAhEBAxEB/8QAFQABAQAAAAAAAAAAAAAAAAAAAAn/xAAUEAEAAAAAAAAAAAAAAAAAAAAA/8QAFQEBAQAAAAAAAAAAAAAAAAAAAAX/xAAUEQEAAAAAAAAAAAAAAAAAAAAA/9oADAMBAAIRAxEAPwCwAB//2Q==',
+      'base64',
+    )
+    mockFile.download.mockResolvedValue([jpeg])
+    const writePending = vi.fn()
+    const result = await onMediaFinalizeCore({
+      bucket: bucket() as never,
+      objectName: 'pending/upload-1',
+      writePending,
+    })
+    expect(result.status).toBe('accepted')
+    expect(writePending).toHaveBeenCalledTimes(1)
+    expect(mockFile.save).toHaveBeenCalled()
+  })
+})
diff --git a/functions/src/__tests__/triggers/process-inbox-item.test.ts b/functions/src/__tests__/triggers/process-inbox-item.test.ts
new file mode 100644
index 00000000..e0a4eeb5
--- /dev/null
+++ b/functions/src/__tests__/triggers/process-inbox-item.test.ts
@@ -0,0 +1,287 @@
+import { initializeTestEnvironment, type RulesTestEnvironment } from '@firebase/rules-unit-testing'
+import { afterAll, beforeAll, beforeEach, describe, expect, it } from 'vitest'
+import { readFileSync } from 'node:fs'
+import { resolve } from 'node:path'
+import { doc, getDoc, setDoc } from 'firebase/firestore'
+import { processInboxItemCore } from '../../triggers/process-inbox-item.js'
+
+const RULES_PATH = resolve(import.meta.dirname, '../../../../infra/firebase/firestore.rules')
+
+let env: RulesTestEnvironment | undefined
+beforeAll(async () => {
+  env = await initializeTestEnvironment({
+    projectId: 'demo-phase-3a-inbox',
+    firestore: { rules: readFileSync(RULES_PATH, 'utf8') },
+  })
+  await env.withSecurityRulesDisabled(async (ctx) => {
+    await setDoc(doc(ctx.firestore(), 'municipalities', 'daet'), {
+      id: 'daet',
+      label: 'Daet',
+      provinceId: 'camarines-norte',
+      centroid: { lat: 14.1, lng: 122.95 },
+      schemaVersion: 1,
+    })
+  })
+})
+
+afterAll(async () => {
+  if (env) await env.cleanup()
+})
+
+beforeEach(async () => {
+  await env!.withSecurityRulesDisabled(async (ctx) => {
+    const db = ctx.firestore()
+    const collections = [
+      'report_inbox',
+      'reports',
+      'report_private',
+      'report_ops',
+      'report_events',
+      'report_lookup',
+      'moderation_incidents',
+      'idempotency_keys',
+      'pending_media',
+    ]
+    for (const col of collections) {
+      const docs = await db.collection(col).get()
+      for (const d of docs.docs) {
+        await d.ref.delete()
+      }
+    }
+  })
+})
+
+describe('processInboxItemCore', () => {
+  it('materializes a complete triptych + event + lookup from a valid inbox doc', async () => {
+    await env!.withSecurityRulesDisabled(async (ctx) => {
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      const db = ctx.firestore() as any
+      await setDoc(doc(ctx.firestore(), 'report_inbox', 'ibx-1'), {
+        reporterUid: 'citizen-1',
+        clientCreatedAt: 1713350400000,
+        idempotencyKey: 'idem-1',
+        publicRef: 'a1b2c3d4',
+        secretHash: 'f'.repeat(64),
+        correlationId: '11111111-1111-4111-8111-111111111111',
+        payload: {
+          reportType: 'flood',
+          description: 'flooded street',
+          severity: 'high',
+          source: 'web',
+          publicLocation: { lat: 14.11, lng: 122.95 },
+        },
+      })
+
+      const result = await processInboxItemCore({
+        db,
+        inboxId: 'ibx-1',
+        now: () => 1713350401000,
+      })
+
+      expect(result.materialized).toBe(true)
+      const reportSnap = await getDoc(doc(ctx.firestore(), 'reports', result.reportId))
+      expect(reportSnap.exists()).toBe(true)
+      const report = reportSnap.data()
+      expect(report?.status).toBe('new')
+      expect(report?.municipalityId).toBe('daet')
+      expect(report?.municipalityLabel).toBe('Daet')
+      expect(report?.correlationId).toBe('11111111-1111-4111-8111-111111111111')
+
+      const privateSnap = await getDoc(doc(ctx.firestore(), 'report_private', result.reportId))
+      expect(privateSnap.exists()).toBe(true)
+      expect(privateSnap.data()?.reporterUid).toBe('citizen-1')
+
+      const opsSnap = await getDoc(doc(ctx.firestore(), 'report_ops', result.reportId))
+      expect(opsSnap.exists()).toBe(true)
+
+      const lookupSnap = await getDoc(doc(ctx.firestore(), 'report_lookup', 'a1b2c3d4'))
+      expect(lookupSnap.exists()).toBe(true)
+      expect(lookupSnap.data()?.reportId).toBe(result.reportId)
+      expect(lookupSnap.data()?.tokenHash).toBe('f'.repeat(64))
+    })
+  })
+
+  it('is idempotent — second invocation is a no-op', async () => {
+    await env!.withSecurityRulesDisabled(async (ctx) => {
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      const db = ctx.firestore() as any
+      await setDoc(doc(ctx.firestore(), 'report_inbox', 'ibx-2'), {
+        reporterUid: 'citizen-1',
+        clientCreatedAt: 1713350400000,
+        idempotencyKey: 'idem-2',
+        publicRef: 'b2c3d4e5',
+        secretHash: 'e'.repeat(64),
+        correlationId: '22222222-2222-4222-8222-222222222222',
+        payload: {
+          reportType: 'landslide',
+          description: 'debris on road',
+          severity: 'medium',
+          source: 'sms',
+          publicLocation: { lat: 14.11, lng: 122.95 },
+        },
+      })
+
+      const first = await processInboxItemCore({
+        db,
+        inboxId: 'ibx-2',
+        now: () => 1713350401000,
+      })
+      expect(first.materialized).toBe(true)
+
+      const second = await processInboxItemCore({
+        db,
+        inboxId: 'ibx-2',
+        now: () => 1713350402000,
+      })
+      expect(second.materialized).toBe(true)
+      expect(second.replayed).toBe(true)
+      expect(second.reportId).toBe(first.reportId)
+    })
+  })
+
+  it('moves pending_media references into reports/{id}/media', async () => {
+    await env!.withSecurityRulesDisabled(async (ctx) => {
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      const db = ctx.firestore() as any
+      await setDoc(doc(ctx.firestore(), 'pending_media', 'upload-x'), {
+        uploadId: 'upload-x',
+        storagePath: 'pending/upload-x',
+        strippedAt: 1713350400000,
+        mimeType: 'image/jpeg',
+      })
+      await setDoc(doc(ctx.firestore(), 'report_inbox', 'ibx-3'), {
+        reporterUid: 'citizen-1',
+        clientCreatedAt: 1713350400000,
+        idempotencyKey: 'idem-3',
+        publicRef: 'd4e5f607',
+        secretHash: 'c'.repeat(64),
+        correlationId: '44444444-4444-4444-8444-444444444444',
+        payload: {
+          reportType: 'flood',
+          description: 'x',
+          severity: 'low',
+          source: 'web',
+          publicLocation: { lat: 14.11, lng: 122.95 },
+          pendingMediaIds: ['upload-x'],
+        },
+      })
+      const result = await processInboxItemCore({
+        db,
+        inboxId: 'ibx-3',
+        now: () => 1713350401000,
+      })
+      const mediaSnap = await getDoc(
+        doc(ctx.firestore(), 'reports', result.reportId, 'media', 'upload-x'),
+      )
+      expect(mediaSnap.exists()).toBe(true)
+      expect(mediaSnap.data()?.storagePath).toBe('pending/upload-x')
+      const pendingSnap = await getDoc(doc(ctx.firestore(), 'pending_media', 'upload-x'))
+      expect(pendingSnap.exists()).toBe(false)
+    })
+  })
+
+  it('writes moderation_incident and throws when payload schema is invalid', async () => {
+    await env!.withSecurityRulesDisabled(async (ctx) => {
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      const db = ctx.firestore() as any
+      await setDoc(doc(ctx.firestore(), 'report_inbox', 'ibx-schema-bad'), {
+        reporterUid: 'citizen-1',
+        clientCreatedAt: 1713350400000,
+        idempotencyKey: 'idem-schema-bad',
+        publicRef: 'c3d4e5f6',
+        secretHash: 'f'.repeat(64),
+        correlationId: '33333333-3333-4333-8333-333333333333',
+        payload: {
+          reportType: 'flood',
+          // missing required fields — severity and source omitted
+          description: 'bad',
+          publicLocation: { lat: 14.11, lng: 122.95 },
+        },
+      })
+
+      await expect(
+        processInboxItemCore({ db, inboxId: 'ibx-schema-bad', now: () => 1713350401000 }),
+      ).rejects.toMatchObject({ code: 'INVALID_ARGUMENT' })
+
+      const incidentSnap = await getDoc(
+        doc(ctx.firestore(), 'moderation_incidents', 'ibx-schema-bad'),
+      )
+      expect(incidentSnap.exists()).toBe(true)
+      expect(incidentSnap.data()?.reason).toBe('payload_schema_invalid')
+    })
+  })
+
+  it('writes moderation_incident and throws when location is out of jurisdiction', async () => {
+    await env!.withSecurityRulesDisabled(async (ctx) => {
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      const db = ctx.firestore() as any
+      await setDoc(doc(ctx.firestore(), 'report_inbox', 'ibx-oog'), {
+        reporterUid: 'citizen-1',
+        clientCreatedAt: 1713350400000,
+        idempotencyKey: 'idem-oog',
+        publicRef: 'd4e5f6a7',
+        secretHash: 'f'.repeat(64),
+        correlationId: '44444444-4444-4444-8444-444444444444',
+        payload: {
+          reportType: 'flood',
+          description: 'somewhere far',
+          severity: 'high',
+          source: 'web',
+          publicLocation: { lat: 0.0, lng: 0.0 }, // way outside Camarines Norte
+        },
+      })
+
+      await expect(
+        processInboxItemCore({ db, inboxId: 'ibx-oog', now: () => 1713350401000 }),
+      ).rejects.toMatchObject({ code: 'INVALID_ARGUMENT' })
+
+      const incidentSnap = await getDoc(doc(ctx.firestore(), 'moderation_incidents', 'ibx-oog'))
+      expect(incidentSnap.exists()).toBe(true)
+      expect(incidentSnap.data()?.reason).toBe('out_of_jurisdiction')
+    })
+  })
+
+  it('throws NOT_FOUND when inbox doc does not exist', async () => {
+    await env!.withSecurityRulesDisabled(async (ctx) => {
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      const db = ctx.firestore() as any
+      await expect(
+        processInboxItemCore({ db, inboxId: 'ibx-missing', now: () => 1713350401000 }),
+      ).rejects.toMatchObject({ code: 'NOT_FOUND' })
+    })
+  })
+
+  it('throws CONFLICT when lookup doc exists with different reportId', async () => {
+    await env!.withSecurityRulesDisabled(async (ctx) => {
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      const db = ctx.firestore() as any
+      // Pre-write a conflicting lookup entry
+      await setDoc(doc(ctx.firestore(), 'report_lookup', 'conf1234'), {
+        reportId: 'some-other-report',
+        tokenHash: 'f'.repeat(64),
+        expiresAt: Date.now() + 90 * 24 * 60 * 60 * 1000,
+        createdAt: Date.now(),
+        schemaVersion: 1,
+      })
+      await setDoc(doc(ctx.firestore(), 'report_inbox', 'ibx-conflict'), {
+        reporterUid: 'citizen-1',
+        clientCreatedAt: 1713350400000,
+        idempotencyKey: 'idem-conflict',
+        publicRef: 'conf1234',
+        secretHash: 'f'.repeat(64),
+        correlationId: '55555555-5555-4555-8555-555555555555',
+        payload: {
+          reportType: 'flood',
+          description: 'conflict test',
+          severity: 'high',
+          source: 'web',
+          publicLocation: { lat: 14.11, lng: 122.95 },
+        },
+      })
+
+      await expect(
+        processInboxItemCore({ db, inboxId: 'ibx-conflict', now: () => 1713350401000 }),
+      ).rejects.toMatchObject({ code: 'CONFLICT' })
+    })
+  })
+})
diff --git a/functions/src/callables/https-error.ts b/functions/src/callables/https-error.ts
new file mode 100644
index 00000000..d12254a6
--- /dev/null
+++ b/functions/src/callables/https-error.ts
@@ -0,0 +1,34 @@
+import { HttpsError, type FunctionsErrorCode } from 'firebase-functions/v2/https'
+import { BantayogErrorCode, type BantayogError } from '@bantayog/shared-validators'
+
+export const BANTAYOG_TO_HTTPS_CODE: Record<BantayogErrorCode, FunctionsErrorCode> = {
+  // Validation errors — never retry without fixing input
+  VALIDATION_ERROR: 'invalid-argument',
+  INVALID_ARGUMENT: 'invalid-argument',
+  UNAUTHORIZED: 'unauthenticated',
+  FORBIDDEN: 'permission-denied',
+  NOT_FOUND: 'not-found',
+  CONFLICT: 'already-exists',
+
+  // Quota / rate limit errors — client should back off
+  RATE_LIMITED: 'resource-exhausted',
+  QUOTA_EXCEEDED: 'resource-exhausted',
+
+  // Transient errors — eligible for retry
+  DEADLINE_EXCEEDED: 'deadline-exceeded',
+  SERVICE_UNAVAILABLE: 'unavailable',
+  INTERNAL_ERROR: 'internal',
+
+  // Domain-specific codes
+  REPORT_NOT_FOUND: 'not-found',
+  DISPATCH_NOT_FOUND: 'not-found',
+  MUNICIPALITY_NOT_FOUND: 'not-found',
+  UPLOAD_URL_GENERATION_FAILED: 'internal',
+  MEDIA_PROCESSING_FAILED: 'internal',
+  INVALID_STATUS_TRANSITION: 'failed-precondition',
+  IDEMPOTENCY_KEY_CONFLICT: 'already-exists',
+}
+
+export function bantayogErrorToHttps(err: BantayogError): HttpsError {
+  return new HttpsError(BANTAYOG_TO_HTTPS_CODE[err.code], err.message, err.data)
+}
diff --git a/functions/src/callables/request-lookup.ts b/functions/src/callables/request-lookup.ts
new file mode 100644
index 00000000..a1783330
--- /dev/null
+++ b/functions/src/callables/request-lookup.ts
@@ -0,0 +1,85 @@
+import { createHash } from 'node:crypto'
+import { onCall, HttpsError } from 'firebase-functions/v2/https'
+import { getFirestore, type Firestore } from 'firebase-admin/firestore'
+import { z } from 'zod'
+import { BantayogError, BantayogErrorCode } from '@bantayog/shared-validators'
+import { bantayogErrorToHttps } from './https-error.js'
+
+const payloadSchema = z
+  .object({
+    publicRef: z.string().regex(/^[a-z0-9]{8}$/),
+    secret: z.string().min(1).max(64),
+  })
+  .strict()
+
+export interface RequestLookupInput {
+  db: Firestore
+  data: unknown
+}
+
+export interface RequestLookupResult {
+  status: string
+  lastStatusAt: number
+  municipalityLabel: string
+}
+
+export async function requestLookupImpl(input: RequestLookupInput): Promise<RequestLookupResult> {
+  const parsed = payloadSchema.safeParse(input.data)
+  if (!parsed.success) {
+    throw new BantayogError(BantayogErrorCode.INVALID_ARGUMENT, 'Invalid lookup request payload.')
+  }
+
+  const { publicRef, secret } = parsed.data
+
+  const lookupSnap = await input.db.collection('report_lookup').doc(publicRef).get()
+  if (!lookupSnap.exists) {
+    throw new BantayogError(BantayogErrorCode.NOT_FOUND, 'Unknown reference.')
+  }
+
+  const lookup = lookupSnap.data() as {
+    reportId: string
+    tokenHash: string
+    expiresAt: number
+  }
+
+  if (lookup.expiresAt < Date.now()) {
+    throw new BantayogError(BantayogErrorCode.NOT_FOUND, 'Reference expired.')
+  }
+
+  const secretHash = createHash('sha256').update(secret).digest('hex')
+  if (secretHash !== lookup.tokenHash) {
+    throw new BantayogError(BantayogErrorCode.FORBIDDEN, 'Secret mismatch.')
+  }
+
+  const reportSnap = await input.db.collection('reports').doc(lookup.reportId).get()
+  if (!reportSnap.exists) {
+    throw new BantayogError(BantayogErrorCode.NOT_FOUND, 'Report not found.')
+  }
+
+  const report = reportSnap.data() as {
+    status?: string
+    municipalityLabel?: string
+    submittedAt?: number
+    updatedAt?: number
+  }
+
+  return {
+    status: report.status ?? 'unknown',
+    lastStatusAt: report.updatedAt ?? report.submittedAt ?? 0,
+    municipalityLabel: report.municipalityLabel ?? 'Unknown',
+  }
+}
+
+export const requestLookup = onCall(async (request) => {
+  try {
+    return await requestLookupImpl({
+      db: getFirestore(),
+      data: request.data,
+    })
+  } catch (err: unknown) {
+    if (err instanceof BantayogError) {
+      throw bantayogErrorToHttps(err)
+    }
+    throw new HttpsError('internal', err instanceof Error ? err.message : 'Unknown error')
+  }
+})
diff --git a/functions/src/callables/request-upload-url.ts b/functions/src/callables/request-upload-url.ts
new file mode 100644
index 00000000..39be278e
--- /dev/null
+++ b/functions/src/callables/request-upload-url.ts
@@ -0,0 +1,103 @@
+import { randomUUID } from 'node:crypto'
+import { onCall, HttpsError } from 'firebase-functions/v2/https'
+import { getStorage } from 'firebase-admin/storage'
+import { z } from 'zod'
+import { BantayogError, BantayogErrorCode } from '@bantayog/shared-validators'
+import { bantayogErrorToHttps } from './https-error.js'
+
+const ALLOWED_MIME = new Set(['image/jpeg', 'image/png', 'image/webp'])
+const MAX_SIZE_BYTES = 10 * 1024 * 1024
+const SIGNED_URL_TTL_MS = 5 * 60 * 1000
+
+const payloadSchema = z
+  .object({
+    mimeType: z.string(),
+    sizeBytes: z.number().int().positive(),
+  })
+  .strict()
+
+export interface RequestUploadUrlInput {
+  auth: { uid: string } | undefined
+  data: unknown
+  bucket: string
+}
+
+export interface RequestUploadUrlResult {
+  uploadUrl: string
+  uploadId: string
+  storagePath: string
+  expiresAt: number
+}
+
+export async function requestUploadUrlImpl(
+  input: RequestUploadUrlInput,
+): Promise<RequestUploadUrlResult> {
+  if (!input.auth) {
+    throw new BantayogError(
+      BantayogErrorCode.UNAUTHORIZED,
+      'Must be authenticated to request an upload URL.',
+    )
+  }
+
+  const parsed = payloadSchema.safeParse(input.data)
+  if (!parsed.success) {
+    const issues = parsed.error.issues.map((issue) => ({
+      path: issue.path.join('.'),
+      message: issue.message,
+    }))
+    throw new BantayogError(BantayogErrorCode.INVALID_ARGUMENT, 'Invalid upload request payload.', {
+      errors: issues,
+    })
+  }
+
+  const { mimeType, sizeBytes } = parsed.data
+
+  if (!ALLOWED_MIME.has(mimeType)) {
+    throw new BantayogError(
+      BantayogErrorCode.INVALID_ARGUMENT,
+      `MIME type '${mimeType}' is not allowed. Allowed: ${[...ALLOWED_MIME].join(', ')}`,
+    )
+  }
+
+  if (sizeBytes > MAX_SIZE_BYTES) {
+    throw new BantayogError(
+      BantayogErrorCode.INVALID_ARGUMENT,
+      `File size ${String(sizeBytes)} exceeds maximum ${String(MAX_SIZE_BYTES)} bytes.`,
+    )
+  }
+
+  const storage = getStorage()
+  const uploadId = randomUUID()
+  const storagePath = `pending/${uploadId}`
+  const bucket = storage.bucket(input.bucket)
+  const file = bucket.file(storagePath)
+
+  const expiresAt = Date.now() + SIGNED_URL_TTL_MS
+  const [uploadUrl] = await file.getSignedUrl({
+    version: 'v4',
+    action: 'write',
+    expires: expiresAt,
+  })
+
+  return {
+    uploadUrl,
+    uploadId,
+    storagePath,
+    expiresAt,
+  }
+}
+
+export const requestUploadUrl = onCall(async (request) => {
+  try {
+    return await requestUploadUrlImpl({
+      auth: request.auth ?? undefined,
+      data: request.data,
+      bucket: process.env.STORAGE_BUCKET ?? 'bantayog-alert.appspot.com',
+    })
+  } catch (err: unknown) {
+    if (err instanceof BantayogError) {
+      throw bantayogErrorToHttps(err)
+    }
+    throw new HttpsError('internal', err instanceof Error ? err.message : 'Unknown error')
+  }
+})
diff --git a/functions/src/idempotency/guard.ts b/functions/src/idempotency/guard.ts
index 7a72b689..cdf26033 100644
--- a/functions/src/idempotency/guard.ts
+++ b/functions/src/idempotency/guard.ts
@@ -23,7 +23,7 @@ export async function withIdempotency<TPayload, TResult>(
   db: Firestore,
   opts: WithIdempotencyOptions<TPayload>,
   op: () => Promise<TResult>,
-): Promise<TResult> {
+): Promise<{ result: TResult; fromCache: boolean }> {
   const now = opts.now ?? (() => Date.now())
   const hash = canonicalPayloadHash(opts.payload)
   const keyRef = db.collection('idempotency_keys').doc(opts.key)
@@ -50,10 +50,10 @@ export async function withIdempotency<TPayload, TResult>(
   })
 
   if (cached != null) {
-    return cached
+    return { result: cached, fromCache: true }
   }
 
   const result = await op()
   await keyRef.update({ resultPayload: result, completedAt: now() })
-  return result
+  return { result, fromCache: false }
 }
diff --git a/functions/src/index.ts b/functions/src/index.ts
index 736559a5..c61109f3 100644
--- a/functions/src/index.ts
+++ b/functions/src/index.ts
@@ -1,3 +1,81 @@
 // Cloud Functions v2 entry point.
 export { setStaffClaims, suspendStaffAccount } from './auth/account-lifecycle.js'
 export { withIdempotency, IdempotencyMismatchError } from './idempotency/guard.js'
+export { requestUploadUrl } from './callables/request-upload-url.js'
+export { requestLookup } from './callables/request-lookup.js'
+
+// onMediaFinalize is lazily instantiated to avoid triggering Firebase Functions v2
+// storage import-time env checks (FIREBASE_CONFIG) during unit testing.
+import { onObjectFinalized } from 'firebase-functions/v2/storage'
+import { onDocumentCreated } from 'firebase-functions/v2/firestore'
+import { getStorage } from 'firebase-admin/storage'
+import { getFirestore } from 'firebase-admin/firestore'
+import { onMediaFinalizeCore, type FileHandle } from './triggers/on-media-finalize.js'
+import { processInboxItemCore } from './triggers/process-inbox-item.js'
+import { BantayogError, logDimension } from '@bantayog/shared-validators'
+
+const log = logDimension('index')
+
+export const processInboxItem = onDocumentCreated(
+  {
+    document: 'report_inbox/{inboxId}',
+    region: 'asia-southeast1',
+    minInstances: 3,
+    maxInstances: 100,
+    timeoutSeconds: 30,
+    memory: '512MiB',
+  },
+  async (event) => {
+    try {
+      await processInboxItemCore({ db: getFirestore(), inboxId: event.params.inboxId })
+    } catch (err) {
+      if (err instanceof BantayogError) {
+        log({
+          severity: 'ERROR',
+          code: err.code,
+          message: `processInboxItem failed for inbox ${event.params.inboxId}: ${err.message}`,
+        })
+        return // terminal error — do not retry
+      }
+      throw err // unexpected error — retry
+    }
+  },
+)
+
+export const onMediaFinalize = onObjectFinalized(
+  {
+    region: 'asia-southeast1',
+    minInstances: 1,
+    maxInstances: 50,
+    timeoutSeconds: 60,
+    memory: '1GiB',
+  },
+  async (event) => {
+    const bucket = getStorage().bucket(event.data.bucket)
+    const db = getFirestore()
+    try {
+      await onMediaFinalizeCore({
+        bucket: bucket as unknown as { file(name: string): FileHandle },
+        objectName: event.data.name,
+        now: () => Date.now(),
+        writePending: async (payload) => {
+          await db.collection('pending_media').doc(payload.uploadId).set(payload)
+        },
+      })
+    } catch (err) {
+      const code = (err as { code?: string }).code
+      if (code === 'MEDIA_REJECTED_MIME' || code === 'MEDIA_REJECTED_CORRUPT') {
+        return
+      }
+      log({
+        severity: 'ERROR',
+        code: 'MEDIA_FINALIZE_FAILED',
+        message: `onMediaFinalize failed: ${(err as Error).message}`,
+      })
+      throw err
+    }
+  },
+)
+
+export { onMediaRelocate } from './triggers/on-media-relocate.js'
+export { inboxReconciliationSweep } from './triggers/inbox-reconciliation-sweep.js'
diff --git a/functions/src/services/geocode.ts b/functions/src/services/geocode.ts
new file mode 100644
index 00000000..40dc81a1
--- /dev/null
+++ b/functions/src/services/geocode.ts
@@ -0,0 +1,64 @@
+import type { Firestore } from 'firebase-admin/firestore'
+
+interface GeoPoint {
+  lat: number
+  lng: number
+}
+
+interface MunicipalityDoc {
+  id: string
+  label: string
+  centroid?: GeoPoint
+}
+
+export interface ReverseGeocodeResult {
+  municipalityId: string
+  municipalityLabel: string
+  barangayId: string
+}
+
+let cachedMunis: MunicipalityDoc[] | null = null
+
+async function loadMunicipalities(db: Firestore): Promise<MunicipalityDoc[]> {
+  if (cachedMunis) return cachedMunis
+  const snap = await db.collection('municipalities').get()
+  cachedMunis = snap.docs.map((d) => ({ id: d.id, ...(d.data() as Omit<MunicipalityDoc, 'id'>) }))
+  return cachedMunis
+}
+
+function squaredDistance(a: GeoPoint, b: GeoPoint): number {
+  const dLat = a.lat - b.lat
+  const dLng = a.lng - b.lng
+  return dLat * dLat + dLng * dLng
+}
+
+export async function reverseGeocodeToMunicipality(
+  db: Firestore,
+  location: GeoPoint,
+): Promise<ReverseGeocodeResult | null> {
+  const munis = await loadMunicipalities(db)
+  if (munis.length === 0) return null
+
+  let nearest: MunicipalityDoc | null = null
+  let nearestDist = Infinity
+
+  for (const m of munis) {
+    if (!m.centroid) continue
+    const dist = squaredDistance(location, m.centroid)
+    if (dist < nearestDist) {
+      nearestDist = dist
+      nearest = m
+    }
+  }
+
+  if (!nearest?.centroid) return null
+
+  const MAX_SQUARED_DIST = 1.0
+  if (nearestDist > MAX_SQUARED_DIST) return null
+
+  return {
+    municipalityId: nearest.id,
+    municipalityLabel: nearest.label,
+    barangayId: 'unknown',
+  }
+}
diff --git a/functions/src/services/municipality-lookup.ts b/functions/src/services/municipality-lookup.ts
new file mode 100644
index 00000000..a7c59690
--- /dev/null
+++ b/functions/src/services/municipality-lookup.ts
@@ -0,0 +1,36 @@
+import type { Firestore } from 'firebase-admin/firestore'
+import { BantayogError, BantayogErrorCode } from '@bantayog/shared-validators'
+
+export interface MunicipalityLookup {
+  label(id: string): Promise<string>
+}
+
+export function createMunicipalityLookup(db: Firestore): MunicipalityLookup {
+  let cache: Map<string, string> | null = null
+
+  async function ensureLoaded(): Promise<Map<string, string>> {
+    if (cache) return cache
+    const snap = await db.collection('municipalities').get()
+    const map = new Map<string, string>()
+    for (const d of snap.docs) {
+      const data = d.data() as { label: string }
+      map.set(d.id, data.label)
+    }
+    cache = map
+    return map
+  }
+
+  return {
+    async label(id: string): Promise<string> {
+      const map = await ensureLoaded()
+      const v = map.get(id)
+      if (v === undefined) {
+        throw new BantayogError(
+          BantayogErrorCode.MUNICIPALITY_NOT_FOUND,
+          `Municipality '${id}' is not in jurisdiction.`,
+        )
+      }
+      return v
+    },
+  }
+}
diff --git a/functions/src/triggers/inbox-reconciliation-sweep.ts b/functions/src/triggers/inbox-reconciliation-sweep.ts
new file mode 100644
index 00000000..7e8a1d14
--- /dev/null
+++ b/functions/src/triggers/inbox-reconciliation-sweep.ts
@@ -0,0 +1,81 @@
+import { onSchedule } from 'firebase-functions/v2/scheduler'
+import { getFirestore } from 'firebase-admin/firestore'
+import { logDimension } from '@bantayog/shared-validators'
+import { processInboxItemCore } from './process-inbox-item.js'
+
+const log = logDimension('inboxReconciliationSweep')
+
+const STALENESS_MS = 2 * 60 * 1000
+const BATCH = 100
+
+export interface SweepInput {
+  db: ReturnType<typeof getFirestore>
+  now?: () => number
+}
+
+export interface SweepResult {
+  candidates: number
+  processed: number
+  failed: number
+  oldestAgeMs: number
+}
+
+export async function inboxReconciliationSweepCore(input: SweepInput): Promise<SweepResult> {
+  const now = input.now ?? (() => Date.now())
+  const threshold = now() - STALENESS_MS
+  const snap = await input.db
+    .collection('report_inbox')
+    .where('clientCreatedAt', '<', threshold)
+    .orderBy('clientCreatedAt')
+    .limit(BATCH)
+    .get()
+
+  let processed = 0
+  let failed = 0
+  let oldestAgeMs = 0
+  for (const d of snap.docs) {
+    const data = d.data() as { processedAt?: number; clientCreatedAt: number }
+    if (data.processedAt) continue
+    oldestAgeMs = Math.max(oldestAgeMs, now() - data.clientCreatedAt)
+    try {
+      await processInboxItemCore({ db: input.db, inboxId: d.id, now })
+      processed++
+    } catch (err: unknown) {
+      failed++
+      // Check if a moderation incident was written (permanent failure) and mark processed
+      const incidentSnap = await input.db.collection('moderation_incidents').doc(d.id).get()
+      if (incidentSnap.exists) {
+        await d.ref.update({ processedAt: now() })
+      }
+      log({
+        severity: 'WARNING',
+        code: 'INBOX_RECONCILIATION_RETRY_FAILED',
+        message: `inbox ${d.id} retry failed: ${err instanceof Error ? err.message : String(err)}`,
+      })
+    }
+  }
+  return { candidates: snap.size, processed, failed, oldestAgeMs }
+}
+
+export const inboxReconciliationSweep = onSchedule(
+  {
+    schedule: 'every 5 minutes',
+    region: 'asia-southeast1',
+    timeoutSeconds: 540,
+    memory: '256MiB',
+  },
+  async () => {
+    const result = await inboxReconciliationSweepCore({ db: getFirestore() })
+    log({
+      severity: result.processed > 3 || result.oldestAgeMs > 15 * 60 * 1000 ? 'ERROR' : 'INFO',
+      code: 'INBOX_RECONCILIATION_SWEEP',
+      message:
+        'sweep completed: ' +
+        String(result.processed) +
+        ' processed, ' +
+        String(result.failed) +
+        ' failed',
+      data: result as unknown as Record<string, unknown>,
+    })
+  },
+)
diff --git a/functions/src/triggers/on-media-finalize.ts b/functions/src/triggers/on-media-finalize.ts
new file mode 100644
index 00000000..79e40088
--- /dev/null
+++ b/functions/src/triggers/on-media-finalize.ts
@@ -0,0 +1,78 @@
+import sharp from 'sharp'
+import { fileTypeFromBuffer } from 'file-type'
+import { logDimension } from '@bantayog/shared-validators'
+
+const log = logDimension('onMediaFinalize')
+
+const ALLOWED = new Set(['image/jpeg', 'image/png', 'image/webp'])
+
+export interface OnMediaFinalizeInput {
+  bucket: { file(name: string): FileHandle }
+  objectName: string
+  now?: () => number
+  writePending: (doc: {
+    uploadId: string
+    storagePath: string
+    strippedAt: number
+    mimeType: string
+  }) => Promise<void>
+}
+
+export interface OnMediaFinalizeResult {
+  status: 'accepted' | 'rejected_mime'
+}
+
+export async function onMediaFinalizeCore(
+  input: OnMediaFinalizeInput,
+): Promise<OnMediaFinalizeResult> {
+  if (!input.objectName.startsWith('pending/')) {
+    return { status: 'accepted' }
+  }
+  const file = input.bucket.file(input.objectName)
+  const [buf] = await file.download()
+  const ft = await fileTypeFromBuffer(buf)
+  if (!ft || !ALLOWED.has(ft.mime)) {
+    await file.delete()
+    log({
+      severity: 'WARNING',
+      code: 'MEDIA_REJECTED_MIME',
+      message: `Deleted non-image: ${input.objectName}`,
+    })
+    return { status: 'rejected_mime' }
+  }
+  let cleaned: Buffer
+  try {
+    cleaned = await sharp(buf).rotate().toBuffer()
+  } catch {
+    await file.delete()
+    log({
+      severity: 'WARNING',
+      code: 'MEDIA_REJECTED_CORRUPT',
+      message: `Deleted corrupt image: ${input.objectName}`,
+    })
+    return { status: 'rejected_mime' }
+  }
+  await file.save(cleaned, {
+    resumable: false,
+    contentType: ft.mime,
+    metadata: { cacheControl: 'private, no-transform' },
+  })
+  const uploadId = input.objectName.slice('pending/'.length)
+  const strippedAt = input.now ? input.now() : Date.now()
+  await input.writePending({
+    uploadId,
+    storagePath: input.objectName,
+    strippedAt,
+    mimeType: ft.mime,
+  })
+  return { status: 'accepted' }
+}
+
+export interface FileHandle {
+  download(): Promise<[Buffer]>
+  save(
+    buf: Buffer,
+    opts: { resumable: boolean; contentType: string; metadata: Record<string, string> },
+  ): Promise<void>
+  delete(): Promise<void>
+}
diff --git a/functions/src/triggers/on-media-relocate.ts b/functions/src/triggers/on-media-relocate.ts
new file mode 100644
index 00000000..49437b84
--- /dev/null
+++ b/functions/src/triggers/on-media-relocate.ts
@@ -0,0 +1,33 @@
+import { onObjectFinalized } from 'firebase-functions/v2/storage'
+import { getFirestore } from 'firebase-admin/firestore'
+import { logDimension } from '@bantayog/shared-validators'
+
+const log = logDimension('onMediaRelocate')
+
+export const onMediaRelocate = onObjectFinalized(
+  { region: 'asia-southeast1', minInstances: 0, maxInstances: 20, timeoutSeconds: 60 },
+  async (event) => {
+    const flagSnap = await getFirestore().collection('system_config').doc('features').get()
+    const enabled = flagSnap.exists
+      ? Boolean(
+          (flagSnap.data() as { media_canonical_migration?: { enabled?: unknown } } | undefined)
+            ?.media_canonical_migration?.enabled,
+        )
+      : false
+    if (!enabled) {
+      log({
+        severity: 'DEBUG',
+        code: 'MEDIA_RELOCATE_SKIPPED_DISABLED',
+        message: 'media_canonical_migration disabled, no-op',
+        data: { event: 'media_relocate' },
+      })
+      return
+    }
+    log({
+      severity: 'WARNING',
+      code: 'MEDIA_RELOCATE_FLAG_ON_BUT_IMPL_ABSENT',
+      message: 'flag enabled but relocation not implemented',
+      data: { event: 'media_relocate', objectName: event.data.name },
+    })
+  },
+)
diff --git a/functions/src/triggers/process-inbox-item.ts b/functions/src/triggers/process-inbox-item.ts
new file mode 100644
index 00000000..ce15738b
--- /dev/null
+++ b/functions/src/triggers/process-inbox-item.ts
@@ -0,0 +1,226 @@
+import { randomUUID } from 'node:crypto'
+import type { Firestore } from 'firebase-admin/firestore'
+import {
+  BantayogError,
+  BantayogErrorCode,
+  logDimension,
+  reportInboxDocSchema,
+  inboxPayloadSchema,
+} from '@bantayog/shared-validators'
+import { reverseGeocodeToMunicipality } from '../services/geocode.js'
+import { withIdempotency } from '../idempotency/guard.js'
+
+const log = logDimension('processInboxItem')
+
+export interface ProcessInboxItemCoreInput {
+  db: Firestore
+  inboxId: string
+  now?: () => number
+}
+
+export interface ProcessInboxItemCoreResult {
+  materialized: boolean
+  replayed: boolean
+  reportId: string
+}
+
+export async function processInboxItemCore(
+  input: ProcessInboxItemCoreInput,
+): Promise<ProcessInboxItemCoreResult> {
+  const { db, inboxId } = input
+  const now = input.now ?? (() => Date.now())
+
+  const inboxRef = db.collection('report_inbox').doc(inboxId)
+  const inboxSnap = await inboxRef.get()
+  if (!inboxSnap.exists) {
+    throw new BantayogError(BantayogErrorCode.NOT_FOUND, `inbox ${inboxId} missing`)
+  }
+
+  const parsed = reportInboxDocSchema.safeParse(inboxSnap.data())
+  if (!parsed.success) {
+    await db
+      .collection('moderation_incidents')
+      .doc(inboxId)
+      .set({
+        inboxId,
+        reason: 'schema_invalid',
+        detail: parsed.error.issues.map((i) => `${i.path.join('.')}: ${i.message}`).join('; '),
+        createdAt: now(),
+        schemaVersion: 1,
+      })
+    throw new BantayogError(
+      BantayogErrorCode.INVALID_ARGUMENT,
+      `inbox schema invalid: ${parsed.error.issues[0]?.message ?? 'unknown'}`,
+    )
+  }
+
+  const inbox = parsed.data
+  const payloadResult = inboxPayloadSchema.safeParse(inbox.payload)
+  if (!payloadResult.success) {
+    await db
+      .collection('moderation_incidents')
+      .doc(inboxId)
+      .set({
+        inboxId,
+        reason: 'payload_schema_invalid',
+        detail: payloadResult.error.issues
+          .map((i) => `${i.path.join('.')}: ${i.message}`)
+          .join('; '),
+        createdAt: now(),
+        schemaVersion: 1,
+      })
+    throw new BantayogError(
+      BantayogErrorCode.INVALID_ARGUMENT,
+      `payload schema invalid: ${payloadResult.error.issues[0]?.message ?? 'unknown'}`,
+    )
+  }
+  const payload = payloadResult.data
+
+  const geo = await reverseGeocodeToMunicipality(db, payload.publicLocation)
+  if (!geo) {
+    await db.collection('moderation_incidents').doc(inboxId).set({
+      inboxId,
+      reason: 'out_of_jurisdiction',
+      createdAt: now(),
+      schemaVersion: 1,
+    })
+    throw new BantayogError(BantayogErrorCode.INVALID_ARGUMENT, 'out of jurisdiction')
+  }
+
+  const createdAt = now()
+  const pendingMediaIds = payload.pendingMediaIds ?? []
+
+  const idempotencyResult = await withIdempotency<
+    { inboxId: string; publicRef: string },
+    { materialized: true; reportId: string }
+  >(
+    db,
+    { key: `processInboxItem:${inboxId}`, payload: { inboxId, publicRef: inbox.publicRef }, now },
+    async () => {
+      const reportId = randomUUID()
+
+      const pendingMediaDocs = new Map<
+        string,
+        { storagePath: string; mimeType: string; strippedAt: number }
+      >()
+      for (const uploadId of pendingMediaIds) {
+        const pendingSnap = await db.collection('pending_media').doc(uploadId).get()
+        if (pendingSnap.exists) {
+          pendingMediaDocs.set(
+            uploadId,
+            pendingSnap.data() as { storagePath: string; mimeType: string; strippedAt: number },
+          )
+        }
+      }
+
+      // pending_media docs are write-once by onMediaFinalize and only deleted here,
+      // so reads outside the transaction are safe by design.
+
+      await db.runTransaction(async (tx) => {
+        const lookupRef = db.collection('report_lookup').doc(inbox.publicRef)
+        const lookupSnap = await tx.get(lookupRef)
+        if (lookupSnap.exists && lookupSnap.data()?.reportId !== reportId) {
+          throw new BantayogError(BantayogErrorCode.CONFLICT, 'publicRef already exists')
+        }
+
+        tx.set(db.collection('reports').doc(reportId), {
+          municipalityId: geo.municipalityId,
+          municipalityLabel: geo.municipalityLabel,
+          barangayId: geo.barangayId,
+          reporterRole: 'citizen',
+          reportType: payload.reportType,
+          severity: payload.severity,
+          status: 'new',
+          publicLocation: payload.publicLocation,
+          mediaRefs: pendingMediaIds,
+          description: payload.description,
+          submittedAt: inbox.clientCreatedAt,
+          retentionExempt: false,
+          visibilityClass: 'internal',
+          visibility: { scope: 'municipality', sharedWith: [] },
+          source: payload.source,
+          hasPhotoAndGPS: false,
+          schemaVersion: 1,
+          correlationId: inbox.correlationId,
+        })
+
+        tx.set(db.collection('report_private').doc(reportId), {
+          municipalityId: geo.municipalityId,
+          reporterUid: inbox.reporterUid,
+          isPseudonymous: false,
+          publicTrackingRef: inbox.publicRef,
+          createdAt,
+          schemaVersion: 1,
+        })
+
+        tx.set(db.collection('report_ops').doc(reportId), {
+          municipalityId: geo.municipalityId,
+          status: 'new',
+          severity: payload.severity,
+          createdAt,
+          agencyIds: [],
+          activeResponderCount: 0,
+          requiresLocationFollowUp: false,
+          visibility: { scope: 'municipality', sharedWith: [] },
+          updatedAt: createdAt,
+          schemaVersion: 1,
+        })
+
+        tx.set(db.collection('reports').doc(reportId).collection('status_log').doc(), {
+          from: 'draft_inbox',
+          to: 'new',
+          actor: 'system:processInboxItem',
+          at: createdAt,
+          correlationId: inbox.correlationId,
+          schemaVersion: 1,
+        })
+
+        tx.set(db.collection('report_lookup').doc(inbox.publicRef), {
+          reportId,
+          tokenHash: inbox.secretHash,
+          expiresAt: createdAt + 90 * 24 * 60 * 60 * 1000,
+          createdAt,
+          schemaVersion: 1,
+        })
+
+        tx.set(db.collection('report_events').doc(), {
+          reportId,
+          correlationId: inbox.correlationId,
+          eventType: 'report_submitted',
+          municipalityId: geo.municipalityId,
+          actor: 'system',
+          at: createdAt,
+          schemaVersion: 1,
+        })
+
+        for (const uploadId of pendingMediaIds) {
+          const data = pendingMediaDocs.get(uploadId)
+          if (!data) continue
+          tx.set(db.collection('reports').doc(reportId).collection('media').doc(uploadId), {
+            uploadId,
+            storagePath: data.storagePath,
+            mimeType: data.mimeType,
+            strippedAt: data.strippedAt,
+            addedAt: createdAt,
+            schemaVersion: 1,
+          })
+          tx.delete(db.collection('pending_media').doc(uploadId))
+        }
+      })
+
+      await inboxRef.update({ processedAt: now() })
+
+      log({
+        severity: 'INFO',
+        code: 'INBOX_MATERIALIZED',
+        message: `Report ${reportId} created from inbox ${inboxId}`,
+        data: { reportId, inboxId, municipalityId: geo.municipalityId },
+      })
+
+      return { materialized: true, reportId }
+    },
+  )
+
+  const { result, fromCache } = idempotencyResult
+  return { materialized: result.materialized, replayed: fromCache, reportId: result.reportId }
+}
diff --git a/infra/firebase/firestore.rules b/infra/firebase/firestore.rules
index 40c3e7ce..66a158c9 100644
--- a/infra/firebase/firestore.rules
+++ b/infra/firebase/firestore.rules
@@ -47,10 +47,11 @@ service cloud.firestore {
               || (isAgencyAdmin() && data.agencyId == myAgency()));
     }
     function validResponderTransition(from, to) {
-      return (from == 'accepted'     && to == 'acknowledged')
-          || (from == 'acknowledged' && to == 'in_progress')
-          || (from == 'in_progress'  && to == 'resolved')
-          || (from == 'pending'      && to == 'declined');
+      return       (from == 'accepted' && to == 'acknowledged')
+          ||       (from == 'acknowledged' && to == 'in_progress')
+          ||       (from == 'in_progress' && to == 'resolved')
+          ||       (from == 'pending' && to == 'declined')
+          || false;
     }
 
     // ================================================================
@@ -59,7 +60,7 @@ service cloud.firestore {
 
     match /report_inbox/{inboxId} {
       allow read: if false;
-      allow create: if isCitizen() && request.resource.data.reportersUid == uid();
+      allow create: if isCitizen() && request.resource.data.reporterUid == uid();
       allow update, delete: if false;
     }
 
@@ -227,6 +228,10 @@ service cloud.firestore {
       allow write: if false;
     }
 
+    match /pending_media/{uploadId} {
+      allow read, write: if false;
+    }
+
     match /moderation_incidents/{m} {
       allow read: if isActivePrivileged() && (isMuniAdmin() || isSuperadmin());
       allow write: if false;
diff --git a/infra/firebase/firestore.rules.template b/infra/firebase/firestore.rules.template
new file mode 100644
index 00000000..f74be910
--- /dev/null
+++ b/infra/firebase/firestore.rules.template
@@ -0,0 +1,349 @@
+rules_version = '2';
+service cloud.firestore {
+  match /databases/{database}/documents {
+
+    // ================================================================
+    // Helper functions — names and role literals match spec §5.7 exactly.
+    //
+    // DO NOT ADD: `dispatcher`, `provincial_admin`, or platform-level
+    // `super_admin` — those roles do not exist in the spec's 5-role model.
+    // The dispatcher concept is folded into municipal_admin's duties.
+    // Platform and provincial superadmin are one unified role.
+    // ================================================================
+
+    function isAuthed() {
+      return request.auth != null
+          && request.auth.token.accountStatus == 'active';
+    }
+    function role()           { return request.auth.token.role; }
+    function uid()            { return request.auth.uid; }
+    function myMunicipality() { return request.auth.token.municipalityId; }
+    function myAgency()       { return request.auth.token.agencyId; }
+    function permittedMunis() {
+      return request.auth.token.permittedMunicipalityIds != null
+        ? request.auth.token.permittedMunicipalityIds : [];
+    }
+    function isCitizen()    { return isAuthed() && role() == 'citizen'; }
+    function isResponder()  { return isAuthed() && role() == 'responder'; }
+    function isMuniAdmin()  { return isAuthed() && role() == 'municipal_admin'; }
+    function isAgencyAdmin(){ return isAuthed() && role() == 'agency_admin'; }
+    function isSuperadmin() { return isAuthed() && role() == 'provincial_superadmin'; }
+    function isActivePrivileged() {
+      return exists(/databases/$(database)/documents/active_accounts/$(uid()))
+          && get(/databases/$(database)/documents/active_accounts/$(uid()))
+             .data.accountStatus == 'active';
+    }
+    function adminOf(muniId) {
+      return (isMuniAdmin() && myMunicipality() == muniId)
+          || (isSuperadmin() && muniId in permittedMunis());
+    }
+    function canReadReportDoc(data) {
+      return (data.visibilityClass == 'public_alertable' && isAuthed())
+          || adminOf(data.municipalityId);
+    }
+    function canReadEventDoc(data) {
+      return isActivePrivileged()
+          && (isMuniAdmin() || isSuperadmin()
+              || (isAgencyAdmin() && data.agencyId == myAgency()));
+    }
+    // @@TRANSITION_TABLES@@
+
+    // ================================================================
+    // Phase 2: citizen inbox + triptych
+    // ================================================================
+
+    match /report_inbox/{inboxId} {
+      allow read: if false;
+      allow create: if isCitizen() && request.resource.data.reporterUid == uid();
+      allow update, delete: if false;
+    }
+
+    match /reports/{reportId} {
+      allow read: if canReadReportDoc(resource.data);
+      allow create: if false;
+      allow update: if adminOf(resource.data.municipalityId)
+                   && request.resource.data.diff(resource.data)
+                      .affectedKeys()
+                      .hasOnly(['status', 'updatedAt', 'verifiedAt', 'assignedAt', 'closedAt', 'rejectedAt', 'rejectedReason', 'barangayId', 'severity', 'mediaRefs', 'hazardTagList']);
+      allow delete: if false;
+
+      match /status_log/{e} {
+        allow read: if canReadReportDoc(get(/databases/$(database)/documents/reports/$(reportId)).data);
+        allow write: if false;
+      }
+      match /media/{m} {
+        allow read: if canReadReportDoc(get(/databases/$(database)/documents/reports/$(reportId)).data);
+        allow write: if false;
+      }
+      match /messages/{m} {
+        allow read: if isActivePrivileged()
+                    && (isMuniAdmin() || isSuperadmin()
+                        || (isResponder() && exists(/databases/$(database)/documents/dispatches/$(reportId + '_' + uid()))));
+        allow write: if false;
+      }
+      match /field_notes/{n} {
+        allow read: if isActivePrivileged()
+                    && (isMuniAdmin() || isSuperadmin()
+                        || (isResponder() && exists(/databases/$(database)/documents/dispatches/$(reportId + '_' + uid()))));
+        allow write: if false;
+      }
+    }
+
+    match /report_private/{r} {
+      allow read: if adminOf(resource.data.municipalityId);
+      allow write: if false;
+    }
+
+    match /report_ops/{r} {
+      allow read: if adminOf(resource.data.municipalityId)
+                  || (isAgencyAdmin() && myAgency() in resource.data.agencyIds);
+      allow write: if false;
+    }
+
+    match /report_sharing/{r} {
+      allow read: if adminOf(resource.data.ownerMunicipalityId)
+                  || (isSuperadmin() && resource.data.sharedWith.hasAny([myMunicipality()]));
+      allow write: if false;
+    }
+
+    match /report_contacts/{r} {
+      allow read: if adminOf(resource.data.municipalityId);
+      allow write: if false;
+    }
+
+    match /report_lookup/{publicRef} {
+      allow read: if isAuthed();
+      allow write: if false;
+    }
+
+    // ================================================================
+    // Phase 2: dispatches, responders, users
+    // ================================================================
+
+    // --- Dispatches ---
+    match /dispatches/{d} {
+      allow read: if isActivePrivileged() && (
+        (isResponder() && resource.data.responderId == uid())
+        || adminOf(resource.data.municipalityId)
+        || (isAgencyAdmin() && myAgency() == resource.data.agencyId)
+      );
+      allow update: if isResponder()
+                    && isActivePrivileged()
+                    && resource.data.responderId == uid()
+                    && validResponderTransition(resource.data.status, request.resource.data.status)
+                    && request.resource.data.diff(resource.data).affectedKeys()
+                       .hasOnly(['status','statusUpdatedAt','acknowledgedAt',
+                                 'inProgressAt','resolvedAt','declineReason',
+                                 'resolutionSummary','proofPhotoUrl']);
+      allow create, delete: if false;
+    }
+
+    // --- Responders and Users ---
+    match /responders/{rUid} {
+      allow read: if isAuthed() && (
+        uid() == rUid
+        || (isAgencyAdmin() && myAgency() == resource.data.agencyId)
+        || (isMuniAdmin() && myMunicipality() == resource.data.municipalityId)
+        || isSuperadmin()
+      );
+      allow update: if uid() == rUid
+                    && request.resource.data.diff(resource.data).affectedKeys()
+                       .hasOnly(['availabilityStatus']);
+      allow create, delete: if false;
+    }
+
+    match /users/{uUid} {
+      allow read: if isAuthed() && (
+        uid() == uUid
+        || (isMuniAdmin() && myMunicipality() == resource.data.municipalityId)
+        || isSuperadmin()
+      );
+      allow update: if uid() == uUid
+                    && request.resource.data.diff(resource.data).affectedKeys()
+                       .hasOnly(['displayName','phone','barangayId']);
+      allow create, delete: if false;
+    }
+
+    // ================================================================
+    // Phase 1: identity spine — alerts, system_config, active_accounts,
+    // claim_revocations, rate_limits.
+    // ================================================================
+
+    match /system_config/{configId} {
+      allow read: if isAuthed();
+      allow write: if isSuperadmin() && isActivePrivileged();
+    }
+
+    match /active_accounts/{accountUid} {
+      allow read: if isAuthed() && uid() == accountUid;
+      allow write: if false;
+    }
+
+    match /claim_revocations/{accountUid} {
+      allow read: if isAuthed() && uid() == accountUid;
+      allow write: if false;
+    }
+
+    match /rate_limits/{rateKey} {
+      allow read, write: if false;
+    }
+
+    // ================================================================
+    // Phase 2: public collections, audit, event streams
+    // ================================================================
+
+    match /alerts/{a} {
+      allow read: if isAuthed();
+      allow write: if false;
+    }
+
+    match /emergencies/{e} {
+      allow read: if isAuthed();
+      allow write: if false;
+    }
+
+    match /agencies/{a} {
+      allow read: if isAuthed();
+      allow write: if isSuperadmin() && isActivePrivileged();
+    }
+
+    match /audit_logs/{l} {
+      allow read: if isSuperadmin() && isActivePrivileged();
+      allow write: if false;
+    }
+
+    match /dead_letters/{d} {
+      allow read: if isSuperadmin() && isActivePrivileged();
+      allow write: if false;
+    }
+
+    match /hazard_signals/{s} {
+      allow read: if isAuthed();
+      allow write: if false;
+    }
+
+    match /pending_media/{uploadId} {
+      allow read, write: if false;
+    }
+
+    match /moderation_incidents/{m} {
+      allow read: if isActivePrivileged() && (isMuniAdmin() || isSuperadmin());
+      allow write: if false;
+    }
+
+    match /breakglass_events/{id} {
+      allow read: if isSuperadmin() && isActivePrivileged();
+      allow write: if false;
+    }
+
+    match /incident_response_events/{id} {
+      allow read: if isSuperadmin() && isActivePrivileged();
+      allow write: if false;
+    }
+
+    match /report_events/{eventId} {
+      allow read: if canReadEventDoc(resource.data);
+      allow write: if false;
+    }
+
+    match /dispatch_events/{eventId} {
+      allow read: if canReadEventDoc(resource.data);
+      allow write: if false;
+    }
+
+    // ================================================================
+    // Phase 2: SMS layer — sms_inbox, sms_outbox, sms_sessions,
+    // sms_provider_health.
+    // ================================================================
+
+    match /sms_inbox/{msgId} {
+      allow read, write: if false;
+    }
+
+    match /sms_outbox/{msgId} {
+      allow read: if isSuperadmin() && isActivePrivileged();
+      allow write: if false;
+    }
+
+    match /sms_sessions/{msisdnHash} {
+      allow read, write: if false;
+    }
+
+    match /sms_provider_health/{providerId} {
+      allow read: if isSuperadmin();
+      allow write: if false;
+    }
+
+    // ================================================================
+    // Phase 2: coordination — agency_assistance_requests,
+    // command_channel_threads, command_channel_messages,
+    // mass_alert_requests, shift_handoffs.
+    // ================================================================
+
+    match /agency_assistance_requests/{requestId} {
+      allow read: if isActivePrivileged()
+                  && ((isMuniAdmin() && myMunicipality() == resource.data.requestedByMunicipality)
+                      || (isAgencyAdmin() && myAgency() == resource.data.targetAgencyId)
+                      || isSuperadmin());
+      allow write: if false;
+    }
+
+    match /command_channel_threads/{threadId} {
+      allow read: if isActivePrivileged()
+                  && (isMuniAdmin() || isAgencyAdmin() || isSuperadmin())
+                  && request.auth.uid in resource.data.participantUids;
+      allow write: if false;
+    }
+
+    match /command_channel_messages/{messageId} {
+      allow read: if isActivePrivileged()
+                  && (isMuniAdmin() || isAgencyAdmin() || isSuperadmin())
+                  && request.auth.uid in get(/databases/$(database)/documents/command_channel_threads/$(resource.data.threadId)).data.participantUids;
+      allow write: if false;
+    }
+
+    match /mass_alert_requests/{requestId} {
+      allow read: if isActivePrivileged()
+                  && (isSuperadmin()
+                      || (isMuniAdmin() && myMunicipality() == resource.data.requestedByMunicipality));
+      allow write: if false;
+    }
+
+    match /shift_handoffs/{handoffId} {
+      allow read: if isActivePrivileged()
+                  && (request.auth.uid == resource.data.fromUid
+                      || request.auth.uid == resource.data.toUid
+                      || isSuperadmin());
+      allow write: if false;
+    }
+
+    // ================================================================
+    // Phase 2: hazard zones — read-only reference and custom flood zones
+    // ================================================================
+
+    match /hazard_zones/{zoneId} {
+      allow read: if isActivePrivileged()
+                  && (isSuperadmin()
+                      || (resource.data.zoneType == 'reference' && isMuniAdmin())
+                      || (resource.data.zoneType == 'custom' && resource.data.scope == 'municipality' && isMuniAdmin() && resource.data.municipalityId == myMunicipality()));
+      allow write: if false;
+      match /history/{version} {
+        allow read: if isActivePrivileged()
+                    && (isSuperadmin()
+                        || (resource.data.zoneType == 'reference' && isMuniAdmin())
+                        || (resource.data.zoneType == 'custom' && resource.data.scope == 'municipality' && isMuniAdmin() && resource.data.municipalityId == myMunicipality()));
+        allow write: if false;
+      }
+    }
+
+    // ================================================================
+    // Default deny — every collection not explicitly matched above.
+    // Phase 2+ will add specific match blocks for reports, report_private,
+    // report_ops, dispatches, responders, etc.
+    // ================================================================
+
+    match /{document=**} {
+      allow read, write: if false;
+    }
+  }
+}
diff --git a/infra/terraform/modules/monitoring/phase-3/main.tf b/infra/terraform/modules/monitoring/phase-3/main.tf
new file mode 100644
index 00000000..9fc1547e
--- /dev/null
+++ b/infra/terraform/modules/monitoring/phase-3/main.tf
@@ -0,0 +1,69 @@
+resource "google_logging_metric" "inbox_processed" {
+  name    = "phase3_inbox_processed_${var.environment}"
+  project = var.project_id
+  filter  = "jsonPayload.code=\"INBOX_MATERIALIZED\""
+  metric_descriptor {
+    metric_kind = "DELTA"
+    value_type  = "INT64"
+  }
+}
+
+resource "google_logging_metric" "function_errors" {
+  name    = "phase3_function_errors_${var.environment}"
+  project = var.project_id
+  filter  = "severity=\"ERROR\" AND jsonPayload.code:* AND (resource.type=\"cloud_function\" OR resource.type=\"cloud_run_revision\")"
+  metric_descriptor {
+    metric_kind = "DELTA"
+    value_type  = "INT64"
+  }
+}
+
+resource "google_logging_metric" "sweep_heavy" {
+  name    = "phase3_sweep_heavy_${var.environment}"
+  project = var.project_id
+  filter  = "jsonPayload.code=\"INBOX_RECONCILIATION_RETRY_FAILED\" AND severity=\"WARNING\""
+  metric_descriptor {
+    metric_kind = "DELTA"
+    value_type  = "INT64"
+  }
+}
+
+resource "google_monitoring_alert_policy" "function_error_rate" {
+  project      = var.project_id
+  display_name = "[P3] Function error rate high (${var.environment})"
+  combiner     = "OR"
+  conditions {
+    display_name = "errors > 1% sustained 10min"
+    condition_threshold {
+      filter          = "metric.type=\"logging.googleapis.com/user/${google_logging_metric.function_errors.name}\""
+      duration        = "600s"
+      comparison      = "COMPARISON_GT"
+      threshold_value = 5
+      aggregations {
+        alignment_period   = "60s"
+        per_series_aligner = "ALIGN_SUM"
+      }
+    }
+  }
+  notification_channels = var.notification_channel_ids
+}
+
+resource "google_monitoring_alert_policy" "sweep_alert" {
+  project      = var.project_id
+  display_name = "[P3] Inbox reconciliation sweep heavy (${var.environment})"
+  combiner     = "OR"
+  conditions {
+    display_name = "sweep flagged ERROR"
+    condition_threshold {
+      filter          = "metric.type=\"logging.googleapis.com/user/${google_logging_metric.sweep_heavy.name}\""
+      duration        = "0s"
+      comparison      = "COMPARISON_GT"
+      threshold_value = 0
+      aggregations {
+        alignment_period   = "60s"
+        per_series_aligner = "ALIGN_SUM"
+      }
+    }
+  }
+  notification_channels = var.notification_channel_ids
+}
diff --git a/infra/terraform/modules/monitoring/phase-3/outputs.tf b/infra/terraform/modules/monitoring/phase-3/outputs.tf
new file mode 100644
index 00000000..9ddd237b
--- /dev/null
+++ b/infra/terraform/modules/monitoring/phase-3/outputs.tf
@@ -0,0 +1,7 @@
+output "function_error_alert_id" {
+  value = google_monitoring_alert_policy.function_error_rate.id
+}
+
+output "sweep_alert_id" {
+  value = google_monitoring_alert_policy.sweep_alert.id
+}
diff --git a/infra/terraform/modules/monitoring/phase-3/variables.tf b/infra/terraform/modules/monitoring/phase-3/variables.tf
new file mode 100644
index 00000000..0cf5ebe6
--- /dev/null
+++ b/infra/terraform/modules/monitoring/phase-3/variables.tf
@@ -0,0 +1,15 @@
+variable "project_id" {
+  type        = string
+  description = "GCP project ID (staging or prod)."
+}
+
+variable "environment" {
+  type        = string
+  description = "Environment name (dev, staging, prod)."
+}
+
+variable "notification_channel_ids" {
+  type        = list(string)
+  description = "Cloud Monitoring notification channel IDs."
+  default     = []
+}
diff --git a/package.json b/package.json
index 5186028b..9693fb33 100644
--- a/package.json
+++ b/package.json
@@ -28,13 +28,14 @@
     "eslint-plugin-jsx-a11y": "^6.10.0",
     "eslint-plugin-react": "^7.37.1",
     "eslint-plugin-react-hooks": "^5.0.0",
+    "firebase-admin": "^13.8.0",
     "globals": "^15.10.0",
     "happy-dom": "^15.7.0",
     "husky": "^9.1.6",
     "lint-staged": "^15.2.10",
     "prettier": "^3.3.3",
-    "turbo": "^2.1.0",
     "tsx": "^4.19.0",
+    "turbo": "^2.1.0",
     "typescript": "^5.6.2",
     "typescript-eslint": "^8.8.0",
     "vitest": "^4.1.4"
diff --git a/packages/shared-validators/src/errors-and-logging.test.ts b/packages/shared-validators/src/errors-and-logging.test.ts
new file mode 100644
index 00000000..b0eac6dd
--- /dev/null
+++ b/packages/shared-validators/src/errors-and-logging.test.ts
@@ -0,0 +1,149 @@
+import { describe, it, expect } from 'vitest'
+import {
+  BantayogErrorCode,
+  isBantayogErrorCode,
+  isTerminalReportStatus,
+  isTerminalDispatchStatus,
+} from './errors.js'
+import type { ReportStatus, DispatchStatus } from './errors.js'
+import { logEvent, LOG_DIMENSION_MAX } from './logging.js'
+
+// ─── BantayogErrorCode enum ────────────────────────────────────────────────
+
+describe('BantayogErrorCode', () => {
+  it('has 18 named error codes', () => {
+    const codes = Object.values(BantayogErrorCode)
+    expect(codes).toHaveLength(18)
+  })
+
+  it('isBantayogErrorCode returns true for every enum member', () => {
+    for (const code of Object.values(BantayogErrorCode)) {
+      expect(isBantayogErrorCode(code), `${code} should be valid`).toBe(true)
+    }
+  })
+
+  it('isBantayogCode returns false for unknown strings', () => {
+    expect(isBantayogErrorCode('UNKNOWN_CODE')).toBe(false)
+    expect(isBantayogErrorCode('')).toBe(false)
+    expect(isBantayogErrorCode('validation_error')).toBe(false)
+  })
+})
+
+// ─── Terminal status helpers ─────────────────────────────────────────────────
+
+describe('isTerminalReportStatus', () => {
+  it('returns true for closed and resolved', () => {
+    expect(isTerminalReportStatus('closed')).toBe(true)
+    expect(isTerminalReportStatus('resolved')).toBe(true)
+  })
+
+  it('returns false for all other report statuses', () => {
+    const nonTerminal: ReportStatus[] = [
+      'draft_inbox',
+      'new',
+      'awaiting_verify',
+      'verified',
+      'assigned',
+      'acknowledged',
+      'en_route',
+      'on_scene',
+      'reopened',
+      'rejected',
+      'cancelled',
+      'cancelled_false_report',
+      'merged_as_duplicate',
+    ]
+    for (const s of nonTerminal) {
+      expect(isTerminalReportStatus(s), `${s} should not be terminal`).toBe(false)
+    }
+  })
+})
+
+describe('isTerminalDispatchStatus', () => {
+  it('returns true for resolved and declined', () => {
+    expect(isTerminalDispatchStatus('resolved')).toBe(true)
+    expect(isTerminalDispatchStatus('declined')).toBe(true)
+  })
+
+  it('returns false for all other dispatch statuses', () => {
+    const nonTerminal: DispatchStatus[] = [
+      'pending',
+      'accepted',
+      'acknowledged',
+      'in_progress',
+      'timed_out',
+      'cancelled',
+      'superseded',
+    ]
+    for (const s of nonTerminal) {
+      expect(isTerminalDispatchStatus(s), `${s} should not be terminal`).toBe(false)
+    }
+  })
+})
+
+// ─── logEvent dimension limits ───────────────────────────────────────────────
+
+describe('LOG_DIMENSION_MAX', () => {
+  it('is 128 characters', () => {
+    expect(LOG_DIMENSION_MAX).toBe(128)
+  })
+})
+
+// ─── logEvent structure ─────────────────────────────────────────────────────
+
+describe('logEvent', () => {
+  it('returns a structured plain object', () => {
+    const event = logEvent({
+      severity: 'INFO',
+      code: BantayogErrorCode.VALIDATION_ERROR,
+      message: 'Test event',
+      dimension: 'test_dimension',
+      data: { key: 'value' },
+    })
+    expect(event).toBeInstanceOf(Object)
+    expect(event.timestamp).toBeDefined()
+    expect(typeof event.timestamp).toBe('number')
+    expect(event.severity).toBe('INFO')
+    expect(event.code).toBe(BantayogErrorCode.VALIDATION_ERROR)
+    expect(event.message).toBe('Test event')
+    expect(event.dimension).toBe('test_dimension')
+    expect(event.data).toEqual({ key: 'value' })
+  })
+
+  it('truncates dimension to 128 chars', () => {
+    const longDimension = 'a'.repeat(200)
+    const event = logEvent({
+      severity: 'ERROR',
+      code: BantayogErrorCode.INTERNAL_ERROR,
+      message: 'msg',
+      dimension: longDimension,
+    })
+    expect(event.dimension.length).toBeLessThanOrEqual(LOG_DIMENSION_MAX)
+    expect(event.dimension).toBe('a'.repeat(LOG_DIMENSION_MAX))
+  })
+
+  it('omits data when not provided', () => {
+    const event = logEvent({
+      severity: 'WARNING',
+      code: BantayogErrorCode.INVALID_ARGUMENT,
+      message: 'Missing required field',
+      dimension: 'submit_report',
+    })
+    expect(event.data).toBeUndefined()
+  })
+
+  it('produces JSON-serializable output', () => {
+    const event = logEvent({
+      severity: 'DEBUG',
+      code: BantayogErrorCode.NOT_FOUND,
+      message: 'Report not found',
+      dimension: 'process_inbox_item',
+      data: { reportId: 'abc123', missingField: null, count: 0 },
+    })
+    const json = JSON.stringify(event)
+    const parsed = JSON.parse(json) as object
+    expect(parsed).toBeInstanceOf(Object)
+    expect(parsed).toHaveProperty('code')
+    expect(parsed).toHaveProperty('message')
+  })
+})
diff --git a/packages/shared-validators/src/errors.ts b/packages/shared-validators/src/errors.ts
new file mode 100644
index 00000000..52f59a2f
--- /dev/null
+++ b/packages/shared-validators/src/errors.ts
@@ -0,0 +1,125 @@
+/**
+ * Error types and status helpers for Bantayog Alert.
+ *
+ * BantayogError is a typed error class used across all Cloud Functions and
+ * callables. Structured error codes (BantayogErrorCode) enable front-end
+ * branch-on-error without string matching.
+ */
+import type { ReportStatus, DispatchStatus } from '@bantayog/shared-types'
+export type { ReportStatus, DispatchStatus }
+
+/**
+ * Error codes used across all Bantayog Alert services.
+ * These map to user-facing messages and determine retry behavior.
+ */
+export enum BantayogErrorCode {
+  // Validation errors — never retry without fixing input
+  VALIDATION_ERROR = 'VALIDATION_ERROR',
+  INVALID_ARGUMENT = 'INVALID_ARGUMENT',
+  UNAUTHORIZED = 'UNAUTHORIZED',
+  FORBIDDEN = 'FORBIDDEN',
+  NOT_FOUND = 'NOT_FOUND',
+  CONFLICT = 'CONFLICT',
+
+  // Quota / rate limit errors — client should back off
+  RATE_LIMITED = 'RATE_LIMITED',
+  QUOTA_EXCEEDED = 'QUOTA_EXCEEDED',
+
+  // Transient errors — eligible for retry
+  DEADLINE_EXCEEDED = 'DEADLINE_EXCEEDED',
+  SERVICE_UNAVAILABLE = 'SERVICE_UNAVAILABLE',
+  INTERNAL_ERROR = 'INTERNAL_ERROR',
+
+  // Domain-specific codes
+  REPORT_NOT_FOUND = 'REPORT_NOT_FOUND',
+  DISPATCH_NOT_FOUND = 'DISPATCH_NOT_FOUND',
+  MUNICIPALITY_NOT_FOUND = 'MUNICIPALITY_NOT_FOUND',
+  UPLOAD_URL_GENERATION_FAILED = 'UPLOAD_URL_GENERATION_FAILED',
+  MEDIA_PROCESSING_FAILED = 'MEDIA_PROCESSING_FAILED',
+  INVALID_STATUS_TRANSITION = 'INVALID_STATUS_TRANSITION',
+  IDEMPOTENCY_KEY_CONFLICT = 'IDEMPOTENCY_KEY_CONFLICT',
+}
+
+/**
+ * Returns true if the given string is a valid BantayogErrorCode.
+ * Useful for narrowing unknown error code values from external sources.
+ */
+export function isBantayogErrorCode(value: string): value is BantayogErrorCode {
+  return Object.values(BantayogErrorCode).includes(value as BantayogErrorCode)
+}
+
+/**
+ * Returns true if the given report status is terminal (no further transitions
+ * are valid — spec §5.3).
+ */
+export function isTerminalReportStatus(status: ReportStatus): boolean {
+  return status === 'closed' || status === 'resolved'
+}
+
+/**
+ * Returns true if the given dispatch status is terminal (no further transitions
+ * are valid for the responder — spec §5.4).
+ */
+export function isTerminalDispatchStatus(status: DispatchStatus): boolean {
+  return status === 'resolved' || status === 'declined'
+}
+
+/**
+ * BantayogError is a structured error with a machine-readable code, a safe
+ * user message, and an optional payload. It serializes safely to JSON and
+ * can be thrown across async boundaries without losing context.
+ */
+export class BantayogError extends Error {
+  constructor(
+    public readonly code: BantayogErrorCode,
+    message: string,
+    public readonly data?: Record<string, unknown>,
+  ) {
+    super(message)
+    this.name = 'BantayogError'
+    // captureStackTrace is only available in V8; keep conditional for test envs
+    if (typeof Error.captureStackTrace === 'function') {
+      Error.captureStackTrace(this, BantayogError)
+    }
+  }
+
+  toJSON(): object {
+    return {
+      name: this.name,
+      code: this.code,
+      message: this.message,
+      ...(this.data ? { data: this.data } : {}),
+    }
+  }
+}
+
+/**
+ * Create a BantayogError with a NOT_FOUND code and entity identifiers.
+ * Convenience factory used across callables and triggers.
+ */
+export function notFoundError(
+  entity: string,
+  id: string,
+  data?: Record<string, unknown>,
+): BantayogError {
+  return new BantayogError(BantayogErrorCode.NOT_FOUND, `${entity} '${id}' not found`, {
+    entityId: id,
+    entityType: entity,
+    ...data,
+  })
+}
+
+/**
+ * Create a BantayogError with a INVALID_STATUS_TRANSITION code.
+ */
+export function invalidTransitionError(
+  from: string,
+  to: string,
+  context?: Record<string, unknown>,
+): BantayogError {
+  return new BantayogError(
+    BantayogErrorCode.INVALID_STATUS_TRANSITION,
+    `Invalid transition: ${from} → ${to}`,
+    { from, to, ...context },
+  )
+}
diff --git a/packages/shared-validators/src/index.ts b/packages/shared-validators/src/index.ts
index fba267e7..b694af36 100644
--- a/packages/shared-validators/src/index.ts
+++ b/packages/shared-validators/src/index.ts
@@ -15,6 +15,7 @@ export {
   reportContactsDocSchema,
   reportLookupDocSchema,
   reportInboxDocSchema,
+  inboxPayloadSchema,
   hazardTagSchema,
 } from './reports.js'
 export type {
@@ -25,6 +26,7 @@ export type {
   ReportContactsDoc,
   ReportLookupDoc,
   ReportInboxDoc,
+  InboxPayload,
   HazardTag,
 } from './reports.js'
 export { dispatchDocSchema, dispatchStatusSchema } from './dispatches.js'
@@ -75,3 +77,28 @@ export { deadLetterDocSchema } from './dead-letters.js'
 export type { DeadLetterDoc } from './dead-letters.js'
 export { alertDocSchema, emergencyDocSchema } from './alerts-emergencies.js'
 export type { AlertDoc, EmergencyDoc } from './alerts-emergencies.js'
+export { municipalityDocSchema, CAMARINES_NORTE_MUNICIPALITIES } from './municipalities.js'
+export type { MunicipalityDoc } from './municipalities.js'
+export {
+  REPORT_STATES,
+  REPORT_TRANSITIONS,
+  isValidReportTransition,
+} from './state-machines/report-states.js'
+export {
+  DISPATCH_STATES,
+  DISPATCH_TRANSITIONS,
+  isValidDispatchTransition,
+} from './state-machines/dispatch-states.js'
+export type { ReportStatus } from './state-machines/report-states.js'
+export type { DispatchStatus } from './state-machines/dispatch-states.js'
+export {
+  BantayogErrorCode,
+  isBantayogErrorCode,
+  isTerminalReportStatus,
+  isTerminalDispatchStatus,
+  BantayogError,
+  notFoundError,
+  invalidTransitionError,
+} from './errors.js'
+export { logEvent, logDimension, LOG_DIMENSION_MAX } from './logging.js'
+export type { LogEntry, LogSeverity } from './logging.js'
diff --git a/packages/shared-validators/src/logging.ts b/packages/shared-validators/src/logging.ts
new file mode 100644
index 00000000..62a1f839
--- /dev/null
+++ b/packages/shared-validators/src/logging.ts
@@ -0,0 +1,108 @@
+/**
+ * Structured logging helpers for Bantayog Alert Cloud Functions.
+ *
+ * Cloud Logging accepts structured JSON payloads. Using a typed helper ensures
+ * every log entry has a consistent shape with machine-readable `code` and a
+ * human-readable `message`, enabling efficient log filtering and alerting.
+ */
+
+/** Maximum character length for log dimension values (Cloud Logging limit). */
+export const LOG_DIMENSION_MAX = 128
+
+/**
+ * Log event severity levels, matching Cloud Logging severity semantics.
+ */
+export type LogSeverity = 'DEBUG' | 'INFO' | 'WARNING' | 'ERROR' | 'CRITICAL'
+
+/**
+ * A structured log entry suitable for Cloud Logging ingestion.
+ * All string fields (message, dimension) are truncated to LOG_DIMENSION_MAX.
+ */
+export interface LogEntry {
+  /** Unix epoch milliseconds when the entry was created. */
+  timestamp: number
+  severity: LogSeverity
+  /**
+   * BantayogErrorCode or a service-specific string.
+   * Examples: 'VALIDATION_ERROR', 'requestUploadUrl.called'
+   */
+  code: string
+  /**
+   * Alias for monitoring filters expecting `event`.
+   * Duplicates `code` for backward compatibility with existing Terraform filters.
+   */
+  event: string
+  /** Human-readable description of the event. */
+  message: string
+  /**
+   * Logical grouping dimension (e.g. 'processInboxItem', 'requestLookup').
+   * Used for log-based alerting and log filtering in Cloud Console.
+   */
+  dimension: string
+  /**
+   * Optional structured payload. The contents are not pre-validated —
+   * callers are responsible for ensuring the data is serializable.
+   */
+  data?: Record<string, unknown>
+}
+
+/**
+ * Emit a structured log entry. In local development, serializes to console.
+ * In Cloud Functions (GCP), the structured logger writes directly to
+ * Cloud Logging with severity routing and log-based alerts.
+ *
+ * @param entry - Log entry fields (all except timestamp are required)
+ * @returns The complete LogEntry with timestamp populated
+ */
+export function logEvent(entry: {
+  severity: LogSeverity
+  code: string
+  message: string
+  dimension: string
+  data?: Record<string, unknown>
+}): LogEntry {
+  const dimension =
+    entry.dimension.length > LOG_DIMENSION_MAX
+      ? entry.dimension.substring(0, LOG_DIMENSION_MAX)
+      : entry.dimension
+
+  const logEntry: LogEntry = {
+    timestamp: Date.now(),
+    severity: entry.severity,
+    code: entry.code,
+    event: entry.code,
+    message: entry.message,
+    dimension,
+    ...(entry.data !== undefined ? { data: entry.data } : {}),
+  }
+
+  // Route to appropriate console method so Cloud Logging reads correct severity.
+  const json = JSON.stringify(logEntry)
+  if (entry.severity === 'ERROR' || entry.severity === 'CRITICAL') {
+    console.error(json)
+  } else if (entry.severity === 'WARNING') {
+    console.warn(json)
+  } else if (entry.severity === 'INFO') {
+    // eslint-disable-next-line no-console
+    console.log(json)
+  } else {
+    // DEBUG and any other value
+    // eslint-disable-next-line no-console
+    console.debug(json)
+  }
+
+  return logEntry
+}
+
+/**
+ * Factory for logEvent with pre-bound dimension. Use when a single operation
+ * (e.g. processInboxItem) emits multiple log entries.
+ *
+ * @example
+ * const log = logDimension('processInboxItem')
+ * log({ severity: 'INFO', code: 'PROCESS_START', message: 'Processing inbox item', data: { inboxId } })
+ */
+export function logDimension(dimension: string) {
+  return (entry: Omit<Parameters<typeof logEvent>[0], 'dimension'>): LogEntry =>
+    logEvent({ ...entry, dimension })
+}
diff --git a/packages/shared-validators/src/municipalities.ts b/packages/shared-validators/src/municipalities.ts
new file mode 100644
index 00000000..4639440d
--- /dev/null
+++ b/packages/shared-validators/src/municipalities.ts
@@ -0,0 +1,94 @@
+import { z } from 'zod'
+
+export const municipalityDocSchema = z
+  .object({
+    id: z.string().min(1).max(32),
+    label: z.string().min(1).max(64),
+    provinceId: z.string().min(1).max(32),
+    centroid: z
+      .object({
+        lat: z.number(),
+        lng: z.number(),
+      })
+      .strict(),
+    schemaVersion: z.number().int().positive(),
+  })
+  .strict()
+
+export type MunicipalityDoc = z.infer<typeof municipalityDocSchema>
+
+// Seed constant for the Phase 3 pilot province.
+export const CAMARINES_NORTE_MUNICIPALITIES: readonly Omit<MunicipalityDoc, 'schemaVersion'>[] = [
+  {
+    id: 'daet',
+    label: 'Daet',
+    provinceId: 'camarines-norte',
+    centroid: { lat: 14.1121, lng: 122.9554 },
+  },
+  {
+    id: 'basud',
+    label: 'Basud',
+    provinceId: 'camarines-norte',
+    centroid: { lat: 14.0661, lng: 122.9561 },
+  },
+  {
+    id: 'capalonga',
+    label: 'Capalonga',
+    provinceId: 'camarines-norte',
+    centroid: { lat: 14.3339, lng: 122.504 },
+  },
+  {
+    id: 'jose-panganiban',
+    label: 'Jose Panganiban',
+    provinceId: 'camarines-norte',
+    centroid: { lat: 14.293, lng: 122.69 },
+  },
+  {
+    id: 'labo',
+    label: 'Labo',
+    provinceId: 'camarines-norte',
+    centroid: { lat: 14.157, lng: 122.83 },
+  },
+  {
+    id: 'mercedes',
+    label: 'Mercedes',
+    provinceId: 'camarines-norte',
+    centroid: { lat: 14.1061, lng: 123.0125 },
+  },
+  {
+    id: 'paracale',
+    label: 'Paracale',
+    provinceId: 'camarines-norte',
+    centroid: { lat: 14.284, lng: 122.786 },
+  },
+  {
+    id: 'san-lorenzo-ruiz',
+    label: 'San Lorenzo Ruiz',
+    provinceId: 'camarines-norte',
+    centroid: { lat: 14.132, lng: 122.76 },
+  },
+  {
+    id: 'san-vicente',
+    label: 'San Vicente',
+    provinceId: 'camarines-norte',
+    centroid: { lat: 14.098, lng: 122.876 },
+  },
+  {
+    id: 'santa-elena',
+    label: 'Santa Elena',
+    provinceId: 'camarines-norte',
+    centroid: { lat: 14.213, lng: 122.381 },
+  },
+  {
+    id: 'talisay',
+    label: 'Talisay',
+    provinceId: 'camarines-norte',
+    centroid: { lat: 14.137, lng: 122.922 },
+  },
+  {
+    id: 'vinzons',
+    label: 'Vinzons',
+    provinceId: 'camarines-norte',
+    centroid: { lat: 14.172, lng: 122.908 },
+  },
+]
diff --git a/packages/shared-validators/src/reports.test.ts b/packages/shared-validators/src/reports.test.ts
index d417b9bc..08e04da8 100644
--- a/packages/shared-validators/src/reports.test.ts
+++ b/packages/shared-validators/src/reports.test.ts
@@ -17,6 +17,7 @@ describe('reportDocSchema', () => {
     expect(
       reportDocSchema.parse({
         municipalityId: 'daet',
+        municipalityLabel: 'Daet',
         barangayId: 'calasgasan',
         reporterRole: 'citizen',
         reportType: 'flood',
@@ -33,6 +34,7 @@ describe('reportDocSchema', () => {
         source: 'web',
         hasPhotoAndGPS: false,
         schemaVersion: 1,
+        correlationId: '11111111-1111-4111-8111-111111111111',
       }),
     ).toMatchObject({ status: 'verified' })
   })
@@ -41,10 +43,11 @@ describe('reportDocSchema', () => {
     expect(() =>
       reportDocSchema.parse({
         municipalityId: 'daet',
+        municipalityLabel: 'Daet',
         reporterRole: 'citizen',
         reportType: 'flood',
         severity: 'high',
-        status: 'triaged', // not a valid ReportStatus
+        status: 'triaged',
         mediaRefs: [],
         description: 'x',
         submittedAt: ts,
@@ -54,6 +57,7 @@ describe('reportDocSchema', () => {
         source: 'web',
         hasPhotoAndGPS: false,
         schemaVersion: 1,
+        correlationId: '11111111-1111-4111-8111-111111111111',
       }),
     ).toThrow()
   })
@@ -62,6 +66,7 @@ describe('reportDocSchema', () => {
     expect(() =>
       reportDocSchema.parse({
         municipalityId: 'daet',
+        municipalityLabel: 'Daet',
         reporterRole: 'citizen',
         reportType: 'flood',
         severity: 'high',
@@ -75,7 +80,8 @@ describe('reportDocSchema', () => {
         source: 'web',
         hasPhotoAndGPS: false,
         schemaVersion: 1,
-        unknownField: 'oops', // should be rejected
+        correlationId: '11111111-1111-4111-8111-111111111111',
+        unknownField: 'oops',
       }),
     ).toThrow()
   })
@@ -148,7 +154,7 @@ describe('reportSharingDocSchema', () => {
       reportSharingDocSchema.parse({
         ownerMunicipalityId: 'daet',
         reportId: 'r-1',
-        sharedWith: 'mercedes', // should be array
+        sharedWith: 'mercedes',
         createdAt: ts,
         updatedAt: ts,
         schemaVersion: 1,
@@ -176,12 +182,14 @@ describe('reportLookupDocSchema', () => {
   it('accepts a lookup doc', () => {
     expect(
       reportLookupDocSchema.parse({
-        publicTrackingRef: 'TRK-ABC-123',
+        publicTrackingRef: 'a1b2c3d4',
         reportId: 'r-1',
+        tokenHash: 'f'.repeat(64),
+        expiresAt: 1716000000000,
         createdAt: ts,
         schemaVersion: 1,
       }),
-    ).toMatchObject({ publicTrackingRef: 'TRK-ABC-123' })
+    ).toMatchObject({ publicTrackingRef: 'a1b2c3d4' })
   })
 })
 
@@ -214,6 +222,88 @@ describe('reportInboxDocSchema', () => {
   })
 })
 
+describe('hazardTagSchema', () => {
+  it('accepts a hazard tag', () => {
+    expect(
+      hazardTagSchema.parse({
+        hazardZoneId: 'hz-1',
+        geohash: 'qxdsun',
+        hazardType: 'flood',
+      }),
+    ).toMatchObject({ geohash: 'qxdsun' })
+  })
+
+  it('rejects invalid hazardType', () => {
+    expect(() =>
+      hazardTagSchema.parse({
+        hazardZoneId: 'hz-1',
+        geohash: 'qxdsun',
+        hazardType: 'fire',
+      }),
+    ).toThrow()
+  })
+})
+
+describe('reportDocSchema Phase 3 deltas', () => {
+  const validBase = {
+    municipalityId: 'daet',
+    municipalityLabel: 'Daet',
+    barangayId: 'daet-1',
+    reporterRole: 'citizen' as const,
+    reportType: 'flood' as const,
+    severity: 'high' as const,
+    status: 'new' as const,
+    publicLocation: { lat: 14.1, lng: 122.9 },
+    mediaRefs: [],
+    description: 'flooded road',
+    submittedAt: 1713350400000,
+    retentionExempt: false,
+    visibilityClass: 'internal' as const,
+    visibility: { scope: 'municipality' as const, sharedWith: [] },
+    source: 'web' as const,
+    hasPhotoAndGPS: false,
+    schemaVersion: 1,
+    correlationId: '11111111-1111-4111-8111-111111111111',
+  }
+
+  it('accepts a valid report with municipalityLabel and correlationId', () => {
+    expect(() => reportDocSchema.parse(validBase)).not.toThrow()
+  })
+
+  it('rejects a missing municipalityLabel', () => {
+    const { municipalityLabel, ...rest } = validBase
+    void municipalityLabel
+    expect(() => reportDocSchema.parse(rest)).toThrow()
+  })
+
+  it('rejects a non-UUID correlationId', () => {
+    expect(() => reportDocSchema.parse({ ...validBase, correlationId: 'not-a-uuid' })).toThrow()
+  })
+
+  it('rejects an empty municipalityLabel', () => {
+    expect(() => reportDocSchema.parse({ ...validBase, municipalityLabel: '' })).toThrow()
+  })
+})
+
+describe('reportLookupDocSchema Phase 3 deltas', () => {
+  const valid = {
+    publicTrackingRef: 'a1b2c3d4',
+    reportId: 'rpt-1',
+    tokenHash: 'a'.repeat(64),
+    expiresAt: 1716000000000,
+    createdAt: 1713350400000,
+    schemaVersion: 1,
+  }
+
+  it('accepts a lookup with tokenHash and expiresAt', () => {
+    expect(() => reportLookupDocSchema.parse(valid)).not.toThrow()
+  })
+
+  it('rejects a non-hex tokenHash', () => {
+    expect(() => reportLookupDocSchema.parse({ ...valid, tokenHash: 'z'.repeat(64) })).toThrow()
+  })
+})
+
 describe('reportInboxDocSchema Phase 3 deltas', () => {
   const validInbox = {
     reporterUid: 'citizen-1',
@@ -245,25 +335,3 @@ describe('reportInboxDocSchema Phase 3 deltas', () => {
     expect(() => reportInboxDocSchema.parse({ ...validInbox, correlationId: 'x' })).toThrow()
   })
 })
-
-describe('hazardTagSchema', () => {
-  it('accepts a hazard tag', () => {
-    expect(
-      hazardTagSchema.parse({
-        hazardZoneId: 'hz-1',
-        geohash: 'qxdsun',
-        hazardType: 'flood',
-      }),
-    ).toMatchObject({ geohash: 'qxdsun' })
-  })
-
-  it('rejects invalid hazardType', () => {
-    expect(() =>
-      hazardTagSchema.parse({
-        hazardZoneId: 'hz-1',
-        geohash: 'qxdsun',
-        hazardType: 'fire', // not in HazardType enum
-      }),
-    ).toThrow()
-  })
-})
diff --git a/packages/shared-validators/src/reports.ts b/packages/shared-validators/src/reports.ts
index 5649d7b7..846c1ef1 100644
--- a/packages/shared-validators/src/reports.ts
+++ b/packages/shared-validators/src/reports.ts
@@ -67,6 +67,8 @@ export const reportDocSchema = z
     source: z.enum(['web', 'sms', 'responder_witness']),
     hasPhotoAndGPS: z.boolean().default(false),
     schemaVersion: z.number().int().positive(),
+    municipalityLabel: z.string().min(1).max(64),
+    correlationId: z.uuid(),
   })
   .strict()
 
@@ -146,8 +148,10 @@ export const reportContactsDocSchema = z
 // reportLookupDocSchema — lookup document
 export const reportLookupDocSchema = z
   .object({
-    publicTrackingRef: z.string().min(1),
+    publicTrackingRef: z.string().regex(/^[a-z0-9]{8}$/),
     reportId: z.string().min(1),
+    tokenHash: z.string().regex(/^[a-f0-9]{64}$/),
+    expiresAt: z.number().int(),
     createdAt: z.number().int(),
     schemaVersion: z.number().int().positive(),
   })
@@ -163,6 +167,7 @@ export const reportInboxDocSchema = z
     secretHash: z.string().regex(/^[a-f0-9]{64}$/),
     correlationId: z.uuid(),
     payload: z.record(z.string(), z.unknown()),
+    processedAt: z.number().int().optional(),
   })
   .strict()
 
@@ -174,3 +179,22 @@ export type ReportSharingDoc = z.infer<typeof reportSharingDocSchema>
 export type ReportContactsDoc = z.infer<typeof reportContactsDocSchema>
 export type ReportLookupDoc = z.infer<typeof reportLookupDocSchema>
 export type ReportInboxDoc = z.infer<typeof reportInboxDocSchema>
+
+// inboxPayloadSchema — validated payload inside report_inbox docs
+export const inboxPayloadSchema = z
+  .object({
+    reportType: z.string().min(1).max(32),
+    description: z.string().min(1).max(5000),
+    severity: z.enum(['low', 'medium', 'high']),
+    source: z.enum(['web', 'sms', 'responder_witness']),
+    publicLocation: z
+      .object({
+        lat: z.number().min(-90).max(90),
+        lng: z.number().min(-180).max(180),
+      })
+      .strict(),
+    pendingMediaIds: z.array(z.string().min(1)).optional(),
+  })
+  .strict()
+
+export type InboxPayload = z.infer<typeof inboxPayloadSchema>
diff --git a/packages/shared-validators/src/state-machines.test.ts b/packages/shared-validators/src/state-machines.test.ts
new file mode 100644
index 00000000..0ca9de62
--- /dev/null
+++ b/packages/shared-validators/src/state-machines.test.ts
@@ -0,0 +1,96 @@
+import { describe, it, expect } from 'vitest'
+import {
+  REPORT_STATES,
+  REPORT_TRANSITIONS,
+  DISPATCH_STATES,
+  DISPATCH_TRANSITIONS,
+  isValidReportTransition,
+  isValidDispatchTransition,
+} from './state-machines/index.js'
+import type { ReportStatus, DispatchStatus } from './state-machines/index.js'
+
+// Report state machine: exhaustive matrix — every declared transition valid, all
+// others invalid. This is the codegen source-of-truth for both TypeScript and
+// Firestore rules transition tables.
+describe('report state machine', () => {
+  it('REPORT_STATES has 15 members (spec §5.3)', () => {
+    expect(REPORT_STATES).toHaveLength(15)
+  })
+
+  it('REPORT_TRANSITIONS has 22 declared transitions (spec §5.3)', () => {
+    expect(REPORT_TRANSITIONS).toHaveLength(22)
+  })
+
+  it('every declared transition is valid', () => {
+    for (const [from, to] of REPORT_TRANSITIONS) {
+      expect(isValidReportTransition(from, to), `${from} → ${to} should be valid`).toBe(true)
+    }
+  })
+
+  it('all undeclared transitions are invalid (exhaustive matrix)', () => {
+    let invalidCount = 0
+    for (const from of REPORT_STATES) {
+      for (const to of REPORT_STATES) {
+        if (from === to) {
+          // Self-transitions are not declared — confirm they fail
+          expect(isValidReportTransition(from, to), `${from}→${to} self-transition`).toBe(false)
+          invalidCount++
+        } else {
+          const declared = REPORT_TRANSITIONS.some(([f, t]) => f === from && t === to)
+          if (!declared) {
+            expect(isValidReportTransition(from, to), `${from}→${to} should be invalid`).toBe(false)
+            invalidCount++
+          }
+        }
+      }
+    }
+    // 15 states × 15 states = 225 total; 22 declared valid means 203 invalid
+    expect(invalidCount).toBe(203)
+  })
+})
+
+// Dispatch state machine: only responder-direct transitions live in the rules
+// layer (spec §5.4). Server-authoritative transitions are enforced in callables.
+describe('dispatch state machine', () => {
+  it('DISPATCH_STATES has 9 members', () => {
+    expect(DISPATCH_STATES).toHaveLength(9)
+  })
+
+  it('DISPATCH_TRANSITIONS has 4 declared responder transitions', () => {
+    expect(DISPATCH_TRANSITIONS).toHaveLength(4)
+  })
+
+  it('every declared responder-direct transition is valid', () => {
+    for (const [from, to] of DISPATCH_TRANSITIONS) {
+      expect(isValidDispatchTransition(from, to), `${from} → ${to} should be valid`).toBe(true)
+    }
+  })
+
+  it('all undeclared responder transitions are invalid', () => {
+    for (const from of DISPATCH_STATES) {
+      for (const to of DISPATCH_STATES) {
+        if (from === to) {
+          expect(isValidDispatchTransition(from, to)).toBe(false)
+          continue
+        }
+        const declared = DISPATCH_TRANSITIONS.some(([f, t]) => f === from && t === to)
+        if (!declared) {
+          expect(isValidDispatchTransition(from, to), `${from}→${to} should be invalid`).toBe(false)
+        }
+      }
+    }
+  })
+})
+
+// Type exports are accessible
+describe('type exports', () => {
+  it('ReportStatus is exported and constructible as a literal', () => {
+    const s: ReportStatus = 'new'
+    expect(s).toBe('new')
+  })
+
+  it('DispatchStatus is exported and constructible as a literal', () => {
+    const s: DispatchStatus = 'accepted'
+    expect(s).toBe('accepted')
+  })
+})
diff --git a/packages/shared-validators/src/state-machines/dispatch-states.ts b/packages/shared-validators/src/state-machines/dispatch-states.ts
new file mode 100644
index 00000000..5ca5e3fc
--- /dev/null
+++ b/packages/shared-validators/src/state-machines/dispatch-states.ts
@@ -0,0 +1,14 @@
+/**
+ * Dispatch state machine — spec §5.4.
+ *
+ * Only responder-direct transitions are enforced at the Firestore rules layer.
+ * Server-authoritative transitions (e.g. incident closure cascading to dispatch
+ * resolution, or timeout → timed_out) live in Cloud Functions callables where
+ * the full business logic is available.
+ */
+export {
+  DISPATCH_STATES,
+  DISPATCH_TRANSITIONS,
+  isValidDispatchTransition,
+} from './report-states.js'
+export type { DispatchStatus } from '@bantayog/shared-types'
diff --git a/packages/shared-validators/src/state-machines/index.ts b/packages/shared-validators/src/state-machines/index.ts
new file mode 100644
index 00000000..5d6bc766
--- /dev/null
+++ b/packages/shared-validators/src/state-machines/index.ts
@@ -0,0 +1,13 @@
+/**
+ * State machine barrel — re-exports ReportStatus, DispatchStatus, and helpers
+ * so consumers get a single import point.
+ */
+export { REPORT_STATES, REPORT_TRANSITIONS, isValidReportTransition } from './report-states.js'
+export type { ReportStatus } from './report-states.js'
+
+export {
+  DISPATCH_STATES,
+  DISPATCH_TRANSITIONS,
+  isValidDispatchTransition,
+} from './dispatch-states.js'
+export type { DispatchStatus } from './dispatch-states.js'
diff --git a/packages/shared-validators/src/state-machines/report-states.ts b/packages/shared-validators/src/state-machines/report-states.ts
new file mode 100644
index 00000000..6e0e1701
--- /dev/null
+++ b/packages/shared-validators/src/state-machines/report-states.ts
@@ -0,0 +1,94 @@
+/**
+ * State machine transition tables.
+ *
+ * These are the codegen source-of-truth for both TypeScript and Firestore rules
+ * transition tables (see `scripts/build-rules.ts`). Any transition not in the
+ * declared set must be rejected at the rules layer.
+ */
+
+// Re-export enums so consumers don't need a direct dependency on shared-types.
+import type { ReportStatus, DispatchStatus } from '@bantayog/shared-types'
+export type { ReportStatus, DispatchStatus }
+
+// Spec §5.3 — all 15 report lifecycle states (includes `draft_inbox` pre-materialisation).
+export const REPORT_STATES = [
+  'draft_inbox',
+  'new',
+  'awaiting_verify',
+  'verified',
+  'assigned',
+  'acknowledged',
+  'en_route',
+  'on_scene',
+  'resolved',
+  'closed',
+  'reopened',
+  'rejected',
+  'cancelled',
+  'cancelled_false_report',
+  'merged_as_duplicate',
+] as const
+
+// Spec §5.3 — every valid report state transition.
+export const REPORT_TRANSITIONS: readonly [ReportStatus, ReportStatus][] = [
+  ['draft_inbox', 'new'],
+  ['draft_inbox', 'rejected'],
+  ['new', 'awaiting_verify'],
+  ['new', 'merged_as_duplicate'],
+  ['awaiting_verify', 'verified'],
+  ['awaiting_verify', 'merged_as_duplicate'],
+  ['awaiting_verify', 'cancelled_false_report'],
+  ['verified', 'assigned'],
+  ['assigned', 'acknowledged'],
+  ['acknowledged', 'en_route'],
+  ['en_route', 'on_scene'],
+  ['on_scene', 'resolved'],
+  ['resolved', 'closed'],
+  ['closed', 'reopened'],
+  ['reopened', 'assigned'],
+  // Admin cancellations from any active state
+  ['new', 'cancelled'],
+  ['awaiting_verify', 'cancelled'],
+  ['verified', 'cancelled'],
+  ['assigned', 'cancelled'],
+  ['acknowledged', 'cancelled'],
+  ['en_route', 'cancelled'],
+  ['on_scene', 'cancelled'],
+] as const
+
+// Spec §5.4 — dispatch lifecycle states.
+export const DISPATCH_STATES = [
+  'pending',
+  'accepted',
+  'acknowledged',
+  'in_progress',
+  'resolved',
+  'declined',
+  'timed_out',
+  'cancelled',
+  'superseded',
+] as const
+
+/**
+ * Only responder-direct transitions are enforced at the rules layer.
+ * Server-authoritative transitions (e.g. pending→resolved when incident is closed)
+ * are enforced in Cloud Functions callables.
+ */
+export const DISPATCH_TRANSITIONS: readonly [DispatchStatus, DispatchStatus][] = [
+  ['accepted', 'acknowledged'],
+  ['acknowledged', 'in_progress'],
+  ['in_progress', 'resolved'],
+  ['pending', 'declined'],
+] as const
+
+export function isValidReportTransition(from: ReportStatus, to: ReportStatus): boolean {
+  return (REPORT_TRANSITIONS as readonly [string, string][]).some(
+    ([f, t]) => f === from && t === to,
+  )
+}
+
+export function isValidDispatchTransition(from: DispatchStatus, to: DispatchStatus): boolean {
+  return (DISPATCH_TRANSITIONS as readonly [string, string][]).some(
+    ([f, t]) => f === from && t === to,
+  )
+}
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 027cf596..de4f0072 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -29,6 +29,9 @@ importers:
       eslint-plugin-react-hooks:
         specifier: ^5.0.0
         version: 5.2.0(eslint@9.39.4)
+      firebase-admin:
+        specifier: ^13.8.0
+        version: 13.8.0
       globals:
         specifier: ^15.10.0
         version: 15.15.0
@@ -99,12 +102,18 @@ importers:
       '@bantayog/shared-ui':
         specifier: workspace:*
         version: link:../../packages/shared-ui
+      firebase:
+        specifier: ^12.12.0
+        version: 12.12.0
       react:
         specifier: ^19.2.5
         version: 19.2.5
       react-dom:
         specifier: ^19.2.5
         version: 19.2.5(react@19.2.5)
+      react-router-dom:
+        specifier: ^7.14.1
+        version: 7.14.1(react-dom@19.2.5(react@19.2.5))(react@19.2.5)
     devDependencies:
       '@testing-library/jest-dom':
         specifier: ^6.4.0
@@ -167,12 +176,24 @@ importers:
       '@bantayog/shared-validators':
         specifier: workspace:*
         version: link:../packages/shared-validators
+      exifr:
+        specifier: ^7.1.3
+        version: 7.1.3
+      file-type:
+        specifier: ^22.0.1
+        version: 22.0.1
       firebase-admin:
         specifier: ^13.8.0
         version: 13.8.0
       firebase-functions:
         specifier: ^7.2.5
         version: 7.2.5(firebase-admin@13.8.0)
+      sharp:
+        specifier: ^0.34.5
+        version: 0.34.5
+      zod:
+        specifier: ^4.3.6
+        version: 4.3.6
     devDependencies:
       '@firebase/rules-unit-testing':
         specifier: ^5.0.0
@@ -409,6 +430,9 @@ packages:
     resolution: {integrity: sha512-6zABk/ECA/QYSCQ1NGiVwwbQerUCZ+TQbp64Q3AgmfNvurHH0j8TtXa1qbShXA6qqkpAj4V5W8pP6mLe1mcMqA==}
     engines: {node: '>=18'}
 
+  '@borewit/text-codec@0.2.2':
+    resolution: {integrity: sha512-DDaRehssg1aNrH4+2hnj1B7vnUGEjU6OIlyRdkMd0aUdIUvKXrJfXsy8LVtXAy7DRvYVluWbMspsRhz2lcW0mQ==}
+
   '@capacitor/cli@8.3.1':
     resolution: {integrity: sha512-1sPGW4THTDfR6YjXwZ0jM7oAfAtciPOHN00qs/3sNAQx1kKrrEYSfDPwCm1/xlAgi0OeL69SiRfw314Ans+1sw==}
     engines: {node: '>=22.0.0'}
@@ -899,6 +923,143 @@ packages:
     resolution: {integrity: sha512-bV0Tgo9K4hfPCek+aMAn81RppFKv2ySDQeMoSZuvTASywNTnVJCArCZE2FWqpvIatKu7VMRLWlR1EazvVhDyhQ==}
     engines: {node: '>=18.18'}
 
+  '@img/colour@1.1.0':
+    resolution: {integrity: sha512-Td76q7j57o/tLVdgS746cYARfSyxk8iEfRxewL9h4OMzYhbW4TAcppl0mT4eyqXddh6L/jwoM75mo7ixa/pCeQ==}
+    engines: {node: '>=18'}
+
+  '@img/sharp-darwin-arm64@0.34.5':
+    resolution: {integrity: sha512-imtQ3WMJXbMY4fxb/Ndp6HBTNVtWCUI0WdobyheGf5+ad6xX8VIDO8u2xE4qc/fr08CKG/7dDseFtn6M6g/r3w==}
+    engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
+    cpu: [arm64]
+    os: [darwin]
+
+  '@img/sharp-darwin-x64@0.34.5':
+    resolution: {integrity: sha512-YNEFAF/4KQ/PeW0N+r+aVVsoIY0/qxxikF2SWdp+NRkmMB7y9LBZAVqQ4yhGCm/H3H270OSykqmQMKLBhBJDEw==}
+    engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
+    cpu: [x64]
+    os: [darwin]
+
+  '@img/sharp-libvips-darwin-arm64@1.2.4':
+    resolution: {integrity: sha512-zqjjo7RatFfFoP0MkQ51jfuFZBnVE2pRiaydKJ1G/rHZvnsrHAOcQALIi9sA5co5xenQdTugCvtb1cuf78Vf4g==}
+    cpu: [arm64]
+    os: [darwin]
+
+  '@img/sharp-libvips-darwin-x64@1.2.4':
+    resolution: {integrity: sha512-1IOd5xfVhlGwX+zXv2N93k0yMONvUlANylbJw1eTah8K/Jtpi15KC+WSiaX/nBmbm2HxRM1gZ0nSdjSsrZbGKg==}
+    cpu: [x64]
+    os: [darwin]
+
+  '@img/sharp-libvips-linux-arm64@1.2.4':
+    resolution: {integrity: sha512-excjX8DfsIcJ10x1Kzr4RcWe1edC9PquDRRPx3YVCvQv+U5p7Yin2s32ftzikXojb1PIFc/9Mt28/y+iRklkrw==}
+    cpu: [arm64]
+    os: [linux]
+
+  '@img/sharp-libvips-linux-arm@1.2.4':
+    resolution: {integrity: sha512-bFI7xcKFELdiNCVov8e44Ia4u2byA+l3XtsAj+Q8tfCwO6BQ8iDojYdvoPMqsKDkuoOo+X6HZA0s0q11ANMQ8A==}
+    cpu: [arm]
+    os: [linux]
+
+  '@img/sharp-libvips-linux-ppc64@1.2.4':
+    resolution: {integrity: sha512-FMuvGijLDYG6lW+b/UvyilUWu5Ayu+3r2d1S8notiGCIyYU/76eig1UfMmkZ7vwgOrzKzlQbFSuQfgm7GYUPpA==}
+    cpu: [ppc64]
+    os: [linux]
+
+  '@img/sharp-libvips-linux-riscv64@1.2.4':
+    resolution: {integrity: sha512-oVDbcR4zUC0ce82teubSm+x6ETixtKZBh/qbREIOcI3cULzDyb18Sr/Wcyx7NRQeQzOiHTNbZFF1UwPS2scyGA==}
+    cpu: [riscv64]
+    os: [linux]
+
+  '@img/sharp-libvips-linux-s390x@1.2.4':
+    resolution: {integrity: sha512-qmp9VrzgPgMoGZyPvrQHqk02uyjA0/QrTO26Tqk6l4ZV0MPWIW6LTkqOIov+J1yEu7MbFQaDpwdwJKhbJvuRxQ==}
+    cpu: [s390x]
+    os: [linux]
+
+  '@img/sharp-libvips-linux-x64@1.2.4':
+    resolution: {integrity: sha512-tJxiiLsmHc9Ax1bz3oaOYBURTXGIRDODBqhveVHonrHJ9/+k89qbLl0bcJns+e4t4rvaNBxaEZsFtSfAdquPrw==}
+    cpu: [x64]
+    os: [linux]
+
+  '@img/sharp-libvips-linuxmusl-arm64@1.2.4':
+    resolution: {integrity: sha512-FVQHuwx1IIuNow9QAbYUzJ+En8KcVm9Lk5+uGUQJHaZmMECZmOlix9HnH7n1TRkXMS0pGxIJokIVB9SuqZGGXw==}
+    cpu: [arm64]
+    os: [linux]
+
+  '@img/sharp-libvips-linuxmusl-x64@1.2.4':
+    resolution: {integrity: sha512-+LpyBk7L44ZIXwz/VYfglaX/okxezESc6UxDSoyo2Ks6Jxc4Y7sGjpgU9s4PMgqgjj1gZCylTieNamqA1MF7Dg==}
+    cpu: [x64]
+    os: [linux]
+
+  '@img/sharp-linux-arm64@0.34.5':
+    resolution: {integrity: sha512-bKQzaJRY/bkPOXyKx5EVup7qkaojECG6NLYswgktOZjaXecSAeCWiZwwiFf3/Y+O1HrauiE3FVsGxFg8c24rZg==}
+    engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
+    cpu: [arm64]
+    os: [linux]
+
+  '@img/sharp-linux-arm@0.34.5':
+    resolution: {integrity: sha512-9dLqsvwtg1uuXBGZKsxem9595+ujv0sJ6Vi8wcTANSFpwV/GONat5eCkzQo/1O6zRIkh0m/8+5BjrRr7jDUSZw==}
+    engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
+    cpu: [arm]
+    os: [linux]
+
+  '@img/sharp-linux-ppc64@0.34.5':
+    resolution: {integrity: sha512-7zznwNaqW6YtsfrGGDA6BRkISKAAE1Jo0QdpNYXNMHu2+0dTrPflTLNkpc8l7MUP5M16ZJcUvysVWWrMefZquA==}
+    engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
+    cpu: [ppc64]
+    os: [linux]
+
+  '@img/sharp-linux-riscv64@0.34.5':
+    resolution: {integrity: sha512-51gJuLPTKa7piYPaVs8GmByo7/U7/7TZOq+cnXJIHZKavIRHAP77e3N2HEl3dgiqdD/w0yUfiJnII77PuDDFdw==}
+    engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
+    cpu: [riscv64]
+    os: [linux]
+
+  '@img/sharp-linux-s390x@0.34.5':
+    resolution: {integrity: sha512-nQtCk0PdKfho3eC5MrbQoigJ2gd1CgddUMkabUj+rBevs8tZ2cULOx46E7oyX+04WGfABgIwmMC0VqieTiR4jg==}
+    engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
+    cpu: [s390x]
+    os: [linux]
+
+  '@img/sharp-linux-x64@0.34.5':
+    resolution: {integrity: sha512-MEzd8HPKxVxVenwAa+JRPwEC7QFjoPWuS5NZnBt6B3pu7EG2Ge0id1oLHZpPJdn3OQK+BQDiw9zStiHBTJQQQQ==}
+    engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
+    cpu: [x64]
+    os: [linux]
+
+  '@img/sharp-linuxmusl-arm64@0.34.5':
+    resolution: {integrity: sha512-fprJR6GtRsMt6Kyfq44IsChVZeGN97gTD331weR1ex1c1rypDEABN6Tm2xa1wE6lYb5DdEnk03NZPqA7Id21yg==}
+    engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
+    cpu: [arm64]
+    os: [linux]
+
+  '@img/sharp-linuxmusl-x64@0.34.5':
+    resolution: {integrity: sha512-Jg8wNT1MUzIvhBFxViqrEhWDGzqymo3sV7z7ZsaWbZNDLXRJZoRGrjulp60YYtV4wfY8VIKcWidjojlLcWrd8Q==}
+    engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
+    cpu: [x64]
+    os: [linux]
+
+  '@img/sharp-wasm32@0.34.5':
+    resolution: {integrity: sha512-OdWTEiVkY2PHwqkbBI8frFxQQFekHaSSkUIJkwzclWZe64O1X4UlUjqqqLaPbUpMOQk6FBu/HtlGXNblIs0huw==}
+    engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
+    cpu: [wasm32]
+
+  '@img/sharp-win32-arm64@0.34.5':
+    resolution: {integrity: sha512-WQ3AgWCWYSb2yt+IG8mnC6Jdk9Whs7O0gxphblsLvdhSpSTtmu69ZG1Gkb6NuvxsNACwiPV6cNSZNzt0KPsw7g==}
+    engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
+    cpu: [arm64]
+    os: [win32]
+
+  '@img/sharp-win32-ia32@0.34.5':
+    resolution: {integrity: sha512-FV9m/7NmeCmSHDD5j4+4pNI8Cp3aW+JvLoXcTUo0IqyjSfAZJ8dIUmijx1qaJsIiU+Hosw6xM5KijAWRJCSgNg==}
+    engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
+    cpu: [ia32]
+    os: [win32]
+
+  '@img/sharp-win32-x64@0.34.5':
+    resolution: {integrity: sha512-+29YMsqY2/9eFEiW93eqWnuLcWcufowXewwSNIT6UwZdUUCrM3oFjMWH/Z6/TMmb4hlFenmfAVbpWeup2jryCw==}
+    engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
+    cpu: [x64]
+    os: [win32]
+
   '@ionic/cli-framework-output@2.2.8':
     resolution: {integrity: sha512-TshtaFQsovB4NWRBydbNFawql6yul7d5bMiW1WYYf17hd99V6xdDdk3vtF51bw6sLkxON3bDQpWsnUc9/hVo3g==}
     engines: {node: '>=16.0.0'}
@@ -1235,6 +1396,13 @@ packages:
       '@types/react-dom':
         optional: true
 
+  '@tokenizer/inflate@0.4.1':
+    resolution: {integrity: sha512-2mAv+8pkG6GIZiF1kNg1jAjh27IDxEPKwdGul3snfztFerfPGI1LjDezZp3i7BElXompqEtPmoPx6c2wgtWsOA==}
+    engines: {node: '>=18'}
+
+  '@tokenizer/token@0.3.0':
+    resolution: {integrity: sha512-OvjF+z51L3ov0OyAU0duzsYuvO01PH7x4t6DJx+guahgTnBHkhJdG7soQeTSFLWN3efnHyibZ4Z8l2EuWwJN3A==}
+
   '@tootallnate/once@2.0.0':
     resolution: {integrity: sha512-XCuKFP5PS55gnMVu3dty8KPatLqUoy/ZYzDzAGCQ8JNFCkLXzmI7vNHCR+XpbZaMWQK/vQubr7PkYq8g470J/A==}
     engines: {node: '>= 10'}
@@ -1961,6 +2129,10 @@ packages:
     resolution: {integrity: sha512-yki5XnKuf750l50uGTllt6kKILY4nQ1eNIQatoXEByZ5dWgnKqbnqmTrBE5B4N7lrMJKQ2ytWMiTO2o0v6Ew/w==}
     engines: {node: '>= 0.6'}
 
+  cookie@1.1.1:
+    resolution: {integrity: sha512-ei8Aos7ja0weRpFzJnEA9UHJ/7XQmqglbRwnf2ATjcB9Wq874VKH9kfjjirM6UhU2/E5fFYadylyhFldcqSidQ==}
+    engines: {node: '>=18'}
+
   cors@2.8.6:
     resolution: {integrity: sha512-tJtZBBHA6vjIAaF6EnIaq6laBBP9aq/Y3ouVJjEfoHbRBcHBAHYcMh/w8LDrk2PvIMMq8gmopa5D4V8RmbrxGw==}
     engines: {node: '>= 0.10'}
@@ -2276,6 +2448,9 @@ packages:
     resolution: {integrity: sha512-VyhnebXciFV2DESc+p6B+y0LjSm0krU4OgJN44qFAhBY0TJ+1V61tYD2+wHusZ6F9n5K+vl8k0sTy7PEfV4qpg==}
     engines: {node: '>=16.17'}
 
+  exifr@7.1.3:
+    resolution: {integrity: sha512-g/aje2noHivrRSLbAUtBPWFbxKdKhgj/xr1vATDdUXPOFYJlQ62Ft0oy+72V6XLIpDJfHs6gXLbBLAolqOXYRw==}
+
   exit-x@0.2.2:
     resolution: {integrity: sha512-+I6B/IkJc1o/2tiURyz/ivu/O0nKNEArIUB5O7zBrlDVJr22SCLH3xTeEry428LvFhRzIA1g8izguxJ/gbNcVQ==}
     engines: {node: '>= 0.8.0'}
@@ -2342,6 +2517,10 @@ packages:
     resolution: {integrity: sha512-XXTUwCvisa5oacNGRP9SfNtYBNAMi+RPwBFmblZEF7N7swHYQS6/Zfk7SRwx4D5j3CH211YNRco1DEMNVfZCnQ==}
     engines: {node: '>=16.0.0'}
 
+  file-type@22.0.1:
+    resolution: {integrity: sha512-ww5Mhre0EE+jmBvOXTmXAbEMuZE7uX4a3+oRCQFNj8w++g3ev913N6tXQz0XTXbueQ5TWQfm6BdaViEHHn8bhA==}
+    engines: {node: '>=22'}
+
   fill-range@7.1.1:
     resolution: {integrity: sha512-YsGpe3WHLK8ZYi4tWDg2Jy3ebRz2rXowDxnld4bkQB00cc/1Zw9AWnC0i9ztDJitivtQvaI9KaLyKrc+hBW0yg==}
     engines: {node: '>=8'}
@@ -2645,6 +2824,9 @@ packages:
   idb@7.1.1:
     resolution: {integrity: sha512-gchesWBzyvGHRO9W8tzUWFDycow5gwjvFKfyV9FF32Y7F50yZMp7mP+T2mJIWFx49zicqyC4uefHM17o6xKIVQ==}
 
+  ieee754@1.2.1:
+    resolution: {integrity: sha512-dcyqhDvX1C46lXZcVqCpK+FtMRQVdIMN6/Df5js2zouUsqG7I6sFxitIC+7KYK29KdXOLHdu9zL4sFnoVQnqaA==}
+
   ignore@5.3.2:
     resolution: {integrity: sha512-hsBTNUqQTDwkWtcdYI2i06Y/nUBEsNEDJKjWdigLvegy8kDuJAS8uRlpkkcQpyEXL0Z/pjDy5HBmMjRCJ2gq+g==}
     engines: {node: '>= 4'}
@@ -3648,6 +3830,23 @@ packages:
   react-is@18.3.1:
     resolution: {integrity: sha512-/LLMVyas0ljjAtoYiPqYiL8VWXzUUdThrmU5+n20DZv+a+ClRoevUzw5JxU+Ieh5/c87ytoTBV9G1FiKfNJdmg==}
 
+  react-router-dom@7.14.1:
+    resolution: {integrity: sha512-ZkrQuwwhGibjQLqH1eCdyiZyLWglPxzxdl5tgwgKEyCSGC76vmAjleGocRe3J/MLfzMUIKwaFJWpFVJhK3d2xA==}
+    engines: {node: '>=20.0.0'}
+    peerDependencies:
+      react: '>=18'
+      react-dom: '>=18'
+
+  react-router@7.14.1:
+    resolution: {integrity: sha512-5BCvFskyAAVumqhEKh/iPhLOIkfxcEUz8WqFIARCkMg8hZZzDYX9CtwxXA0e+qT8zAxmMC0x3Ckb9iMONwc5jg==}
+    engines: {node: '>=20.0.0'}
+    peerDependencies:
+      react: '>=18'
+      react-dom: '>=18'
+    peerDependenciesMeta:
+      react-dom:
+        optional: true
+
   react@18.3.1:
     resolution: {integrity: sha512-wS+hAgJShR0KhEvPJArfuPVN1+Hz1t0Y6n5jLrGQbkb4urgPE/0Rve+1kMB1v/oWgHgm4WIcV+i7F2pTVj+2iQ==}
     engines: {node: '>=0.10.0'}
@@ -3769,6 +3968,9 @@ packages:
     resolution: {integrity: sha512-x0RTqQel6g5SY7Lg6ZreMmsOzncHFU7nhnRWkKgWuMTu5NN0DR5oruckMqRvacAN9d5w6ARnRBXl9xhDCgfMeA==}
     engines: {node: '>= 0.8.0'}
 
+  set-cookie-parser@2.7.2:
+    resolution: {integrity: sha512-oeM1lpU/UvhTxw+g3cIfxXHyJRc/uidd3yK1P242gzHds0udQBYzs3y8j4gCCW+ZJ7ad0yctld8RYO+bdurlvw==}
+
   set-function-length@1.2.2:
     resolution: {integrity: sha512-pgRc4hJ4/sNjWCSS9AmnS40x3bNMDTknHgL5UaMBTMyJnU90EgWh1Rz+MC9eFu4BuN/UwZjKQuY/1v3rM7HMfg==}
     engines: {node: '>= 0.4'}
@@ -3784,6 +3986,10 @@ packages:
   setprototypeof@1.2.0:
     resolution: {integrity: sha512-E5LDX7Wrp85Kil5bhZv46j8jOeboKq5JMmYM3gVGdGH8xFpPWXUMsNrlODCrkoxMEeNi/XZIwuRvY4XNwYMJpw==}
 
+  sharp@0.34.5:
+    resolution: {integrity: sha512-Ou9I5Ft9WNcCbXrU9cMgPBcCK8LiwLqcbywW3t4oDV37n1pzpuNLsYiAV8eODnjbtQlSDwZ2cUEeQz4E54Hltg==}
+    engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
+
   shebang-command@2.0.0:
     resolution: {integrity: sha512-kHxr2zZpYtdmrN1qDjrrX/Z1rR1kG8Dx+gkpK1G4eXmvXswmcE1hTWBWYUzlraYw1/yZp6YuDY77YtvbN0dmDA==}
     engines: {node: '>=8'}
@@ -3956,6 +4162,10 @@ packages:
   strnum@2.2.3:
     resolution: {integrity: sha512-oKx6RUCuHfT3oyVjtnrmn19H1SiCqgJSg+54XqURKp5aCMbrXrhLjRN9TjuwMjiYstZ0MzDrHqkGZ5dFTKd+zg==}
 
+  strtok3@10.3.5:
+    resolution: {integrity: sha512-ki4hZQfh5rX0QDLLkOCj+h+CVNkqmp/CMf8v8kZpkNVK6jGQooMytqzLZYUVYIZcFZ6yDB70EfD8POcFXiF5oA==}
+    engines: {node: '>=18'}
+
   stubs@3.0.0:
     resolution: {integrity: sha512-PdHt7hHUJKxvTCgbKX9C1V/ftOcjJQgz8BZwNfV5c4B6dcGqlpelTbJ999jBGZ2jYiPAwcX5dP6oBwVlBlUbxw==}
 
@@ -4016,6 +4226,10 @@ packages:
     resolution: {integrity: sha512-o5sSPKEkg/DIQNmH43V0/uerLrpzVedkUh8tGNvaeXpfpuwjKenlSox/2O/BTlZUtEe+JG7s5YhEz608PlAHRA==}
     engines: {node: '>=0.6'}
 
+  token-types@6.1.2:
+    resolution: {integrity: sha512-dRXchy+C0IgK8WPC6xvCHFRIWYUbqqdEIKPaKo/AcTUNzwLTK6AH7RjdLWsEZcAN/TBdtfUw3PYEgPr5VPr6ww==}
+    engines: {node: '>=14.16'}
+
   tr46@0.0.3:
     resolution: {integrity: sha512-N3WMsuqV66lT30CrXNbEjx4GEwlow3v6rr4mCcv6prnfwhS01rkgyFdjPNBYd9br7LpXV1+Emh01fHnq2Gdgrw==}
 
@@ -4088,6 +4302,10 @@ packages:
     engines: {node: '>=14.17'}
     hasBin: true
 
+  uint8array-extras@1.5.0:
+    resolution: {integrity: sha512-rvKSBiC5zqCCiDZ9kAOszZcDvdAHwwIKJG33Ykj43OKcWsnmcBRL09YTU4nOeHZ8Y2a7l1MgTd08SBe9A8Qj6A==}
+    engines: {node: '>=18'}
+
   unbox-primitive@1.1.0:
     resolution: {integrity: sha512-nWJ91DjeOkej/TA8pXQ3myruKpKEYgqvpw9lz4OPHj/NWFNluYrjbz9j01CJ8yKQd2g4jFoOkINCTW2I5LEEyw==}
     engines: {node: '>= 0.4'}
@@ -4560,6 +4778,8 @@ snapshots:
 
   '@bcoe/v8-coverage@1.0.2': {}
 
+  '@borewit/text-codec@0.2.2': {}
+
   '@capacitor/cli@8.3.1':
     dependencies:
       '@ionic/cli-framework-output': 2.2.8
@@ -5146,6 +5366,102 @@ snapshots:
 
   '@humanwhocodes/retry@0.4.3': {}
 
+  '@img/colour@1.1.0': {}
+
+  '@img/sharp-darwin-arm64@0.34.5':
+    optionalDependencies:
+      '@img/sharp-libvips-darwin-arm64': 1.2.4
+    optional: true
+
+  '@img/sharp-darwin-x64@0.34.5':
+    optionalDependencies:
+      '@img/sharp-libvips-darwin-x64': 1.2.4
+    optional: true
+
+  '@img/sharp-libvips-darwin-arm64@1.2.4':
+    optional: true
+
+  '@img/sharp-libvips-darwin-x64@1.2.4':
+    optional: true
+
+  '@img/sharp-libvips-linux-arm64@1.2.4':
+    optional: true
+
+  '@img/sharp-libvips-linux-arm@1.2.4':
+    optional: true
+
+  '@img/sharp-libvips-linux-ppc64@1.2.4':
+    optional: true
+
+  '@img/sharp-libvips-linux-riscv64@1.2.4':
+    optional: true
+
+  '@img/sharp-libvips-linux-s390x@1.2.4':
+    optional: true
+
+  '@img/sharp-libvips-linux-x64@1.2.4':
+    optional: true
+
+  '@img/sharp-libvips-linuxmusl-arm64@1.2.4':
+    optional: true
+
+  '@img/sharp-libvips-linuxmusl-x64@1.2.4':
+    optional: true
+
+  '@img/sharp-linux-arm64@0.34.5':
+    optionalDependencies:
+      '@img/sharp-libvips-linux-arm64': 1.2.4
+    optional: true
+
+  '@img/sharp-linux-arm@0.34.5':
+    optionalDependencies:
+      '@img/sharp-libvips-linux-arm': 1.2.4
+    optional: true
+
+  '@img/sharp-linux-ppc64@0.34.5':
+    optionalDependencies:
+      '@img/sharp-libvips-linux-ppc64': 1.2.4
+    optional: true
+
+  '@img/sharp-linux-riscv64@0.34.5':
+    optionalDependencies:
+      '@img/sharp-libvips-linux-riscv64': 1.2.4
+    optional: true
+
+  '@img/sharp-linux-s390x@0.34.5':
+    optionalDependencies:
+      '@img/sharp-libvips-linux-s390x': 1.2.4
+    optional: true
+
+  '@img/sharp-linux-x64@0.34.5':
+    optionalDependencies:
+      '@img/sharp-libvips-linux-x64': 1.2.4
+    optional: true
+
+  '@img/sharp-linuxmusl-arm64@0.34.5':
+    optionalDependencies:
+      '@img/sharp-libvips-linuxmusl-arm64': 1.2.4
+    optional: true
+
+  '@img/sharp-linuxmusl-x64@0.34.5':
+    optionalDependencies:
+      '@img/sharp-libvips-linuxmusl-x64': 1.2.4
+    optional: true
+
+  '@img/sharp-wasm32@0.34.5':
+    dependencies:
+      '@emnapi/runtime': 1.10.0
+    optional: true
+
+  '@img/sharp-win32-arm64@0.34.5':
+    optional: true
+
+  '@img/sharp-win32-ia32@0.34.5':
+    optional: true
+
+  '@img/sharp-win32-x64@0.34.5':
+    optional: true
+
   '@ionic/cli-framework-output@2.2.8':
     dependencies:
       '@ionic/utils-terminal': 2.3.5
@@ -5589,6 +5905,15 @@ snapshots:
       '@types/react': 19.2.14
       '@types/react-dom': 19.2.3(@types/react@19.2.14)
 
+  '@tokenizer/inflate@0.4.1':
+    dependencies:
+      debug: 4.4.3
+      token-types: 6.1.2
+    transitivePeerDependencies:
+      - supports-color
+
+  '@tokenizer/token@0.3.0': {}
+
   '@tootallnate/once@2.0.0':
     optional: true
 
@@ -6357,6 +6682,8 @@ snapshots:
 
   cookie@0.7.2: {}
 
+  cookie@1.1.1: {}
+
   cors@2.8.6:
     dependencies:
       object-assign: 4.1.1
@@ -6786,6 +7113,8 @@ snapshots:
       signal-exit: 4.1.0
       strip-final-newline: 3.0.0
 
+  exifr@7.1.3: {}
+
   exit-x@0.2.2: {}
 
   expect-type@1.3.0: {}
@@ -6883,6 +7212,15 @@ snapshots:
     dependencies:
       flat-cache: 4.0.1
 
+  file-type@22.0.1:
+    dependencies:
+      '@tokenizer/inflate': 0.4.1
+      strtok3: 10.3.5
+      token-types: 6.1.2
+      uint8array-extras: 1.5.0
+    transitivePeerDependencies:
+      - supports-color
+
   fill-range@7.1.1:
     dependencies:
       to-regex-range: 5.0.1
@@ -7306,6 +7644,8 @@ snapshots:
 
   idb@7.1.1: {}
 
+  ieee754@1.2.1: {}
+
   ignore@5.3.2: {}
 
   ignore@7.0.5: {}
@@ -8464,6 +8804,20 @@ snapshots:
 
   react-is@18.3.1: {}
 
+  react-router-dom@7.14.1(react-dom@19.2.5(react@19.2.5))(react@19.2.5):
+    dependencies:
+      react: 19.2.5
+      react-dom: 19.2.5(react@19.2.5)
+      react-router: 7.14.1(react-dom@19.2.5(react@19.2.5))(react@19.2.5)
+
+  react-router@7.14.1(react-dom@19.2.5(react@19.2.5))(react@19.2.5):
+    dependencies:
+      cookie: 1.1.1
+      react: 19.2.5
+      set-cookie-parser: 2.7.2
+    optionalDependencies:
+      react-dom: 19.2.5(react@19.2.5)
+
   react@18.3.1:
     dependencies:
       loose-envify: 1.4.0
@@ -8632,6 +8986,8 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
+  set-cookie-parser@2.7.2: {}
+
   set-function-length@1.2.2:
     dependencies:
       define-data-property: 1.1.4
@@ -8656,6 +9012,37 @@ snapshots:
 
   setprototypeof@1.2.0: {}
 
+  sharp@0.34.5:
+    dependencies:
+      '@img/colour': 1.1.0
+      detect-libc: 2.1.2
+      semver: 7.7.4
+    optionalDependencies:
+      '@img/sharp-darwin-arm64': 0.34.5
+      '@img/sharp-darwin-x64': 0.34.5
+      '@img/sharp-libvips-darwin-arm64': 1.2.4
+      '@img/sharp-libvips-darwin-x64': 1.2.4
+      '@img/sharp-libvips-linux-arm': 1.2.4
+      '@img/sharp-libvips-linux-arm64': 1.2.4
+      '@img/sharp-libvips-linux-ppc64': 1.2.4
+      '@img/sharp-libvips-linux-riscv64': 1.2.4
+      '@img/sharp-libvips-linux-s390x': 1.2.4
+      '@img/sharp-libvips-linux-x64': 1.2.4
+      '@img/sharp-libvips-linuxmusl-arm64': 1.2.4
+      '@img/sharp-libvips-linuxmusl-x64': 1.2.4
+      '@img/sharp-linux-arm': 0.34.5
+      '@img/sharp-linux-arm64': 0.34.5
+      '@img/sharp-linux-ppc64': 0.34.5
+      '@img/sharp-linux-riscv64': 0.34.5
+      '@img/sharp-linux-s390x': 0.34.5
+      '@img/sharp-linux-x64': 0.34.5
+      '@img/sharp-linuxmusl-arm64': 0.34.5
+      '@img/sharp-linuxmusl-x64': 0.34.5
+      '@img/sharp-wasm32': 0.34.5
+      '@img/sharp-win32-arm64': 0.34.5
+      '@img/sharp-win32-ia32': 0.34.5
+      '@img/sharp-win32-x64': 0.34.5
+
   shebang-command@2.0.0:
     dependencies:
       shebang-regex: 3.0.0
@@ -8854,6 +9241,10 @@ snapshots:
   strnum@2.2.3:
     optional: true
 
+  strtok3@10.3.5:
+    dependencies:
+      '@tokenizer/token': 0.3.0
+
   stubs@3.0.0:
     optional: true
 
@@ -8920,6 +9311,12 @@ snapshots:
 
   toidentifier@1.0.1: {}
 
+  token-types@6.1.2:
+    dependencies:
+      '@borewit/text-codec': 0.2.2
+      '@tokenizer/token': 0.3.0
+      ieee754: 1.2.1
+
   tr46@0.0.3:
     optional: true
 
@@ -9008,6 +9405,8 @@ snapshots:
 
   typescript@5.9.3: {}
 
+  uint8array-extras@1.5.0: {}
+
   unbox-primitive@1.1.0:
     dependencies:
       call-bound: 1.0.4
diff --git a/scripts/bootstrap-municipalities.ts b/scripts/bootstrap-municipalities.ts
new file mode 100755
index 00000000..870a2e26
--- /dev/null
+++ b/scripts/bootstrap-municipalities.ts
@@ -0,0 +1,57 @@
+#!/usr/bin/env tsx
+/**
+ * Bootstrap Camarines Norte municipalities into Firestore.
+ *
+ * Usage (emulator):
+ *   firebase emulators:exec --only firestore \
+ *     "pnpm tsx scripts/bootstrap-municipalities.ts"
+ *
+ * Usage (staging/prod):
+ *   GOOGLE_APPLICATION_CREDENTIALS=./sa.json \
+ *     pnpm tsx scripts/bootstrap-municipalities.ts
+ */
+import { initializeApp, cert } from 'firebase-admin/app'
+import { getFirestore } from 'firebase-admin/firestore'
+import { CAMARINES_NORTE_MUNICIPALITIES } from '../packages/shared-validators/src/municipalities.js'
+
+async function main(): Promise<void> {
+  const env = process.env.FIRESTORE_EMULATOR_HOST ? 'emulator' : 'remote'
+  console.log(`Bootstrapping municipalities (env=${env})...`)
+
+  if (env === 'emulator') {
+    initializeApp({
+      projectId: process.env.FIRESTORE_EMULATOR_HOST?.includes(':8080')
+        ? 'bantayog-alert-dev'
+        : 'bantayog-alert-acceptance',
+    })
+  } else {
+    const keyPath = process.env.GOOGLE_APPLICATION_CREDENTIALS
+    if (!keyPath) {
+      throw new Error('Set GOOGLE_APPLICATION_CREDENTIALS to a service-account JSON path.')
+    }
+    initializeApp({ credential: cert(keyPath) })
+  }
+
+  const db = getFirestore()
+
+  const batch = db.batch()
+  for (const m of CAMARINES_NORTE_MUNICIPALITIES) {
+    const ref = db.collection('municipalities').doc(m.id)
+    batch.set(ref, { ...m, schemaVersion: 1 })
+  }
+
+  await batch.commit()
+  console.log(`✅ Seeded ${CAMARINES_NORTE_MUNICIPALITIES.length} municipalities.`)
+
+  // Verify
+  const snap = await db.collection('municipalities').limit(1).get()
+  if (snap.empty) {
+    throw new Error('Verification failed: no municipalities found after write.')
+  }
+  console.log('✅ Verification passed.')
+}
+
+main().catch((err) => {
+  console.error(err)
+  process.exit(1)
+})
diff --git a/scripts/build-rules.ts b/scripts/build-rules.ts
new file mode 100644
index 00000000..173779c3
--- /dev/null
+++ b/scripts/build-rules.ts
@@ -0,0 +1,82 @@
+/**
+ * Build rules codegen — generates firestore.rules from firestore.rules.template.
+ *
+ * Reads DISPATCH_TRANSITIONS from shared-validators and emits the
+ * validResponderTransition helper into the template's // @@TRANSITION_TABLES@@ marker.
+ *
+ * Run: pnpm exec tsx scripts/build-rules.ts
+ * Predeploy hook: firebase.json predeploys this via pnpm exec tsx scripts/build-rules.ts
+ */
+import { readFileSync, writeFileSync } from 'node:fs'
+import { resolve } from 'node:path'
+
+const TEMPLATE_PATH = resolve(import.meta.dirname, '../infra/firebase/firestore.rules.template')
+const OUTPUT_PATH = resolve(import.meta.dirname, '../infra/firebase/firestore.rules')
+const MARKER = '// @@TRANSITION_TABLES@@'
+
+interface Transition {
+  from: string
+  to: string
+}
+
+async function main() {
+  const template = readFileSync(TEMPLATE_PATH, 'utf8')
+  if (!template.includes(MARKER)) {
+    console.error(`ERROR: Marker '${MARKER}' not found in template at ${TEMPLATE_PATH}`)
+    process.exit(1)
+  }
+
+  const SHARED_VALIDATORS_PATH = resolve(
+    import.meta.dirname,
+    '../packages/shared-validators/src/state-machines/report-states.ts',
+  )
+  const source = readFileSync(SHARED_VALIDATORS_PATH, 'utf8')
+
+  const dispatchTransitions = extractTransitions(source, 'DISPATCH_TRANSITIONS')
+  if (dispatchTransitions.length === 0) {
+    console.error('ERROR: Could not extract DISPATCH_TRANSITIONS from shared-validators')
+    process.exit(1)
+  }
+
+  const validResponderTransitionFn = generateValidResponderTransitionFn(dispatchTransitions)
+  const result = template.replace(MARKER, validResponderTransitionFn)
+
+  writeFileSync(OUTPUT_PATH, result, 'utf8')
+  console.log(`✓ Rules codegen complete — wrote ${OUTPUT_PATH}`)
+  console.log(`  DISPATCH_TRANSITIONS: ${dispatchTransitions.length} entries`)
+}
+
+function extractTransitions(source: string, constantName: string): Transition[] {
+  // Match: export const DISPATCH_TRANSITIONS: readonly [DispatchStatus, DispatchStatus][] = [
+  //                                                    or: readonly [string, string][] = [
+  const regex = new RegExp(
+    `export\\s+const\\s+${constantName}\\s*:\\s*readonly\\s+\\[(?:DispatchStatus|string),\\s*(?:DispatchStatus|string)\\]\\[\\]\\s*=\\s*\\[([\\s\\S]*?)\\]\\s*as\\s*const`,
+    'm',
+  )
+  const match = source.match(regex)
+  if (!match) return []
+
+  const body = match[1]
+  const tupleRegex = /\[\s*'([^']+)'\s*,\s*'([^']+)'\s*\]/g
+  const transitions: Transition[] = []
+  let tupleMatch
+  while ((tupleMatch = tupleRegex.exec(body)) !== null) {
+    transitions.push({ from: tupleMatch[1], to: tupleMatch[2] })
+  }
+  return transitions
+}
+
+function generateValidResponderTransitionFn(transitions: Transition[]): string {
+  const base = '      '
+  const cont = '          || '
+  const arms = transitions.map(({ from, to }) => `${base}(from == '${from}' && to == '${to}')`)
+  const body = arms.length > 0 ? arms.join('\n' + cont) + '\n' + cont + 'false;' : 'false;'
+  return `function validResponderTransition(from, to) {
+      return ${body}
+    }`
+}
+
+main().catch((err) => {
+  console.error('build-rules.ts failed:', err)
+  process.exit(1)
+})
diff --git a/scripts/phase-3a/acceptance.ts b/scripts/phase-3a/acceptance.ts
new file mode 100755
index 00000000..d0848cab
--- /dev/null
+++ b/scripts/phase-3a/acceptance.ts
@@ -0,0 +1,154 @@
+#!/usr/bin/env tsx
+/**
+ * Phase 3a acceptance gate.
+ *
+ * Run against the local emulator:
+ *   firebase emulators:exec --only firestore,functions,storage \
+ *     "pnpm tsx scripts/phase-3a/acceptance.ts --env=emulator"
+ *
+ * Or against staging with credentials:
+ *   GOOGLE_APPLICATION_CREDENTIALS=./sa.json \
+ *     pnpm tsx scripts/phase-3a/acceptance.ts --env=staging
+ */
+import { initializeApp, cert } from 'firebase-admin/app'
+import { getFirestore } from 'firebase-admin/firestore'
+import { randomUUID, createHash } from 'node:crypto'
+import { processInboxItemCore } from '../../functions/src/triggers/process-inbox-item.js'
+
+interface Assertion {
+  name: string
+  ok: boolean
+  detail?: string
+}
+
+const results: Assertion[] = []
+function check(name: string, ok: boolean, detail?: string): void {
+  results.push({ name, ok, detail })
+  console.log(ok ? `✓ PASS ${name}` : `✗ FAIL ${name} — ${detail ?? ''}`)
+}
+
+async function main(): Promise<void> {
+  const env = process.argv.find((a) => a.startsWith('--env='))?.split('=')[1] ?? 'emulator'
+  if (env === 'emulator') {
+    process.env.FIRESTORE_EMULATOR_HOST = process.env.FIRESTORE_EMULATOR_HOST ?? 'localhost:8080'
+    initializeApp({
+      projectId: process.env.FIRESTORE_EMULATOR_HOST?.includes(':8080')
+        ? 'bantayog-alert-dev'
+        : 'bantayog-alert-acceptance',
+    })
+  } else {
+    initializeApp({ credential: cert(process.env.GOOGLE_APPLICATION_CREDENTIALS ?? '') })
+  }
+  const db = getFirestore()
+
+  console.log(`\n🧪 Phase 3a Acceptance Test (env=${env})\n`)
+
+  // 0. Ensure municipalities seeded
+  console.log('0. Checking municipalities...')
+  const muniSnap = await db.collection('municipalities').doc('daet').get()
+  check('municipalities:daet seeded', muniSnap.exists, 'run scripts/bootstrap-municipalities.ts')
+  if (!muniSnap.exists) {
+    console.error(
+      '\n❌ Municipalities not seeded. Run: pnpm tsx scripts/bootstrap-municipalities.ts',
+    )
+    process.exit(1)
+  }
+
+  // 1. Write an inbox doc directly (simulating the client write)
+  console.log('\n1. Writing inbox document...')
+  const correlationId = randomUUID()
+  const secret = randomUUID()
+  const secretHash = createHash('sha256').update(secret).digest('hex')
+  const publicRef = Math.random().toString(36).slice(2, 10)
+  const inboxId = randomUUID()
+  await db
+    .collection('report_inbox')
+    .doc(inboxId)
+    .set({
+      reporterUid: 'accept-citizen-1',
+      clientCreatedAt: Date.now(),
+      idempotencyKey: randomUUID(),
+      publicRef,
+      secretHash,
+      correlationId,
+      payload: {
+        reportType: 'flood',
+        description: 'acceptance test',
+        severity: 'medium',
+        source: 'web',
+        publicLocation: { lat: 14.11, lng: 122.95 },
+        pendingMediaIds: [],
+      },
+    })
+  console.log(`  → Inbox doc written: ${inboxId}`)
+
+  // 2. Invoke processInboxItemCore directly (bypasses trigger for emulator testing)
+  console.log('\n2. Invoking processInboxItemCore...')
+  let reportId: string | null = null
+  try {
+    const coreResult = await processInboxItemCore({ db, inboxId, now: () => Date.now() })
+    reportId = coreResult.reportId
+    console.log(`  → Report materialized: ${reportId} (materialized=${coreResult.materialized})`)
+  } catch (err: unknown) {
+    const msg = err instanceof Error ? err.message : String(err)
+    console.error(`  → processInboxItemCore failed: ${msg}`)
+    check('processInboxItemCore succeeded', false, msg)
+    console.error('\n❌ Triptych materialization failed. Check processInboxItemCore.')
+    process.exit(1)
+  }
+  check('processInboxItemCore succeeded', reportId !== null, reportId ?? 'undefined')
+
+  // 3. Verify triptych components
+  console.log('\n3. Verifying triptych components...')
+
+  const reportSnap = await db.collection('reports').doc(reportId).get()
+  check('reports/{id} exists', reportSnap.exists)
+  check('reports.status == new', reportSnap.data()?.status === 'new')
+  check('reports.correlationId propagated', reportSnap.data()?.correlationId === correlationId)
+  check(
+    'reports.municipalityLabel present',
+    typeof reportSnap.data()?.municipalityLabel === 'string',
+  )
+
+  const privateSnap = await db.collection('report_private').doc(reportId).get()
+  check('report_private/{id} exists', privateSnap.exists)
+  check(
+    'report_private.reporterUid matches',
+    privateSnap.data()?.reporterUid === 'accept-citizen-1',
+  )
+
+  const opsSnap = await db.collection('report_ops').doc(reportId).get()
+  check('report_ops/{id} exists', opsSnap.exists)
+
+  // 4. Verify events and lookup
+  console.log('\n4. Verifying events and lookup...')
+
+  const eventsSnap = await db.collection('reports').doc(reportId).collection('status_log').get()
+  check('status_log has >= 1 entry', eventsSnap.size >= 1)
+  check(
+    'first event is draft_inbox → new',
+    eventsSnap.docs[0]?.data().from === 'draft_inbox' && eventsSnap.docs[0]?.data().to === 'new',
+  )
+
+  const lookupSnap = await db.collection('report_lookup').doc(publicRef).get()
+  check('report_lookup/{publicRef} exists', lookupSnap.exists)
+  check('report_lookup.tokenHash matches', lookupSnap.data()?.tokenHash === secretHash)
+  check('report_lookup.expiresAt is future', (lookupSnap.data()?.expiresAt ?? 0) > Date.now())
+
+  // Summary
+  const passed = results.filter((r) => r.ok).length
+  const failed = results.filter((r) => !r.ok).length
+  console.log(`\n${'='.repeat(60)}`)
+  console.log(`Summary: ${passed}/${results.length} assertions passed`)
+  if (failed > 0) {
+    console.error(`\n❌ ${failed} assertion(s) failed. Phase 3a NOT complete.`)
+    process.exit(1)
+  }
+  console.log(`\n✅ Phase 3a acceptance test PASSED!`)
+  console.log(`\n🎉 A citizen submission successfully materializes as a correct triptych.`)
+}
+
+main().catch((err) => {
+  console.error(err)
+  process.exit(1)
+})