[codex] phase5 pre-b schema and rules

docs/learnings.md

@@ -13,6 +13,13 @@ Durable rules worth keeping across sessions.
 - Idempotency hashing that runs in callable code must be async and Web Crypto-safe; a `require('node:crypto')` fallback can fail under ESM/browser bundling even when the code works in unit tests.
 - When a callable looks like an auth or App Check problem, verify the initialized functions region before chasing browser state; a region mismatch can produce misleading unauthenticated failures.
 - **Stale compiled functions binary is the first thing to check when `FirebaseError: internal` appears in E2E but unit tests pass.** The emulator runs `functions/lib/`, not `functions/src/`. If source was changed (e.g. `enforceAppCheck`) but `pnpm --filter @bantayog/functions build` was not re-run, the emulator silently enforces the old setting. Fix: rebuild before running `firebase emulators:exec`.
+- `createTestEnv()` in this repo expects Firestore, Database, and Storage emulators. If you only boot Firestore, rules tests that initialize the shared harness fail before they reach assertions.
+- When a payload schema is `strict()` and a field is truly transitional, strip that field before validation instead of widening the schema and accidentally allowing unrelated junk.
+- If a transitional field is part of the contract, model it explicitly in the schema instead of stripping it in the trigger. Stripping is only the fallback when the field is truly out-of-band.
+- Ops-facing document schemas should use ops-specific enums, not the broader public report enum, or the rules/tests will drift silently.
+- Do not assume `tsc --outDir lib` will refresh every checked-in declaration the way you expect; verify the emitted `.d.ts` against source and patch the artifact if the generator still leaves stale enum ordering behind.
+- `z.string().uuid()` trips `@typescript-eslint/no-deprecated` under the current lint config. Use `z.uuid()` in shared validators.
+- Collection query tests can fail on a rule that is really written for per-document access. If the rule uses `resource.data` in a way that doesn’t support `list`, switch the test to `getDoc` or rewrite the rule intentionally.
 
 ## Firestore
 

docs/progress.md

@@ -2,6 +2,32 @@
 
 ## Current
 
+### PR #63 CodeRabbit follow-up fixes (2026-04-24)
+
+- Status: DONE locally - resolved the remaining review comments on schema validation, inbox materialization, and Firestore rules
+- Scope:
+  - shared validators: derived responder FCM flag, widened persisted report type enum, runtime lookup expiry check
+  - inbox trigger: removed redundant exact-location guard, added `report_sms_consent.municipalityId`, strengthened geohash regression coverage
+  - Firestore rules: report messages, report sharing events, field mode sessions, and report notes authorization/data-consistency fixes
+- Verification:
+  - `pnpm --filter @bantayog/shared-validators test` - PASS
+  - `firebase emulators:exec --only firestore,database,storage "pnpm --filter @bantayog/functions exec vitest run src/__tests__/triggers/process-inbox-item.test.ts src/__tests__/rules/report-sharing.rules.test.ts src/__tests__/rules/report-notes.rules.test.ts src/__tests__/rules/report-messages.rules.test.ts src/__tests__/rules/field-mode-sessions.rules.test.ts"` - PASS
+  - `pnpm --filter @bantayog/shared-validators typecheck` - PASS
+  - `pnpm --filter @bantayog/functions lint` - PASS
+
+### Phase 5 PRE-B - Schema + Rules Foundation (2026-04-24)
+
+- Status: DONE locally - schema amendments, rules additions, and inbox materialization updates landed
+- Scope:
+  - shared validators: coordination, responders, users, reports, and export updates
+  - Firestore rules: field mode sessions, report notes, report messages, command channel map-key lookup, report sharing events, and shared report reads
+  - inbox trigger: `report_ops.reportType`, optional `locationGeohash`, and explicit `exactLocation` payload support derived from the inbox item
+- Verification:
+  - `pnpm --filter @bantayog/shared-validators exec vitest run src/coordination.test.ts src/responders.test.ts src/users.test.ts src/reports.test.ts` - PASS
+  - `firebase emulators:exec --only firestore,database,storage "pnpm --filter @bantayog/functions exec vitest run src/__tests__/rules/field-mode-sessions.rules.test.ts src/__tests__/rules/report-notes.rules.test.ts src/__tests__/rules/report-messages.rules.test.ts src/__tests__/rules/coordination.rules.test.ts src/__tests__/rules/report-sharing.rules.test.ts"` - PASS
+  - `firebase emulators:exec --only firestore "pnpm --filter @bantayog/functions exec vitest run src/__tests__/triggers/process-inbox-item.test.ts"` - PASS
+  - `npx turbo run lint typecheck` - PASS
+
 ### Refactor Audit 2026-04-23 — Implementation Continuation
 
 **Branch:** `refactor/audit-2026-04-23-continuation`