Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@apps/citizen-pwa/public/sw.js`:
- Around line 101-123: The submitDraft serializer is using fields that don't
exist on the queued Draft shape: replace references to draft.publicLocation with
draft.location and stop forcing reporterUid to an empty string; instead read the
actual reporter identifier provided on the Draft (e.g. draft.reporterId or the
correct reporter field from your Draft type) and only include reporterUid when
present. Update the submitDraft function to use draft.location for the payload's
location property and to read/omit the reporter UID using the real Draft field
name so the background-sync payload matches writeWithTimeout(...) in
useSubmissionMachine.
- Around line 131-137: The fetch URL is targeting a document path and the body
uses raw JSON; change the URL in the fetch call that builds the Firestore REST
request so it posts to the collection path (remove /${draft.id} so use
.../documents/report_inbox?documentId=${draft.id}) and transform inboxDoc into
Firestore's Document format before JSON.stringify: wrap the payload in a
top-level "fields" object and convert each field value into Firestore Value
objects (e.g., stringValue, integerValue, mapValue) so the fetch body is a valid
Firestore Document; update the fetch invocation that references projectId,
draft.id and inboxDoc accordingly.
- Around line 64-78: The service worker assumes the 'syncState' index exists but
if the DB was created earlier by localforage it won't trigger onupgradeneeded
and the index/store will be missing; update openDraftsDB to open with a bumped
version (e.g., indexedDB.open(DB_NAME, 2)) and in the onupgradeneeded handler
check if the object store exists via
req.result.objectStoreNames.contains(DB_STORE) and create the DB_STORE if
missing, then create the 'syncState' index only if
!store.indexNames.contains('syncState'); also harden submitQueuedDrafts (and any
callers) to check that the object store and index exist before calling
store.index('syncState') and gracefully handle the missing index (e.g., skip
sync or return early). Ensure references to DB_NAME, DB_STORE, openDraftsDB,
submitQueuedDrafts, and the 'syncState' index are updated accordingly.

In `@apps/citizen-pwa/src/components/RevealSheet.tsx`:
- Around line 214-216: The SMS fallback currently interpolates
contact.smsShortCode raw in handleSmsFallback; sanitize/normalize the shortcode
the same way the hotline normalization does (e.g., strip all non-digits except
an optional leading '+', or call the existing helper used for hotline numbers)
before composing the `sms:` URI, and if the sanitized value is empty/invalid,
bail out and surface an error (e.g., processLogger/console.warn or show a toast)
instead of navigating. Ensure you reference handleSmsFallback and
contact.smsShortCode when making this change so the fallback uses the normalized
recipient.

In `@apps/citizen-pwa/src/components/SubmitReportForm/index.tsx`:
- Around line 80-82: When creating the photo variable in SubmitReportForm, don't
let compressImage(...) rejections abort submission; wrap the await
compressImage(formData.step1.photoFile) call in a try/catch and on any error set
photo to the original formData.step1.photoFile (or undefined if none) and log
the error; this preserves the existing client-side validation while falling back
safely when compressImage fails so draft creation continues.

In `@apps/citizen-pwa/src/components/SubmitReportForm/Step1Evidence.test.tsx`:
- Around line 43-50: The test currently only checks absence of an alert, which
doesn't prove the file was accepted; after calling renderStep1() and
fireEvent.change(input, { target: { files: [goodFile] } }) assert a positive UI
change that indicates setPhotoFile(file) ran — e.g. expect the uploaded filename
to be rendered (getByText('photo.jpg')) or a preview image is present
(getByAltText(/preview/i)), or the "Next"/submit button becomes enabled
(getByRole('button', { name: /next/i }).toBeEnabled()). Update
Step1Evidence.test.tsx to assert one of these success signals after using
makeFile and firing the change.

In `@apps/citizen-pwa/src/hooks/__tests__/backoff.test.ts`:
- Around line 4-19: Add an end-to-end hook test that exercises the useEffect in
useSubmissionMachine (not just backoffDelay) using fake timers: mount/use
renderHook on useSubmissionMachine (or a minimal component that calls it),
configure the submission to fail so the retry path runs, advance timers with
jest.useFakeTimers()/advanceTimersByTime and assert the retries are scheduled
with delays matching backoffDelay (2_000 then 4_000 then 8_000 ... capped at
30_000); this verifies the setTimeout scheduling inside the useEffect and
ensures the timing regression is covered.

In `@apps/citizen-pwa/src/hooks/useFcmToken.ts`:
- Around line 106-110: The Firestore updates set fcmToken but when
revoking/rolling back they only clear fcmToken, leaving stale fcmTokenUpdatedAt;
update every write that clears or nulls the token to also clear
fcmTokenUpdatedAt so both fields are set together; locate the calls to
setDoc/doc(db(), 'users', user.uid) (e.g., in useFcmToken's success path and the
rollback/disable paths) and ensure the payload sets { fcmToken: null,
fcmTokenUpdatedAt: null } (or omits both) consistently whenever the token is
removed.

In `@apps/citizen-pwa/src/hooks/useMunicipalityContact.ts`:
- Around line 28-37: The pickString helper currently treats strings of only
whitespace as valid; update pickString to trim the input before checking length
so whitespace-only values return undefined and fall back in toContact;
specifically modify pickString (used by toContact) to accept unknown, coerce to
string when typeof value === 'string', call value.trim(), and only return the
original (or trimmed) string if trimmed.length > 0, otherwise return undefined
so toContact's label, hotline, and smsShortCode fall back to their defaults.

In `@apps/citizen-pwa/src/hooks/useResumeRegistration.ts`:
- Around line 25-41: The current code uses only "active" to avoid acting after
unmount, but a stale getDoc() can still complete after auth changes and redirect
the new session; introduce a "latestUid" (or similar) variable outside the
onAuthStateChanged handler, set it to user.uid immediately when the callback
runs, then before calling getDoc capture that uid in a local constant (e.g.,
currentUid) and after the promise resolves or in the catch verify currentUid ===
latestUid (and active) before calling navigate or logging; update references to
user.uid/currentUid in the then/catch branches so only the most-recent auth
session can trigger navigate(`/register?${RESUME_QUERY}`, { replace: true }) or
log errors.

In `@apps/citizen-pwa/src/hooks/useSubmissionMachine.ts`:
- Around line 223-232: The retry delay uses backoffDelay(retryCountRef.current)
but retryCountRef.current is already incremented before scheduling, making the
first retry use index 1; change the calculation to use a zero-based retry index
by calling backoffDelay(Math.max(0, retryCountRef.current - 1)) where delay is
computed (around the setTimeout block in useSubmissionMachine.ts) so the first
retry uses backoffDelay(0) and subsequent retries map correctly; keep doSubmit,
setTimeout, and retryCountRef.current usage unchanged except for this index
adjustment.
- Around line 171-186: Replace the current ServiceWorker registration logic in
useSubmissionMachine so it awaits navigator.serviceWorker.ready (not
self.registration) and only attempts reg.sync.register('submit-report') when the
submission outcome/state from doSubmit() is one that should be retried by the
ServiceWorker (i.e., when the machine/state is 'queued' or 'failed_retryable'
and not when it's 'failed_terminal'); also guard for reg.sync availability and
swallow/register errors as a best-effort fallback. Ensure you update the code
paths around doSubmit()/submission state checks in useSubmissionMachine to
perform this conditional background-sync registration.

In `@apps/citizen-pwa/src/lib/__tests__/imageCompress.test.ts`:
- Around line 13-35: The tests currently only assert compressImage returns a
Promise or passes through small files, so update each spec to await
compressImage and assert the resolved value and behavior: for "returns a Blob
for files larger than 200KB" await the result from compressImage(largeFile) and
assert the resolved value is a Blob and not the original File (or that its size
is < original to indicate compression); for "accepts optional maxEdge and
quality parameters" await compressImage(file, { maxEdge: 800, quality: 0.5 })
and assert the result is a Blob and that size/metadata reflect the options
(e.g., different size than default); and for "defaults maxEdge to 1080 and
quality to 0.8" await compressImage(smallFile) and assert the resolved value
equals the input only when compression is a no-op otherwise verify expected Blob
properties. Use controlled image/canvas stubs or create deterministic image data
so canvas-based resizing runs reliably when invoking compressImage.

In `@apps/citizen-pwa/src/lib/imageCompress.ts`:
- Around line 13-17: The image compressor currently rejects on failures
(img.onerror, missing 2d context, or missing canvas.toBlob) causing a hard
failure instead of the documented graceful fallback; update img.onerror to call
URL.revokeObjectURL(img.src) and resolve with the original source File, and
change the failure branches around canvas.getContext('2d') and canvas.toBlob to
resolve with the original source File instead of reject; ensure every early-exit
path (onerror, missing context, missing toBlob, and any catch) revokes the
created object URL and returns the original file so the caller can proceed with
the uncompressed image.

In `@apps/citizen-pwa/src/pages/SettingsPage.tsx`:
- Around line 92-98: The current flow uses the cross-origin signed downloadUrl
returned by requestDataExport and sets a.download on an anchor (downloadUrl /
created <a>), which browsers ignore for cross-origin URLs; change the client to
fetch the signed downloadUrl, convert the response to a Blob, create an object
URL via URL.createObjectURL(blob), set the created anchor's href to that object
URL and its download to "bantayog-export.json", click the anchor and then revoke
the object URL, or alternatively modify the server-side export generator to
include Content-Disposition: attachment when creating the signed URL so the
browser will download the file; update the code paths that reference
requestDataExport, downloadUrl and the created anchor element accordingly.

In `@apps/citizen-pwa/src/services/callables.ts`:
- Around line 12-18: The current return in the function that awaits callable()
blindly casts result.data to a specific shape (downloadUrl, expiresAt,
reportCount, mediaCount); validate result.data before returning by checking that
those keys exist and have the expected types (string for downloadUrl, number for
expiresAt/reportCount/mediaCount) and throw or return a clear error if
validation fails; follow the same validation pattern used by registerCitizen()
in this file and reference the awaited variable callable and the returned
payload shape when adding the checks so malformed backend responses are rejected
rather than blindly cast.

In `@docs/no-need-to-schedule-graceful-quasar.md`:
- Around line 75-78: The fenced code blocks containing the constants
MAX_PHOTO_BYTES and ALLOWED_MIME (and the other block at lines 276-297) need a
language tag to satisfy markdownlint MD040; update the opening triple-backtick
lines to specify a language (e.g., ```js or ```javascript) for the blocks that
show JavaScript/TypeScript code so the linter recognises the language and the
warning is resolved.
- Line 396: Update the stale test count string "313 tests pass" to the current
value "318 tests pass" in the document line that shows the command "pnpm lint &&
pnpm typecheck && npx vitest run"; also scan the document for any other
occurrences of "313 tests" or similar test-count mentions and replace them with
"318" so the checklist accurately reflects the branch verification summary.

In `@functions/src/callables/request-data-export.ts`:
- Around line 76-87: The current read-then-write rate limiting using
existingQuery is raceable; update requestDataExport to perform an atomic
check-and-reserve by using a Firestore transaction (or a deterministic per-user
limiter document) so two concurrent calls cannot both proceed: inside a
transaction, read the 'data_exports' (or a dedicated 'data_export_limiter' doc
keyed by actor.uid), check for any pending/ready exports within RATE_LIMIT_MS,
and if none, create the pending export tracker (status 'pending') before
continuing; ensure you reference existingQuery, RATE_LIMIT_MS, actor.uid and
throw the same HttpsError('resource-exhausted', ...) when the transaction finds
a recent export.
- Around line 210-214: The catch block in the wrapper around
requestDataExportImpl currently rethrows non-HttpsError failures with the
original error message, potentially leaking internal details; update the catch
to (1) log the original error server-side (e.g., using console.error or a
logger) including the full error object, (2) continue to rethrow existing
HttpsError instances unchanged, and (3) for all other errors throw a new
HttpsError('internal', 'Internal server error') (or another fixed generic
message) instead of using err.message; refer to requestDataExportImpl and the
existing catch that constructs new HttpsError to locate and modify the logic.
- Around line 121-126: The media lookup uses an unbounded reportIds array with a
single where('reportId', 'in', reportIds) call which will fail when reportIds >
30; modify the code in request-data-export.ts (the block building reportIds and
calling db.collection('report_media').where('reportId','in',...)) to split
reportIds into batches of max 30 (e.g., chunk the reportIds array), perform the
query for each batch (await each mediaSnap or run them in parallel),
collect/merge all resulting docs before mapping to ExportedMedia and appending
to mediaItems, and ensure the final mediaItems contains entries from all
batches.

In `@infra/firebase/storage.rules`:
- Around line 37-39: The current rule for match /data_exports/{uid}/{file} uses
request.auth != null && request.auth.uid == uid which bypasses the shared
accountStatus == 'active' gate; replace that check with the shared helper by
changing the allow read condition to use isAuthed() (e.g., allow read: if
isAuthed() && request.auth.uid == uid or just isAuthed() if that helper already
enforces uid match) so suspended accounts are blocked and the accountStatus ==
'active' check is applied.

In `@packages/shared-validators/src/municipalities.ts`:
- Around line 19-21: The mdrrmoHotline zod validator (mdrrmoHotline) rejects
seeded numbers like "(054) 721-1216" because the regex requires the first
character to be '+' or a digit; update the regex to also accept a leading
parenthesis so the pattern allows phone numbers starting with '(', '+', or a
digit (e.g., adjust the start-of-string character class for mdrrmoHotline in the
municipalityDocSchema file to include '(') while preserving the rest of the
length/character checks.

---

Outside diff comments:
In `@apps/citizen-pwa/src/services/callables.ts`:
- Around line 19-23: The catch block in
apps/citizen-pwa/src/services/callables.ts currently throws a fresh Error
(`throw new Error("Data export request failed: ...", { cause: err })`) which
discards machine-readable details used by SettingsPage.tsx to branch on failure;
instead either re-throw the original callable error (throw err) or when
wrapping, copy the original error's discriminators (e.g. err.code or err.name)
onto the new Error and keep err as the cause so callers can inspect those
fields—update the throw site to preserve err.code (or rethrow) and ensure the
new error's cause remains the original error.

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@apps/citizen-pwa/public/sw.js`:
- Around line 145-149: The toFirestoreValue function currently encodes every JS
number as integerValue which breaks fractional coordinates; update to detect
integers vs non-integers (e.g., use Number.isInteger(value)) and return
integerValue (as String(value) to match existing style) for integers and
doubleValue for non-integers (fractional numbers like lat/lng), leaving other
branches (stringValue, booleanValue, nullValue) unchanged; locate the function
named toFirestoreValue and change the number-handling branch accordingly.

In `@apps/citizen-pwa/src/components/RevealSheet.tsx`:
- Around line 208-212: The handleCallHotline handler currently always navigates
even when contact.hotline normalizes to an empty/invalid string; update
handleCallHotline to validate the sanitized recipient before changing
window.location.href: compute telDigits as you already do
(contact.hotline.replace(/[^\d+]/g, '')), then if telDigits is falsy or does not
contain at least one digit (or only a leading '+') log a warning (e.g.,
console.warn) including the original contact.hotline and return early without
setting window.location.href; only call window.location.href =
`tel:${telDigits}` when the sanitized value passes validation.

In `@apps/citizen-pwa/src/hooks/useFcmToken.ts`:
- Around line 11-16: The empty catch blocks in useFcmToken around the alert
sound (the try/catch that constructs Audio and the .catch on audio.play())
silently swallow errors; update them to capture the error (e) and emit a short,
contextual diagnostic (e.g., process/local logger or console.warn/console.debug)
including the error message and that it occurred in useFcmToken alert sound
playback (and optionally add simple rate-limiting or debounce to avoid log
spam). Ensure you reference the Audio construction try/catch and the
audio.play().catch(...) in useFcmToken, pass the caught error into the logger,
and keep the user-facing behavior unchanged.

In `@apps/citizen-pwa/src/hooks/useSubmissionMachine.ts`:
- Around line 142-144: In useSubmissionMachine.ts, the empty catch after the
Background Sync registration swallows errors; update the catch in the Background
Sync registration block (the try/catch around registering sync) to log the
caught error with context instead of ignoring it — e.g., capture the thrown
error and call the project logger or console.error with a descriptive message
including that the Background Sync registration failed and include the error
object and any relevant state (e.g., scope or registration info) to aid
debugging.

In `@apps/citizen-pwa/src/services/callables.test.ts`:
- Around line 18-37: Add a negative test that simulates a malformed response
from the callable and asserts requestDataExport rejects/throws; specifically,
create a new it(...) that sets mockCall = vi.fn().mockResolvedValue({ data: { /*
missing or invalid fields, e.g. downloadUrl: null or missing expiresAt */ } })
and mockHttpsCallable.mockReturnValue(mockCall), then call await
expect(requestDataExport()).rejects.toThrow() (or the specific error your
validator throws) and also assert mockHttpsCallable was called with
('mocked-functions', 'requestDataExport') and mockCall was invoked; place this
alongside the existing happy-path test for requestDataExport.

In `@functions/src/callables/request-data-export.ts`:
- Around line 166-168: The empty catch in the media URL signing block inside
request-data-export.ts swallows all errors; update the try/catch to catch the
error (e.g., catch (err)), log the error with context (item id/storagePath and
operation like "signing media URL") using the existing logger (or
console.error), and only suppress/omit the URL for expected "not found" errors
while rethrowing or surfacing unexpected errors so regressions are visible;
locate the try/catch that attempts to sign storage URLs in the
request-data-export handler and replace the silent catch with this conditional
logging/handling.

---

Duplicate comments:
In `@apps/citizen-pwa/public/sw.js`:
- Line 116: The service worker is serializing reporterUid incorrectly and
usually falling back to '' because the Draft shape in
apps/citizen-pwa/src/services/draft-store.ts doesn't define
reporterUid/reporterId; update the mapping in sw.js to derive reporterUid from
the actual Draft reporter object first (e.g., check draft.reporter?.uid), then
fall back to draft.reporterUid and draft.reporterId, and finally an empty
string; update the line that sets reporterUid so it reads the reporter.uid when
available to keep queued payloads consistent with in-app submission payloads.

In `@apps/citizen-pwa/src/hooks/useResumeRegistration.ts`:
- Around line 27-45: When handling auth state in the onAuthStateChanged
callback, ensure you clear the shared latestUid before any early return so stale
UIDs can't pass later checks in the asynchronous getDoc()/then/catch handlers;
update the callback in useResumeRegistration to set latestUid = undefined (or
null/empty string as used elsewhere) immediately when returning for !user,
user.isAnonymous, or missing phoneNumber, keeping the assignment latestUid =
user.uid only for valid phone-linked users and leaving the getDoc()/navigate
logic unchanged.

In `@apps/citizen-pwa/src/lib/__tests__/imageCompress.test.ts`:
- Around line 13-28: The tests only assert that compressImage(...) returns a
Promise; update both cases to stub the environment (Image and canvas
drawImage/toBlob) so the compression path actually runs, await the Promise from
compressImage(largeFile) and assert the resolved value is a Blob or File (or has
a size and type), and specifically assert the compressed output size is smaller
than the original and the MIME type remains image/jpeg; do the same for the
variant call compressImage(file, { maxEdge: 800, quality: 0.5 }) to await and
assert resolved output matches expected shape and constraints; use the test
helpers/stubs appropriate for happy-dom so the image/canvas operations do not
hang and the assertions validate real compression behavior.