feat(form-builder): API resources with FieldAccessService filtering

Phase 4 of S2b. Nine resources that shape the universal form builder responses. FieldAccessService::filterVisibleFields gates every field array — the primary defence tested by FormResourceSecurityTest (§22.9). - FormSchemaResource: includes fields_count, submissions_count, has_submissions, is_locked (derived from edit_lock_*), public_form_url when public_token is set, and filtered fields collection. - FormSchemaSummaryResource: lean list-endpoint variant. - FormFieldResource: effective_label / help_text / options resolved via FormLocaleResolver + translations JSON, plus TAG_PICKER available_tags filtered by validation_rules.tag_categories. - FormSubmissionResource: values keyed by field slug with FieldAccessService filtering, section_statuses, active delegations, review_info, submitted_in_locale, submission_duration_seconds. - FormSubmissionSummaryResource: lean list variant. - FormTemplateResource, FormFieldLibraryResource. - PublicFormSchemaResource: strictly limited per §10 — only is_portal_visible=true AND is_admin_only=false fields, no PII hints, no role_restrictions, no submissions_count. - FormSchemaWebhookResource: url/secret never returned; only url_host + has_secret boolean. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-17 21:13:40 +02:00
parent ab84850089
commit 4b7e66b83f
10 changed files with 596 additions and 0 deletions
--- a/api/app/Http/Resources/FormBuilder/FormFieldLibraryResource.php
+++ b/api/app/Http/Resources/FormBuilder/FormFieldLibraryResource.php
@@ -0,0 +1,41 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Resources\FormBuilder;
+
+use App\Models\FormBuilder\FormFieldLibrary;
+use Illuminate\Http\Request;
+use Illuminate\Http\Resources\Json\JsonResource;
+
+/**
+ * @mixin FormFieldLibrary
+ */
+final class FormFieldLibraryResource extends JsonResource
+{
+    /**
+     * @return array<string, mixed>
+     */
+    public function toArray(Request $request): array
+    {
+        return [
+            'id' => $this->id,
+            'organisation_id' => $this->organisation_id,
+            'name' => $this->name,
+            'slug' => $this->slug,
+            'field_type' => $this->field_type,
+            'label' => $this->label,
+            'help_text' => $this->help_text,
+            'options' => $this->options,
+            'validation_rules' => $this->validation_rules,
+            'default_is_required' => (bool) $this->default_is_required,
+            'default_is_filterable' => (bool) $this->default_is_filterable,
+            'default_binding' => $this->default_binding,
+            'translations' => $this->translations,
+            'description' => $this->description,
+            'usage_count' => (int) ($this->usage_count ?? 0),
+            'is_system' => (bool) $this->is_system,
+            'is_active' => (bool) $this->is_active,
+        ];
+    }
+}