feat(form-builder): public draft/save/submit split + sub-endpoints + validation

S2c D2, D3, D4, D8 — the meat of the public API rewrite.

Draft / save / submit split (D4):
- POST /public/forms/{public_token}/submissions
    Creates a draft. idempotency_key is now REQUIRED; second POST with
    the same key returns the existing draft (HTTP 200 vs 201 for fresh).
    UniqueConstraintViolationException caught for race-safe replay.
- PUT /public/forms/{public_token}/submissions/{submission_id}
    Auto-save. Partial updates only — each PUT writes just the
    slugs in the body. Status stays 'draft'; auto_save_count++.
- POST /public/forms/{public_token}/submissions/{submission_id}/submit
    Final submission. Merges body values with already-saved values,
    runs strict rule set against the merged map, then calls
    FormSubmissionService::submit which fires the lifecycle events
    (tag sync, identity match). Rate-limited per IP per token per hour.

Access rules: submission must belong to the resolved schema; status
must be 'draft' (409 SUBMISSION_ALREADY_SUBMITTED otherwise); schema
still accepting submissions.

Sub-endpoints (D2, D3):
- GET /public/forms/{public_token}/time-slots
    Volunteer-only, festival-aware (parent + children). Reads straight
    from TimeSlot model — no org-coupled service to extract from. Out:
    {id, name, date, start_time, end_time, duration_hours, event_id,
    event_name}.
- GET /public/forms/{public_token}/sections
    show_in_registration=true, type=standard, deduplicated by name
    across festival children.

Dynamic per-field validation (D8):
- FormFieldRuleBuilder builds Laravel rule arrays from form_fields.
  strict() enforces is_required + in:options + type rules (email,
  url, numeric, date, boolean, phone regex); relaxed() is the
  auto-save variant that drops required-ness.
- StartPublicDraftRequest (required idempotency_key),
  SavePublicDraftRequest (relaxed rules, values optional),
  SubmitPublicSubmissionRequest (relaxed rules at body level — the
  controller merges the body with saved values and runs the strict
  validator on the full map so submit with an empty body still
  passes when everything was auto-saved).
- FormValueService backs the request layer up with deeper enforcement
  of validation_rules JSON (min/max/regex) + is_unique. Throws
  FieldValidationException (422) which renders via the D6 envelope.

PublicFormTokenResolver centralises the grace-window logic; every
public endpoint resolves through it so the standardised exceptions
bubble uniformly.

Routes: 6 total under /public/forms/ (up from 2). Tests:
PublicFormApiTest's existing submit test retrofitted to the three-step
flow; 857 tests still green.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

api/app/Http/Requests/Api/V1/FormBuilder/SavePublicDraftRequest.php

@@ -0,0 +1,57 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Requests\Api\V1\FormBuilder;
+
+use App\Models\FormBuilder\FormSchema;
+use App\Services\FormBuilder\FormFieldRuleBuilder;
+use App\Services\FormBuilder\PublicFormTokenResolver;
+use Illuminate\Foundation\Http\FormRequest;
+
+/**
+ * Body for `PUT /api/v1/public/forms/{public_token}/submissions/{id}`.
+ * Auto-save endpoint — relaxed rule set per S2c D8. Only the field
+ * slugs present in the body are written; everything is nullable.
+ */
+final class SavePublicDraftRequest extends FormRequest
+{
+    public function authorize(): bool
+    {
+        return true;
+    }
+
+    /**
+     * @return array<string, mixed>
+     */
+    public function rules(): array
+    {
+        $base = [
+            'values' => ['sometimes', 'array'],
+            'first_interacted_at' => ['nullable', 'date'],
+        ];
+
+        $schema = $this->resolveSchema();
+        if (! $schema instanceof FormSchema) {
+            return $base;
+        }
+
+        return array_merge(
+            $base,
+            app(FormFieldRuleBuilder::class)->relaxed($schema),
+        );
+    }
+
+    private function resolveSchema(): ?FormSchema
+    {
+        $token = (string) $this->route('public_token');
+        if ($token === '') {
+            return null;
+        }
+        try {
+            return app(PublicFormTokenResolver::class)->resolve($token);
+        } catch (\Throwable) {
+            return null;
+        }
+    }
+}

api/app/Http/Requests/Api/V1/FormBuilder/StartPublicDraftRequest.php

@@ -0,0 +1,37 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Requests\Api\V1\FormBuilder;
+
+use Illuminate\Foundation\Http\FormRequest;
+
+/**
+ * Body for `POST /api/v1/public/forms/{public_token}/submissions` (S2c D4).
+ * Creates a draft. Contains no field values — values are written later
+ * via PUT (auto-save) or POST /submit.
+ *
+ * `idempotency_key` is REQUIRED: duplicate POSTs with the same key must
+ * return the existing draft rather than create a second one.
+ */
+final class StartPublicDraftRequest extends FormRequest
+{
+    public function authorize(): bool
+    {
+        return true;
+    }
+
+    /**
+     * @return array<string, mixed>
+     */
+    public function rules(): array
+    {
+        return [
+            'idempotency_key' => ['required', 'string', 'min:6', 'max:30'],
+            'opened_at' => ['nullable', 'date'],
+            'submitted_in_locale' => ['nullable', 'string', 'max:10'],
+            'public_submitter_name' => ['nullable', 'string', 'max:150'],
+            'public_submitter_email' => ['nullable', 'email', 'max:255'],
+        ];
+    }
+}

api/app/Http/Requests/Api/V1/FormBuilder/SubmitPublicSubmissionRequest.php

@@ -0,0 +1,63 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Requests\Api\V1\FormBuilder;
+
+use App\Models\FormBuilder\FormSchema;
+use App\Services\FormBuilder\FormFieldRuleBuilder;
+use App\Services\FormBuilder\PublicFormTokenResolver;
+use Illuminate\Foundation\Http\FormRequest;
+
+/**
+ * Body for `POST /api/v1/public/forms/{public_token}/submissions/{id}/submit`.
+ *
+ * The FormRequest validates the request body in isolation using the
+ * *relaxed* rule set, because the controller merges the body with any
+ * values already saved via earlier PUT calls and runs the strict rule
+ * set on the merged value map before actually submitting.
+ *
+ * Upshot: a submit call with an empty body but all values auto-saved
+ * during drafting still passes at the request layer.
+ */
+final class SubmitPublicSubmissionRequest extends FormRequest
+{
+    public function authorize(): bool
+    {
+        return true;
+    }
+
+    /**
+     * @return array<string, mixed>
+     */
+    public function rules(): array
+    {
+        $base = [
+            'values' => ['sometimes', 'array'],
+            'captcha_token' => ['nullable', 'string', 'max:2000'],
+        ];
+
+        $schema = $this->resolveSchema();
+        if (! $schema instanceof FormSchema) {
+            return $base;
+        }
+
+        return array_merge(
+            $base,
+            app(FormFieldRuleBuilder::class)->relaxed($schema),
+        );
+    }
+
+    private function resolveSchema(): ?FormSchema
+    {
+        $token = (string) $this->route('public_token');
+        if ($token === '') {
+            return null;
+        }
+        try {
+            return app(PublicFormTokenResolver::class)->resolve($token);
+        } catch (\Throwable) {
+            return null;
+        }
+    }
+}