feat(form-builder): public draft/save/submit split + sub-endpoints + validation

S2c D2, D3, D4, D8 — the meat of the public API rewrite.

Draft / save / submit split (D4):
- POST /public/forms/{public_token}/submissions
    Creates a draft. idempotency_key is now REQUIRED; second POST with
    the same key returns the existing draft (HTTP 200 vs 201 for fresh).
    UniqueConstraintViolationException caught for race-safe replay.
- PUT /public/forms/{public_token}/submissions/{submission_id}
    Auto-save. Partial updates only — each PUT writes just the
    slugs in the body. Status stays 'draft'; auto_save_count++.
- POST /public/forms/{public_token}/submissions/{submission_id}/submit
    Final submission. Merges body values with already-saved values,
    runs strict rule set against the merged map, then calls
    FormSubmissionService::submit which fires the lifecycle events
    (tag sync, identity match). Rate-limited per IP per token per hour.

Access rules: submission must belong to the resolved schema; status
must be 'draft' (409 SUBMISSION_ALREADY_SUBMITTED otherwise); schema
still accepting submissions.

Sub-endpoints (D2, D3):
- GET /public/forms/{public_token}/time-slots
    Volunteer-only, festival-aware (parent + children). Reads straight
    from TimeSlot model — no org-coupled service to extract from. Out:
    {id, name, date, start_time, end_time, duration_hours, event_id,
    event_name}.
- GET /public/forms/{public_token}/sections
    show_in_registration=true, type=standard, deduplicated by name
    across festival children.

Dynamic per-field validation (D8):
- FormFieldRuleBuilder builds Laravel rule arrays from form_fields.
  strict() enforces is_required + in:options + type rules (email,
  url, numeric, date, boolean, phone regex); relaxed() is the
  auto-save variant that drops required-ness.
- StartPublicDraftRequest (required idempotency_key),
  SavePublicDraftRequest (relaxed rules, values optional),
  SubmitPublicSubmissionRequest (relaxed rules at body level — the
  controller merges the body with saved values and runs the strict
  validator on the full map so submit with an empty body still
  passes when everything was auto-saved).
- FormValueService backs the request layer up with deeper enforcement
  of validation_rules JSON (min/max/regex) + is_unique. Throws
  FieldValidationException (422) which renders via the D6 envelope.

PublicFormTokenResolver centralises the grace-window logic; every
public endpoint resolves through it so the standardised exceptions
bubble uniformly.

Routes: 6 total under /public/forms/ (up from 2). Tests:
PublicFormApiTest's existing submit test retrofitted to the three-step
flow; 857 tests still green.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

api/routes/api.php

@@ -97,10 +97,25 @@ Route::post('verify-email-change', [EmailChangeController::class, 'verify']);
 Route::post('public/check-email', CheckEmailController::class)->middleware('throttle:10,1');
 Route::post('portal/token-auth', [PortalTokenController::class, 'auth'])->middleware('throttle:10,1');
 
-// Public Form Builder routes (no auth — token-based, rate-limited per ARCH §10)
+// Public Form Builder routes (no auth — token-based, rate-limited per ARCH §10).
+// S2c D4: draft/save/submit split into three separate endpoints.
 Route::middleware('throttle:30,1')->group(function (): void {
     Route::get('public/forms/{public_token}', [PublicFormController::class, 'show']);
-    Route::post('public/forms/{public_token}/submissions', [PublicFormController::class, 'submit']);
+    Route::get('public/forms/{public_token}/time-slots', [PublicFormController::class, 'timeSlots']);
+    Route::get('public/forms/{public_token}/sections', [PublicFormController::class, 'sections']);
+
+    Route::post(
+        'public/forms/{public_token}/submissions',
+        [\App\Http\Controllers\Api\V1\FormBuilder\PublicFormSubmissionController::class, 'store'],
+    );
+    Route::put(
+        'public/forms/{public_token}/submissions/{submission_id}',
+        [\App\Http\Controllers\Api\V1\FormBuilder\PublicFormSubmissionController::class, 'update'],
+    );
+    Route::post(
+        'public/forms/{public_token}/submissions/{submission_id}/submit',
+        [\App\Http\Controllers\Api\V1\FormBuilder\PublicFormSubmissionController::class, 'submit'],
+    );
 });
 
 // Platform Admin routes