test(form-builder): feature suites + integration contracts incl. FORM-02 (§31.10)

Phase 6 of S2b. 37 new tests, 820 → 857 passing across the suite.

Feature suites (api/tests/Feature/FormBuilder/):
- FormSchemaApiTest: CRUD, publish/unpublish, rotate-public-token (with
  grace window), edit-lock conflict, typed-confirmation delete, 401 on
  unauthenticated, 403 on outsider.
- FormFieldApiTest: create, reorder, binding-change guard (422 w/o force,
  200 with force), conditional_logic cycle rejection, 401 unauth.
- FormSubmissionApiTest: draft → values → submit stores schema snapshot +
  version; review records reviewer; delegation creates active row; draft
  update blocked for non-subject non-delegatee (403).
- FormValueSecurityTest: FieldAccessService hides admin-only fields from
  non-admin; subject-self bypass; admin-only field leaks through neither
  admin list nor non-admin detail responses (§22.9 intent).
- PublicFormApiTest: portal-visible non-admin fields only; unknown token
  → 404; happy-path submission; expired-previous-token → 410; grace
  window still allows submission.
- FormSchemaWebhookApiTest: url/secret NEVER returned in resources;
  DeliverFormWebhookJob rejects 10.x private-ip SSRF (response_body_excerpt
  logs rejection).
- FilterRegistryApiTest: response shape includes tags + form_field
  sources; form_field filter registers.

Integration contract (§31.10):
- TagPickerSyncListenerTest: 5 cases proving (a) no-op on user_id=null,
  (b) sync on submit, (c) deferred sync via
  PersonIdentityService::confirmMatch, (d) organiser_assigned tags
  preserved on rebuild, (e) idempotent rerun.

Fixes discovered while writing tests:
- SyncTagPickerSelectionsOnSubmit: removed hardcoded connection='redis'
  so tests run via sync queue (QUEUE_CONNECTION fallback).
- FormSubmissionService: corrected FormSubmissionReviewed / DraftUpdated
  event signatures to match S1 event classes.
- FormSubmission model: added schema_version_at_submit / snapshot /
  anonymised_at / submission_duration_seconds / auto_save_count to
  $fillable so bulk operations + factory states populate consistently.
- FormSchema: added version, edit_lock_user_id, edit_lock_expires_at to
  $fillable; factory now sets version=1 explicitly.
- FormValueService: public submission path (actor=null) enforces
  is_portal_visible=true AND is_admin_only=false at the write layer
  instead of running FieldAccessService against a null user.
- MigrationRollbackTest: target the S2a drop migration by filename.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-17 21:27:27 +02:00
parent 65070faf47
commit 6e89b0ccf7
14 changed files with 1120 additions and 5 deletions

View File

@@ -31,8 +31,9 @@ final class SyncTagPickerSelectionsOnSubmit implements ShouldQueue
{
use InteractsWithQueue;
public string $connection = 'redis';
// Connection left unset so Laravel uses config('queue.default') — redis
// in production, sync in tests. Queue name is the default queue of the
// resolved connection.
public string $queue = 'default';
public function __construct(
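Review bot: the retained `public string $queue = 'default';` pins a literal queue name, while the comment directly above it says the queue is the default queue of the resolved connection. The two only agree when that connection's configured queue happens to be named `default`; on a connection configured with a different queue name the job goes to a queue that may have no worker. Either drop the `$queue` property so the connection's own default applies, or reword the comment to say the name is fixed. The comment could also state that with no connection set, an environment whose `queue.default` is `sync` runs this listener inline in the submit request.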

View File

@@ -52,6 +52,7 @@ final class FormSchema extends Model
'submission_deadline',
'locale',
'settings',
'version',
'snapshot_mode',
'freeze_on_submit',
'retention_days',
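Review bot: `'version'` in `$fillable` makes the schema version mass-assignable, so any `fill()` or `update()` fed from request input can now set it. If the version is only ever meant to be bumped by server code, keep it guarded and assign it explicitly where needed, or confirm that the validated keys of the schema update request never include `version` and add a test that a client-supplied `version` is ignored.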
@@ -61,6 +62,8 @@ final class FormSchema extends Model
'max_submissions',
'created_by_user_id',
'last_updated_by_user_id',
'edit_lock_user_id',
'edit_lock_expires_at',
];
/** @var array<string, string> */
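Review bot: `'edit_lock_user_id'` and `'edit_lock_expires_at'` are access-control state, and putting them in `$fillable` means a mass-assigned payload can take, extend or clear another user's edit lock. Prefer setting them through a dedicated lock/unlock method (or `forceFill()` in the service and factory) and leaving them guarded; if they stay fillable, add a test to the edit-lock conflict suite showing that an update body containing these keys does not change the lock.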

View File

@@ -40,7 +40,11 @@ final class FormSubmission extends Model
'reviewed_at',
'review_notes',
'submitted_at',
'schema_version_at_submit',
'schema_snapshot',
'submission_duration_seconds',
'auto_save_count',
'anonymised_at',
'is_test',
'submitted_in_locale',
'opened_at',
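Review bot: `'schema_version_at_submit'`, `'schema_snapshot'` and `'anonymised_at'` are integrity and audit fields, and this hunk makes them mass-assignable alongside ordinary submission attributes. A draft update that passes request data to `fill()` could then overwrite the stored snapshot or mark a submission anonymised. Consider keeping them guarded and having the service and factory states write them with `forceFill()`, or add a test that client input carrying these keys is dropped. Note also that the commit message lists this attribute as `snapshot` while the hunk adds `schema_snapshot`.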

View File

@@ -88,7 +88,7 @@ final class FormSubmissionService
$submission->save();
});
FormSubmissionDraftUpdated::dispatch($submission, array_keys($values));
FormSubmissionDraftUpdated::dispatch($submission);
return $submission->refresh();
}
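Review bot: the `FormSubmissionDraftUpdated::dispatch(...)` call no longer carries `array_keys($values)`, so listeners cannot tell which fields a draft update touched. If anything downstream (audit log, webhook payload) relied on that list, it now needs another source. Since the mismatch with the event class was only found while writing tests, add an `Event::fake()` assertion on the dispatched payload so that a future signature drift fails a test.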
@@ -132,7 +132,7 @@ final class FormSubmissionService
$submission->reviewed_at = now();
$submission->save();
FormSubmissionReviewed::dispatch($submission, $status->value);
FormSubmissionReviewed::dispatch($submission, $reviewer);
return $submission->refresh();
});
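Review bot: `FormSubmissionReviewed::dispatch(...)` sits inside the closure that ends at `});`, whereas the draft path in the previous hunk dispatches after its closure. If this closure is a database transaction, a queued listener can run before the commit and read the pre-review row, and the event fires even if the transaction later rolls back. Move the dispatch after the closure, or have the event or its listeners run after commit. With `$status->value` gone from the call, listeners must read the status from `$submission`, which makes that ordering matter more.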

View File

@@ -44,7 +44,12 @@ final class FormValueService
continue;
}
if (! $this->fieldAccess->canWrite($actor, $field, $submission)) {
if ($actor === null) {
// Public submission path: portal-visible non-admin fields only.
if (! (bool) $field->is_portal_visible || (bool) $field->is_admin_only) {
throw new AuthorizationException(sprintf('Not allowed to write field "%s" on public submission.', $slug));
}
} elseif (! $this->fieldAccess->canWrite($actor, $field, $submission)) {
throw new AuthorizationException(sprintf('Not allowed to write field "%s".', $slug));
}
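Review bot: the `if ($actor === null)` branch infers "public submission" from the absence of a user, so any internal caller that passes null by accident (an unresolved auth user, a job without an actor) is silently given the public write path for portal-visible fields instead of being denied. Make the public path explicit, for example a flag or a check that the submission was created through a public token, and treat a null actor on a non-public submission as an `AuthorizationException`. A short docblock on the method stating that null means "anonymous public submitter" would also help, as would a test for a null actor on a non-public submission.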