fix(form-builder): canonicalize JSON for byte-stable storage (WS-6)

MySQL 8.0 JSON columns may reorder associative-array keys on round-trip. For audit-immutable values (schema snapshots, webhook payloads, activity log diffs), this is corrupting: re-emits produce different byte sequences for the same logical content. Introduced JsonCanonicalizer (recursive ksort on associative arrays; numeric-indexed lists preserve order) and applied at every writer site that produces byte-stable JSON: - FormSubmissionService: canonicalize the schema_snapshot array before storage (audit-immutable per ARCH §4.3, RFC-WS-6 v1.1). - FormField::logFieldChange / FormSchema::logSchemaChange: canonicalize activity-log properties before withProperties() so old/new diffs read back byte-stable. - BindingActivityLogger: canonicalize both the pass-level and per-binding activity properties. - FormWebhookDispatcher: canonicalize payload_snapshot before storage (delivery-time HMAC re-encodes the same canonical bytes). - DeliverFormWebhookJob: switched json_encode to JsonCanonicalizer::encode for the HMAC-signed body, so the signature is byte-stable across re-deliveries and reproducible by receivers from the same logical payload. Sites NOT canonicalized (deliberate): - form_schemas.settings — opaque UI config; key order has no semantic meaning, no byte-stability requirement. - form_schemas.translations / form_fields.translations — read by display layer; key order doesn't matter. - form_templates.schema_snapshot — user-supplied input via store/ update; user is the source of truth, not audit-immutable in the same way as form_submissions.schema_snapshot. Reverted the 7 assertEquals workarounds from session 2.6: - ConditionalLogicActivityLogPayloadTest - ConditionalLogicBackfillTest::test_rollback_reconstructs_canonical_json - FormFieldBindingMigrationTest::test_rollback_reconstructs_json_and_drops_table - FormFieldOptionServiceAndScopeTest::test_replace_options_emits_activity_log_on_field_only - FormFieldOptionsActivityLogTest::test_field_updated_payload_contains_options_diff_when_options_change - FormFieldOptionsBackfillTest::test_forward_migration_backfills_rows_strips_translations_and_rewrites_snapshot - FormFieldOptionsSnapshotAndStrictRequestTest::test_submission_snapshot_embeds_rich_shape_options Each now uses assertSame on JsonCanonicalizer::encode of both sides — byte-stable comparison meaningful regardless of MySQL JSON storage behavior. New regression test SchemaSnapshotByteStableAcrossReemitsTest exercises the contract end-to-end: complex schema with bindings, validation rules, options, conditional logic, submitted; reads schema_snapshot via three roads (Eloquent cast, fresh model, raw bytes) and asserts the canonical encode is identical. ARCH-FORM-BUILDER.md §4.6.1 gets a "Byte-stability" sub-section explaining what's canonicalized and why. Test count: 1388 → 1400 (+11 JsonCanonicalizer unit, +1 snapshot regression). Larastan clean. Rector dry-run unchanged at 355. Refs: WS-6 session 2.6 deviation #4 cleanup, RFC-WS-6 v1.1 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-28 13:51:38 +02:00
parent 0afbd36bf7
commit a791a276fa
17 changed files with 488 additions and 82 deletions
--- a/api/tests/Feature/FormBuilder/ConditionalLogic/ConditionalLogicActivityLogPayloadTest.php
+++ b/api/tests/Feature/FormBuilder/ConditionalLogic/ConditionalLogicActivityLogPayloadTest.php
@@ -10,6 +10,7 @@ use App\Models\Organisation;
 use App\Models\User;
 use App\Services\FormBuilder\FormFieldConditionalLogicService;
 use App\Services\FormBuilder\FormFieldService;
+use App\Support\Json\JsonCanonicalizer;
 use Illuminate\Foundation\Testing\RefreshDatabase;
 use Spatie\Activitylog\Models\Activity;
 use Tests\TestCase;
@@ -75,18 +76,17 @@ final class ConditionalLogicActivityLogPayloadTest extends TestCase
        $this->assertNotNull($updated, 'field.updated row must exist');

        $properties = $updated->properties;
-        // Structural comparison (assertEquals): MySQL JSON columns may
-        // return associative-array keys in a different order than they were
-        // inserted; semantically the data is unchanged, so use loose
-        // equality. Strict json_encode comparison would couple this test to
-        // a specific DB engine's JSON key-order normalization.
-        $this->assertEquals(
-            $oldShape,
-            $properties->get('old')['conditional_logic'] ?? null,
+        // RFC-WS-6 session 2.7: canonicalized writes give byte-stable
+        // round-trip; both sides go through JsonCanonicalizer::encode so
+        // assertSame compares bytes regardless of MySQL key-order
+        // normalization on the JSON column read.
+        $this->assertSame(
+            JsonCanonicalizer::encode($oldShape),
+            JsonCanonicalizer::encode($properties->get('old')['conditional_logic'] ?? null),
        );
-        $this->assertEquals(
-            $newShape,
-            $properties->get('new')['conditional_logic'] ?? null,
+        $this->assertSame(
+            JsonCanonicalizer::encode($newShape),
+            JsonCanonicalizer::encode($properties->get('new')['conditional_logic'] ?? null),
        );

        $semantic = Activity::query()
--- a/api/tests/Feature/FormBuilder/ConditionalLogic/ConditionalLogicBackfillTest.php
+++ b/api/tests/Feature/FormBuilder/ConditionalLogic/ConditionalLogicBackfillTest.php
@@ -6,6 +6,7 @@ namespace Tests\Feature\FormBuilder\ConditionalLogic;

 use App\Models\FormBuilder\FormSchema;
 use App\Models\Organisation;
+use App\Support\Json\JsonCanonicalizer;
 use Illuminate\Foundation\Testing\RefreshDatabaseState;
 use Illuminate\Support\Facades\Artisan;
 use Illuminate\Support\Facades\DB;
@@ -176,20 +177,24 @@ final class ConditionalLogicBackfillTest extends TestCase
            ->value('conditional_logic');
        $this->assertNotNull($reconstructed);
        $json = json_decode((string) $reconstructed, true);
-        // assertEquals: MySQL JSON columns may reorder associative-array
-        // keys on round-trip; structural equality is the contract here.
-        $this->assertEquals([
-            'show_when' => [
-                'all' => [
-                    ['field_slug' => 'gate', 'operator' => 'equals', 'value' => 'yes'],
-                    [
-                        'any' => [
-                            ['field_slug' => 'region', 'operator' => 'equals', 'value' => 'NL'],
+        // RFC-WS-6 session 2.7: migration's down() reconstructs JSON via
+        // raw DB writer (not the canonicalizing service). Compare on
+        // canonical form so the assertion is engine-agnostic.
+        $this->assertSame(
+            JsonCanonicalizer::encode([
+                'show_when' => [
+                    'all' => [
+                        ['field_slug' => 'gate', 'operator' => 'equals', 'value' => 'yes'],
+                        [
+                            'any' => [
+                                ['field_slug' => 'region', 'operator' => 'equals', 'value' => 'NL'],
+                            ],
                        ],
                    ],
                ],
-            ],
-        ], $json);
+            ]),
+            JsonCanonicalizer::encode($json),
+        );

        // Relational tables cleared after reconstruction.
        $this->assertSame(0, DB::table('form_field_conditional_logic_groups')->count());