From ab84850089ad773d67e53b35416c58222f281918 Mon Sep 17 00:00:00 2001
From: "bert.hausmans" <bert@hausmans.nl>
Date: Fri, 17 Apr 2026 21:08:49 +0200
Subject: [PATCH] feat(form-builder): policies and form requests with scoped
 exists rules
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Phase 3 of S2b. Six policies and fifteen form requests for the universal
form builder. Every exists: rule is scoped to the route's organisation
or form_schema to close the A01-5..18 findings from SECURITY_AUDIT.md.

Policies (api/app/Policies/FormBuilder/):
- FormSchemaPolicy, FormFieldPolicy, FormFieldLibraryPolicy,
  FormTemplatePolicy, FormSubmissionPolicy, FormSchemaWebhookPolicy.
- FormSubmissionPolicy honours subject-self (user / person.user_id
  match / submitted_by_user_id) and active delegations, per §18.3.
- No `return true` placeholders — each method checks org membership and
  role via Spatie's hasRole().

Form Requests (api/app/Http/Requests/Api/V1/FormBuilder/):
- Schema: Store/UpdateFormSchemaRequest, RotatePublicTokenRequest.
- Fields: Store/UpdateFormFieldRequest, ReorderFormFieldsRequest (field
  ids scoped to the route schema), InsertLibraryFieldRequest (library
  scoped to the route organisation).
- Templates: Store/UpdateFormTemplateRequest.
- Field library: Store/UpdateFormFieldLibraryRequest.
- Submissions: CreateFormSubmissionRequest, UpsertFormValuesRequest
  (slug allow-list derived from schema), SubmitFormSubmissionRequest,
  ReviewFormSubmissionRequest, DelegateFormSubmissionRequest (delegatee
  scoped to organisation pivot).
- Webhooks: Store/UpdateFormSchemaWebhookRequest.
- Public: PublicSubmissionRequest (captcha_token collected here,
  enforcement in controller per config('form_builder.captcha')).

All enum validation routes through the existing PHP enums from S1.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .../CreateFormSubmissionRequest.php           |  34 +++++
 .../DelegateFormSubmissionRequest.php         |  34 +++++
 .../FormBuilder/InsertLibraryFieldRequest.php |  38 ++++++
 .../FormBuilder/PublicSubmissionRequest.php   |  29 ++++
 .../FormBuilder/ReorderFormFieldsRequest.php  |  34 +++++
 .../ReviewFormSubmissionRequest.php           |  28 ++++
 .../FormBuilder/RotatePublicTokenRequest.php  |  25 ++++
 .../StoreFormFieldLibraryRequest.php          |  46 +++++++
 .../V1/FormBuilder/StoreFormFieldRequest.php  |  67 +++++++++
 .../V1/FormBuilder/StoreFormSchemaRequest.php |  51 +++++++
 .../StoreFormSchemaWebhookRequest.php         |  35 +++++
 .../FormBuilder/StoreFormTemplateRequest.php  |  34 +++++
 .../SubmitFormSubmissionRequest.php           |  26 ++++
 .../UpdateFormFieldLibraryRequest.php         |  46 +++++++
 .../V1/FormBuilder/UpdateFormFieldRequest.php |  64 +++++++++
 .../FormBuilder/UpdateFormSchemaRequest.php   |  46 +++++++
 .../UpdateFormSchemaWebhookRequest.php        |  35 +++++
 .../FormBuilder/UpdateFormTemplateRequest.php |  31 +++++
 .../FormBuilder/UpsertFormValuesRequest.php   |  53 ++++++++
 .../FormBuilder/FormFieldLibraryPolicy.php    |  64 +++++++++
 .../Policies/FormBuilder/FormFieldPolicy.php  |  42 ++++++
 .../Policies/FormBuilder/FormSchemaPolicy.php |  91 +++++++++++++
 .../FormBuilder/FormSchemaWebhookPolicy.php   |  37 +++++
 .../FormBuilder/FormSubmissionPolicy.php      | 127 ++++++++++++++++++
 .../FormBuilder/FormTemplatePolicy.php        |  78 +++++++++++
 25 files changed, 1195 insertions(+)
 create mode 100644 api/app/Http/Requests/Api/V1/FormBuilder/CreateFormSubmissionRequest.php
 create mode 100644 api/app/Http/Requests/Api/V1/FormBuilder/DelegateFormSubmissionRequest.php
 create mode 100644 api/app/Http/Requests/Api/V1/FormBuilder/InsertLibraryFieldRequest.php
 create mode 100644 api/app/Http/Requests/Api/V1/FormBuilder/PublicSubmissionRequest.php
 create mode 100644 api/app/Http/Requests/Api/V1/FormBuilder/ReorderFormFieldsRequest.php
 create mode 100644 api/app/Http/Requests/Api/V1/FormBuilder/ReviewFormSubmissionRequest.php
 create mode 100644 api/app/Http/Requests/Api/V1/FormBuilder/RotatePublicTokenRequest.php
 create mode 100644 api/app/Http/Requests/Api/V1/FormBuilder/StoreFormFieldLibraryRequest.php
 create mode 100644 api/app/Http/Requests/Api/V1/FormBuilder/StoreFormFieldRequest.php
 create mode 100644 api/app/Http/Requests/Api/V1/FormBuilder/StoreFormSchemaRequest.php
 create mode 100644 api/app/Http/Requests/Api/V1/FormBuilder/StoreFormSchemaWebhookRequest.php
 create mode 100644 api/app/Http/Requests/Api/V1/FormBuilder/StoreFormTemplateRequest.php
 create mode 100644 api/app/Http/Requests/Api/V1/FormBuilder/SubmitFormSubmissionRequest.php
 create mode 100644 api/app/Http/Requests/Api/V1/FormBuilder/UpdateFormFieldLibraryRequest.php
 create mode 100644 api/app/Http/Requests/Api/V1/FormBuilder/UpdateFormFieldRequest.php
 create mode 100644 api/app/Http/Requests/Api/V1/FormBuilder/UpdateFormSchemaRequest.php
 create mode 100644 api/app/Http/Requests/Api/V1/FormBuilder/UpdateFormSchemaWebhookRequest.php
 create mode 100644 api/app/Http/Requests/Api/V1/FormBuilder/UpdateFormTemplateRequest.php
 create mode 100644 api/app/Http/Requests/Api/V1/FormBuilder/UpsertFormValuesRequest.php
 create mode 100644 api/app/Policies/FormBuilder/FormFieldLibraryPolicy.php
 create mode 100644 api/app/Policies/FormBuilder/FormFieldPolicy.php
 create mode 100644 api/app/Policies/FormBuilder/FormSchemaPolicy.php
 create mode 100644 api/app/Policies/FormBuilder/FormSchemaWebhookPolicy.php
 create mode 100644 api/app/Policies/FormBuilder/FormSubmissionPolicy.php
 create mode 100644 api/app/Policies/FormBuilder/FormTemplatePolicy.php

diff --git a/api/app/Http/Requests/Api/V1/FormBuilder/CreateFormSubmissionRequest.php b/api/app/Http/Requests/Api/V1/FormBuilder/CreateFormSubmissionRequest.php
new file mode 100644
index 00000000..99cbb55a
--- /dev/null
+++ b/api/app/Http/Requests/Api/V1/FormBuilder/CreateFormSubmissionRequest.php
@@ -0,0 +1,34 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Requests\Api\V1\FormBuilder;
+
+use Illuminate\Foundation\Http\FormRequest;
+use Illuminate\Validation\Rule;
+
+final class CreateFormSubmissionRequest extends FormRequest
+{
+    public function authorize(): bool
+    {
+        return true;
+    }
+
+    /**
+     * @return array<string, mixed>
+     */
+    public function rules(): array
+    {
+        $allowedSubjects = array_keys((array) config('form_subjects', []));
+
+        return [
+            'subject_type' => ['nullable', Rule::in($allowedSubjects)],
+            'subject_id' => ['nullable', 'string', 'max:30', 'required_with:subject_type'],
+            'idempotency_key' => ['nullable', 'string', 'max:30'],
+            'is_test' => ['boolean'],
+            'opened_at' => ['nullable', 'date'],
+            'public_submitter_name' => ['nullable', 'string', 'max:150'],
+            'public_submitter_email' => ['nullable', 'email', 'max:255'],
+        ];
+    }
+}
diff --git a/api/app/Http/Requests/Api/V1/FormBuilder/DelegateFormSubmissionRequest.php b/api/app/Http/Requests/Api/V1/FormBuilder/DelegateFormSubmissionRequest.php
new file mode 100644
index 00000000..df9dbbea
--- /dev/null
+++ b/api/app/Http/Requests/Api/V1/FormBuilder/DelegateFormSubmissionRequest.php
@@ -0,0 +1,34 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Requests\Api\V1\FormBuilder;
+
+use App\Models\Organisation;
+use Illuminate\Foundation\Http\FormRequest;
+use Illuminate\Validation\Rule;
+
+final class DelegateFormSubmissionRequest extends FormRequest
+{
+    public function authorize(): bool
+    {
+        return true;
+    }
+
+    /**
+     * @return array<string, mixed>
+     */
+    public function rules(): array
+    {
+        $organisation = $this->route('organisation');
+        $orgId = $organisation instanceof Organisation ? $organisation->id : (string) $organisation;
+
+        return [
+            'delegated_to_user_id' => [
+                'required', 'string',
+                Rule::exists('organisation_user', 'user_id')->where('organisation_id', $orgId),
+            ],
+            'message' => ['nullable', 'string', 'max:1000'],
+        ];
+    }
+}
diff --git a/api/app/Http/Requests/Api/V1/FormBuilder/InsertLibraryFieldRequest.php b/api/app/Http/Requests/Api/V1/FormBuilder/InsertLibraryFieldRequest.php
new file mode 100644
index 00000000..0765e3d7
--- /dev/null
+++ b/api/app/Http/Requests/Api/V1/FormBuilder/InsertLibraryFieldRequest.php
@@ -0,0 +1,38 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Requests\Api\V1\FormBuilder;
+
+use App\Models\Organisation;
+use Illuminate\Foundation\Http\FormRequest;
+use Illuminate\Validation\Rule;
+
+final class InsertLibraryFieldRequest extends FormRequest
+{
+    public function authorize(): bool
+    {
+        return true;
+    }
+
+    /**
+     * @return array<string, mixed>
+     */
+    public function rules(): array
+    {
+        $organisation = $this->route('organisation');
+        $orgId = $organisation instanceof Organisation ? $organisation->id : (string) $organisation;
+
+        return [
+            'library_field_id' => [
+                'required', 'string',
+                Rule::exists('form_field_library', 'id')->where('organisation_id', $orgId),
+            ],
+            'overrides' => ['nullable', 'array'],
+            'overrides.label' => ['sometimes', 'string', 'max:255'],
+            'overrides.slug' => ['sometimes', 'string', 'max:100'],
+            'overrides.is_required' => ['sometimes', 'boolean'],
+            'overrides.sort_order' => ['sometimes', 'integer'],
+        ];
+    }
+}
diff --git a/api/app/Http/Requests/Api/V1/FormBuilder/PublicSubmissionRequest.php b/api/app/Http/Requests/Api/V1/FormBuilder/PublicSubmissionRequest.php
new file mode 100644
index 00000000..7d055fe4
--- /dev/null
+++ b/api/app/Http/Requests/Api/V1/FormBuilder/PublicSubmissionRequest.php
@@ -0,0 +1,29 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Requests\Api\V1\FormBuilder;
+
+use Illuminate\Foundation\Http\FormRequest;
+
+final class PublicSubmissionRequest extends FormRequest
+{
+    public function authorize(): bool
+    {
+        return true;
+    }
+
+    /**
+     * @return array<string, mixed>
+     */
+    public function rules(): array
+    {
+        return [
+            'values' => ['required', 'array'],
+            'public_submitter_name' => ['nullable', 'string', 'max:150'],
+            'public_submitter_email' => ['nullable', 'email', 'max:255'],
+            'captcha_token' => ['nullable', 'string', 'max:2000'],
+            'idempotency_key' => ['nullable', 'string', 'max:30'],
+        ];
+    }
+}
diff --git a/api/app/Http/Requests/Api/V1/FormBuilder/ReorderFormFieldsRequest.php b/api/app/Http/Requests/Api/V1/FormBuilder/ReorderFormFieldsRequest.php
new file mode 100644
index 00000000..12b95ae8
--- /dev/null
+++ b/api/app/Http/Requests/Api/V1/FormBuilder/ReorderFormFieldsRequest.php
@@ -0,0 +1,34 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Requests\Api\V1\FormBuilder;
+
+use App\Models\FormBuilder\FormSchema;
+use Illuminate\Foundation\Http\FormRequest;
+use Illuminate\Validation\Rule;
+
+final class ReorderFormFieldsRequest extends FormRequest
+{
+    public function authorize(): bool
+    {
+        return true;
+    }
+
+    /**
+     * @return array<string, mixed>
+     */
+    public function rules(): array
+    {
+        $schema = $this->route('form_schema');
+        $schemaId = $schema instanceof FormSchema ? $schema->id : (string) $schema;
+
+        return [
+            'field_ids' => ['required', 'array', 'min:1'],
+            'field_ids.*' => [
+                'string',
+                Rule::exists('form_fields', 'id')->where('form_schema_id', $schemaId),
+            ],
+        ];
+    }
+}
diff --git a/api/app/Http/Requests/Api/V1/FormBuilder/ReviewFormSubmissionRequest.php b/api/app/Http/Requests/Api/V1/FormBuilder/ReviewFormSubmissionRequest.php
new file mode 100644
index 00000000..d4be531d
--- /dev/null
+++ b/api/app/Http/Requests/Api/V1/FormBuilder/ReviewFormSubmissionRequest.php
@@ -0,0 +1,28 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Requests\Api\V1\FormBuilder;
+
+use App\Enums\FormBuilder\FormSubmissionReviewStatus;
+use Illuminate\Foundation\Http\FormRequest;
+use Illuminate\Validation\Rule;
+
+final class ReviewFormSubmissionRequest extends FormRequest
+{
+    public function authorize(): bool
+    {
+        return true;
+    }
+
+    /**
+     * @return array<string, mixed>
+     */
+    public function rules(): array
+    {
+        return [
+            'status' => ['required', Rule::in(array_map(fn ($c) => $c->value, FormSubmissionReviewStatus::cases()))],
+            'review_notes' => ['nullable', 'string'],
+        ];
+    }
+}
diff --git a/api/app/Http/Requests/Api/V1/FormBuilder/RotatePublicTokenRequest.php b/api/app/Http/Requests/Api/V1/FormBuilder/RotatePublicTokenRequest.php
new file mode 100644
index 00000000..ce4b0990
--- /dev/null
+++ b/api/app/Http/Requests/Api/V1/FormBuilder/RotatePublicTokenRequest.php
@@ -0,0 +1,25 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Requests\Api\V1\FormBuilder;
+
+use Illuminate\Foundation\Http\FormRequest;
+
+final class RotatePublicTokenRequest extends FormRequest
+{
+    public function authorize(): bool
+    {
+        return true;
+    }
+
+    /**
+     * @return array<string, mixed>
+     */
+    public function rules(): array
+    {
+        return [
+            'grace_days' => ['nullable', 'integer', 'min:0', 'max:30'],
+        ];
+    }
+}
diff --git a/api/app/Http/Requests/Api/V1/FormBuilder/StoreFormFieldLibraryRequest.php b/api/app/Http/Requests/Api/V1/FormBuilder/StoreFormFieldLibraryRequest.php
new file mode 100644
index 00000000..134495f6
--- /dev/null
+++ b/api/app/Http/Requests/Api/V1/FormBuilder/StoreFormFieldLibraryRequest.php
@@ -0,0 +1,46 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Requests\Api\V1\FormBuilder;
+
+use App\Enums\FormBuilder\FormFieldType;
+use Illuminate\Foundation\Http\FormRequest;
+use Illuminate\Validation\Rule;
+
+final class StoreFormFieldLibraryRequest extends FormRequest
+{
+    public function authorize(): bool
+    {
+        return true;
+    }
+
+    /**
+     * @return array<string, mixed>
+     */
+    public function rules(): array
+    {
+        $types = array_merge(
+            array_map(fn ($c) => $c->value, FormFieldType::cases()),
+            array_keys((array) config('form_builder.custom_field_types', [])),
+        );
+
+        return [
+            'name' => ['required', 'string', 'max:150'],
+            'slug' => ['nullable', 'string', 'max:150'],
+            'field_type' => ['required', Rule::in($types)],
+            'label' => ['required', 'string', 'max:255'],
+            'help_text' => ['nullable', 'string'],
+            'options' => ['nullable', 'array'],
+            'validation_rules' => ['nullable', 'array'],
+            'default_is_required' => ['boolean'],
+            'default_is_filterable' => ['boolean'],
+            'default_binding' => ['nullable', 'array'],
+            'translations' => ['nullable', 'array'],
+            'description' => ['nullable', 'string'],
+            'is_active' => ['boolean'],
+            'organisation_id' => ['prohibited'],
+            'is_system' => ['prohibited'],
+        ];
+    }
+}
diff --git a/api/app/Http/Requests/Api/V1/FormBuilder/StoreFormFieldRequest.php b/api/app/Http/Requests/Api/V1/FormBuilder/StoreFormFieldRequest.php
new file mode 100644
index 00000000..5c55e02c
--- /dev/null
+++ b/api/app/Http/Requests/Api/V1/FormBuilder/StoreFormFieldRequest.php
@@ -0,0 +1,67 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Requests\Api\V1\FormBuilder;
+
+use App\Enums\FormBuilder\FormFieldDisplayWidth;
+use App\Enums\FormBuilder\FormFieldType;
+use App\Enums\FormBuilder\FormValueStorageHint;
+use App\Models\FormBuilder\FormSchema;
+use Illuminate\Foundation\Http\FormRequest;
+use Illuminate\Validation\Rule;
+
+final class StoreFormFieldRequest extends FormRequest
+{
+    public function authorize(): bool
+    {
+        return true;
+    }
+
+    /**
+     * @return array<string, mixed>
+     */
+    public function rules(): array
+    {
+        $schema = $this->route('form_schema');
+        $schemaId = $schema instanceof FormSchema ? $schema->id : (string) $schema;
+
+        $types = array_merge(
+            array_map(fn ($c) => $c->value, FormFieldType::cases()),
+            array_keys((array) config('form_builder.custom_field_types', [])),
+        );
+
+        return [
+            'field_type' => ['required', Rule::in($types)],
+            'slug' => ['required', 'string', 'max:100'],
+            'label' => ['required', 'string', 'max:255'],
+            'help_text' => ['nullable', 'string'],
+            'section' => ['nullable', 'string', 'max:100'],
+            'form_schema_section_id' => [
+                'nullable',
+                Rule::exists('form_schema_sections', 'id')->where('form_schema_id', $schemaId),
+            ],
+            'library_field_id' => [
+                'nullable',
+                Rule::exists('form_field_library', 'id'),
+            ],
+            'options' => ['nullable', 'array'],
+            'validation_rules' => ['nullable', 'array'],
+            'is_required' => ['boolean'],
+            'is_filterable' => ['boolean'],
+            'is_portal_visible' => ['boolean'],
+            'is_admin_only' => ['boolean'],
+            'is_unique' => ['boolean'],
+            'is_pii' => ['boolean'],
+            'display_width' => ['nullable', Rule::in(array_map(fn ($c) => $c->value, FormFieldDisplayWidth::cases()))],
+            'binding' => ['nullable', 'array'],
+            'conditional_logic' => ['nullable', 'array'],
+            'role_restrictions' => ['nullable', 'array'],
+            'translations' => ['nullable', 'array'],
+            'value_storage_hint' => ['nullable', Rule::in(array_map(fn ($c) => $c->value, FormValueStorageHint::cases()))],
+            'review_required' => ['boolean'],
+            'sort_order' => ['nullable', 'integer'],
+            'form_schema_id' => ['prohibited'],
+        ];
+    }
+}
diff --git a/api/app/Http/Requests/Api/V1/FormBuilder/StoreFormSchemaRequest.php b/api/app/Http/Requests/Api/V1/FormBuilder/StoreFormSchemaRequest.php
new file mode 100644
index 00000000..578cca90
--- /dev/null
+++ b/api/app/Http/Requests/Api/V1/FormBuilder/StoreFormSchemaRequest.php
@@ -0,0 +1,51 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Requests\Api\V1\FormBuilder;
+
+use App\Enums\FormBuilder\FormPurpose;
+use App\Enums\FormBuilder\FormSchemaSnapshotMode;
+use App\Enums\FormBuilder\FormSubmissionMode;
+use App\Models\Organisation;
+use Illuminate\Foundation\Http\FormRequest;
+use Illuminate\Validation\Rule;
+
+final class StoreFormSchemaRequest extends FormRequest
+{
+    public function authorize(): bool
+    {
+        return true;
+    }
+
+    /**
+     * @return array<string, mixed>
+     */
+    public function rules(): array
+    {
+        $organisation = $this->route('organisation');
+        $orgId = $organisation instanceof Organisation ? $organisation->id : (string) $organisation;
+
+        return [
+            'name' => ['required', 'string', 'max:150'],
+            'slug' => ['nullable', 'string', 'max:150'],
+            'purpose' => ['required', Rule::in(FormPurpose::values())],
+            'custom_purpose_slug' => ['nullable', 'string', 'max:150', 'required_if:purpose,custom'],
+            'description' => ['nullable', 'string'],
+            'is_published' => ['boolean'],
+            'submission_mode' => ['nullable', Rule::in(FormSubmissionMode::cases() ? array_map(fn ($c) => $c->value, FormSubmissionMode::cases()) : [])],
+            'locale' => ['nullable', 'string', 'max:10'],
+            'settings' => ['nullable', 'array'],
+            'snapshot_mode' => ['nullable', Rule::in(array_map(fn ($c) => $c->value, FormSchemaSnapshotMode::cases()))],
+            'freeze_on_submit' => ['boolean'],
+            'retention_days' => ['nullable', 'integer', 'min:1'],
+            'consent_version' => ['nullable', 'string', 'max:50'],
+            'section_level_submit' => ['boolean'],
+            'auto_save_enabled' => ['boolean'],
+            'max_submissions' => ['nullable', 'integer', 'min:1'],
+            'owner_type' => ['nullable', 'string', 'max:50'],
+            'owner_id' => ['nullable', 'string', 'max:30'],
+            'organisation_id' => ['prohibited'],
+        ];
+    }
+}
diff --git a/api/app/Http/Requests/Api/V1/FormBuilder/StoreFormSchemaWebhookRequest.php b/api/app/Http/Requests/Api/V1/FormBuilder/StoreFormSchemaWebhookRequest.php
new file mode 100644
index 00000000..d782779a
--- /dev/null
+++ b/api/app/Http/Requests/Api/V1/FormBuilder/StoreFormSchemaWebhookRequest.php
@@ -0,0 +1,35 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Requests\Api\V1\FormBuilder;
+
+use Illuminate\Foundation\Http\FormRequest;
+use Illuminate\Validation\Rule;
+
+final class StoreFormSchemaWebhookRequest extends FormRequest
+{
+    public function authorize(): bool
+    {
+        return true;
+    }
+
+    /**
+     * @return array<string, mixed>
+     */
+    public function rules(): array
+    {
+        $triggers = [
+            'submission_created', 'submission_submitted', 'submission_reviewed',
+            'section_submitted', 'section_approved', 'section_rejected',
+        ];
+
+        return [
+            'name' => ['required', 'string', 'max:150'],
+            'trigger_event' => ['required', Rule::in($triggers)],
+            'url' => ['required', 'string', 'max:500', 'url'],
+            'secret' => ['nullable', 'string', 'max:200'],
+            'is_active' => ['boolean'],
+        ];
+    }
+}
diff --git a/api/app/Http/Requests/Api/V1/FormBuilder/StoreFormTemplateRequest.php b/api/app/Http/Requests/Api/V1/FormBuilder/StoreFormTemplateRequest.php
new file mode 100644
index 00000000..f505e158
--- /dev/null
+++ b/api/app/Http/Requests/Api/V1/FormBuilder/StoreFormTemplateRequest.php
@@ -0,0 +1,34 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Requests\Api\V1\FormBuilder;
+
+use App\Enums\FormBuilder\FormPurpose;
+use Illuminate\Foundation\Http\FormRequest;
+use Illuminate\Validation\Rule;
+
+final class StoreFormTemplateRequest extends FormRequest
+{
+    public function authorize(): bool
+    {
+        return true;
+    }
+
+    /**
+     * @return array<string, mixed>
+     */
+    public function rules(): array
+    {
+        return [
+            'name' => ['required', 'string', 'max:150'],
+            'slug' => ['nullable', 'string', 'max:150'],
+            'purpose' => ['required', Rule::in(FormPurpose::values())],
+            'description' => ['nullable', 'string'],
+            'schema_snapshot' => ['required', 'array'],
+            'is_active' => ['boolean'],
+            'organisation_id' => ['prohibited'],
+            'is_system' => ['prohibited'],
+        ];
+    }
+}
diff --git a/api/app/Http/Requests/Api/V1/FormBuilder/SubmitFormSubmissionRequest.php b/api/app/Http/Requests/Api/V1/FormBuilder/SubmitFormSubmissionRequest.php
new file mode 100644
index 00000000..29d7bcd8
--- /dev/null
+++ b/api/app/Http/Requests/Api/V1/FormBuilder/SubmitFormSubmissionRequest.php
@@ -0,0 +1,26 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Requests\Api\V1\FormBuilder;
+
+use Illuminate\Foundation\Http\FormRequest;
+
+final class SubmitFormSubmissionRequest extends FormRequest
+{
+    public function authorize(): bool
+    {
+        return true;
+    }
+
+    /**
+     * @return array<string, mixed>
+     */
+    public function rules(): array
+    {
+        return [
+            'idempotency_key' => ['nullable', 'string', 'max:30'],
+            'values' => ['nullable', 'array'],
+        ];
+    }
+}
diff --git a/api/app/Http/Requests/Api/V1/FormBuilder/UpdateFormFieldLibraryRequest.php b/api/app/Http/Requests/Api/V1/FormBuilder/UpdateFormFieldLibraryRequest.php
new file mode 100644
index 00000000..d061e996
--- /dev/null
+++ b/api/app/Http/Requests/Api/V1/FormBuilder/UpdateFormFieldLibraryRequest.php
@@ -0,0 +1,46 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Requests\Api\V1\FormBuilder;
+
+use App\Enums\FormBuilder\FormFieldType;
+use Illuminate\Foundation\Http\FormRequest;
+use Illuminate\Validation\Rule;
+
+final class UpdateFormFieldLibraryRequest extends FormRequest
+{
+    public function authorize(): bool
+    {
+        return true;
+    }
+
+    /**
+     * @return array<string, mixed>
+     */
+    public function rules(): array
+    {
+        $types = array_merge(
+            array_map(fn ($c) => $c->value, FormFieldType::cases()),
+            array_keys((array) config('form_builder.custom_field_types', [])),
+        );
+
+        return [
+            'name' => ['sometimes', 'string', 'max:150'],
+            'slug' => ['sometimes', 'string', 'max:150'],
+            'field_type' => ['sometimes', Rule::in($types)],
+            'label' => ['sometimes', 'string', 'max:255'],
+            'help_text' => ['sometimes', 'nullable', 'string'],
+            'options' => ['sometimes', 'nullable', 'array'],
+            'validation_rules' => ['sometimes', 'nullable', 'array'],
+            'default_is_required' => ['sometimes', 'boolean'],
+            'default_is_filterable' => ['sometimes', 'boolean'],
+            'default_binding' => ['sometimes', 'nullable', 'array'],
+            'translations' => ['sometimes', 'nullable', 'array'],
+            'description' => ['sometimes', 'nullable', 'string'],
+            'is_active' => ['sometimes', 'boolean'],
+            'organisation_id' => ['prohibited'],
+            'is_system' => ['prohibited'],
+        ];
+    }
+}
diff --git a/api/app/Http/Requests/Api/V1/FormBuilder/UpdateFormFieldRequest.php b/api/app/Http/Requests/Api/V1/FormBuilder/UpdateFormFieldRequest.php
new file mode 100644
index 00000000..00305dce
--- /dev/null
+++ b/api/app/Http/Requests/Api/V1/FormBuilder/UpdateFormFieldRequest.php
@@ -0,0 +1,64 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Requests\Api\V1\FormBuilder;
+
+use App\Enums\FormBuilder\FormFieldDisplayWidth;
+use App\Enums\FormBuilder\FormFieldType;
+use App\Enums\FormBuilder\FormValueStorageHint;
+use App\Models\FormBuilder\FormSchema;
+use Illuminate\Foundation\Http\FormRequest;
+use Illuminate\Validation\Rule;
+
+final class UpdateFormFieldRequest extends FormRequest
+{
+    public function authorize(): bool
+    {
+        return true;
+    }
+
+    /**
+     * @return array<string, mixed>
+     */
+    public function rules(): array
+    {
+        $schema = $this->route('form_schema');
+        $schemaId = $schema instanceof FormSchema ? $schema->id : (string) $schema;
+
+        $types = array_merge(
+            array_map(fn ($c) => $c->value, FormFieldType::cases()),
+            array_keys((array) config('form_builder.custom_field_types', [])),
+        );
+
+        return [
+            'field_type' => ['sometimes', Rule::in($types)],
+            'slug' => ['sometimes', 'string', 'max:100'],
+            'label' => ['sometimes', 'string', 'max:255'],
+            'help_text' => ['sometimes', 'nullable', 'string'],
+            'section' => ['sometimes', 'nullable', 'string', 'max:100'],
+            'form_schema_section_id' => [
+                'sometimes', 'nullable',
+                Rule::exists('form_schema_sections', 'id')->where('form_schema_id', $schemaId),
+            ],
+            'options' => ['sometimes', 'nullable', 'array'],
+            'validation_rules' => ['sometimes', 'nullable', 'array'],
+            'is_required' => ['sometimes', 'boolean'],
+            'is_filterable' => ['sometimes', 'boolean'],
+            'is_portal_visible' => ['sometimes', 'boolean'],
+            'is_admin_only' => ['sometimes', 'boolean'],
+            'is_unique' => ['sometimes', 'boolean'],
+            'is_pii' => ['sometimes', 'boolean'],
+            'display_width' => ['sometimes', Rule::in(array_map(fn ($c) => $c->value, FormFieldDisplayWidth::cases()))],
+            'binding' => ['sometimes', 'nullable', 'array'],
+            'conditional_logic' => ['sometimes', 'nullable', 'array'],
+            'role_restrictions' => ['sometimes', 'nullable', 'array'],
+            'translations' => ['sometimes', 'nullable', 'array'],
+            'value_storage_hint' => ['sometimes', Rule::in(array_map(fn ($c) => $c->value, FormValueStorageHint::cases()))],
+            'review_required' => ['sometimes', 'boolean'],
+            'sort_order' => ['sometimes', 'integer'],
+            'force_binding_change' => ['sometimes', 'boolean'],
+            'form_schema_id' => ['prohibited'],
+        ];
+    }
+}
diff --git a/api/app/Http/Requests/Api/V1/FormBuilder/UpdateFormSchemaRequest.php b/api/app/Http/Requests/Api/V1/FormBuilder/UpdateFormSchemaRequest.php
new file mode 100644
index 00000000..67d26863
--- /dev/null
+++ b/api/app/Http/Requests/Api/V1/FormBuilder/UpdateFormSchemaRequest.php
@@ -0,0 +1,46 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Requests\Api\V1\FormBuilder;
+
+use App\Enums\FormBuilder\FormPurpose;
+use App\Enums\FormBuilder\FormSchemaSnapshotMode;
+use App\Enums\FormBuilder\FormSubmissionMode;
+use Illuminate\Foundation\Http\FormRequest;
+use Illuminate\Validation\Rule;
+
+final class UpdateFormSchemaRequest extends FormRequest
+{
+    public function authorize(): bool
+    {
+        return true;
+    }
+
+    /**
+     * @return array<string, mixed>
+     */
+    public function rules(): array
+    {
+        return [
+            'name' => ['sometimes', 'string', 'max:150'],
+            'slug' => ['sometimes', 'string', 'max:150'],
+            'purpose' => ['sometimes', Rule::in(FormPurpose::values())],
+            'custom_purpose_slug' => ['nullable', 'string', 'max:150'],
+            'description' => ['nullable', 'string'],
+            'is_published' => ['sometimes', 'boolean'],
+            'submission_mode' => ['sometimes', Rule::in(array_map(fn ($c) => $c->value, FormSubmissionMode::cases()))],
+            'locale' => ['sometimes', 'string', 'max:10'],
+            'settings' => ['sometimes', 'array'],
+            'snapshot_mode' => ['sometimes', Rule::in(array_map(fn ($c) => $c->value, FormSchemaSnapshotMode::cases()))],
+            'freeze_on_submit' => ['sometimes', 'boolean'],
+            'retention_days' => ['sometimes', 'nullable', 'integer', 'min:1'],
+            'consent_version' => ['sometimes', 'nullable', 'string', 'max:50'],
+            'section_level_submit' => ['sometimes', 'boolean'],
+            'auto_save_enabled' => ['sometimes', 'boolean'],
+            'max_submissions' => ['sometimes', 'nullable', 'integer', 'min:1'],
+            'submission_deadline' => ['sometimes', 'nullable', 'date'],
+            'organisation_id' => ['prohibited'],
+        ];
+    }
+}
diff --git a/api/app/Http/Requests/Api/V1/FormBuilder/UpdateFormSchemaWebhookRequest.php b/api/app/Http/Requests/Api/V1/FormBuilder/UpdateFormSchemaWebhookRequest.php
new file mode 100644
index 00000000..d18de941
--- /dev/null
+++ b/api/app/Http/Requests/Api/V1/FormBuilder/UpdateFormSchemaWebhookRequest.php
@@ -0,0 +1,35 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Requests\Api\V1\FormBuilder;
+
+use Illuminate\Foundation\Http\FormRequest;
+use Illuminate\Validation\Rule;
+
+final class UpdateFormSchemaWebhookRequest extends FormRequest
+{
+    public function authorize(): bool
+    {
+        return true;
+    }
+
+    /**
+     * @return array<string, mixed>
+     */
+    public function rules(): array
+    {
+        $triggers = [
+            'submission_created', 'submission_submitted', 'submission_reviewed',
+            'section_submitted', 'section_approved', 'section_rejected',
+        ];
+
+        return [
+            'name' => ['sometimes', 'string', 'max:150'],
+            'trigger_event' => ['sometimes', Rule::in($triggers)],
+            'url' => ['sometimes', 'string', 'max:500', 'url'],
+            'secret' => ['sometimes', 'nullable', 'string', 'max:200'],
+            'is_active' => ['sometimes', 'boolean'],
+        ];
+    }
+}
diff --git a/api/app/Http/Requests/Api/V1/FormBuilder/UpdateFormTemplateRequest.php b/api/app/Http/Requests/Api/V1/FormBuilder/UpdateFormTemplateRequest.php
new file mode 100644
index 00000000..d09f3983
--- /dev/null
+++ b/api/app/Http/Requests/Api/V1/FormBuilder/UpdateFormTemplateRequest.php
@@ -0,0 +1,31 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Requests\Api\V1\FormBuilder;
+
+use Illuminate\Foundation\Http\FormRequest;
+
+final class UpdateFormTemplateRequest extends FormRequest
+{
+    public function authorize(): bool
+    {
+        return true;
+    }
+
+    /**
+     * @return array<string, mixed>
+     */
+    public function rules(): array
+    {
+        return [
+            'name' => ['sometimes', 'string', 'max:150'],
+            'slug' => ['sometimes', 'string', 'max:150'],
+            'description' => ['sometimes', 'nullable', 'string'],
+            'schema_snapshot' => ['sometimes', 'array'],
+            'is_active' => ['sometimes', 'boolean'],
+            'organisation_id' => ['prohibited'],
+            'is_system' => ['prohibited'],
+        ];
+    }
+}
diff --git a/api/app/Http/Requests/Api/V1/FormBuilder/UpsertFormValuesRequest.php b/api/app/Http/Requests/Api/V1/FormBuilder/UpsertFormValuesRequest.php
new file mode 100644
index 00000000..0da5a018
--- /dev/null
+++ b/api/app/Http/Requests/Api/V1/FormBuilder/UpsertFormValuesRequest.php
@@ -0,0 +1,53 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Requests\Api\V1\FormBuilder;
+
+use App\Models\FormBuilder\FormField;
+use App\Models\FormBuilder\FormSubmission;
+use Illuminate\Foundation\Http\FormRequest;
+
+/**
+ * Accepts { values: { <slug>: <value|[value...]> } }. Slugs must exist on
+ * the submission's schema. Per-type validation is driven by
+ * FormField.validation_rules.
+ */
+final class UpsertFormValuesRequest extends FormRequest
+{
+    public function authorize(): bool
+    {
+        return true;
+    }
+
+    /**
+     * @return array<string, mixed>
+     */
+    public function rules(): array
+    {
+        $submission = $this->route('form_submission');
+        $schemaId = $submission instanceof FormSubmission ? $submission->form_schema_id : null;
+
+        $allowedSlugs = [];
+        if ($schemaId !== null) {
+            $allowedSlugs = FormField::query()
+                ->where('form_schema_id', $schemaId)
+                ->pluck('slug')
+                ->all();
+        }
+
+        return [
+            'values' => ['required', 'array', function ($attribute, $value, $fail) use ($allowedSlugs): void {
+                if (! is_array($value)) {
+                    return;
+                }
+                foreach (array_keys($value) as $slug) {
+                    if (! in_array($slug, $allowedSlugs, true)) {
+                        $fail(sprintf('values.%s is not a known field slug for this submission.', $slug));
+                    }
+                }
+            }],
+            'values.*' => ['nullable'],
+        ];
+    }
+}
diff --git a/api/app/Policies/FormBuilder/FormFieldLibraryPolicy.php b/api/app/Policies/FormBuilder/FormFieldLibraryPolicy.php
new file mode 100644
index 00000000..b116320a
--- /dev/null
+++ b/api/app/Policies/FormBuilder/FormFieldLibraryPolicy.php
@@ -0,0 +1,64 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Policies\FormBuilder;
+
+use App\Models\FormBuilder\FormFieldLibrary;
+use App\Models\Organisation;
+use App\Models\User;
+
+final class FormFieldLibraryPolicy
+{
+    public function viewAny(User $user, Organisation $organisation): bool
+    {
+        return $this->belongsToOrg($user, $organisation);
+    }
+
+    public function view(User $user, FormFieldLibrary $library): bool
+    {
+        return $this->belongsToOrg($user, $library->organisation);
+    }
+
+    public function create(User $user, Organisation $organisation): bool
+    {
+        return $this->canManage($user, $organisation);
+    }
+
+    public function update(User $user, FormFieldLibrary $library): bool
+    {
+        return $this->canManage($user, $library->organisation);
+    }
+
+    public function deactivate(User $user, FormFieldLibrary $library): bool
+    {
+        return $this->canManage($user, $library->organisation);
+    }
+
+    private function belongsToOrg(User $user, ?Organisation $organisation): bool
+    {
+        if ($user->hasRole('super_admin')) {
+            return true;
+        }
+        if ($organisation === null) {
+            return false;
+        }
+
+        return $organisation->users()->where('user_id', $user->id)->exists();
+    }
+
+    private function canManage(User $user, ?Organisation $organisation): bool
+    {
+        if ($user->hasRole('super_admin')) {
+            return true;
+        }
+        if ($organisation === null) {
+            return false;
+        }
+
+        return $organisation->users()
+            ->where('user_id', $user->id)
+            ->wherePivot('role', 'org_admin')
+            ->exists();
+    }
+}
diff --git a/api/app/Policies/FormBuilder/FormFieldPolicy.php b/api/app/Policies/FormBuilder/FormFieldPolicy.php
new file mode 100644
index 00000000..82164e52
--- /dev/null
+++ b/api/app/Policies/FormBuilder/FormFieldPolicy.php
@@ -0,0 +1,42 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Policies\FormBuilder;
+
+use App\Models\FormBuilder\FormField;
+use App\Models\FormBuilder\FormSchema;
+use App\Models\User;
+
+final class FormFieldPolicy
+{
+    public function view(User $user, FormField $field): bool
+    {
+        return app(FormSchemaPolicy::class)->view($user, $field->schema);
+    }
+
+    public function create(User $user, FormSchema $schema): bool
+    {
+        return app(FormSchemaPolicy::class)->update($user, $schema);
+    }
+
+    public function update(User $user, FormField $field): bool
+    {
+        return app(FormSchemaPolicy::class)->update($user, $field->schema);
+    }
+
+    public function delete(User $user, FormField $field): bool
+    {
+        return app(FormSchemaPolicy::class)->update($user, $field->schema);
+    }
+
+    public function reorder(User $user, FormSchema $schema): bool
+    {
+        return app(FormSchemaPolicy::class)->update($user, $schema);
+    }
+
+    public function insertFromLibrary(User $user, FormSchema $schema): bool
+    {
+        return app(FormSchemaPolicy::class)->update($user, $schema);
+    }
+}
diff --git a/api/app/Policies/FormBuilder/FormSchemaPolicy.php b/api/app/Policies/FormBuilder/FormSchemaPolicy.php
new file mode 100644
index 00000000..98e22f53
--- /dev/null
+++ b/api/app/Policies/FormBuilder/FormSchemaPolicy.php
@@ -0,0 +1,91 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Policies\FormBuilder;
+
+use App\Models\FormBuilder\FormSchema;
+use App\Models\Organisation;
+use App\Models\User;
+
+final class FormSchemaPolicy
+{
+    public function viewAny(User $user, Organisation $organisation): bool
+    {
+        return $this->belongsToOrg($user, $organisation);
+    }
+
+    public function view(User $user, FormSchema $schema): bool
+    {
+        return $this->sameOrg($user, $schema);
+    }
+
+    public function create(User $user, Organisation $organisation): bool
+    {
+        return $this->canManageOrg($user, $organisation);
+    }
+
+    public function update(User $user, FormSchema $schema): bool
+    {
+        return $this->sameOrg($user, $schema) && $this->canManage($user, $schema);
+    }
+
+    public function delete(User $user, FormSchema $schema): bool
+    {
+        return $this->sameOrg($user, $schema) && $this->canManage($user, $schema);
+    }
+
+    public function duplicate(User $user, FormSchema $schema): bool
+    {
+        return $this->update($user, $schema);
+    }
+
+    public function publish(User $user, FormSchema $schema): bool
+    {
+        return $this->update($user, $schema);
+    }
+
+    public function rotatePublicToken(User $user, FormSchema $schema): bool
+    {
+        return $this->update($user, $schema);
+    }
+
+    public function acquireEditLock(User $user, FormSchema $schema): bool
+    {
+        return $this->update($user, $schema);
+    }
+
+    private function sameOrg(User $user, FormSchema $schema): bool
+    {
+        return $this->belongsToOrg($user, $schema->organisation);
+    }
+
+    private function belongsToOrg(User $user, ?Organisation $organisation): bool
+    {
+        if ($user->hasRole('super_admin')) {
+            return true;
+        }
+        if ($organisation === null) {
+            return false;
+        }
+
+        return $organisation->users()->where('user_id', $user->id)->exists();
+    }
+
+    private function canManageOrg(User $user, Organisation $organisation): bool
+    {
+        if ($user->hasRole('super_admin')) {
+            return true;
+        }
+
+        return $organisation->users()
+            ->where('user_id', $user->id)
+            ->wherePivot('role', 'org_admin')
+            ->exists();
+    }
+
+    private function canManage(User $user, FormSchema $schema): bool
+    {
+        return $this->canManageOrg($user, $schema->organisation);
+    }
+}
diff --git a/api/app/Policies/FormBuilder/FormSchemaWebhookPolicy.php b/api/app/Policies/FormBuilder/FormSchemaWebhookPolicy.php
new file mode 100644
index 00000000..0ba49fb7
--- /dev/null
+++ b/api/app/Policies/FormBuilder/FormSchemaWebhookPolicy.php
@@ -0,0 +1,37 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Policies\FormBuilder;
+
+use App\Models\FormBuilder\FormSchema;
+use App\Models\FormBuilder\FormSchemaWebhook;
+use App\Models\User;
+
+final class FormSchemaWebhookPolicy
+{
+    public function view(User $user, FormSchemaWebhook $webhook): bool
+    {
+        return app(FormSchemaPolicy::class)->view($user, $webhook->schema);
+    }
+
+    public function create(User $user, FormSchema $schema): bool
+    {
+        return app(FormSchemaPolicy::class)->update($user, $schema);
+    }
+
+    public function update(User $user, FormSchemaWebhook $webhook): bool
+    {
+        return app(FormSchemaPolicy::class)->update($user, $webhook->schema);
+    }
+
+    public function delete(User $user, FormSchemaWebhook $webhook): bool
+    {
+        return app(FormSchemaPolicy::class)->update($user, $webhook->schema);
+    }
+
+    public function test(User $user, FormSchemaWebhook $webhook): bool
+    {
+        return $this->update($user, $webhook);
+    }
+}
diff --git a/api/app/Policies/FormBuilder/FormSubmissionPolicy.php b/api/app/Policies/FormBuilder/FormSubmissionPolicy.php
new file mode 100644
index 00000000..e8318bf2
--- /dev/null
+++ b/api/app/Policies/FormBuilder/FormSubmissionPolicy.php
@@ -0,0 +1,127 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Policies\FormBuilder;
+
+use App\Models\FormBuilder\FormSchema;
+use App\Models\FormBuilder\FormSubmission;
+use App\Models\FormBuilder\FormSubmissionDelegation;
+use App\Models\Organisation;
+use App\Models\User;
+
+final class FormSubmissionPolicy
+{
+    public function viewAny(User $user, FormSchema $schema): bool
+    {
+        return app(FormSchemaPolicy::class)->view($user, $schema);
+    }
+
+    public function view(User $user, FormSubmission $submission): bool
+    {
+        if ($this->isSubjectSelf($user, $submission)) {
+            return true;
+        }
+
+        if ($this->isActiveDelegatee($user, $submission)) {
+            return true;
+        }
+
+        return $this->isOrgStaff($user, $submission->schema?->organisation);
+    }
+
+    public function create(User $user, FormSchema $schema): bool
+    {
+        return app(FormSchemaPolicy::class)->view($user, $schema);
+    }
+
+    public function update(User $user, FormSubmission $submission): bool
+    {
+        if ($submission->status !== \App\Enums\FormBuilder\FormSubmissionStatus::DRAFT) {
+            return false;
+        }
+
+        if ($this->isSubjectSelf($user, $submission)) {
+            return true;
+        }
+
+        return $this->isActiveDelegatee($user, $submission);
+    }
+
+    public function submit(User $user, FormSubmission $submission): bool
+    {
+        return $this->update($user, $submission);
+    }
+
+    public function review(User $user, FormSubmission $submission): bool
+    {
+        return $this->isOrgStaff($user, $submission->schema?->organisation);
+    }
+
+    public function delegate(User $user, FormSubmission $submission): bool
+    {
+        return $this->isSubjectSelf($user, $submission);
+    }
+
+    public function revokeDelegation(User $user, FormSubmissionDelegation $delegation): bool
+    {
+        $submission = $delegation->submission;
+        if ($submission === null) {
+            return false;
+        }
+
+        return $this->isSubjectSelf($user, $submission) || $delegation->delegated_by_user_id === $user->id;
+    }
+
+    public function delete(User $user, FormSubmission $submission): bool
+    {
+        return $this->isOrgStaff($user, $submission->schema?->organisation, adminOnly: true);
+    }
+
+    private function isSubjectSelf(User $user, FormSubmission $submission): bool
+    {
+        if ($submission->submitted_by_user_id === $user->id) {
+            return true;
+        }
+
+        if ($submission->subject_type === 'user' && $submission->subject_id === $user->id) {
+            return true;
+        }
+
+        if ($submission->subject_type === 'person' && $submission->subject_id !== null) {
+            $userId = \App\Models\Person::withoutGlobalScopes()
+                ->whereKey($submission->subject_id)
+                ->value('user_id');
+
+            return $userId === $user->id;
+        }
+
+        return false;
+    }
+
+    private function isActiveDelegatee(User $user, FormSubmission $submission): bool
+    {
+        return FormSubmissionDelegation::query()
+            ->where('form_submission_id', $submission->id)
+            ->where('delegated_to_user_id', $user->id)
+            ->whereNull('revoked_at')
+            ->exists();
+    }
+
+    private function isOrgStaff(User $user, ?Organisation $organisation, bool $adminOnly = false): bool
+    {
+        if ($user->hasRole('super_admin')) {
+            return true;
+        }
+        if ($organisation === null) {
+            return false;
+        }
+
+        $query = $organisation->users()->where('user_id', $user->id);
+        if ($adminOnly) {
+            $query->wherePivot('role', 'org_admin');
+        }
+
+        return $query->exists() || $user->hasRole('event_manager');
+    }
+}
diff --git a/api/app/Policies/FormBuilder/FormTemplatePolicy.php b/api/app/Policies/FormBuilder/FormTemplatePolicy.php
new file mode 100644
index 00000000..2392fae7
--- /dev/null
+++ b/api/app/Policies/FormBuilder/FormTemplatePolicy.php
@@ -0,0 +1,78 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Policies\FormBuilder;
+
+use App\Models\FormBuilder\FormSchema;
+use App\Models\FormBuilder\FormTemplate;
+use App\Models\Organisation;
+use App\Models\User;
+
+final class FormTemplatePolicy
+{
+    public function viewAny(User $user, Organisation $organisation): bool
+    {
+        return $this->belongsToOrg($user, $organisation);
+    }
+
+    public function view(User $user, FormTemplate $template): bool
+    {
+        return $this->belongsToOrg($user, $template->organisation);
+    }
+
+    public function create(User $user, Organisation $organisation): bool
+    {
+        return $this->canManage($user, $organisation);
+    }
+
+    public function update(User $user, FormTemplate $template): bool
+    {
+        if ($template->is_system && ! $user->hasRole('super_admin')) {
+            return false;
+        }
+
+        return $this->canManage($user, $template->organisation);
+    }
+
+    public function deactivate(User $user, FormTemplate $template): bool
+    {
+        return $this->canManage($user, $template->organisation);
+    }
+
+    public function applyToSchema(User $user, FormTemplate $template, FormSchema $schema): bool
+    {
+        if ($template->organisation_id !== $schema->organisation_id) {
+            return false;
+        }
+
+        return app(FormSchemaPolicy::class)->update($user, $schema);
+    }
+
+    private function belongsToOrg(User $user, ?Organisation $organisation): bool
+    {
+        if ($user->hasRole('super_admin')) {
+            return true;
+        }
+        if ($organisation === null) {
+            return false;
+        }
+
+        return $organisation->users()->where('user_id', $user->id)->exists();
+    }
+
+    private function canManage(User $user, ?Organisation $organisation): bool
+    {
+        if ($user->hasRole('super_admin')) {
+            return true;
+        }
+        if ($organisation === null) {
+            return false;
+        }
+
+        return $organisation->users()
+            ->where('user_id', $user->id)
+            ->wherePivot('role', 'org_admin')
+            ->exists();
+    }
+}