docs(api): refresh Form Builder public API surface notes

Updates API.md and S3a discovery doc to reflect submitter-details
handling and the draft/submit split.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

dev-docs/API.md

@@ -784,16 +784,34 @@ S2c contract for the unauthenticated portal. Six endpoints at
 `PublicFormTokenResolver` (7-day grace window on
 `public_token_previous`; BACKLOG FORM-04 makes this configurable).
 
-All errors use the standardised envelope:
+### Error envelope
+
+All public form endpoints return errors with this envelope:
 
 ```json
-{ "message": "Human text", "code": "MACHINE_CODE", "errors"?: {"values.slug": ["..."]} }
+{
+  "message": "Human-readable message",
+  "code": "MACHINE_READABLE_CODE",
+  "errors": { "field_name": ["validation message"] }
+}
 ```
 
-Codes: `SCHEMA_NOT_FOUND` (404), `TOKEN_EXPIRED` (410),
-`TOKEN_REVOKED` (410), `SCHEMA_UNPUBLISHED` (410),
-`SUBMISSION_ALREADY_SUBMITTED` (409), `RATE_LIMITED` (429, carries
-`Retry-After`), `VALIDATION_FAILED` (422).
+`errors` is only present on 422 validation failures (Laravel
+FormRequest shape).
+
+Codes:
+
+| Code                          | HTTP | Meaning                                        |
+| ----------------------------- | ---- | ---------------------------------------------- |
+| `TOKEN_EXPIRED`               | 410  | public token past grace window                 |
+| `TOKEN_REVOKED`               | 410  | token rotated without grace                    |
+| `SCHEMA_UNPUBLISHED`          | 410  | schema exists but not published                |
+| `SCHEMA_NOT_FOUND`            | 404  | public token does not resolve                  |
+| `SUBMISSION_ALREADY_SUBMITTED`| 409  | submit on finalised submission                 |
+| `RATE_LIMITED`                | 429  | includes `Retry-After` header                  |
+
+Authoritative source: `api/app/Exceptions/FormBuilder/PublicFormApiException.php`
+and its concrete subclasses.
 
 ### `GET /public/forms/{public_token}`