feat(form-builder): wire PurposeGuardProvider per purpose (WS-6)

Adds PurposeGuardProvider as a parallel interface to PurposeDefinition
(value object stays untouched). Seven concrete providers, one per v1.0
purpose, each declaring its publish-guard list. Registry resolves and
caches providers via guards_class config key.

Universal guards (MaxOneIdentityKeyPerTargetEntity,
AppendStrategyRequiresCollectionTarget, NoAmbiguousTrustLevels,
IdentityKeyBindingsOnlyInFirstSection) wire into every purpose. The
section guard is a cheap no-op when section_level_submit=false.

ArtistAdvanceGuards omits RequiresIdentityKeyBinding because the
artist subject is resolved via portal token, not form data. Same
reasoning for supplier_intake (production_request) and the auth-based
purposes.

Includes a cross-cutting BindingTypeRegistryConsistencyTest that
verifies tasks 5/7/8 do not contradict each other (registry ↔ guards ↔
purpose required_bindings).

Refs: RFC-WS-6.md §3 (Q9, Q13)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

api/app/FormBuilder/Purposes/PurposeRegistry.php

@@ -13,6 +13,12 @@ final class PurposeRegistry
     /** @var array<string, PurposeDefinition>|null */
     private ?array $cache = null;
 
+    /** @var array<string, class-string<PurposeGuardProvider>>|null */
+    private ?array $guardClassCache = null;
+
+    /** @var array<string, PurposeGuardProvider> */
+    private array $guardProviderCache = [];
+
     public function __construct(private readonly ConfigRepository $config) {}
 
     /** @return array<string, PurposeDefinition> keyed by slug */
@@ -26,6 +32,7 @@ final class PurposeRegistry
         $raw = (array) $this->config->get('form_builder.purposes', []);
 
         $definitions = [];
+        $guardClasses = [];
         foreach ($raw as $slug => $attrs) {
             $mode = $attrs['default_submission_mode'] ?? null;
             if (! $mode instanceof FormSubmissionMode) {
@@ -34,6 +41,13 @@ final class PurposeRegistry
                 );
             }
 
+            $guardsClass = $attrs['guards_class'] ?? null;
+            if (! is_string($guardsClass) || ! is_subclass_of($guardsClass, PurposeGuardProvider::class)) {
+                throw new \InvalidArgumentException(
+                    "Purpose '{$slug}' has invalid guards_class; expected class-string implementing PurposeGuardProvider."
+                );
+            }
+
             $definitions[(string) $slug] = new PurposeDefinition(
                 slug: (string) $slug,
                 label: (string) ($attrs['label'] ?? ''),
@@ -42,11 +56,34 @@ final class PurposeRegistry
                 allowsPublicAccess: (bool) ($attrs['allows_public_access'] ?? false),
                 requiredBindings: array_values((array) ($attrs['required_bindings'] ?? [])),
             );
+            $guardClasses[(string) $slug] = $guardsClass;
         }
 
+        $this->guardClassCache = $guardClasses;
+
         return $this->cache = $definitions;
     }
 
+    public function guardProviderFor(string $slug): PurposeGuardProvider
+    {
+        if (! $this->has($slug)) {
+            throw Exceptions\PurposeNotFoundException::forSlug($slug);
+        }
+
+        if (isset($this->guardProviderCache[$slug])) {
+            return $this->guardProviderCache[$slug];
+        }
+
+        /** @var array<string, class-string<PurposeGuardProvider>> $classes */
+        $classes = $this->guardClassCache ?? [];
+        $class = $classes[$slug];
+
+        /** @var PurposeGuardProvider $instance */
+        $instance = resolve($class);
+
+        return $this->guardProviderCache[$slug] = $instance;
+    }
+
     public function get(string $slug): PurposeDefinition
     {
         $all = $this->all();