feat(form-builder): wire PurposeGuardProvider per purpose (WS-6)

Adds PurposeGuardProvider as a parallel interface to PurposeDefinition (value object stays untouched). Seven concrete providers, one per v1.0 purpose, each declaring its publish-guard list. Registry resolves and caches providers via guards_class config key. Universal guards (MaxOneIdentityKeyPerTargetEntity, AppendStrategyRequiresCollectionTarget, NoAmbiguousTrustLevels, IdentityKeyBindingsOnlyInFirstSection) wire into every purpose. The section guard is a cheap no-op when section_level_submit=false. ArtistAdvanceGuards omits RequiresIdentityKeyBinding because the artist subject is resolved via portal token, not form data. Same reasoning for supplier_intake (production_request) and the auth-based purposes. Includes a cross-cutting BindingTypeRegistryConsistencyTest that verifies tasks 5/7/8 do not contradict each other (registry ↔ guards ↔ purpose required_bindings). Refs: RFC-WS-6.md §3 (Q9, Q13) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-25 23:01:19 +02:00
parent 81a8120f98
commit e3c9211e3f
16 changed files with 763 additions and 0 deletions
--- a/api/config/form_builder/purposes.php
+++ b/api/config/form_builder/purposes.php
@@ -32,6 +32,7 @@ return [
        'default_submission_mode' => FormSubmissionMode::SINGLE,
        'allows_public_access' => true,
        'required_bindings' => ['person.email', 'person.first_name', 'person.last_name'],
+        'guards_class' => \App\FormBuilder\Purposes\Guards\EventRegistrationGuards::class,
    ],

    'artist_advance' => [
@@ -40,6 +41,7 @@ return [
        'default_submission_mode' => FormSubmissionMode::DRAFT_SINGLE,
        'allows_public_access' => false,
        'required_bindings' => [],
+        'guards_class' => \App\FormBuilder\Purposes\Guards\ArtistAdvanceGuards::class,
    ],

    'supplier_intake' => [
@@ -48,6 +50,7 @@ return [
        'default_submission_mode' => FormSubmissionMode::SINGLE,
        'allows_public_access' => false,
        'required_bindings' => ['company.name'],
+        'guards_class' => \App\FormBuilder\Purposes\Guards\SupplierIntakeGuards::class,
    ],

    'post_event_evaluation' => [
@@ -56,6 +59,7 @@ return [
        'default_submission_mode' => FormSubmissionMode::SINGLE,
        'allows_public_access' => false,
        'required_bindings' => [],
+        'guards_class' => \App\FormBuilder\Purposes\Guards\PostEventEvaluationGuards::class,
    ],

    'incident_report' => [
@@ -64,6 +68,7 @@ return [
        'default_submission_mode' => FormSubmissionMode::MULTIPLE,
        'allows_public_access' => false,
        'required_bindings' => [],
+        'guards_class' => \App\FormBuilder\Purposes\Guards\IncidentReportGuards::class,
    ],

    'signature_contract' => [
@@ -72,6 +77,7 @@ return [
        'default_submission_mode' => FormSubmissionMode::SINGLE,
        'allows_public_access' => false,
        'required_bindings' => [],
+        'guards_class' => \App\FormBuilder\Purposes\Guards\SignatureContractGuards::class,
    ],

    'user_profile' => [
@@ -80,6 +86,7 @@ return [
        'default_submission_mode' => FormSubmissionMode::SINGLE,
        'allows_public_access' => false,
        'required_bindings' => [],
+        'guards_class' => \App\FormBuilder\Purposes\Guards\UserProfileGuards::class,
    ],

 ];