crewli

bert.hausmans/crewli

Fork 0

Commit Graph

Author	SHA1	Message	Date
bert.hausmans	4b7e66b83f	feat(form-builder): API resources with FieldAccessService filtering Phase 4 of S2b. Nine resources that shape the universal form builder responses. FieldAccessService::filterVisibleFields gates every field array — the primary defence tested by FormResourceSecurityTest (§22.9). - FormSchemaResource: includes fields_count, submissions_count, has_submissions, is_locked (derived from edit_lock_*), public_form_url when public_token is set, and filtered fields collection. - FormSchemaSummaryResource: lean list-endpoint variant. - FormFieldResource: effective_label / help_text / options resolved via FormLocaleResolver + translations JSON, plus TAG_PICKER available_tags filtered by validation_rules.tag_categories. - FormSubmissionResource: values keyed by field slug with FieldAccessService filtering, section_statuses, active delegations, review_info, submitted_in_locale, submission_duration_seconds. - FormSubmissionSummaryResource: lean list variant. - FormTemplateResource, FormFieldLibraryResource. - PublicFormSchemaResource: strictly limited per §10 — only is_portal_visible=true AND is_admin_only=false fields, no PII hints, no role_restrictions, no submissions_count. - FormSchemaWebhookResource: url/secret never returned; only url_host + has_secret boolean. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-17 21:13:40 +02:00

Author

SHA1

Message

Date

bert.hausmans

4b7e66b83f

feat(form-builder): API resources with FieldAccessService filtering

Phase 4 of S2b. Nine resources that shape the universal form builder
responses. FieldAccessService::filterVisibleFields gates every field
array — the primary defence tested by FormResourceSecurityTest (§22.9).

- FormSchemaResource: includes fields_count, submissions_count,
  has_submissions, is_locked (derived from edit_lock_*), public_form_url
  when public_token is set, and filtered fields collection.
- FormSchemaSummaryResource: lean list-endpoint variant.
- FormFieldResource: effective_label / help_text / options resolved via
  FormLocaleResolver + translations JSON, plus TAG_PICKER available_tags
  filtered by validation_rules.tag_categories.
- FormSubmissionResource: values keyed by field slug with FieldAccessService
  filtering, section_statuses, active delegations, review_info,
  submitted_in_locale, submission_duration_seconds.
- FormSubmissionSummaryResource: lean list variant.
- FormTemplateResource, FormFieldLibraryResource.
- PublicFormSchemaResource: strictly limited per §10 — only
  is_portal_visible=true AND is_admin_only=false fields, no PII hints,
  no role_restrictions, no submissions_count.
- FormSchemaWebhookResource: url/secret never returned; only url_host +
  has_secret boolean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-04-17 21:13:40 +02:00

1 Commits