fix(api): group-scoped forms unreachable on public route

## Summary

`GET /forms/:slug` and `POST /forms/:slug/submissions` collapse `scope='group'` to the same handling as `scope='staff_only'` — only staff (`systemTier >= 1`) can read or submit. A group-scoped form should be visible to chairs/members of the attached group, not just staff.

## Requirements

- [ ] Decide intentional or fix: per spec §5.5, group scope is "restricted to a specific group's members"
- [ ] If fixing: when `form.scope === 'group'`, plumb a group-membership check using `actor.chairedGroupIds` + a query for `group_memberships` against the attached group_id
- [ ] If intentional (admin-only by design), document in the spec
- [ ] Update tests in `packages/api/src/routes/forms.test.ts` to cover the group-scoped path

## Context

Surfaced in the Plan 4 review (PR #2011). The events route has parallel logic for group scope; forms should match.

## Files

- `packages/api/src/routes/forms.ts:38-42, 92-99`

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(api): group-scoped forms unreachable on public route #2012

Summary

Requirements

Context

Files

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

fix(api): group-scoped forms unreachable on public route #2012

Description

Summary

Requirements

Context

Files

Metadata

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Issue actions