feat(admin): submissions JSON payload exposure — document sensitive-data guidance #2015

@cdcore09

Summary

GET /admin/forms/:id/submissions returns the raw payload jsonb for each submission. If a form author ever captures sensitive data (medical questions, contact info, etc.), this surfaces unredacted to anyone who can access the form's admin detail page (staff + the form author).

Requirements

  • Decide whether to add a staff_only_submissions boolean column on forms (only staff with systemTier >= 2 see payloads when true) OR rely entirely on form scope for access control
  • If keeping current behavior, document in the spec §5 that form authors must use `scope='staff_only'` for sensitive data
  • Consider per-field marking in the schema (e.g., `sensitive: true` on a field) that triggers payload redaction on the JSON list (but not CSV export which staff can already access)

Context

Plan 4 review follow-up. Not a v1 blocker; raised because forms are the first artifact where user-submitted payloads bear on this question.

Files

  • packages/api/src/routes/admin/forms/submissions.ts (JSON list response shape)
  • packages/api/src/lib/forms/schemaTypes.ts (if adding per-field sensitive marker)
  • docs/superpowers/specs/2026-05-20-events-announcements-forms-design.md §5
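
One way the per-field `sensitive: true` option from the Requirements could shape the JSON list response, as an added TypeScript example that is not code from this repository. `FieldDef`, `FormSchema`, `redactPayload` and `toListResponse` are hypothetical names, and masking keys the schema does not declare is an assumption made here.

```typescript
// Added illustration; all type and function names here are hypothetical,
// not taken from packages/api.
type FieldDef = { key: string; label: string; sensitive?: boolean };
type FormSchema = { fields: FieldDef[] };
type Payload = Record<string, unknown>;

const REDACTED = "[redacted]";

// Returns a copy of the payload that is safe for the JSON list response.
// Keys the schema marks `sensitive: true` are masked. Keys the schema does
// not declare at all (e.g. a field removed after the submission was stored)
// are masked too (assumption), so schema drift fails closed instead of leaking.
function redactPayload(schema: FormSchema, payload: Payload): Payload {
  const declared = new Map(schema.fields.map((f) => [f.key, f] as const));
  const out: Payload = {};
  for (const [key, value] of Object.entries(payload)) {
    const field = declared.get(key);
    out[key] = field !== undefined && field.sensitive !== true ? value : REDACTED;
  }
  return out;
}

// Shapes rows for the JSON list; the stored rows are left untouched so a
// separate export path can still read the full payload.
function toListResponse(schema: FormSchema, rows: { id: string; payload: Payload }[]) {
  return rows.map((row) => ({ id: row.id, payload: redactPayload(schema, row.payload) }));
}

// Constructed sample data.
const sampleSchema: FormSchema = {
  fields: [
    { key: "name", label: "Name" },
    { key: "allergies", label: "Allergies", sensitive: true },
  ],
};
const sampleRows = [
  { id: "s1", payload: { name: "Ada", allergies: "penicillin", legacy_phone: "555-0100" } },
];

console.log(JSON.stringify(toListResponse(sampleSchema, sampleRows)));
```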
