ENG-3140: Onboarding flow for PBAC

[kruulik]

Ticket ENG-3140

Description Of Changes

Add an onboarding form that appears as the empty state of the access policies list page. When no policies exist, users see a setup form where they select their industry and operating geographies, pick relevant data use categories, and optionally provide privacy policy documents. Submitting generates tailored access policies that populate the list.

Data use cards pull labels from the fideslang taxonomy via useTaxonomies() so they stay in sync with the API. Mock handlers return industry-specific data use sets (7 per industry) with geography modifiers (EEA adds cookie/consent management, US adds targeted advertising).

Also adds a "Policy config" modal accessible from the list page header for updating geographies and re-generating policies after initial setup.

Code Changes

• OnboardingForm.tsx — New form component with industry/geography selects, data use card grid, policy URL/file upload, and generate button
• DataUseCard.tsx — Selectable card displaying a data use with icon and label from fideslang taxonomy
• PolicySettingsModal.tsx — Modal for updating geographies and uploading new policy docs post-setup
• PoliciesContainer.tsx — Show loading spinner during fetch, render onboarding form when no policies exist
• pages/access-policies/index.tsx — Always show page description, conditionally show "Policy config" and "New policy" buttons
• access-policies.slice.ts — Add getOnboardingDataUses, getOnboardingConfig, and generatePolicies endpoints
• constants.ts — Add INDUSTRY_OPTIONS and DATA_USE_ICON map
• types.ts — Add OnboardingFormState, OnboardingDataUsesResponse, OnboardingConfigResponse, GeneratePoliciesResponse
• mocks/onboarding-data.ts — Industry-to-fideslang data use mapping + geography modifiers
• mocks/generated-policies.ts — Mock generated policies with YAML
• mocks/handlers.ts — MSW handlers for config, data-uses, and generate endpoints; policies start empty

Steps to Confirm

1. Navigate to /access-policies with no existing policies — onboarding form should render inside the page content
2. Select an industry (e.g. "Fintech") and a geography (e.g. "EEA") — data use cards appear with fideslang-sourced labels
3. Change industry — cards update to show different data uses
4. Add EEA → "Cookie & Consent Management" card appears; add US → "Targeted Advertising" card appears
5. Select some data uses, click "Generate policies" — policies populate and the list view replaces the form
6. Click "Policy config" in the header — modal opens pre-populated with saved geographies

Pre-Merge Checklist

• Issue requirements met
• All CI pipelines succeeded
• CHANGELOG.md updated
  • Add a db-migration This indicates that a change includes a database migration label to the entry if your change includes a DB migration
  • Add a high-risk This issue suggests changes that have a high-probability of breaking existing code label to the entry if your change includes a high-risk change (i.e. potential for performance impact or unexpected regression) that should be flagged
  • Updates unreleased work already in Changelog, no new entry necessary
• UX feedback:
  • All UX related changes have been reviewed by a designer
  • No UX review needed
• Followup issues:
  • Followup issues created
  • No followup issues
• Database migrations:
  • Ensure that your downrev is up to date with the latest revision on main
  • Ensure that your downgrade() migration is correct and works
    • If a downgrade migration is not possible for this change, please call this out in the PR description!
  • No migrations
• Documentation:
  • Documentation complete, PR opened in fidesdocs
  • Documentation issue created in fidesdocs
  • If there are any new client scopes created as part of the pull request, remember to update public-facing documentation that references our scope registry
  • No documentation updates required

[lucanovera]

Nice work! The onboarding page looks good. I left a few comments about code improvements and to consider how to demo the feature.