feat(questionnaires): F8.3 anonymous-mode hardening + respondent profile

[JohnD-EE]

Summary

Turns anonymousMode from a loose "open / no-invitation" flag into a real PII contract honoured at every data boundary — and adds the previously-unbuilt respondent profile collection capability so there's a snapshot for that contract to gate. Gated by APP_QUESTIONNAIRES_ENABLED.

The canonical contract (invariant, per-surface gate table, snapshot rule, k-anonymity, erasure cascade) lives in .context/app/questionnaire/anonymous-mode.md.

What changed

Model + erasure

• New AppRespondentProfileSnapshot model (migration 20260609062611_app_respondent_profile_snapshot).
• Both the User FK and the session FK are onDelete: Cascade — eraseUser() removes snapshots via the native cascade, no cleanup hook. Schema test asserts both FKs cascade (the GDPR contract).

Capture seam (D1 — no row, not an empty row)

• createSessionFromInvitation validates and writes the snapshot only on the non-anonymous invitation path with profile values present.
• Anonymous, version-direct, and no-login paths never capture → anonymousMode = true means no PII is collected at all. A test asserts create is never called for anonymous.

Respondent form

• profile-start-form.tsx (react-hook-form + Zod + FieldHelp), gated onto the start page via loadStartContext — renders only for a non-anonymous version that declares profile fields.

Read-path redaction (defence in depth)

• Profile carried + nulled when anonymous across exports: results loader/serialize (respondent_profile column), session-export.ts, build-session-export-model.ts, and the session PDF document.

Analytics hardening

• K_ANONYMITY_THRESHOLD = 5 cohort suppression in cost / funnel / distributions; aggregate spend always returned (no identity).
• Cost additionally drops the per-session table whenever anonymous (session ids re-identify).
• New suppressed / topSessionsSuppressed result fields + a { kind: 'suppressed' } distribution variant; admin panels render the suppressed states.

Tests

• profile-snapshot.test.ts — capture invariants (anonymous never writes; invalid/empty rejected/skipped; no capture on resume).
• profile-values.test.ts — strict validator.
• analytics/{cost,funnel,distributions}.test.ts — suppression + anonymous guard.
• export tests + session-export.test.ts — profile surfaced when not anonymous, dropped when anonymous.
• app-questionnaire-schema.test.ts — model shape + both FKs ON DELETE CASCADE.

npm run validate passes (type-check + lint + format).

CHANGELOG

None — app-owned models/routes are outside the Sunrise platform surface, per the repo's platform-scoped CHANGELOG policy.

🤖 Generated with Claude Code