chore(badges): remove legacy badge_id_only_search; sync remote badges config into badges_loc; docs update

src/routes/events/[event_id]/(badges)/badges/[badge_id]/review/+page.svelte

@@ -26,6 +26,11 @@ import { liveQuery } from 'dexie';
 import { ae_loc } from '$lib/stores/ae_stores';
 import { db_events } from '$lib/ae_events/db_events';
 import { events_loc } from '$lib/stores/ae_events_stores';
+import { events_func } from '$lib/ae_events/ae_events_functions';
+import {
+    default_authenticated_can_edit,
+    default_trusted_can_edit
+} from '$lib/stores/ae_events_stores__badges_defaults';
 import { page } from '$app/state';
 import {
     ArrowLeft,
@@ -57,50 +62,28 @@ $effect(() => {
     }
 });
 
-// TODO: Load event.mod_badges_json.edit_permissions for per-event field config.
-// Hardcoded defaults for now — revisit after basic flow is working.
-const default_authenticated_fields = [
-    'pronouns_override',
-    'full_name_override',
-    'professional_title_override',
-    'affiliations_override',
-    'phone_override',
-    'location_override',
-    'allow_tracking', // Exhibitor Leads opt-in
-    'agree_to_tc' // Terms & Conditions
-];
-const default_trusted_fields = [
-    'pronouns_override',
-    'full_name_override',
-    'professional_title_override',
-    'affiliations_override',
-    'email_override',
-    'phone_override',
-    'location_override',
-    'badge_type_code_override',
-    'registration_type_code_override',
-    'other_1_code',
-    'other_2_code',
-    'other_3_code',
-    'other_4_code',
-    'other_5_code',
-    'other_6_code',
-    'other_7_code',
-    'other_8_code',
-    'ticket_1_code',
-    'ticket_2_code',
-    'ticket_3_code',
-    'ticket_4_code',
-    'ticket_5_code',
-    'ticket_6_code',
-    'ticket_7_code',
-    'ticket_8_code',
-    'allow_tracking',
-    'agree_to_tc',
-    'hide',
-    'priority',
-    'notes'
-];
+// LiveQuery for the event object — needed to read mod_badges_json.edit_permissions.
+let lq__event_obj = $derived(
+    liveQuery(async () => {
+        if (!event_id) return null;
+        return await db_events.event.get(event_id);
+    })
+);
+
+// Mirror server-side badges config into the local persisted store when the
+// event object is available. This ensures pages that read badges_loc get the
+// authoritative event flags even when the review page is loaded directly.
+$effect(() => {
+    const remote_cfg = $lq__event_obj?.mod_badges_json;
+    if (remote_cfg) {
+        untrack(() => {
+            events_func.sync_config__event_badges({
+                badges_cfg_remote: remote_cfg,
+                log_lvl: log_lvl
+            });
+        });
+    }
+});
 
 // *** Passcode logic
 let url_passcode = $derived(page.url?.searchParams?.get('passcode') ?? '');
@@ -192,13 +175,24 @@ function send_review_email() {
     );
 }
 
-// *** Resolve editable field list based on access level
-// Uses $derived.by() to return the array directly (not a function).
-// TODO: Read from event.mod_badges_json.edit_permissions for per-event config.
+// *** Resolve editable field list based on access level.
+// Reads from event.mod_badges_json.edit_permissions when available;
+// falls back to module-level defaults from ae_events_stores__badges_defaults.
 let can_edit_fields: string[] = $derived.by(() => {
     if (is_administrator) return ['*'];
-    if (is_trusted) return default_trusted_fields;
-    if (has_attendee_access) return default_authenticated_fields;
+    const edit_permissions = $lq__event_obj?.mod_badges_json?.edit_permissions;
+    if (is_trusted) {
+        const cfg = edit_permissions?.trusted?.can_edit;
+        if (cfg === '*') return ['*'];
+        if (Array.isArray(cfg) && cfg.length > 0) return cfg;
+        return default_trusted_can_edit;
+    }
+    if (has_attendee_access) {
+        const cfg = edit_permissions?.authenticated?.can_edit;
+        if (cfg === '*') return ['*'];
+        if (Array.isArray(cfg) && cfg.length > 0) return cfg;
+        return default_authenticated_can_edit;
+    }
     return [];
 });
 </script>