fix(promo-codes): address Task 6 review follow-ups

- Replace 'sometimes|json' with custom AllowedEmailDomainsArray rule for
  allowed_email_domains validation — accepts pre-decoded PHP array and
  validates each entry against @domain.com/.tld/user@email formats
- Remove json_decode() from factory populate for both domain-authorized
  types — value is already a PHP array after request decoding
- Fix expand=allowed_ticket_types silently dropping field on
  DomainAuthorizedSummitRegistrationDiscountCodeSerializer — extend
  re-add guard to check both $relations and $expand
- Rename json_array → json_string_array in both new serializers

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

Author: caseylocker

app/Http/Controllers/Apis/Protected/Summit/Factories/Registration/PromoCodesValidationRulesFactory.php

@@ -22,6 +22,7 @@
 use models\summit\SpeakerSummitRegistrationPromoCode;
 use models\summit\DomainAuthorizedSummitRegistrationDiscountCode;
 use models\summit\DomainAuthorizedSummitRegistrationPromoCode;
+use App\Rules\AllowedEmailDomainsArray;
 use models\summit\SponsorSummitRegistrationDiscountCode;
 use models\summit\SponsorSummitRegistrationPromoCode;
 /**
@@ -147,7 +148,7 @@ public static function buildForAdd(array $payload = []): array
             case DomainAuthorizedSummitRegistrationDiscountCode::ClassName:
                 {
                     $specific_rules = array_merge([
-                        'allowed_email_domains' => 'sometimes|json',
+                        'allowed_email_domains' => ['sometimes', new AllowedEmailDomainsArray()],
                         'quantity_per_account'  => 'sometimes|integer|min:0',
                         'auto_apply'            => 'sometimes|boolean',
                     ], $discount_code_rules);
@@ -156,7 +157,7 @@ public static function buildForAdd(array $payload = []): array
             case DomainAuthorizedSummitRegistrationPromoCode::ClassName:
                 {
                     $specific_rules = [
-                        'allowed_email_domains' => 'sometimes|json',
+                        'allowed_email_domains' => ['sometimes', new AllowedEmailDomainsArray()],
                         'quantity_per_account'  => 'sometimes|integer|min:0',
                         'auto_apply'            => 'sometimes|boolean',
                     ];
@@ -285,7 +286,7 @@ public static function buildForUpdate(array $payload = []): array
             case DomainAuthorizedSummitRegistrationDiscountCode::ClassName:
                 {
                     $specific_rules = array_merge([
-                        'allowed_email_domains' => 'sometimes|json',
+                        'allowed_email_domains' => ['sometimes', new AllowedEmailDomainsArray()],
                         'quantity_per_account'  => 'sometimes|integer|min:0',
                         'auto_apply'            => 'sometimes|boolean',
                     ], $discount_code_rules);
@@ -294,7 +295,7 @@ public static function buildForUpdate(array $payload = []): array
             case DomainAuthorizedSummitRegistrationPromoCode::ClassName:
                 {
                     $specific_rules = [
-                        'allowed_email_domains' => 'sometimes|json',
+                        'allowed_email_domains' => ['sometimes', new AllowedEmailDomainsArray()],
                         'quantity_per_account'  => 'sometimes|integer|min:0',
                         'auto_apply'            => 'sometimes|boolean',
                     ];

app/ModelSerializers/Summit/Registration/PromoCodes/DomainAuthorizedSummitRegistrationDiscountCodeSerializer.php

@@ -22,7 +22,7 @@ class DomainAuthorizedSummitRegistrationDiscountCodeSerializer
     extends SummitRegistrationDiscountCodeSerializer
 {
     protected static $array_mappings = [
-        'AllowedEmailDomains'  => 'allowed_email_domains:json_array',
+        'AllowedEmailDomains'  => 'allowed_email_domains:json_string_array',
         'QuantityPerAccount'   => 'quantity_per_account:json_int',
         'AutoApply'            => 'auto_apply:json_boolean',
     ];
@@ -44,8 +44,11 @@ public function serialize($expand = null, array $fields = [], array $relations =
         if (!$code instanceof DomainAuthorizedSummitRegistrationDiscountCode) return [];
         $values = parent::serialize($expand, $fields, $relations, $params);
 
-        // RE-ADD allowed_ticket_types (parent discount serializer unsets it)
-        if (in_array('allowed_ticket_types', $relations) && !isset($values['allowed_ticket_types'])) {
+        // RE-ADD allowed_ticket_types (parent discount serializer unsets it).
+        // Check both relations (default serialization) and expand (explicit ?expand= request).
+        $needs_allowed_ticket_types = in_array('allowed_ticket_types', $relations)
+            || (!empty($expand) && str_contains($expand, 'allowed_ticket_types'));
+        if ($needs_allowed_ticket_types && !isset($values['allowed_ticket_types'])) {
             $ticket_types = [];
             foreach ($code->getAllowedTicketTypes() as $ticket_type) {
                 $ticket_types[] = $ticket_type->getId();

app/ModelSerializers/Summit/Registration/PromoCodes/DomainAuthorizedSummitRegistrationPromoCodeSerializer.php

@@ -22,7 +22,7 @@ class DomainAuthorizedSummitRegistrationPromoCodeSerializer
     extends SummitRegistrationPromoCodeSerializer
 {
     protected static $array_mappings = [
-        'AllowedEmailDomains'  => 'allowed_email_domains:json_array',
+        'AllowedEmailDomains'  => 'allowed_email_domains:json_string_array',
         'QuantityPerAccount'   => 'quantity_per_account:json_int',
         'AutoApply'            => 'auto_apply:json_boolean',
     ];

app/Models/Foundation/Summit/Factories/SummitPromoCodeFactory.php

@@ -293,7 +293,7 @@ public static function populate(SummitRegistrationPromoCode $promo_code, Summit
             break;
             case DomainAuthorizedSummitRegistrationDiscountCode::ClassName:{
                 if(isset($data['allowed_email_domains']))
-                    $promo_code->setAllowedEmailDomains(json_decode($data['allowed_email_domains'], true));
+                    $promo_code->setAllowedEmailDomains($data['allowed_email_domains']);
                 if(isset($data['quantity_per_account']))
                     $promo_code->setQuantityPerAccount(intval($data['quantity_per_account']));
                 if(isset($data['auto_apply']))
@@ -308,7 +308,7 @@ public static function populate(SummitRegistrationPromoCode $promo_code, Summit
             break;
             case DomainAuthorizedSummitRegistrationPromoCode::ClassName:{
                 if(isset($data['allowed_email_domains']))
-                    $promo_code->setAllowedEmailDomains(json_decode($data['allowed_email_domains'], true));
+                    $promo_code->setAllowedEmailDomains($data['allowed_email_domains']);
                 if(isset($data['quantity_per_account']))
                     $promo_code->setQuantityPerAccount(intval($data['quantity_per_account']));
                 if(isset($data['auto_apply']))

app/Rules/AllowedEmailDomainsArray.php

@@ -0,0 +1,74 @@
+<?php namespace App\Rules;
+/*
+ * Copyright 2026 OpenStack Foundation
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ **/
+
+use Illuminate\Contracts\Validation\Rule;
+
+/**
+ * Class AllowedEmailDomainsArray
+ * @package App\Rules
+ *
+ * Validates that the value is an array of allowed email domain patterns.
+ * Each entry must match one of:
+ *   - @domain.com  (exact domain match, starts with @)
+ *   - .tld         (TLD/suffix match, starts with .)
+ *   - user@example.com (exact email match)
+ */
+final class AllowedEmailDomainsArray implements Rule
+{
+    /**
+     * @param  string  $attribute
+     * @param  mixed  $value
+     * @return bool
+     */
+    public function passes($attribute, $value): bool
+    {
+        if (!is_array($value))
+            return false;
+
+        foreach ($value as $element) {
+            if (!is_string($element) || empty(trim($element)))
+                return false;
+
+            $element = trim($element);
+
+            // @domain.com — must have at least one char after @
+            if (str_starts_with($element, '@')) {
+                if (!preg_match('/^@[\w][\w.-]+$/', $element))
+                    return false;
+            }
+            // .tld — must have at least one char after .
+            elseif (str_starts_with($element, '.')) {
+                if (!preg_match('/^\.\w+$/', $element))
+                    return false;
+            }
+            // user@example.com — standard email-like pattern
+            elseif (str_contains($element, '@')) {
+                if (!preg_match('/^[^@\s]+@[\w][\w.-]+$/', $element))
+                    return false;
+            }
+            else {
+                return false;
+            }
+        }
+        return true;
+    }
+
+    /**
+     * @return string
+     */
+    public function message(): string
+    {
+        return trans('The :attribute must be an array of valid email domain patterns (@domain.com, .tld, or user@example.com).');
+    }
+}

doc/promo-codes-for-early-registration-access.md

@@ -484,7 +484,9 @@ Deviations from the SDS captured during implementation. Each entry is either **O
 - `php artisan clear-compiled`
 
 **Review Follow-ups:**
-- None
+- [x] **`allowed_email_domains` validation is broken for natural API usage (MUST-FIX):** `getJsonPayload()` calls `Request::json()->all()` which returns an already-decoded PHP array. Laravel's `'sometimes|json'` rule requires `is_string($value)` — it returns false for a PHP array, so every real request sending `"allowed_email_domains": ["@acme.com"]` (the natural representation) is rejected with a 422. Additionally, `SummitPromoCodeFactory::populate()` calls `json_decode($data['allowed_email_domains'], true)` on what is already a PHP array — a TypeError in PHP 8 if ever reached. Fix: replace `'sometimes|json'` with a custom `AllowedEmailDomainsRule` that accepts a pre-decoded PHP array and validates each entry matches `@domain`, `.tld`, or `user@email` format (per D3 resolution plan). Also remove the `json_decode()` call from the factory — the value is already an array. Apply in both `buildForAdd` and `buildForUpdate`.
+- [x] **`expand=allowed_ticket_types` silently drops field on discount variant (SHOULD-FIX):** `AbstractSerializer::_expand()` sets `$values['allowed_ticket_types']` from the expand mapping, then `SummitRegistrationDiscountCodeSerializer::serialize()` unconditionally does `unset($values['allowed_ticket_types'])`, then the child re-add guard in `DomainAuthorizedSummitRegistrationDiscountCodeSerializer::serialize()` checks `in_array('allowed_ticket_types', $relations)` — which is false when the field was requested via `?expand=`. Field disappears from the response. Fix: extend the re-add condition to also check `!empty($expand) && str_contains($expand, 'allowed_ticket_types')`.
+- [x] **`json_array` is not a recognized serializer type (NIT):** Both new serializers declare `'AllowedEmailDomains' => 'allowed_email_domains:json_array'` but `AbstractSerializer` has no `case 'json_array'` in its formatter switch — the mapping is a silent NOP. Works in practice because `getAllowedEmailDomains()` returns a PHP array which the response encoder serializes correctly. Fix: rename to `json_string_array` for correctness.
 
 ---