
[WHIT-3020] Make preview token generation opt-in #11542

Open
TonyGDS wants to merge 1 commit into whit-3020-deletable-preview-tokens from whit-3020-opt-in-preview-tokens

@TonyGDS TonyGDS commented Jun 9, 2026

Contributor

Part 3 of 3 for WHIT-3020. Stacked on #11543

Jira

What

Makes preview-token generation opt-in. Previously every draft edition was auto-assigned a JWT auth-bypass token on creation, and the draft Content Store evaluates that token before access limits — granting access and skipping the allow-list if a token is present — so a document locked to named users was still viewable by anyone holding the share link. This removes the auto-generation, so a draft has no token until a publisher generates one (the generate/delete UI landed in #11543).

How

  • Remove the before_create :set_auth_bypass_id callback on Edition — a new draft no longer gets a token, and none is sent to the Publishing API.
  • Exclude auth_bypass_id from the attributes Edition#create_draft copies, so redrafting a published document no longer carries its token forward — the new draft starts token-less.
  • Move the factory's auth_bypass_id into a :with_auth_bypass_id trait so test editions match production (no token by default), applying it only where a token must be present.
  • Update the affected tests for the token-less default (presenter payloads assert an empty auth_bypass_ids array; dedicated presence tests cover the token case).

Acceptance criteria

Screenshots

Before — a brand-new draft auto-shows a generated preview link

Screenshot 2026-06-10 at 11 50 35

After — a brand-new draft shows the empty state

Screenshot 2026-06-09 at 16 23 36

Test plan

Run against integration with two sessions: a signed-in publisher and a signed-out browser (incognito) for the preview links. "403" below means the signed-out browser is refused.

A. Token lifecycle (once, on a Publication — representative of all types)

  1. Create a new draft → the share section shows only "Generate link" (no link, no Copy/Delete). (opt-in default)
  2. Click Generate link → a copy box with a preview link appears, plus Generate new link and Delete link.
  3. Open the link signed-out → the draft renders. (token grants preview)
  4. Click Generate new link, copy the new link. Old link signed-out → 403; new link → renders. (regenerate supersedes)
  5. Click Delete link → back to the empty state. Previous link signed-out → 403. (delete revokes)

B. Document-type coverage (section renders + generate/delete behave as in A)

  • Publication
  • Speech
  • Consultation
  • Call for evidence
  • Detailed guide
  • Document collection
  • Fatality notice
  • Statistical data set
  • Corporate information page
  • Plan for change page
  • Standard edition
  • Worldwide organisation

C. Access limiting

  1. Create an access-limited draft (limited to an org you are not in) with no token → a user outside the org / signed-out cannot preview it.
  2. Generate a token, then delete it → the old link 403s and access limiting is back in force.

D. Asset propagation (upload to a draft with a token, then delete the token and re-check signed-out)

  • File attachment — gated (draft: true): with a token, signed-out can fetch the asset; after delete → 403. (token enforced)
  • HTML attachment — inherits the edition's token: with a token renders the attachment; after delete → 403.
  • Consultation / call-for-evidence response form — live asset (draft: false): confirm the token (or []) is sent to Asset Manager, but see the limitation below.
  • Edition image (Images tab) — live asset (draft: false): as above.
  • Featured image / organisation logo — default storage, no token applied (always live).

⚠️ Known limitation (WHIT-3580): edition images and response documents are stored as live assets (draft: false), so the preview token is sent but not enforced — they stay reachable signed-out regardless of the token. Verify the payloads carry the right auth_bypass_ids, but do not expect a 403 on these until the live-asset ticket is fixed.

E. Other checks

  • After regenerate/delete, confirm the Publishing API draft and Asset Manager assets carry the updated auth_bypass_ids ([token] or []).
  • Redraft a published document that had a preview link → the new draft starts in the empty state (no token, no copyable link).

Follow-ups (separate tickets/stories)

  • Images & response documents are stored as live assets even for draft editions, so the preview token doesn't gate them (WHIT-3580).
  • Drop auth_bypass_ids on publish — Currently if an edition has an auth_bypass_id it is propagated when the Edition is published. Once published the auth_bypass_id has no effect on the display of the content. Therefore auth_bypass_id should be removed from the edition and downstream services when the edition is published. (WHIT-3585)
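
The decision order this description relies on (token checked before the allow-list) and the generate/regenerate/delete lifecycle from test plan A and C, as an added example that is not code from this PR or from the Content Store. It is a simplified model: `DraftItem`, `draft_access`, `generate_token` and `delete_token` are hypothetical names, bypass ids are constructed values compared directly, and JWT encoding and verification are left out.

```ruby
require "securerandom"

# Simplified model of a draft content item as the PR describes it:
# auth_bypass_ids is [] unless a publisher has generated a preview token;
# access_limited_uids is the allow-list of named users (empty = not limited).
DraftItem = Struct.new(:auth_bypass_ids, :access_limited_uids, keyword_init: true)

# Decision order described in the PR: the bypass token is evaluated first and,
# when it matches, the allow-list is skipped entirely.
def draft_access(item, user_uid: nil, bypass_id: nil)
  return :granted_by_token if bypass_id && item.auth_bypass_ids.include?(bypass_id)
  return :forbidden if user_uid.nil? # signed-out and no valid token => 403
  return :granted if item.access_limited_uids.empty?

  item.access_limited_uids.include?(user_uid) ? :granted : :forbidden
end

# Publisher actions behind the generate/delete UI (hypothetical helpers).
def generate_token(item)
  token = SecureRandom.uuid      # constructed id, stands in for the real token
  item.auth_bypass_ids = [token] # regenerating supersedes the previous id
  token
end

def delete_token(item)
  item.auth_bypass_ids = []
end

# Old default: a token exists from creation, so a share link beats the allow-list.
def old_default_draft(limited_to)
  DraftItem.new(auth_bypass_ids: [SecureRandom.uuid], access_limited_uids: limited_to)
end

# New default: no token until a publisher opts in, so only the allow-list applies.
def new_default_draft(limited_to)
  DraftItem.new(auth_bypass_ids: [], access_limited_uids: limited_to)
end
```

With the old default, `draft_access` returns `:granted_by_token` for a signed-out link holder even when `access_limited_uids` names specific users; with the new default the same request is `:forbidden` until `generate_token` is called.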

@TonyGDS TonyGDS changed the title from "[WHIT-3020] Make shareable preview tokens opt-in" to "[WHIT-3020] Make preview token generation opt-in" Jun 9, 2026
@TonyGDS TonyGDS changed the base branch from main to whit-3020-deletable-preview-tokens June 9, 2026 13:25
@TonyGDS TonyGDS force-pushed the whit-3020-deletable-preview-tokens branch from 5aba05f to 176854d Compare June 9, 2026 13:48
@TonyGDS TonyGDS force-pushed the whit-3020-opt-in-preview-tokens branch from 1951e36 to e81735c Compare June 9, 2026 13:48
@TonyGDS TonyGDS force-pushed the whit-3020-deletable-preview-tokens branch from 176854d to 7b71ef9 Compare June 9, 2026 13:59
@TonyGDS TonyGDS force-pushed the whit-3020-opt-in-preview-tokens branch from e81735c to eadfa72 Compare June 9, 2026 13:59
@TonyGDS TonyGDS force-pushed the whit-3020-deletable-preview-tokens branch from 7b71ef9 to dc3e859 Compare June 9, 2026 15:16
@TonyGDS TonyGDS force-pushed the whit-3020-opt-in-preview-tokens branch 4 times, most recently from 63bdfd2 to 8d87f89 Compare June 9, 2026 15:46
@TonyGDS TonyGDS force-pushed the whit-3020-deletable-preview-tokens branch from dc3e859 to c2e1e13 Compare June 9, 2026 16:35
@TonyGDS TonyGDS force-pushed the whit-3020-opt-in-preview-tokens branch 2 times, most recently from 5e9c977 to b484ac4 Compare June 10, 2026 08:51
@TonyGDS TonyGDS force-pushed the whit-3020-deletable-preview-tokens branch from c2e1e13 to 9163764 Compare June 10, 2026 09:51
@TonyGDS TonyGDS force-pushed the whit-3020-opt-in-preview-tokens branch from b484ac4 to 6762146 Compare June 10, 2026 09:56
@TonyGDS TonyGDS force-pushed the whit-3020-deletable-preview-tokens branch from 9163764 to f642e3e Compare June 10, 2026 10:18
@TonyGDS TonyGDS force-pushed the whit-3020-opt-in-preview-tokens branch from 6762146 to 8da762a Compare June 10, 2026 10:18
@TonyGDS TonyGDS force-pushed the whit-3020-deletable-preview-tokens branch from f642e3e to d35f18e Compare June 10, 2026 10:42
@TonyGDS TonyGDS force-pushed the whit-3020-opt-in-preview-tokens branch from 8da762a to ba50c8f Compare June 10, 2026 10:42
@TonyGDS TonyGDS marked this pull request as ready for review June 10, 2026 12:01
@TonyGDS TonyGDS force-pushed the whit-3020-deletable-preview-tokens branch from d35f18e to 719aeea Compare June 10, 2026 15:08
@TonyGDS TonyGDS force-pushed the whit-3020-opt-in-preview-tokens branch 4 times, most recently from 7491e19 to e6b1009 Compare June 11, 2026 17:09
@TonyGDS TonyGDS force-pushed the whit-3020-deletable-preview-tokens branch 2 times, most recently from 92202fe to 381379d Compare June 12, 2026 13:34
@TonyGDS TonyGDS force-pushed the whit-3020-opt-in-preview-tokens branch from e6b1009 to f7bdde1 Compare June 12, 2026 13:34
@TonyGDS TonyGDS force-pushed the whit-3020-deletable-preview-tokens branch from 381379d to b25327c Compare June 12, 2026 13:38
@TonyGDS TonyGDS force-pushed the whit-3020-opt-in-preview-tokens branch from f7bdde1 to d6c67cb Compare June 12, 2026 13:38
@TonyGDS TonyGDS force-pushed the whit-3020-deletable-preview-tokens branch from b25327c to 729c9eb Compare June 12, 2026 15:08
@TonyGDS TonyGDS force-pushed the whit-3020-opt-in-preview-tokens branch from d6c67cb to 06ac55d Compare June 12, 2026 15:08
@TonyGDS TonyGDS force-pushed the whit-3020-deletable-preview-tokens branch from 729c9eb to 30f8365 Compare June 12, 2026 15:18
@TonyGDS TonyGDS force-pushed the whit-3020-opt-in-preview-tokens branch from 06ac55d to e90b442 Compare June 12, 2026 15:18
Remove the before_create callback that assigned every edition an
auth_bypass_id, making preview token generation opt-in: a draft has no
token until a publisher generates one. Redrafting no longer carries the
previous edition's token forward either — auth_bypass_id is excluded
from the attributes create_draft copies — so a new draft also starts
token-less.

Editions now have no token by default: the factory carries a
:with_auth_bypass_id trait for the cases that still need one, and the
tests assert the empty-token default (presenter payloads serialise an
empty auth_bypass_ids array).
@TonyGDS TonyGDS force-pushed the whit-3020-deletable-preview-tokens branch from 30f8365 to 192753b Compare June 12, 2026 15:48
@TonyGDS TonyGDS force-pushed the whit-3020-opt-in-preview-tokens branch from e90b442 to 0dd17f3 Compare June 12, 2026 15:48