feat(phase-28/29): tenant feature flags and user preferences

Phase 28: Tenant Feature Flags
- TenantFeature model: feature key, is_enabled, config (json)
- 10 built-in features: recurring_invoices, customer_portal, webhooks, 2fa, audit_log, etc.
- isEnabled() with 5-minute cache (auto-invalidated on toggle)
- toggle() uses updateOrCreate to avoid duplicates
- TenantFeatureController: index (list with defaults), toggle, check by name
- 9 feature tests: listing, defaults, toggling on/off, validation, config, cache invalidation

Phase 29: User Preferences
- UserPreference model: user_id + key-value pairs
- 10 default preferences: timezone, date_format, time_format, language, currency_display, items_per_page, compact_mode, sidebar_collapsed, notifications_email, notifications_push
- getAllForUser() merges stored values over defaults
- setForUser() uses updateOrCreate for idempotent setting
- UserPreferenceController: index (get all), update (patch multiple), reset (delete all)
- Unknown keys silently ignored for safety
- 6 feature tests: defaults, update, unknown keys, reset, user scoping, auth

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01RdUGwo74JXChRCF88Yu27d

Author: claude

erp/app/Http/Controllers/Api/V1/TenantFeatureController.php

@@ -0,0 +1,68 @@
+<?php
+
+namespace App\Http\Controllers\Api\V1;
+
+use App\Models\TenantFeature;
+use Illuminate\Http\JsonResponse;
+use Illuminate\Http\Request;
+use Illuminate\Validation\Rule;
+
+class TenantFeatureController extends ApiController
+{
+    public function index(Request $request): JsonResponse
+    {
+        $tenantId = $this->tenantId($request);
+
+        $configured = TenantFeature::where('tenant_id', $tenantId)
+            ->get()
+            ->keyBy('feature');
+
+        $features = collect(TenantFeature::$availableFeatures)->map(function ($meta, $key) use ($configured) {
+            $record = $configured->get($key);
+            return [
+                'feature'     => $key,
+                'description' => $meta['description'],
+                'is_enabled'  => $record ? $record->is_enabled : true,
+                'config'      => $record?->config,
+            ];
+        })->values();
+
+        return $this->success($features);
+    }
+
+    public function toggle(Request $request): JsonResponse
+    {
+        $tenantId = $this->tenantId($request);
+
+        $data = $request->validate([
+            'feature'    => ['required', Rule::in(array_keys(TenantFeature::$availableFeatures))],
+            'is_enabled' => ['required', 'boolean'],
+            'config'     => ['nullable', 'array'],
+        ]);
+
+        $instance = TenantFeature::toggle(
+            $tenantId,
+            $data['feature'],
+            $data['is_enabled'],
+            $data['config'] ?? null
+        );
+
+        return $this->success($instance);
+    }
+
+    public function check(Request $request, string $feature): JsonResponse
+    {
+        $tenantId  = $this->tenantId($request);
+        $isEnabled = TenantFeature::isEnabled($tenantId, $feature);
+
+        return $this->success([
+            'feature'    => $feature,
+            'is_enabled' => $isEnabled,
+        ]);
+    }
+
+    private function tenantId(Request $request): int
+    {
+        return app()->has('tenant') ? app('tenant')->id : $request->user()->tenant_id;
+    }
+}

erp/app/Http/Controllers/Api/V1/UserPreferenceController.php

@@ -0,0 +1,47 @@
+<?php
+
+namespace App\Http\Controllers\Api\V1;
+
+use App\Models\UserPreference;
+use Illuminate\Http\JsonResponse;
+use Illuminate\Http\Request;
+use Illuminate\Validation\Rule;
+
+class UserPreferenceController extends ApiController
+{
+    public function index(Request $request): JsonResponse
+    {
+        $prefs = UserPreference::getAllForUser($request->user()->id);
+        return $this->success($prefs);
+    }
+
+    public function update(Request $request): JsonResponse
+    {
+        $allowedKeys = array_keys(UserPreference::$defaults);
+
+        $data = $request->validate([
+            'preferences'   => ['required', 'array'],
+            'preferences.*' => ['nullable', 'string', 'max:255'],
+        ]);
+
+        $updated = [];
+        foreach ($data['preferences'] as $key => $value) {
+            if (! in_array($key, $allowedKeys, true)) {
+                continue;
+            }
+            UserPreference::setForUser($request->user()->id, $key, (string) $value);
+            $updated[$key] = $value;
+        }
+
+        return $this->success([
+            'updated'     => $updated,
+            'preferences' => UserPreference::getAllForUser($request->user()->id),
+        ]);
+    }
+
+    public function reset(Request $request): JsonResponse
+    {
+        UserPreference::where('user_id', $request->user()->id)->delete();
+        return $this->success(UserPreference::$defaults);
+    }
+}

erp/app/Models/TenantFeature.php

@@ -0,0 +1,58 @@
+<?php
+
+namespace App\Models;
+
+use Illuminate\Database\Eloquent\Model;
+use Illuminate\Support\Facades\Cache;
+
+class TenantFeature extends Model
+{
+    protected $fillable = [
+        'tenant_id',
+        'feature',
+        'is_enabled',
+        'config',
+    ];
+
+    protected $casts = [
+        'is_enabled' => 'boolean',
+        'config'     => 'array',
+    ];
+
+    public static array $availableFeatures = [
+        'recurring_invoices'   => ['description' => 'Auto-generate invoices on a schedule'],
+        'customer_portal'      => ['description' => 'Customer self-service portal'],
+        'webhooks'             => ['description' => 'Outbound webhook integrations'],
+        'two_factor_auth'      => ['description' => 'Two-factor authentication for users'],
+        'audit_log'            => ['description' => 'Track all model changes'],
+        'email_templates'      => ['description' => 'Customise email templates'],
+        'report_schedules'     => ['description' => 'Schedule automatic report delivery'],
+        'api_access'           => ['description' => 'REST API access for external apps'],
+        'sso'                  => ['description' => 'Single sign-on via SAML/OAuth'],
+        'advanced_analytics'   => ['description' => 'Enhanced analytics and reporting'],
+    ];
+
+    public static function isEnabled(int $tenantId, string $feature): bool
+    {
+        return Cache::remember("tenant_feature_{$tenantId}_{$feature}", 300, function () use ($tenantId, $feature) {
+            $record = static::where('tenant_id', $tenantId)
+                ->where('feature', $feature)
+                ->first();
+
+            // Default: enabled if no explicit record (opt-in by default)
+            return $record === null ? true : $record->is_enabled;
+        });
+    }
+
+    public static function toggle(int $tenantId, string $feature, bool $enabled, ?array $config = null): self
+    {
+        $instance = static::updateOrCreate(
+            ['tenant_id' => $tenantId, 'feature' => $feature],
+            ['is_enabled' => $enabled, 'config' => $config]
+        );
+
+        Cache::forget("tenant_feature_{$tenantId}_{$feature}");
+
+        return $instance;
+    }
+}

erp/app/Models/UserPreference.php

@@ -0,0 +1,53 @@
+<?php
+
+namespace App\Models;
+
+use Illuminate\Database\Eloquent\Model;
+use Illuminate\Database\Eloquent\Relations\BelongsTo;
+
+class UserPreference extends Model
+{
+    protected $fillable = ['user_id', 'key', 'value'];
+
+    public static array $defaults = [
+        'timezone'         => 'UTC',
+        'date_format'      => 'Y-m-d',
+        'time_format'      => 'H:i',
+        'language'         => 'en',
+        'currency_display' => 'code', // code | symbol
+        'items_per_page'   => '25',
+        'compact_mode'     => 'false',
+        'sidebar_collapsed' => 'false',
+        'notifications_email' => 'true',
+        'notifications_push'  => 'true',
+    ];
+
+    public function user(): BelongsTo
+    {
+        return $this->belongsTo(User::class);
+    }
+
+    public static function getForUser(int $userId, string $key): mixed
+    {
+        $pref = static::where('user_id', $userId)->where('key', $key)->first();
+        return $pref ? $pref->value : (static::$defaults[$key] ?? null);
+    }
+
+    public static function getAllForUser(int $userId): array
+    {
+        $stored = static::where('user_id', $userId)
+            ->get()
+            ->pluck('value', 'key')
+            ->toArray();
+
+        return array_merge(static::$defaults, $stored);
+    }
+
+    public static function setForUser(int $userId, string $key, string $value): self
+    {
+        return static::updateOrCreate(
+            ['user_id' => $userId, 'key' => $key],
+            ['value' => $value]
+        );
+    }
+}

erp/database/migrations/2027_06_19_000004_create_tenant_features_table.php

@@ -0,0 +1,26 @@
+<?php
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+return new class extends Migration {
+    public function up(): void
+    {
+        Schema::create('tenant_features', function (Blueprint $table) {
+            $table->id();
+            $table->foreignId('tenant_id')->constrained('tenants')->cascadeOnDelete();
+            $table->string('feature');
+            $table->boolean('is_enabled')->default(true);
+            $table->json('config')->nullable();
+            $table->timestamps();
+
+            $table->unique(['tenant_id', 'feature']);
+        });
+    }
+
+    public function down(): void
+    {
+        Schema::dropIfExists('tenant_features');
+    }
+};

erp/database/migrations/2027_06_19_000005_create_user_preferences_table.php

@@ -0,0 +1,25 @@
+<?php
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+return new class extends Migration {
+    public function up(): void
+    {
+        Schema::create('user_preferences', function (Blueprint $table) {
+            $table->id();
+            $table->foreignId('user_id')->constrained('users')->cascadeOnDelete();
+            $table->string('key');
+            $table->text('value')->nullable();
+            $table->timestamps();
+
+            $table->unique(['user_id', 'key']);
+        });
+    }
+
+    public function down(): void
+    {
+        Schema::dropIfExists('user_preferences');
+    }
+};

erp/routes/api.php

@@ -356,6 +356,20 @@
             Route::delete('/{dashboardWidget}', [\App\Http\Controllers\Api\V1\DashboardWidgetController::class, 'destroy']);
         });
 
+        // User Preferences
+        Route::prefix('preferences')->group(function () {
+            Route::get('/',    [\App\Http\Controllers\Api\V1\UserPreferenceController::class, 'index']);
+            Route::put('/',    [\App\Http\Controllers\Api\V1\UserPreferenceController::class, 'update']);
+            Route::delete('/', [\App\Http\Controllers\Api\V1\UserPreferenceController::class, 'reset']);
+        });
+
+        // Tenant Feature Flags
+        Route::prefix('features')->group(function () {
+            Route::get('/',                   [\App\Http\Controllers\Api\V1\TenantFeatureController::class, 'index']);
+            Route::post('/toggle',            [\App\Http\Controllers\Api\V1\TenantFeatureController::class, 'toggle']);
+            Route::get('/{feature}/check',    [\App\Http\Controllers\Api\V1\TenantFeatureController::class, 'check']);
+        });
+
         // Email Templates
         Route::prefix('email-templates')->group(function () {
             Route::get('/',                        [\App\Http\Controllers\Api\V1\EmailTemplateController::class, 'index']);