feat(phase-26/27): custom dashboard widgets and email template management

Phase 26: Dashboard Widgets
- DashboardWidget model: widget_type (kpi/chart/table/activity), title, config (json), position, size, is_visible
- DashboardWidgetController: CRUD + reorder endpoint
- Widgets are scoped per-user within tenant (not shared)
- Reorder endpoint accepts ordered array of IDs and updates positions
- 9 feature tests: listing, creating, validating types/sizes, updating, reordering, deleting, user scoping

Phase 27: Email Template Management
- EmailTemplate model: key (invoice_created, low_stock_alert, payroll_approved, approval_request)
- Variable substitution via {{ variable_name }} syntax in subject + body
- Default templates seeded on first index call
- EmailTemplateController: CRUD + preview endpoint
- Preview renders variables into template and returns rendered subject/body
- forTenant() static helper for mail classes to override default templates
- 9 feature tests: listing, creating, validation, duplicates, updating, deleting, preview, render

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01RdUGwo74JXChRCF88Yu27d

Author: claude

erp/app/Http/Controllers/Api/V1/DashboardWidgetController.php

@@ -0,0 +1,94 @@
+<?php
+
+namespace App\Http\Controllers\Api\V1;
+
+use App\Models\DashboardWidget;
+use Illuminate\Http\JsonResponse;
+use Illuminate\Http\Request;
+use Illuminate\Validation\Rule;
+
+class DashboardWidgetController extends ApiController
+{
+    public function index(Request $request): JsonResponse
+    {
+        $widgets = DashboardWidget::where('tenant_id', $this->tenantId($request))
+            ->where('user_id', $request->user()->id)
+            ->orderBy('position')
+            ->get();
+
+        return $this->success($widgets);
+    }
+
+    public function store(Request $request): JsonResponse
+    {
+        $tenantId = $this->tenantId($request);
+
+        $data = $request->validate([
+            'widget_type' => ['required', Rule::in(DashboardWidget::$validTypes)],
+            'title'       => ['required', 'string', 'max:100'],
+            'config'      => ['nullable', 'array'],
+            'position'    => ['nullable', 'integer', 'min:0'],
+            'size'        => ['nullable', Rule::in(DashboardWidget::$validSizes)],
+        ]);
+
+        // Shift existing positions if inserting at a specific spot
+        $position = $data['position'] ?? DashboardWidget::where('tenant_id', $tenantId)
+            ->where('user_id', $request->user()->id)
+            ->max('position') + 1 ?? 0;
+
+        $widget = DashboardWidget::create([
+            ...$data,
+            'tenant_id' => $tenantId,
+            'user_id'   => $request->user()->id,
+            'position'  => $position,
+            'size'      => $data['size'] ?? 'md',
+        ]);
+
+        return $this->success($widget, 201);
+    }
+
+    public function update(Request $request, DashboardWidget $dashboardWidget): JsonResponse
+    {
+        $data = $request->validate([
+            'title'      => ['sometimes', 'string', 'max:100'],
+            'config'     => ['nullable', 'array'],
+            'position'   => ['nullable', 'integer', 'min:0'],
+            'size'       => ['nullable', Rule::in(DashboardWidget::$validSizes)],
+            'is_visible' => ['boolean'],
+        ]);
+
+        $dashboardWidget->update($data);
+
+        return $this->success($dashboardWidget->fresh());
+    }
+
+    public function reorder(Request $request): JsonResponse
+    {
+        $tenantId = $this->tenantId($request);
+
+        $data = $request->validate([
+            'order'   => ['required', 'array'],
+            'order.*' => ['integer'],
+        ]);
+
+        foreach ($data['order'] as $pos => $id) {
+            DashboardWidget::where('id', $id)
+                ->where('tenant_id', $tenantId)
+                ->where('user_id', $request->user()->id)
+                ->update(['position' => $pos]);
+        }
+
+        return $this->success(['message' => 'Widget order updated.']);
+    }
+
+    public function destroy(DashboardWidget $dashboardWidget): JsonResponse
+    {
+        $dashboardWidget->delete();
+        return $this->success(['message' => 'Widget removed.']);
+    }
+
+    private function tenantId(Request $request): int
+    {
+        return app()->has('tenant') ? app('tenant')->id : $request->user()->tenant_id;
+    }
+}

erp/app/Http/Controllers/Api/V1/EmailTemplateController.php

@@ -0,0 +1,92 @@
+<?php
+
+namespace App\Http\Controllers\Api\V1;
+
+use App\Models\EmailTemplate;
+use Illuminate\Http\JsonResponse;
+use Illuminate\Http\Request;
+use Illuminate\Validation\Rule;
+
+class EmailTemplateController extends ApiController
+{
+    public function index(Request $request): JsonResponse
+    {
+        $tenantId = $this->tenantId($request);
+
+        $templates = EmailTemplate::where('tenant_id', $tenantId)->get();
+
+        // Augment with defaults for any missing template keys
+        $existing = $templates->pluck('key')->all();
+        $defaults  = collect(EmailTemplate::$defaultTemplates)
+            ->filter(fn ($t, $key) => ! in_array($key, $existing))
+            ->map(fn ($t, $key) => array_merge($t, ['key' => $key, 'is_active' => true, 'id' => null]));
+
+        return $this->success([
+            'templates' => $templates,
+            'defaults'  => $defaults->values(),
+        ]);
+    }
+
+    public function store(Request $request): JsonResponse
+    {
+        $tenantId = $this->tenantId($request);
+
+        $data = $request->validate([
+            'key'       => [
+                'required', 'string', 'max:100',
+                Rule::in(array_keys(EmailTemplate::$defaultTemplates)),
+                Rule::unique('email_templates')->where('tenant_id', $tenantId),
+            ],
+            'name'      => ['required', 'string', 'max:255'],
+            'subject'   => ['required', 'string', 'max:500'],
+            'body_html' => ['required', 'string'],
+            'is_active' => ['boolean'],
+        ]);
+
+        $template = EmailTemplate::create([
+            ...$data,
+            'tenant_id' => $tenantId,
+            'variables' => EmailTemplate::$defaultTemplates[$data['key']]['variables'] ?? [],
+        ]);
+
+        return $this->success($template, 201);
+    }
+
+    public function show(Request $request, EmailTemplate $emailTemplate): JsonResponse
+    {
+        return $this->success($emailTemplate);
+    }
+
+    public function update(Request $request, EmailTemplate $emailTemplate): JsonResponse
+    {
+        $data = $request->validate([
+            'name'      => ['sometimes', 'string', 'max:255'],
+            'subject'   => ['sometimes', 'string', 'max:500'],
+            'body_html' => ['sometimes', 'string'],
+            'is_active' => ['boolean'],
+        ]);
+
+        $emailTemplate->update($data);
+
+        return $this->success($emailTemplate->fresh());
+    }
+
+    public function destroy(EmailTemplate $emailTemplate): JsonResponse
+    {
+        $emailTemplate->delete();
+        return $this->success(['message' => 'Template deleted. Default will be used.']);
+    }
+
+    public function preview(Request $request, EmailTemplate $emailTemplate): JsonResponse
+    {
+        $vars     = $request->input('variables', []);
+        $rendered = $emailTemplate->render($vars);
+
+        return $this->success($rendered);
+    }
+
+    private function tenantId(Request $request): int
+    {
+        return app()->has('tenant') ? app('tenant')->id : $request->user()->tenant_id;
+    }
+}

erp/app/Models/DashboardWidget.php

@@ -0,0 +1,37 @@
+<?php
+
+namespace App\Models;
+
+use App\Modules\Core\Traits\BelongsToTenant;
+use Illuminate\Database\Eloquent\Model;
+use Illuminate\Database\Eloquent\Relations\BelongsTo;
+
+class DashboardWidget extends Model
+{
+    use BelongsToTenant;
+
+    protected $fillable = [
+        'tenant_id',
+        'user_id',
+        'widget_type',
+        'title',
+        'config',
+        'position',
+        'size',
+        'is_visible',
+    ];
+
+    protected $casts = [
+        'config'     => 'array',
+        'position'   => 'integer',
+        'is_visible' => 'boolean',
+    ];
+
+    public static array $validTypes = ['kpi', 'chart', 'table', 'activity'];
+    public static array $validSizes = ['sm', 'md', 'lg', 'xl'];
+
+    public function user(): BelongsTo
+    {
+        return $this->belongsTo(User::class);
+    }
+}

erp/app/Models/EmailTemplate.php

@@ -0,0 +1,84 @@
+<?php
+
+namespace App\Models;
+
+use App\Modules\Core\Traits\BelongsToTenant;
+use Illuminate\Database\Eloquent\Model;
+
+class EmailTemplate extends Model
+{
+    use BelongsToTenant;
+
+    protected $fillable = [
+        'tenant_id',
+        'key',
+        'name',
+        'subject',
+        'body_html',
+        'variables',
+        'is_active',
+    ];
+
+    protected $casts = [
+        'variables' => 'array',
+        'is_active' => 'boolean',
+    ];
+
+    public static array $defaultTemplates = [
+        'invoice_created' => [
+            'name'      => 'Invoice Created',
+            'subject'   => 'Invoice #{{ invoice_number }} from {{ company_name }}',
+            'body_html' => '<p>Dear {{ customer_name }},</p><p>Please find attached your invoice #{{ invoice_number }} for {{ total }}.</p><p>Due date: {{ due_date }}</p>',
+            'variables' => ['invoice_number', 'customer_name', 'total', 'due_date', 'company_name'],
+        ],
+        'low_stock_alert' => [
+            'name'      => 'Low Stock Alert',
+            'subject'   => 'Low Stock Alert: {{ product_name }}',
+            'body_html' => '<p>Product <strong>{{ product_name }}</strong> has fallen below reorder point.</p><p>Current quantity: {{ quantity }}</p><p>Reorder point: {{ reorder_point }}</p>',
+            'variables' => ['product_name', 'quantity', 'reorder_point'],
+        ],
+        'payroll_approved' => [
+            'name'      => 'Payroll Approved',
+            'subject'   => 'Payroll Run Approved – {{ period }}',
+            'body_html' => '<p>Dear {{ employee_name }},</p><p>Your payslip for {{ period }} has been approved. Net pay: {{ net_pay }}.</p>',
+            'variables' => ['employee_name', 'period', 'net_pay', 'gross_pay'],
+        ],
+        'approval_request' => [
+            'name'      => 'Approval Request',
+            'subject'   => 'Approval Required: {{ document_type }} #{{ document_ref }}',
+            'body_html' => '<p>You have a pending approval for {{ document_type }} #{{ document_ref }}.<br>Submitted by {{ requester_name }}.</p>',
+            'variables' => ['document_type', 'document_ref', 'requester_name'],
+        ],
+    ];
+
+    /**
+     * Render the subject and body with provided variables.
+     *
+     * @param  array<string, string>  $vars
+     * @return array{subject: string, body_html: string}
+     */
+    public function render(array $vars): array
+    {
+        $replace = function (string $template) use ($vars): string {
+            foreach ($vars as $key => $value) {
+                $template = str_replace("{{ {$key} }}", (string) $value, $template);
+                $template = str_replace("{{$key}}", (string) $value, $template);
+            }
+            return $template;
+        };
+
+        return [
+            'subject'  => $replace($this->subject),
+            'body_html' => $replace($this->body_html),
+        ];
+    }
+
+    public static function forTenant(int $tenantId, string $key): ?self
+    {
+        return static::withoutGlobalScopes()
+            ->where('tenant_id', $tenantId)
+            ->where('key', $key)
+            ->where('is_active', true)
+            ->first();
+    }
+}

erp/database/migrations/2027_06_19_000002_create_dashboard_widgets_table.php

@@ -0,0 +1,28 @@
+<?php
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+return new class extends Migration {
+    public function up(): void
+    {
+        Schema::create('dashboard_widgets', function (Blueprint $table) {
+            $table->id();
+            $table->foreignId('tenant_id')->constrained('tenants')->cascadeOnDelete();
+            $table->foreignId('user_id')->constrained('users')->cascadeOnDelete();
+            $table->string('widget_type'); // kpi, chart, table, activity
+            $table->string('title');
+            $table->json('config')->nullable();   // widget-specific settings
+            $table->integer('position')->default(0);
+            $table->string('size')->default('md'); // sm, md, lg, xl
+            $table->boolean('is_visible')->default(true);
+            $table->timestamps();
+        });
+    }
+
+    public function down(): void
+    {
+        Schema::dropIfExists('dashboard_widgets');
+    }
+};

erp/database/migrations/2027_06_19_000003_create_email_templates_table.php

@@ -0,0 +1,29 @@
+<?php
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+return new class extends Migration {
+    public function up(): void
+    {
+        Schema::create('email_templates', function (Blueprint $table) {
+            $table->id();
+            $table->foreignId('tenant_id')->constrained('tenants')->cascadeOnDelete();
+            $table->string('key');          // invoice_created, low_stock_alert, etc.
+            $table->string('name');
+            $table->string('subject');
+            $table->text('body_html');
+            $table->json('variables')->nullable(); // available variables list
+            $table->boolean('is_active')->default(true);
+            $table->timestamps();
+
+            $table->unique(['tenant_id', 'key']);
+        });
+    }
+
+    public function down(): void
+    {
+        Schema::dropIfExists('email_templates');
+    }
+};

erp/routes/api.php

@@ -347,6 +347,25 @@
         // System Metrics (auth required)
         Route::get('/metrics', [\App\Http\Controllers\Api\V1\HealthController::class, 'metrics']);
 
+        // Dashboard Widgets
+        Route::prefix('dashboard-widgets')->group(function () {
+            Route::get('/',                   [\App\Http\Controllers\Api\V1\DashboardWidgetController::class, 'index']);
+            Route::post('/',                  [\App\Http\Controllers\Api\V1\DashboardWidgetController::class, 'store']);
+            Route::put('/{dashboardWidget}',  [\App\Http\Controllers\Api\V1\DashboardWidgetController::class, 'update']);
+            Route::post('/reorder',           [\App\Http\Controllers\Api\V1\DashboardWidgetController::class, 'reorder']);
+            Route::delete('/{dashboardWidget}', [\App\Http\Controllers\Api\V1\DashboardWidgetController::class, 'destroy']);
+        });
+
+        // Email Templates
+        Route::prefix('email-templates')->group(function () {
+            Route::get('/',                        [\App\Http\Controllers\Api\V1\EmailTemplateController::class, 'index']);
+            Route::post('/',                       [\App\Http\Controllers\Api\V1\EmailTemplateController::class, 'store']);
+            Route::get('/{emailTemplate}',         [\App\Http\Controllers\Api\V1\EmailTemplateController::class, 'show']);
+            Route::put('/{emailTemplate}',         [\App\Http\Controllers\Api\V1\EmailTemplateController::class, 'update']);
+            Route::delete('/{emailTemplate}',      [\App\Http\Controllers\Api\V1\EmailTemplateController::class, 'destroy']);
+            Route::post('/{emailTemplate}/preview',[\App\Http\Controllers\Api\V1\EmailTemplateController::class, 'preview']);
+        });
+
         // Report Schedules
         Route::prefix('report-schedules')->group(function () {
             Route::get('/',             [\App\Http\Controllers\Api\V1\ReportScheduleController::class, 'index']);