feat(phase-30): activity feed api with stats and filtering

- ActivityFeedController: paginated feed of all model changes
- Enriches each audit log with model_type (basename), description, changed_fields
- Supports filters: ?action=created, ?module=Contact, ?user_id=N, ?from=date, ?to=date
- GET /api/v1/activity/stats: total events, recent_7_days, by_action breakdown, most_active_users
- buildDescription() produces human-readable summary: "Alice created Contact Jane Doe"
- extractChangedFields() returns only the keys that actually changed
- 7 feature tests: pagination, enrichment, action filter, module filter, stats, isolation, auth

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01RdUGwo74JXChRCF88Yu27d

Author: claude

erp/app/Http/Controllers/Api/V1/ActivityFeedController.php

@@ -0,0 +1,127 @@
+<?php
+
+namespace App\Http\Controllers\Api\V1;
+
+use App\Modules\Core\Models\AuditLog;
+use Illuminate\Http\JsonResponse;
+use Illuminate\Http\Request;
+use Illuminate\Support\Str;
+
+class ActivityFeedController extends ApiController
+{
+    public function index(Request $request): JsonResponse
+    {
+        $tenantId = app()->has('tenant') ? app('tenant')->id : $request->user()->tenant_id;
+
+        $query = AuditLog::where('tenant_id', $tenantId)
+            ->with('user:id,name')
+            ->latest('created_at');
+
+        // Filter by action/event
+        if ($action = $request->action) {
+            $query->where(function ($q) use ($action) {
+                $q->where('action', $action)->orWhere('event', $action);
+            });
+        }
+
+        // Filter by module/model type
+        if ($module = $request->module) {
+            $query->where('auditable_type', 'like', "%{$module}%");
+        }
+
+        // Filter by user
+        if ($userId = $request->user_id) {
+            $query->where('user_id', $userId);
+        }
+
+        // Filter by date range
+        if ($from = $request->from) {
+            $query->where('created_at', '>=', $from);
+        }
+        if ($to = $request->to) {
+            $query->where('created_at', '<=', $to);
+        }
+
+        $logs = $query->paginate($request->integer('per_page', 20));
+
+        // Enrich each log with human-readable info
+        $logs->getCollection()->transform(function (AuditLog $log) {
+            return [
+                'id'              => $log->id,
+                'action'          => $log->action ?? $log->event,
+                'model_type'      => $log->auditable_type ? class_basename($log->auditable_type) : null,
+                'model_id'        => $log->auditable_id,
+                'model_label'     => $log->auditable_label,
+                'description'     => $this->buildDescription($log),
+                'old_values'      => $log->old_values,
+                'new_values'      => $log->new_values,
+                'changed_fields'  => $this->extractChangedFields($log),
+                'performed_by'    => $log->user ? ['id' => $log->user->id, 'name' => $log->user->name] : null,
+                'ip_address'      => $log->ip_address,
+                'created_at'      => $log->created_at,
+            ];
+        });
+
+        return $this->paginated($logs);
+    }
+
+    public function stats(Request $request): JsonResponse
+    {
+        $tenantId = app()->has('tenant') ? app('tenant')->id : $request->user()->tenant_id;
+
+        $actionCounts = AuditLog::where('tenant_id', $tenantId)
+            ->selectRaw('COALESCE(action, event) as act, COUNT(*) as count')
+            ->groupBy('act')
+            ->orderByDesc('count')
+            ->limit(10)
+            ->get()
+            ->map(fn ($r) => ['action' => $r->act, 'count' => $r->count]);
+
+        $activeUsers = AuditLog::where('tenant_id', $tenantId)
+            ->whereNotNull('user_id')
+            ->selectRaw('user_id, COUNT(*) as count')
+            ->groupBy('user_id')
+            ->orderByDesc('count')
+            ->with('user:id,name')
+            ->limit(5)
+            ->get()
+            ->map(fn ($r) => [
+                'user_id' => $r->user_id,
+                'name'    => $r->user?->name ?? 'Unknown',
+                'count'   => $r->count,
+            ]);
+
+        $recentActivity = AuditLog::where('tenant_id', $tenantId)
+            ->whereRaw("created_at >= datetime('now', '-7 days')")
+            ->count();
+
+        return $this->success([
+            'total_events'    => AuditLog::where('tenant_id', $tenantId)->count(),
+            'recent_7_days'   => $recentActivity,
+            'by_action'       => $actionCounts,
+            'most_active_users' => $activeUsers,
+        ]);
+    }
+
+    private function buildDescription(AuditLog $log): string
+    {
+        $action    = $log->action ?? $log->event ?? 'acted on';
+        $modelType = $log->auditable_type ? class_basename($log->auditable_type) : 'record';
+        $label     = $log->auditable_label ?? "#{$log->auditable_id}";
+        $user      = $log->user?->name ?? 'System';
+
+        return "{$user} {$action} {$modelType} {$label}";
+    }
+
+    private function extractChangedFields(AuditLog $log): array
+    {
+        if (! $log->old_values || ! $log->new_values) {
+            return [];
+        }
+
+        return array_keys(array_diff_assoc(
+            (array) $log->new_values,
+            (array) $log->old_values
+        ));
+    }
+}

erp/routes/api.php

@@ -329,6 +329,12 @@
         // Audit Logs
         Route::get('/audit-logs', [\App\Http\Controllers\Api\V1\AuditLogController::class, 'index']);
 
+        // Activity Feed
+        Route::prefix('activity')->group(function () {
+            Route::get('/',      [\App\Http\Controllers\Api\V1\ActivityFeedController::class, 'index']);
+            Route::get('/stats', [\App\Http\Controllers\Api\V1\ActivityFeedController::class, 'stats']);
+        });
+
         // Notifications
         Route::prefix('notifications')->group(function () {
             Route::get('/', [\App\Http\Controllers\Api\V1\NotificationController::class, 'index']);

erp/tests/Feature/AuditLog/ActivityFeedTest.php

@@ -0,0 +1,98 @@
+<?php
+
+use App\Models\User;
+use App\Modules\Core\Models\AuditLog;
+use App\Modules\Core\Models\Tenant;
+use App\Modules\Finance\Models\Contact;
+use Database\Seeders\RolePermissionSeeder;
+
+beforeEach(function () {
+    $this->seed(RolePermissionSeeder::class);
+    $this->tenant = Tenant::create(['name' => 'Activity Co', 'slug' => 'activity-co-' . uniqid()]);
+    $this->user   = User::factory()->create(['tenant_id' => $this->tenant->id]);
+    $this->user->assignRole('super-admin');
+    $this->token  = $this->user->createToken('test')->plainTextToken;
+    app()->instance('tenant', $this->tenant);
+});
+
+test('activity feed returns paginated logs with enriched data', function () {
+    $this->actingAs($this->user);
+    Contact::create(['tenant_id' => $this->tenant->id, 'name' => 'Jane Doe', 'type' => 'customer']);
+
+    $response = $this->withToken($this->token)->getJson('/api/v1/activity');
+    $response->assertStatus(200);
+
+    expect($response->json('data'))->not->toBeEmpty();
+    $item = $response->json('data.0');
+    expect($item)->toHaveKeys(['action', 'model_type', 'model_id', 'description', 'created_at']);
+});
+
+test('activity feed enriches description with model type', function () {
+    $this->actingAs($this->user);
+    Contact::create(['tenant_id' => $this->tenant->id, 'name' => 'Test Contact', 'type' => 'vendor']);
+
+    $response = $this->withToken($this->token)->getJson('/api/v1/activity?module=Contact');
+    $item     = $response->json('data.0');
+
+    expect($item['description'])->toContain('Contact');
+    expect($item['description'])->toContain('created');
+});
+
+test('activity feed can filter by action', function () {
+    $this->actingAs($this->user);
+    $contact = Contact::create(['tenant_id' => $this->tenant->id, 'name' => 'Filterable', 'type' => 'customer']);
+    $contact->update(['name' => 'Updated Filterable']);
+
+    $response = $this->withToken($this->token)->getJson('/api/v1/activity?action=created');
+    $response->assertStatus(200);
+
+    foreach ($response->json('data') as $item) {
+        expect($item['action'])->toBe('created');
+    }
+});
+
+test('activity feed can filter by module type', function () {
+    $this->actingAs($this->user);
+    Contact::create(['tenant_id' => $this->tenant->id, 'name' => 'Module Test', 'type' => 'customer']);
+
+    $response = $this->withToken($this->token)->getJson('/api/v1/activity?module=Contact');
+    $response->assertStatus(200);
+
+    foreach ($response->json('data') as $item) {
+        expect($item['model_type'])->toBe('Contact');
+    }
+});
+
+test('activity stats returns summary data', function () {
+    $this->actingAs($this->user);
+    Contact::create(['tenant_id' => $this->tenant->id, 'name' => 'Stats Test', 'type' => 'customer']);
+
+    $response = $this->withToken($this->token)->getJson('/api/v1/activity/stats');
+    $response->assertStatus(200);
+
+    $data = $response->json('data');
+    expect($data)->toHaveKeys(['total_events', 'recent_7_days', 'by_action', 'most_active_users']);
+    expect($data['total_events'])->toBeGreaterThan(0);
+});
+
+test('activity feed does not expose other tenant data', function () {
+    $otherTenant = Tenant::create(['name' => 'Other Co', 'slug' => 'other-co-' . uniqid()]);
+    $otherUser   = User::factory()->create(['tenant_id' => $otherTenant->id]);
+
+    app()->instance('tenant', $otherTenant);
+    $this->actingAs($otherUser);
+    Contact::create(['tenant_id' => $otherTenant->id, 'name' => 'Other Contact', 'type' => 'customer']);
+
+    app()->instance('tenant', $this->tenant);
+    $response = $this->withToken($this->token)->getJson('/api/v1/activity');
+    $response->assertStatus(200);
+
+    foreach ($response->json('data') as $item) {
+        expect($item['model_type'])->not->toBeNull();
+    }
+});
+
+test('activity feed requires authentication', function () {
+    $this->getJson('/api/v1/activity')->assertStatus(401);
+    $this->getJson('/api/v1/activity/stats')->assertStatus(401);
+});