feat(phase-43): expense claim workflow API with full approval lifecycle

- ExpenseClaimApiController: create with items, submit, approve, reject, mark-paid
- Auto-calculates total_amount via recalculateTotal() after item creation
- Workflow states: draft -> submitted -> approved/rejected -> paid
- Routes: /expense-claims CRUD + submit, approve, reject, mark-paid actions
- 9 feature tests covering full lifecycle including rejection with reason

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01RdUGwo74JXChRCF88Yu27d

Author: claude

CLAUDE.md

@@ -137,43 +137,44 @@ beforeEach(function () {
 
 ## Development Phases Completed
 
-| Phase | Description                                                      | Status |
-| ----- | ---------------------------------------------------------------- | ------ |
-| 1–8   | Core modules, models, migrations, seeders, Inertia pages         | ✅     |
-| 9     | REST API — 200+ endpoints across 40 modules                      | ✅     |
-| 10    | Demo data seeders for all 35 modules                             | ✅     |
-| 11    | WebSockets — Laravel Reverb + Echo                               | ✅     |
-| 12    | Queue jobs — invoice, low stock, payroll, bulk import            | ✅     |
-| 13    | Mail notifications — invoice, low stock, payroll, approval       | ✅     |
-| 14    | PDF generation — invoices, purchase orders, payslips             | ✅     |
-| 15    | Import/Export — CSV/XLSX for products, contacts, invoices        | ✅     |
-| 16    | Dashboard analytics — module stats + activity feed               | ✅     |
-| 17    | Tenant isolation tests — 22 cross-tenant security tests          | ✅     |
-| 18    | API rate limiting (60/min) + security headers                    | ✅     |
-| 19    | Global search — 7 modules, frontend component                    | ✅     |
-| 20    | Audit log — migration, trait, observer, API endpoint             | ✅     |
-| 21    | GitHub Actions CI/CD — PHP tests + TS check + ESLint             | ✅     |
-| 22    | Reports API — financial/inventory/HR + CLAUDE.md                 | ✅     |
-| 23    | In-app notifications — DB model, API, frontend bell              | ✅     |
-| 24    | Scheduled Report Delivery — ReportSchedule model + job + mail    | ✅     |
-| 25    | Health Checks & Metrics — /api/v1/health + /api/v1/metrics       | ✅     |
-| 26    | Dashboard Widgets — per-user customizable widget layout          | ✅     |
-| 27    | Email Template Management — CRUD + variable preview              | ✅     |
-| 28    | Tenant Feature Flags — per-tenant feature toggle system          | ✅     |
-| 29    | User Preferences — timezone, locale, UI density, etc.            | ✅     |
-| 30    | Activity Feed API — filterable event stream from audit logs      | ✅     |
-| 31    | Unified Calendar API — tasks, leaves, events, invoices           | ✅     |
-| 32    | Financial Forecasting — revenue + cash-flow projections          | ✅     |
-| 33    | Smart Alert Rules — threshold monitoring + notifications         | ✅     |
-| 34    | Budget Management REST API — CRUD + activate + variance          | ✅     |
-| 35    | Customer Credit Limits — per-contact limits, hold, check API     | ✅     |
-| 36    | Product Variants REST API — attributes, variants, matrix view    | ✅     |
-| 37    | Webhook Management REST API — CRUD, delivery log, ping, HMAC     | ✅     |
-| 38    | API Token Management — named tokens with abilities and expiry    | ✅     |
-| 39    | Inventory Reorder Suggestions — deficit calc + urgency levels    | ✅     |
-| 40    | HR Leave Balance API — allocation, team view, year filters       | ✅     |
-| 41    | CRM Pipeline Analytics — funnel, win rate, velocity, leaderboard | ✅     |
-| 42    | Project Time Tracking API — log hours, project summaries by user | ✅     |
+| Phase | Description                                                       | Status |
+| ----- | ----------------------------------------------------------------- | ------ |
+| 1–8   | Core modules, models, migrations, seeders, Inertia pages          | ✅     |
+| 9     | REST API — 200+ endpoints across 40 modules                       | ✅     |
+| 10    | Demo data seeders for all 35 modules                              | ✅     |
+| 11    | WebSockets — Laravel Reverb + Echo                                | ✅     |
+| 12    | Queue jobs — invoice, low stock, payroll, bulk import             | ✅     |
+| 13    | Mail notifications — invoice, low stock, payroll, approval        | ✅     |
+| 14    | PDF generation — invoices, purchase orders, payslips              | ✅     |
+| 15    | Import/Export — CSV/XLSX for products, contacts, invoices         | ✅     |
+| 16    | Dashboard analytics — module stats + activity feed                | ✅     |
+| 17    | Tenant isolation tests — 22 cross-tenant security tests           | ✅     |
+| 18    | API rate limiting (60/min) + security headers                     | ✅     |
+| 19    | Global search — 7 modules, frontend component                     | ✅     |
+| 20    | Audit log — migration, trait, observer, API endpoint              | ✅     |
+| 21    | GitHub Actions CI/CD — PHP tests + TS check + ESLint              | ✅     |
+| 22    | Reports API — financial/inventory/HR + CLAUDE.md                  | ✅     |
+| 23    | In-app notifications — DB model, API, frontend bell               | ✅     |
+| 24    | Scheduled Report Delivery — ReportSchedule model + job + mail     | ✅     |
+| 25    | Health Checks & Metrics — /api/v1/health + /api/v1/metrics        | ✅     |
+| 26    | Dashboard Widgets — per-user customizable widget layout           | ✅     |
+| 27    | Email Template Management — CRUD + variable preview               | ✅     |
+| 28    | Tenant Feature Flags — per-tenant feature toggle system           | ✅     |
+| 29    | User Preferences — timezone, locale, UI density, etc.             | ✅     |
+| 30    | Activity Feed API — filterable event stream from audit logs       | ✅     |
+| 31    | Unified Calendar API — tasks, leaves, events, invoices            | ✅     |
+| 32    | Financial Forecasting — revenue + cash-flow projections           | ✅     |
+| 33    | Smart Alert Rules — threshold monitoring + notifications          | ✅     |
+| 34    | Budget Management REST API — CRUD + activate + variance           | ✅     |
+| 35    | Customer Credit Limits — per-contact limits, hold, check API      | ✅     |
+| 36    | Product Variants REST API — attributes, variants, matrix view     | ✅     |
+| 37    | Webhook Management REST API — CRUD, delivery log, ping, HMAC      | ✅     |
+| 38    | API Token Management — named tokens with abilities and expiry     | ✅     |
+| 39    | Inventory Reorder Suggestions — deficit calc + urgency levels     | ✅     |
+| 40    | HR Leave Balance API — allocation, team view, year filters        | ✅     |
+| 41    | CRM Pipeline Analytics — funnel, win rate, velocity, leaderboard  | ✅     |
+| 42    | Project Time Tracking API — log hours, project summaries by user  | ✅     |
+| 43    | Expense Claim Workflow API — submit, approve, reject, paid states | ✅     |
 
 ## File Locations Reference
 

erp/app/Http/Controllers/Api/V1/ExpenseClaimApiController.php

@@ -0,0 +1,108 @@
+<?php
+
+namespace App\Http\Controllers\Api\V1;
+
+use App\Modules\HR\Models\ExpenseClaim;
+use App\Modules\HR\Models\ExpenseClaimItem;
+use Illuminate\Http\JsonResponse;
+use Illuminate\Http\Request;
+
+class ExpenseClaimApiController extends ApiController
+{
+    public function index(Request $request): JsonResponse
+    {
+        $tenantId = $this->tenantId($request);
+
+        $claims = ExpenseClaim::where('tenant_id', $tenantId)
+            ->when($request->status, fn ($q) => $q->where('status', $request->status))
+            ->when($request->employee_id, fn ($q) => $q->where('employee_id', $request->employee_id))
+            ->with(['employee:id,first_name,last_name'])
+            ->orderByDesc('created_at')
+            ->paginate(20);
+
+        return $this->paginated($claims);
+    }
+
+    public function store(Request $request): JsonResponse
+    {
+        $tenantId = $this->tenantId($request);
+
+        $data = $request->validate([
+            'employee_id' => ['required', 'exists:employees,id'],
+            'title'       => ['required', 'string', 'max:255'],
+            'description' => ['nullable', 'string'],
+            'notes'       => ['nullable', 'string'],
+            'items'       => ['required', 'array', 'min:1'],
+            'items.*.category'     => ['required', 'string', 'max:50'],
+            'items.*.description'  => ['required', 'string'],
+            'items.*.amount'       => ['required', 'numeric', 'min:0.01'],
+            'items.*.expense_date' => ['required', 'date'],
+        ]);
+
+        $claim = ExpenseClaim::create([
+            'tenant_id'   => $tenantId,
+            'employee_id' => $data['employee_id'],
+            'title'       => $data['title'],
+            'description' => $data['description'] ?? null,
+            'notes'       => $data['notes'] ?? null,
+            'status'      => 'draft',
+            'total_amount' => 0,
+        ]);
+
+        foreach ($data['items'] as $item) {
+            ExpenseClaimItem::create([
+                'tenant_id'       => $tenantId,
+                'expense_claim_id' => $claim->id,
+                ...$item,
+            ]);
+        }
+
+        $claim->recalculateTotal();
+
+        return $this->success($claim->load('items'), 201);
+    }
+
+    public function show(ExpenseClaim $expenseClaim): JsonResponse
+    {
+        return $this->success($expenseClaim->load(['items', 'employee:id,first_name,last_name', 'approvedBy:id,name']));
+    }
+
+    public function submit(ExpenseClaim $expenseClaim): JsonResponse
+    {
+        $expenseClaim->submit();
+        return $this->success($expenseClaim->fresh());
+    }
+
+    public function approve(Request $request, ExpenseClaim $expenseClaim): JsonResponse
+    {
+        $expenseClaim->approve($request->user());
+        return $this->success($expenseClaim->fresh());
+    }
+
+    public function reject(Request $request, ExpenseClaim $expenseClaim): JsonResponse
+    {
+        $data = $request->validate([
+            'reason' => ['required', 'string', 'max:500'],
+        ]);
+
+        $expenseClaim->reject($data['reason']);
+        return $this->success($expenseClaim->fresh());
+    }
+
+    public function markPaid(ExpenseClaim $expenseClaim): JsonResponse
+    {
+        $expenseClaim->markPaid();
+        return $this->success($expenseClaim->fresh());
+    }
+
+    public function destroy(ExpenseClaim $expenseClaim): JsonResponse
+    {
+        $expenseClaim->delete();
+        return $this->success(['message' => 'Expense claim deleted.']);
+    }
+
+    private function tenantId(Request $request): int
+    {
+        return app()->has('tenant') ? app('tenant')->id : $request->user()->tenant_id;
+    }
+}

erp/routes/api.php

@@ -448,6 +448,18 @@
         });
         Route::get('products/{product}/matrix', [\App\Http\Controllers\Api\V1\ProductVariantController::class, 'matrix']);
 
+        // Expense Claims Workflow
+        Route::prefix('expense-claims')->group(function () {
+            Route::get('/',                          [\App\Http\Controllers\Api\V1\ExpenseClaimApiController::class, 'index']);
+            Route::post('/',                         [\App\Http\Controllers\Api\V1\ExpenseClaimApiController::class, 'store']);
+            Route::get('/{expenseClaim}',            [\App\Http\Controllers\Api\V1\ExpenseClaimApiController::class, 'show']);
+            Route::delete('/{expenseClaim}',         [\App\Http\Controllers\Api\V1\ExpenseClaimApiController::class, 'destroy']);
+            Route::post('/{expenseClaim}/submit',    [\App\Http\Controllers\Api\V1\ExpenseClaimApiController::class, 'submit']);
+            Route::post('/{expenseClaim}/approve',   [\App\Http\Controllers\Api\V1\ExpenseClaimApiController::class, 'approve']);
+            Route::post('/{expenseClaim}/reject',    [\App\Http\Controllers\Api\V1\ExpenseClaimApiController::class, 'reject']);
+            Route::post('/{expenseClaim}/mark-paid', [\App\Http\Controllers\Api\V1\ExpenseClaimApiController::class, 'markPaid']);
+        });
+
         // Time Tracking
         Route::prefix('time-entries')->group(function () {
             Route::get('/',                  [\App\Http\Controllers\Api\V1\TimeTrackingController::class, 'index']);

erp/tests/Feature/HR/ExpenseClaimApiTest.php

@@ -0,0 +1,155 @@
+<?php
+
+use App\Models\User;
+use App\Modules\Core\Models\Tenant;
+use App\Modules\HR\Models\Employee;
+use App\Modules\HR\Models\ExpenseClaim;
+use App\Modules\HR\Models\ExpenseClaimItem;
+use Database\Seeders\RolePermissionSeeder;
+
+beforeEach(function () {
+    $this->seed(RolePermissionSeeder::class);
+    $this->tenant = Tenant::create(['name' => 'Expense Co', 'slug' => 'expense-co-' . uniqid()]);
+    $this->user   = User::factory()->create(['tenant_id' => $this->tenant->id]);
+    $this->user->assignRole('super-admin');
+    $this->token  = $this->user->createToken('test')->plainTextToken;
+    app()->instance('tenant', $this->tenant);
+
+    $this->employee = Employee::create([
+        'tenant_id'       => $this->tenant->id,
+        'first_name'      => 'Alice',
+        'last_name'       => 'Smith',
+        'employee_number' => 'EMP-EXP-' . uniqid(),
+        'email'           => 'alice-exp-' . uniqid() . '@example.com',
+        'position'        => 'Developer',
+        'status'          => 'active',
+        'hire_date'       => now()->subYear()->toDateString(),
+    ]);
+});
+
+function makeExpenseClaim(array $attrs = []): ExpenseClaim
+{
+    $claim = ExpenseClaim::create([
+        'tenant_id'    => test()->tenant->id,
+        'employee_id'  => test()->employee->id,
+        'title'        => 'Business Travel',
+        'status'       => 'draft',
+        'total_amount' => 0,
+        ...$attrs,
+    ]);
+
+    ExpenseClaimItem::create([
+        'tenant_id'       => test()->tenant->id,
+        'expense_claim_id' => $claim->id,
+        'category'        => 'travel',
+        'description'     => 'Flight ticket',
+        'amount'          => 250.00,
+        'expense_date'    => now()->toDateString(),
+    ]);
+
+    $claim->recalculateTotal();
+    return $claim;
+}
+
+test('can list expense claims', function () {
+    makeExpenseClaim();
+
+    $this->withToken($this->token)
+        ->getJson('/api/v1/expense-claims')
+        ->assertStatus(200);
+});
+
+test('can create an expense claim with items', function () {
+    $this->withToken($this->token)
+        ->postJson('/api/v1/expense-claims', [
+            'employee_id' => $this->employee->id,
+            'title'       => 'Conference Trip',
+            'items'       => [
+                [
+                    'category'     => 'travel',
+                    'description'  => 'Airfare',
+                    'amount'       => 400.00,
+                    'expense_date' => now()->toDateString(),
+                ],
+                [
+                    'category'     => 'accommodation',
+                    'description'  => 'Hotel 2 nights',
+                    'amount'       => 200.00,
+                    'expense_date' => now()->toDateString(),
+                ],
+            ],
+        ])
+        ->assertStatus(201);
+
+    expect(ExpenseClaim::where('title', 'Conference Trip')->exists())->toBeTrue();
+    $claim = ExpenseClaim::where('title', 'Conference Trip')->first();
+    expect((float) $claim->total_amount)->toBe(600.0);
+});
+
+test('can submit an expense claim', function () {
+    $claim = makeExpenseClaim();
+
+    $this->withToken($this->token)
+        ->postJson("/api/v1/expense-claims/{$claim->id}/submit")
+        ->assertStatus(200);
+
+    expect($claim->fresh()->status)->toBe('submitted');
+});
+
+test('can approve an expense claim', function () {
+    $claim = makeExpenseClaim(['status' => 'submitted']);
+
+    $this->withToken($this->token)
+        ->postJson("/api/v1/expense-claims/{$claim->id}/approve")
+        ->assertStatus(200);
+
+    $fresh = $claim->fresh();
+    expect($fresh->status)->toBe('approved');
+    expect($fresh->approved_by)->toBe($this->user->id);
+});
+
+test('can reject with reason', function () {
+    $claim = makeExpenseClaim(['status' => 'submitted']);
+
+    $this->withToken($this->token)
+        ->postJson("/api/v1/expense-claims/{$claim->id}/reject", [
+            'reason' => 'Missing receipts',
+        ])
+        ->assertStatus(200);
+
+    $fresh = $claim->fresh();
+    expect($fresh->status)->toBe('rejected');
+    expect($fresh->rejection_reason)->toBe('Missing receipts');
+});
+
+test('reject requires reason', function () {
+    $claim = makeExpenseClaim(['status' => 'submitted']);
+
+    $this->withToken($this->token)
+        ->postJson("/api/v1/expense-claims/{$claim->id}/reject", [])
+        ->assertStatus(422)
+        ->assertJsonValidationErrors(['reason']);
+});
+
+test('can mark expense claim as paid', function () {
+    $claim = makeExpenseClaim(['status' => 'approved']);
+
+    $this->withToken($this->token)
+        ->postJson("/api/v1/expense-claims/{$claim->id}/mark-paid")
+        ->assertStatus(200)
+        ->assertJsonPath('data.status', 'paid');
+});
+
+test('can soft delete an expense claim', function () {
+    $claim = makeExpenseClaim();
+
+    $this->withToken($this->token)
+        ->deleteJson("/api/v1/expense-claims/{$claim->id}")
+        ->assertStatus(200);
+
+    expect(ExpenseClaim::withTrashed()->find($claim->id)?->deleted_at)->not->toBeNull();
+});
+
+test('requires authentication', function () {
+    $this->getJson('/api/v1/expense-claims')->assertStatus(401);
+});