feat(phase-42): project time tracking API with billable hours summary

- TimeTrackingController: list/create/update/delete time entries
- Project summary: total/billable/non-billable hours breakdown by user
- Filters: user_id, date from/to, is_billable
- Routes: /time-entries CRUD, GET /projects/{project}/time
- 8 feature tests covering logging, filtering, and project summaries

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01RdUGwo74JXChRCF88Yu27d

Author: claude

CLAUDE.md

@@ -173,6 +173,7 @@ beforeEach(function () {
 | 39    | Inventory Reorder Suggestions — deficit calc + urgency levels    | ✅     |
 | 40    | HR Leave Balance API — allocation, team view, year filters       | ✅     |
 | 41    | CRM Pipeline Analytics — funnel, win rate, velocity, leaderboard | ✅     |
+| 42    | Project Time Tracking API — log hours, project summaries by user | ✅     |
 
 ## File Locations Reference
 

erp/app/Http/Controllers/Api/V1/TimeTrackingController.php

@@ -0,0 +1,107 @@
+<?php
+
+namespace App\Http\Controllers\Api\V1;
+
+use App\Modules\PM\Models\Project;
+use App\Modules\PM\Models\Task;
+use App\Modules\PM\Models\TimeEntry;
+use Illuminate\Http\JsonResponse;
+use Illuminate\Http\Request;
+
+class TimeTrackingController extends ApiController
+{
+    public function index(Request $request): JsonResponse
+    {
+        $tenantId = $this->tenantId($request);
+
+        $entries = TimeEntry::where('tenant_id', $tenantId)
+            ->when($request->user_id, fn ($q) => $q->where('user_id', $request->user_id))
+            ->when($request->from, fn ($q) => $q->whereDate('date', '>=', $request->from))
+            ->when($request->to, fn ($q) => $q->whereDate('date', '<=', $request->to))
+            ->when($request->is_billable !== null, fn ($q) => $q->where('is_billable', $request->boolean('is_billable')))
+            ->with(['user:id,name', 'task:id,name,project_id'])
+            ->orderByDesc('date')
+            ->paginate(25);
+
+        return $this->paginated($entries);
+    }
+
+    public function store(Request $request): JsonResponse
+    {
+        $tenantId = $this->tenantId($request);
+
+        $data = $request->validate([
+            'task_id'     => ['required', 'exists:tasks,id'],
+            'hours'       => ['required', 'numeric', 'min:0.1', 'max:24'],
+            'date'        => ['required', 'date'],
+            'description' => ['nullable', 'string', 'max:500'],
+            'is_billable' => ['sometimes', 'boolean'],
+        ]);
+
+        $entry = TimeEntry::create([
+            ...$data,
+            'tenant_id'  => $tenantId,
+            'user_id'    => $request->user()->id,
+            'created_by' => $request->user()->id,
+        ]);
+
+        return $this->success($entry->load('task:id,name,project_id'), 201);
+    }
+
+    public function update(Request $request, TimeEntry $timeEntry): JsonResponse
+    {
+        $data = $request->validate([
+            'hours'       => ['sometimes', 'numeric', 'min:0.1', 'max:24'],
+            'date'        => ['sometimes', 'date'],
+            'description' => ['nullable', 'string', 'max:500'],
+            'is_billable' => ['sometimes', 'boolean'],
+        ]);
+
+        $timeEntry->update($data);
+        return $this->success($timeEntry->fresh());
+    }
+
+    public function destroy(TimeEntry $timeEntry): JsonResponse
+    {
+        $timeEntry->delete();
+        return $this->success(['message' => 'Time entry deleted.']);
+    }
+
+    public function projectSummary(Request $request, Project $project): JsonResponse
+    {
+        $from     = $request->get('from', now()->startOfMonth()->toDateString());
+        $to       = $request->get('to', now()->toDateString());
+
+        $entries = $project->timeEntries()
+            ->whereDate('date', '>=', $from)
+            ->whereDate('date', '<=', $to)
+            ->with('user:id,name')
+            ->get();
+
+        $totalHours    = $entries->sum('hours');
+        $billableHours = $entries->where('is_billable', true)->sum('hours');
+
+        $byUser = $entries->groupBy('user_id')->map(fn ($group) => [
+            'user_id'        => $group->first()->user_id,
+            'name'           => $group->first()->user?->name ?? 'Unknown',
+            'total_hours'    => round($group->sum('hours'), 2),
+            'billable_hours' => round($group->where('is_billable', true)->sum('hours'), 2),
+        ])->values();
+
+        return $this->success([
+            'project_id'      => $project->id,
+            'project_name'    => $project->name,
+            'period'          => ['from' => $from, 'to' => $to],
+            'total_hours'     => round($totalHours, 2),
+            'billable_hours'  => round($billableHours, 2),
+            'non_billable'    => round($totalHours - $billableHours, 2),
+            'entries_count'   => $entries->count(),
+            'by_user'         => $byUser,
+        ]);
+    }
+
+    private function tenantId(Request $request): int
+    {
+        return app()->has('tenant') ? app('tenant')->id : $request->user()->tenant_id;
+    }
+}

erp/routes/api.php

@@ -448,6 +448,15 @@
         });
         Route::get('products/{product}/matrix', [\App\Http\Controllers\Api\V1\ProductVariantController::class, 'matrix']);
 
+        // Time Tracking
+        Route::prefix('time-entries')->group(function () {
+            Route::get('/',                  [\App\Http\Controllers\Api\V1\TimeTrackingController::class, 'index']);
+            Route::post('/',                 [\App\Http\Controllers\Api\V1\TimeTrackingController::class, 'store']);
+            Route::put('/{timeEntry}',       [\App\Http\Controllers\Api\V1\TimeTrackingController::class, 'update']);
+            Route::delete('/{timeEntry}',    [\App\Http\Controllers\Api\V1\TimeTrackingController::class, 'destroy']);
+        });
+        Route::get('projects/{project}/time', [\App\Http\Controllers\Api\V1\TimeTrackingController::class, 'projectSummary']);
+
         // CRM Pipeline Analytics
         Route::prefix('crm/pipeline')->group(function () {
             Route::get('/funnel',      [\App\Http\Controllers\Api\V1\CrmPipelineController::class, 'funnel']);

erp/tests/Feature/PM/TimeTrackingApiTest.php

@@ -0,0 +1,160 @@
+<?php
+
+use App\Models\User;
+use App\Modules\Core\Models\Tenant;
+use App\Modules\PM\Models\Project;
+use App\Modules\PM\Models\Task;
+use App\Modules\PM\Models\TimeEntry;
+use Database\Seeders\RolePermissionSeeder;
+
+beforeEach(function () {
+    $this->seed(RolePermissionSeeder::class);
+    $this->tenant = Tenant::create(['name' => 'Time Track Co', 'slug' => 'time-track-' . uniqid()]);
+    $this->user   = User::factory()->create(['tenant_id' => $this->tenant->id]);
+    $this->user->assignRole('super-admin');
+    $this->token  = $this->user->createToken('test')->plainTextToken;
+    app()->instance('tenant', $this->tenant);
+
+    $this->project = Project::create([
+        'tenant_id'  => $this->tenant->id,
+        'name'       => 'Test Project',
+        'status'     => 'active',
+        'created_by' => $this->user->id,
+    ]);
+
+    $this->task = Task::create([
+        'tenant_id'  => $this->tenant->id,
+        'project_id' => $this->project->id,
+        'title'      => 'Test Task',
+        'status'     => 'in_progress',
+        'created_by' => $this->user->id,
+    ]);
+});
+
+test('can list time entries', function () {
+    TimeEntry::create([
+        'tenant_id'  => $this->tenant->id,
+        'task_id'    => $this->task->id,
+        'user_id'    => $this->user->id,
+        'hours'      => 2.5,
+        'date'       => now()->toDateString(),
+        'is_billable' => true,
+        'created_by' => $this->user->id,
+    ]);
+
+    $this->withToken($this->token)
+        ->getJson('/api/v1/time-entries')
+        ->assertStatus(200);
+});
+
+test('can create a time entry', function () {
+    $this->withToken($this->token)
+        ->postJson('/api/v1/time-entries', [
+            'task_id'    => $this->task->id,
+            'hours'      => 3.0,
+            'date'       => now()->toDateString(),
+            'description' => 'Working on feature X',
+        ])
+        ->assertStatus(201);
+
+    expect(TimeEntry::where('task_id', $this->task->id)->exists())->toBeTrue();
+});
+
+test('store validates hours range', function () {
+    $this->withToken($this->token)
+        ->postJson('/api/v1/time-entries', [
+            'task_id' => $this->task->id,
+            'hours'   => 25,
+            'date'    => now()->toDateString(),
+        ])
+        ->assertStatus(422)
+        ->assertJsonValidationErrors(['hours']);
+});
+
+test('can update a time entry', function () {
+    $entry = TimeEntry::create([
+        'tenant_id'  => $this->tenant->id,
+        'task_id'    => $this->task->id,
+        'user_id'    => $this->user->id,
+        'hours'      => 1.0,
+        'date'       => now()->toDateString(),
+        'created_by' => $this->user->id,
+    ]);
+
+    $this->withToken($this->token)
+        ->putJson("/api/v1/time-entries/{$entry->id}", ['hours' => 2.5])
+        ->assertStatus(200)
+        ->assertJsonPath('data.hours', 2.5);
+});
+
+test('can delete a time entry', function () {
+    $entry = TimeEntry::create([
+        'tenant_id'  => $this->tenant->id,
+        'task_id'    => $this->task->id,
+        'user_id'    => $this->user->id,
+        'hours'      => 1.0,
+        'date'       => now()->toDateString(),
+        'created_by' => $this->user->id,
+    ]);
+
+    $this->withToken($this->token)
+        ->deleteJson("/api/v1/time-entries/{$entry->id}")
+        ->assertStatus(200);
+
+    expect(TimeEntry::find($entry->id))->toBeNull();
+});
+
+test('project time summary returns hours breakdown', function () {
+    TimeEntry::create([
+        'tenant_id'   => $this->tenant->id,
+        'task_id'     => $this->task->id,
+        'user_id'     => $this->user->id,
+        'hours'       => 4.0,
+        'date'        => now()->toDateString(),
+        'is_billable' => true,
+        'created_by'  => $this->user->id,
+    ]);
+
+    TimeEntry::create([
+        'tenant_id'   => $this->tenant->id,
+        'task_id'     => $this->task->id,
+        'user_id'     => $this->user->id,
+        'hours'       => 1.0,
+        'date'        => now()->toDateString(),
+        'is_billable' => false,
+        'created_by'  => $this->user->id,
+    ]);
+
+    $response = $this->withToken($this->token)
+        ->getJson("/api/v1/projects/{$this->project->id}/time")
+        ->assertStatus(200)
+        ->assertJsonStructure(['data' => ['project_id', 'total_hours', 'billable_hours', 'by_user']]);
+
+    expect($response->json('data.total_hours'))->toBe(5);
+    expect($response->json('data.billable_hours'))->toBe(4);
+});
+
+test('time list supports user filter', function () {
+    $other = User::factory()->create(['tenant_id' => $this->tenant->id]);
+
+    TimeEntry::create([
+        'tenant_id'  => $this->tenant->id,
+        'task_id'    => $this->task->id,
+        'user_id'    => $other->id,
+        'hours'      => 2.0,
+        'date'       => now()->toDateString(),
+        'created_by' => $this->user->id,
+    ]);
+
+    $response = $this->withToken($this->token)
+        ->getJson("/api/v1/time-entries?user_id={$this->user->id}")
+        ->assertStatus(200);
+
+    $entries = $response->json('data');
+    $userIds = collect($entries)->pluck('user_id')->unique()->values();
+    expect($userIds)->not->toContain($other->id);
+});
+
+test('requires authentication', function () {
+    $this->getJson('/api/v1/time-entries')->assertStatus(401);
+});