---
phase: 01-database-schema-backend-api
plan: 02
type: execute
wave: 2
depends_on: ["01-01"]
files_modified:
  - app/Http/Controllers/Admin/MemberNoteController.php
  - app/Http/Requests/StoreNoteRequest.php
  - routes/web.php
  - app/Http/Controllers/AdminMemberController.php
  - tests/Feature/Admin/MemberNoteTest.php
autonomous: true

must_haves:
  truths:
    - "Admin can create a note for a member via POST /admin/members/{member}/notes with text content"
    - "Admin can retrieve all notes for a member via GET /admin/members/{member}/notes with author names and timestamps"
    - "Member list at /admin/members shows accurate note count per member without N+1 queries"
    - "Note creation is wrapped in DB::transaction with AuditLogger::log call"
    - "Non-admin users receive 403 when attempting to create notes"
    - "Feature tests pass covering CRUD, authorization, audit logging, and N+1 prevention"
  artifacts:
    - path: "app/Http/Controllers/Admin/MemberNoteController.php"
      provides: "Note store and index endpoints"
      exports: ["MemberNoteController"]
      min_lines: 30
    - path: "app/Http/Requests/StoreNoteRequest.php"
      provides: "Validation for note creation with Traditional Chinese error messages"
      exports: ["StoreNoteRequest"]
      min_lines: 15
    - path: "routes/web.php"
      provides: "Admin routes for member notes (store + index)"
      contains: "members.notes"
    - path: "app/Http/Controllers/AdminMemberController.php"
      provides: "withCount('notes') added to member list query"
      contains: "withCount"
    - path: "tests/Feature/Admin/MemberNoteTest.php"
      provides: "Feature tests for note creation, retrieval, auth, audit, N+1"
      min_lines: 80
  key_links:
    - from: "app/Http/Controllers/Admin/MemberNoteController.php"
      to: "app/Models/Note.php"
      via: "Creates notes via Member morphMany relationship"
      pattern: "notes\\(\\)->create"
    - from: "app/Http/Controllers/Admin/MemberNoteController.php"
      to: "app/Support/AuditLogger.php"
      via: "Logs note creation in audit trail"
      pattern: "AuditLogger::log.*note\\.created"
    - from: "app/Http/Controllers/AdminMemberController.php"
      to: "app/Models/Note.php"
      via: "withCount('notes') for N+1 prevention"
      pattern: "withCount.*notes"
    - from: "routes/web.php"
      to: "app/Http/Controllers/Admin/MemberNoteController.php"
      via: "Route registration for store and index"
      pattern: "MemberNoteController"
---

<objective>
Create the backend API endpoints for member notes: controller with store/index actions, form request validation, route registration, member list note count integration, and comprehensive feature tests.

Purpose: Provides the backend API that Phase 2 (inline UI) will consume. After this plan, notes can be created and retrieved via HTTP endpoints, and the member list shows note counts.
Output: Working POST/GET endpoints for member notes, StoreNoteRequest validation, note count on member list, feature tests.
</objective>

<execution_context>
@/Users/gbanyan/.claude/get-shit-done/workflows/execute-plan.md
@/Users/gbanyan/.claude/get-shit-done/templates/summary.md
</execution_context>

<context>
@.planning/PROJECT.md
@.planning/ROADMAP.md
@.planning/STATE.md
@.planning/phases/01-database-schema-backend-api/01-RESEARCH.md
@.planning/phases/01-database-schema-backend-api/01-01-SUMMARY.md

@app/Http/Controllers/AdminMemberController.php
@app/Http/Controllers/Admin/ArticleController.php
@app/Http/Requests/StoreMemberRequest.php
@app/Support/AuditLogger.php
@routes/web.php
@tests/Feature/MemberRegistrationTest.php
</context>

<tasks>

<task type="auto">
  <name>Task 1: Create MemberNoteController, StoreNoteRequest, and register routes</name>
  <files>
    app/Http/Controllers/Admin/MemberNoteController.php
    app/Http/Requests/StoreNoteRequest.php
    routes/web.php
  </files>
  <action>
    Create `app/Http/Requests/StoreNoteRequest.php`:
    - `authorize()` returns true (authorization is handled by the admin middleware on the route group; this matches the pattern where controllers in the admin route group rely on the middleware, not Form Request authorization)
    - `rules()`: content => 'required|string|min:1|max:65535'
    - `messages()`: Traditional Chinese error messages — 'content.required' => '備忘錄內容為必填欄位', 'content.min' => '備忘錄內容不可為空白'

    Create `app/Http/Controllers/Admin/MemberNoteController.php`:
    - Namespace: `App\Http\Controllers\Admin` (matches ArticleController pattern in Admin namespace)
    - Extends `App\Http\Controllers\Controller`

    **`index(Member $member)` method:**
    - Load notes with author: `$member->notes()->with('author')->get()`
    - Return JSON response: `response()->json(['notes' => $notes])` — This returns JSON because Phase 2 will consume it via AJAX/Axios from Alpine.js. This is NOT a public API endpoint; it's an admin endpoint returning JSON for inline UI consumption.
    - Each note in the response should include: id, content, created_at, author (with name)

    **`store(StoreNoteRequest $request, Member $member)` method:**
    - Wrap in `DB::transaction()` closure
    - Create note: `$member->notes()->create(['content' => $request->content, 'author_user_id' => $request->user()->id])`
    - Audit log: `AuditLogger::log('note.created', $note, ['member_id' => $member->id, 'member_name' => $member->full_name, 'author' => $request->user()->name])`
    - Return JSON: `response()->json(['note' => $note->load('author'), 'message' => '備忘錄已新增'], 201)` — JSON response for AJAX consumption in Phase 2

    In `routes/web.php`:
    - Inside the existing `Route::middleware(['auth', 'admin'])->prefix('admin')->name('admin.')->group(...)` block
    - Add these routes near the existing member routes (after line ~139 where member payment routes end):
    ```php
    // Member Notes (會員備忘錄)
    Route::get('/members/{member}/notes', [MemberNoteController::class, 'index'])->name('members.notes.index');
    Route::post('/members/{member}/notes', [MemberNoteController::class, 'store'])->name('members.notes.store');
    ```
    - Add the import at the top of web.php: `use App\Http\Controllers\Admin\MemberNoteController;`
  </action>
  <verify>
    Run `php artisan route:list --name=members.notes` and confirm both routes appear:
    - GET /admin/members/{member}/notes → admin.members.notes.index
    - POST /admin/members/{member}/notes → admin.members.notes.store
  </verify>
  <done>
    MemberNoteController exists with store() (JSON response, DB::transaction, AuditLogger) and index() (JSON with notes + author) methods. StoreNoteRequest validates content field with Traditional Chinese messages. Routes registered as admin.members.notes.store and admin.members.notes.index.
  </done>
</task>

<task type="auto">
  <name>Task 2: Add withCount to member list and create feature tests</name>
  <files>
    app/Http/Controllers/AdminMemberController.php
    tests/Feature/Admin/MemberNoteTest.php
  </files>
  <action>
    In `app/Http/Controllers/AdminMemberController.php`:
    - In the `index()` method, change line 18 from `$query = Member::query()->with('user');` to `$query = Member::query()->with('user')->withCount('notes');`
    - This adds a `notes_count` attribute to each member via a single subquery (no N+1)
    - The Blade view can access `$member->notes_count` — Phase 2 will use this for the badge

    Create `tests/Feature/Admin/MemberNoteTest.php`:
    - Namespace: `Tests\Feature\Admin`
    - Use `RefreshDatabase` trait
    - `setUp()`: seed roles via `$this->artisan('db:seed', ['--class' => 'RoleSeeder']);`
    - Create admin user helper: `$admin = User::factory()->create(); $admin->assignRole('admin');`

    **Test cases (minimum required):**

    1. `test_admin_can_create_note_for_member()`:
       - Create admin user, create member
       - POST to `route('admin.members.notes.store', $member)` with `['content' => 'Test note content']`
       - Assert 201 status
       - Assert response JSON has note with content and author
       - Assert `assertDatabaseHas('notes', ['notable_type' => 'member', 'notable_id' => $member->id, 'content' => 'Test note content', 'author_user_id' => $admin->id])`

    2. `test_admin_can_retrieve_notes_for_member()`:
       - Create admin, member, and 3 notes using NoteFactory::forMember($member)->byAuthor($admin)
       - GET `route('admin.members.notes.index', $member)`
       - Assert 200 status
       - Assert response JSON has 'notes' array with 3 items
       - Assert each note has 'content', 'created_at', and 'author.name' keys

    3. `test_note_creation_requires_content()`:
       - POST with empty content
       - Assert 422 status (validation error)
       - Assert response JSON has errors for 'content' field

    4. `test_note_creation_logs_audit_trail()`:
       - Create note via POST
       - Assert `assertDatabaseHas('audit_logs', ['action' => 'note.created'])` with metadata containing member_id

    5. `test_non_admin_cannot_create_note()`:
       - Create regular user (no admin role, no permissions)
       - POST to create note
       - Assert 403 status

    6. `test_member_list_includes_notes_count()`:
       - Create admin, create 2 members
       - Create 3 notes for member 1, 0 notes for member 2
       - GET `route('admin.members.index')`
       - Assert 200 status
       - Assert view has 'members' data
       - Assert first member has notes_count attribute (verify it's 3 or 0 as expected)

    7. `test_notes_returned_newest_first()`:
       - Create member with 3 notes at different timestamps (use `created_at` overrides in factory)
       - GET index endpoint
       - Assert first note in response has the most recent created_at

    Follow existing test patterns from MemberRegistrationTest.php and CashierLedgerWorkflowTest.php.
  </action>
  <verify>
    Run `php artisan test --filter=MemberNoteTest` and confirm all 7 tests pass.
    Run `php artisan test` to confirm no existing tests are broken by the changes.
  </verify>
  <done>
    AdminMemberController index() includes withCount('notes') for N+1 prevention. MemberNoteTest.php has 7 passing feature tests covering: note creation, retrieval, validation, audit logging, authorization, member list note count, and chronological ordering. All existing tests still pass.
  </done>
</task>

</tasks>

<verification>
1. Run `php artisan test --filter=MemberNoteTest` — all 7 tests pass
2. Run `php artisan test` — no regressions in existing tests
3. Run `php artisan route:list --name=members.notes` — both routes (GET index, POST store) visible
4. Manual verification with tinker:
```php
// Create a note via the relationship
$admin = User::where('email', 'admin@test.com')->first();
$member = Member::first();
$note = $member->notes()->create(['content' => 'Manual test', 'author_user_id' => $admin->id]);
echo $note->notable_type; // Should print 'member' (not App\Models\Member)
echo $note->author->name; // Should print admin name

// Verify withCount works
$members = Member::withCount('notes')->get();
echo $members->first()->notes_count; // Should print integer
```
</verification>

<success_criteria>
1. POST /admin/members/{member}/notes creates a note and returns 201 JSON with note + author data
2. GET /admin/members/{member}/notes returns JSON array of notes with author names and timestamps
3. Note creation wrapped in DB::transaction with AuditLogger::log('note.created', ...)
4. StoreNoteRequest validates content (required, string, min:1) with Traditional Chinese messages
5. AdminMemberController index uses withCount('notes') — notes_count available on each member
6. All 7 feature tests pass
7. No regressions in existing test suite
</success_criteria>

<output>
After completion, create `.planning/phases/01-database-schema-backend-api/01-02-SUMMARY.md`
</output>