# Entries CRUD Plan

## Focus
Implement entry CRUD (list/create/update/delete) scoped to active group. Ensure list endpoints never return receipt bytes.

## Goals
- Create, read, update, delete entries for active group only.
- Enforce server-side membership/authorization.
- Keep receipt bytes out of list responses.

## Planned changes
### Backend
Routes:
- `GET /api/entries` (list for active group)
- `POST /api/entries` (create)
- `PATCH /api/entries/:id` (update)
- `DELETE /api/entries/:id` (delete)

Helpers:
- `requireActiveGroup(userId)`
- `requireGroupMember(userId, groupId)`

### Frontend
- Basic entries list + create form on dashboard.

### Tests
- API tests for create/list/update/delete with group scoping.

## Files impacted
- `apps/web/app/api/entries/*`
- `apps/web/lib/server/entries.ts`
- `apps/web/lib/client/entries.ts`
- `apps/web/features/entries/hooks/use-entries.ts`
- `apps/web/features/entries/components/entries-panel.tsx`
- `apps/web/app/page.tsx`
- `apps/web/__tests__/entries.test.ts`

## Status
- Implemented

## Test output
- `entries CRUD`