Free Builder Kit — illustrated PDF + reference codebase

Free Builder · Kit Documentation

The 13 modules of the kit.

Every system the Free Builder kit installs, mapped to the file paths that implement it. Models, controllers, routes, middlewares, frontend pages, reducers, actions, plus the full REST endpoint surface. This is the canonical source of truth, served identically to AI agents via the token-gated kit endpoints and walked through chapter by chapter in the PDF course.

What's inside

  • 01
    User Management
    Chapter 06 — User Management
    Auth, accounts, invites, roles, capabilities, suspension, API keys, password reset. The substrate every other module rests on.
    Complete
  • 02
    Permission Management
    Chapter 07 — Permission Management
    Role-based access via a flat capability catalog. Same mechanism gates roles and plan tiers. Custom roles override defaults, per-user overrides override roles.
    Complete
  • 03
    Core Object & CRUD
    Chapter 08 — Project Management & Admin Tools
    The domain CRUD layer that owns whatever your customer creates and edits. Status enum for lifecycle (draft → active → archived). View counter, search, filter, pagination.
    Complete
  • 04
    Admin Operations
    Chapter 08 — Project Management & Admin Tools
    The operator cockpit. System probe, idempotent demo seeding, recent activity feed, impersonation hooks. Every action audit-logged.
    Complete
  • 05
    Analytics & Measurement
    Chapter 09 — Analytics & Measurement
    Three-layer measurement: traffic (sessions in), revenue (Stripe), events (activity log). Dashboard summary runs five count queries in parallel. Activity log doubles as audit trail.
    Complete
  • 06
    Leads & Sales Funnel
    Chapter 12 — Growth Engine
    Public lead capture (no auth required) plus staff list/update with status pipeline (new → contacted → qualified → converted/lost). Notes thread, assignment, source attribution.
    Complete
  • 07
    Billing & Plans
    Chapter 11 — Billing, Stripe Integration
    Stripe Checkout integration with stub mode for demos. Three endpoints: plan list, checkout session, webhook. Plan tier becomes a capability bundle reusing the permission middleware.
    Complete
  • 08
    Programmatic Access (API Keys)
    Chapter 06 — User Management (PATs subsystem)
    Personal access tokens à la GitHub. Hashed on create, plaintext returned exactly once, prefix-only in UI, last-used tracking, rotate without revoke, scopes (read/write/admin).
    Complete
  • 09
    Notifications
    Chapter 12 — Growth Engine (support layer)
    In-app notifications plus email digest scaffolding. Stubs for the broadcaster, per-user preferences, and the email-template engine.
    Stub / Roadmap
  • 10
    Support & Knowledge Base
    Chapter 12 — Growth Engine (support pyramid)
    The support pyramid: docs > AI chat > human escalation. Stubs for conversation threads, knowledge articles, AI deflection, and operator escalation queue.
    Stub / Roadmap
  • 11
    Content & SEO
    Chapter 04 — SEO from Day One
    Public blog and content surface. The Article system (model, /api/articles, editor, draft/publish, likes and comments) is now fully implemented — see the Community module. Sitemaps, redirects, schema.org markup and an SEO audit report remain roadmap.
    Partial
  • 12
    Integrations & Webhooks
    Chapter 11 — Billing + extensions
    Outbound webhooks to customer endpoints. Stubs for webhook destinations, retry queue, signed delivery, replay UI. API keys (built) cover inbound.
    Stub / Roadmap
  • 13
    Community — Q&A, Articles & Voting
    Community layer (on top of Ch.05 Portal / Ch.06 Users)
    A Stack-Overflow-style community on top of the shared JWT auth: questions with embedded answers, per-user up/down voting (score = upvotes - downvotes, one vote per user) and asker-accepted answers, plus a blog with per-user likes and comments. The Next.js PORTAL kit (storefront-portal-kit) can run HEADLESS against these endpoints (the prigmar-portal / prigmar-app and bidlight-portal / bidlight-mern pattern), or use its own self-contained copy.
    Complete
  • P
    The Portal kit (Next.js)
    Chapter 05 — Portal Layer · storefront-portal-kit
    The marketing + community surface — runs standalone or headless on the app kit.
    Complete

1. User Management

Chapter 06 — User Management

Complete

Auth, accounts, invites, roles, capabilities, suspension, API keys, password reset. The substrate every other module rests on.

Backend

models

  • User
  • Role
  • Invite
  • AccessToken

controllers

  • user.ctrl.js
  • invite.ctrl.js
  • role.ctrl.js
  • accessToken.ctrl.js

routes

  • /api/auth
  • /api/users
  • /api/invites
  • /api/roles
  • /api/access-tokens

middlewares

  • requireAuth
  • requireCapability

utils

  • authentication.js (JWT)
  • capabilities.js (catalog)
  • email.js (provider stub)

Frontend

pages

  • Login
  • Signup
  • ForgotPassword
  • ResetPassword/:token
  • VerifyEmail/:token
  • AcceptInvite/:token
  • Profile
  • admin/Users
  • admin/Invites
  • admin/Roles
  • account/ApiKeys

reducers

  • authReducer
  • usersAdminReducer
  • invitesReducer
  • rolesReducer
  • apiKeysReducer

actions

  • authActions
  • userAdminActions
  • inviteActions
  • roleActions
  • apiKeyActions

constants

  • AUTH
  • USERS_ADMIN
  • INVITES
  • ROLES
  • APIKEYS

API endpoints (35)

POST /api/auth/signup
POST /api/auth/login
POST /api/auth/logout
GET  /api/auth/me
PUT  /api/auth/me
POST /api/auth/me/change-password
POST /api/auth/me/resend-verification
DELETE /api/auth/me
POST /api/auth/request-password-reset
POST /api/auth/reset-password
GET  /api/auth/verify-email/:token
POST /api/auth/verify-username
GET  /api/users (admin list)
PUT  /api/users/:id/role
PUT  /api/users/:id/suspend
PUT  /api/users/:id/capabilities
DELETE /api/users/:id
POST /api/invites (create)
POST /api/invites/bulk
GET  /api/invites
GET  /api/invites/by-token/:token
POST /api/invites/accept
POST /api/invites/decline/:token
POST /api/invites/:id/resend
DELETE /api/invites/:id
GET  /api/roles
POST /api/roles
PUT  /api/roles/:id
DELETE /api/roles/:id
POST /api/roles/ensure-system
GET  /api/roles/capabilities
GET  /api/access-tokens
POST /api/access-tokens
POST /api/access-tokens/:id/rotate
DELETE /api/access-tokens/:id

2. Permission Management

Chapter 07 — Permission Management

Complete

Role-based access via a flat capability catalog. Same mechanism gates roles and plan tiers. Custom roles override defaults, per-user overrides override roles.

Backend

models

  • Role (with capabilities array)

controllers

  • role.ctrl.js (manages role bundles + per-user capability overrides)

routes

  • /api/roles/*
  • /api/users/:id/capabilities

middlewares

  • requireAuth
  • requirePermission(roles[])
  • requireCapability(key)

utils

  • capabilities.js — catalog (CATALOG[]) and role defaults (DEFAULTS{})

Frontend

pages

  • admin/Roles (matrix UI)
  • admin/Users → capability override panel

reducers

  • rolesReducer

actions

  • roleActions (loadRoles, createRole, updateRole, deleteRole, ensureSystemRoles)

constants

  • ROLES

API endpoints (8)

GET  /api/roles                    (list custom + built-in roles)
POST /api/roles                    (create custom role)
PUT  /api/roles/:id                (update capabilities)
DELETE /api/roles/:id              (cannot delete built-ins)
POST /api/roles/ensure-system      (idempotent seed: customer/sales/manager/admin)
GET  /api/roles/capabilities       (the public capability catalog)
PUT  /api/users/:id/role           (admin sets role)
PUT  /api/users/:id/capabilities   (per-user grant/revoke overrides)

3. Core Object & CRUD

Chapter 08 — Project Management & Admin Tools

Complete

The domain CRUD layer that owns whatever your customer creates and edits. Status enum for lifecycle (draft → active → archived). View counter, search, filter, pagination.

Backend

models

  • CoreObject (named for your domain — Car, Project, Brand, Document, etc.)
  • Tenant / Workspace

controllers

  • core.ctrl.js (list/get/create/update/remove + status transitions)

routes

  • /api/core

middlewares

  • requireAuth
  • requirePermission(["staff","admin"])

utils

  • activityLogs.js (every mutation logged)

Frontend

pages

  • Home (featured)
  • Listing (search/filter/list)
  • Detail (public)
  • admin/CRUD
  • Dashboard

reducers

  • coreReducer (list, detail, filters, pagination)

actions

  • coreActions (load, loadOne, create, update, remove, setFilter)

constants

  • CORE

API endpoints (5)

GET    /api/core              (public — list, search, filter, paginate)
GET    /api/core/:id          (public — detail, increments view count)
POST   /api/core              (staff — create)
PUT    /api/core/:id          (staff — update or status change)
DELETE /api/core/:id          (manager+ — soft-delete via status=archived)

4. Admin Operations

Chapter 08 — Project Management & Admin Tools

Complete

The operator cockpit. System probe, idempotent demo seeding, recent activity feed, impersonation hooks. Every action audit-logged.

Backend

models

  • ActivityLog

controllers

  • (admin actions inline in routes/adminPanel.js)

routes

  • /api/admin/system
  • /api/admin/seed-demo
  • /api/admin/impersonate

middlewares

  • requireAuth
  • requirePermission(["admin"])

utils

  • activityLogs.js

Frontend

pages

  • Admin (cockpit: stats + activity feed + seed button)

reducers

  • (consumes analyticsSummary state from coreReducer)

actions

  • adminActions (seedDemo, fetchSystemInfo, impersonate)

constants

  • ADMIN

API endpoints (3)

GET  /api/admin/system        (env probe — db, node version, uptime)
POST /api/admin/seed-demo     (idempotent — seeds when the resource collection is empty)
POST /api/admin/impersonate   (super-admin only — start an audited impersonation session)

5. Analytics & Measurement

Chapter 09 — Analytics & Measurement

Complete

Three-layer measurement: traffic (sessions in), revenue (Stripe), events (activity log). Dashboard summary runs five count queries in parallel. Activity log doubles as audit trail.

Backend

models

  • ActivityLog (indexed on actor, action, createdAt)

controllers

  • (inline in routes/analytics.js)

routes

  • /api/analytics/summary
  • /api/analytics/activity

middlewares

  • requireAuth
  • requirePermission(["manager","admin"])

utils

  • activityLogs.record() — fire-and-forget logger

Frontend

pages

  • Admin (embeds summary + activity table)
  • Dashboard (per-user stats)

reducers

  • analyticsReducer (summary, activity)

actions

  • analyticsActions (loadSummary, loadActivity)

constants

  • ANALYTICS

API endpoints (2)

GET /api/analytics/summary       (30-day rollup: signups, leads, sales, MRR)
GET /api/analytics/activity      (paginated audit trail)

6. Leads & Sales Funnel

Chapter 12 — Growth Engine

Complete

Public lead capture (no auth required) plus staff list/update with status pipeline (new → contacted → qualified → converted/lost). Notes thread, assignment, source attribution.

Backend

models

  • Lead (notes[], status enum, source, intent)

controllers

  • lead.ctrl.js (create, list, updateStatus, addNote, assign)

routes

  • /api/leads

middlewares

  • requireAuth (staff routes — public POST is open)
  • requirePermission(["sales","manager","admin"])

utils

  • activityLogs.js

Frontend

pages

  • LeadForm (embedded on detail pages)
  • admin/Leads (pipeline)

reducers

  • leadReducer (list, filters, currentLead)

actions

  • leadActions (submitLead, loadLeads, updateLeadStatus, addNote, assignLead)

constants

  • LEADS

API endpoints (4)

POST /api/leads             (public — capture from contact form)
GET  /api/leads             (staff — list, filter by status/source/assignedTo)
PUT  /api/leads/:id         (staff — change status or assign)
POST /api/leads/:id/notes   (staff — append note)

7. Billing & Plans

Chapter 11 — Billing, Stripe Integration

Complete

Stripe Checkout integration with stub mode for demos. Three endpoints: plan list, checkout session, webhook. Plan tier becomes a capability bundle reusing the permission middleware.

Backend

models

  • (plan/subscription state on Tenant or User doc)

controllers

  • (inline in routes/billing.js)

routes

  • /api/billing/plans
  • /api/billing/checkout
  • /api/billing/webhook

middlewares

  • requireAuth (checkout only)

utils

  • bin/config.js (stripeSecret, stripeWebhookSecret)

Frontend

pages

  • Pricing / Plans
  • account/Billing
  • billing/Success
  • billing/Cancel

reducers

  • billingReducer (plans, subscription, invoices)

actions

  • billingActions (loadPlans, startCheckout, loadSubscription)

constants

  • BILLING

API endpoints (3)

GET  /api/billing/plans         (public — catalog)
POST /api/billing/checkout      (auth — returns Stripe Checkout URL or stub)
POST /api/billing/webhook       (raw body — Stripe event handler)

8. Programmatic Access (API Keys)

Chapter 06 — User Management (PATs subsystem)

Complete

Personal access tokens à la GitHub. Hashed on create, plaintext returned exactly once, prefix-only in UI, last-used tracking, rotate without revoke, scopes (read/write/admin).

Backend

models

  • AccessToken (hashed, prefix, scopes[], lastUsedAt)

controllers

  • accessToken.ctrl.js (list, create, rotate, revoke)

routes

  • /api/access-tokens

middlewares

  • requireAuth (browser session)
  • API key auth (header → AccessToken lookup)

utils

  • authentication.js (Bearer token verify branch)

Frontend

pages

  • account/ApiKeys (list, create with one-time reveal, rotate, revoke)

reducers

  • apiKeysReducer

actions

  • apiKeyActions (loadKeys, createKey, rotateKey, revokeKey)

constants

  • APIKEYS

API endpoints (4)

GET    /api/access-tokens          (list your PATs — prefix only)
POST   /api/access-tokens          (create — returns plaintext once)
POST   /api/access-tokens/:id/rotate
DELETE /api/access-tokens/:id      (revoke)

9. Notifications

Chapter 12 — Growth Engine (support layer)

Stub / Roadmap

In-app notifications plus email digest scaffolding. Stubs for the broadcaster, per-user preferences, and the email-template engine.

Backend

models

  • Notification (recipient, type, body, readAt)
  • NotificationPreference

controllers

  • notification.ctrl.js (list, markRead, updatePrefs)

routes

  • /api/notifications
  • /api/notifications/prefs

middlewares

  • requireAuth

utils

  • email.js (provider stub — Resend / Postmark adapter)

Frontend

pages

  • Header bell dropdown
  • account/Notifications (preferences + history)

reducers

  • notificationsReducer (unreadCount, list)

actions

  • notificationActions (loadNotifications, markRead, updatePrefs)

constants

  • NOTIFICATIONS

API endpoints (5)

GET  /api/notifications              (paginated)
PUT  /api/notifications/:id/read
PUT  /api/notifications/read-all
GET  /api/notifications/prefs
PUT  /api/notifications/prefs

Roadmap module. The data model and route shape are reserved, the controllers and UI are scaffolded. The framework names this surface so your AI worker can grow into it without inventing a parallel structure.

10. Support & Knowledge Base

Chapter 12 — Growth Engine (support pyramid)

Stub / Roadmap

The support pyramid: docs > AI chat > human escalation. Stubs for conversation threads, knowledge articles, AI deflection, and operator escalation queue.

Backend

models

  • Conversation
  • Message
  • KnowledgeArticle

controllers

  • conversation.ctrl.js
  • article.ctrl.js

routes

  • /api/conversations
  • /api/knowledge

middlewares

  • requireAuth (customer)
  • requirePermission (operator side)

utils

  • email.js

Frontend

pages

  • support/Inbox (customer)
  • admin/Support (operator queue)
  • KnowledgeBase (public)

reducers

  • supportReducer

actions

  • supportActions (loadConversations, postMessage, escalate)

constants

  • SUPPORT

API endpoints (5)

GET  /api/conversations            (customer — own threads)
POST /api/conversations            (start new)
POST /api/conversations/:id/messages
GET  /api/admin/conversations      (operator queue)
GET  /api/knowledge                (public articles)

Roadmap module. The data model and route shape are reserved, the controllers and UI are scaffolded. The framework names this surface so your AI worker can grow into it without inventing a parallel structure.

11. Content & SEO

Chapter 04 — SEO from Day One

Partial

Public blog and content surface. The Article system (model, /api/articles, editor, draft/publish, likes and comments) is now fully implemented — see the Community module. Sitemaps, redirects, schema.org markup and an SEO audit report remain roadmap.

Backend

models

  • Article
  • Redirect

controllers

  • article.ctrl.js

routes

  • /api/articles
  • /sitemap.xml
  • /robots.txt

middlewares

  • requirePermission(["marketing","admin"])

utils

  • (rendering helpers)

Frontend

pages

  • Blog (list)
  • Article (detail)
  • admin/Articles (editor)

reducers

  • articlesReducer

actions

  • articleActions

constants

  • ARTICLES

API endpoints (5)

GET  /api/articles                  (public — published)
GET  /api/articles/:slug            (public — detail)
POST /api/articles                  (admin — create draft)
PUT  /api/articles/:id              (admin — update / publish)
GET  /sitemap.xml

12. Integrations & Webhooks

Chapter 11 — Billing + extensions

Stub / Roadmap

Outbound webhooks to customer endpoints. Stubs for webhook destinations, retry queue, signed delivery, replay UI. API keys (built) cover inbound.

Backend

models

  • WebhookEndpoint
  • WebhookDelivery

controllers

  • webhook.ctrl.js

routes

  • /api/webhooks/endpoints
  • /api/webhooks/deliveries

middlewares

  • requireAuth
  • requireCapability("webhooks.manage")

utils

  • webhookSigner.js (HMAC-SHA256)

Frontend

pages

  • account/Webhooks (CRUD + delivery log + replay)

reducers

  • webhooksReducer

actions

  • webhookActions

constants

  • WEBHOOKS

API endpoints (6)

GET  /api/webhooks/endpoints
POST /api/webhooks/endpoints
PUT  /api/webhooks/endpoints/:id
DELETE /api/webhooks/endpoints/:id
GET  /api/webhooks/deliveries        (paginated, filter by status/endpoint)
POST /api/webhooks/deliveries/:id/replay

Roadmap module. The data model and route shape are reserved, the controllers and UI are scaffolded. The framework names this surface so your AI worker can grow into it without inventing a parallel structure.

13. Community — Q&A, Articles & Voting

Community layer (on top of Ch.05 Portal / Ch.06 Users)

Complete

A Stack-Overflow-style community on top of the shared JWT auth: questions with embedded answers, per-user up/down voting (score = upvotes - downvotes, one vote per user) and asker-accepted answers, plus a blog with per-user likes and comments. The Next.js PORTAL kit (storefront-portal-kit) can run HEADLESS against these endpoints (the prigmar-portal / prigmar-app and bidlight-portal / bidlight-mern pattern), or use its own self-contained copy.

Backend

models

  • Question (embedded answers, upvotes[]/downvotes[], accepted)
  • Article (likes[], comments[])

controllers

  • question.ctrl.js (list/get/create/answer/vote/voteAnswer/accept/remove)
  • article.ctrl.js (list/get/create/like/comment/remove)

routes

  • /api/questions
  • /api/articles

middlewares

  • requireAuth (reused)

utils

  • community.js — applyVote (one vote/user, up/down/clear), slugify, toHtml

Frontend

pages

  • Questions (sort/search/paginate)
  • QuestionDetail (vote widgets, post answer, accept)
  • AskQuestion (login-gated)
  • Articles (list)
  • ArticleDetail (like + comments)
  • WriteArticle (login-gated)

reducers

  • reuses authReducer (current user)

actions

  • direct api/client calls (client.get / client.post)

constants

  • endpoints.questions, endpoints.articles (api/client.js) + VoteButtons component

API endpoints (14)

GET    /api/questions                              (list — sort, search, tag, paginate)
GET    /api/questions/:slug                        (one — increments views)
POST   /api/questions                              (auth — ask)
POST   /api/questions/:slug/answers                (auth — answer)
POST   /api/questions/:slug/vote                   (auth — up/down the question)
POST   /api/questions/:slug/answers/:answerId/vote (auth — up/down an answer)
POST   /api/questions/:slug/accept                 (asker — accept an answer)
DELETE /api/questions/:slug                        (owner/admin)
GET    /api/articles                               (list — category, search, paginate)
GET    /api/articles/:slug                         (one — increments views)
POST   /api/articles                               (auth — write)
POST   /api/articles/:slug/like                    (auth — toggle like)
POST   /api/articles/:slug/comments                (auth — comment)
DELETE /api/articles/:slug                         (owner/admin)

The Portal kit (Next.js)

Chapter 05 — Portal Layer · storefront-portal-kit

Source: gitlab.com/Mouldi/storefront-portal-kit ↗

Complete

The second kit in the framework: a config-driven Next.js storefront that is the marketing + community surface in front of the MERN app above — the same way prigmar-portal sits in front of prigmar-app and bidlight-portal in front of the BidLight MERN app. Rebrand it by editing one file (lib/site.config.js) plus styles/variables.css; no component edits needed.

What it ships

Marketing surface

  • Home / hero, pricing, about
  • SEO + Open Graph + JSON-LD
  • Logo & colour rebrand via config

Demo & leads

  • Demo form → Mongo + email (nodemailer)
  • Calendly scheduling + webhook
  • Optional CRM forward

Knowledge

  • Engineered FAQ (categories, JSON-LD)
  • Learning / articles blog
  • Markdown editor

Community

  • Accounts (JWT auth)
  • Q&A with per-user voting + accept
  • Article likes + comments

Two run modes

Standalone

  • Own Next.js API routes + Mongo
  • httpOnly-cookie auth
  • NEXT_PUBLIC_API_BASE="/api"

Linked (headless)

  • Pure frontend on the MERN app kit
  • Bearer-token auth (the prigmar / bidlight pattern)
  • NEXT_PUBLIC_API_BASE → the app kit /api

Public routes

/                 marketing home
/pricing          plans
/faq              engineered FAQ
/articles         learning / blog        /articles/[slug]    /articles/new
/questions        community Q&A           /questions/[slug]   /questions/ask
/contact          demo + Calendly
/login   /register accounts

Both kits share one API contract, so the same portal runs on its own routes or headless against the app kit. Crawl or download it at the token-gated /kit/storefront/{tree,file,zip} endpoints.