Free Builder Kit — illustrated PDF + reference codebase

Free Builder · Kit Documentation

The 12 modules of the kit.

Every system the Free Builder kit installs, mapped to the file paths that implement it. Models, controllers, routes, middlewares, frontend pages, reducers, actions, plus the full REST endpoint surface. This is the canonical source of truth, served identically to AI agents via the token-gated kit endpoints and walked through chapter by chapter in the PDF course.

What's inside

  • 01
    User Management
    Chapter 06 — User Management
    Auth, accounts, invites, roles, capabilities, suspension, API keys, password reset. The substrate every other module rests on.
    Complete
  • 02
    Permission Management
    Chapter 07 — Permission Management
    Role-based access via a flat capability catalog. Same mechanism gates roles and plan tiers. Custom roles override defaults, per-user overrides override roles.
    Complete
  • 03
    Core Object & CRUD
    Chapter 08 — Project Management & Admin Tools
    The domain CRUD layer that owns whatever your customer creates and edits. Status enum for lifecycle (draft → active → archived). View counter, search, filter, pagination.
    Complete
  • 04
    Admin Operations
    Chapter 08 — Project Management & Admin Tools
    The operator cockpit. System probe, idempotent demo seeding, recent activity feed, impersonation hooks. Every action audit-logged.
    Complete
  • 05
    Analytics & Measurement
    Chapter 09 — Analytics & Measurement
    Three-layer measurement: traffic (sessions in), revenue (Stripe), events (activity log). Dashboard summary runs five count queries in parallel. Activity log doubles as audit trail.
    Complete
  • 06
    Leads & Sales Funnel
    Chapter 12 — Growth Engine
    Public lead capture (no auth required) plus staff list/update with status pipeline (new → contacted → qualified → converted/lost). Notes thread, assignment, source attribution.
    Complete
  • 07
    Billing & Plans
    Chapter 11 — Billing, Stripe Integration
    Stripe Checkout integration with stub mode for demos. Three endpoints: plan list, checkout session, webhook. Plan tier becomes a capability bundle reusing the permission middleware.
    Complete
  • 08
    Programmatic Access (API Keys)
    Chapter 06 — User Management (PATs subsystem)
    Personal access tokens à la GitHub. Hashed on create, plaintext returned exactly once, prefix-only in UI, last-used tracking, rotate without revoke, scopes (read/write/admin).
    Complete
  • 09
    Notifications
    Chapter 12 — Growth Engine (support layer)
    In-app notifications plus email digest scaffolding. Stubs for the broadcaster, per-user preferences, and the email-template engine.
    Stub / Roadmap
  • 10
    Support & Knowledge Base
    Chapter 12 — Growth Engine (support pyramid)
    The support pyramid: docs > AI chat > human escalation. Stubs for conversation threads, knowledge articles, AI deflection, and operator escalation queue.
    Stub / Roadmap
  • 11
    Content & SEO
    Chapter 04 — SEO from Day One
    Public blog and content surface: posts, sitemaps, schema.org markup, redirects. Stubs for an editor, draft/publish flow, and SEO audit report.
    Stub / Roadmap
  • 12
    Integrations & Webhooks
    Chapter 11 — Billing + extensions
    Outbound webhooks to customer endpoints. Stubs for webhook destinations, retry queue, signed delivery, replay UI. API keys (built) cover inbound.
    Stub / Roadmap

1. User Management

Chapter 06 — User Management

Complete

Auth, accounts, invites, roles, capabilities, suspension, API keys, password reset. The substrate every other module rests on.

Backend

models

  • User
  • Role
  • Invite
  • AccessToken

controllers

  • user.ctrl.js
  • invite.ctrl.js
  • role.ctrl.js
  • accessToken.ctrl.js

routes

  • /api/auth
  • /api/users
  • /api/invites
  • /api/roles
  • /api/access-tokens

middlewares

  • requireAuth
  • requireCapability

utils

  • authentication.js (JWT)
  • capabilities.js (catalog)
  • email.js (provider stub)

Frontend

pages

  • Login
  • Signup
  • ForgotPassword
  • ResetPassword/:token
  • VerifyEmail/:token
  • AcceptInvite/:token
  • Profile
  • admin/Users
  • admin/Invites
  • admin/Roles
  • account/ApiKeys

reducers

  • authReducer
  • usersAdminReducer
  • invitesReducer
  • rolesReducer
  • apiKeysReducer

actions

  • authActions
  • userAdminActions
  • inviteActions
  • roleActions
  • apiKeyActions

constants

  • AUTH
  • USERS_ADMIN
  • INVITES
  • ROLES
  • APIKEYS

API endpoints (35)

POST /api/auth/signup
POST /api/auth/login
POST /api/auth/logout
GET  /api/auth/me
PUT  /api/auth/me
POST /api/auth/me/change-password
POST /api/auth/me/resend-verification
DELETE /api/auth/me
POST /api/auth/request-password-reset
POST /api/auth/reset-password
GET  /api/auth/verify-email/:token
POST /api/auth/verify-username
GET  /api/users (admin list)
PUT  /api/users/:id/role
PUT  /api/users/:id/suspend
PUT  /api/users/:id/capabilities
DELETE /api/users/:id
POST /api/invites (create)
POST /api/invites/bulk
GET  /api/invites
GET  /api/invites/by-token/:token
POST /api/invites/accept
POST /api/invites/decline/:token
POST /api/invites/:id/resend
DELETE /api/invites/:id
GET  /api/roles
POST /api/roles
PUT  /api/roles/:id
DELETE /api/roles/:id
POST /api/roles/ensure-system
GET  /api/roles/capabilities
GET  /api/access-tokens
POST /api/access-tokens
POST /api/access-tokens/:id/rotate
DELETE /api/access-tokens/:id

2. Permission Management

Chapter 07 — Permission Management

Complete

Role-based access via a flat capability catalog. Same mechanism gates roles and plan tiers. Custom roles override defaults, per-user overrides override roles.

Backend

models

  • Role (with capabilities array)

controllers

  • role.ctrl.js (manages role bundles + per-user capability overrides)

routes

  • /api/roles/*
  • /api/users/:id/capabilities

middlewares

  • requireAuth
  • requirePermission(roles[])
  • requireCapability(key)

utils

  • capabilities.js — catalog (CATALOG[]) and role defaults (DEFAULTS{})

Frontend

pages

  • admin/Roles (matrix UI)
  • admin/Users → capability override panel

reducers

  • rolesReducer

actions

  • roleActions (loadRoles, createRole, updateRole, deleteRole, ensureSystemRoles)

constants

  • ROLES

API endpoints (8)

GET  /api/roles                    (list custom + built-in roles)
POST /api/roles                    (create custom role)
PUT  /api/roles/:id                (update capabilities)
DELETE /api/roles/:id              (cannot delete built-ins)
POST /api/roles/ensure-system      (idempotent seed: customer/sales/manager/admin)
GET  /api/roles/capabilities       (the public capability catalog)
PUT  /api/users/:id/role           (admin sets role)
PUT  /api/users/:id/capabilities   (per-user grant/revoke overrides)
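
The override order described above (role defaults, then a stored custom role, then per-user grant/revoke), as an added example that is not the kit's own code. It assumes a stored role replaces the default bundle of the same name and that revoke beats grant; the capability keys other than "webhooks.manage", the `capabilityOverrides` and `suspended` fields, and the `loadRoles` and `statusFor` helpers are hypothetical.

```javascript
// Constructed sample data. The kit's real CATALOG and DEFAULTS live in
// capabilities.js; every key except "webhooks.manage" is made up here.
const CATALOG = ["core.read", "core.write", "leads.manage", "webhooks.manage"];
const DEFAULTS = {
  customer: ["core.read"],
  sales: ["core.read", "leads.manage"],
  manager: ["core.read", "core.write", "leads.manage"],
  admin: [...CATALOG],
};

// Assumed precedence: a stored Role document replaces the built-in default
// bundle for that role name, then per-user overrides are applied on top.
// Revokes are applied last, so a revoke always wins over a grant.
function effectiveCapabilities(user, storedRoles = {}) {
  const stored = storedRoles[user.role];
  const bundle = stored ? stored.capabilities : DEFAULTS[user.role] || [];
  const caps = new Set(bundle.filter((key) => CATALOG.includes(key)));
  const { grant = [], revoke = [] } = user.capabilityOverrides || {};
  for (const key of grant) if (CATALOG.includes(key)) caps.add(key);
  for (const key of revoke) caps.delete(key);
  return caps;
}

// Express-style gate. An unknown key throws when the route is defined, so a
// typo cannot silently produce a route with the wrong access rule.
function requireCapability(key, loadRoles = () => ({})) {
  if (!CATALOG.includes(key)) throw new Error(`unknown capability: ${key}`);
  return (req, res, next) => {
    if (!req.user) return res.status(401).json({ error: "unauthenticated" });
    if (req.user.suspended) return res.status(403).json({ error: "suspended" });
    if (!effectiveCapabilities(req.user, loadRoles()).has(key)) {
      return res.status(403).json({ error: "forbidden", missing: key });
    }
    return next();
  };
}

// Drives the middleware with a minimal fake response and returns the HTTP
// status it would produce (200 when next() is reached).
function statusFor(user, key, storedRoles = {}) {
  let status = 200;
  const res = { status: (code) => { status = code; return res; }, json: () => res };
  requireCapability(key, () => storedRoles)(user ? { user } : {}, res, () => {});
  return status;
}
```

Because the same check can gate plan tiers, a plan would be one more bundle resolved before the per-user overrides.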

3. Core Object & CRUD

Chapter 08 — Project Management & Admin Tools

Complete

The domain CRUD layer that owns whatever your customer creates and edits. Status enum for lifecycle (draft → active → archived). View counter, search, filter, pagination.

Backend

models

  • CoreObject (named for your domain — Car, Project, Brand, Document, etc.)
  • Tenant / Workspace

controllers

  • core.ctrl.js (list/get/create/update/remove + status transitions)

routes

  • /api/core

middlewares

  • requireAuth
  • requirePermission(["staff","admin"])

utils

  • activityLogs.js (every mutation logged)

Frontend

pages

  • Home (featured)
  • Listing (search/filter/list)
  • Detail (public)
  • admin/CRUD
  • Dashboard

reducers

  • coreReducer (list, detail, filters, pagination)

actions

  • coreActions (load, loadOne, create, update, remove, setFilter)

constants

  • CORE

API endpoints (5)

GET    /api/core              (public — list, search, filter, paginate)
GET    /api/core/:id          (public — detail, increments view count)
POST   /api/core              (staff — create)
PUT    /api/core/:id          (staff — update or status change)
DELETE /api/core/:id          (manager+ — soft-delete via status=archived)

4. Admin Operations

Chapter 08 — Project Management & Admin Tools

Complete

The operator cockpit. System probe, idempotent demo seeding, recent activity feed, impersonation hooks. Every action audit-logged.

Backend

models

  • ActivityLog

controllers

  • (admin actions inline in routes/adminPanel.js)

routes

  • /api/admin/system
  • /api/admin/seed-demo
  • /api/admin/impersonate

middlewares

  • requireAuth
  • requirePermission(["admin"])

utils

  • activityLogs.js

Frontend

pages

  • Admin (cockpit: stats + activity feed + seed button)

reducers

  • (consumes analyticsSummary state from coreReducer)

actions

  • adminActions (seedDemo, fetchSystemInfo, impersonate)

constants

  • ADMIN

API endpoints (3)

GET  /api/admin/system        (env probe — db, node version, uptime)
POST /api/admin/seed-demo     (idempotent — seeds when the resource collection is empty)
POST /api/admin/impersonate   (super-admin only — start an audited impersonation session)

5. Analytics & Measurement

Chapter 09 — Analytics & Measurement

Complete

Three-layer measurement: traffic (sessions in), revenue (Stripe), events (activity log). Dashboard summary runs five count queries in parallel. Activity log doubles as audit trail.

Backend

models

  • ActivityLog (indexed on actor, action, createdAt)

controllers

  • (inline in routes/analytics.js)

routes

  • /api/analytics/summary
  • /api/analytics/activity

middlewares

  • requireAuth
  • requirePermission(["manager","admin"])

utils

  • activityLogs.record() — fire-and-forget logger

Frontend

pages

  • Admin (embeds summary + activity table)
  • Dashboard (per-user stats)

reducers

  • analyticsReducer (summary, activity)

actions

  • analyticsActions (loadSummary, loadActivity)

constants

  • ANALYTICS

API endpoints (2)

GET /api/analytics/summary       (30-day rollup: signups, leads, sales, MRR)
GET /api/analytics/activity      (paginated audit trail)

6. Leads & Sales Funnel

Chapter 12 — Growth Engine

Complete

Public lead capture (no auth required) plus staff list/update with status pipeline (new → contacted → qualified → converted/lost). Notes thread, assignment, source attribution.

Backend

models

  • Lead (notes[], status enum, source, intent)

controllers

  • lead.ctrl.js (create, list, updateStatus, addNote, assign)

routes

  • /api/leads

middlewares

  • requireAuth (staff routes — public POST is open)
  • requirePermission(["sales","manager","admin"])

utils

  • activityLogs.js

Frontend

pages

  • LeadForm (embedded on detail pages)
  • admin/Leads (pipeline)

reducers

  • leadReducer (list, filters, currentLead)

actions

  • leadActions (submitLead, loadLeads, updateLeadStatus, addNote, assignLead)

constants

  • LEADS

API endpoints (4)

POST /api/leads             (public — capture from contact form)
GET  /api/leads             (staff — list, filter by status/source/assignedTo)
PUT  /api/leads/:id         (staff — change status or assign)
POST /api/leads/:id/notes   (staff — append note)

7. Billing & Plans

Chapter 11 — Billing, Stripe Integration

Complete

Stripe Checkout integration with stub mode for demos. Three endpoints: plan list, checkout session, webhook. Plan tier becomes a capability bundle reusing the permission middleware.

Backend

models

  • (plan/subscription state on Tenant or User doc)

controllers

  • (inline in routes/billing.js)

routes

  • /api/billing/plans
  • /api/billing/checkout
  • /api/billing/webhook

middlewares

  • requireAuth (checkout only)

utils

  • bin/config.js (stripeSecret, stripeWebhookSecret)

Frontend

pages

  • Pricing / Plans
  • account/Billing
  • billing/Success
  • billing/Cancel

reducers

  • billingReducer (plans, subscription, invoices)

actions

  • billingActions (loadPlans, startCheckout, loadSubscription)

constants

  • BILLING

API endpoints (3)

GET  /api/billing/plans         (public — catalog)
POST /api/billing/checkout      (auth — returns Stripe Checkout URL or stub)
POST /api/billing/webhook       (raw body — Stripe event handler)

8. Programmatic Access (API Keys)

Chapter 06 — User Management (PATs subsystem)

Complete

Personal access tokens à la GitHub. Hashed on create, plaintext returned exactly once, prefix-only in UI, last-used tracking, rotate without revoke, scopes (read/write/admin).

Backend

models

  • AccessToken (hashed, prefix, scopes[], lastUsedAt)

controllers

  • accessToken.ctrl.js (list, create, rotate, revoke)

routes

  • /api/access-tokens

middlewares

  • requireAuth (browser session)
  • API key auth (header → AccessToken lookup)

utils

  • authentication.js (Bearer token verify branch)

Frontend

pages

  • account/ApiKeys (list, create with one-time reveal, rotate, revoke)

reducers

  • apiKeysReducer

actions

  • apiKeyActions (loadKeys, createKey, rotateKey, revokeKey)

constants

  • APIKEYS

API endpoints (4)

GET    /api/access-tokens          (list your PATs — prefix only)
POST   /api/access-tokens          (create — returns plaintext once)
POST   /api/access-tokens/:id/rotate
DELETE /api/access-tokens/:id      (revoke)
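
The token lifecycle described above (hash on create, one-time plaintext, prefix-only listing, last-used tracking, rotation, scopes), as an added example that is not the kit's own code. The `fbk_` prefix, the in-memory Map, SHA-256 as the at-rest hash, and all function names are assumptions, and rotation is assumed to swap the secret on the same record.

```javascript
const crypto = require("node:crypto");

// In-memory stand-in for the AccessToken collection (id -> record).
const tokens = new Map();

// The secret is 32 random bytes, so a fast hash is sufficient at rest; slow
// password hashes exist to protect low-entropy human passwords.
const sha256 = (value) => crypto.createHash("sha256").update(value).digest();

function mintSecret() {
  const plaintext = "fbk_" + crypto.randomBytes(32).toString("base64url");
  return { plaintext, prefix: plaintext.slice(0, 10), hash: sha256(plaintext) };
}

// The returned object is the only place the plaintext ever appears.
function createToken(userId, scopes) {
  const { plaintext, prefix, hash } = mintSecret();
  const id = crypto.randomUUID();
  tokens.set(id, { id, userId, scopes, prefix, hash, lastUsedAt: null });
  return { id, prefix, plaintext };
}

// Rotation keeps the record (id, scopes) and swaps the secret in place, so
// the old plaintext stops verifying immediately.
function rotateToken(id) {
  const record = tokens.get(id);
  if (!record) return null;
  const { plaintext, prefix, hash } = mintSecret();
  Object.assign(record, { prefix, hash });
  return { id, prefix, plaintext };
}

// What a key list may show: never the hash, never the secret.
function listTokens(userId) {
  return [...tokens.values()]
    .filter((t) => t.userId === userId)
    .map(({ id, prefix, scopes, lastUsedAt }) => ({ id, prefix, scopes, lastUsedAt }));
}

// Bearer branch: hash the presented value, compare digests in constant time,
// enforce the scope, then stamp lastUsedAt.
function verifyBearer(header, requiredScope) {
  const match = /^Bearer (fbk_[A-Za-z0-9_-]{43})$/.exec(header || "");
  if (!match) return null;
  const presented = sha256(match[1]);
  for (const record of tokens.values()) {
    if (!crypto.timingSafeEqual(record.hash, presented)) continue;
    if (!record.scopes.includes(requiredScope)) return null;
    record.lastUsedAt = new Date();
    return { userId: record.userId, scopes: record.scopes };
  }
  return null;
}
```

A database-backed version would look the record up by an indexed hash column instead of scanning, which keeps the same property: a leaked table yields no usable secrets.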

9. Notifications

Chapter 12 — Growth Engine (support layer)

Stub / Roadmap

In-app notifications plus email digest scaffolding. Stubs for the broadcaster, per-user preferences, and the email-template engine.

Backend

models

  • Notification (recipient, type, body, readAt)
  • NotificationPreference

controllers

  • notification.ctrl.js (list, markRead, updatePrefs)

routes

  • /api/notifications
  • /api/notifications/prefs

middlewares

  • requireAuth

utils

  • email.js (provider stub — Resend / Postmark adapter)

Frontend

pages

  • Header bell dropdown
  • account/Notifications (preferences + history)

reducers

  • notificationsReducer (unreadCount, list)

actions

  • notificationActions (loadNotifications, markRead, updatePrefs)

constants

  • NOTIFICATIONS

API endpoints (5)

GET  /api/notifications              (paginated)
PUT  /api/notifications/:id/read
PUT  /api/notifications/read-all
GET  /api/notifications/prefs
PUT  /api/notifications/prefs

Roadmap module. The data model and route shape are reserved, the controllers and UI are scaffolded. The framework names this surface so your AI worker can grow into it without inventing a parallel structure.

10. Support & Knowledge Base

Chapter 12 — Growth Engine (support pyramid)

Stub / Roadmap

The support pyramid: docs > AI chat > human escalation. Stubs for conversation threads, knowledge articles, AI deflection, and operator escalation queue.

Backend

models

  • Conversation
  • Message
  • KnowledgeArticle

controllers

  • conversation.ctrl.js
  • article.ctrl.js

routes

  • /api/conversations
  • /api/knowledge

middlewares

  • requireAuth (customer)
  • requirePermission (operator side)

utils

  • email.js

Frontend

pages

  • support/Inbox (customer)
  • admin/Support (operator queue)
  • KnowledgeBase (public)

reducers

  • supportReducer

actions

  • supportActions (loadConversations, postMessage, escalate)

constants

  • SUPPORT

API endpoints (5)

GET  /api/conversations            (customer — own threads)
POST /api/conversations            (start new)
POST /api/conversations/:id/messages
GET  /api/admin/conversations      (operator queue)
GET  /api/knowledge                (public articles)

Roadmap module. The data model and route shape are reserved, the controllers and UI are scaffolded. The framework names this surface so your AI worker can grow into it without inventing a parallel structure.

11. Content & SEO

Chapter 04 — SEO from Day One

Stub / Roadmap

Public blog and content surface: posts, sitemaps, schema.org markup, redirects. Stubs for an editor, draft/publish flow, and SEO audit report.

Backend

models

  • Article
  • Redirect

controllers

  • article.ctrl.js

routes

  • /api/articles
  • /sitemap.xml
  • /robots.txt

middlewares

  • requirePermission(["marketing","admin"])

utils

  • (rendering helpers)

Frontend

pages

  • Blog (list)
  • Article (detail)
  • admin/Articles (editor)

reducers

  • articlesReducer

actions

  • articleActions

constants

  • ARTICLES

API endpoints (5)

GET  /api/articles                  (public — published)
GET  /api/articles/:slug            (public — detail)
POST /api/articles                  (admin — create draft)
PUT  /api/articles/:id              (admin — update / publish)
GET  /sitemap.xml

Roadmap module. The data model and route shape are reserved, the controllers and UI are scaffolded. The framework names this surface so your AI worker can grow into it without inventing a parallel structure.

12. Integrations & Webhooks

Chapter 11 — Billing + extensions

Stub / Roadmap

Outbound webhooks to customer endpoints. Stubs for webhook destinations, retry queue, signed delivery, replay UI. API keys (built) cover inbound.

Backend

models

  • WebhookEndpoint
  • WebhookDelivery

controllers

  • webhook.ctrl.js

routes

  • /api/webhooks/endpoints
  • /api/webhooks/deliveries

middlewares

  • requireAuth
  • requireCapability("webhooks.manage")

utils

  • webhookSigner.js (HMAC-SHA256)

Frontend

pages

  • account/Webhooks (CRUD + delivery log + replay)

reducers

  • webhooksReducer

actions

  • webhookActions

constants

  • WEBHOOKS

API endpoints (6)

GET  /api/webhooks/endpoints
POST /api/webhooks/endpoints
PUT  /api/webhooks/endpoints/:id
DELETE /api/webhooks/endpoints/:id
GET  /api/webhooks/deliveries        (paginated, filter by status/endpoint)
POST /api/webhooks/deliveries/:id/replay

Roadmap module. The data model and route shape are reserved, the controllers and UI are scaffolded. The framework names this surface so your AI worker can grow into it without inventing a parallel structure.