What's inside
-
01
User Management
Chapter 06 — User Management
Auth, accounts, invites, roles, capabilities, suspension, API keys, password reset. The substrate every other module rests on.
Complete
-
02
Permission Management
Chapter 07 — Permission Management
Role-based access via a flat capability catalog. Same mechanism gates roles and plan tiers. Custom roles override defaults, per-user overrides override roles.
Complete
-
03
Core Object & CRUD
Chapter 08 — Project Management & Admin Tools
The domain CRUD layer that owns whatever your customer creates and edits. Status enum for lifecycle (draft → active → archived). View counter, search, filter, pagination.
Complete
-
04
Admin Operations
Chapter 08 — Project Management & Admin Tools
The operator cockpit. System probe, idempotent demo seeding, recent activity feed, impersonation hooks. Every action audit-logged.
Complete
-
05
Analytics & Measurement
Chapter 09 — Analytics & Measurement
Three-layer measurement: traffic (sessions in), revenue (Stripe), events (activity log). Dashboard summary runs five count queries in parallel. Activity log doubles as audit trail.
Complete
-
06
Leads & Sales Funnel
Chapter 12 — Growth Engine
Public lead capture (no auth required) plus staff list/update with status pipeline (new → contacted → qualified → converted/lost). Notes thread, assignment, source attribution.
Complete
-
07
Billing & Plans
Chapter 11 — Billing, Stripe Integration
Stripe Checkout integration with stub mode for demos. Three endpoints: plan list, checkout session, webhook. Plan tier becomes a capability bundle reusing the permission middleware.
Complete
-
08
Programmatic Access (API Keys)
Chapter 06 — User Management (PATs subsystem)
Personal access tokens à la GitHub. Hashed on create, plaintext returned exactly once, prefix-only in UI, last-used tracking, rotate without revoke, scopes (read/write/admin).
Complete
-
09
Notifications
Chapter 12 — Growth Engine (support layer)
In-app notifications plus email digest scaffolding. Stubs for the broadcaster, per-user preferences, and the email-template engine.
Stub / Roadmap
-
10
Support & Knowledge Base
Chapter 12 — Growth Engine (support pyramid)
The support pyramid: docs > AI chat > human escalation. Stubs for conversation threads, knowledge articles, AI deflection, and operator escalation queue.
Stub / Roadmap
-
11
Content & SEO
Chapter 04 — SEO from Day One
Public blog and content surface. The Article system (model, /api/articles, editor, draft/publish, likes and comments) is now fully implemented — see the Community module. Sitemaps, redirects, schema.org markup and an SEO audit report remain roadmap.
Partial
-
12
Integrations & Webhooks
Chapter 11 — Billing + extensions
Outbound webhooks to customer endpoints. Stubs for webhook destinations, retry queue, signed delivery, replay UI. API keys (built) cover inbound.
Stub / Roadmap
-
13
Community — Q&A, Articles & Voting
Community layer (on top of Ch.05 Portal / Ch.06 Users)
A Stack-Overflow-style community on top of the shared JWT auth: questions with embedded answers, per-user up/down voting (score = upvotes - downvotes, one vote per user) and asker-accepted answers, plus a blog with per-user likes and comments. The Next.js PORTAL kit (storefront-portal-kit) can run HEADLESS against these endpoints (the prigmar-portal / prigmar-app and bidlight-portal / bidlight-mern pattern), or use its own self-contained copy.
Complete
-
P
The Portal kit (Next.js)
Chapter 05 — Portal Layer · storefront-portal-kit
The marketing + community surface — runs standalone or headless on the app kit.
Complete
1. User Management
Chapter 06 — User Management
Complete
Auth, accounts, invites, roles, capabilities, suspension, API keys, password reset. The substrate every other module rests on.
Backend
models
User
Role
Invite
AccessToken
controllers
user.ctrl.js
invite.ctrl.js
role.ctrl.js
accessToken.ctrl.js
routes
/api/auth
/api/users
/api/invites
/api/roles
/api/access-tokens
middlewares
requireAuth
requireCapability
utils
authentication.js (JWT)
capabilities.js (catalog)
email.js (provider stub)
Frontend
pages
Login
Signup
ForgotPassword
ResetPassword/:token
VerifyEmail/:token
AcceptInvite/:token
Profile
admin/Users
admin/Invites
admin/Roles
account/ApiKeys
reducers
authReducer
usersAdminReducer
invitesReducer
rolesReducer
apiKeysReducer
actions
authActions
userAdminActions
inviteActions
roleActions
apiKeyActions
constants
AUTH
USERS_ADMIN
INVITES
ROLES
APIKEYS
API endpoints (35)
POST /api/auth/signup
POST /api/auth/login
POST /api/auth/logout
GET /api/auth/me
PUT /api/auth/me
POST /api/auth/me/change-password
POST /api/auth/me/resend-verification
DELETE /api/auth/me
POST /api/auth/request-password-reset
POST /api/auth/reset-password
GET /api/auth/verify-email/:token
POST /api/auth/verify-username
GET /api/users (admin list)
PUT /api/users/:id/role
PUT /api/users/:id/suspend
PUT /api/users/:id/capabilities
DELETE /api/users/:id
POST /api/invites (create)
POST /api/invites/bulk
GET /api/invites
GET /api/invites/by-token/:token
POST /api/invites/accept
POST /api/invites/decline/:token
POST /api/invites/:id/resend
DELETE /api/invites/:id
GET /api/roles
POST /api/roles
PUT /api/roles/:id
DELETE /api/roles/:id
POST /api/roles/ensure-system
GET /api/roles/capabilities
GET /api/access-tokens
POST /api/access-tokens
POST /api/access-tokens/:id/rotate
DELETE /api/access-tokens/:id
2. Permission Management
Chapter 07 — Permission Management
Complete
Role-based access via a flat capability catalog. Same mechanism gates roles and plan tiers. Custom roles override defaults, per-user overrides override roles.
Backend
models
Role (with capabilities array)
controllers
role.ctrl.js (manages role bundles + per-user capability overrides)
routes
/api/roles/*
/api/users/:id/capabilities
middlewares
requireAuth
requirePermission(roles[])
requireCapability(key)
utils
capabilities.js — catalog (CATALOG[]) and role defaults (DEFAULTS{})
Frontend
pages
admin/Roles (matrix UI)
admin/Users → capability override panel
actions
roleActions (loadRoles, createRole, updateRole, deleteRole, ensureSystemRoles)
API endpoints (8)
GET /api/roles (list custom + built-in roles)
POST /api/roles (create custom role)
PUT /api/roles/:id (update capabilities)
DELETE /api/roles/:id (cannot delete built-ins)
POST /api/roles/ensure-system (idempotent seed: customer/sales/manager/admin)
GET /api/roles/capabilities (the public capability catalog)
PUT /api/users/:id/role (admin sets role)
PUT /api/users/:id/capabilities (per-user grant/revoke overrides)
3. Core Object & CRUD
Chapter 08 — Project Management & Admin Tools
Complete
The domain CRUD layer that owns whatever your customer creates and edits. Status enum for lifecycle (draft → active → archived). View counter, search, filter, pagination.
Backend
models
CoreObject (named for your domain — Car, Project, Brand, Document, etc.)
Tenant / Workspace
controllers
core.ctrl.js (list/get/create/update/remove + status transitions)
middlewares
requireAuth
requirePermission(["staff","admin"])
utils
activityLogs.js (every mutation logged)
Frontend
pages
Home (featured)
Listing (search/filter/list)
Detail (public)
admin/CRUD
Dashboard
reducers
coreReducer (list, detail, filters, pagination)
actions
coreActions (load, loadOne, create, update, remove, setFilter)
API endpoints (5)
GET /api/core (public — list, search, filter, paginate)
GET /api/core/:id (public — detail, increments view count)
POST /api/core (staff — create)
PUT /api/core/:id (staff — update or status change)
DELETE /api/core/:id (manager+ — soft-delete via status=archived)
4. Admin Operations
Chapter 08 — Project Management & Admin Tools
Complete
The operator cockpit. System probe, idempotent demo seeding, recent activity feed, impersonation hooks. Every action audit-logged.
Backend
controllers
(admin actions inline in routes/adminPanel.js)
routes
/api/admin/system
/api/admin/seed-demo
/api/admin/impersonate
middlewares
requireAuth
requirePermission(["admin"])
Frontend
pages
Admin (cockpit: stats + activity feed + seed button)
reducers
(consumes analyticsSummary state from coreReducer)
actions
adminActions (seedDemo, fetchSystemInfo, impersonate)
API endpoints (3)
GET /api/admin/system (env probe — db, node version, uptime)
POST /api/admin/seed-demo (idempotent — seeds when the resource collection is empty)
POST /api/admin/impersonate (super-admin only — start an audited impersonation session)
5. Analytics & Measurement
Chapter 09 — Analytics & Measurement
Complete
Three-layer measurement: traffic (sessions in), revenue (Stripe), events (activity log). Dashboard summary runs five count queries in parallel. Activity log doubles as audit trail.
Backend
models
ActivityLog (indexed on actor, action, createdAt)
controllers
(inline in routes/analytics.js)
routes
/api/analytics/summary
/api/analytics/activity
middlewares
requireAuth
requirePermission(["manager","admin"])
utils
activityLogs.record() — fire-and-forget logger
Frontend
pages
Admin (embeds summary + activity table)
Dashboard (per-user stats)
reducers
analyticsReducer (summary, activity)
actions
analyticsActions (loadSummary, loadActivity)
API endpoints (2)
GET /api/analytics/summary (30-day rollup: signups, leads, sales, MRR)
GET /api/analytics/activity (paginated audit trail)
6. Leads & Sales Funnel
Chapter 12 — Growth Engine
Complete
Public lead capture (no auth required) plus staff list/update with status pipeline (new → contacted → qualified → converted/lost). Notes thread, assignment, source attribution.
Backend
models
Lead (notes[], status enum, source, intent)
controllers
lead.ctrl.js (create, list, updateStatus, addNote, assign)
middlewares
requireAuth (staff routes — public POST is open)
requirePermission(["sales","manager","admin"])
Frontend
pages
LeadForm (embedded on detail pages)
admin/Leads (pipeline)
reducers
leadReducer (list, filters, currentLead)
actions
leadActions (submitLead, loadLeads, updateLeadStatus, addNote, assignLead)
API endpoints (4)
POST /api/leads (public — capture from contact form)
GET /api/leads (staff — list, filter by status/source/assignedTo)
PUT /api/leads/:id (staff — change status or assign)
POST /api/leads/:id/notes (staff — append note)
7. Billing & Plans
Chapter 11 — Billing, Stripe Integration
Complete
Stripe Checkout integration with stub mode for demos. Three endpoints: plan list, checkout session, webhook. Plan tier becomes a capability bundle reusing the permission middleware.
Backend
models
(plan/subscription state on Tenant or User doc)
controllers
(inline in routes/billing.js)
routes
/api/billing/plans
/api/billing/checkout
/api/billing/webhook
middlewares
requireAuth (checkout only)
utils
bin/config.js (stripeSecret, stripeWebhookSecret)
Frontend
pages
Pricing / Plans
account/Billing
billing/Success
billing/Cancel
reducers
billingReducer (plans, subscription, invoices)
actions
billingActions (loadPlans, startCheckout, loadSubscription)
API endpoints (3)
GET /api/billing/plans (public — catalog)
POST /api/billing/checkout (auth — returns Stripe Checkout URL or stub)
POST /api/billing/webhook (raw body — Stripe event handler)
8. Programmatic Access (API Keys)
Chapter 06 — User Management (PATs subsystem)
Complete
Personal access tokens à la GitHub. Hashed on create, plaintext returned exactly once, prefix-only in UI, last-used tracking, rotate without revoke, scopes (read/write/admin).
Backend
models
AccessToken (hashed, prefix, scopes[], lastUsedAt)
controllers
accessToken.ctrl.js (list, create, rotate, revoke)
middlewares
requireAuth (browser session)
API key auth (header → AccessToken lookup)
utils
authentication.js (Bearer token verify branch)
Frontend
pages
account/ApiKeys (list, create with one-time reveal, rotate, revoke)
actions
apiKeyActions (loadKeys, createKey, rotateKey, revokeKey)
API endpoints (4)
GET /api/access-tokens (list your PATs — prefix only)
POST /api/access-tokens (create — returns plaintext once)
POST /api/access-tokens/:id/rotate
DELETE /api/access-tokens/:id (revoke)
9. Notifications
Chapter 12 — Growth Engine (support layer)
Stub / Roadmap
In-app notifications plus email digest scaffolding. Stubs for the broadcaster, per-user preferences, and the email-template engine.
Backend
models
Notification (recipient, type, body, readAt)
NotificationPreference
controllers
notification.ctrl.js (list, markRead, updatePrefs)
routes
/api/notifications
/api/notifications/prefs
utils
email.js (provider stub — Resend / Postmark adapter)
Frontend
pages
Header bell dropdown
account/Notifications (preferences + history)
reducers
notificationsReducer (unreadCount, list)
actions
notificationActions (loadNotifications, markRead, updatePrefs)
API endpoints (5)
GET /api/notifications (paginated)
PUT /api/notifications/:id/read
PUT /api/notifications/read-all
GET /api/notifications/prefs
PUT /api/notifications/prefs
Roadmap module. The data model and route shape are reserved, the controllers and UI are scaffolded. The framework names this surface so your AI worker can grow into it without inventing a parallel structure.
10. Support & Knowledge Base
Chapter 12 — Growth Engine (support pyramid)
Stub / Roadmap
The support pyramid: docs > AI chat > human escalation. Stubs for conversation threads, knowledge articles, AI deflection, and operator escalation queue.
Backend
models
Conversation
Message
KnowledgeArticle
controllers
conversation.ctrl.js
article.ctrl.js
routes
/api/conversations
/api/knowledge
middlewares
requireAuth (customer)
requirePermission (operator side)
Frontend
pages
support/Inbox (customer)
admin/Support (operator queue)
KnowledgeBase (public)
actions
supportActions (loadConversations, postMessage, escalate)
API endpoints (5)
GET /api/conversations (customer — own threads)
POST /api/conversations (start new)
POST /api/conversations/:id/messages
GET /api/admin/conversations (operator queue)
GET /api/knowledge (public articles)
Roadmap module. The data model and route shape are reserved, the controllers and UI are scaffolded. The framework names this surface so your AI worker can grow into it without inventing a parallel structure.
11. Content & SEO
Chapter 04 — SEO from Day One
Partial
Public blog and content surface. The Article system (model, /api/articles, editor, draft/publish, likes and comments) is now fully implemented — see the Community module. Sitemaps, redirects, schema.org markup and an SEO audit report remain roadmap.
Backend
routes
/api/articles
/sitemap.xml
/robots.txt
middlewares
requirePermission(["marketing","admin"])
Frontend
pages
Blog (list)
Article (detail)
admin/Articles (editor)
API endpoints (5)
GET /api/articles (public — published)
GET /api/articles/:slug (public — detail)
POST /api/articles (admin — create draft)
PUT /api/articles/:id (admin — update / publish)
GET /sitemap.xml
12. Integrations & Webhooks
Chapter 11 — Billing + extensions
Stub / Roadmap
Outbound webhooks to customer endpoints. Stubs for webhook destinations, retry queue, signed delivery, replay UI. API keys (built) cover inbound.
Backend
models
WebhookEndpoint
WebhookDelivery
routes
/api/webhooks/endpoints
/api/webhooks/deliveries
middlewares
requireAuth
requireCapability("webhooks.manage")
utils
webhookSigner.js (HMAC-SHA256)
Frontend
pages
account/Webhooks (CRUD + delivery log + replay)
API endpoints (6)
GET /api/webhooks/endpoints
POST /api/webhooks/endpoints
PUT /api/webhooks/endpoints/:id
DELETE /api/webhooks/endpoints/:id
GET /api/webhooks/deliveries (paginated, filter by status/endpoint)
POST /api/webhooks/deliveries/:id/replay
Roadmap module. The data model and route shape are reserved, the controllers and UI are scaffolded. The framework names this surface so your AI worker can grow into it without inventing a parallel structure.
The second kit in the framework: a config-driven Next.js storefront that is the marketing + community surface in front of the MERN app above — the same way prigmar-portal sits in front of prigmar-app and bidlight-portal in front of the BidLight MERN app. Rebrand it by editing one file (lib/site.config.js) plus styles/variables.css; no component edits needed.
What it ships
Marketing surface
- Home / hero, pricing, about
- SEO + Open Graph + JSON-LD
- Logo & colour rebrand via config
Demo & leads
- Demo form → Mongo + email (nodemailer)
- Calendly scheduling + webhook
- Optional CRM forward
Knowledge
- Engineered FAQ (categories, JSON-LD)
- Learning / articles blog
- Markdown editor
Community
- Accounts (JWT auth)
- Q&A with per-user voting + accept
- Article likes + comments
Two run modes
Standalone
- Own Next.js API routes + Mongo
- httpOnly-cookie auth
NEXT_PUBLIC_API_BASE="/api"
Linked (headless)
- Pure frontend on the MERN app kit
- Bearer-token auth (the prigmar / bidlight pattern)
NEXT_PUBLIC_API_BASE → the app kit /api
Public routes
/ marketing home
/pricing plans
/faq engineered FAQ
/articles learning / blog /articles/[slug] /articles/new
/questions community Q&A /questions/[slug] /questions/ask
/contact demo + Calendly
/login /register accounts
Both kits share one API contract, so the same portal runs on its own routes or headless against the app kit. Crawl or download it at the token-gated /kit/storefront/{tree,file,zip} endpoints.