t-convex-nextjs-saas/features.md

# Convex Next.js SaaS Template — Feature Roadmap

> Comprehensive checklist of features, patterns, and integrations that a production-ready SaaS template should include. Use this as a north star for prioritizing work.

---

## Legend

| Symbol | Meaning |
|--------|---------|
| ✅ | Already implemented |
| 🔄 | Partial / needs refinement |
| 📋 | Planned / on the backlog |
| 💡 | Nice-to-have / stretch goal |

---

## Core Platform

| # | Feature | Status | Notes |
|---|---------|--------|-------|
| 1 | Next.js 16 App Router | ✅ | React 19, TypeScript 5, Tailwind CSS 4 |
| 2 | Convex self-hosted backend | ✅ | Docker on Coolify |
| 3 | Runtime env validation (Zod) | ✅ | `src/lib/env.ts` |
| 4 | Multi-tenant architecture | 📋 | Teams / orgs support |
| 5 | Custom domain support | 💡 | Vercel-style subdomain routing |
| 6 | Edge middleware | 🔄 | `src/proxy.ts` for locale only |
| 7 | API versioning | 💡 | `/api/v1/...` |
| 8 | Health checks / status | 💡 | `/api/health`, Convex ping |

---

## Authentication & Authorization

| # | Feature | Status | Notes |
|---|---------|--------|-------|
| 9 | Email/password auth | ✅ | Better Auth + Convex adapter |
| 10 | Password strength (HIBP) | ✅ | `haveIBeenPwned` plugin |
| 11 | Email verification | ✅ | Token-based, Resend emails |
| 12 | Forgot/reset password | ✅ | Secure token flow |
| 13 | Change password | ✅ | Authenticated users |
| 14 | Session management | ✅ | Better Auth sessions in Convex |
| 15 | OAuth providers (Google, GitHub) | 📋 | Sign in with Google/GitHub |
| 16 | 2FA / MFA (TOTP, SMS) | 📋 | Authenticator app, backup codes |
| 17 | Passkeys / WebAuthn | 💡 | FIDO2, passwordless |
| 18 | RBAC (Roles & Permissions) | 📋 | Admin, Member, Viewer roles |
| 19 | API keys (scoped) | 📋 | Per-user or per-team API keys |
| 20 | Impersonation / sudo mode | 💡 | Admin login-as-user for support |
| 21 | Account lockout / brute-force | 📋 | Rate limit failed logins |
| 22 | Device / session management | 📋 | List active sessions, revoke |

---

## Billing & Subscriptions

| # | Feature | Status | Notes |
|---|---------|--------|-------|
| 23 | Stripe Checkout | 📋 | Subscription + one-time payments |
| 24 | Subscription tiers (Free/Pro/Enterprise) | 📋 | Feature gating per plan |
| 25 | Usage-based billing | 📋 | Metered billing (API calls, storage) |
| 26 | Team billing | 📋 | One payment method per team |
| 27 | Invoice history | 📋 | Download PDF invoices |
| 28 | Tax handling (VAT, GST) | 💡 | Stripe Tax integration |
| 29 | Trial periods | 📋 | 14-day free trial logic |
| 30 | Self-serve upgrades/downgrades | 📋 | Prorated charges |
| 31 | Cancellation / retention flow | 💡 | Exit survey, pause subscription |

## User Experience

| # | Feature | Status | Notes |
|---|---------|--------|-------|
| 39 | Locale routing (i18n) | ✅ | EN/PL with next-intl |
| 40 | Theme switching | ✅ | Dark/light/system |
| 41 | App shell with navigation | ✅ | Auth-aware nav header |
| 42 | Error boundaries | ✅ | `error.tsx` with retry |
| 43 | Loading states | ✅ | `loading.tsx` fallback |
| 44 | Not-found handling | ✅ | Localized + root 404 |
| 45 | Cookie consent (GDPR) | ✅ | Category-based consent |
| 46 | Onboarding wizard | 📋 | Multi-step first-run flow |
| 47 | In-app notifications | 📋 | Toast + bell icon dropdown |
| 48 | Command palette (Cmd+K) | 💡 | Spotlight-style search |
| 49 | Keyboard shortcuts | 💡 | `?` help modal |
| 50 | Guided tours | 💡 | Shepherd.js or similar |
| 51 | Changelog / What's new | 💡 | In-app announcement modal |
| 52 | Feedback widget | 💡 | Canny/Featurebase style |
| 53 | Help center / Docs | 💡 | MDX-based docs site |

---

## File & Media

| # | Feature | Status | Notes |
|---|---------|--------|-------|
| 54 | Avatar upload | 📋 | Profile picture, Convex storage |
| 55 | File uploads (documents, images) | 📋 | Drag & drop, progress bar |
| 56 | Image optimization | 💡 | Next.js `<Image>` presets |
| 57 | Export data (GDPR) | 📋 | JSON/CSV download |
| 58 | Bulk import | 💡 | CSV upload with validation |

---

## Communication

| # | Feature | Status | Notes |
|---|---------|--------|-------|
| 59 | Transactional emails | ✅ | Resend (verification, reset) |
| 60 | Email templates | 🔄 | Basic HTML, needs design system |
| 61 | Welcome email sequence | 📋 | Post-signup drip campaign |
| 62 | In-app messaging | 💡 | Announcements, banners |
| 63 | Push notifications | 💡 | Web Push API |

## Analytics & Monitoring

| # | Feature | Status | Notes |
|---|---------|--------|-------|
| 65 | Analytics (Plausible/PostHog) | 📋 | Privacy-first, cookie-respecting |
| 66 | Error tracking (Sentry) | 📋 | Source maps, user context |
| 67 | Performance monitoring | 💡 | Web Vitals, Convex query timing |
| 68 | A/B testing | 💡 | Feature flags + split testing |
| 69 | Feature flags | 💡 | LaunchDarkly or simple env-based |
| 70 | Usage tracking | 📋 | Per-user, per-team quotas |
| 71 | Dashboard metrics | 💡 | Admin panel with charts |

---

| # | Feature | Status | Notes |
|---|---------|--------|-------|
| 80 | GDPR compliance | 🔄 | Cookie consent ✅, DPA needed |
| 81 | Data deletion (right to be forgotten) | 📋 | Account wipe + cascade delete |
| 82 | Data portability | 📋 | Export all user data |
| 83 | Privacy policy / Terms | 📋 | Generated legal pages |
| 84 | CSP headers | 💡 | Content Security Policy |
| 85 | CORS configuration | 📋 | Strict origin whitelist |
| 86 | Request signing | 💡 | HMAC for webhooks/API |
| 87 | DDoS protection | 💡 | Cloudflare or Coolify WAF |
| 88 | Secrets rotation | 💡 | Automated key rotation |

---

## SEO & Marketing

| # | Feature | Status | Notes |
|---|---------|--------|-------|
| 89 | SEO metadata | 🔄 | Basic `<Metadata>`, needs per-page |
| 90 | Dynamic OG images | 💡 | `@vercel/og` or similar |
| 91 | Sitemap.xml | 💡 | Auto-generated sitemap |
| 92 | Robots.txt | 💡 | Dynamic robots rules |
| 93 | Canonical URLs | 💡 | Avoid duplicate content |
| 94 | Structured data (JSON-LD) | 💡 | Schema.org markup |
| 95 | Blog / CMS | 💡 | MDX blog or headless CMS |
| 96 | Landing page builder | 💡 | Reusable sections |
| 97 | Waitlist / Early access | 💡 | Pre-launch email capture |
| 98 | Referral program | 💡 | Invite links with rewards |
| 99 | Affiliate tracking | 💡 | UTM + commission logic |

---

## DevOps & Deployment

| # | Feature | Status | Notes |
|---|---------|--------|-------|
| 100 | GitHub Actions CI | ✅ | Lint + build |
| 101 | Automated deployments | 📋 | Coolify webhook deploy |
| 102 | Preview environments | 💡 | Per-PR staging |
| 103 | Database migrations | 📋 | Convex schema evolution |
| 104 | Backup strategy | 💡 | Convex data snapshots |
| 105 | Log aggregation | 💡 | Centralized logging |
| 106 | Uptime monitoring | 💡 | UptimeRobot / Pingdom |
| 107 | SSL auto-renewal | ✅ | Coolify / Let's Encrypt |

---

## Mobile & PWA

| # | Feature | Status | Notes |
|---|---------|--------|-------|
| 108 | PWA support | 💡 | Service worker, manifest |
| 110 | Mobile app (Expo) | 💡 | React Native companion |
| 111 | Responsive design | ✅ | Tailwind breakpoints |
| 112 | Touch gestures | 💡 | Swipe actions |

---

## Admin & Internal

| # | Feature | Status | Notes |
|---|---------|--------|-------|
| 113 | Admin dashboard | 📋 | User management, stats |
| 114 | User impersonation | 💡 | Login as any user |
| 115 | Feature flag console | 💡 | Toggle features per user |
| 116 | Support ticket system | 💡 | Intercom/Crisp integration |
| 117 | Abuse reporting | 💡 | Flag spam/abuse |
| 118 | Ban/suspend users | 💡 | Soft delete + block |

---

## Suggested Priority Order

1. **Billing (Stripe)** — brak tego = brak monetyzacji
2. **OAuth providers** — zwiększa konwersję sign-up
4. **RBAC** — musi iść ręka w rękę z teamami
5. **Onboarding wizard** — redukcja churn na starcie
6. **Analytics (PostHog/Plausible)** — bez danych nie wiesz co działa
7. **API keys + webhooks** — developer experience, integracje
8. **Admin dashboard** — support i operacje
9. **2FA** — enterprise security requirement
10. **PWA / offline** — konkurencyjna przewaga UX