From e89537f217ff4458dff1b0a917c77dac8222c951 Mon Sep 17 00:00:00 2001
From: nxtkofi
Date: Sat, 2 May 2026 16:10:43 +0200
Subject: [PATCH] docs: add comprehensive feature roadmap

Add features.md with 118 potential features across 14 categories
Includes implementation status, notes, and suggested priority order

Co-authored-by: Sisyphus
---
 features.md | 267 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 267 insertions(+)
 create mode 100644 features.md

diff --git a/features.md b/features.md
new file mode 100644
index 0000000..e8e83f0
--- /dev/null
+++ b/features.md
@@ -0,0 +1,267 @@ +# Convex Next.js SaaS Template β€” Feature Roadmap + +> Comprehensive checklist of features, patterns, and integrations that a production-ready SaaS template should include. Use this as a north star for prioritizing work. + +--- + +## Legend + +| Symbol | Meaning | +|--------|---------| +| βœ… | Already implemented | +| πŸ”„ | Partial / needs refinement | +| πŸ“‹ | Planned / on the backlog | +| πŸ’‘ | Nice-to-have / stretch goal | + +--- + +## Core Platform + +| # | Feature | Status | Notes | +|---|---------|--------|-------| +| 1 | Next.js 16 App Router | βœ… | React 19, TypeScript 5, Tailwind CSS 4 | +| 2 | Convex self-hosted backend | βœ… | Docker on Coolify | +| 3 | Runtime env validation (Zod) | βœ… | `src/lib/env.ts` | +| 4 | Multi-tenant architecture | πŸ“‹ | Teams / orgs support | +| 5 | Custom domain support | πŸ’‘ | Vercel-style subdomain routing | +| 6 | Edge middleware | πŸ”„ | `src/proxy.ts` for locale only | +| 7 | API versioning | πŸ’‘ | `/api/v1/...` | +| 8 | Health checks / status | πŸ’‘ | `/api/health`, Convex ping | + +--- + +## Authentication & Authorization + +| # | Feature | Status | Notes | +|---|---------|--------|-------| +| 9 | Email/password auth | βœ… | Better Auth + Convex adapter | +| 10 | Password strength (HIBP) | βœ… | `haveIBeenPwned` plugin | +| 11 | Email verification | βœ… | Token-based, Resend emails | +| 12 | Forgot/reset password | βœ… | Secure token flow | +| 13 | Change password | βœ… | Authenticated users | +| 14 | Session management | βœ… | Better Auth sessions in Convex | +| 15 | OAuth providers (Google, GitHub) | πŸ“‹ | Sign in with Google/GitHub | +| 16 | 2FA / MFA (TOTP, SMS) | πŸ“‹ | Authenticator app, backup codes | +| 17 | Passkeys / WebAuthn | πŸ’‘ | FIDO2, passwordless | +| 18 | RBAC (Roles & Permissions) | πŸ“‹ | Admin, Member, Viewer roles | +| 19 | API keys (scoped) | πŸ“‹ | Per-user or per-team API keys | +| 20 | Impersonation / sudo mode | πŸ’‘ | Admin login-as-user for support | +| 21 | 
Account lockout / brute-force | πŸ“‹ | Rate limit failed logins | +| 22 | Device / session management | πŸ“‹ | List active sessions, revoke | + +--- + +## Billing & Subscriptions + +| # | Feature | Status | Notes | +|---|---------|--------|-------| +| 23 | Stripe Checkout | πŸ“‹ | Subscription + one-time payments | +| 24 | Subscription tiers (Free/Pro/Enterprise) | πŸ“‹ | Feature gating per plan | +| 25 | Usage-based billing | πŸ“‹ | Metered billing (API calls, storage) | +| 26 | Team billing | πŸ“‹ | One payment method per team | +| 27 | Invoice history | πŸ“‹ | Download PDF invoices | +| 28 | Tax handling (VAT, GST) | πŸ’‘ | Stripe Tax integration | +| 29 | Trial periods | πŸ“‹ | 14-day free trial logic | +| 30 | Self-serve upgrades/downgrades | πŸ“‹ | Prorated charges | +| 31 | Cancellation / retention flow | πŸ’‘ | Exit survey, pause subscription | + +--- + +## Team & Collaboration + +| # | Feature | Status | Notes | +|---|---------|--------|-------| +| 32 | Organizations / Teams | πŸ“‹ | Multi-user workspaces | +| 33 | Team invitations (email) | πŸ“‹ | Invite link with expiry | +| 34 | Role-based access within team | πŸ“‹ | Owner, Admin, Editor, Viewer | +| 35 | Member management | πŸ“‹ | Remove, change roles | +| 36 | Activity log / Audit trail | πŸ“‹ | Who did what, when | +| 37 | Shared resources | πŸ“‹ | Team-scoped data in Convex | +| 38 | Public/private projects | πŸ’‘ | Visibility toggle | + +--- + +## User Experience + +| # | Feature | Status | Notes | +|---|---------|--------|-------| +| 39 | Locale routing (i18n) | βœ… | EN/PL with next-intl | +| 40 | Theme switching | βœ… | Dark/light/system | +| 41 | App shell with navigation | βœ… | Auth-aware nav header | +| 42 | Error boundaries | βœ… | `error.tsx` with retry | +| 43 | Loading states | βœ… | `loading.tsx` fallback | +| 44 | Not-found handling | βœ… | Localized + root 404 | +| 45 | Cookie consent (GDPR) | βœ… | Category-based consent | +| 46 | Onboarding wizard | πŸ“‹ | Multi-step first-run flow 
| +| 47 | In-app notifications | πŸ“‹ | Toast + bell icon dropdown | +| 48 | Command palette (Cmd+K) | πŸ’‘ | Spotlight-style search | +| 49 | Keyboard shortcuts | πŸ’‘ | `?` help modal | +| 50 | Guided tours | πŸ’‘ | Shepherd.js or similar | +| 51 | Changelog / What's new | πŸ’‘ | In-app announcement modal | +| 52 | Feedback widget | πŸ’‘ | Canny/Featurebase style | +| 53 | Help center / Docs | πŸ’‘ | MDX-based docs site | + +--- + +## File & Media + +| # | Feature | Status | Notes | +|---|---------|--------|-------| +| 54 | Avatar upload | πŸ“‹ | Profile picture, Convex storage | +| 55 | File uploads (documents, images) | πŸ“‹ | Drag & drop, progress bar | +| 56 | Image optimization | πŸ’‘ | Next.js `` presets | +| 57 | Export data (GDPR) | πŸ“‹ | JSON/CSV download | +| 58 | Bulk import | πŸ’‘ | CSV upload with validation | + +--- + +## Communication + +| # | Feature | Status | Notes | +|---|---------|--------|-------| +| 59 | Transactional emails | βœ… | Resend (verification, reset) | +| 60 | Email templates | πŸ”„ | Basic HTML, needs design system | +| 61 | Welcome email sequence | πŸ“‹ | Post-signup drip campaign | +| 62 | In-app messaging | πŸ’‘ | Announcements, banners | +| 63 | Push notifications | πŸ’‘ | Web Push API | +| 64 | SMS notifications | πŸ’‘ | Twilio for 2FA/alerts | + +--- + +## Analytics & Monitoring + +| # | Feature | Status | Notes | +|---|---------|--------|-------| +| 65 | Analytics (Plausible/PostHog) | πŸ“‹ | Privacy-first, cookie-respecting | +| 66 | Error tracking (Sentry) | πŸ“‹ | Source maps, user context | +| 67 | Performance monitoring | πŸ’‘ | Web Vitals, Convex query timing | +| 68 | A/B testing | πŸ’‘ | Feature flags + split testing | +| 69 | Feature flags | πŸ’‘ | LaunchDarkly or simple env-based | +| 70 | Usage tracking | πŸ“‹ | Per-user, per-team quotas | +| 71 | Dashboard metrics | πŸ’‘ | Admin panel with charts | + +--- + +## API & Integrations + +| # | Feature | Status | Notes | +|---|---------|--------|-------| +| 72 | 
REST API | πŸ“‹ | Convex HTTP actions exposed | +| 73 | Webhooks | πŸ“‹ | Outgoing webhooks with signatures | +| 74 | API rate limiting | πŸ“‹ | Per-key, per-user throttling | +| 75 | API documentation (OpenAPI) | πŸ’‘ | Scalar or Swagger UI | +| 76 | Zapier/Make integration | πŸ’‘ | Trigger-based automations | +| 77 | CLI tool | πŸ’‘ | Node.js CLI for project scaffolding | +| 78 | SDK / Client library | πŸ’‘ | TypeScript client wrapper | +| 79 | GraphQL endpoint | πŸ’‘ | Optional GraphQL layer | + +--- + +## Security & Compliance + +| # | Feature | Status | Notes | +|---|---------|--------|-------| +| 80 | GDPR compliance | πŸ”„ | Cookie consent βœ…, DPA needed | +| 81 | Data deletion (right to be forgotten) | πŸ“‹ | Account wipe + cascade delete | +| 82 | Data portability | πŸ“‹ | Export all user data | +| 83 | Privacy policy / Terms | πŸ“‹ | Generated legal pages | +| 84 | CSP headers | πŸ’‘ | Content Security Policy | +| 85 | CORS configuration | πŸ“‹ | Strict origin whitelist | +| 86 | Request signing | πŸ’‘ | HMAC for webhooks/API | +| 87 | DDoS protection | πŸ’‘ | Cloudflare or Coolify WAF | +| 88 | Secrets rotation | πŸ’‘ | Automated key rotation | + +--- + +## SEO & Marketing + +| # | Feature | Status | Notes | +|---|---------|--------|-------| +| 89 | SEO metadata | πŸ”„ | Basic ``, needs per-page | +| 90 | Dynamic OG images | πŸ’‘ | `@vercel/og` or similar | +| 91 | Sitemap.xml | πŸ’‘ | Auto-generated sitemap | +| 92 | Robots.txt | πŸ’‘ | Dynamic robots rules | +| 93 | Canonical URLs | πŸ’‘ | Avoid duplicate content | +| 94 | Structured data (JSON-LD) | πŸ’‘ | Schema.org markup | +| 95 | Blog / CMS | πŸ’‘ | MDX blog or headless CMS | +| 96 | Landing page builder | πŸ’‘ | Reusable sections | +| 97 | Waitlist / Early access | πŸ’‘ | Pre-launch email capture | +| 98 | Referral program | πŸ’‘ | Invite links with rewards | +| 99 | Affiliate tracking | πŸ’‘ | UTM + commission logic | + +--- + +## DevOps & Deployment + +| # | Feature | Status | Notes | 
+|---|---------|--------|-------| +| 100 | GitHub Actions CI | βœ… | Lint + build | +| 101 | Automated deployments | πŸ“‹ | Coolify webhook deploy | +| 102 | Preview environments | πŸ’‘ | Per-PR staging | +| 103 | Database migrations | πŸ“‹ | Convex schema evolution | +| 104 | Backup strategy | πŸ’‘ | Convex data snapshots | +| 105 | Log aggregation | πŸ’‘ | Centralized logging | +| 106 | Uptime monitoring | πŸ’‘ | UptimeRobot / Pingdom | +| 107 | SSL auto-renewal | βœ… | Coolify / Let's Encrypt | + +--- + +## Mobile & PWA + +| # | Feature | Status | Notes | +|---|---------|--------|-------| +| 108 | PWA support | πŸ’‘ | Service worker, manifest | +| 109 | Offline mode | πŸ’‘ | Convex local cache | +| 110 | Mobile app (Expo) | πŸ’‘ | React Native companion | +| 111 | Responsive design | βœ… | Tailwind breakpoints | +| 112 | Touch gestures | πŸ’‘ | Swipe actions | + +--- + +## Admin & Internal + +| # | Feature | Status | Notes | +|---|---------|--------|-------| +| 113 | Admin dashboard | πŸ“‹ | User management, stats | +| 114 | User impersonation | πŸ’‘ | Login as any user | +| 115 | Feature flag console | πŸ’‘ | Toggle features per user | +| 116 | Support ticket system | πŸ’‘ | Intercom/Crisp integration | +| 117 | Abuse reporting | πŸ’‘ | Flag spam/abuse | +| 118 | Ban/suspend users | πŸ’‘ | Soft delete + block | + +--- + +## Summary + +| Category | Implemented | Planned | Total | +|----------|-------------|---------|-------| +| Core Platform | 4 | 3 | 8 | +| Auth & Security | 7 | 14 | 14 | +| Billing | 0 | 9 | 9 | +| Team & Collaboration | 0 | 7 | 7 | +| User Experience | 7 | 14 | 14 | +| File & Media | 0 | 5 | 5 | +| Communication | 2 | 5 | 6 | +| Analytics | 0 | 6 | 7 | +| API & Integrations | 0 | 8 | 8 | +| Security & Compliance | 1 | 8 | 9 | +| SEO & Marketing | 0 | 10 | 11 | +| DevOps | 2 | 5 | 7 | +| Mobile & PWA | 1 | 4 | 5 | +| Admin & Internal | 0 | 6 | 6 | +| **Total** | **24** | **104** | **118** | + +--- + +## Suggested Priority Order + +1. 
**Billing (Stripe)** β€” brak tego = brak monetyzacji +2. **OAuth providers** β€” zwiΔ™ksza konwersjΔ™ sign-up +3. **Organizations / Teams** β€” B2B SaaS bez tego nie istnieje +4. **RBAC** β€” musi iΕ›Δ‡ rΔ™ka w rΔ™kΔ™ z teamami +5. **Onboarding wizard** β€” redukcja churn na starcie +6. **Analytics (PostHog/Plausible)** β€” bez danych nie wiesz co dziaΕ‚a +7. **API keys + webhooks** β€” developer experience, integracje +8. **Admin dashboard** β€” support i operacje +9. **2FA** β€” enterprise security requirement +10. **PWA / offline** β€” konkurencyjna przewaga UX
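
Review bot: The Summary table near the end of features.md does not agree with the feature tables above it, so its counts need to be recomputed from the rows. The Total row reads "24 | 104 | 118", but 24 + 104 is 128, and the Total column as written sums to 116; the gap comes from User Experience (rows 39 to 53 are 15 features, listed as 14) and DevOps (rows 100 to 107 are 8, listed as 7). "Auth & Security | 7 | 14 | 14" has implemented plus planned exceeding the total, and that section shows six rows marked implemented (9 to 14), not seven. Adding a separate column for partial items and defining "Planned" to match the Legend would make each row add up. The figure of 118 also counts several features twice: impersonation is row 20 and row 114, session management is row 14 and row 22, user data export is row 57 and row 82, feature flags are row 69 and row 115, and webhook signing is row 73 ("Outgoing webhooks with signatures") and row 86 ("HMAC for webhooks/API"), the last pair carrying different statuses. Please merge each pair into one row with one status, and for the impersonation row ("Login as any user") note its dependency on the audit trail in row 36. The rationale text in "Suggested Priority Order" is in Polish while the rest of the file is in English; please use one language throughout.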