Desktop view:

Mobile browser + PWA install prompt:

PWA standalone + navigation:

The frontend uses Next.js with MUI and global React contexts for auth, layout, dialogs, and WebSocket state. The backend uses Express with Sequelize, Redis, and Socket.io. Both stacks share Zod schemas for type-safe validation.

• Clone your working copy and run the setup script — it handles env files, database migrations, and dependency installation.

• Google OAuth via Passport.js with HttpOnly cookie sessions stored in Redis.
• Passwordless email login
• Profile management with avatar uploads via R2.
• Per-user notification preference syncing.
• Active session tracking — users can view and revoke their sessions.
• Account deletion with a configurable grace period before permanent removal.

• VAPID-based push notifications — users get native browser push even when the app is closed.
• Service worker persists on tab close. Push logic creates an encrypted link to FCM/APNs for delivery.
• In-app notification center with read/unread states.
• Login alerts — users are notified when their account is accessed from a new device.

• Users can report bugs and flag content directly from the UI.
• Bug reports support optional screenshots and categorization.
• Content reports target specific users or items for admin review.

• Users can submit feature ideas from the app; requests sync with a GitHub-backed workflow for triage.
• Admins see a board-style view similar to GitHub projects board view (can also be used as an alternative for GitHub issues); users get a simple submit form and a thread of responses.

User — submit a feature request:

Admin — Feature Requests view:

Admin — reply / message on a request:

User — what they see (responses / thread):

• Configurable account restriction modes: invitation-only (whitelist) and banned states.
• Full-screen gate UI blocks banned and whitelist-restricted users from accessing the app.
• Moderation states are configurable at runtime from the admin settings panel.

• Cloudflare R2 (S3-compatible) for production storage, local PostgreSQL blobs for dev.
• Multer handles multipart uploads with Zod validation on file types and sizes.
• Multiple upload UI variants: dropzone and stealth/button-only.
• Automated garbage collector runs as a separate Docker worker — sweeps orphan files from storage when their DB references are deleted.
• Resource limit scripts on the GC worker container so it doesn't affect the main API server.

• Admin dashboard with system health overview and quick-access to all admin tools.
• Logging with Correlation IDs: every HTTP request gets a unique ID that follows it through every middleware, service call, and database query. Search by one ID to get the full trace of any request.
• Structured JSON logs stored in the database — viewable through the admin logs UI with filtering.
• Database telemetry: connection pool stats, query performance, and storage usage in real-time.
• Moderation tools: user lookup by ID/email/username, ban/unban management, and report review.
• User activity stats and active user tracking.
• Admin settings panel for runtime configuration changes.

• Single App configuration surface: most knobs apply instantly across backend instances (no restart), with everything audited.
• Branding — app icon URL, support email, social links, and visibility toggles for Instagram, X/Twitter, and a custom external link.
• Feature flags — coarse switches (whitelist, invite-only gate, welcome email, reporting, bug/content reports, feature requests, media GC, etc.).
• Rate & upload limits — max upload size, per-minute/day upload caps, report and feature-request throttles, account deletion grace period.
• Usage dashboard limits — display-only soft limits for DB, auth sign-ups, email, and media storage; optional “hard limit” toggles for gauges only.
• Alert webhooks — Telegram, Discord, Slack, and generic HTTP hooks for errors, audit events, and reports (multi-provider).
• Reporting extras & blast tuning — report CC emails, reply-to behaviour, and concurrency/delay for admin email blasts.
• Media garbage collector — enable/dry-run, intervals, retention, batch sizes for mark/delete/recover passes.
• Log mirroring & usage snapshot — Postgres log mirror for the admin logs UI (row caps, retention, cleanup, search limit) and usage snapshot worker timing.
• Admin management — env-defined master admins vs DB-backed regular admins, with a security reminder before granting access.

Branding (app icon, support email, social links, link visibility):

Feature flags (major behaviour toggles):

Rate and upload limits (uploads, reports, feature requests, deletion grace):

Usage dashboard — provider soft limits and display-only hard-limit toggles:

Alert webhooks (errors, audit, reports across Telegram / Discord / Slack / HTTP):

Reporting extras and admin blast throughput (CC list, reply-to, batch concurrency and delay):

Media garbage collector (schedule, retention, batch sizes, dry run):

Log mirroring for the admin logs UI and usage snapshot worker timing:

Admin management (master vs regular admins):

• Direct email sending to individual users via Nodemailer/Resend.
• Bulk email blasts with recipient filtering (all users, active in last N days, etc.).
• HTML template preview before sending.

• OpenAPI/Swagger docs for all REST endpoints — admin-only access.
• AsyncAPI docs for all WebSocket events — admin-only access.
• Both are auto-generated from route and event definitions.

• Zero-exposure deployment: database and internal services are never exposed to the public internet.
• All traffic proxied through Cloudflare Tunnels — no open ports on the server.
• Built on top of my VPS Deploy Template base, with GitHub Actions handling CI/CD automatically on push, no $ spent on Vercel or AWS.
• External database access for admin use is proxied through a secure tunnel.
• Dev environment uses /dev/ routes with production build exclusion and visible console warnings.