
CarCraft

web-app, Featured

CarCraft is a full-stack SaaS platform built for a real automotive interior restoration and exterior protection business. It handles the complete customer lifecycle — from initial quote request through service delivery — with separate interfaces for customers and administrators.



Supported App Ecosystem

User Apps

Customer App

Public-facing site with service pages, quote wizard, and scheduling

Customer Portal

Unique booking links for status tracking and progress photos

Admin Tools

Admin Dashboard

Full business management with 15+ operational pages

Campaign Engine

Email broadcasts via Tiptap editor and SMS automation via Twilio

Infrastructure

Cron Workers

Automated SMS reminders and follow-up email sequences


Architecture

RSC-based dual-dashboard with 23 Prisma models

The architecture separates customer and admin concerns via Next.js route groups — (public), (customer), and admin — each with tailored layouts and auth requirements. Supabase Auth with SSR adapter handles magic links and RBAC role assignment.

1. Customer Frontend

Public-facing pages for services, quoting, scheduling, and customer accounts with magic link auth.

Stack: React 19, Framer Motion, shadcn/ui, Tailwind CSS 4

2. Admin Dashboard

Full business management interface with TanStack React Table, Tiptap editor, and real-time stats.

Stack: TanStack React Table, Tiptap 3, Server Actions

3. API Layer

27 API routes handling quotes, bookings, payments, campaigns, and automated cron operations.

Stack: Next.js 16 App Router, Server Actions, Vercel Cron

4. Data Layer

PostgreSQL via Prisma 7 ORM with 23 models covering core operations, marketing, and compliance.

Stack: Prisma 7, PostgreSQL, Supabase Auth

Security Boundaries

Credentials Server-Side

Upstream API keys never reach the browser. All credentials are managed in the BFF layer.

SSRF Protection

RFC 1918 blocklist prevents server-side requests to private network ranges.
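An RFC 1918 blocklist on its own still lets a server-side request reach loopback, link-local (where the 169.254.169.254 cloud metadata endpoint lives), CGNAT space and the IPv6 equivalents, and it does nothing if the hostname is checked before it is resolved. The guard below is an added example written for this page, not CarCraft's own code; the function names, the injected resolver and the sample address table are assumptions.

```typescript
import * as net from "node:net";

// Added example (not CarCraft code): an outbound-URL guard for a BFF layer.
// Blocked IPv4 ranges as [network, prefix]. RFC 1918 alone leaves loopback,
// link-local (including the 169.254.169.254 metadata endpoint), CGNAT and
// "this network" reachable, so those are listed too.
const BLOCKED_V4: Array<[string, number]> = [
  ["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16], // RFC 1918
  ["127.0.0.0", 8],    // loopback
  ["169.254.0.0", 16], // link-local, cloud metadata
  ["100.64.0.0", 10],  // CGNAT (RFC 6598)
  ["0.0.0.0", 8],      // "this network"
];

function ipv4ToInt(ip: string): number {
  return ip.split(".").reduce((acc, octet) => ((acc << 8) + Number(octet)) >>> 0, 0);
}

function inCidr(ip: string, network: string, prefix: number): boolean {
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(network) & mask) >>> 0);
}

function isBlockedIpv4(ip: string): boolean {
  return BLOCKED_V4.some(([network, prefix]) => inCidr(ip, network, prefix));
}

// Expand an IPv6 literal into eight 16-bit groups. A dotted-quad tail
// (::ffff:10.0.0.1) is folded into the last two groups first.
function expandIpv6(ip: string): number[] {
  let s = ip.toLowerCase();
  const tail = s.match(/^(.*:)(\d+\.\d+\.\d+\.\d+)$/);
  if (tail) {
    const n = ipv4ToInt(tail[2]);
    s = `${tail[1]}${(n >>> 16).toString(16)}:${(n & 0xffff).toString(16)}`;
  }
  const [head, rest] = s.split("::");
  const h = head ? head.split(":") : [];
  const t = rest ? rest.split(":") : [];
  const zeros = new Array(8 - h.length - t.length).fill("0");
  return [...h, ...zeros, ...t].map((g) => parseInt(g, 16));
}

function isBlockedIpv6(ip: string): boolean {
  const g = expandIpv6(ip);
  const mapped = g.slice(0, 5).every((x) => x === 0) && g[5] === 0xffff;
  if (mapped) {
    // IPv4-mapped: apply the IPv4 rules to the embedded address
    return isBlockedIpv4(`${g[6] >> 8}.${g[6] & 0xff}.${g[7] >> 8}.${g[7] & 0xff}`);
  }
  if (g.slice(0, 7).every((x) => x === 0) && g[7] <= 1) return true; // :: and ::1
  if ((g[0] & 0xfe00) === 0xfc00) return true; // fc00::/7 unique local
  if ((g[0] & 0xffc0) === 0xfe80) return true; // fe80::/10 link-local
  return false;
}

export function isBlockedAddress(ip: string): boolean {
  switch (net.isIP(ip)) {
    case 4: return isBlockedIpv4(ip);
    case 6: return isBlockedIpv6(ip);
    default: return true; // not a valid literal: fail closed
  }
}

export type Resolver = (host: string) => Promise<string[]>;

// Check a URL before the server fetches it. Hostnames go through an injected
// resolver (dns.promises.resolve4/resolve6 in production, a fixed table in
// tests) and every returned address is checked, not just the first one.
export async function assertSafeOutboundUrl(raw: string, resolve: Resolver): Promise<URL> {
  const url = new URL(raw);
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    throw new Error(`blocked scheme: ${url.protocol}`);
  }
  if (url.username || url.password) throw new Error("credentials in URL are not allowed");
  // WHATWG URL parsing has already normalised IPv4 shorthand such as
  // http://2130706433/ to 127.0.0.1; IPv6 hostnames keep their brackets.
  const host = url.hostname.replace(/^\[|\]$/g, "");
  const addrs = net.isIP(host) ? [host] : await resolve(host);
  if (addrs.length === 0) throw new Error(`unresolvable host: ${host}`);
  for (const a of addrs) {
    if (isBlockedAddress(a)) throw new Error(`blocked address ${a} for host ${host}`);
  }
  return url;
}
```

Resolving and then fetching is still two lookups, so a rebinding DNS name can pass the check and point elsewhere by the time the request goes out; the fix is to pin the vetted address (a custom `lookup` on the HTTP agent) and to re-run the check on every redirect hop rather than letting the client follow them.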

HMAC Enablement Gates

SHA-256 HMAC gates validate adapter connectivity before exposing data paths.

Integration Intelligence

6+ external services orchestrated for business operations

The platform integrates Supabase Auth for authentication, Stripe for payments, Resend for transactional and broadcast email, Twilio for SMS with quiet hours, NHTSA API for vehicle lookup, and Google Reviews for social proof. Each integration is isolated in dedicated modules.

Supabase Auth

Authentication

Authentication with magic links, Google OAuth, and RBAC role assignment for admin team management.

Failure mode:

Unauthenticated page requests are redirected to the login page; protected API routes return 401

Normalization:

Supabase SSR adapter → session cookie with role claims

Stripe

Payments

Checkout sessions with configurable deposits, promo code redemption, and refund processing.

Failure mode:

Checkout creation fails gracefully; user sees retry prompt

Normalization:

Stripe webhook events → booking status updates via Prisma
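The webhook is the only path by which an external party can change a booking's status, so the route has to prove the event came from Stripe before it parses the body. The check below, which also illustrates the HMAC-SHA256 gate pattern listed under Security Boundaries, is an added example and not CarCraft's code: Stripe signs `${t}.${rawBody}` with the endpoint secret and sends `t=<unix seconds>,v1=<hex>` in the `Stripe-Signature` header (`v1` may repeat while a secret is being rotated), which is what the Stripe SDK's `constructEvent` verifies. The event shape, the booking status names and the `bookingId` metadata key are assumptions.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Added example (not CarCraft code): Stripe webhook signature verification
// and the idempotent mapping from a verified event to a booking update.
const DEFAULT_TOLERANCE_SEC = 300; // Stripe's default replay window

function hmacHex(secret: string, signedPayload: string): string {
  return createHmac("sha256", secret).update(signedPayload, "utf8").digest("hex");
}

// Build a header the way Stripe does; used here to construct test traffic.
export function signStripePayload(secret: string, rawBody: string, timestamp: number): string {
  return `t=${timestamp},v1=${hmacHex(secret, `${timestamp}.${rawBody}`)}`;
}

export function verifyStripeSignature(
  header: string,
  rawBody: string,
  secret: string,
  nowSec: number = Math.floor(Date.now() / 1000),
  toleranceSec: number = DEFAULT_TOLERANCE_SEC,
): boolean {
  const fields = new Map<string, string[]>();
  for (const item of header.split(",")) {
    const eq = item.indexOf("=");
    if (eq < 0) continue;
    const k = item.slice(0, eq).trim();
    const v = item.slice(eq + 1).trim();
    fields.set(k, [...(fields.get(k) ?? []), v]);
  }
  const t = Number(fields.get("t")?.[0]);
  // Reject missing or stale timestamps: the timestamp is inside the MAC, so a
  // replayed header cannot be refreshed without the secret.
  if (!Number.isInteger(t) || Math.abs(nowSec - t) > toleranceSec) return false;
  const expected = Buffer.from(hmacHex(secret, `${t}.${rawBody}`), "hex");
  return (fields.get("v1") ?? []).some((sig) => {
    const got = Buffer.from(sig, "hex");
    return got.length === expected.length && timingSafeEqual(got, expected); // constant time
  });
}

// Constructed event shape; a real Stripe event carries far more fields.
export interface StripeEventLike {
  id: string;
  type: string;
  data: { object: { id: string; metadata?: Record<string, string> } };
}

// Status names are illustrative, not CarCraft's enum values.
export type BookingUpdate = { bookingId: string; status: "DEPOSIT_PAID" | "REFUNDED" } | null;

export function bookingUpdateFor(event: StripeEventLike): BookingUpdate {
  const bookingId = event.data.object.metadata?.bookingId; // assumption: set at Checkout creation
  if (!bookingId) return null;
  switch (event.type) {
    case "checkout.session.completed": return { bookingId, status: "DEPOSIT_PAID" };
    case "charge.refunded": return { bookingId, status: "REFUNDED" };
    default: return null; // unknown events are acknowledged but ignored
  }
}

// Verify first, parse second, dedupe third. Stripe retries undelivered events,
// so the same event id can arrive more than once.
export function handleStripeWebhook(
  header: string, rawBody: string, secret: string, seenEventIds: Set<string>, nowSec?: number,
): BookingUpdate {
  if (!verifyStripeSignature(header, rawBody, secret, nowSec)) throw new Error("invalid signature");
  const event = JSON.parse(rawBody) as StripeEventLike;
  if (seenEventIds.has(event.id)) return null;
  seenEventIds.add(event.id);
  return bookingUpdateFor(event);
}
```

Two things bite in practice: the MAC is over the raw request bytes, so a framework that parses and re-serialises JSON before the handler runs will make every signature fail, and the seen-id set has to live in the database (a unique constraint on the event id) rather than in process memory once there is more than one instance.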

Resend

Email

Transactional emails for booking confirmations and broadcast campaigns with audience segmentation.

Failure mode:

Email queued for retry; booking flow continues without blocking

Normalization:

React Email templates → Resend API with audience tagging

Twilio

SMS

SMS notifications for booking confirmations, 24-hour reminders, and status updates with quiet hours.

Failure mode:

SMS failure logged; booking flow continues without blocking

Normalization:

Booking events → SMS messages with quiet hours filtering
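Quiet hours and non-blocking delivery are the two parts of this integration a practitioner would want to see handled explicitly: a window that crosses midnight, a DST change between "now" and the next allowed send, and a provider failure that must not fail the booking. The code below is an added example, not CarCraft's implementation; the window bounds, the timezone and the injected `send` function are assumptions.

```typescript
// Added example (not CarCraft code): quiet-hours deferral for outbound SMS
// and a send wrapper that never blocks the calling booking flow.

// Quiet window in local wall-clock hours (0-23); minutes are not modelled.
export interface QuietHours { timeZone: string; startHour: number; endHour: number }

const fmtCache = new Map<string, Intl.DateTimeFormat>();

function localHour(d: Date, timeZone: string): number {
  let fmt = fmtCache.get(timeZone);
  if (!fmt) {
    fmt = new Intl.DateTimeFormat("en-US", { timeZone, hour: "numeric", hour12: false });
    fmtCache.set(timeZone, fmt);
  }
  const hour = fmt.formatToParts(d).find((p) => p.type === "hour")!.value;
  return Number(hour) % 24; // some ICU builds render midnight as "24"
}

export function isQuietHour(hour: number, q: QuietHours): boolean {
  return q.startHour < q.endHour
    ? hour >= q.startHour && hour < q.endHour   // window inside one day, e.g. 9-17
    : hour >= q.startHour || hour < q.endHour;  // window crosses midnight, e.g. 21-8
}

// Earliest time at or after `when` that is outside the quiet window. Walks
// forward a minute at a time so DST transitions are handled by the tz
// database rather than by offset arithmetic.
export function nextAllowedSendTime(when: Date, q: QuietHours): Date {
  if (!isQuietHour(localHour(when, q.timeZone), q)) return when;
  const t = new Date(when.getTime());
  t.setUTCSeconds(0, 0);
  for (let i = 0; i < 24 * 60; i++) {
    t.setUTCMinutes(t.getUTCMinutes() + 1);
    if (!isQuietHour(localHour(t, q.timeZone), q)) return t;
  }
  throw new Error("quiet window covers the whole day");
}

export type SmsSender = (to: string, body: string) => Promise<string>; // resolves to a provider message id

export interface SmsOutcome { ok: boolean; messageId?: string; deferredUntil?: Date; error?: string }

// Send now, or report when the cron worker should send instead. A provider
// failure is logged and returned, never thrown.
export async function sendBookingSms(
  send: SmsSender,
  to: string,
  body: string,
  now: Date,
  q: QuietHours,
  log: (msg: string) => void = console.error,
): Promise<SmsOutcome> {
  const at = nextAllowedSendTime(now, q);
  if (at.getTime() > now.getTime()) return { ok: true, deferredUntil: at };
  try {
    return { ok: true, messageId: await send(to, body) };
  } catch (e) {
    const message = (e as Error).message;
    log(`sms to ${to} failed: ${message}`);
    return { ok: false, error: message };
  }
}
```

The deferred time is what the cron worker queues on; it should re-run the same check when it fires, since the customer's timezone or the window may have changed in the meantime.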

NHTSA API

Vehicle Data

Vehicle VIN decoding and year/make/model lookup for the multi-step quote wizard.

Failure mode:

Manual vehicle entry fallback when API unavailable

Normalization:

NHTSA response → normalized vehicle object for quote pricing
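Before a VIN is interpolated into an upstream request it is worth checking the ISO 3779 check digit locally, which rejects typos and junk without spending an API call, and the decoded payload needs a normalisation step that falls back to manual entry whenever the decode is not clean. The code below is an added example and not CarCraft's module; the response sample is constructed to resemble the flat shape of vPIC's `DecodeVinValues` endpoint (the real payload has far more fields), and the vehicle object's field names and the injected fetcher are assumptions.

```typescript
// Added example (not CarCraft code): VIN validation and vPIC normalisation
// with a manual-entry fallback for the quote wizard.
const VIN_WEIGHTS = [8, 7, 6, 5, 4, 3, 2, 10, 0, 9, 8, 7, 6, 5, 4, 3, 2];
const VIN_VALUES: Record<string, number> = {
  A: 1, B: 2, C: 3, D: 4, E: 5, F: 6, G: 7, H: 8,
  J: 1, K: 2, L: 3, M: 4, N: 5, P: 7, R: 9,
  S: 2, T: 3, U: 4, V: 5, W: 6, X: 7, Y: 8, Z: 9,
};

// ISO 3779 check digit (position 9): weighted sum mod 11, 10 written as "X".
// Mandatory for the North American market; vehicles sold elsewhere may not
// carry a valid check digit, so treat a failure as "ask the customer".
export function isValidVin(raw: string): boolean {
  const vin = raw.trim().toUpperCase();
  if (!/^[A-HJ-NPR-Z0-9]{17}$/.test(vin)) return false; // letters I, O, Q are never used
  let sum = 0;
  for (let i = 0; i < 17; i++) {
    const ch = vin[i];
    const value = ch >= "0" && ch <= "9" ? Number(ch) : VIN_VALUES[ch];
    sum += value * VIN_WEIGHTS[i];
  }
  const rem = sum % 11;
  return vin[8] === (rem === 10 ? "X" : String(rem));
}

// Constructed subset of a vPIC DecodeVinValues result row.
export interface VpicValues {
  ErrorCode: string;
  ErrorText?: string;
  Make: string;
  Model: string;
  ModelYear: string;
  BodyClass?: string;
}

export interface NormalizedVehicle {
  vin: string | null;
  year: number;
  make: string;
  model: string;
  bodyClass: string | null;
  source: "nhtsa" | "manual";
}

// Accept only a clean decode (ErrorCode "0"); anything else sends the
// customer to manual entry rather than pricing a quote on partial data.
export function normalizeVpic(vin: string, results: VpicValues[]): NormalizedVehicle | null {
  const r = results[0];
  if (!r || r.ErrorCode !== "0") return null;
  const year = Number(r.ModelYear);
  if (!Number.isInteger(year) || !r.Make?.trim() || !r.Model?.trim()) return null;
  return {
    vin: vin.trim().toUpperCase(),
    year,
    make: r.Make.trim(),
    model: r.Model.trim(),
    bodyClass: r.BodyClass?.trim() || null,
    source: "nhtsa",
  };
}

export type VpicFetcher = (vin: string) => Promise<VpicValues[]>;

// Invalid VINs never reach the upstream API; an upstream failure or an
// unclean decode both degrade to the manual-entry path.
export async function resolveVehicle(
  vin: string,
  fetchDecode: VpicFetcher,
  manual: () => NormalizedVehicle,
): Promise<NormalizedVehicle> {
  if (!isValidVin(vin)) return manual();
  try {
    return normalizeVpic(vin, await fetchDecode(vin)) ?? manual();
  } catch {
    return manual(); // API unavailable
  }
}
```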

Google Reviews

Social Proof

Social proof widget displaying business reviews on the customer-facing site.

Failure mode:

Widget hidden when reviews unavailable; page layout unaffected

Normalization:

Google Places API → review cards with rating and attribution

Operational Readiness

405 tests, 23 models, and automated operations

The codebase maintains 405 passing tests across 65 test files covering API routes, server actions, components, and business logic. The database schema spans 23 Prisma models with 10 enums covering vehicle types, booking statuses, and campaign states.

  • 405 passing tests across 65 test files
  • 23 Prisma models, with 10 enums covering all business domains
  • 27 API routes (REST + Server Actions)
  • 6+ API integrations: Stripe, Supabase, Resend, Twilio, NHTSA, Google
  • 15+ admin pages making up the full business operations suite
  • 6 service categories: Interior, Exterior, Cars, RVs, Aircraft, Marine

Security Hardening

  • SSRF protection with RFC 1918 blocklist
  • HMAC-SHA256 enablement gates
  • Rate-limited authentication endpoints
  • Encrypted session cookies (iron-session)
  • Docker socket proxy isolation
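Of the items above, rate limiting on the authentication endpoints is the one whose details matter most: a magic-link request endpoint that is limited only per client IP can still be used to flood one mailbox from many addresses, and one limited only per email still lets a single client enumerate accounts. The limiter below, keyed both ways, is an added example and not CarCraft's code; the limits, the key format and the injected clock are assumptions, and a multi-instance deployment would keep the hit log in Redis rather than in process memory.

```typescript
// Added example (not CarCraft code): sliding-window rate limiting for
// authentication endpoints, keyed per client IP and per requested email.
export interface RateLimitResult { allowed: boolean; remaining: number; retryAfterSec: number }

export class SlidingWindowLimiter {
  private readonly hits = new Map<string, number[]>(); // key -> ascending timestamps (ms)

  constructor(
    private readonly limit: number,
    private readonly windowMs: number,
    private readonly now: () => number = Date.now, // injected so tests control time
  ) {}

  // Consume one hit for `key` if the window has room; otherwise report when
  // the oldest hit in the window expires.
  check(key: string): RateLimitResult {
    const t = this.now();
    const cutoff = t - this.windowMs;
    const recent = (this.hits.get(key) ?? []).filter((ts) => ts > cutoff);
    if (recent.length >= this.limit) {
      this.hits.set(key, recent); // drop expired entries even on reject
      return { allowed: false, remaining: 0, retryAfterSec: Math.ceil((recent[0] + this.windowMs - t) / 1000) };
    }
    recent.push(t);
    this.hits.set(key, recent);
    return { allowed: true, remaining: this.limit - recent.length, retryAfterSec: 0 };
  }

  // Periodic cleanup for a cron worker; returns the number of keys removed.
  sweep(): number {
    const cutoff = this.now() - this.windowMs;
    let removed = 0;
    for (const [key, ts] of this.hits) {
      if (!ts.some((x) => x > cutoff)) { this.hits.delete(key); removed++; }
    }
    return removed;
  }
}

export function keyForEmail(email: string): string {
  return `email:${email.trim().toLowerCase()}`;
}

// Guard for a "send me a magic link" endpoint. Both limits must pass; the
// numbers are assumptions, not CarCraft's configuration.
export class MagicLinkGuard {
  private readonly byIp: SlidingWindowLimiter;
  private readonly byEmail: SlidingWindowLimiter;

  constructor(now: () => number = Date.now) {
    this.byIp = new SlidingWindowLimiter(10, 60_000, now);          // 10 per minute per client IP
    this.byEmail = new SlidingWindowLimiter(3, 15 * 60_000, now);   // 3 per 15 minutes per address
  }

  check(clientIp: string, email: string): RateLimitResult {
    const perIp = this.byIp.check(`ip:${clientIp}`);
    if (!perIp.allowed) return perIp;
    return this.byEmail.check(keyForEmail(email));
  }
}
```

A rejected request should get a 429 with a `Retry-After` header set from `retryAfterSec`; the allowed path should return the same response whether or not the address has an account, or the limiter protects an endpoint that still leaks who the customers are. The client IP has to come from the header the hosting platform itself sets, never from one the client can supply.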

Live Preview

Explore the public-facing experience

Why is the live preview public-only?

The live deployment is embedded above as an iframe showing the public-facing pages. The customer portal and admin dashboard require authentication, so those capabilities are documented in the four numbered architecture sections above rather than in the preview.