NexcurAI
Talk to us Start a project
S7 Sample · SaaS starter spec

← Samples

SaaS starter spec.

What we ship in a 4-week Growth-tier SaaS build. Anonymized from a Cloudwrit-class client. Files, tests, handover artifacts, and what is out of scope.

Fictional - representative

Engagement summary

  • Client: Cloudwrit (fictional stand-in)
  • Tier: Growth ($45k fixed scope)
  • Window: 4 weeks (Monday to Friday, not counting post-launch window)
  • Post-launch window: 60 days, included
  • Team: 1 operator (senior) + Claude Opus 4.6
  • Stack: Next.js 15 (App Router), Postgres, Prisma, Stripe, Clerk, Tailwind, shadcn/ui, Vercel

Scope (what ships by week 4)

1. Authentication

  • Email + password with magic-link fallback (Clerk)
  • OAuth: Google, Microsoft, GitHub
  • Mandatory MFA for admin roles
  • Session management, account deletion flow, password reset

2. Multi-tenant data model

  • OrganizationMembershipUser
  • All domain tables scoped by organization_id
  • Row-level security enforced at Postgres; server-side tenant resolution (no trusting client-supplied tenant IDs)
  • Invitation flow for adding members

3. RBAC

  • Three baseline roles: owner, admin, member
  • Policy checks in a single can() helper, used in route handlers and UI
  • Server-enforced; UI hides actions but is not the security boundary

4. Billing

  • Stripe Checkout for upgrade, Customer Portal for self-serve plan changes
  • Webhook handlers for checkout.session.completed, customer.subscription.updated, customer.subscription.deleted, invoice.payment_failed
  • Idempotent webhook processing with a replay table
  • Plan-gate middleware: non-paying orgs hit a usage cap; paying orgs pass through

5. Admin panel

  • Separate route namespace /admin
  • IP allowlist + mandatory MFA at route level
  • Org lookup, member impersonation (audited), subscription adjustments, feature flag overrides
  • Every admin action writes to an append-only audit_log table

6. Product analytics + CWV monitoring

  • PostHog events: signup, upgrade, churn, 4 product-specific key events client chooses during kickoff
  • Vercel Web Analytics for CWV on real users
  • Sentry for errors and performance

7. Performance + accessibility

  • Lighthouse 95+ on every route (mobile, throttled)
  • WCAG 2.2 AA verified manually + axe
  • See the checklist

8. Testing

  • Unit tests on business logic (Vitest), target 70 percent coverage on non-UI code
  • End-to-end tests on critical paths: signup, upgrade, invite member, core feature (Playwright)
  • Tests run in CI on every PR

9. Security hygiene

  • CSP, HSTS, X-Frame-Options, COOP set
  • Secrets in Vercel / Doppler (not in code)
  • Dependency audit passes at ship (npm audit, snyk or equivalent)
  • Row-level security on all tenant tables
  • IAM/secret hygiene per our IAM checklist

10. Handover documentation

  • README.md for repo structure
  • DEPLOY.md for ops (how to deploy, rollback, add envs)
  • DECISIONS.md (ADRs) for why we chose each piece
  • Loom walkthrough of the codebase (30 min) for client eng team
  • One post-ship operator transition call

Timeline (4 weeks)

Week 1: Foundation

  • Kickoff, intake, clarifying questions closed
  • Stack setup, CI, staging env
  • Auth (Clerk wired up, all flows working)
  • Base multi-tenant schema
  • Ship: private staging URL, team can sign up and create orgs

Week 2: RBAC, billing, admin

  • RBAC model + UI
  • Stripe wiring (test mode)
  • Admin panel skeleton
  • Ship: paying workflow works end-to-end in staging

Week 3: Product features

  • Client-specific features (defined in kickoff intake)
  • UI polish, empty states, error states
  • Mobile responsive pass
  • Ship: feature-complete in staging

Week 4: Hardening + launch

  • Test suite: unit + E2E
  • Lighthouse audit; fix to 95+
  • A11y audit; fix to WCAG 2.2 AA
  • Security headers, secret audit, dependency audit
  • Prod domain cutover, monitoring in place
  • Handover (docs + Loom + transition call)
  • Ship: in production, client team trained

Post-launch (60 days included)

  • Bug fixes on anything in scope
  • Two performance + a11y re-audits (30 day, 60 day)
  • Slack channel for rapid response
  • Beyond 60 days: retainer or fresh engagement

Out of scope (intentionally)

  • Real-time collaboration features (websockets, CRDTs)
  • Complex billing (usage-based, metered)
  • Mobile native apps
  • Full i18n or RTL support
  • Custom SSO integrations per enterprise customer
  • Complex integrations beyond Stripe + PostHog + Sentry

Any of these can be added as a follow-on engagement once the starter is in place.

Deliverables on day 28

  • Production SaaS at the client domain
  • Source repo (client owns)
  • Handover docs (README, DEPLOY, DECISIONS, Loom)
  • Test suite passing, CI green
  • Lighthouse report on 10 representative routes
  • axe + manual a11y report
  • Security header and dependency audit
  • 60-day support Slack + retest commitment

What shipped has to earn

“Done” means: a stranger who signs up can go from zero to paying customer without hitting any of our known issue list. A stranger who is an admin can log in, impersonate a user for support, adjust a subscription, and roll back a feature flag without breaking anything. A stranger on a low-end Android phone on 4G can use the app without rage-quitting.

Every launch of a Growth-tier SaaS in our engagements is tested against those three strangers before we call it shipped.