Status & Roadmap
Source of truth for what is live and what remains. Updated 2026-06-13.
SoConnective is a self-hosted, AI-native, multi-tenant, white-label agency platform (a GoHighLevel competitor) for SoConnective. Three-tier tenancy: Platform (master) → Agencies → Sub-accounts.
Stack: apps/cms (Payload CMS 3.85 + Postgres schema payload, multi-tenant plugin), apps/crm (Next 16 / React 19 / Tailwind v4 / shadcn), apps/docs (this site). Deployed on a VPS via Coolify + Traefik; git on Forgejo; Redis cache. CRM ↔ CMS over the Payload REST API; auth via the fs_session cookie.
Live and verified
| Area | What |
|---|---|
| Tenancy | 3-tier accounts; server-side active account (ITP-proof); account switcher; cross-account isolation enforced in the app layer (list + by-id) |
| Security — master untouchable | Platform admins can't be deleted, can't lose the super-admin flag or be assigned a role; promotion is DB-only |
| Security — platform blinding | The Platform account is invisible to agencies/sub-accounts; sub-accounts have no access to Accounts (nav + URL) |
| Security — service account | Server-only Payload API key for privileged invite operations; never reaches the browser |
| Security — de-identification | Neutral fs_session cookie; X-Powered-By off; baseline security headers |
| RLS | Enabled + forced on all 24 tenant tables; fail-closed policy; proven against a non-superuser role. Armed; live cutover documented (ADR 0011) |
| Audit log | Immutable, tenant-scoped audit-logs; forgery-proof service-key writes; admin Activity page |
| AI Operator | Single platform key; onboarding/config operator (not a chatbot); real scoped tools incl. marketplace install + custom fields; Markdown + history; token-metered |
| Inbox AI | Marketplace module; per-account BYOK; 360° contact context; brand-voice persona |
| Marketplace | Modules + Starter Packs (single applyStarterPack path) + dynamic Integration Providers catalog (7 providers) |
| Integrations | Dynamic catalog → install with key prompt (paste or where-to-find) → Settings manages keys + test |
| Roles | Granular per-section level + action flags; enforced server-side |
| Invites | Tokenized invite link → set password → member + auto-login; rate-limited |
| NFRs (Redis) | Rate-limiting, caching, token metering + monthly cap, error tracking — all fail-open and surfaced in System Health |
| System Health | Platform board: connections, token usage, recent errors, Redis status |
Recently shipped (2026-06-13)
- Dynamic Integrations marketplace (provider catalog with logo + where-to-find-the-key; install prompts for the key; Settings manages keys).
- AI Operator proactive setup: a `setup_status` checklist plus `create_pipeline`, `create_template`, `create_automation`, `connect_channel` tools and clickable deep-links.
- Agency-managed modules per sub-account (enable/disable from the Accounts view).
- Public API at `/api/v1` (per-account keys, tenant-scoped, rate-limited) with a Settings page to create/revoke keys.
- RLS armed + forced on all 25 tenant tables (dynamic, self-maintaining) and enforcing for any non-superuser connection.
- Hardening: `push:false` in production, unique `(tenant, provider)` index, CMS security headers + `noindex`, code-review fixes (catalog/audit locks, invite rate-limit).
- Documentation auto-published to docs.soconnective.com from `docs/`.
Roadmap (remaining)
- RLS - done (full per-request enforcement). The app runs as the non-superuser `app_user`, and every authenticated request is scoped to its tenant at the database level (AsyncLocalStorage + a global hook + a patched pg pool set `app.current_tenant` / `app.is_platform` per request). A forgotten application-layer filter can no longer leak cross-tenant data; RLS is armed + forced on all 25 tenant tables. See ADR 0011.
- Background queue (generalized) — Redis is ready; wire BullMQ-style jobs when the first real async consumer exists (email polling already runs on a cron).
- Anthropic key rotation — the platform AI key was shared in chat during setup; rotate it in the Anthropic console and update the env (user action).
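
The per-request RLS scoping described in the first roadmap item, sketched as an added example (not SoConnective's own code): an AsyncLocalStorage context feeds `app.current_tenant` / `app.is_platform` into a transaction-local `set_config` before each query. The names `tenantContext`, `runAsTenant`, `tenantSettings`, `scopedQuery` and `FakeClient` are hypothetical, and using a transaction with `set_config(..., true)` is an assumption about how the settings are kept from outliving a pooled connection.

```javascript
// Added example. All names below are hypothetical, not taken from the project.
const { AsyncLocalStorage } = require('node:async_hooks');
const tenantContext = new AsyncLocalStorage();

// Bind one request's tenant to its async call chain.
function runAsTenant(ctx, handler) {
  return tenantContext.run(Object.freeze({ ...ctx }), handler);
}

// Statements that set the tenant for the current transaction only.
// set_config(name, value, true) is the parameterizable form of SET LOCAL.
function tenantSettings() {
  const ctx = tenantContext.getStore();
  if (!ctx || (!ctx.tenantId && !ctx.isPlatform)) throw new Error('no tenant context');
  return [
    ["SELECT set_config('app.current_tenant', $1, true)", [String(ctx.tenantId ?? '')]],
    ["SELECT set_config('app.is_platform', $1, true)", [ctx.isPlatform ? 'true' : 'false']],
  ];
}

// Run a query inside a transaction so the settings end with it and cannot
// leak to the next request that borrows the same pooled connection.
async function scopedQuery(client, sql, params = []) {
  const settings = tenantSettings(); // fails closed before the connection is used
  await client.query('BEGIN');
  try {
    for (const [s, p] of settings) await client.query(s, p);
    const result = await client.query(sql, params);
    await client.query('COMMIT');
    return result;
  } catch (err) {
    await client.query('ROLLBACK');
    throw err;
  }
}

// Constructed stand-in for a pg client: records statements instead of running them.
class FakeClient {
  constructor() { this.log = []; }
  async query(sql, params = []) { this.log.push({ sql, params }); return { rows: [] }; }
}

// Two concurrent requests keep separate tenants even though they interleave.
async function demo() {
  const a = new FakeClient(), b = new FakeClient();
  await Promise.all([
    runAsTenant({ tenantId: 'agency-a' }, () => scopedQuery(a, 'SELECT * FROM contacts')),
    runAsTenant({ tenantId: 'agency-b' }, () => scopedQuery(b, 'SELECT * FROM contacts')),
  ]);
  return [a.log[1].params[0], b.log[1].params[0]];
}
```

A query issued outside `runAsTenant` throws before touching the connection, which matches the fail-closed behaviour the RLS policy is described as having.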
Documentation
Documentation is auto-generated from the canonical Markdown in docs/ (and infra/runbooks/) and published to docs.soconnective.com on every push. To document something, add or edit a Markdown file under docs/ with a short frontmatter header (title, section, order) — it appears on the site automatically; no navigation or manifest editing required.