Comestare — Software Requirements Specification (SRS)
Grounded in the actual deployed architecture. Audience: engineers and technical/strategic investors performing technical diligence. Companion: PRD.
1. Introduction
1.1 Purpose
Define the functional and non-functional requirements and the system architecture of the Comestare platform.
1.2 Scope
A bilingual web platform with a customer-facing app, an admin platform, an API gateway, and supporting data stores, delivering AI marketing strategy generation plus self-serve and done-for-you monetization.
1.3 Definitions
- Universe / strategy — generated marketing strategy (map + roadmap).
- Gateway / middleware — the API edge that fronts the backends.
- Route registry — admin-owned config telling the gateway how to proxy/route.
2. System architecture (as built)
┌──────────────────────────┐
Customers ──────▶│ Frontend (Next.js 15) │ comestare.com (Cloudflare)
│ EN/AR, RTL, PLG funnel │
└─────────────┬──────────────┘
│ HTTPS (JSON)
┌─────────────▼──────────────┐
│ Middleware / API Gateway │ (NestJS + Fastify)
│ auth, JWT, rate-limit, │ + Redis (sessions,
│ caching, proxy, route reg, │ rate-limit, registry)
│ Google ID-token verify │
└───────┬───────────┬─────────┘
│ │ internal (X-Internal-Token)
┌─────────────▼──┐ ┌────▼───────────────┐
│ Customer-backend│ │ Admin-backend │
│ NestJS+Fastify │ │ NestJS+Fastify │
│ users/sessions/ │ │ routes/pricing/ │
│ OTP/auth │ │ finance/audit/admins│
│ Prisma │ │ Prisma (schema=admin)│
└────────┬────────┘ └─────────┬───────────┘
│ │
└──────────┬───────────┘
┌───────▼────────┐ ┌──────────────┐
│ PostgreSQL │ │ Admin Panel │
│ (public + admin │◀─────│ Next.js │
│ schemas) │ direct│ (cookie auth)│
└─────────────────┘ └──────────────┘
Components:
- Frontend — Next.js 15 (App Router), Tailwind, React Query, Zustand, custom i18n (EN/AR + RTL), Google Identity Services; deployed on Cloudflare.
- Middleware (gateway) — NestJS/Fastify; JWT access/refresh, rate-limiting, L1 in-memory + Redis caching, route-registry-driven proxy, Google ID-token verification (JWKS), CORS, Helmet.
- Customer-backend — NestJS/Fastify + Prisma/Postgres; users, sessions, OTP, password + Google auth, refresh-token records; exposes internal endpoints to the gateway (X-Internal-Token).
- Admin-backend — NestJS/Fastify + Prisma/Postgres (
adminschema); admins (owner/admin/viewer), route registry (/internal/routes), pricing (public pricing endpoint), finance/wallets, audit; admin JWT (HS256) via HttpOnly cookie. - Admin panel — Next.js; talks directly to admin-backend with cookie session.
- Data — PostgreSQL (shared instance, separate schemas); Redis (sessions, rotation, rate-limit, registry cache).
3. Functional requirements (system)
3.1 Auth & sessions
- SRS-AUTH-1 Email signup with OTP verification; password (argon2) login.
- SRS-AUTH-2 Google sign-in: frontend obtains a Google ID token; gateway verifies signature +
aud(=GOOGLE_CLIENT_ID) +issagainst Google JWKS; trusted claims passed to customer-backend. - SRS-AUTH-3 Issue JWT access (short TTL) + refresh (rotating, family-based theft detection) tokens; refresh stored hashed in backend + tracked in Redis.
- SRS-AUTH-4 Refresh cookie HttpOnly/Secure/SameSite; logout revokes family + blocklists access JTI.
- SRS-AUTH-5 Admin auth is separate (HS256 cookie, roles).
3.2 Gateway
- SRS-GW-1 Route requests per the admin-owned route registry (with bundled fallback).
- SRS-GW-2 Per-IP rate limiting with configurable windows; expose limit headers.
- SRS-GW-3 Cache cacheable upstream responses (L1 + Redis) with TTLs.
- SRS-GW-4 Normalize locale (URL prefix /en, /ar → Accept-Language) before forwarding.
- SRS-GW-5 Enforce CORS allow-list; security headers (Helmet).
3.3 Strategy generation
- SRS-GEN-1 Accept idea/URL; call AI provider; return structured universe + roadmap.
- SRS-GEN-2 Enforce plan-based usage limits and watermarking.
- SRS-GEN-3 Persist generated strategies to the user account.
- SRS-GEN-4 Localize generation to EN/AR.
3.4 Billing & monetization
- SRS-BILL-1 Subscription management (Free/Starter/Pro/Agency) via Stripe (+ local GCC rails roadmap).
- SRS-BILL-2 Feature gating by tier.
- SRS-BILL-3 Services milestone billing; Ad Studio recurring + % of spend.
3.5 Admin
- SRS-ADM-1 Manage users/sessions/audit, pricing, routes, finance.
- SRS-ADM-2 Public pricing endpoint consumed by the marketing site.
- SRS-ADM-3 Push route-registry invalidations to the gateway.
3.6 Leads & analytics
- SRS-LEAD-1 Capture & store lead records + UTM/attribution + behavioral events.
- SRS-LEAD-2 Compute lead score and lifecycle stage; route hot leads.
4. Non-functional requirements
4.1 Performance
- NFR-PERF-1 P95 API latency (non-generation) < 300 ms server-side.
- NFR-PERF-2 Strategy generation streamed/progressive; perceived completion target < 30 s; show progress.
- NFR-PERF-3 Cache hot reads (pricing, registry) to protect backends.
4.2 Reliability & availability
- NFR-REL-1 Target 99.9% uptime for auth + generation paths.
- NFR-REL-2 Graceful degradation: gateway uses fallback routes if admin-backend unreachable.
- NFR-REL-3 No 5xx on the auth/sign-in path under normal operation (see Appendix A).
- NFR-REL-4 Health/readiness endpoints (
/healthz,/readyz) with DB checks.
4.3 Security & privacy
- NFR-SEC-1 All traffic TLS; secrets in env/secret store, never in VCS.
- NFR-SEC-2 Passwords argon2; JWTs signed; refresh rotation with reuse detection.
- NFR-SEC-3 Internal service calls authenticated via
X-Internal-Token(≥32 bytes). - NFR-SEC-4 Rate-limiting + Helmet + strict CORS allow-list.
- NFR-SEC-5 PDPL (Saudi) + GDPR compliance: explicit consent capture, data-subject rights, data-retention policy, and data-residency option for GCC (see Saudi/GCC Brief).
- NFR-SEC-6 PII access audited (admin audit trail exists).
4.4 Scalability & cost
- NFR-SCALE-1 Stateless gateway/back ends horizontally scalable; state in Postgres/Redis.
- NFR-SCALE-2 Control AI inference cost via free-tier caps, caching, and model tiering.
4.5 Internationalization & accessibility
- NFR-I18N-1 Full EN/AR parity incl. RTL, Arabic typography, locale-aware formatting.
- NFR-A11Y-1 WCAG-AA targets for the core funnel.
4.6 Maintainability & observability
- NFR-OBS-1 Structured logging (pino) with request IDs; optional OpenTelemetry tracing.
- NFR-OBS-2 Per-channel funnel analytics; error monitoring.
5. Deployment & environments
- Frontend: Cloudflare (Next.js / OpenNext).
- Backends & gateway: containerized; orchestrated via Coolify (Nixpacks); env injected per service.
- Data: managed PostgreSQL + Redis.
- Service-to-service over a private network by service name; secrets per environment.
6. Constraints & assumptions
- AI provider availability and pricing affect cost/latency.
- GCC data-residency may require a regional deployment.
- Cross-domain auth (frontend vs. gateway domains) constrains cookie strategy.
Appendix A — Known production issues (reliability backlog)
Surface these proactively in technical diligence; they're normal pre-launch hardening, and fixes are understood:
- Middleware ↔ customer-backend networking — gateway must reliably resolve the customer-backend service (observed
EAI_AGAIN); fix = shared private network + correct host:port. Until fixed, all backend-dependent auth returns 5xx. - Google sign-in config/session —
GOOGLE_CLIENT_IDmust be set on the gateway (must equal the frontend client ID); verify JWKS egress. - Cross-domain refresh cookie — frontend and gateway on different root domains; finalize cookie/session strategy (or align domains) so sessions persist.
- Client-side FedCM/third-party-cookie behavior — Google chooser depends on browser FedCM/cookie state; document supported configurations.
These are tracked, well-understood, and gated before scaling paid acquisition (NFR-REL-3). None require re-architecture.