
Acme Approvals (Multi-tenant SaaS)

Multi-tenant tasks + approvals with RBAC, audit logs, slug redirects, and E2E tests

Role
Solo
Focus
Multi-tenant RBAC, Approval workflows, Audit trail
Testing
Playwright E2E, Unit tests for state machine, Integration (mutation flows)
Key Patterns
SaaS, Next.js, Postgres, Prisma
Tags: SaaS, Next.js, Postgres, Prisma, RBAC, Audit Log, Playwright

What it does

  • Creates workspaces (orgs) with invites and role-based permissions
  • Lets members create tasks, submit for approval, and track decisions
  • Lets managers/admins approve/reject with reasons, comments, and history
  • Shows dashboards: KPIs, pending approvals, and recent activity
  • Preserves auditability with an append-only event log

Architecture

┌────────────────────────┐      ┌─────────────────────────┐
│  Next.js UI            │─────►│  Next.js Route Handlers │
│  /app/[orgSlug]/...    │      │  REST-ish API           │
└───────────┬────────────┘      └───────────┬─────────────┘
            │                               │
            │ auth session                  │ Prisma ORM
            ▼                               ▼
┌───────────────────────┐      ┌──────────────────────────┐
│  NextAuth             │      │  Postgres                │
│  OAuth (GH/GO)        │      │  orgs/members/tasks      │
└───────────────────────┘      │  comments/audit log      │
                               └──────────────────────────┘

Reliability & Guardrails

  • Server-side RBAC + tenancy enforcement on every query/mutation; the org comes from the route and the role from the session membership, never from client input (no client trust)
  • State machine guardrails prevent invalid transitions (e.g., approve only when SUBMITTED)
  • Audit events recorded for all mutations; activity feed is derived from event log
  • Slug redirects prevent broken links in emails/bookmarks after org renames
  • Rate limiting on sensitive endpoints and consistent error envelopes

How to demo in 2 minutes

  1. Clone the repo and install deps: npm install
  2. Start Postgres (docker compose up -d) and run migrations/seed
  3. Run dev server: npm run dev
  4. Login (demo OAuth or demo user) → create org → invite member
  5. Create a task → submit → switch to approver → approve/reject
  6. Open Activity feed and Task history to see the audit trail

Links