Phoenix Suite — Technical Specification

Version: 1.0.0

Last Updated: 11 April 2026

Document Type: Comprehensive Technical Specification

1. Executive Summary

Phoenix Suite is a multi-tenant Software-as-a-Service (SaaS) platform for managing gyms, dojos, martial arts schools, and fitness studios. It provides a complete business management solution including student/member management, class scheduling, attendance tracking, point of sale, subscription billing, marketing, public websites, grading/belt progression, exercise program design, accounting integration, and reporting.

The platform is built with a modular licensing architecture where organisations selectively purchase modules based on their needs, managed through a centralised license portal.

2. Architecture Overview

2.1 System Components

Component

Technology

Port

Purpose

Database	PostgreSQL 16	5432	Primary data store
API Server	Node.js + Express	4000	REST API backend
Admin Portal	React 18	3002	Staff/admin web application
License Portal	React 18	3001	Super-admin license management
Public Site	React 18	3003	Per-org public websites

2.2 Technology Stack

Backend:

Runtime: Node.js 20 (Alpine)
Framework: Express.js 4.21
Database: PostgreSQL 16 with native pg driver (no ORM)
Authentication: JWT (access + refresh tokens)
Password Hashing: bcryptjs (12 rounds)
Payment Processing: Stripe (scaffolded)
Email: SMTP2GO REST API
SMS: Twilio REST API
Containerisation: Docker + Docker Compose

Frontend:

Framework: React 18.3 with React Router 6
HTTP Client: Axios with token refresh interceptor
Charts: Recharts (installed, available)
SEO: react-helmet-async
Build: Create React App (react-scripts 5.0)
Serving: Nginx (Alpine) in production

2.3 Multi-Tenancy Model

Every data table includes an org_id column referencing the organizations table. The scopeToOrg middleware extracts the org ID from the JWT token and attaches it to req.orgId. All queries filter by org_id to ensure complete data isolation between organisations.

2.4 Authentication & Authorisation

Token Strategy:

Access Token: JWT, 24-hour expiry, contains userId, orgId, role
Refresh Token: JWT, 30-day expiry, stored in database, revocable
Query Parameter Token: Supported for download/export endpoints

User Roles:

super_admin: Platform owner, manages licenses across all orgs
admin: Organisation owner, full org management
staff: Instructor/trainer, limited by permission tags
student: Member, self-service portal access

Permission Tags (staff_permissions table):

admin: Full organisation access
personal_trainer: Fitness programs, client management
discipline_instructor: Per-discipline class/grading management

Additional Auth:

Practitioner Access: Temporary coded access for medical professionals
Kiosk Auth: Device-level token for check-in screens

3. Module System

3.1 Licensable Modules

Module

Enum Value

Description

Base	`base`	Always included. Students, classes, payments, messaging, contracts, forms, inventory, equipment
Martial Arts	`martial_arts`	Multi-discipline rank progression, gradings, syllabus, belt/sash/patch systems
Fitness	`fitness`	Exercise library, plan builder, programs, body metrics, training goals
Marketing	`marketing`	Email/SMS campaigns, events, templates, notification log
Website	`website`	Public-facing website CMS, blog, trial signup, contact forms

Modules are gated by the requireModule(moduleType) middleware. The License Portal (super_admin) issues module licenses per organisation with configurable student/staff caps, pricing, and expiry dates.

4. Database Schema

4.1 Migration History

The database evolves through numbered migration files (001-025) applied in order:

Migration

Tables/Changes

001	Core: organizations, users, student_profiles, subscriptions, payments, account_ledger, classes, class_enrollments, class_attendance, belt_records, gradings, body_measurements, training_programs, access_tokens, equipment, inventory, conversations, messages, contracts, forms, licenses
002	Exercise library: exercises, exercise_plans, exercise_plan_sections, exercise_plan_items, student_exercise_plans, student_exercise_log
003	Class sessions: class_sessions, class_session_attendance, waitlist support on enrollments
004	Belt progression: belt_requirements, syllabus_items, student_syllabus_progress
005	Class plan history
006	Multi-discipline: martial_art_disciplines, discipline_ranks, student_disciplines. Renamed belt_records→rank_records, belt_requirements→rank_requirements. Dropped belt_rank enum.
007	Programs: programs, program_plans, program_assignments, practitioner_access
008	Exercise groups: exercise_item_groups (supersets, circuits)
009	Rank dan/bar field
010	Rank stripe field
011	Subscription plans: subscription_plans, plan_discount_rules
012	Plan-class linking: plan_classes, class enrollment source tracking
013	Staff permissions: staff_permissions with permission tags
014	Inventory variants: inventory_variants (size/stock breakdown)
015	Shop/POS: org_order_sequences, orders, order_items, refunds, refund_items. GST/account settings on org.
016	Grading invitations: testing_fee, invitation_status, payment linking
017	Tenancy hardening: added org_id to all join tables missing it
018	Per-org rate limiting settings
019	Attendance & metrics: student_preferences, kiosk_sessions, measurement_goals, enhanced body measurements
020	Stripe integration: Stripe config on org, payment references across tables
021	Public site: site_settings, blog_posts, trial_signups, contact_submissions, instructor_profiles
022	Marketing: notification_log, notification_templates, marketing_campaigns, special_events, event_bookings
023	Enhanced contracts: merge fields, witness/guardian, form field types
024	Contract/form assignments
025	Accounting: accounting_config, account_mappings, journal_entries, depreciation_schedules

4.2 Key Relationships


organizations
├── users (role: super_admin, admin, staff, student)
│   └── staff_permissions
├── student_profiles
│   ├── student_subscriptions → subscription_plans
│   ├── student_disciplines → martial_art_disciplines → discipline_ranks
│   ├── rank_records (progression history)
│   ├── class_enrollments → classes → class_sessions → class_session_attendance
│   ├── program_assignments → programs → program_plans → exercise_plans
│   ├── body_measurements, measurement_goals
│   ├── grading_candidates → gradings
│   ├── contract_signatures, form_submissions
│   ├── event_bookings → special_events
│   └── orders → order_items → inventory → inventory_variants
├── martial_art_disciplines → discipline_ranks
├── classes → class_sessions → class_session_attendance
├── subscription_plans → plan_discount_rules, plan_classes
├── programs → program_plans → exercise_plans → sections → groups → items → exercises
├── inventory → inventory_variants, inventory_transactions
├── marketing_campaigns → notification_log
├── site_settings, blog_posts, trial_signups, contact_submissions
├── accounting_config, account_mappings, journal_entries, depreciation_schedules
└── licenses (per-module with caps, pricing, expiry)





5. API Architecture

5.1 Route Files

File Mount Point Auth Purpose

auth.js /api/auth Public/Auth Login, register, refresh, logout, me
students.js /api/students Auth+Staff Student CRUD with subscription management
resources.js /api/* Auth Equipment, inventory, classes, contracts, forms, messages, payments, martial arts, fitness, org settings, staff management
exercises.js /api/exercises, /api/exercise-plans Auth Exercise library, plan builder with sections/groups/items
disciplines.js /api/disciplines Auth+MA Discipline and rank CRUD, student enrollment
belt-progression.js /api/belt-progression Auth+MA Requirements, syllabus, eligibility, readiness, gradings with invitations
programs.js /api/programs Auth Program CRUD, plan linking, student assignment
subscription-plans.js /api/subscription-plans Auth Plan templates, discount rules, class linking, price calculation
shop.js /api/shop Auth POS orders, products, refunds, receipts, account balance
stripe.js /api/stripe Auth/Webhook Checkout sessions, subscription billing, customer portal, webhooks
checkin.js /api/checkin Auth/Kiosk Kiosk management, photo-tap check-in, token scan, self check-in, attendance dashboard, access tokens, body metrics, measurement goals, student preferences
marketing.js /api/marketing Auth+Mkt Campaigns, events, bookings, templates, notification log, quick send
public.js /api/public Public Site data, blog, trial signup, contact forms
site-admin.js /api/site-admin Auth+Web CMS content, blog CRUD, trial leads, contacts, instructors
contracts-forms.js /api/cf Auth Contract signing with merge fields, form submission with field validation, assignments, outstanding tracking, template seeding
reports.js /api/reports Auth+Admin 7 report types, CSV export, PDF export
accounting.js /api/accounting Auth+Admin Config, mappings, journal generation, sync, depreciation
practitioner-auth.js /api/practitioner Public/Auth Code generation, practitioner login, therapeutic program access
licenses.js /api/licenses SuperAdmin License management across all organisations

5.2 Middleware Stack

helmet() — Security headers

cors() — Configurable CORS origins


Stripe webhook raw body parser (before JSON)

express.json() — JSON body parsing (10MB limit)

morgan('combined') — Request logging

orgRateLimit('api') — Per-org rate limiting

Route-level: authenticate, scopeToOrg, requireRole(), requireModule()




6. Frontend Architecture

6.1 Admin Portal Pages

Page Route Description

DashboardPage /dashboard Overview stats and quick actions
StudentsPage /students Student list with plan-based subscription picker
StudentDetailPage /students/:id Profile, rank history, syllabus checklist, body metrics, subscriptions
PaymentsPage /payments Overview, subscription plans manager, subscriptions, transaction history
MessagesPage /messages 2-way messaging with auto-refresh
ContractsPage /contracts Contract templates with merge fields, signing, assignments
FormsPage /forms Form builder with 11 field types, submissions, review
ClassesPage /classes Class CRUD, weekly schedule, sessions, enrollment, attendance, workout assignment
ExerciseLibraryPage /exercises Searchable exercise catalog
MartialArtsPage /martial-arts/* Multi-discipline: ranks, readiness, gradings, syllabus, requirements, plans
FitnessPage /fitness/* Programs, exercise plans, body metrics
EquipmentPage /equipment Equipment lifecycle management
InventoryPage /inventory Stock with colour/brand/size variants
ShopPage /shop POS with cart, checkout, orders, refunds
ReportsPage /reports 7 report types with CSV/PDF export
AccountingPage /accounting Xero/MYOB/QBO/CSV, account mapping, journals, depreciation
MarketingPage /marketing/* Campaigns, events, templates, send log
WebsitePage /website CMS: branding, content, SEO, blog, instructors, leads
SettingsPage /settings Org details, GST, Stripe, email, SMS, attendance, rate limits, kiosk devices, staff management with permissions

6.2 Student Portal Pages

Page Route Description

StudentDashboard /student Overview
StudentClasses /student/classes Schedule, enrolled classes with self check-in, attendance history
StudentGradings /student/gradings Grading invitations, fee payment, results
StudentPrograms /student/programs Assigned exercise programs, practitioner access codes
StudentStore /student/store Browse/purchase inventory with cart
StudentDocuments /student/documents Pending contracts (sign with canvas), forms (fill with field types), submission history
StudentProfile /student/profile Personal details
StudentMessages /student/messages 2-way messaging with staff
StudentBilling /student/billing Payment history

6.3 Public/Kiosk Pages (no auth guard)

Page Route Description

LoginPage /login Email/password login
KioskPage /kiosk Photo-tap/RFID check-in screen
WorkoutDisplayPage /workout-display Group workout display + Tabata/AMRAP/EMOM/countdown timers

6.4 Shared Components

UI.js: Badge, Btn, Input, Table, Modal, Card, Stat, PageHeader, Tabs, FilterChips, SearchBar, Spinner, EmptyState, Avatar, Ic (SVG icons), RankChip, RankSwatch, ThemeToggle
PlanBuilder.js: Exercise plan editor with sections, groups (supersets/circuits), items
SubscriptionPlansManager.js: Plan templates with discount rules and class linking
WeeklySchedule.js: CSS Grid weekly timetable



7. Key Features Detail

7.1 Multi-Discipline Martial Arts

Unlimited disciplines per org (Karate, Krav Maga, Wing Chun, etc.)
Each discipline: name, style/lineage, grading system type (belts/sashes/patches/levels)
Custom rank progression per discipline with name, colour (auto-detected from name), centre stripe (white/black), dan/bar count with gold bar rendering
Students enrolled in one or more disciplines
Per-discipline: requirements (min classes, min months), syllabus (items with categories), grading readiness dashboard
Gradings: events with testing fees, bulk invite from readiness, payment tracking, result marking, auto-rank award on completion

7.2 Exercise Plan System


Exercise Library (shared catalog)
└── Exercise Plans
    └── Sections (Warmup, Main, Cooldown)
        ├── Exercise Groups (superset, circuit, straight)
        │   ├── Group config: rounds, rest between rounds, timed/reps
        │   └── Exercises: sets, reps, duration, rest, weight notes
        └── Standalone Exercises

Programs (containers)
├── Type: personal, group, therapeutic
├── Linked Plans via program_plans (day labels)
└── Assigned to students via program_assignments



7.3 Subscription Plans & Billing

Plan templates: module, discipline link, base price, frequency, session type, sessions/week
Conditional discount rules: discount when student has another module/discipline/plan
Auto-enrollment in linked classes when plan assigned
Auto-unenrollment when plan removed (only plan-sourced enrollments)
Price snapshot at assignment time (base, discount, final)
Stripe integration (scaffolded): checkout for shop/grading/subscriptions, webhooks, customer portal

7.4 Shop / Point of Sale

Product browser with size variant picker
Cart with quantity controls, running subtotal/GST/total
Customer: walk-in or select student
Payment: cash, card (Stripe if configured), account balance
Order numbering (ORD-0001)
HTML receipt with org branding (auto-print)
Refunds: refund/exchange/warranty types, per-item return-to-stock flag, auto stock adjustment
Student store: browse, cart, checkout, order history

7.5 Attendance System

4 check-in methods: manual (roll call), kiosk (photo tap), token scan (RFID/QR/PIN), self (student phone)
Kiosk: standalone page at /kiosk, token-authenticated, shows enrolled students for today
Session auto-creation for recurring classes
Attendance dashboard: overall stats, by-student, by-class, by check-in method

7.6 Accounting Integration

Providers: Xero, MYOB, QuickBooks Online (OAuth2 scaffolded), CSV (fully working)
12 configurable account mappings (Australian defaults)
Journal entry generator: 6 transaction types + depreciation
Double-entry balanced entries with JSONB lines
Depreciation: straight-line and ATO diminishing value
Sync tracking: pending → synced/failed with external ID

7.7 Public Website

Template-based per-org site with CSS custom property theming
8 sections (all toggleable): Hero, About, Programs, Schedule, Store, Blog, Trial Signup, Contact
SEO: title, meta description, keywords, Open Graph
Custom CSS override, Google Fonts selection
Blog CMS with slugs, excerpts, featured images, publishing workflow
Trial lead capture → admin lead pipeline
Contact form → admin inbox



8. Security

8.1 Implemented

JWT authentication with token refresh and revocation
bcrypt password hashing (12 rounds)
Parameterised SQL queries (SQL injection prevention)
Helmet.js security headers
CORS configuration
Per-org rate limiting (configurable)
Multi-tenant data isolation via org_id scoping
Role-based access control with granular permission tags
IP address logging on contract signatures
Practitioner access with time-limited codes
Kiosk device-level authentication

8.2 Recommended for Production

SSL/TLS termination (Nginx/Caddy with Let's Encrypt)
Environment variable encryption for secrets
Database connection pooling with SSL
Automated database backups
Content Security Policy headers
Input sanitisation for XSS prevention
Webhook signature verification (Stripe, Xero)
Session management for OAuth2 tokens



9. Deployment

9.1 Docker Compose Services

5 containers: db (PostgreSQL 16), api (Node.js), frontend (Nginx), license-portal (Nginx), public-site (Nginx)

9.2 Environment Variables


DATABASE_URL, JWT_SECRET, JWT_EXPIRY, CORS_ORIGIN, PORT,
LICENSE_MASTER_KEY, XERO_CLIENT_ID, XERO_CLIENT_SECRET,
MYOB_CLIENT_ID, MYOB_CLIENT_SECRET, QBO_CLIENT_ID, QBO_CLIENT_SECRET



9.3 Minimum Requirements

2GB RAM, 2 vCPU, 20GB SSD. Estimated cost: $12-24/month on DigitalOcean/Vultr.



10. File Structure


phoenix-suite/
├── docker-compose.yml
├── .env.example
├── docs/
│   ├── TECHNICAL_SPECIFICATION.md
│   └── USER_GUIDE.md
├── backend/
│   ├── Dockerfile
│   ├── package.json
│   ├── migrations/          (001-025)
│   └── src/
│       ├── index.js
│       ├── config/db.js
│       ├── middleware/
│       │   ├── auth.js
│       │   ├── errors.js
│       │   └── rateLimiter.js
│       ├── routes/
│       │   ├── auth.js, students.js, resources.js
│       │   ├── exercises.js, disciplines.js, belt-progression.js
│       │   ├── programs.js, subscription-plans.js
│       │   ├── shop.js, stripe.js
│       │   ├── checkin.js, marketing.js
│       │   ├── public.js, site-admin.js
│       │   ├── contracts-forms.js, reports.js, accounting.js
│       │   ├── practitioner-auth.js, licenses.js
│       │   └── ...
│       └── utils/
│           ├── discount-calculator.js
│           ├── plan-enrollment.js
│           ├── stripe-client.js
│           ├── email-service.js
│           ├── sms-service.js
│           ├── journal-generator.js
│           └── accounting-client.js
├── frontend/
│   ├── Dockerfile, nginx.conf, package.json
│   ├── public/  (PhoenixLogo.png, favicons, index.html)
│   └── src/
│       ├── index.js, App.js, api.js, responsive.css
│       ├── context/  (AuthContext.js, ThemeContext.js)
│       ├── components/  (UI.js, PlanBuilder.js, SubscriptionPlansManager.js, WeeklySchedule.js)
│       └── pages/
│           ├── AdminLayout.js, StudentLayout.js, LoginPage.js
│           ├── AdminPages.js (Payments, Messages, Contracts, Forms, Inventory, Equipment, Classes, MartialArts, Fitness, Settings)
│           ├── DashboardPage.js, StudentsPage.js, StudentDetailPage.js
│           ├── ExerciseLibraryPage.js, ShopPage.js, ReportsPage.js
│           ├── AccountingPage.js, MarketingPage.js, WebsitePage.js
│           ├── KioskPage.js, WorkoutDisplayPage.js
│           └── student/  (Dashboard, Classes, Gradings, Programs, Store, Documents, Profile, Messages, Billing)
├── license-portal/  (separate React app)
│   └── src/  (App.js, api.js)
└── public-site/  (separate React app)
    └── src/  (App.js with template engine + SEO)

This document describes the complete system as built. For usage instructions, see the User Guide.

auth.js	/api/auth	Public/Auth	Login, register, refresh, logout, me
students.js	/api/students	Auth+Staff	Student CRUD with subscription management
resources.js	/api/*	Auth	Equipment, inventory, classes, contracts, forms, messages, payments, martial arts, fitness, org settings, staff management
exercises.js	/api/exercises, /api/exercise-plans	Auth	Exercise library, plan builder with sections/groups/items
disciplines.js	/api/disciplines	Auth+MA	Discipline and rank CRUD, student enrollment
belt-progression.js	/api/belt-progression	Auth+MA	Requirements, syllabus, eligibility, readiness, gradings with invitations
programs.js	/api/programs	Auth	Program CRUD, plan linking, student assignment
subscription-plans.js	/api/subscription-plans	Auth	Plan templates, discount rules, class linking, price calculation
shop.js	/api/shop	Auth	POS orders, products, refunds, receipts, account balance
stripe.js	/api/stripe	Auth/Webhook	Checkout sessions, subscription billing, customer portal, webhooks
checkin.js	/api/checkin	Auth/Kiosk	Kiosk management, photo-tap check-in, token scan, self check-in, attendance dashboard, access tokens, body metrics, measurement goals, student preferences
marketing.js	/api/marketing	Auth+Mkt	Campaigns, events, bookings, templates, notification log, quick send
public.js	/api/public	Public	Site data, blog, trial signup, contact forms
site-admin.js	/api/site-admin	Auth+Web	CMS content, blog CRUD, trial leads, contacts, instructors
contracts-forms.js	/api/cf	Auth	Contract signing with merge fields, form submission with field validation, assignments, outstanding tracking, template seeding
reports.js	/api/reports	Auth+Admin	7 report types, CSV export, PDF export
accounting.js	/api/accounting	Auth+Admin	Config, mappings, journal generation, sync, depreciation
practitioner-auth.js	/api/practitioner	Public/Auth	Code generation, practitioner login, therapeutic program access
licenses.js	/api/licenses	SuperAdmin	License management across all organisations

DashboardPage	/dashboard	Overview stats and quick actions
StudentsPage	/students	Student list with plan-based subscription picker
StudentDetailPage	/students/:id	Profile, rank history, syllabus checklist, body metrics, subscriptions
PaymentsPage	/payments	Overview, subscription plans manager, subscriptions, transaction history
MessagesPage	/messages	2-way messaging with auto-refresh
ContractsPage	/contracts	Contract templates with merge fields, signing, assignments
FormsPage	/forms	Form builder with 11 field types, submissions, review
ClassesPage	/classes	Class CRUD, weekly schedule, sessions, enrollment, attendance, workout assignment
ExerciseLibraryPage	/exercises	Searchable exercise catalog
MartialArtsPage	/martial-arts/*	Multi-discipline: ranks, readiness, gradings, syllabus, requirements, plans
FitnessPage	/fitness/*	Programs, exercise plans, body metrics
EquipmentPage	/equipment	Equipment lifecycle management
InventoryPage	/inventory	Stock with colour/brand/size variants
ShopPage	/shop	POS with cart, checkout, orders, refunds
ReportsPage	/reports	7 report types with CSV/PDF export
AccountingPage	/accounting	Xero/MYOB/QBO/CSV, account mapping, journals, depreciation
MarketingPage	/marketing/*	Campaigns, events, templates, send log
WebsitePage	/website	CMS: branding, content, SEO, blog, instructors, leads
SettingsPage	/settings	Org details, GST, Stripe, email, SMS, attendance, rate limits, kiosk devices, staff management with permissions

StudentDashboard	/student	Overview
StudentClasses	/student/classes	Schedule, enrolled classes with self check-in, attendance history
StudentGradings	/student/gradings	Grading invitations, fee payment, results
StudentPrograms	/student/programs	Assigned exercise programs, practitioner access codes
StudentStore	/student/store	Browse/purchase inventory with cart
StudentDocuments	/student/documents	Pending contracts (sign with canvas), forms (fill with field types), submission history
StudentProfile	/student/profile	Personal details
StudentMessages	/student/messages	2-way messaging with staff
StudentBilling	/student/billing	Payment history

LoginPage	/login	Email/password login
KioskPage	/kiosk	Photo-tap/RFID check-in screen
WorkoutDisplayPage	/workout-display	Group workout display + Tabata/AMRAP/EMOM/countdown timers