Client · Edge
▣ Browser dashboard
Agents in the shared inbox — React 19 UI, Supabase Realtime WSS for live messages & presence.
React 19
Tailwind v4
shadcn/ui
☎ WhatsApp customer
End user chatting via WhatsApp — never touches wacrm directly; traffic flows through Meta.
◈ Hostinger CDN / TLS
LiteSpeed edge + free Let’s Encrypt on the customer domain. HSTS + CSP-Report-Only baseline.
HSTS
CSP
DDoS
Application (Next.js 16)
◐ Auth middleware
Every request runs src/middleware.ts — Supabase SSR cookie session, refresh-token rotation, protected-path redirects.
@supabase/ssr
▤ App Router pages
Server-rendered dashboard: /inbox, /contacts, /pipelines, /broadcasts, /automations, /flows, /settings.
RSC
Server Actions
⇄ Internal API routes
/api/whatsapp/* send + templates + config, /api/ai/* drafts & knowledge, /api/automations, /api/flows, /api/account/*.
⚿ Public REST API
/api/v1/{contacts,conversations,messages,broadcasts,webhooks} — scoped, SHA-256-hashed API keys, per-account rate limit.
Bearer rate-limit
✦ Automations & Flows engines
In-process step runners — triggers on inbound / new contact / keyword / schedule; Flows drive interactive WhatsApp button & list replies.
@xyflow/react dagre
Data & Processing
◫ Supabase Postgres
30 idempotent migrations — accounts, contacts, conversations, messages, pipelines, broadcasts, automations, flows, api_keys, webhook_endpoints, ai_configs, ai_knowledge.
RLS on every table
pgvector
tsvector FTS
✎ Supabase Auth
Email/password + magic-link invites. Server routes use service-role key for webhook + engine writes that bypass RLS.
▦ Supabase Storage
Buckets chat-media, flow-media, profile-avatars — account-scoped RLS paths account-<uuid>/…, 16 MB cap.
◔ Cron pinger
GET /api/automations/cron drains pending Wait steps — external scheduler hits it with AUTOMATION_CRON_SECRET.
✧ Realtime channel
Supabase Realtime (postgres_changes) fans row updates to inbox, presence, notifications — best-effort with reconnect resync.
External services
◉ Meta Cloud API
graph.facebook.com/v22.0 — send messages, upload media, submit templates. Access token AES-256-GCM-encrypted at rest.
HMAC-SHA256 verify
✺ OpenAI
api.openai.com/v1/chat/completions + /embeddings — drafts, auto-reply, text-embedding-3-small for RAG.
BYO key
✺ Anthropic
api.anthropic.com/v1/messages — drafts + auto-reply. No embeddings API; lexical FTS path only.
BYO key
➜ Customer webhook receivers
Outbound event webhooks registered per account — HMAC-signed payloads, SSRF-guarded, secret encrypted at rest.