Compose Hybrid Spec

Pick features from multiple specs and mix them into a single build. Notifications from Slack + payments from e-commerce? Go.

Source specs

CRM Platform8 features

Audit Loggingmedium

What to Log*

Sign-in, sign-out, failed login, password reset, MFA enrollment, session revocation.

Role changes, permission grants, user invites, impersonation sessions, configuration changes.

Record who viewed or exported which records.

Record state changes to business records with before/after values.

Storage Backend*

An `audit_log` table with insert-only permissions; never updated or deleted.

Stream audit events to S3 Object Lock, AWS QLDB, or a dedicated audit platform.

Primary audit storage lives in the customer or your SIEM.

User-facing Surface

A searchable, filterable log in your admin panel showing recent events.

A paginated API or scheduled export letting customers ingest audit data themselves.

Tradeoffs

CostData access logging enabled

Read amplification — every authenticated read produces a log write

ComplexityImmutable store chosen

Two storage systems to operate and keep in sync; queries may need to federate

ComplexityAppend-only table only

Tamper-evidence relies on DB role permissions — insufficient for some compliance regimes

fromCRM Platform

File Storagemedium

Storage Backend*

Files stored on the server filesystem

AWS S3, Cloudflare R2, MinIO, etc.

Object storage + edge CDN for global delivery

File Processing

Scan uploads for malware before storing

Auto-generate thumbnails on upload

Verify file type matches declared MIME type

Tradeoffs

ScalabilityLocal disk selected

Not horizontally scalable; lost on server replacement without backup

CostCDN-backed storage selected

Higher monthly cost; requires cache invalidation strategy

LatencyVirus scanning selected

Upload latency increases; requires AV service integration

fromCRM Platform

Notificationsmedium

Delivery Method*

Push notifications instantly as events occur

Client polls server on a fixed interval

Send email when user is offline

Native push notifications for mobile apps

User Control

Simple global on/off toggle

Separate preferences per event category

Highly granular per-item preferences

Tradeoffs

CostReal-time delivery selected

Requires persistent connection infrastructure (e.g. Redis pub/sub, WebSocket server)

LatencyPolling selected

Higher server request volume; notifications may lag by poll interval

ComplexityMobile push selected

Requires APNs/FCM credentials and certificate management

ComplexityPer-source granularity selected

Significantly more complex preference storage and UI

fromCRM Platform

Onboarding & Activationmedium

Onboarding Format*

No dedicated onboarding UI — every empty screen contains a clear primary action pointing to the next step.

A dismissible checklist ("Invite teammate • Create project • Connect integration") visible until complete.

Step-through overlays point at UI elements on first use.

User cannot access the product until they complete N configuration screens.

Personalization Signals

Ask one or two questions to route the user to a tailored first experience.

Present starter templates ('Blank', 'Team docs', 'Marketing site') as the first interaction.

Every new workspace starts with an example project the user can play with.

Activation Support

Email nudges when a user signed up but has not yet hit the key activation action (e.g. created their first project).

A persistent help button that opens relevant docs or a short walkthrough based on the current page.

Intercom-style chat surface active for new users in their first few days.

Tradeoffs

UXSetup wizard as format

Controls first-experience but introduces sign-up drop-off proportional to wizard length

ComplexityActivation emails enabled

Requires event tracking + scheduled jobs + segmentation infrastructure

CostLive chat during onboarding

Staffing cost scales with signup volume — not viable for self-serve products below a certain ACV

fromCRM Platform

Roles & Permissionshigh

Authorization Model*

A fixed enum on the user record gates admin-only routes.

Users are assigned roles; roles bundle permissions; code checks permissions, not roles.

Permissions derived from attributes or graph relationships (owner, member, parent folder, etc.).

Permission Scope*

Permissions apply across the entire product.

A user has different roles in different workspaces or organizations.

Access lives on the resource itself — share a single document with specific users.

Custom Role Management

Roles (admin / member / viewer) are defined in code; customers cannot change them.

Admins can create roles and assign permissions.

Tradeoffs

ComplexitySimple roles chosen

Fast to build but every 'special case' access rule becomes bespoke code that's hard to audit

ComplexityABAC / ReBAC chosen

Requires a policy engine and relationship store kept in sync with primary data

LatencyPer-resource scope enabled

Every list/read query must filter by ACL — expect query-plan work and caching investment

CostCustomer-defined roles enabled

Support load increases substantially — each customer now has a unique permission configuration

fromCRM Platform

Searchmedium

Search Approach*

Structured filters on known fields; no free-text

SQLite FTS5 or Postgres tsvector; keyword matching

Embedding-based similarity search

Search Scope*

Search within one list or dataset

Search across multiple resource types simultaneously

Tradeoffs

ComplexityFull-text search selected

Requires FTS index maintenance; adds write-time overhead

CostSemantic search selected

Embedding generation adds latency and API cost per indexed document

ComplexityGlobal search selected

Results must be unified and ranked across disparate data models

fromCRM Platform

Transactional Emailmedium

Delivery Provider*

Third-party email API with APIs, templates, and deliverability monitoring.

Cheapest at volume; minimal tooling built in.

Your own MTA (Postfix, Haraka) on your own IPs.

Deliverability Setup*

Authenticate your sending domain; publish a DMARC policy; monitor reports.

Consume bounce and spam-complaint webhooks; suppress invalid or unsubscribed addresses.

Different sending domains / IPs for product email vs marketing campaigns.

Your own sending IP instead of a shared pool.

Templating Approach*

Email templates live in your repo, reviewed and tested like any other code.

Templates managed in the provider dashboard; non-engineers can edit.

Single service manages email, in-app, SMS, and push with per-user preferences.

Tradeoffs

CostManaged provider chosen

Vendor cost scales with volume; deliverability expertise comes included

ComplexitySES chosen

Low per-email cost but you own deliverability operations (reputation, bounces, suppression)

ComplexitySeparate streams for marketing vs transactional

Two sending configurations and domains to maintain — worth it for deliverability isolation

fromCRM Platform

User System & Authlow

Authentication Methods*

Classic credential-based login

One-click login via email link

Enterprise single sign-on

Access Control*

No roles — every authenticated user has the same access

Simple two-tier access control

Custom roles with fine-grained permissions

Multi-factor Authentication

Single-factor only

Time-based one-time passwords

Tradeoffs

ComplexityOAuth providers added

Each provider requires an OAuth app registration and key rotation policy

ComplexitySAML/SSO selected

Requires IdP partnership and XML-based protocol handling; significant integration work

ComplexityRBAC selected

Permission checks must be applied consistently across every data access path

fromCRM Platform

Summary

8 of 8 composed features enabled

Pulled from 1 source spec

Effort Estimate

10+ weeks

5+ engineers