Devlumiq ATS — Production-Ready Applicant Tracking System

A complete, database-backed hiring platform built with Next.js 15, React 19, TypeScript, and Prisma ORM. Every core feature reads from and writes to a real PostgreSQL database — no dummy data, no mocked screens. Includes a public marketing site, full RBAC auth, candidate CRM, interview scheduling, offer letters, billing, and optional OpenAI-powered enhancements.

What's Fully Working (End-to-End)

• Core ATS — Dashboard with live stats, candidate/job CRUD, Kanban pipeline (drag & drop persists to DB), calendar, analytics & reports with PDF export, inbox messaging
• Auth & RBAC — JWT + bcrypt session cookies. 5 roles: Admin, Recruiter, Hiring Manager, Interviewer, Viewer. Permission guards on every API route
• Marketing Site — Home, Features, Pricing, Contact, FAQ, Privacy, Terms, Careers
• i18n — 10 locales: EN, AR, ES, FR, DE, PT, HI, ZH, JA, RU
• Email System — Real Nodemailer SMTP. Templates: application confirmation, new-app notification, invite, password reset, email verification
• AI Features (Optional) — Real OpenAI GPT-4o-mini integration. Resume parsing, candidate ranking, candidate screening, job description generation, email drafting. All 5 features work without an API key using rule-based fallbacks; AI enhances quality when configured
• Resume Parser — Real PDF/DOCX text extraction via pdf-parse + mammoth. Optional AI semantic extraction
• File Storage — Configurable local (default), AWS S3, or Cloudflare R2 with AWS Signature V4 upload
• Checkr Background Checks — Real API calls to api.checkr.com. Candidate creation, invitation sending, status sync, webhook handling with HMAC verification
• WhatsApp Business API — Real Meta Graph API messaging to candidates
• Zapier — Real trigger endpoints, subscription DB model, event logging
• Custom Webhooks — Webhook endpoints with secret verification, retry logic, event DB logging
• Chrome Extension — Manifest V3 extension with content script that scrapes LinkedIn profiles and imports into the ATS
• Stripe Billing — Real checkout sessions, customer creation, subscription syncing, webhook handling
• Interview Scoring — Scorecard templates, weighted criteria, 1–5 star ratings, recommendations
• Offer Letters — HTML offer generation with templates and variable substitution
• Candidate Portal — Public careers portal with applications, saved jobs, activity logs
• Career Page Builder — Company branding (colors, fonts, CSS), team members, benefits
• Assessments — Templates, questions (MCQ, coding, open-ended), assignments, responses
• Referrals — Referral programs, reward tracking, status workflow
• Email Sequences — Automation triggers, steps, enrollments, scheduled sends

What's Partially Implemented

• DocuSign — OAuth flow, token refresh, webhook handler with HMAC, DB workflow. Actual envelope creation requires the DocuSign SDK (not included)
• Google Calendar — OAuth flow, token refresh, DB storage. Events are stored locally in DB only; external Calendar API sync requires additional OAuth setup
• Job Boards — DB records created, UI for tracking. No live posting to LinkedIn/Indeed/Glassdoor APIs yet
• S3/R2 Delete — Upload works perfectly. Delete is stubbed and does nothing for S3/R2
• Slack / Zoom / GraphQL — Listed in UI or marketing. No backend API code implemented yet

Tech Stack

• Next.js 15 (App Router) + React 19 + TypeScript
• Tailwind CSS + Framer Motion + Lucide React
• Prisma ORM + PostgreSQL
• JWT session auth + bcrypt
• Vitest + Playwright testing setup

Database Models (30+ tables)

User, Job, Candidate, Application, InterviewEvent, MessageThread, Message, Notification, ActivityLog, Announcement, CandidateNote, EmailTemplate, InterviewScore, OfferLetter, Comment, Resume, JobBoardIntegration, CandidatePortalUser, Assessment, Referral, EmailSequence, and more.

Security

• JWT + httpOnly session cookies
• bcrypt password hashing
• Rate limiting (Redis-ready)
• HMAC webhook verification (Checkr, DocuSign)
• API key hashing
• CSP headers + origin-based CSRF protection

Core ATS (Fully Working End-to-End)

• Dashboard — Live stats, pipeline counts, recent candidates, activity feed — all from PostgreSQL
• Candidates — Full CRUD: list, filter, paginate, export to PDF/Excel, profile pages with timeline
• Jobs — Create, edit, publish, and manage job postings with full DB persistence
• Kanban Pipeline — Drag-and-drop board; stage changes persist to the database in real time
• Calendar — FullCalendar integration; interview events stored in DB with scheduling UI
• Analytics & Reports — Visual charts (Chart.js) with PDF export via jsPDF
• Inbox & Messaging — Thread-based messaging UI with API backend

Authentication & Access Control

• JWT Session Auth — httpOnly cookies, bcrypt password hashing, email verification, password reset
• RBAC — 5 roles: Admin, Recruiter, Hiring Manager, Interviewer, Viewer
• Permission Guards — Every API route protected by permission middleware (withPermission)

AI Features (Optional — Work Without API Key)

• Resume Parsing — AI semantic extraction vs regex keyword fallback
• Candidate Ranking — AI scoring with reasoning vs simple skill-match fallback
• Candidate Screening — AI fit assessment vs rule-based verdict fallback
• Job Description Generator — AI-written inclusive JD vs structured template fallback
• Email Drafting — AI-composed outreach vs pre-built template fallback

Recruitment Tools

• Smart Search — Advanced candidate search with filters for skills, experience, tags, source, and pipeline stage
• Email Studio — Templates with variable substitution ({{candidateName}}, {{position}}) and instant SMTP sending
• Interview Scoring — Scorecard templates, weighted criteria, 1–5 star ratings, recommendations
• Offer Letters — One-click HTML offer generation with salary, benefits, start date, and variable substitution
• Team Collaboration — Candidate comments with @mentions for team discussion
• Resume Parser — Real PDF/DOCX text extraction via pdf-parse + mammoth

Integrations (Real API Calls)

• Checkr Background Checks — Real api.checkr.com calls: candidate creation, invitation sending, status sync, webhooks with HMAC verification
• WhatsApp Business API — Real Meta Graph API messaging to candidates
• Stripe Billing — Checkout sessions, customer creation, subscription syncing, webhook handling
• Zapier — Real trigger endpoints, subscription DB model, event logging
• Custom Webhooks — Webhook endpoints with secret verification, retry logic, event DB logging
• Chrome Extension — Manifest V3 extension with content script that scrapes LinkedIn profiles and imports into the ATS

Candidate Experience

• Career Page Builder — Public careers portal with company branding (colors, fonts, CSS), team members, and benefits
• Candidate Portal — Public portal with applications, saved jobs, and activity logs (real CandidatePortalUser model)
• Referrals — Referral programs, reward tracking, status workflow
• Assessments — Templates, questions (MCQ, coding, open-ended), assignments, and responses
• Email Sequences — Automation triggers, steps, enrollments, and scheduled sends

Marketing & Internationalization

• Marketing Site — Home, Features, Pricing, Contact, FAQ, Privacy, Terms, Careers
• i18n — 10 locales: English, Arabic, Spanish, French, German, Portuguese, Hindi, Chinese, Japanese, Russian

File Storage

• Configurable: local (default), AWS S3, or Cloudflare R2 with AWS Signature V4 upload

Security

• JWT + httpOnly session cookies, bcrypt hashing
• Rate limiting (Redis-ready for multi-instance)
• HMAC webhook verification (Checkr, DocuSign)
• API key hashing, CSP headers, origin-based CSRF protection

Partially Implemented (Buyers Should Know)

• DocuSign — OAuth flow, token refresh, webhook handler with HMAC, DB workflow. Envelope creation requires SDK (not included)
• Google Calendar — OAuth flow, token refresh, DB storage. Events stored in DB only; external Calendar API sync not live
• Job Boards — DB records created, UI for tracking. No live posting to LinkedIn/Indeed/Glassdoor APIs
• S3/R2 Delete — Upload works. Delete function is stubbed

Not Implemented (UI Only / Marketing Mention)

• Slack integration — UI card only, no backend API code
• Zoom integration — UI card only, no backend API code
• GraphQL — Mentioned in marketing; only REST API exists
• Outlook Calendar — Mentioned as planned; no code

System Requirements

• Node.js 18 or higher
• npm (bundled with Node.js) or yarn
• PostgreSQL database (Neon, Supabase, Railway, or local Postgres)

Required Environment Variables

• DATABASE_URL — PostgreSQL connection string
• JWT_SECRET — strong random secret (64 chars recommended)
• NEXT_PUBLIC_APP_URL — public app URL

Optional But Recommended

• SMTP credentials — for real email delivery
• OpenAI API key — for enhanced AI features

Notes

• TypeScript compiles with zero errors (tsc --noEmit)
• All premium features are integrated into the main dashboard — no separate purchase required
• Code is strictly modular; removing an integration is a matter of deleting its API route folder

Installation & Setup

1. Extract the archive and open the project folder
2. Run npm install
3. Copy environment file: cp .env.example .env (Windows: copy .env.example .env)
4. Fill in the required variables in .env:
   • DATABASE_URL — PostgreSQL connection string
   • JWT_SECRET — 32+ character random string
   • NEXT_PUBLIC_APP_URL — your public URL
5. Generate Prisma client: npx prisma generate
6. Run migrations: npx prisma migrate deploy
7. Seed demo data: npm run seed
8. Start dev server: npm run dev
9. Open http://localhost:3000 and log in with [email protected] / Demo@1234

One-Command Setup (Alternative)

After step 3 (filling .env), run: npm run setup

Demo Accounts (seeded automatically)

• Admin: [email protected] / Demo@1234
• Recruiter: [email protected] / Demo@1234
• Hiring Manager: [email protected] / Demo@1234
• Interviewer: [email protected] / Demo@1234
• Viewer: [email protected] / Demo@1234

Optional Integrations

All features work without these. Add keys to .env to activate:

• OpenAI: OPENAI_API_KEY — enables smarter AI resume parsing, ranking, screening, JD generation, and email drafting
• Email SMTP: SMTP_HOST, SMTP_USER, SMTP_PASS — required for real email sending (password reset, invites, notifications)
• Checkr: CHECKR_API_KEY — background checks
• WhatsApp: WHATSAPP_TOKEN, WHATSAPP_PHONE_NUMBER_ID — candidate messaging
• Stripe: STRIPE_SECRET_KEY, STRIPE_WEBHOOK_SECRET — subscription billing
• DocuSign: DOCUSIGN_CLIENT_ID, DOCUSIGN_CLIENT_SECRET — e-signature workflow (OAuth works; envelope sending requires SDK)
• Google Calendar: GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET — OAuth setup only; no live calendar sync yet
• File Storage: Set FILE_STORAGE_PROVIDER to s3 or r2 and configure AWS/Cloudflare credentials

Deploy to Vercel (Production)

1. Connect your GitHub repo to Vercel
2. Add environment variables from .env in the Vercel dashboard
3. Push to deploy — build auto-runs Prisma generate + migrate
4. Run npx prisma db seed once after first deploy