Docs / Modules

The module system

Every Alleex Cloud app is composition, not freeform codegen. You pick modules from a vetted registry; the engine combines them into a working Next.js app that is correct by construction.

Browse templates →Start composing

The model

What a module is

A module is a self-contained unit of functionality with a machine-readable manifest: module.json. The manifest declares everything the composition engine needs to combine modules safely: the database schema fragment, the server actions, the UI components, the API routes, the secrets, the compliance obligations, the MCP tools, and the audit events it emits.

The engine reads every module's manifest before generating code. It validates composition constraints (dependsOn / conflictsWith), enforces compliance gates (analytics requires compliance-eu), merges schema fragments into @alleex-cloud/canonical-schema, and wires the MCP spine to expose each module's tools. The app you get out is a coherent whole — not patched fragments.

This is the difference between Alleex Cloud and a prompt-to-code tool. Modules are contracts. The engine can reason about them. Free-form codegen cannot.

The manifest

module.json — field reference

Field	Type	Purpose
`id`	string	Unique slug used in templates, CLI, and the registry.
`category`	string	Composition group: auth, compliance, payments, ai, notifications, …
`schemaFragment`	object	Drizzle table definitions and RLS policies the module contributes to @alleex-cloud/canonical-schema.
`serverActions`	array	Next.js server actions the module exposes: name, file, public/user scope.
`uiComponents`	array	React components generated into the app (e.g. CookieBanner).
`routes`	array	API route handlers contributed to the generated app (path, method, handler file).
`secrets`	array	Required and optional env vars the module needs at runtime.
`compliance`	object	Compliance tag: personalDataCollected, dsarHandler, deletionHandler, subprocessors, aiActImpact.
`mcp`	object	MCP tools this module exposes — name, description, scopes, humanApprovalRequired.
`auditEvents`	string[]	Event names the module emits to the hash-chained audit log (e.g. auth.user.created).
`dependsOn / conflictsWith`	array	Composition constraints the engine enforces: a module may require or exclude another.
`hooks`	object	Lifecycle scripts run by the composition engine: onInstall, onUninstall.

Compliance

The compliance tag

Every module that touches personal data carries a compliance block in its manifest. It declares what personal data the module collects, which file handles DSAR export, which file handles erasure, which subprocessors the module introduces, and the EU AI Act impact classification.

This is not a self-attestation field — the composition engine reads it. When a DSAR request arrives, the engine calls each installed module's dsarHandler in turn and assembles a complete export. When a user requests erasure, each module's deletionHandler is called. The compliance-eu module orchestrates the 30-day window and surfaces overdue requests in the dashboard.

The EU AI Act risk register is generated at compose time: every module with aiActImpact set to anything other than none contributes a row to the register. The register is readable via the MCP tool compliance_get_risk_register.

Example — compliance tag (compliance-eu module.json)

"compliance": {
  "personalDataCollected": [
    "cookie_consent_choices",
    "ip_hash",
    "user_agent_hash",
    "dsar_request_metadata"
  ],
  "dsarHandler": "compliance/dsar.ts",
  "deletionHandler": "compliance/delete.ts",
  "subprocessors": [],
  "aiActImpact": "none"
}

MCP

Modules expose MCP tools

Each module declares its MCP tools in the mcp block of its manifest: name, description, required scopes, and whether the tool requires explicit human approval before execution. The hosted MCP spine wires every installed module's tools into a single endpoint your agents and CLI tools can call.

Destructive or sensitive tools (cancelling a subscription, revoking a session, initiating a DSAR export) carry humanApprovalRequired: true in the manifest. The spine enforces this — it is not a convention, it is a gate the module author cannot skip.

Read-only informational tools (who_am_i, compliance_get_model_card, compliance_get_risk_register) run without approval. The distinction is declared in the manifest and enforced at runtime.

Auditability

Modules emit named audit events

Every module lists its audit event names in auditEvents. These names are the exact strings written to the hash-chained audit log when those operations happen (for example, auth.user.created, compliance.dsar.completed, compliance.consent.recorded).

Each audit row is hash-chained to the previous row via a server-side Postgres trigger. Chain heads are periodically witnessed in Sigstore Rekor — a public, append-only transparency log — so retroactive alteration is detectable by any third party. This is not opt-in: the audit table and trigger are part of @alleex-cloud/canonical-schema and present in every generated app.

For the full compliance picture — what the audit log covers, how to export it, and how Rekor witnessing works — see the compliance docs.

Registry

Modules in the registry

The following modules are in the registry as of this writing. The registry is the source of truth — if a module appears here, its module.json is live in the codebase.

auth

Better Auth

auth-better

Email + password, sessions, passkeys, TOTP 2FA, magic links.

Apple Sign-In

auth-oauth-apple

OAuth2 sign-in via Apple.

GitHub OAuth

auth-oauth-github

OAuth2 sign-in via GitHub.

Google OAuth

auth-oauth-google

OAuth2 sign-in via Google.

compliance

EU Compliance

compliance-eu

GDPR cookie consent, DSAR portal, erasure orchestration, EU AI Act risk register, auto-generated privacy policy.

US Compliance

compliance-us

US-facing compliance primitives.

Age Verification

age-verification

Age gate for regulated content.

payments

Stripe Subscriptions

stripe-subscriptions

Recurring subscriptions via Stripe Checkout; x402 on Base for agent payments.

One-time Payments

stripe-onetime

One-time Stripe charge with x402 support.

Stripe Connect Marketplace

stripe-connect-marketplace

Multi-party payouts via Stripe Connect.

Stripe Tax (EU VAT)

stripe-tax

EU VAT calculation and collection.

commerce

Booking & Scheduling

booking

Availability editor, slot booking, deposit via Stripe.

AI Chat (BYOK)

ai-chat

LLM chat with bring-your-own-key; EU AI Act model card generated at install.

notifications

Web Push

push

Self-hosted push notifications via the Web Push API.

cli

CLI Config

cli-config

Persistent user config for CLI-first apps.

platform

Desktop Auto-Updater

desktop-auto-updater

Tauri / Electron update channel.

browser-extension

Extension Storage

extension-storage

Synced storage layer for browser extensions.

Registry growth: New modules are added when their module.json, implementation, tests, and compliance tag are all complete. We do not list modules before they ship.

Constraints

How the engine enforces composition

Modules can declare hard composition rules. The engine validates these before generating any code:

dependsOn

stripe-subscriptions requires auth-better ≥ 1.0.0

If the required module is not in the plan, the engine rejects the composition with a clear error — it does not silently add the dependency.

conflictsWith

auth-better conflicts with auth-clerk-customer, auth-supabase

Two conflicting modules cannot appear in the same plan. The engine surfaces the conflict at compose time.

Compliance gate (implicit)

Any module that collects personal data requires compliance-eu in EU-targeted plans

The engine rejects a plan that adds an analytics or data-processing module without compliance-eu. This constraint is architectural, not user-configurable.

See modules in action

Every template in the gallery is a composition of real modules. Pick a template to see which modules it uses, what they require, and what the generated app includes.

Browse the gallery Compliance docs