Everything inside BunShip
12 backend modules. 202 tests. Every connection wired.
How the modules connect
Each module owns its routes, services, migrations, Zod schemas, and tests. They connect at the middleware layer, auth checks billing state before granting access, teams enforce RBAC on every protected route, webhooks fire background jobs through BullMQ.
Auth
JWT access + refresh tokens, TOTP 2FA, magic link login, email verification, session management, brute-force lockout with progressive delays.
- JWT access + refresh tokens
- TOTP-based two-factor auth
- Magic link login
- Email verification
- Session management
- Brute-force lockout
- Progressive delays
- Password reset flow
Billing
Stripe subscriptions with trials, usage caps, customer portal redirect. Webhook sync keeps your database and Stripe in agreement.
- Stripe subscriptions
- Free trials
- Usage caps
- Customer portal
- Webhook state sync
- Plan enforcement
Teams & Permissions
Multi-tenant orgs with owner, admin, member, viewer roles. 20+ granular permissions enforced at the middleware. Invites and ownership transfer included.
- Owner, admin, member, viewer
- 20+ granular permissions
- Email invite flows
- Ownership transfer
- Middleware-level RBAC
- Multi-tenant architecture
Webhooks
HMAC-signed payloads, exponential backoff retries, delivery logs with status codes, manual resend from the API.
- HMAC-signed payloads
- Exponential backoff
- Delivery logs
- Status tracking
- Manual resend
Background Jobs
BullMQ queues backed by Redis. Retry logic, failure handling, dead letter queues, scheduled tasks.
- BullMQ queues
- Redis-backed
- Retry logic
- Dead letter queues
- Scheduled tasks
- Failure handling
API Keys
Scoped permissions, rate limiting, expiration, key rotation.
- Scoped permissions
- Rate limiting
- Expiration dates
- Key rotation
Emails
React Email templates via Resend. Verification, invites, billing alerts, password resets.
- React Email templates
- Sent via Resend
- Verification emails
- Team invites
- Billing alerts
- Password resets
OAuth
Google and GitHub sign-in with account linking. No duplicate accounts.
- Google sign-in
- GitHub sign-in
- Account linking
- No duplicates
File Uploads
S3-compatible presigned URLs with size and type restrictions. AWS S3, Cloudflare R2, MinIO.
- Presigned URLs
- Size limits
- Type restrictions
- AWS S3
- Cloudflare R2
- MinIO
Audit Logs
Before/after snapshots on every mutation. User, timestamp, IP address.
- Before/after snapshots
- User tracking
- IP recording
- Timestamps
- Mutation history
Security
Argon2id hashing, rate limiting, Zod validation, Helmet headers, CORS.
- Argon2id hashing
- Rate limiting
- Zod validation
- Helmet headers
- CORS configured
API Docs
Auto-generated OpenAPI from Elysia schemas. Swagger UI at /docs. Zero maintenance.
- Auto-generated OpenAPI
- Swagger UI at /docs
- Self-updating
- Zero maintenance
Why this stack
Every dependency eliminates a category of bugs or removes a build step.
Bun
Runs TypeScript natively. Built-in test runner. Installs dependencies in seconds.
Elysia
End-to-end type inference from handler to response. Auto-generates OpenAPI 3.1. Eden client gives typed API calls on the frontend.
Drizzle
SQL-like syntax that doesn't hide the query. Auto-generated migrations. Supports Turso, Postgres, MySQL, PlanetScale.
Turso
Managed SQLite with edge replicas. Zero connection pool issues. Swap to Postgres with one config change.
202 tests, CI/CD, Docker
Every module has tests. Auth flows, billing webhooks, team operations, API key scoping, upload validation, audit logs. Run bun test.
Tests
202 tests across 194 files. Auth, billing, teams, webhooks, API keys, uploads, audit logs. Run bun test.
Docker
Docker Compose for local development with Redis, database, and all services. Production Dockerfile included.
CI/CD
GitHub Actions pipeline. Lint, type-check, test, build. Ready to connect to your deployment target.