The product OS for the AI age
Only the prepared survive.
Ship like you mean it.
AI is rewriting every rule in software. The teams that win aren't the biggest — they're the ones with the strongest foundation. This is that foundation.
The inflection point
AI is killing SaaS. Good.
The companies still piecing together ten SaaS tools per product, still deploying from laptops, still telling the board that AI is “next quarter” — they're the ones getting disrupted. A small team with the right foundation now outships organizations a hundred times their size — and the gap is only widening.
Whether you've just closed a funding round, are launching a new product line, or are modernizing a legacy stack — Epoch is the foundation that lets your team focus on product, not plumbing.
You ship product. Not infrastructure.
Your 3-person team ships like a 30-person org. You deploy on day one, serve enterprise customers on day thirty, and never rewrite your foundation. Here's what makes that possible.
224 features you don't build
Auth, billing, AI agents, MCP, multi-tenancy, notifications, webhooks, search, observability, GDPR. Every one integrated and tested — so you build product, not plumbing.
2,300+ tests run every commit
Refactor fearlessly. Ship confidently. Your CI catches what you miss — backend, E2E, a11y, and visual regression on every push.
Zero rewrites to scale
Production Kubernetes from commit one. The same architecture serves your first customer and your thousandth — no rewrite, no migration, no re-platform.
Under €10 per month, full stack
Enterprise architecture at indie cost. Kubernetes on Hetzner + Cloudflare CDN + free-tier services. Scale horizontally when revenue justifies it.
How you get there
224 features, 2,300+ tests, architecture docs, and a Definition of Done — everything wired together so your team (and Claude Code) can ship with confidence, not just speed.
AI Agents & MCP
Your product speaks agent from day one. Five agent types with auto-routing, streaming, human-in-the-loop, and persistent cross-conversation memory. Every API endpoint is an MCP tool — so Claude, Copilot, and custom agents can use your product natively.
Your AI remembers
Cross-thread memory with two scopes — facts your team shares (brand voice, ICP, team structure) and preferences just for you. Stored as embeddings, RAG-injected at the thread root for cache-stable replies that don't start cold.
Multi-tenancy & RBAC
Serve enterprise customers from week one. Full tenant isolation, four roles, team management, whitelabel branding, and onboarding checklists — all built in.
Stripe Billing
Revenue flowing before your trial ends. Checkout, customer portal, trials with auto-expiry, subscription gates, and usage tracking — webhook-driven with 25+ behavioral tests.
Production Kubernetes
Deploy without a platform team. One-command push to k3s with Helm charts, OpenTofu IaC, rolling deploys, and horizontal scaling. Cloud-agnostic. Under €10/month.
Full Observability
Know everything. Fix anything. OpenTelemetry APM, Sentry error tracking, structured logging, audit trail, PostHog analytics — and a public status page hosted off-cluster so customers see the truth even during an outage.
60+ Design Primitives
Beautiful by default. Accessible by design. shadcn/ui components, Storybook, WCAG 2.1 AA, dark mode, i18n in 6 languages, PWA — mobile-first from 320px.
CI Quality Gate
Refactor fearlessly. Ship confidently. 2,300+ tests, visual regression, and accessibility audits run on every commit — quality enforced in the pipeline, not in code review.
Agentic Development
Claude Code ships features, not just code. Architecture docs, Definition of Done, specialized review agents — every workflow designed for AI-augmented development.
Every feature. No asterisks.
224 production features across 13 categories. Expand any section to see the full list.
Authentication & Security (21)
- Session-based auth (httpOnly, SameSite, Secure)
- API key auth (SHA-256 hashed, shown once at creation)
- OAuth 2.1 with PKCE + dynamic client registration
- Google + Microsoft social login
- TOTP authenticator app MFA
- WebAuthn / Passkey support
- Recovery codes
- Email verification (mandatory)
- Password reset flow
- RBAC — Owner, Admin, Member, Viewer
- CSRF protection on all mutations
- Rate limiting on all endpoints (read, write, LLM tiers)
- RBAC role caching (Redis, signal-invalidated)
- LLM prompt injection prevention — active sanitization at the LLMFactory boundary
- Request body size limits (5MB)
- API key tenant mismatch detection
- Passkey-encouraged signup (progressive registration)
- Account enumeration prevention
- Security headers (HSTS, CSP, X-Frame-Options)
- Dependency vulnerability scanning (Dependabot, pip-audit, npm audit)
- Non-root container security contexts
Multi-tenancy & Teams (15)
- Tenant-scoped data isolation (middleware + model layer)
- Team invitations with email + token hashing
- Member role management (change, remove)
- Extended member profiles (avatar, phone, timezone, title)
- Tenant branding — OKLCH color customization
- Tenant logo upload (presigned URLs)
- Tenant slug + display name
- Session version tracking (force re-auth on role change)
- Cross-tenant context safety via signals
- MFA enforcement per tenant
- Onboarding checklist (floating widget, progress ring, confetti)
- Configurable onboarding steps (admin-defined, auto-progress)
- APP_NAME whitelabel branding (emails, admin, MFA issuer)
- Public user profile popovers (click-to-view)
- Tenant data portability — `manage.py export_tenant` for customer handoff and exit
AI Agents & LLM (23)
- Web search agent (Serper.dev + synthesis)
- KB support agent (RAG with citations)
- Project status agent (read-only analysis)
- Project creation agent (HITL confirmation)
- Project ideation agent (brainstorm + web search)
- Auto-routing via LLM classification
- Conversation threading (multi-turn)
- SSE streaming via Redis pub/sub
- Human-in-the-loop (pause/resume)
- Tool whitelisting per agent type
- Cost controls (max iterations + time limit)
- Agent eval harness — file-based test corpus, `/eval` slash command, side-effect-free runs (no quota burn)
- Provider-aware LLM caching on supported models
- LLM factory with multi-provider support (litellm)
- Model fallback chains
- Prompt injection sanitization (active filtering of user/tool messages before LLM dispatch)
- LLM usage tracking per call
- OpenAI function calling export
- AI provenance tracking (`<AiBadge>` + EU AI Act Article 50 compliance)
- Persistent AI memory (dual-scope: tenant-shared facts + user-private preferences, RAG-injected at thread root for cache-stable replies)
- AI Memory management UI — users curate the shared and personal memory store the agents draw from, with admin-only edit on shared rows
- Agent chat UI — threaded conversations, markdown rendering (GFM), live SSE streaming, mobile-first responsive (320px+), entered from the help widget or `/agents`
- Cross-conversation thread memory — replies replay the same memory fence verbatim so the system prompt stays byte-stable for prefix caching
MCP Server (10)
- Streamable HTTP transport (JSON-RPC)
- OAuth 2.1 Bearer token auth
- API key auth (works alongside OAuth — backward-compatible Bearer tokens)
- Dynamic client registration (RFC 7591)
- PKCE + loopback redirect URIs
- Platform provisioning (ChatGPT, Copilot Studio, Vertex AI)
- Stateless per-request auth (horizontal scaling)
- Token lifecycle (1h access, 30-day refresh + rotation)
- Stale token + client cleanup (Celery Beat)
- Connected Apps management UI
Billing & Monetization (12)
- Stripe integration via dj-stripe
- Checkout session creation
- Customer portal link
- Plan + PlanFeature models
- Trial auto-creation on signup
- Trial expiring + expired notifications
- Subscription gate (paywall component)
- LLM usage tracking per feature
- Webhook-driven sync (25+ behavioral tests)
- 3 fixture plans for development
- Plan quota enforcement (HTTP, MCP, and agent paths)
- QuotaGate paywall with usage indicators
Notifications & Webhooks (14)
- Email notifications (Resend / any SMTP)
- In-app SSE real-time notifications
- Per-category, per-channel preference management
- Mandatory notification flags
- HMAC-SHA256 signed webhooks
- Webhook signing secrets encrypted at rest
- Webhook retry with delivery log
- Curated event catalog (internal → public mapping)
- Branded email templates (dark mode, Outlook VML)
- Welcome email on verification
- Trial expiring / expired lifecycle emails
- Weekly changelog digest (Celery Beat)
- In-app product changelog page — categorised entries (feature / fix / improvement) with AI provenance badge per EU AI Act Article 50, accessed from the help widget
- Notification bell with SSE dropdown inbox
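The list above names HMAC-SHA256 signed webhooks and retry with a delivery log but does not spell out the verification a receiver should perform. The following is an added example, not Epoch's own code: the header names, the `timestamp.body` signing input and the five-minute tolerance are assumptions chosen for illustration. It shows the sender side and the receiver side together, with the two checks that matter for a defender: a constant-time digest comparison and a replay window bound into the MAC.

```python
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

# Hypothetical header names; a real integration uses whatever the sender documents.
SIGNATURE_HEADER = "X-Webhook-Signature"
TIMESTAMP_HEADER = "X-Webhook-Timestamp"
TOLERANCE_SECONDS = 300  # reject deliveries whose timestamp is older than 5 minutes


def sign_payload(secret: bytes, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over 'timestamp.body' so a captured delivery cannot be replayed
    later with a fresh timestamp: changing the timestamp changes the MAC."""
    message = str(timestamp).encode() + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def build_delivery(secret: bytes, event: dict, now: Optional[int] = None) -> Tuple[Dict[str, str], bytes]:
    """Sender side: serialise the event canonically and attach signature + timestamp headers."""
    body = json.dumps(event, separators=(",", ":"), sort_keys=True).encode()
    timestamp = int(time.time() if now is None else now)
    headers = {
        TIMESTAMP_HEADER: str(timestamp),
        SIGNATURE_HEADER: "sha256=" + sign_payload(secret, timestamp, body),
    }
    return headers, body


def verify_delivery(secret: bytes, headers: Dict[str, str], body: bytes, now: Optional[int] = None) -> bool:
    """Receiver side: returns True only if the timestamp is fresh and the MAC over
    the raw body matches. Verify the raw bytes, never a re-serialised parse."""
    try:
        timestamp = int(headers[TIMESTAMP_HEADER])
        provided = headers[SIGNATURE_HEADER]
    except (KeyError, ValueError):
        return False
    current = int(time.time() if now is None else now)
    if abs(current - timestamp) > TOLERANCE_SECONDS:
        return False  # outside the replay window
    scheme, _, digest = provided.partition("=")
    if scheme != "sha256":
        return False
    expected = sign_payload(secret, timestamp, body)
    # compare_digest avoids leaking the position of the first mismatching byte via timing.
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    secret = b"constructed-signing-secret"
    event = {"type": "project.created", "project_id": 42}
    hdrs, raw = build_delivery(secret, event, now=1_700_000_000)
    print("genuine delivery verifies:", verify_delivery(secret, hdrs, raw, now=1_700_000_010))
    print("tampered body verifies:", verify_delivery(secret, hdrs, raw.replace(b"42", b"43"), now=1_700_000_010))
```

The signing secret should be looked up per endpoint and, as the list above notes, stored encrypted at rest; rotating it means accepting two secrets during the overlap window and checking each with `verify_delivery`.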
Search & Knowledge Base (16)
- Hybrid search (vector + keyword, RRF fusion)
- pgvector embeddings (HNSW index)
- Stored tsvector with GIN index
- Keyword fallback (SQLite-compatible)
- Unified search dispatcher
- Knowledge base articles (Markdown + frontmatter)
- Heading-aware chunking (500-token sections)
- Help center (Docusaurus, Cloudflare Pages)
- Dual docs (user guides + developer docs)
- Client-side search (Pagefind)
- In-app help widget with KB search
- Contextual help links to articles
- "Ask AI" button → RAG support agent
- Cmd+K command palette (global search)
- 6 locales in app (help center English-only)
- Persistent AI memory — RAG over user-curated context (cross-listed with AI Agents)
Observability & Operations (19)
- Sentry error tracking + structured logs
- OpenTelemetry distributed tracing + APM
- Automated error triage + GitHub issue creation (scheduled)
- Auto-instrumentors (Django, Celery, Redis, psycopg, httpx)
- Manual spans on LLM calls + tool execution
- Structured logging (JSON prod, text dev)
- Audit trail (EventLog with tenant + user attribution)
- Audit categories (billing, team, projects, agents, system)
- Audit log UI with filtering + date range picker
- django-simple-history (field-level change tracking)
- PostHog analytics (frontend events + tenant/user identity)
- Live dashboard (animated metrics, sparklines, activity feed)
- Celery Flower monitoring (opt-in Helm template)
- Analytics event retention policy (configurable, batch prune)
- GDPR-safe (no PII in errors or logs)
- Slow query logging (pg_stat_statements)
- PostHog feature flags (gradual rollout, A/B testing)
- Public status page (cloud-agnostic, off-cluster, 90-day uptime history)
- Live marketing footer status pill (green/amber/red, updates every 60s)
Infrastructure & Deployment (28)
- Kubernetes deployment (k3s on Hetzner)
- Helm umbrella chart (app, worker, beat, migrations)
- OpenTofu infrastructure-as-code
- Cloud-agnostic (Hetzner, GCP, AWS — same Helm chart)
- Cloudflare CDN + DNS
- Cloudflare R2 for static/media storage
- Presigned URL file uploads (S3-compatible)
- GitHub Actions CI/CD pipeline
- Docker multi-platform builds (ARM64)
- Celery worker + dedicated agents queue
- Celery Beat for scheduled tasks
- PostgreSQL 16 with pgvector
- Redis 7 (cache + pub/sub + task broker)
- Horizontal scaling (stateless pods, shared-nothing)
- High availability (CloudNativePG, rolling updates)
- Zero-downtime rolling deploys (Helm + K8s)
- Under €10/month full-stack cost
- Marketing website (Astro + Cloudflare Pages)
- PgBouncer connection pooling (CloudNativePG)
- Automated database backups (Barman to R2, 6h schedule)
- Disaster recovery testing scripts
- Kubernetes liveness + readiness health probes
- HPA autoscaling templates (CPU/memory, configurable)
- Pod disruption budgets (rolling update safety)
- Staging environment config (on-demand deploy from any branch)
- Declarative backup configuration (Helm values)
- Redis Sentinel HA mode (documented, config-ready)
- Read-through Redis cache for hot role lookups — keeps tenant-scoped requests off the primary DB under load
Frontend & Design System (21)
- 60+ shadcn/ui design system primitives
- Composed components (DataTable, FormField, Sidebar, etc.)
- Storybook with autodocs + accessibility addon
- Chromatic visual regression testing
- WCAG 2.1 AA accessibility (lint + dev + CI)
- Dark mode (system preference + manual toggle)
- Mobile-first responsive (320px minimum)
- OKLCH color tokens (perceptual uniformity)
- Tenant branding via CSS variable override
- React 19 with TanStack Query
- Type-safe API client (openapi-fetch + generated types)
- Single-RTT cold mount (`/api/bootstrap` collapses user + tenants into one request)
- i18n with 6 languages — ESLint guard blocks hardcoded JSX strings, per-key untranslated detection in CI (strict mode)
- Code splitting (route-level lazy loading)
- Route-level error boundaries
- PWA / service worker (offline-ready)
- One-command PWA icon generation (SVG → all PNG sizes)
- Brand hue sync across 6 surfaces (CI-enforced)
- Glassmorphism design system (centralized .glass utility)
- Drag-and-drop file upload component
- HEIC/HEIF mobile image support
Developer Experience (35)
- 13 project-shipped Claude Code skills covering scaffolding, ship loop, deploy, ops, audits, evals, and i18n — listed below
- `/ship` — full implement loop: code → tests → local CI → DoD + parallel review subagents (security, code, UX, docs) → fix every finding → PR with standardized status report
- `/deploy` — one command: prod state diff → local CI → build + push + Helm upgrade for every changed surface → cluster health verify
- `/translate` skill — parallel subagent per locale, enforces glossary + per-locale register, runs after EN key changes or as a periodic sweep (plus CI auto-translate fallback)
- `/audit-marketing-website` — three-pass audit (strategic narrative → page-job fit → tactical voice/visual/technical) gating marketing copy and visual changes
- `/eval` — agent eval harness runner (file-based corpus, side-effect-free, scored against a rubric for prompt iteration without regressions)
- `/lighthouse` — perf + a11y + SEO + best-practices audits on the marketing site, also wired as a pre-deploy gate
- `/ops-runbook` — production maintenance ops (deploy, changelog, KB embeddings, collectstatic) via kubectl-based runbooks
- `/make-migrations` — Django migration creation + verification with tenant-scoped checks
- `/add-primitive` — adds a shadcn/ui primitive (CLI run + import fix + barrel export + autogenerated story + verification)
- `/generate-ui-component` — composed design-system component with CVA variants, JSDoc, colocated Storybook story, and barrel export
- `/generate-page` — new SPA page with i18n keys, design-system imports, route registration, and E2E test scaffold
- `/new-api-endpoint` — tenant-scoped Django Ninja CRUD endpoint with model, schemas, router, RBAC policy, and tests
- `/commit` — quick CI checks + conventional commit on a feature branch
- `/create-pr` — DoD verify, full CI, push, GitHub PR with summary + test plan, auto-labelled for the changelog
- Claude Code hooks + subagents
- Architecture docs + decision records
- dev.sh CLI for everything (setup, serve, test, deploy, lint, ci)
- Worktree-isolated development (parallel branches, isolated ports)
- `dev.sh worktree-cleanup` — 8-step safety gauntlet (clean tree → branch merged → no containers → confirm → remove)
- `_ensure_deps` preflight — auto-installs stale `.venv` / `node_modules` on fresh worktrees
- `dev.sh website` / `help-center` / `status-page` / `sites` — one command per ancillary surface, worktree-isolated ports, single Ctrl+C shutdown
- Automated changelog from PRs (LLM-rewritten)
- Management commands (seed, reindex, preview email, etc.)
- Definition of Done checklist (enforced in CI)
- Superuser management portal (branded Django admin)
- Email preview management command
- Engineering principles documentation (Musk, Beck, McKinley)
- PostgreSQL + pgvector in CI (real DB, not SQLite)
- 2,300+ automated tests (backend + E2E + a11y + visual)
- Agent eval harness for prompt iteration and regression testing
- `check-e2e-antipatterns.js` — 7-check ESM lint banning known E2E flake patterns (`waitForTimeout`, bare toast selectors, fallthrough route mocks, networkidle, etc.)
- mypy strict mode end-to-end + Pydantic runtime validation at LLM, Celery, and HTTP boundaries
- axe-core a11y assertions in CI
- k6 load testing suite (auth, CRUD, search flows)
GDPR & Compliance (14)
- Consent tracking (ConsentRecord + versioned legal terms)
- Terms of Service + Privacy Policy pages
- User data export (Art. 20 GDPR)
- Account deletion with anonymization
- Ownership guard (prevent orphaned tenants)
- Admin audit logging (AuditedModelAdmin)
- Admin tenant deletion with requester metadata
- No PII in error tracking or logs
- Session replays disabled
- No tracking cookies (mandatory-only, no consent banner needed)
- Tenant data portability export (customer-facing archive)
- Tenant data erasure (Art. 17 right to be forgotten)
- EU AI Act Article 50 transparency indicators
- Who-did-what audit trail — EventLog with full tenant + user attribution (incl. AI agent runs), exportable, retention-policy controlled
Automated Processes (17)
- CI on every push (lint, test, build, type-check, a11y)
- Automated code, security, UX, and docs review on every PR
- Definition of Done verification before merge
- Automated root cause analysis from Sentry errors
- GitHub issue creation from production errors
- Automated changelog generation from merged PRs (LLM-rewritten release notes)
- Automated i18n translations (6 languages, on new keys)
- OpenAPI schema drift detection in CI
- Visual regression testing (Chromatic on every PR)
- API type generation (backend → frontend sync)
- Knowledge base article generation from PRs
- KB embedding sync (Markdown → vectors)
- Stale OAuth token + client cleanup (daily)
- Webhook delivery log pruning (daily)
- Analytics event retention pruning (daily, configurable)
- Trial expiry notifications (daily)
- Orphaned media file cleanup
Developer experience
The fastest feedback loop in software
Claude Code isn't just a tool — it's the development interface. Skills, hooks, subagents, architecture docs. Every workflow designed so AI ships production features, not just code.
AI knows the architecture
Decision records, architecture docs, and a Definition of Done — so Claude Code makes good choices, not just fast ones.
Automated quality gates
Security, code quality, UX, and documentation review agents run automatically on every PR.
One CLI for everything
./dev.sh — setup, serve, test, lint, deploy. Works in parallel worktrees with isolated ports.
Ship-ready automation
Changelog from PRs, i18n translations, API type sync, email previews — the boring stuff handled for you.
Built by Jesse Nieminen
Ex-bootstrapped PLG founder (exit) · Former CPO at scale-up
"This isn't a weekend project. It's the system I wish I had when I started my first company — 15 years of hard-won lessons distilled into every architecture decision, security guardrail, and operational workflow."
Built for teams that ship
Funded startups
You've raised capital and need to ship fast without burning runway on infrastructure. Skip months of setup and start building your product on day one — with enterprise-grade foundations your board will respect.
New ventures at scale
Your company is launching a new product line or business unit. You need production-grade infrastructure from day one — not a prototype that needs to be rewritten before it can serve real customers.
Legacy modernization
Your current stack is slowing you down while competitors ship AI features weekly. Replace years of technical debt with a modern, AI-native architecture — purpose-built for the speed the market now demands.
Frequently asked
What is Epoch?
Epoch is a production-ready SaaS foundation — a fully integrated platform with multi-tenancy, authentication, billing, AI agents, and all the infrastructure modern SaaS products need.
It is intentionally lightweight on business logic so it serves as a base that’s easy to expand upon and adapt to new business applications. Teams use it to skip the months of boilerplate engineering and go straight to building what makes their product unique.
The instance running at saas.jessenieminen.com is a live demo and showcase. You can explore the full platform — create workspaces, invite team members, manage projects, use AI agents, browse the help center — without needing to deploy your own instance.
What data does Epoch access from my Google or Microsoft account?
When you sign in with Google, Epoch requests the profile and email scopes only. This means we receive your email address, name, and profile picture — solely for authentication and creating your user account.
When you sign in with Microsoft, the same applies: email, name, and profile picture, plus optional fields (job title, department, phone number) if available in your Microsoft profile.
Epoch does not access Gmail, Google Drive, Google Calendar, Outlook, OneDrive, or any other service beyond sign-in. Profile data is imported only on first sign-up and does not overwrite information you later provide manually.
For full details, see our Privacy Policy.
Who is this for?
Founders, CTOs, and CPOs who believe AI is reshaping software — and want to be on the right side of that shift.
Specifically: funded startups that need to ship fast without burning runway on infrastructure, companies launching new product lines that need production-grade foundations from day one, and teams modernizing legacy stacks while competitors ship AI features weekly.
If you're evaluating SaaS boilerplates by feature checklist, this probably isn't for you. If you're looking for the strongest possible foundation for what comes next — it is.
Does this actually work? Why should I trust it?
Track record. Built by a former bootstrapped founder (exit) and CPO at scale — 15 years of shipping production SaaS, distilled into opinionated architectural choices. Every decision has a reason. Every trade-off is documented.
Good taste. This isn't a framework that tries to be everything. It's an opinionated system that makes strong choices — Django + React, Kubernetes over serverless, Postgres over NoSQL, session auth over JWT — and commits to them fully.
Try it yourself. The entire system is running live right now. Sign up, explore the UI, browse the help center and developer docs. The best way to evaluate Epoch is to use it.
Why this tech stack?
Every choice optimizes for the same things: enterprise-grade, battle-tested, AI-native, open source, and provider-agnostic.
Python + Django — the AI ecosystem's lingua franca. Async-ready, mature ORM, massive talent pool. Django Ninja adds type-safe APIs without the weight of DRF.
PostgreSQL + pgvector — one database for relational data, full-text search, and vector embeddings. No separate vector DB to manage. Battle-tested at every scale.
React + TypeScript — the largest ecosystem, the deepest talent pool. shadcn/ui gives you accessible primitives you own, not a dependency you rent.
Kubernetes + Helm — real infrastructure, not a platform lock-in. Runs on Hetzner at €10/month today, migrates to GCP or AWS tomorrow. Same Helm chart, zero rewrites.
Everything open source — no vendor lock-in at any layer. Swap email providers, cloud providers, or LLM providers without touching your application code.
Why not use another boilerplate?
Most boilerplates give you auth and a landing page. That's the easy 10%.
Epoch ships the hard 90%: multi-tenancy with real tenant isolation at every layer, AI agents with human-in-the-loop, an MCP server so your product works with Claude and Copilot natively, production Kubernetes you actually deploy to, 2,300+ automated tests, full observability, GDPR compliance, and 224 production features — all integrated and working together.
This isn't a starting point you outgrow in month three. It's the foundation you build your company on.
How does the AI remember context between conversations?
Epoch ships a dual-scope memory store for every tenant. It holds two kinds of facts the AI agents should know, curated through a settings page and retrieved automatically per conversation:
Shared memories apply to the whole team — brand voice, ICP, team structure. They're stored at the tenant level, visible to every member, mutable by admins. Personal memories are private to one user — preferred tone, working style, individual goals. Even tenant admins cannot read other users' personal memories.
The relevant memories are RAG-injected into the system prompt at the start of every conversation thread (not on every reply). The injected fence is byte-stable across the thread, so prefix caching across providers actually hits — the AI gets cross-conversation continuity without paying for it on every turn.
Memories never leave the tenant. The endpoint is internal-only — not exposed via API keys, OAuth, MCP, or unified search. Memories are excluded from tenant exports for the same reason. See the help-center article for the full breakdown.
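The two properties described above, scope isolation (shared rows visible to the whole tenant, personal rows visible only to their owner, admin or not) and a memory fence that is fixed at the thread root and replayed verbatim so the prompt prefix stays byte-stable, can be shown in a few dozen lines. This is an added example, not Epoch's implementation: the `Memory`/`Thread` types, the `<memory>` fence markup and the tenant and user ids are constructed, and retrieval is a plain scope filter where the real system ranks by embedding similarity.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Memory:
    tenant_id: str
    scope: str               # "shared" (tenant-wide) or "personal" (one user)
    owner_id: Optional[str]  # user id for personal rows, None for shared rows
    text: str


# Constructed sample store: two tenants, two users in the first tenant.
SAMPLE_MEMORIES: List[Memory] = [
    Memory("acme", "shared", None, "Brand voice: plain, direct, no hype"),
    Memory("acme", "shared", None, "ICP: seed-stage B2B founders"),
    Memory("acme", "personal", "u-alice", "Prefers bullet points"),
    Memory("acme", "personal", "u-bob", "Prefers long prose"),
    Memory("globex", "shared", None, "Brand voice: formal"),
]


def visible_memories(store: List[Memory], tenant_id: str, user_id: str) -> List[Memory]:
    """Tenant isolation plus scope isolation. There is deliberately no role
    parameter: a tenant admin gets the same view as any member, so another
    user's personal rows never match regardless of privilege."""
    return [
        m for m in store
        if m.tenant_id == tenant_id
        and (m.scope == "shared" or (m.scope == "personal" and m.owner_id == user_id))
    ]


def build_memory_fence(memories: List[Memory]) -> str:
    """Render the retrieved memories in a deterministic order so an identical
    memory set always produces identical bytes."""
    lines = sorted(f"- [{m.scope}] {m.text}" for m in memories)
    return "<memory>\n" + "\n".join(lines) + "\n</memory>"


@dataclass
class Thread:
    tenant_id: str
    user_id: str
    memory_fence: str                      # frozen at thread creation
    messages: List[str] = field(default_factory=list)


def open_thread(store: List[Memory], tenant_id: str, user_id: str) -> Thread:
    """Retrieval happens once, at the thread root; later turns reuse the fence."""
    fence = build_memory_fence(visible_memories(store, tenant_id, user_id))
    return Thread(tenant_id, user_id, fence)


def system_prompt(thread: Thread, base: str = "You are the team's assistant.") -> str:
    """Every reply in the thread replays the stored fence verbatim, so the
    provider-side prefix cache sees the same bytes on each turn."""
    return base + "\n\n" + thread.memory_fence


def prompt_prefix_hash(thread: Thread) -> str:
    return hashlib.sha256(system_prompt(thread).encode()).hexdigest()


if __name__ == "__main__":
    store = list(SAMPLE_MEMORIES)
    thread = open_thread(store, "acme", "u-alice")
    before = prompt_prefix_hash(thread)
    store.append(Memory("acme", "shared", None, "New positioning: AI-native ops"))
    # The open thread keeps its root fence; only a new thread picks up the new row.
    print("prefix stable after store change:", prompt_prefix_hash(thread) == before)
    print("new thread sees new row:", "New positioning" in open_thread(store, "acme", "u-alice").memory_fence)
```

A memory edit therefore takes effect on the next thread, not mid-thread; that is the trade the passage describes, continuity and cache hits in exchange for root-time snapshotting.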
Be prepared.
You'll only hear from me when there's something worth reading or trying.