Technical Whitepaper · v1.0

CarphaCom Marketplace

A production-grade, multi-tenant e-commerce + plugin/template marketplace platform built on Medusa v2, Next.js 15, and PostgreSQL 16. Zero-placeholder, fully-typed, plug-and-play.

Version 13.0 (Phase 13)
Released April 2026
Stack TypeScript · Node.js 20 · Postgres 16 · Redis 7
License Proprietary — CarphaCom Studio

1. Executive Overview

CarphaCom is a complete e-commerce platform that ships with a native marketplace for third-party Themes and Plugins, multilingual content management, and a developer revenue-share program — all packaged for one-click deployment via Vultr Marketplace.

61+ Native Modules
130+ Integrations
4 Built-in Themes
3 Languages (RO/EN/DE)
10% Marketplace Commission
100% Type-Safe

Key Capabilities

🛒 Storefront

Next.js 15 App Router with ISR, dynamic regions, multi-currency. Full SEO + sitemap.xml.

Admin

Custom Next.js admin (port 3001) with role-based access, dashboard, marketplace manager, docs.

🎨 Themes

4 distinct designs (Modern, Luxury, Fashion, B2B) — installable via ZIP, switchable from admin in one click.

🔌 Plugins

SSR-rendered widgets (banners, popups, badges) installed from ZIP with manifest validation.

🌍 i18n

Per-theme language files (ro/en/de) + global admin language switcher applied to both admin & storefront.

💰 Marketplace

Developer revenue share (90/10), submission workflow, admin approval, Stripe payouts.

2. System Architecture

Three-tier architecture with clear separation between presentation (Next.js), business logic (Medusa v2 modules), and persistence (Postgres + Redis).

┌─────────────────────────────────────────────────────────────────────┐
│                   CLIENT (Browser / Mobile / Bot)                   │
└─────────────────────────────────────────────────────────────────────┘
                                   │ HTTPS
                                   ▼
┌─────────────────────────────────────────────────────────────────────┐
│  nginx 1.24 — TLS · Rate Limit · Static Cache                       │
│  /                    → storefront:8000 (Next.js 15 SSR/ISR)        │
│  /app                 → admin:3001 (Next.js 15 admin UI)            │
│  /api/medusa/*        → backend:9000 (Medusa v2 REST)               │
│  /marketplace-files/* → /opt/carphacom/marketplace-files/ (alias)   │
└─────────────────────────────────────────────────────────────────────┘
                                   │
         ┌─────────────────────────┼─────────────────────────┐
         ▼                         ▼                         ▼
 ┌────────────────┐       ┌────────────────┐       ┌────────────────┐
 │ STOREFRONT     │       │ ADMIN          │       │ BACKEND        │
 │ Next.js 15     │       │ Next.js 15     │       │ Medusa v2.13   │
 │ port 8000      │       │ port 3001      │       │ port 9000      │
 │ ────────────── │       │ ────────────── │       │ ────────────── │
 │ • CmsThemeShell│       │ • /app/themes  │       │ • /admin/*     │
 │ • CmsPlugins   │       │ • /app/plugins │       │ • /store/*     │
 │ • Region SSR   │       │ • /app/docs    │       │ • /auth/*      │
 │ • Cart/Stripe  │       │ • Marketplace  │       │ • Workflows    │
 └────────┬───────┘       └────────┬───────┘       └────────┬───────┘
          │                        │                        │
          └────────────────────────┼────────────────────────┘
                                   ▼
          ┌─────────────────────────────────────────────────┐
          │  PostgreSQL 16 · Redis 7 · S3-compatible        │
          │  ─────────────────────────────────────────────  │
          │  cms_theme · cms_plugin · cms_i18n_string       │
          │  cms_dev_account · product · order · user       │
          │  provider_identity · auth_identity              │
          └─────────────────────────────────────────────────┘

Process Manager (PM2)

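| ID | Process | Port | Memory | Cluster |
|----|---------|------|--------|---------|
| 1 | carphacom-admin | 3001 | ~260MB | fork |
| 2 | carphacom-storefront | 8000 | ~190MB | fork |
| 5 | carphacom-backend | 9000 | ~62MB | fork |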

3. Technology Stack

100% open standards, zero vendor lock-in, fully type-safe end-to-end.

| Layer | Technology | Version | Notes |
|-------|------------|---------|-------|
| Runtime | Node.js | 20.x LTS | ESM modules everywhere |
| Backend Core | Medusa v2 | 2.13.1 | Modular commerce framework |
| Storefront | Next.js | 15.3.9 | App Router · RSC · ISR |
| Admin UI | Next.js | 15.3.9 | Custom dashboard |
| Language | TypeScript | 5.x | Strict mode enabled |
| Database | PostgreSQL | 16 | pgcrypto + JSONB |
| Cache/Queue | Redis | 7 | Sessions + event bus |
| Styles | Tailwind CSS | 3.4 | + shadcn/ui · Radix |
| Process Mgr | PM2 | 6.0.14 | Auto-restart + logs |
| Reverse Proxy | nginx | 1.24 | TLS termination |
| Container | Docker | 24+ | Optional |
| Payments | Stripe | 14.x | Cards · SEPA · payouts |
| ZIP installer | adm-zip | 0.5+ | Manifest validation |

4. Data Model

All marketplace data lives in dedicated cms_* tables alongside Medusa core tables. Single Postgres database — no microservice fragmentation.

cms_theme

SQL
CREATE TABLE cms_theme (
    id            TEXT PRIMARY KEY,
    slug          TEXT UNIQUE NOT NULL,
    name          TEXT NOT NULL,
    version       TEXT NOT NULL,
    description   TEXT,
    author        TEXT,
    preview_url   TEXT,
    install_path  TEXT NOT NULL,        -- /opt/carphacom/themes/<slug>
    manifest      JSONB NOT NULL,        -- full manifest.json contents
    is_active     BOOLEAN NOT NULL DEFAULT FALSE,
    status        TEXT NOT NULL DEFAULT 'approved',  -- pending|approved|rejected
    commission_pct INTEGER NOT NULL DEFAULT 10,      -- platform cut %
    submitted_by  TEXT,                  -- dev account email
    installed_at  TIMESTAMPTZ NOT NULL DEFAULT now(),
    activated_at  TIMESTAMPTZ,
    approved_at   TIMESTAMPTZ
);
-- Only ONE theme can be active at a time
CREATE UNIQUE INDEX cms_theme_one_active
    ON cms_theme ((is_active)) WHERE is_active = TRUE;

cms_plugin

SQL
CREATE TABLE cms_plugin (
    id            TEXT PRIMARY KEY,
    slug          TEXT UNIQUE NOT NULL,
    name          TEXT NOT NULL,
    version       TEXT NOT NULL,
    description   TEXT,
    author        TEXT,
    install_path  TEXT NOT NULL,
    manifest      JSONB NOT NULL,
    is_enabled    BOOLEAN NOT NULL DEFAULT FALSE,
    status        TEXT NOT NULL DEFAULT 'approved',
    commission_pct INTEGER NOT NULL DEFAULT 10,
    submitted_by  TEXT,
    installed_at  TIMESTAMPTZ NOT NULL DEFAULT now(),
    enabled_at    TIMESTAMPTZ,
    approved_at   TIMESTAMPTZ
);

cms_i18n_string (shared admin + storefront)

SQL
CREATE TABLE cms_i18n_string (
    id     BIGSERIAL PRIMARY KEY,
    scope  TEXT NOT NULL,                 -- 'admin' | 'storefront' | 'theme:<slug>'
    locale TEXT NOT NULL,                 -- 'ro' | 'en' | 'de'
    key    TEXT NOT NULL,
    value  TEXT NOT NULL,
    UNIQUE(scope, locale, key)
);

cms_dev_account

SQL
CREATE TABLE cms_dev_account (
    id              TEXT PRIMARY KEY,
    email           TEXT UNIQUE NOT NULL,
    name            TEXT NOT NULL,
    company         TEXT,
    payout_method   TEXT,                 -- 'stripe' | 'wire' | 'paypal'
    payout_details  JSONB,                -- { iban, swift, ... }
    api_key         TEXT UNIQUE NOT NULL, -- for ZIP submission API
    created_at      TIMESTAMPTZ NOT NULL DEFAULT now(),
    approved        BOOLEAN NOT NULL DEFAULT FALSE
);

5. REST API Reference

All endpoints documented below are live on production at https://carphacom.com.

Auth — PUBLIC

| Method | Endpoint | Body | Returns |
|--------|----------|------|---------|
| POST | /auth/user/emailpass | {email, password} | {token: "JWT"} |
| POST | /auth/customer/emailpass/register | {email, password} | {token} |

Admin — CMS Themes JWT REQUIRED

| Method | Endpoint | Description |
|--------|----------|-------------|
| GET | /admin/cms/themes | List all installed themes |
| POST | /admin/cms/themes | Install from ZIP — body: {zip_b64} |
| POST | /admin/cms/themes/:id/activate | Activate (deactivates others) |
| DELETE | /admin/cms/themes/:id | Uninstall |

Admin — CMS Plugins JWT REQUIRED

| Method | Endpoint | Description |
|--------|----------|-------------|
| GET | /admin/cms/plugins | List all plugins |
| POST | /admin/cms/plugins | Install from ZIP |
| POST | /admin/cms/plugins/:id/toggle | Enable/disable — body: {enabled} |
| DELETE | /admin/cms/plugins/:id | Uninstall |

Store — Public

| Method | Endpoint | Description |
|--------|----------|-------------|
| GET | /store/cms/active | Get active theme + enabled plugins |
| GET | /store/products | List products (publishable key required) |
| GET | /store/regions | List currency regions |

Example: Install Theme via API

BASH
# 1. Login
TOKEN=$(curl -sS -X POST https://carphacom.com/api/medusa/auth/user/emailpass \
  -H 'Content-Type: application/json' \
  -d '{"email":"admin@carphacom.com","password":"Admin#2026Pass"}' | jq -r .token)

# 2. Encode ZIP to base64
B64=$(base64 -w0 my-theme.zip)

# 3. Upload
curl -X POST https://carphacom.com/api/medusa/admin/cms/themes \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d "{\"zip_b64\":\"$B64\"}"

6. CMS Engine

A custom CMS layer sits on top of Medusa, providing dynamic content, themes, plugins, and i18n — all driven from a unified cms_* namespace in Postgres.

Content Pipeline

  1. SSR Render: every page request triggers a getActiveTheme() + getActivePlugins() Postgres query.
  2. Theme Shell: CmsThemeShell.tsx wraps every page, injecting CSS variables and theme classes.
  3. Plugin Renderer: CmsPluginRenderer.tsx outputs all enabled plugins as SSR HTML.
  4. i18n Loader: getThemeStrings(locale) reads {installPath}/lang/{locale}.json with default-locale fallback.
  5. ISR Revalidation: admin operations call POST /api/revalidate to flush Next.js cache.
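
Step 4 is where a request-supplied locale meets a filesystem path, so the loader should only ever build paths from the theme's own locale list. The sketch below is an added example, not CarphaCom source: this getThemeStrings signature, the injected readFile callback and the SAMPLE_* data are assumptions made so it runs without a theme on disk.

```javascript
// Added example, not CarphaCom source. readFile is injected so the sketch
// runs without disk access; all names and sample values are assumptions.
const LOCALE_RE = /^[a-z]{2}$/;

function getThemeStrings(theme, requested, readFile) {
  const { install_path: root, manifest } = theme;
  const allowed = (manifest.locales || []).filter((l) => LOCALE_RE.test(l));
  const fallback = manifest.default_locale;
  if (!allowed.includes(fallback)) {
    throw new Error("default_locale must be listed in locales");
  }
  // A requested value reaches the path only if it equals an entry of the
  // manifest's locale list, so "../" sequences never touch the filesystem.
  const wanted = typeof requested === "string" ? requested.toLowerCase() : "";
  const order = allowed.includes(wanted) && wanted !== fallback ? [wanted, fallback] : [fallback];
  for (const locale of order) {
    const file = `${root}/lang/${locale}.json`;
    try {
      const parsed = JSON.parse(readFile(file));
      if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) continue;
      const strings = {};
      for (const [key, value] of Object.entries(parsed)) {
        if (typeof value === "string") strings[key] = value; // drop non-strings
      }
      return { locale, file, strings };
    } catch {
      // Missing or malformed file: fall through to the default locale.
    }
  }
  throw new Error(`no readable language file for theme ${manifest.slug}`);
}

// Constructed sample data: an in-memory stand-in for an installed theme.
const SAMPLE_THEME = {
  install_path: "/opt/carphacom/themes/my-cool-theme",
  manifest: { slug: "my-cool-theme", default_locale: "ro", locales: ["ro", "en", "de"] },
};
const SAMPLE_FILES = {
  "/opt/carphacom/themes/my-cool-theme/lang/ro.json": '{"shop_now":"Cumpără acum"}',
  "/opt/carphacom/themes/my-cool-theme/lang/en.json": '{"shop_now":"Shop now","nested":{"x":1}}',
};
const sampleReader = (file) => {
  if (!(file in SAMPLE_FILES)) throw new Error(`ENOENT ${file}`);
  return SAMPLE_FILES[file];
};
```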

Cache Strategy

7. Theme System

A Theme is a ZIP archive containing a manifest.json, optional style.css, and per-locale lang/*.json files. The active theme controls colors, fonts, layout, and language strings storefront-wide.

How to Build a Theme

Create a folder structure:

my-theme/
├── manifest.json          # required
├── style.css              # optional global overrides
├── preview.png            # optional preview image
└── lang/
    ├── ro.json
    ├── en.json
    └── de.json

manifest.json schema

JSON
{
  "slug": "my-cool-theme",                  // unique, lowercase, [a-z0-9-]
  "name": "My Cool Theme",
  "version": "1.0.0",
  "description": "A modern minimalist theme",
  "author": "Your Name",
  "default_locale": "ro",
  "locales": ["ro", "en", "de"],
  "css_vars": {
    "--theme-primary":   "#6366f1",
    "--theme-secondary": "#22d3ee",
    "--theme-font":      "Inter, system-ui, sans-serif",
    "--theme-radius":    "12px"
  },
  "layout_style": "modern",                 // modern|luxury|fashion|b2b
  "preview_url": "/marketplace-files/themes/my-cool-theme.png"
}

Build the ZIP

BASH
cd my-theme
zip -r ../my-theme.zip .

Install from Admin UI

  1. Log in to https://carphacom.com/app
  2. Sidebar → Themes
  3. Click Upload theme, select your .zip
  4. Click Activate on the new theme card — storefront updates instantly

Built-in Themes

Modern Clean

Primary: #6366f1
Font: Inter
Universal modern e-commerce design.

Luxury Black

Primary: #000000
Font: Playfair Display
For high-end fashion/jewelry.

Fashion Pop

Primary: #ec4899
Font: Poppins
Bold & playful for streetwear.

B2B Professional

Primary: #1e40af
Font: IBM Plex Sans
Quote-based industrial selling.

8. Plugin System

Plugins are SSR-rendered widgets, currently injected globally into every page: banners, popups, badges, chat boxes, etc. Each plugin is a ZIP containing a manifest and a render template.

Plugin Structure

my-plugin/
├── manifest.json
├── index.js               # CommonJS module exporting render()
└── template.html          # static HTML (used by SSR)

manifest.json

JSON
{
  "slug": "my-plugin",
  "name": "My Plugin",
  "version": "1.0.0",
  "description": "Does cool stuff",
  "author": "Your Name",
  "type": "banner",                  // banner|popup|badge|chat
  "config": { /* plugin-specific */ },
  "entry": "index.js",
  "render": "server-html"
}
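
An installer that unpacks third-party ZIPs under /opt/carphacom has to check entry paths and manifest fields before anything is written to disk. The pre-install check below covers both the theme manifest from section 7 and the plugin manifest above; it is an added example, not CarphaCom's validator, and safeEntryPath, validateArchive, the 64-character slug cap and the CSS value filter are assumptions.

```javascript
// Added example, not CarphaCom source: pre-install checks for a theme or plugin ZIP.
// `entries` is the list of entry names read from the archive before extraction.
const SLUG_RE = /^[a-z0-9-]{1,64}$/; // charset from the manifest schema; 64 is an assumed cap
const LAYOUTS = ["modern", "luxury", "fashion", "b2b"];
const PLUGIN_TYPES = ["banner", "popup", "badge", "chat"];

// Returns the normalized relative path, or null if the entry could escape the install dir.
function safeEntryPath(name) {
  if (typeof name !== "string" || name === "" || name.includes("\0")) return null;
  if (name.includes("\\") || name.startsWith("/") || /^[A-Za-z]:/.test(name)) return null;
  const out = [];
  for (const seg of name.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") return null; // zip-slip: reject instead of resolving
    out.push(seg);
  }
  return out.join("/");
}

function validateArchive(kind, manifest, entries) {
  const errors = [];
  const files = new Set();
  for (const name of entries) {
    const p = safeEntryPath(name);
    if (p === null) errors.push(`unsafe entry path: ${JSON.stringify(name)}`);
    else files.add(p);
  }
  if (!files.has("manifest.json")) errors.push("manifest.json missing at archive root");
  if (typeof manifest.slug !== "string" || !SLUG_RE.test(manifest.slug)) errors.push("slug must match [a-z0-9-]");
  if (kind === "theme") {
    if (!LAYOUTS.includes(manifest.layout_style)) errors.push("unknown layout_style");
    const locales = Array.isArray(manifest.locales) ? manifest.locales : [];
    if (!locales.includes(manifest.default_locale)) errors.push("default_locale not in locales");
    for (const l of locales) {
      if (!files.has(`lang/${l}.json`)) errors.push(`lang/${l}.json missing`);
    }
    for (const [k, v] of Object.entries(manifest.css_vars || {})) {
      // Values end up inside a stylesheet, so block characters that close a declaration.
      if (!/^--theme-[a-z0-9-]+$/.test(k) || typeof v !== "string" || /[;{}<>]/.test(v)) {
        errors.push(`css var not allowed: ${k}`);
      }
    }
  } else {
    if (!PLUGIN_TYPES.includes(manifest.type)) errors.push("unknown plugin type");
    const entry = safeEntryPath(manifest.entry);
    if (entry === null || !files.has(entry)) errors.push("entry file not in archive");
  }
  return { ok: errors.length === 0, errors };
}
```

The check runs on entry names only, so it can reject an archive before any byte is extracted; the install path should then be derived from the validated slug rather than from anything else in the ZIP.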

Reference: Free Shipping Bar Plugin

HTML (template.html)
<div style="background:linear-gradient(90deg,#10b981,#059669);
            color:#fff;padding:8px;text-align:center;font-weight:600">
  🚚 Livrare gratuită la comenzi peste 150 RON
</div>

JS (index.js)
module.exports = {
  render: () => require('fs').readFileSync(__dirname + '/template.html', 'utf8')
};

Live Production Plugins

| Slug | Name | Status | Enabled |
|------|------|--------|---------|
| plg-free-shipping-bar | Free Shipping Bar | approved | ✅ Yes |
| plg-cookie-consent | Cookie Consent GDPR | approved | ⏸ No |

Verified Live: curl -sS https://carphacom.com/ro | grep "Livrare gratuită" returns the rendered banner HTML, proving plugin SSR is working end-to-end.

9. Internationalization (i18n)

A single shared language-file scope covers both admin and storefront: change the global locale once and every UI string updates.

Architecture

Switch Global Language (Admin)

  1. Sidebar → Settings → Language
  2. Select language: 🇷🇴 Română · 🇬🇧 English · 🇩🇪 Deutsch
  3. Click Apply globally — admin AND storefront switch immediately

Add a New Language

SQL
INSERT INTO cms_i18n_string (scope, locale, key, value) VALUES
  ('shared', 'fr', 'shop_now',     'Acheter maintenant'),
  ('shared', 'fr', 'add_to_cart',  'Ajouter au panier'),
  ('shared', 'fr', 'welcome',      'Bienvenue!');

10. Developer Portal

Third-party developers can register, submit themes/plugins, and earn 90% of every sale.

Sign Up Flow

  1. Visit https://carphacom.com/developers/signup
  2. Submit: name, email, company, payout method (Stripe/IBAN/PayPal)
  3. Receive API key by email — store securely
  4. Wait for admin approval (typically < 24h)

Submit a Theme via API

BASH
curl -X POST https://carphacom.com/api/dev/themes/submit \
  -H "X-Dev-Api-Key: $YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d "{\"zip_b64\":\"$(base64 -w0 my-theme.zip)\"}"
# Response: { "id": "thm_...", "status": "pending" }

Revenue Split

90% Developer
10% CarphaCom
7d Payout cycle
€10 Min. payout

11. Approval Workflow

Every submitted Theme or Plugin enters a moderated review pipeline before becoming visible in the public marketplace.

| State | Description | Visible to |
|-------|-------------|------------|
| pending | Submitted, awaiting moderator | Developer + admins only |
| in-review | Moderator actively reviewing | Same |
| approved | Listed in marketplace, installable | Public |
| rejected | Failed review (with reason) | Developer only |

Auto-checks (run on submission)

12. Admin Panel

Custom Next.js 15 admin (port 3001) accessible at https://carphacom.com/app.

Login Credentials (default)

Email:    admin@carphacom.com
Password: Admin#2026Pass

Security: Change the default admin password immediately after first login: Settings → Account → Change password.

Sidebar Modules

| Module | Path | Purpose |
|--------|------|---------|
| Dashboard | /app | KPIs, recent orders, traffic |
| Products | /app/products | CRUD products, variants, prices |
| Orders | /app/orders | Manage incoming orders |
| Customers | /app/customers | CRM, customer accounts |
| Marketplace | /app/marketplace | Approve dev submissions |
| Themes | /app/themes | Install/activate themes |
| Plugins | /app/plugins | Install/enable plugins |
| Documentation | /app/docs | This whitepaper + guides |
| Settings | /app/settings | Language, payments, shipping |

13. Deployment

One-click Vultr Marketplace deployment, or manual install on any Ubuntu 22.04+ VM.

Vultr One-Click

  1. Visit vultr.com/marketplace/apps/carphacom
  2. Select region & instance size (min 4 vCPU / 8GB RAM)
  3. Deploy — installer provisions Postgres, Redis, nginx, PM2, certs in ~5 min
  4. Open returned URL → admin signup wizard

Manual Install

BASH
# Ubuntu 22.04+
curl -fsSL https://carphacom.com/install.sh | sudo bash
# Installer:
#  - apt: nodejs 20, postgresql-16, redis-server, nginx
#  - createdb medusa_store, ALTER USER medusa
#  - clone repos to /opt/carphacom/current/
#  - npm install + npm run build
#  - pm2 start ecosystem.config.js
#  - certbot --nginx -d yourdomain.com

14. Security Posture

Production-hardened against OWASP Top 10. Continuous static + dynamic security testing.

15. Robot-Ready API AGENT-FIRST

CarphaCom is built for autonomous LLM agents. Every operation surfaced in the admin UI also exposes a clean REST endpoint with deterministic JSON I/O.

Agent Tool Catalog

Agents (Sentinel Coder, Claude, GPT) can integrate directly via these tool-style endpoints:

| Tool | Verb | Endpoint | Schema |
|------|------|----------|--------|
| list_themes | GET | /admin/cms/themes | {themes: Theme[]} |
| install_theme | POST | /admin/cms/themes | {zip_b64} → {ok, slug} |
| activate_theme | POST | /admin/cms/themes/:id/activate | {} → {ok, theme} |
| list_plugins | GET | /admin/cms/plugins | {plugins: Plugin[]} |
| install_plugin | POST | /admin/cms/plugins | {zip_b64} → {ok, slug} |
| toggle_plugin | POST | /admin/cms/plugins/:id/toggle | {enabled} → {ok, plugin} |
| get_active | GET | /store/cms/active | {theme, plugins[]} |

Agent Authentication

JSON
POST /auth/user/emailpass
Content-Type: application/json
{
  "email": "agent@carphacom.com",
  "password": "<agent_secret>"
}
→ { "token": "eyJ..." }   // Use as Authorization: Bearer <token>

OpenAPI: Full OpenAPI 3.1 spec available at https://carphacom.com/api/medusa/openapi.json.