The features already built into your app
Auth, payments, offline sync, push, analytics, and more come wired into every app Goodspeed generates. Not starter stubs you finish at 2am: production-grade, tested code you own from the first build.
THE CATALOG
Every built-in feature, ready on day one
Each one is real code in the generated app. Open any feature to see how it is wired, the config flag that controls it, and the source file it ships from.
- Dark ModeLight and dark themes ship in every app behind one config flag. useTheme persists a light/dark/system preference to AsyncStorage and resolves 'system' live against the OS setting, and both palettes are generated from gas.config.ts design tokens.CoreUi
- AuthenticationEmail/password, Google, Apple, and other OAuth providers are pre-wired on Supabase Auth with a PKCE flow. Session JWTs live in the device keychain via expo-secure-store, refresh on every foreground, and drive an automatic navigation guard.CoreAuth
- AnalyticsPostHog is wired through a consent-gated lazy singleton: when GDPR consent is on, no client is created until the user grants it. captureEvent, identify, and automatic $screen tracking on every expo-router navigation are then available, with offline events queued and flushed by t…CoreAnalytics
- OTA Auto-Update on LaunchOn every app launch the template checks for an available EAS Update in the background and silently applies it on next restart, so users always run the latest JS without needing to visit the App Store.CoreDistribution
- EAS Build + OTA Update Channelseas.json ships pre-configured profiles for preview, staging, and production EAS Update channels with a runtime version policy, so teams can push over-the-air JS fixes to production users in a single iteration without a new App Store review.CoreDistribution
- Supabase Auth with PKCE + SecureStoreAuth tokens are stored in the device keychain via ExpoSecureStore and the PKCE flow is pre-wired, so sessions survive app restarts without storing credentials in AsyncStorage.CoreAuth
- Realtime Broadcast SubscriptionsA broadcast helper fans an arbitrary JSON payload to every client subscribed to a named Supabase Realtime channel, and a React hook subscribes with automatic cleanup. A refcounted cache shares one WebSocket per channel name. Messages are ephemeral: nothing is written to Postgres.CoreData Layer
- Row-Level Security (RLS) Baked InEvery Supabase query is scoped to the authenticated user at the database layer via RLS policies, so a bug in app code can never accidentally return another tenant's data.CoreData Layer
- Optimistic MutationsA generic hook applies a local state change instantly on user action and automatically rolls back to the previous state if the server call fails, making every mutation feel instant without custom try/catch boilerplate.CoreData Layer
- Minimum Version GateA MinVersionGate component wraps the entire app tree and shows a blocking update prompt when the client runtime version is below the configured floor, preventing users on incompatible old builds from hitting backend breaking changes.CoreDistribution
- Feature Flags + Kill SwitchServer-controlled feature flags stored in a Supabase table support per-user rollout percentages and segment targeting via a useFlag hook that re-polls once a minute; any flag prefixed kill_ acts as an instant kill switch that propagates under a minute.CoreInfrastructure
- PostHog Analytics + Feature FlagsPostHog is initialized null-safe at boot (no crash when the key is absent in dev), with auto screen tracking, user identification on sign-in, and a useFlag hook that polls once a minute for server-controlled feature flags with deterministic rollout bucketing.CoreObservability
- Cost Guardrails (Per-Scope Budgets)A per-(scope, key, period) budget system with three enforcement modes (throttle, block, or alert_only) prevents any single user or feature from running up uncapped LLM or API spend in production.CoreInfrastructure
- DB-Backed Job Queue with RetryA Postgres-backed job queue with exponential backoff retry handles any work too slow for a synchronous Edge Function (image processing, email sends, LLM calls), ensuring no job is silently dropped even if the worker crashes mid-execution.CoreInfrastructure
- Append-Only Audit LogEvery write to sensitive tables and admin action lands in an append-only audit_log table with a pii_class column for SOC 2 and HIPAA-overlay compliance.CoreObservability
- Push Notifications (End-to-End)The full push pipeline is pre-built: lazy permission prompt triggered at the 'aha moment', token registration to push_tokens, server-side fan-out via Expo Push API in batches of 100, automatic deletion of DeviceNotRegistered tokens, and per-category opt-out (transactional/produc…CommonNative Capabilities
- Offline SyncWrites made while the device is offline are captured in a persistent AsyncStorage queue and replayed in insertion order on reconnect, each retried up to five times before it is dropped and logged. A stale-while-revalidate read cache keeps screens rendering with no network.CommonData
- In-App PurchasesRevenueCat runs the StoreKit and Play Billing purchase flow on iOS and Android, while the runtime access check reads profiles.subscription_tier from Supabase, so gating a feature is one indexed database read with no SDK round-trip. Restore purchases and a config-driven paywall a…CommonPayments
- Realtime Presence (Who's Online)A single hook tracks which users are currently active in a Supabase Realtime channel with join/leave events, enabling who's viewing indicators, multi-cursor collaboration, and live counts with no custom backend.CommonData Layer
- Sentry Error Monitoring + Crash-Free SLO GateSentry captures unhandled errors behind an app-wide boundary, with breadcrumbs and PII-redacted context. A CI helper queries the Sentry Sessions API and can block an EAS store submission when the 24-hour crash-free rate falls below the configured floor (99.5% iOS, 99.0% Android…CommonObservability
- Soft Paywall (Usage Gates)A usePaywall hook wraps any feature with a usage limit check that transparently redirects non-paying users to the paywall modal without requiring the feature code to know anything about subscription state.CommonPayments
- Anonymous Auth with Upgrade PathsignInAnonymously returns a real Supabase user in one round-trip, so people use the app before any signup. On register, upgradeAnonymousAccount promotes the same UUID and a server-side Edge Function re-points the user's rows across an allowlisted set of tables, recorded idempote…CommonAuth
- Push Receipt PollingA 5-minute cron Edge Function polls Expo's getReceipts API and settles every push delivery row to ok/error/expired, automatically purging dead device tokens so the push_tokens table never silently accumulates invalid entries.CommonNative Capabilities
- Biometric Lock (Face ID / Touch ID)A configurable re-authentication timeout gates the app behind Face ID or Touch ID on every foreground resume, with no extra backend calls. The check is local and completes in under 200ms.CommonAuth
- RevenueCat Subscriptions + PaywallRevenueCat is initialized at app boot with a config-driven paywall screen that reads pricing tiers and copy from gas.config, wiring the full purchase, restore, and trial flow without any custom App Store or Play Store receipt parsing.CommonPayments
- Transactional Email via ResendTemplated emails (welcome, password reset, receipt, trial-ending) are sent via Resend from a shared Edge Function with every send logged to a delivery table, so you have an audit trail and can replay failed sends without duplicating send logic across features.CommonGrowth
- LLM Client (OpenAI + Anthropic, Cost-Gated)A provider-agnostic LLM service exposes chat(), streamChat(), embed(), and transcribe() with OpenAI and Anthropic adapters; every call routes through a cost-budget RPC that can throttle, block, or alert when per-user or per-scope spend limits are exceeded.CommonAi Integration
- Offline-First Sync with Write QueueWrites made while offline are queued in AsyncStorage with TTL and automatically replayed in order when connectivity returns, so users never lose data or see failed-action errors on a flaky connection.CommonData Layer
- Native Share Sheet + Referral SystemA share() helper wraps the native share sheet cross-platform and returns whether the user completed the share (not just opened it); a referral system generates per-user codes and attributes sign-ups and purchases server-side on the referred user's first matching event.CommonGrowth
- Gamification (Streaks, Points, Badges)Streaks, a points system, and achievements/badges are all pre-built as Static components with a shared gamification.ts library, so apps get Day-1 retention mechanics without building the counter logic, streak-freeze, or celebration animations from scratch.CommonGrowth
- GDPR Data Export + Account Deletion LifecycleUser-initiated export emails a signed JSON download link. Account deletion has a configurable grace window, recovery flow, immediate-delete, and purge cron.CommonInfrastructure
- A/B Experiments (Stable Bucketing)useExperiment assigns users to variants by hashing their user ID, persists assignments in Supabase for stable cohorts, and exposes variant strings for any path.CommonGrowth
- Multi-Tenancy (Org-Scoped Queries)OrgProvider scopes every Supabase query through user_org_ids() SECURITY DEFINER, giving each org isolated data without the RLS recursion bug (42P17).CommonInfrastructure
- OAuth Third-Party Connections (Server-Side Token Vault)Third-party OAuth tokens are stored server-side in a pgsodium-encrypted column and auto-refreshed within a minute of expiry; the client never sees a raw access token; it calls an Edge Function that returns only the decrypted value for the calling user.SpecializedAuth
BUILT IN, NOT BOLTED ON