Nzila — "O Caminho" / "The Path" in Kimbundu
EN: Production-grade, multi-tenant gym management platform. 21 modules, 67 database tables, enterprise security with Row-Level Security on every table. Built for Angolan and Portuguese markets.
PT: Plataforma de gestão de ginásios multi-tenant de nível profissional. 21 módulos, 67 tabelas de base de dados, segurança empresarial com Row-Level Security em todas as tabelas. Construída para os mercados angolano e português.
EN: Most gym software is designed for global defaults and only partial localization. Nzila is built for Angolan operational realities (Multicaixa, local connectivity constraints, and Lusophone workflows).
PT: A maioria do software de ginásio é desenhada para padrões globais e localização parcial. O Nzila foi criado para realidades operacionais angolanas (Multicaixa, limitações locais de conectividade e fluxos lusófonos).
Nzila is currently best suited for:
- Small to mid-sized gyms in Angola
- Operators comfortable with controlled rollout
- Teams that can validate financial flows during setup
Not yet optimized for:
- Large multi-location chains
- Fully offline environments
- Strict enterprise compliance environments
```bash
# Clone & run / Clonar e executar
git clone <repo-url>
cd nzila-gym-manager
# Install / Instalar
bun install # or: npm install
# Run / Executar
bun dev # or: npm run dev
# → http://localhost:5173
```
Copy .env.example to .env — auto-generated by Lovable Cloud:
```env
VITE_SUPABASE_URL=https://your-project.supabase.co
VITE_SUPABASE_PUBLISHABLE_KEY=your-anon-key
VITE_SUPABASE_PROJECT_ID=your-project-id
```
See .env.example for all available variables.
EN: Nzila uses Lovable -> GitHub -> Vercel and Codex -> GitHub -> Vercel in parallel. GitHub is the source of truth, Vercel Preview is the review gate, and main deploys to Vercel production.
PT: O Nzila usa Lovable -> GitHub -> Vercel e Codex -> GitHub -> Vercel em paralelo. O GitHub é a fonte de verdade, o Vercel Preview é o gate de review, e a branch main faz deploy para produção no Vercel.
See CI.md and docs/PRODUCTION_READINESS.md for the production workflow.
```mermaid
graph TB
subgraph Presentation["Presentation Layer / Camada de Apresentação"]
UI["React 19 + TypeScript 5.9 + Vite"]
Components["50+ shadcn/ui Components"]
Modules["21 Feature Modules<br/><em>Lazy Loaded</em>"]
I18n["i18n — EN / PT"]
end
subgraph State["State Management / Gestão de Estado"]
TQ["TanStack Query<br/><em>Server State + Cache</em>"]
RC["React Context<br/><em>AuthContext · GymContext</em>"]
end
subgraph Backend["Backend Layer / Camada Backend"]
Auth["Auth — JWT + Sessions + Rate Limiting"]
DB["PostgreSQL 15 — 67 Tables + RLS"]
EF["Edge Functions — Deno Runtime"]
Storage["Storage — Files, Proofs, Logos"]
end
subgraph Security["Security Layer / Camada de Segurança"]
RLS["RLS on ALL 67 Tables"]
Tenant["Multi-Tenant Isolation via gym_id"]
Audit["Immutable Audit Logging"]
end
UI --> TQ
UI --> RC
Components --> UI
Modules --> UI
I18n --> UI
TQ --> Auth
TQ --> DB
TQ --> EF
TQ --> Storage
DB --> RLS
DB --> Tenant
DB --> Audit
```
```mermaid
graph TB
subgraph Tier1["TIER 1 — DISCIPLINES<br/><em>Catálogo de Atividades / Activity Catalog</em>"]
D1["Activity Types<br/>BJJ · Yoga · CrossFit · Boxing"]
D2["Rank Systems<br/>Belts · Stripes · Criteria"]
D3["Category Taxonomy<br/>Combat · Wellness · Strength"]
end
subgraph Tier2["TIER 2 — CALENDAR<br/><em>Motor de Agendamento / Scheduling Engine</em>"]
C1["Class Scheduling<br/>Visual Calendar · Time Slots"]
C2["Recurring Series<br/>RRULE · Exceptions · Auto-generate"]
C3["Booking System<br/>Waitlist FIFO · Promotions"]
end
subgraph Tier3["TIER 3 — TRAINING<br/><em>Programação de Membros / Member Programming</em>"]
T1["Exercise Library<br/>14 Categories · Equipment · Difficulty"]
T2["Workout Templates<br/>Block Builder · Polymorphic WODs"]
T3["Progress Tracking<br/>Performance · Rank History · PRs"]
end
Tier1 -- "FK: discipline_id" --> Tier2
Tier2 -- "FK: workout_template_id" --> Tier3
style Tier1 fill:#1a365d,color:#e2e8f0
style Tier2 fill:#2a4365,color:#e2e8f0
style Tier3 fill:#2c5282,color:#e2e8f0
```
```mermaid
sequenceDiagram
participant U as User / Utilizador
participant FE as Frontend (React)
participant TQ as TanStack Query
participant API as Supabase Client
participant DB as PostgreSQL + RLS
U->>FE: Action / Ação
FE->>FE: AuthContext — JWT validation
FE->>FE: GymContext — gym_id extraction
FE->>TQ: Query with gym_id filter
TQ->>API: Request + JWT token
API->>DB: Query
DB->>DB: RLS Policy Check<br/>auth.uid() = user_id<br/>gym_id = get_user_gym_id()
DB-->>API: Tenant-scoped data only
API-->>TQ: Response
TQ-->>FE: Cached result
FE-->>U: Rendered UI
```
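The shape of the `gym_id = get_user_gym_id()` policy check in the diagram, written here as an added example rather than the project's own migration. The `profiles` and `members` table names are assumptions; `auth.uid()`, `request.jwt.claims` and the `authenticated` role are Supabase's.

```sql
-- Added example (not Nzila's own code): tenant isolation by gym_id.
-- Assumed: profiles(user_id, gym_id) maps a user to their gym, and
-- members carries a gym_id column.

-- Resolve the caller's gym from the JWT subject. SECURITY DEFINER lets the
-- function read profiles even though profiles is itself RLS-protected;
-- the pinned search_path stops a rogue schema from shadowing objects.
create or replace function public.get_user_gym_id()
returns uuid
language sql
stable
security definer
set search_path = public
as $$
  select gym_id from public.profiles where user_id = auth.uid();
$$;

-- Enable RLS and make it bind the table owner too, so a misconfigured
-- service connection cannot silently bypass it.
alter table public.members enable row level security;
alter table public.members force row level security;

-- Read: only rows belonging to the caller's gym.
create policy members_tenant_select on public.members
  for select to authenticated
  using (gym_id = public.get_user_gym_id());

-- Write: the new or updated row must stay inside the caller's gym.
-- WITH CHECK is what rejects an insert that names another gym's id.
create policy members_tenant_insert on public.members
  for insert to authenticated
  with check (gym_id = public.get_user_gym_id());

create policy members_tenant_update on public.members
  for update to authenticated
  using (gym_id = public.get_user_gym_id())
  with check (gym_id = public.get_user_gym_id());

-- Check from psql: impersonate one user (placeholder uuid) and confirm
-- the visible rows are scoped. auth.uid() reads the sub claim below.
begin;
  set local role authenticated;
  select set_config('request.jwt.claims',
                    '{"sub":"00000000-0000-0000-0000-000000000001"}', true);
  select count(*) from public.members;          -- that user's gym only
  select count(*) from public.members
    where gym_id <> public.get_user_gym_id();    -- must be 0
rollback;
```

The second count is the regression check worth keeping in a migration test: it must stay at zero for every table that claims RLS coverage.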
EN: Nzila Gym Manager is a multi-tenant gym management platform focused on the Angolan market.
PT: O Nzila Gym Manager é uma plataforma de gestão de ginásios multi-tenant focada no mercado angolano.
EN: The platform includes core operational modules and is currently in a production-hardening phase, with ongoing improvements in reliability, verification, and user experience.
PT: A plataforma inclui módulos operacionais core e está numa fase de hardening de produção, com melhorias contínuas em fiabilidade, verificação e experiência de utilização.
- Multi-tenant gym isolation (RLS-based)
- Member profiles and memberships
- QR-based check-in
- PIN-based check-in (validation + rate limiting)
- Payment registration (cash, Multicaixa, bank transfer)
- Payment proof upload (secure storage with signed URLs)
- Pending vs completed payment states
- Financial reporting dashboards
- Reconciliation interface (manual/assisted)
- Full settings control panel (permissions, plans, communication, security)
- Role-based access control (12 roles)
- Subscription rules engine
- Row-Level Security across all tenant data
- GDPR export and deletion flows
- Secure edge functions with JWT validation
- CI security pipeline (SAST, dependency audit, secret scanning)
- CI/CD pipeline (lint, type-check, tests, build)
- Vercel deployment pipeline
- Supabase backend with edge functions
- PWA configuration (installable baseline)
- Automated proof validation (beyond manual/text parsing)
- End-to-end reconciliation confidence
- Invoice linkage visibility
- Offline check-in support
- Background sync
- Conflict resolution
- E2E test coverage (Playwright)
- Coverage reporting in CI
- Critical flow validation (payments, check-ins, onboarding)
EN:
- Finish production launch gate controls (environment validation, monitoring, release rehearsal).
- Harden abuse resilience for privileged communication workflows (rate limits + anomaly detection).
- Expand automated verification for critical flows (payments, kiosk, onboarding) with E2E coverage.
PT:
- Concluir os controlos do launch gate de produção (validação de ambientes, monitorização, ensaio de release).
- Reforçar a resiliência a abuso em fluxos privilegiados de comunicação (rate limits + deteção de anomalias).
- Expandir verificação automática dos fluxos críticos (pagamentos, quiosque, onboarding) com cobertura E2E.
EN: Nzila does not yet fully guarantee:
- Automated financial verification from uploaded proofs
- Offline-first operation across all flows
- Full end-to-end test coverage
- Complete enterprise integrations (Stripe, CRM, etc.)
PT: O Nzila ainda não garante totalmente:
- Verificação financeira automatizada a partir de comprovativos
- Operação offline-first em todos os fluxos
- Cobertura completa de testes end-to-end
- Integrações empresariais completas (Stripe, CRM, etc.)
EN: Nzila is production-capable with controlled rollout. Final operational hardening and monitoring are ongoing.
PT: O Nzila é apto para produção com rollout controlado. O hardening operacional final e a monitorização continuam em curso.
Recommended deployment approach:
- Controlled rollout per gym
- Monitoring enabled before scale
- Financial flows validated with real usage
- Create payment record.
- Upload proof when required (Multicaixa/bank transfer).
- Mark payment as `pending` for review.
- Operator verifies and approves/rejects.
- Approved payment moves to `completed`.
- Completed payments appear in reporting and reconciliation views.
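The state rules above, enforced at the database layer by a trigger, as an added example that is not the project's own schema. Column names, the `method` values and the use of Supabase's `auth.uid()` to record the reviewer are assumptions; which roles may perform the update remains the job of the table's RLS policy.

```sql
-- Added example (not Nzila's own code): payment state transitions that a
-- client with UPDATE rights on its own gym's rows still cannot skip.
create table if not exists public.payments (
  id          uuid primary key default gen_random_uuid(),
  gym_id      uuid not null,
  member_id   uuid not null,
  amount      numeric(12,2) not null check (amount > 0),
  method      text not null
              check (method in ('cash', 'multicaixa', 'bank_transfer')),
  proof_path  text,              -- storage object path of the uploaded proof
  status      text not null default 'pending'
              check (status in ('pending', 'completed', 'rejected')),
  reviewed_by uuid,
  reviewed_at timestamptz
);

create or replace function public.enforce_payment_transition()
returns trigger
language plpgsql
as $$
begin
  if tg_op = 'INSERT' then
    -- Every payment is born pending; nobody creates one already completed.
    if new.status <> 'pending' or new.reviewed_by is not null then
      raise exception 'new payments must start as pending and unreviewed';
    end if;
    return new;
  end if;

  -- Completed and rejected are terminal: no further edits of any column.
  if old.status in ('completed', 'rejected') then
    raise exception 'payment % is % and cannot be modified', old.id, old.status;
  end if;

  if new.status <> old.status then
    if new.status not in ('completed', 'rejected') then
      raise exception 'invalid transition % -> %', old.status, new.status;
    end if;
    -- Multicaixa and bank transfers may only complete once a proof exists.
    if new.status = 'completed'
       and new.method in ('multicaixa', 'bank_transfer')
       and new.proof_path is null then
      raise exception 'payment %: proof required for %', new.id, new.method;
    end if;
    -- The reviewer comes from the JWT, never from the client payload.
    new.reviewed_by := auth.uid();
    new.reviewed_at := now();
    if new.reviewed_by is null then
      raise exception 'payment %: an authenticated operator must review it', new.id;
    end if;
  end if;
  return new;
end;
$$;

create trigger payments_transition
  before insert or update on public.payments
  for each row execute function public.enforce_payment_transition();
```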
- Member scans QR or enters PIN in kiosk mode.
- System validates member identity and gym scope.
- Rate limiting and lockout checks apply to PIN attempts.
- Successful check-in is recorded and visible in attendance views.
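Server-side PIN verification with the failure counter and lockout the check-in steps describe, added here as an example and not taken from the project's edge functions. The `pin_attempts` table, the `members.pin_hash` bcrypt column and the 5-failures-in-15-minutes threshold are assumptions.

```sql
-- Added example (not Nzila's own code): rate-limited PIN check-in.
create extension if not exists pgcrypto;

-- One row per attempt; the attendance view reads the successful ones.
create table if not exists public.pin_attempts (
  id           bigserial   primary key,
  gym_id       uuid        not null,
  member_id    uuid        not null,
  attempted_at timestamptz not null default now(),
  success      boolean     not null
);
create index if not exists pin_attempts_lookup_idx
  on public.pin_attempts (gym_id, member_id, attempted_at desc);

-- Returns true only when the PIN matches and the member is not locked out.
-- SECURITY DEFINER lets the kiosk call this without being able to SELECT
-- members.pin_hash itself; search_path includes the schema where Supabase
-- installs pgcrypto (ignored on a plain PostgreSQL where it does not exist).
create or replace function public.verify_member_pin(
  p_gym_id uuid, p_member_id uuid, p_pin text)
returns boolean
language plpgsql
security definer
set search_path = public, extensions
as $$
declare
  v_failures int;
  v_ok       boolean;
begin
  -- Lockout first: 5 failures inside 15 minutes stops further comparisons.
  select count(*) into v_failures
  from public.pin_attempts a
  where a.gym_id = p_gym_id
    and a.member_id = p_member_id
    and a.success = false
    and a.attempted_at > now() - interval '15 minutes';
  if v_failures >= 5 then
    return false;
  end if;

  -- Compare against the bcrypt hash, scoped to the gym the kiosk is bound
  -- to, so a PIN from another tenant never matches. Unknown member: false.
  select m.pin_hash = crypt(p_pin, m.pin_hash) into v_ok
  from public.members m
  where m.id = p_member_id and m.gym_id = p_gym_id;
  v_ok := coalesce(v_ok, false);

  -- Record the outcome so the failure counter and attendance stay in sync.
  insert into public.pin_attempts (gym_id, member_id, success)
  values (p_gym_id, p_member_id, v_ok);
  return v_ok;
end;
$$;

-- Limit who may call it: the authenticated kiosk session, not anon at large.
revoke execute on function public.verify_member_pin(uuid, uuid, text) from public;
grant  execute on function public.verify_member_pin(uuid, uuid, text) to authenticated;
```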
- Operator imports or reviews payment transaction data.
- System/manual matching links payments and reconciliation records.
- Matched items are confirmed and status is updated.
- Exceptions remain for assisted/manual review.
- CI pipeline runs on every push/PR (lint, type-check, tests, build).
- Security workflows include SAST, dependency audit, and secret scanning.
- Row-Level Security is enforced across tenant data.
- Privileged credentials are kept server-side (no `service_role` key in client builds).
Current baseline:
- Unit tests for core services/utilities.
- Component tests for key UI paths.
Current focus:
- Expand coverage in financial and access-control flows.
Next milestones:
- E2E tests for kiosk, payments, and booking critical journeys.
```mermaid
graph LR
subgraph L1["Layer 1 — Frontend"]
FV["Zod Schema Validation"]
XSS["XSS Prevention<br/><em>HTML Encoding · URL Sanitize</em>"]
RP["Route Protection<br/><em>ProtectedRoute · RequirePermission</em>"]
end
subgraph L2["Layer 2 — API"]
JWT["JWT Authentication"]
RL["Rate Limiting<br/><em>Per IP/User · Exponential Backoff</em>"]
CORS["CORS Whitelist"]
end
subgraph L3["Layer 3 — Database"]
RLS["RLS on 67 Tables"]
MT["Multi-Tenant Isolation<br/><em>gym_id Foreign Key</em>"]
SD["Sensitive Data Protection<br/><em>member_sensitive_data</em>"]
end
subgraph L4["Layer 4 — Audit"]
AL["Immutable Audit Logs"]
AE["Auth Events Tracking"]
ET["Error Correlation IDs"]
end
L1 --> L2 --> L3 --> L4
```
| Factor / Fator | Score | Weight / Peso |
|---|---|---|
| RLS Coverage / Cobertura RLS | 10/10 | 25% |
| Auth Security / Segurança Auth | 9/10 | 20% |
| Data Protection / Proteção de Dados | 6/10 | 20% |
| Input Validation / Validação de Input | 9/10 | 15% |
| Audit Trail / Trilho de Auditoria | 10/10 | 10% |
| GDPR/RGPD Compliance | 8/10 | 10% |
| Overall / Geral | 8.0/10 | |
```mermaid
graph TB
SA["1 — Super Admin<br/><em>Full platform / Plataforma completa</em>"]
GO["2 — Gym Owner<br/><em>Full gym + billing / Ginásio + faturação</em>"]
MG["3 — Manager<br/><em>Operations + reports / Operações + relatórios</em>"]
AD["4 — Admin<br/><em>Daily ops / Ops diárias</em>"]
HC["5 — Head Coach<br/><em>Training oversight / Supervisão de treino</em>"]
CT["6 — Coach/Trainer<br/><em>Classes + programming / Aulas + programação</em>"]
IN["7 — Instructor<br/><em>Lead classes / Liderar aulas</em>"]
PH["8 — Physiotherapist<br/><em>Medical data / Dados médicos</em>"]
NU["9 — Nutritionist<br/><em>Diet plans / Planos de dieta</em>"]
RE["10 — Receptionist<br/><em>Check-ins + info</em>"]
ST["11 — Staff<br/><em>Limited front desk / Receção limitada</em>"]
ME["12 — Member<br/><em>Self-service portal / Portal self-service</em>"]
SA --> GO --> MG --> AD
AD --> HC --> CT --> IN
AD --> PH
AD --> NU
AD --> RE --> ST
ST --> ME
```
| Technology / Tecnologia | Version / Versão | Purpose / Propósito |
|---|---|---|
| React | 19 | UI Framework |
| TypeScript | 5.9 | Type Safety / Segurança de Tipos |
| Vite | Latest | Build Tool / Ferramenta de Build |
| Tailwind CSS | 4.x | Styling / Estilização |
| shadcn/ui | Latest | Component Library / Biblioteca de Componentes (50+) |
| TanStack Query | 5.x | Server State / Estado do Servidor |
| React Router | 7.x | Client Routing / Routing do Cliente |
| React Hook Form + Zod | 7.x / 4.x | Form Validation / Validação de Formulários |
| react-i18next | 16.x | Internationalization / Internacionalização (EN/PT) |
| date-fns | 4.x | Date Utilities / Utilitários de Data |
| Recharts | 3.x | Charts & Analytics / Gráficos |
| jsPDF | 4.x | PDF Generation / Geração de PDF |
| Lucide React | Latest | Icon Library / Biblioteca de Ícones |
| Component / Componente | Purpose / Propósito |
|---|---|
| PostgreSQL 15 | Primary Database / Base de Dados Principal |
| Auth (JWT) | Authentication / Autenticação |
| Edge Functions (Deno) | Serverless Backend |
| Storage | File Storage / Armazenamento de Ficheiros |
| Realtime | Live Subscriptions / Subscrições em Tempo Real |
| Row-Level Security | Per-Table Access Control / Controlo de Acesso por Tabela |
| Function / Função | Purpose / Propósito |
|---|---|
| `auth-with-rate-limit` | Rate-limited auth / Auth com limite de taxa |
| `send-email` | Transactional email via Resend / Email transacional |
| `send-welcome-email` | Welcome templates / Templates de boas-vindas |
| `seed-super-admin` | Initial admin bootstrap with shared secret / Bootstrap inicial de admin com segredo partilhado |
| `seed-test-users` | Non-production test data generation / Geração de dados de teste fora de produção |
| `create-user-account` | Admin user creation / Criação de utilizador admin |
| `pre-register-gym-owner` | Owner pre-registration / Pré-registo de proprietário |
```text
nzila-gym-manager/
├── .github/ # CI/CD workflows, templates
│ ├── workflows/ # CodeQL, njsscan, security-audit
│ ├── ISSUE_TEMPLATE/ # Bug report, feature request
│ └── PULL_REQUEST_TEMPLATE.md
├── docs/ # Full documentation / Documentação completa
│ ├── README.md # Documentation index / Índice
│ ├── ARCHITECTURE.md # System architecture / Arquitetura
│ ├── DATABASE.md # Schema & ERD / Esquema & ERD
│ ├── ADMIN_GUIDE.md # Owner/Manager guide / Guia do proprietário
│ ├── STAFF_GUIDE.md # Staff operations / Operações de staff
│ ├── USER_GUIDE.md # Member guide / Guia do membro
│ ├── ERROR_HANDLING.md # Error standards / Padrões de erros
│ ├── RUNBOOKS.md # Incident response / Resposta a incidentes
│ ├── MAINTENANCE.md # Maintenance / Manutenção
│ ├── GLOSSARY.md # Terminology EN/PT / Terminologia
│ ├── FAQ.md # Frequently asked / Perguntas frequentes
│ └── adr/ # Architectural Decision Records
│ ├── 0001-choice-of-database.md
│ ├── 0002-frontend-framework.md
│ ├── 0003-multi-tenant-isolation.md
│ └── 0004-three-tier-module-separation.md
├── src/
│ ├── components/ # React components / Componentes React
│ │ ├── ui/ # shadcn/ui base (50+)
│ │ ├── layout/ # DashboardLayout, navigation
│ │ ├── common/ # ErrorBoundary, PageHeader, i18n
│ │ ├── auth/ # Auth components / Componentes de auth
│ │ ├── dashboard/ # Dashboard widgets
│ │ ├── calendar/ # Calendar, RecurringClassForm
│ │ ├── member/ # Member management + elite portal
│ │ ├── payments/ # Payment components / Componentes de pagamento
│ │ ├── training/ # Training hub / Hub de treino
│ │ ├── settings/ # Settings panels / Painéis de definições
│ │ ├── notifications/ # Alert components / Componentes de alerta
│ │ └── landing/ # Landing page
│ ├── contexts/ # AuthContext, GymContext
│ ├── hooks/ # 19 TanStack Query hooks + utilities
│ ├── modules/ # 21 feature modules (lazy loaded)
│ │ ├── auth/ # Authentication / Autenticação
│ │ ├── members/ # Member management / Gestão de membros
│ │ ├── payments/ # Payments + canonical reconciliation UI / Pagamentos
│ │ ├── calendar/ # Calendar + scheduling / Calendário
│ │ ├── booking/ # Class booking / Reservas de aulas
│ │ ├── invoices/ # Invoice management / Gestão de faturas
│ │ ├── leads/ # CRM leads
│ │ ├── pos/ # Point of sale / Ponto de venda
│ │ ├── inventory/ # Inventory / Inventário
│ │ ├── trainers/ # Trainer management / Gestão de treinadores
│ │ ├── staff/ # Staff management / Gestão de staff
│ │ ├── training/ # Training hub / Hub de treino
│ │ ├── checkins/ # Check-in system / Sistema de check-in
│ │ ├── kiosk/ # Kiosk mode / Modo quiosque
│ │ ├── gdpr/ # GDPR/RGPD compliance
│ │ ├── reporting/ # Financial reporting / Relatórios
│ │ ├── notifications/ # Email services / Serviços de email
│ │ ├── events/ # Event bus
│ │ ├── onboarding/ # Setup wizard / Assistente de configuração
│ │ ├── superadmin/ # Super admin
│ │ ├── saas-admin/ # SaaS administration / Administração SaaS
│ │ └── settings/ # Settings / Definições
│ ├── pages/ # Route pages / Páginas de rota
│ ├── lib/ # Utilities / Utilitários
│ ├── types/ # TypeScript types / Tipos
│ ├── integrations/supabase/ # Client + generated types
│ ├── i18n/locales/ # EN + PT-PT translations / Traduções
│ ├── App.tsx
│ ├── main.tsx
│ └── index.css
├── supabase/
│ ├── functions/ # Edge functions / Funções edge
│ │ ├── _shared/ # cors.ts, sanitize.ts, validation.ts
│ │ ├── auth-with-rate-limit/
│ │ ├── send-email/
│ │ ├── send-welcome-email/
│ │ ├── create-user-account/
│ │ ├── pre-register-gym-owner/
│ │ ├── seed-super-admin/
│ │ └── seed-test-users/
│ ├── migrations/ # Database migrations / Migrações
│ └── config.toml
├── README.md # This file / Este ficheiro
├── ROADMAP.md # Feature roadmap
├── TODO.md # Task tracking / Backlog
├── SECURITY.md # Security policy / Política de segurança
├── CONTRIBUTING.md # Contribution guidelines / Contribuição
├── CHANGELOG.md # Version history / Histórico de versões
├── PRIVACY.md # Data handling / Tratamento de dados
├── LICENSE # MIT License
└── package.json
```
See ROADMAP.md for the full roadmap / Ver ROADMAP.md para o roadmap completo.
```mermaid
gantt
title Nzila Roadmap 2026
dateFormat YYYY-MM
axisFormat %b %Y
section v1.0.x — Stabilization
Security Hardening (RLS PII) :active, s1, 2026-01, 2026-03
GDPR Completion :active, s2, 2026-01, 2026-03
Kiosk PIN Auth :s3, 2026-02, 2026-03
section v1.5 — Enhancement
PWA Offline Support :e1, 2026-04, 2026-06
SMS/WhatsApp Integration :e2, 2026-04, 2026-06
Advanced Analytics Dashboard :e3, 2026-05, 2026-06
section v2.0 — Expansion
React Native Mobile App :f1, 2026-07, 2026-10
Multi-Location Support :f2, 2026-08, 2026-10
AI Training Recommendations :f3, 2026-09, 2026-12
Wearables Integration :f4, 2026-10, 2026-12
```
| Phase / Fase | Version / Versão | Key Features / Funcionalidades |
|---|---|---|
| Current / Atual | v2.4.0 — Q1 2026 | 21 modules ✅ · Security hardening ✅ · GDPR ✅ · Full audit ✅ |
| Next / Próximo | v1.5 — Q2 2026 | PWA offline · SMS/WhatsApp · Advanced analytics |
| Future / Futuro | v2.0 — Q4 2026 | React Native mobile · Multi-location · AI recommendations |
| Document / Documento | Purpose / Propósito |
|---|---|
| docs/ARCHITECTURE.md | System architecture / Arquitetura do sistema |
| docs/DATABASE.md | Database schema & ERD / Esquema de BD & ERD |
| docs/ERROR_HANDLING.md | Error handling standards / Padrões de erros |
| docs/RUNBOOKS.md | Operational runbooks / Runbooks operacionais |
| docs/adr/ | Architectural Decision Records / Registos de Decisões |
| Document / Documento | Audience / Audiência |
|---|---|
| docs/ADMIN_GUIDE.md | Owners & Managers / Proprietários e Gestores |
| docs/STAFF_GUIDE.md | Staff & Receptionists / Staff e Rececionistas |
| docs/USER_GUIDE.md | Members / Membros |
| Document / Documento | Purpose / Propósito |
|---|---|
| ROADMAP.md | Feature roadmap through 2027 / Roadmap de funcionalidades até 2027 |
| TODO.md | Production backlog & sprint planning / Backlog e planeamento de sprints |
| CHANGELOG.md | Version history (Keep a Changelog) / Histórico de versões |
| RELEASE.md | Release process & semantic versioning / Processo de release |
| Document / Documento | Purpose / Propósito |
|---|---|
| SECURITY.md | Security policy & vulnerability reporting / Política de segurança |
| PRIVACY.md | Data handling, GDPR/RGPD compliance / Tratamento de dados |
| Document / Documento | Purpose / Propósito |
|---|---|
| CONTRIBUTING.md | Contribution guidelines / Diretrizes de contribuição |
| TESTING.md | Test setup & coverage / Testes e cobertura |
| CI.md | CI/CD pipeline documentation / Documentação CI/CD |
| PERFORMANCE.md | Benchmarks & tuning / Benchmarks e otimização |
| CODE_OF_CONDUCT.md | Community behaviour baseline / Código de conduta |
See CONTRIBUTING.md for guidelines / Ver CONTRIBUTING.md para diretrizes.
EN: We welcome contributions! Please read our contributing guidelines and code of conduct before submitting a PR.
PT: Aceitamos contribuições! Por favor leia as nossas diretrizes de contribuição e código de conduta antes de submeter um PR.
EN: This project follows a strict documentation-first policy. Any AI agent, contributor, or developer making changes to the codebase MUST update the relevant documentation files to reflect those changes. Documentation is the source of truth.
PT: Este projeto segue uma política rigorosa de documentação em primeiro lugar. Qualquer agente de IA, contribuidor ou programador que faça alterações ao código DEVE atualizar os ficheiros de documentação relevantes para refletir essas alterações. A documentação é a fonte de verdade.
When making changes, update the following as applicable / Ao fazer alterações, atualize o seguinte conforme aplicável:
- README.md — Module matrix, tech stack versions, project structure / Matriz de módulos, versões da stack, estrutura do projeto
- TODO.md — Mark completed tasks, add new ones / Marcar tarefas completas, adicionar novas
- ROADMAP.md — Update phase status and timelines / Atualizar estado das fases e cronogramas
- CHANGELOG.md — Add entry under `[Unreleased]` / Adicionar entrada em `[Unreleased]`
- docs/ARCHITECTURE.md — If architectural changes were made / Se houve alterações arquiteturais
- docs/DATABASE.md — If schema was modified / Se o esquema foi modificado
- SECURITY.md — If security-related changes / Se alterações de segurança
- docs/adr/ — If a significant architectural decision was made / Se decisão arquitetural significativa
MIT License — see LICENSE
- Issues: GitHub Issues
- Docs / Documentação: docs/
- Security / Segurança: SECURITY.md
Version / Versão: 2.4.0 | Updated / Atualizado: March 13, 2026 | Security / Segurança: 8.0/10