# What Slicekit includes > A map of what ships in the box: the foundations every SaaS needs, already assembled and tested, with a guide for each. ## The foundation, already built Slicekit is not an empty repo with a framework bolted on. It is a working system: the parts every SaaS needs are assembled, wired together and tested, so your first commit is a feature instead of plumbing. This page is the map. Each capability links to the guide that shows you how to use and extend it. ## Identity and access - **Cookie sessions with CSRF.** Server-side sessions backed by Redis, not bearer tokens in the browser. See [authentication](/docs/authentication). - **Roles and permissions.** A typed `Allow` permission catalogue enforced on endpoints and mirrored to the SPA. See [adding a permission](/docs/adding-a-permission) and [permissions in the UI](/docs/frontend-permissions). - **OAuth providers.** Sign in with external providers alongside the cookie session. See [adding an OAuth provider](/docs/oauth-provider). - **Two-factor authentication.** TOTP enrollment, verification and recovery codes. See [two-factor authentication](/docs/two-factor-auth). - **Admin impersonation.** Support staff can act as a user, with the action recorded. See [impersonation](/docs/impersonation). ## The architecture - **Vertical slices.** One feature, one folder; no layered free-for-all. See [adding a vertical slice](/docs/vertical-slices) and the [architecture overview](/docs/architecture). - **Domain-driven design.** Aggregates own their invariants and raise events. See [domain-driven design](/docs/domain-driven-design). - **CQRS over Wolverine.** Commands, queries and a message bus, with handlers discovered automatically. See [CQRS and domain events](/docs/cqrs-and-events). - **Reliable messaging.** A transactional outbox makes integration events safe to publish. See [domain and integration events](/docs/domain-events). - **A shared error taxonomy.** `Result` and `AppError` map cleanly onto ProblemDetails responses. See [error handling](/docs/error-handling). ## Data and operations on data - **PostgreSQL with EF Core.** Migrations apply on start in development and as a deploy step in production. See [adding a database migration](/docs/adding-a-migration). - **Pagination.** Shared primitives for paged, sortable lists end to end. See [pagination](/docs/pagination). - **File storage.** An S3-compatible abstraction, MinIO locally and any bucket in production. See [file storage](/docs/file-storage). - **Auditing.** Emit "who did what" events that flow to Loki and an admin audit log. See [auditing](/docs/auditing). - **GDPR tooling.** Per-user data export and erasure built in. See [data export and GDPR](/docs/data-export). ## The frontend - **A typed React SPA.** Vite, TanStack Router and Query, and shadcn/ui. See [frontend overview](/docs/frontend-overview). - **One typed API client.** Cookies and CSRF handled for you, wrapped in TanStack Query. See [the typed API client](/docs/api-client). - **Forms.** React Hook Form and Zod, wired to the client and its server-side validation errors. See [building a form](/docs/forms). - **Internationalisation.** Namespaced translations and a language switcher. See [adding a language](/docs/i18n). ## Production concerns - **Rate limiting.** Named policies you apply per endpoint. See [rate limiting](/docs/rate-limiting). - **API versioning.** Add a `v2` without breaking existing clients. See [adding an API version](/docs/api-versioning). - **Observability.** Traces, metrics and logs over OpenTelemetry into Grafana. See [observability](/docs/observability). - **Configuration by environment variable.** Placeholders in `appsettings.json`, secrets injected from the environment. See [configuration](/docs/configuration). - **Deployment and reverse proxy.** Standard images, OTLP exporters, forwarded-header support. See [deployment](/docs/deployment) and [reverse proxy](/docs/reverse-proxy). - **CI.** GitHub Actions builds, tests and lints both sides on every push. ## Working in it - **Testing.** A fast unit and architecture suite, plus Testcontainers integration tests. See [testing a feature](/docs/feature-testing). - **Removing what you do not need.** A clean recipe for deleting a slice across both sides. See [removing a feature](/docs/removing-a-feature). - **AI-assisted development.** `AGENTS.md` routers and per-side conventions so coding agents have the context they need. See [AI-assisted development](/docs/ai-assisted). Ready to run it? Start with [getting started](/docs/getting-started).