1. Public Pages
No authentication required. Marketing, onboarding entry, legal, and competitor lead-generation suite.
Landing and marketing
Homepage
Primary marketing landing page with hero, value props, pricing teaser, and demo widget.
AEO and LLM artifacts
robots.txt
Static robots file. Now allows the major LLM and AEO crawlers in addition to traditional search bots.
llms.txt
llmstxt.org standard file listing key topics, URLs, and a summary tailored for LLM crawlers and answer engines.
llms-full.txt
Extended llms.txt variant with the full context pack (expanded descriptions, FAQ answers, product details) for deep-crawl LLMs.
Authentication
Customer login
Email and password login with brute-force rate limit and optional Google OAuth.
Google OAuth login
Single sign-on via Google. Creates a business account if none exists for the address.
Forgot password
Sends a one-time reset link by email without revealing whether the address exists.
Reset password
Consumes a valid reset token and stores the new password hash.
Logout
Destroys the session and returns the user to the homepage.
Signup wizard
Multi-step onboarding wizard collecting business details and configuring the assistant.
Signup preview script
Generates a draft greeting script for the signup flow preview panel.
Competitor feature suite
Number porting
Collects current provider details and generates a porting request document.
Audit report
Printable report page accessed via tokenised URL after running an audit.
Missed-call rescue
Lets a visitor trigger an SMS/recap service for missed calls on their number.
Help and contact
Contact form
Public contact form that creates a submission record and sends an admin notification email.
2. Customer Features
Require customer login. Handled by DashboardController via Middleware::requireUser.
Dashboard
Customer dashboard home
Overview with call volume, usage, quick stats, and onboarding checklist.
Dismiss onboarding checklist
Hides the onboarding card by stamping onboarding_dismissed_at.
Calls
Call history
Paginated list of inbound and outbound calls with status and duration.
Call detail
Full transcript, recording, and metadata for a single call.
Call export CSV
Streams a CSV of the filtered call list for reporting.
Bookings
Bookings list
Appointments captured by the AI receptionist with ability to update status.
Update booking status
Marks a booking as confirmed, cancelled, or completed.
Connect Google Calendar
OAuth flow to link a calendar so bookings are created directly in Google Calendar.
Calendar OAuth callback
Receives the Google OAuth code and stores the calendar refresh token.
Disconnect calendar
Revokes the stored Google Calendar credentials.
Knowledge base
Business knowledge
Structured business facts (services, hours, policies) the AI uses when answering calls.
Support
Support ticket detail
Conversation thread for a single ticket with reply and reopen actions.
Create support ticket
Posts a new support request that notifies admins via email.
Reply to ticket
Adds a customer reply to an existing ticket.
Reopen ticket
Reopens a previously closed ticket.
Billing
Billing overview
Current plan, trial status, invoices, and call quota with upgrade and cancel actions.
Billing actions
Launches Stripe customer portal or triggers upgrade/cancel actions.
Owner reports
Weekly owner-facing report listing rescued calls, bookings, and revenue impact.
View single report
Detailed view of a specific weekly report with all source data.
Settings
Account settings
Business profile, contact details, greeting script, working hours, and voice selection.
Change password
Customer-initiated password change using the current password.
Onboarding and signup
See Signup wizard under Public pages for the initial account creation flow.
3. Admin Features
Require admin session. Handled by AdminController, OutreachController, ContactController behind Middleware::requireAdmin.
Dashboard
Customers
Customer detail
Individual account: calls, bookings, billing, support, activity log.
Customer action
Suspend, unsuspend, reset password, or impersonate a customer.
Customer export CSV
Full customer list download for reporting.
Call export CSV (admin)
Global call export across all customers.
Audits
Rescue
Update rescue status
Change the lifecycle status of a rescue record.
Revenue
Revenue dashboard
Monthly recurring revenue, churn, trial conversion, lifetime value.
At risk
At-risk customers
Accounts trending toward churn based on usage drop, failed payments, or support signals.
Email log
Audit log
Settings
System settings
Centralised form for all environment-overridable settings (app, email, OAuth, Vapi, Twilio, Stripe, plans, costs, outreach, branding).
Stripe setup wizard
Step-by-step wizard that creates products, prices, and webhook using the Stripe API.
Setup wizard
First-run checklist that validates database, Vapi, Twilio, Stripe, Google, and SMTP connectivity.
SEO and content (legacy)
SEO Meta Editor (legacy)
Legacy - superseded by /admin/seo/content-audit and /admin/seo/settings. Original per-page meta title, description, OG tag, and sitemap inclusion editor.
Content blocks
Edit marketing copy (hero, feature list, pricing, FAQ) stored in the content service.
SEO and Marketing
SEO Dashboard
Overview of crawl stats, bot breakdown, top URLs, backlinks, audit scores, keyword count, and LLM citations this month.
Bot Crawl Log
Paginated log of crawler visits (Googlebot, Bingbot, GPTBot, ClaudeBot, PerplexityBot, CCBot, Google-Extended, Applebot). Supports filters and CSV export.
Backlinks
Manual backlink tracker with lost/active status, grouped by source domain.
Competitors
Competitor tracker with one-click scan via the SSRF-hardened fetcher and snapshot history.
Target Keywords
CRUD for target keywords. Seeded with 10 UK keywords on migration 035.
Content Audit
Runs SeoAuditService over every public URL and scores 0-100 on title, meta description, H1, word count, schema, canonical, OG, and internal links.
AEO and LLM Optimization
Status panel: llms.txt present, GPTBot allowed, homepage FAQ, schema emitted. Includes regenerate-llms.txt button and LLM citation log.
Schema Preview
Paste a URL to see the emitted JSON-LD schema.org structured data block.
SEO Settings
Central settings for search engine webmaster tools, third-party SEO APIs, and organisation/brand schema fields.
Outreach
Outreach dashboard
Outbound calling program overview: active campaigns, leads dialled, conversions.
Campaigns list
All outbound calling campaigns with status and progress.
New campaign
Create a campaign: target list, script, pacing, schedule.
Campaign detail
Per-campaign stats, lead status counts, and call log.
Save campaign
Persists create/update to the campaign record.
Campaign action
Start, pause, or archive a campaign.
Scripts list
Library of outbound call scripts and AI prompts.
Edit script
Edit or create an outbound script with variables and AI system prompt.
Save script
Persists script changes.
Delete script
Removes a script from the library.
Leads import
Upload a CSV of leads into the outreach queue.
Leads scrape
Search Google Places, Apollo, or Outscraper for new leads.
Import scraped leads
Move scraped results into the outreach lead table.
Lead detail
Individual lead record with call history and status.
Update lead status
Change lead disposition (contacted, converted, do-not-call).
Suppression list
Do-not-call phone numbers and domains to exclude from outreach.
Add suppression
Add a single entry to the suppression list.
Remove suppression
Remove an entry from the suppression list.
Import suppression CSV
Bulk import of suppression entries from a CSV.
Call schedules
Time-window definitions for when outbound campaigns may dial.
Save schedule
Create or update a call schedule.
Toggle schedule
Enable or disable a schedule without deleting it.
Delete schedule
Remove a schedule definition.
Support tickets and contact
Admin ticket detail
Conversation thread with admin reply, status, and priority controls.
Admin reply
Post an admin reply on a ticket and optionally notify the customer.
Change ticket status
Open, pending, solved, closed.
Change ticket priority
Low, normal, high, urgent.
Support FAQs
Maintain the public help center FAQ content.
Save FAQ
Create or update a FAQ entry.
Delete FAQ
Remove a FAQ entry.
Contact submissions
Public contact form submissions with assignment and status.
Update contact status
Update lifecycle of a contact submission.
Media and showcase
Upload media
Upload audio, images, or PDFs to the media library.
Showcase
Curated list of case studies or testimonials rendered on marketing pages.
Save showcase entry
Add or update a showcase record.
Delete showcase entry
Remove a showcase record.
4. API and Webhook Endpoints
Machine-to-machine endpoints used by Vapi, Stripe, Twilio, and the dashboard front-end.
Status
Liveness JSON.
Outbound booking API
Creates a booking off an outbound AI call.
Calendar check API
Returns free slots for the connected Google Calendar in a time window.
Calendar book API
Creates a Google Calendar event for a confirmed booking.
Vapi webhook
Receives call started, transcript, and ended events from Vapi.ai.
Stripe webhook
Receives subscription, invoice, and payment events from Stripe.
5. Required External Services and API Keys
Consolidated from Settings::getDefinitions() in src/Services/Settings.php. Admin-settable keys can be edited at /admin/settings; env-only keys must be set in the host environment.
| Service | Purpose | Keys | Admin group |
|---|---|---|---|
| Application | Core app identity and environment | APP_URL, APP_NAME, APP_ENV, ADMIN_EMAIL | Application |
| Database (MySQL) | Persistent storage | DB_HOST, DB_NAME, DB_USER, DB_PASS, DB_CHARSET (env-only) | Database |
| Security | Session and webhook integrity | ENCRYPTION_KEY (env-only), SESSION_SECRET, WEBHOOK_TOLERANCE_SECONDS | Security |
| Gmail SMTP | Transactional email delivery | GMAIL_USER, GMAIL_APP_PASSWORD, MAIL_FROM_ADDRESS, MAIL_FROM_NAME, CONTACT_FORM_RECIPIENT | |
| Google OAuth (customer login) | Customer SSO | GOOGLE_LOGIN_ENABLED, GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET, GOOGLE_REDIRECT_URI, GOOGLE_SCOPES | Google OAuth |
| Google Service Account | Admin demo calendar and system calendar operations | GOOGLE_SERVICE_ACCOUNT_JSON, ADMIN_CALENDAR_ID, ADMIN_DEMO_* | Google Service Account |
| Vapi.ai | Voice AI assistant and telephony bridge | VAPI_API_KEY, VAPI_SERVER_SECRET, VAPI_BASE_URL, VAPI_PHONE_NUMBER_ID, VAPI_PUBLIC_KEY, VAPI_DEMO_ASSISTANT_ID | Vapi.ai |
| Twilio | Phone numbers and SMS | TWILIO_ACCOUNT_SID, TWILIO_AUTH_TOKEN, TWILIO_SMS_FROM, TWILIO_DEFAULT_AREA_CODE | Twilio |
| Stripe | Billing and subscriptions | STRIPE_SECRET_KEY, STRIPE_PUBLISHABLE_KEY, STRIPE_WEBHOOK_SECRET, STRIPE_PRICE_STARTER, STRIPE_PRICE_PRO, STRIPE_PRICE_ENTERPRISE, STRIPE_TRIAL_DAYS | Stripe |
| Plans and costs | Quota limits and cost accounting | PLAN_*_CALLS, PLAN_*_PRICE, COST_VAPI_PER_MINUTE_PENCE, COST_TWILIO_* | Plan Limits, API Costs |
| Outreach | Outbound calling pacing | OUTREACH_MAX_CALLS_PER_DAY_DEFAULT, OUTREACH_RETRY_HOURS, OUTREACH_MAX_RETRIES, OUTBOUND_CALLER_ID | Outreach |
| Lead sources | Lead scraping providers | OUTSCRAPER_API_KEY, APOLLO_API_KEY, GOOGLE_PLACES_API_KEY | Lead Sources |
| Branding | Site chrome and demo widget copy | BRAND_LOGO_SVG, BRAND_FAVICON_SVG, BRAND_SITE_NAME, BRAND_ACCENT_COLOR, DEMO_*, COMPANIES_HOUSE_NUMBER, ICO_REGISTRATION, WHATSAPP_NUMBER | Branding |
| SerpAPI | SERP position tracking for target keywords | SERPAPI_KEY (from serpapi.com) | SEO |
| Ahrefs | Backlink and domain authority data | AHREFS_API_TOKEN (from ahrefs.com/api) | SEO |
| Google Search Console | Property verification and search performance | GOOGLE_SEARCH_CONSOLE_PROPERTY, GOOGLE_SITE_VERIFICATION_TOKEN | SEO |
| Bing Webmaster Tools | Bing index coverage and keyword data | BING_WEBMASTER_API_KEY, BING_SITE_VERIFICATION_TOKEN | SEO |
6. Known Residual Issues
- None observed during this pass. All PROD smoke-tested routes returned HTTP 200.
7. Audit Findings and Fixes Applied
- Enumerated every route in
public/index.php(103 route registrations) and cross-referenced against the controllers insrc/Controllers/. - Smoke tested 30 PROD routes (public, auth, industry landing, dashboard, and admin entry points). Every route returned HTTP 200.
- Reviewed
Settings::getDefinitions()to build the consolidated API key and service table. - No code defects were found that required a source fix during this pass.
- SEO/AEO/LLM admin system built and deployed (migration 035, 7 new tables, 22 new admin routes, schema.org JSON-LD on every public page, llms.txt standard file, LLM bot allow list in robots.txt).