A bar, club, and restaurant POS platform — a domain-driven Laravel core, a Flutter floor app, and a Next.js front door, built and deployed solo across three codebases and a realtime sidecar.
OWLX is a management and point-of-sale SaaS for bars, clubs, and restaurants — table orders, billing, staff roles, thermal-printer receipts, and live floor notifications, built as one coherent system.
I built it end-to-end across three codebases and a realtime sidecar: a Laravel 10 backend designed strictly around Domain-Driven Design, a Flutter floor app for staff, a Next.js 14 marketing front door, and a Node.js Socket.IO service for live fan-out — deployed solo on a split-tier VPS architecture.
The backend is the spine — 25+ aggregates, 95+ migrations, four API versions, and a permission model with 80+ named grants. A POS this broad changes constantly; the discipline up front is what keeps it changeable.
Here is how it fits together. A Laravel 10 backend, built strictly around Domain-Driven Design, owns every rule. A Flutter app runs the floor; a Next.js site is the front door. A Node.js Socket.IO sidecar carries live notifications — all on a split-tier VPS setup I deploy myself.
31 screens · Riverpod · go_router auth-guard · ESC/POS thermal printing
App Router · shadcn/ui · 2-step OTP register · server-side reCAPTCHA BFF route
REST API · 25+ aggregates · 95+ migrations · v1–v4 versioning · 17 domain events
~1,600 LOC · Sanctum-token auth · MySQL polling · FCM + Socket.IO fan-out
A POS touches money, people, and a live floor at once. These four are the engineering that keeps that broad surface honest.
The backend is built on strict Domain-Driven Design — 25+ aggregates, 95+ migrations, and 17 domain events with listeners. The API is versioned v1 through v4, so an old app build in the field never breaks when the contract moves.
Role-based access runs on Spatie Permission plus a custom rbac:<permission> middleware — every route declares the exact grant it needs, scoped down to the action. Staff see only what their role allows, enforced in one place.
I integrated the 9Pay Vietnam SDK with HMAC request signing, and distributed checkout as short URLs — /p/{code} with a 30-minute TTL — so a bill can be opened and paid from any device, not just the one that rang it up.
A Node.js Socket.IO + Express service authenticates by parsing the Sanctum id|secret token, polls MySQL for new events, and fans them out over FCM and Socket.IO — kept separate from Laravel so the API stays a clean request/response surface.
Reported from the OWLX codebases — aggregate, migration, permission, and screen counts taken from the Laravel and Flutter projects. Snapshot taken May 2026.
