Full-Stack Developer Needed for OpenAI API Staff Assistant Web App MVP
HOURLY / PART_TIME
Australia
next.js, node.js
Developer Brief — API-Based AI Staff Assistant Web Portal MVP
Project Overview
I am building a web-based AI staff assistant platform for small businesses.
The product will allow each client business to give its staff access to a private AI assistant trained only on that business’s approved internal documents, procedures, FAQs, onboarding material and SOPs.
The goal is to create a secure, lean MVP that can support multiple business clients, each with their own separate documents, AI assistant, usage logs and admin access.
This is not intended to be a general chatbot. It is an internal staff-support and onboarding assistant.
Example use case:
A gym uploads approved procedures such as:
• Membership sign-up process
• Cancellation process
• Opening and closing checklist
• Cleaning checklist
• Complaint handling script
• Incident escalation process
• Staff FAQ
A staff member opens the business’s private staff assistant link or scans a workplace QR code and asks:
“What do I do if someone wants to cancel their membership?”
The AI assistant should search only that gym’s approved knowledge base and provide a concise, practical answer based on the uploaded material.
If the answer is not found in the approved documents, the assistant should not guess. It should say it cannot find an approved answer and tell the staff member to ask a manager.
Core Product Requirement
The platform must operate using the OpenAI API.
The OpenAI API key must be stored securely on the backend only. The frontend/browser must never call OpenAI directly or expose the API key.
The intended architecture is:
Staff user → private staff portal link/QR code → web portal frontend → secure backend/server layer → correct business knowledge base → OpenAI API → answer returned to staff user.
The developer must create or configure the backend layer required for this. I do not want a solution where the OpenAI API key is exposed in browser-side code.
Important Access Decision
For the MVP, I do not want every staff member to have an individual account.
This is to reduce:
• backend complexity
• client IT/admin requests
• password reset issues
• onboarding friction
• support requests
• unnecessary user-management overhead
Instead, each client business should have a simplified staff access method.
Acceptable MVP staff access options include:
• a private business-specific staff assistant link
• a QR code that opens that business’s staff assistant
• a shared staff PIN/password
• a business access code
• a protected staff portal page for that business
The exact method can be recommended by the developer, but the staff experience should be simple.
Ideal staff workflow:
1. Staff member scans QR code or opens private staff link.
2. Staff member enters business PIN/code if required.
3. Staff member lands directly on that business’s AI staff assistant.
4. Staff member asks a question.
5. Assistant answers using only that business’s approved documents.
Individual staff accounts may be considered in a later version, but they are out of scope for the MVP.
Preferred Build Approach
I am open to technical recommendations, but the preferred MVP stack is:
• Frontend: Next.js / React
• Backend: Next.js API routes, Node.js, or equivalent secure backend
• Hosting: Vercel, Render, Railway or similar
• Database/Auth/Storage: Supabase or Firebase
• AI: OpenAI API
• Knowledge retrieval: OpenAI vector stores/file search or equivalent secure RAG setup
• File storage: Supabase storage, Firebase storage, or another secure option
• Admin/user management: custom dashboard within the web app
Suggested stack preference:
Next.js + Supabase + OpenAI API + Vercel
However, I am open to another stack if you can clearly explain why it is better for this MVP.
Important Scope Clarification
This job is for the functional web app / client portal / backend system.
It does not need to include a full marketing website. I may build the public marketing website separately using Wix, Google Sites, Webflow, WordPress or similar.
The app should eventually be able to sit on a subdomain, for example:
app.businessname.com.au
The public marketing website may sit separately at:
businessname.com.au
MVP Objectives
The MVP needs to allow me to onboard real beta clients.
At minimum, the MVP should support:
1. Multiple separate business clients.
2. Each business having its own private staff assistant access link or QR code.
3. Staff being able to ask live questions without needing individual staff accounts.
4. Each business having its own separate approved knowledge base.
5. The assistant answering only from that business’s approved documents.
6. The assistant refusing/escalating when the answer is not found.
7. Super admin dashboard.
8. Client admin dashboard.
9. Conversation logging by business.
10. Usage tracking by business.
11. Secure OpenAI API implementation.
12. Mobile-friendly staff use.
The MVP does not need to be a fully polished SaaS platform yet. It needs to be secure, functional, clean and reliable enough to test with paying beta businesses.
Multi-Tenant Business Structure
The app must support multiple businesses.
Each business should have:
• Business name
• Unique business ID
• Client admin users
• Private staff assistant link
• Optional shared staff access code/PIN
• Separate uploaded documents
• Separate knowledge base / vector store / equivalent retrieval index
• Separate assistant settings
• Separate conversation logs
• Separate usage tracking
• Ability to be disabled by super admin
The most important requirement is strict data separation.
Staff from Business A must never be able to access documents, answers, chat logs or data from Business B.
When a staff member accesses a business’s staff assistant, the backend must identify the correct business and retrieve information only from that business’s approved knowledge base.
User Roles
The app needs two main account-based user roles for MVP.
1. Super Admin
This is me, the platform owner.
Super admin can:
• Create new client businesses
• View all businesses
• Add/remove client admins
• Generate/reset staff access links or codes
• Upload/manage documents for any business
• View usage across all businesses
• View conversation logs across all businesses
• Disable businesses
• Disable client admin users
• Adjust usage limits
• View failed/escalated questions
• Manage system prompts/assistant instructions if required
2. Client Admin
This is the business owner or manager.
Client admin can:
• View their own business only
• View their business’s staff assistant access link or QR code
• Reset staff access code/PIN if enabled
• View uploaded documents for their business
• Upload approved documents if enabled
• View staff questions for their business
• View basic usage for their business
• View failed/escalated questions
• Update or request updates to documents
Client admin must not be able to access other businesses.
3. Staff Access — No Individual Account for MVP
Staff do not need individual login accounts for MVP.
Staff access should be via:
• private business-specific link
• QR code
• shared PIN/password/code if required
Staff can:
• access their business’s staff assistant
• ask questions
• receive answers from their business’s approved documents
Staff cannot:
• access admin settings
• upload documents
• view business settings
• access other businesses
• view all conversation logs
• manage users
Conversation logs should be tracked by business, not necessarily by individual staff member.
Optional anonymous/session-based tracking is acceptable.
Login and Access
The app needs login for:
• Super admin
• Client admin
The staff assistant should be accessible through simplified business-specific access.
Required admin login features:
• Email/password or magic link login
• Password reset
• Role-based permissions
• Client admins linked to one business
• Super admin access to all businesses
Required staff access features:
• Business-specific assistant link
• QR code generation or ability to generate a URL that can be made into a QR code
• Optional shared PIN/password/code
• Ability for super admin or client admin to reset staff access
• Ability to disable staff access if needed
Preferred but optional:
• Expiring access links
• Regeneratable access token
• Simple access-code screen before the chat page
• Rate limiting per business access link
The staff experience should be as simple as possible.
Staff Chat Interface
The staff chat page should be simple and mobile-friendly.
It should include:
• Business name/logo if available
• Chat conversation area
• Input box
• Clear disclaimer
• Escalation guidance
• Clean mobile layout
• Fast response experience
• Optional “common questions” starter prompts
Example disclaimer:
“Answers are based on approved internal staff documents. If the answer is unclear, missing or relates to a serious issue, ask your manager.”
The interface does not need to look highly polished for MVP, but it must be professional enough to show beta clients.
AI Assistant Behaviour
The AI assistant must follow strict instructions.
It should:
• Answer only from the business’s approved knowledge base.
• Not invent policies, prices, procedures or promises.
• Not give legal, HR, payroll, medical, safety-critical or financial advice.
• Say when the answer is not found.
• Tell staff to ask a manager when unsure.
• Keep answers clear and practical.
• Prefer step-by-step answers when helpful.
• Include the relevant source/procedure name if possible.
• Use the tone of an internal staff guide: helpful, clear, calm and direct.
The assistant should not sound overly casual or speculative.
Required Escalation Behaviour
The assistant must escalate rather than provide final advice for:
• Injuries
• Emergencies
• Harassment
• Discrimination
• Payroll
• Termination
• Legal issues
• Medical issues
• Customer aggression
• Safety incidents
• Refunds outside approved policy
• Complaints not covered by policy
• Anything not found in the approved documents
• Anything that could create liability for the business
Example escalation answer:
“I can’t find an approved answer for that in the current staff guide. Please ask your manager before taking action.”
For urgent issues:
“This may require immediate manager involvement. Please escalate this to your manager or the nominated emergency contact.”
Knowledge Base / Document System
Each business needs its own separate approved knowledge base.
The system should allow documents to be uploaded and attached to the correct business.
Supported MVP file types:
• PDF
• DOCX
• TXT
• Markdown
• Plain text FAQ entries
Optional later:
• Google Drive sync
• Notion sync
• CSV support
• Website crawling
• Automatic document versioning
For MVP, manual document upload is acceptable.
Each uploaded document should have:
• Business ID
• File name
• Upload date
• Uploaded by
• Status: processing / active / failed / archived
• Ability to delete or replace
• Ability to re-index/retrain after update
The system should support a separate OpenAI vector store per business or an equivalent isolated retrieval setup.
The key requirement is:
One business = one isolated knowledge base.
Knowledge Base Safety
Not all client documents should be used by the AI assistant.
The system should be built around “approved documents” only.
The client may provide raw documents, but the assistant should only draw on documents that are marked as approved.
For MVP, this approval process can be simple.
Required document statuses:
• Draft / uploaded
• Approved
• Archived
Only approved documents should be available to the AI assistant.
This prevents the assistant from using outdated, messy, private or unapproved information.
AI Retrieval Requirement
When a staff member asks a question, the system should:
1. Identify the business based on the staff assistant link, QR code, token or access code.
2. Search only that business’s approved knowledge base.
3. Retrieve the most relevant document sections.
4. Send the retrieved context and staff question to OpenAI through the backend.
5. Return a concise answer.
6. Log the question, answer, usage and outcome against that business.
The assistant must not search across all client documents.
The retrieval method should be explained by the developer before build.
Acceptable approaches:
• OpenAI vector stores/file search
• Supabase pgvector
• Pinecone or another vector database
• Other RAG method recommended by developer
Preference is for the simplest reliable MVP approach.
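The six retrieval steps above, together with the approved-documents-only rule from the Knowledge Base Safety section, as one server-side function. This is an added example, not code from the brief or any project; it assumes keyword scoring in place of the vector search, an injected `llm` function standing in for the backend OpenAI call, and constructed sample businesses, links and documents.

```javascript
// Added example (not from the brief): steps 1-6 as one server-side function.
// Keyword scoring stands in for the vector search and the OpenAI call is
// injected as `llm`, so the business-isolation and refusal logic runs offline.
// All records below are constructed sample data.

// Step 1 input: verified staff links, each bound to exactly one business.
const accessLinks = {
  'link-token-a': { businessId: 'gym-a', disabled: false },
  'link-token-b': { businessId: 'gym-b', disabled: false },
};

// Documents carry a business id and a status; only 'approved' is ever read.
const documents = [
  { id: 'd1', businessId: 'gym-a', status: 'approved', title: 'Cancellation process',
    text: 'To cancel a membership, have the member complete the cancellation form and give 30 days notice.' },
  { id: 'd2', businessId: 'gym-a', status: 'draft', title: 'Refund policy (draft)',
    text: 'Refund any membership fee on request.' },
  { id: 'd3', businessId: 'gym-b', status: 'approved', title: 'Cancellation process',
    text: 'Cancel a membership at reception with photo ID; no notice period applies.' },
];

const NOT_FOUND = "I can't find an approved answer for that in the current staff guide. Please ask your manager before taking action.";
const URGENT = 'This may require immediate manager involvement. Please escalate this to your manager or the nominated emergency contact.';
// Topics the brief lists as always-escalate, checked before any model call.
const ESCALATE = /injur|emergenc|harass|discriminat|payroll|terminat|legal|medical|safety|aggress/i;

// Model comes from server configuration, never from the browser request.
const MODEL = process.env.ASSISTANT_MODEL || 'gpt-4o-mini';
const SYSTEM_PROMPT = [
  'You are an internal staff guide. Answer only from the approved documents provided.',
  'Do not invent policies, prices, procedures or promises.',
  'Do not give legal, HR, payroll, medical, safety-critical or financial advice.',
  `If the documents do not answer the question, reply exactly: ${NOT_FOUND}`,
  'Keep answers practical and name the source procedure you used.',
].join('\n');

// Steps 2-3: scope to ONE business's approved documents, then rank them.
function retrieveApproved(businessId, question, limit = 3) {
  const terms = question.toLowerCase().match(/[a-z]{4,}/g) || [];
  return documents
    .filter(d => d.businessId === businessId && d.status === 'approved') // isolation before scoring
    .map(d => ({ ...d, score: terms.filter(t => d.text.toLowerCase().includes(t)).length }))
    .filter(d => d.score > 0)
    .sort((a, b) => b.score - a.score)
    .slice(0, limit);
}

// Steps 1, 4, 5 and 6. `llm` is the backend OpenAI call:
// ({ model, system, context, question }) => Promise<string>. `log` gets one entry per question.
async function answerStaffQuestion(token, question, { llm, log }) {
  const link = accessLinks[token];
  if (!link || link.disabled) return { status: 403, error: 'Staff access link not recognised' };
  const entry = { businessId: link.businessId, question, timestamp: new Date().toISOString(),
                  model: null, sources: [], outcome: null, answer: null };
  const finish = (outcome, answer) => {
    Object.assign(entry, { outcome, answer });
    log.push(entry);
    return { status: 200, ...entry };
  };

  if (ESCALATE.test(question)) return finish('escalated', URGENT);
  const chunks = retrieveApproved(link.businessId, question);
  if (chunks.length === 0) return finish('not_found', NOT_FOUND); // no model call, no guessing
  entry.sources = chunks.map(c => c.title);
  entry.model = MODEL;
  const context = chunks.map(c => `## ${c.title}\n${c.text}`).join('\n\n');
  const answer = await llm({ model: MODEL, system: SYSTEM_PROMPT, context, question });
  return finish(answer.trim() === NOT_FOUND ? 'not_found' : 'answered', answer);
}

// Offline stand-in for the OpenAI call: returns the top approved chunk with its source name.
async function offlineLlm({ context }) {
  const [title, ...body] = context.split('\n\n')[0].split('\n');
  return `${body.join(' ')} (Source: ${title.replace(/^## /, '')})`;
}
```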
Conversation Logging
The app should store conversation logs.
Each log should include:
• Business ID
• Staff access source/link/session ID if available
• Staff question
• AI answer
• Timestamp
• Retrieval sources used if possible
• Whether the answer was successful or escalated
• Estimated token usage if available
• Estimated cost if available
• Model used
Conversation logs are important for:
• Quality control
• Client reporting
• Improving knowledge bases
• Identifying missing SOPs
• Usage-based pricing later
Client admins should be able to see conversation logs for their own business only.
Super admin should be able to see logs across all businesses.
Because individual staff accounts are not required for MVP, logs do not need to identify individual staff members.
Usage Tracking
The platform should track usage per business.
Minimum usage tracking:
• Number of staff questions this month
• Number of AI responses this month
• Number of escalated/missing answers
• Approximate token usage if available
• Approximate OpenAI API cost if available
• Monthly usage reset
The MVP should support simple usage caps.
Example:
• 500 questions/month included, with the ability to change this from the super admin dashboard to allow for package upgrades
• Warning when close to limit
• Super admin can manually increase or reset limit
Automatic billing is not required for MVP.
However, the database should be structured so billing can be added later.
Admin Dashboards
Super Admin Dashboard
The super admin dashboard should allow me to:
• View all businesses
• Create new business
• Edit business
• Disable business
• View client admin users
• Add/remove client admin users
• Generate/reset staff assistant links/codes
• View all usage
• View all conversation logs
• View failed/escalated questions
• Upload/manage documents for any business
• Set business usage limits
• View approximate OpenAI costs if available
Client Admin Dashboard
The client admin dashboard should allow the business owner/manager to:
• View their business settings
• View their staff assistant link/QR code
• Reset shared staff access code/PIN if enabled
• View uploaded documents
• Upload approved documents if enabled
• View recent staff questions
• View missing/escalated questions
• View monthly usage
• See what information may need to be added to the knowledge base
The dashboard should be simple. It does not need advanced analytics for MVP.
Staff User Dashboard
For MVP, the staff dashboard can simply be the chat page.
No individual staff dashboard is required.
Optional:
• Common questions
• Quick links to staff guide sections
• Contact manager button
• Start new chat button
Security Requirements
Security is a critical part of this build.
Required:
• OpenAI API key stored server-side only
• API key stored in environment variables or secure secrets manager
• No OpenAI API calls from browser/client-side code
• HTTPS deployment
• Authentication required for super admin and client admin access
• Protected business-specific staff assistant access
• Role-based access control for admin users
• Business-level data separation
• Secure file storage permissions
• Staff access links/codes can only access one business’s assistant
• Input validation
• Basic rate limiting
• Error handling that does not expose sensitive technical information
• No API keys committed to GitHub/source code
• Source code repository access handed over to me
Preferred:
• Supabase row-level security if Supabase is used
• Audit log for document uploads/deletions
• Audit log for admin user creation/removal
• Ability to rotate OpenAI API key
• OpenAI project-level key or restricted key setup if suitable
• Monthly usage alert/budget guardrail
• Regeneratable staff access tokens
• Ability to disable staff access link immediately
Data and Privacy Considerations
The platform should not require highly sensitive staff/customer data.
The intended knowledge base should contain business procedures, SOPs, FAQs and training materials only.
The system should avoid storing:
• TFNs
• Bank details
• Payroll details
• Medical information
• Private employee disputes
• Customer personal information
• Passwords
• Legal documents unless explicitly approved
• Anything not required for onboarding/staff support
The product should be designed around minimal necessary data.
Because individual staff accounts are not being used in the MVP, the system should avoid collecting unnecessary individual staff data.
MVP Pages Required
The app should include the following pages:
1. Super admin login page
2. Client admin login page
3. Staff assistant access page
4. Staff chat page
5. Client admin dashboard
6. Document upload/manage page
7. Usage/logs page
8. Super admin dashboard
9. Business management page
10. Basic settings page
Optional:
• Public landing page
• Pricing page
• Help page
• Staff FAQ quick link page
The public website is not the main requirement for this job.
Mobile Requirements
The staff chat page must work well on mobile.
Most staff will likely use it by phone while at work.
Mobile requirements:
• Easy QR code access
• Simple PIN/code entry if required
• Large readable text
• Simple chat interface
• No cluttered dashboard for staff
• Fast load time
• Works from QR code link
The admin dashboards can be more desktop-focused, but should still be usable on mobile if possible.
OpenAI API Requirements
The developer should use the OpenAI API in a secure, scalable way.
Required:
• Backend/server-side OpenAI calls only
• Model choice configurable by super admin or environment setting
• Ability to use a cheaper model for normal staff questions
• Ability to change model later without rebuilding the app
• Retrieval from client-specific knowledge base
• Clear system prompt/assistant instructions
• Logging of usage where possible
Preferred:
• Use OpenAI Responses API
• Use OpenAI vector stores/file search if suitable
• Or provide a clear reason for using another RAG/vector approach
The system must be built so that OpenAI costs can be monitored and controlled.
Expected First Client Volume
The MVP should be able to support at least:
• 5 client businesses initially
• 1–3 client admin users per business
• Shared staff access per business
• 500 staff questions per business per month, with the ability to increase this from the super admin dashboard to allow for package upgrades
• Separate document knowledge base per business
It should be built in a way that can later scale to:
• 15+ businesses
• Optional individual staff accounts in a future version
• More users
• Higher monthly question volume
• More advanced billing/reporting
The first version does not need enterprise-scale architecture, but it should not be built in a way that prevents sensible growth.
Out of Scope for MVP
Please do not quote for these unless clearly marked optional:
• Individual staff user accounts
• Native iOS app
• Native Android app
• Full payment/subscription billing
• Stripe integration
• Complex analytics dashboard
• White-label custom domains per client
• Automated Google Drive sync
• Full HR/compliance system
• Payroll system
• Roster integration
• Voice assistant
• Multi-language support
• Advanced workflow automations
• Enterprise SSO
• Complex role hierarchy
• Client self-service billing portal
• Marketplace/app store submission
These may be considered later after the MVP has been validated.
Required Developer Skills
Please only apply if you have experience with:
• Full-stack web app development
• Backend development
• Authentication and role-based permissions
• Multi-tenant database design
• OpenAI API integration
• RAG / vector search / document-based AI assistants
• Secure API key handling
• File upload and storage
• Database design
• Usage logging
• Cloud deployment
• Mobile-responsive frontend development
Strongly preferred experience:
• Next.js
• React
• Node.js
• Supabase or Firebase
• Vercel / Render / Railway deployment
• OpenAI Responses API
• OpenAI file search/vector stores
• Supabase pgvector or equivalent
• SaaS MVP builds
• Internal business tools
• AI chatbot or AI assistant products
Developer Questions
Please respond with answers to the following:
1. What tech stack would you recommend for this MVP and why?
2. Have you built a multi-tenant AI assistant or document-based chatbot before?
3. How would you keep each client business’s data separate?
4. How would you structure the database?
5. How would you implement shared staff access without individual staff accounts?
6. How would staff access be protected from public misuse?
7. How would you store and protect the OpenAI API key?
8. Would you use OpenAI vector stores/file search, Supabase pgvector, Pinecone or another retrieval method?
9. How would the assistant be prevented from answering outside approved documents?
10. How would usage be tracked per business?
11. How would document uploads and re-indexing work?
12. What parts of this brief would you include in the MVP?
13. What would you recommend leaving out for the MVP?
14. Estimated timeline?
15. Estimated fixed price?
16. Ongoing maintenance cost estimate?
17. Examples of similar work?
Preferred Milestone Structure
I want the project broken into milestones.
Milestone 1 — Technical Plan and Architecture
Deliverables:
• Confirmed tech stack
• Database schema
• User role structure
• Business/client separation structure
• Shared staff access method
• Retrieval/knowledge base approach
• Hosting/backend approach
• Security plan
• Confirmed MVP scope
Milestone 2 — Admin Authentication and Multi-Tenant Structure
Deliverables:
• Super admin login
• Client admin login
• Business creation
• Client admin linked to business
• Role-based admin access control
• Business-level data separation
Milestone 3 — Shared Staff Access
Deliverables:
• Business-specific staff assistant link
• Optional access code/PIN
• QR-code-compatible access URL
• Ability to reset/regenerate access
• Ability to disable staff access
• Staff access limited to one business only
Milestone 4 — Document Upload and Knowledge Base
Deliverables:
• Document upload
• Business-specific document storage
• Document status: draft/approved/archived
• Indexing/retrieval setup
• Ability to replace/delete documents
• Each business has isolated knowledge base
Milestone 5 — Staff Chat Assistant
Deliverables:
• Staff chat page
• Backend OpenAI API integration
• Business-specific retrieval
• Strict assistant instructions
• Escalation/refusal behaviour
• Mobile-friendly chat interface
• Basic source/procedure reference if possible
Milestone 6 — Admin Dashboards and Usage Logs
Deliverables:
• Client admin dashboard
• Super admin dashboard
• Document management
• Conversation logs by business
• Usage tracking by business
• Monthly question count
• Escalated/missing answer reporting
Milestone 7 — Testing, Deployment and Handover
Deliverables:
• Deployed MVP
• Bug fixes
• Mobile testing
• Security check
• Test with sample documents and questions
• Source code handover
• Environment variable documentation
• Admin instructions
• Handover video or written walkthrough
Testing Requirements
Before final handover, the system should be tested with realistic sample documents and at least 50 staff-style questions. I will provide the sample documents.
Test cases should include:
• Questions clearly answered in documents
• Questions not covered in documents
• Sensitive topics requiring escalation
• Staff access link for Business A attempting to access Business B data
• Client admin access limits
• Super admin access
• Document replacement/re-indexing
• Usage tracking
• Mobile chat use
• API key security
• Basic error handling
• Abuse/rate-limit testing for shared staff access link
The assistant should pass the key requirement:
Answer only from the correct business’s approved documents, or escalate.
Handover Requirements
At completion, I need:
• Deployed working MVP
• Admin login credentials
• Source code repository ownership/access
• Database access/admin access
• Hosting account access or transfer
• Environment variable list
• Setup instructions
• Instructions to add a new business
• Instructions to add client admins
• Instructions to generate/reset access links
• Instructions to upload documents
• Instructions to re-index/retrain documents
• Instructions to view usage logs
• Instructions to update assistant instructions
• Basic troubleshooting notes
Ownership Requirements
I require ownership of:
• Source code
• App design/assets created for the project
• Database schema
• Deployment setup
• Documentation
• Admin access
• Any custom prompts/system instructions created for the app
The developer may use standard open-source libraries and frameworks, but any custom code written for this project should be handed over.
Success Criteria
The MVP is successful if:
1. I can create multiple client businesses.
2. Each business has its own separate documents and knowledge base.
3. Each business has a private staff assistant link or QR code.
4. Staff can ask live questions without individual accounts.
5. The AI assistant answers from only that business’s approved knowledge base.
6. The assistant does not invent answers when information is missing.
7. Sensitive or unclear questions are escalated.
8. Conversation logs are recorded by business.
9. Usage is tracked by business.
10. Admin dashboards work.
11. The OpenAI API key is secure and never exposed client-side.
12. The app works well on mobile.
13. I can onboard a real beta client without needing developer support for every small change.
Final Note
This should be built as a lean MVP, not an over-engineered enterprise SaaS platform.
The immediate goal is to validate the business model with beta clients.
I want the simplest secure version that supports:
• Multiple client businesses
• Separate knowledge bases
• Shared staff access per business
• Live AI question answering
• Backend OpenAI API integration
• Admin dashboards
• Usage tracking
• Conversation logs
• Basic security and data separation
Please quote for the MVP only and clearly identify anything you consider optional or better suited for a later version.