Today I combed through Payda as if launching tomorrow: period filters, CSV export, full reverse entries when deleting a sale, KVKK (Turkish data-protection) pages, an account panel, a PWA manifest and more — found 10 gaps and closed all 10 the same day. The security pass also caught and fixed CSV formula injection and a double-delete race; test suite 68/68 green. Still one Claude session, still build in public.
KVKK/GDPR · PWA · CSV Export · Security Audit
Entry 15 · feature
Mini-CRM, a task system and recurring-expense automation
Payda got a real mini-CRM today: search a number and you see whether that person is a customer, what they bought and WHO entered the sale, line by line — with customer notes. Alongside it came a real task system (managers assign, workers complete from 'My Tasks'), a scheduled function that posts fixed monthly expenses automatically, and a profit-share bug fix. Test suite 84/84 green, all in a single Claude session.
Mini-CRM · Task System · Scheduled Functions
Entry 14 · refactor
Payment approvals + backend split into modules
Today I added partial or one-shot payouts for partners paying workers/bankers; if there's a second partner, changes go to them for approval (four-eyes). Then I split the 800-line single-file backend into modules — lib/core + handlers/ (project, transaction, member, finance, tasks, sharing, scheduled) — behavior identical, all 104 tests still green. Removed the dead code too. Still one Claude session.
Cloud Functions · Modular Architecture · Tests
Entry 12
Customer records (mini-CRM) and modular permissions
Sales can now optionally include a customer number and product; search a number and you see who bought what and from which account. Customer data counts as personal data (PII), so only members with that permission can see it. Authorization is now fully modular: the role defines the screen, and every capability can be toggled one by one (a banker can do banking only — or ads too, if allowed). All 61 integration tests passed; backend and UI went live.
Today I set three expert agents on Payda at once: the designer built an accessible, mobile-friendly design system with OKLCH tokens; the security expert tightened percentage fields and amount limits in an OWASP audit; the SEO agent added hreflang, a favicon and WebSite schema. In between, customer records (mini-CRM) and the fully modular permission system also went live — 61 security tests still green. All in one Claude session; I only steered.
Design System · OWASP Audit · SEO
Entry 07 · Bot protection
Bot protection with reCAPTCHA
We added reCAPTCHA to Payda's sign-in and sign-up flows to protect against automated/bot abuse.
reCAPTCHA · Security
Entry 05 · Roles & isolation
Role permissions and project management
We defined who can see and touch what: worker, partner and banker roles. Fixed the project create/delete flow with safe confirmations and applied the debugging and security-audit plan phase by phase.
Firebase · Roles/Permissions · Security
Entry 03 · Security
Bank-grade security and data isolation
We made sign-in, e-mail verification and password reset work, and wired every feature to a real backend. Most importantly, we built the architecture role-isolated — an employee cannot see or change anyone else's data — close to banking standards, with all writes server-side.
Firestore Rules · Firebase Auth · Security
Entry 01 · Founding
The Payda journey begins
We set up Payda — a project management and accounting platform — on Firebase: database, authentication and hosting. Built the entire data layer from scratch.