Sami Aktaş

9 entries · July 5, 2026

Ledger by venture

Payda

9 entries — real, dated progress notes for Payda.

Big pre-launch sweep: 10 gaps, 10 fixes

Today I combed through Payda as if launching tomorrow: period filters, CSV export, full reverse entries when deleting a sale, KVKK (Turkish data-protection) pages, an account panel, a PWA manifest and more — found 10 gaps and closed all 10 the same day. The security pass also caught and fixed CSV formula injection and a double-delete race; test suite 68/68 green. Still one Claude session, still build in public.

KVKK/GDPR · PWA · CSV Export · Security Audit

Mini-CRM, a task system and recurring-expense automation

Payda got a real mini-CRM today: search a number and you see whether that person is a customer, what they bought and WHO entered the sale, line by line — with customer notes. Alongside it came a real task system (managers assign, workers complete from 'My Tasks'), a scheduled function that posts fixed monthly expenses automatically, and a profit-share bug fix. Test suite 84/84 green, all in a single Claude session.

Mini-CRM · Task System · Scheduled Functions

Payment approvals + backend split into modules

Today I added partial or one-shot payouts for partners paying workers/bankers; if there's a second partner, changes go to them for approval (four-eyes). Then I split the 800-line single-file backend into modules — lib/core + handlers/ (project, transaction, member, finance, tasks, sharing, scheduled) — behavior identical, all 104 tests still green. Removed the dead code too. Still one Claude session.

Cloud Functions · Modular Architecture · Tests

Customer records (mini-CRM) and modular permissions

Sales can now optionally include a customer number and product; search a number and you see who bought what and from which account. Customer data counts as personal data (PII), so only members with that permission can see it. Authorization is now fully modular: the role defines the screen, and every capability can be toggled one by one (a banker can do banking only — or ads too, if allowed). All 61 integration tests passed; backend and UI went live.

Cloud Functions · Firestore Rules · Security (PII) · Integration Tests

Three in one: design, security, SEO

Today I set three expert agents on Payda at once: the designer built an accessible, mobile-friendly design system with OKLCH tokens; the security expert tightened percentage fields and amount limits in an OWASP audit; the SEO agent added hreflang, a favicon and WebSite schema. In between, customer records (mini-CRM) and the fully modular permission system also went live — 61 security tests still green. All in one Claude session; I only steered.

Design System · OWASP Audit · SEO

Bot protection with reCAPTCHA

We added reCAPTCHA to Payda's sign-in and sign-up flows to protect against automated/bot abuse.

reCAPTCHA · Security

Role permissions and project management

We defined who can see and touch what: worker, partner and banker roles. Fixed the project create/delete flow with safe confirmations and applied the debugging and security-audit plan phase by phase.

Firebase · Roles/Permissions · Security

Bank-grade security and data isolation

We made sign-in, e-mail verification and password reset work, and wired every feature to a real backend. Most importantly, we built the architecture role-isolated — an employee cannot see or change anyone else's data — close to banking standards, with all writes server-side.

Firestore Rules · Firebase Auth · Security

The Payda journey begins

We set up Payda — a project management and accounting platform — on Firebase: database, authentication and hosting. Built the entire data layer from scratch.

Firebase · Firestore · Firebase Auth