
ChurchScroll
Christian community directory platform connecting churches, businesses, and individuals by location.
Christian community directory platform for browsing churches, businesses, and individual profiles by location. Claim and manage listings, access prayer walls and events, subscribe to tiered plans with premium features like analytics and featured placement.
Build Log
Caught a partial-apply incident on a security migration when smoke tests failed — 31 of 45 production functions broke under an empty search_path that the original spec assumed wouldn't matter. Reverted within the same builder session before any user impact, then redesigned the migration with full body schema-qualification before re-attempting.
Added idempotency keys to four Stripe API calls — payout transfers, wave referral credits, Connect account onboarding — so webhook retries can no longer double-pay or duplicate accounts. Built a friendly Stripe error mapper that translates raw failure codes into actionable user-facing messages instead of generic 500s.
Refactored ChurchScroll's Termly Consent Management Platform integration to match the official Next.js App Router reference component. Lifted the website UUID into an environment variable for cleaner per-environment configuration and removed a stale comment about a hydration-error workaround that the new pattern handles cleanly.
Migrated three legal policy pages — privacy, terms, cookies — from 1,300 lines of hardcoded HTML to Termly's hosted embed pattern via a reusable React component. Ends the drift problem where local copies were five months out of sync with the actual published policies, and any future policy update flows automatically.
Rewrote the Row-Level Security policies on 85 tables to wrap auth.uid() and auth.jwt() calls in init-plan SELECTs and consolidate overlapping permissive policies. Cleared 244 auth_rls_initplan and 480 multiple_permissive_policies advisor findings via per-table atomic transactions, with each table's original DDL preserved as a rollback comment block.
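The per-table rewrite described above, sketched as an added example (not ChurchScroll's own migration). The table, column and policy names are hypothetical; `auth.uid()` and the `authenticated` role are the ones Supabase provides.

```sql
-- Added example: one table's RLS rewrite as a single atomic transaction.
-- demo_prayers and the policy names are hypothetical.
BEGIN;

CREATE TABLE public.demo_prayers (
  id        bigint  PRIMARY KEY,
  owner_id  uuid    NOT NULL,
  is_public boolean NOT NULL DEFAULT false
);
ALTER TABLE public.demo_prayers ENABLE ROW LEVEL SECURITY;

-- Before: two permissive SELECT policies for the same role, and a bare
-- auth.uid() call that is evaluated again for every candidate row.
CREATE POLICY demo_read_own ON public.demo_prayers
  FOR SELECT TO authenticated USING (auth.uid() = owner_id);
CREATE POLICY demo_read_public ON public.demo_prayers
  FOR SELECT TO authenticated USING (is_public);

-- After: permissive policies for the same command and role are OR-ed together,
-- so one policy with an OR grants exactly the same rows. The scalar subquery
-- lets the planner evaluate auth.uid() once per statement (an InitPlan).
DROP POLICY demo_read_own    ON public.demo_prayers;
DROP POLICY demo_read_public ON public.demo_prayers;
CREATE POLICY demo_read ON public.demo_prayers
  FOR SELECT TO authenticated
  USING (is_public OR owner_id = (SELECT auth.uid()));

-- Rollback block: the original DDL, kept beside the change.
--   DROP POLICY demo_read ON public.demo_prayers;
--   CREATE POLICY demo_read_own ON public.demo_prayers
--     FOR SELECT TO authenticated USING (auth.uid() = owner_id);
--   CREATE POLICY demo_read_public ON public.demo_prayers
--     FOR SELECT TO authenticated USING (is_public);

-- Post-apply check: exactly one SELECT policy should remain for the table.
SELECT policyname, cmd, roles, qual
FROM pg_policies
WHERE schemaname = 'public' AND tablename = 'demo_prayers';

ROLLBACK;  -- demo only; a real migration commits once the check passes
```

Consolidation is only safe when the merged policies share the same command and role list; policies scoped to different roles have to stay separate.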
Schema-qualified the bodies of 45 PostgreSQL functions and locked their search_path to empty across the production Supabase database. Closes the privilege-escalation attack vector that bare search_path enables on SECURITY DEFINER functions. Also revoked PUBLIC EXECUTE on 15 of them, replacing it with explicit role grants.
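An added example (not the project's migration) of the hardening in the entry above, ordered to avoid the partial-apply failure recorded at the top of this log: qualify the body and pin the path in one statement, then smoke-test inside the same transaction. The table and function names are hypothetical; `authenticated` is the Supabase signed-in role and must be created first on plain PostgreSQL.

```sql
-- Added example: hardening one SECURITY DEFINER function atomically.
-- demo_listings and demo_listing_count are hypothetical names.
BEGIN;

CREATE TABLE public.demo_listings (id bigint PRIMARY KEY, owner_id uuid NOT NULL);

-- Before: the unqualified name "demo_listings" is resolved through whatever
-- search_path the caller has, while the body runs with the owner's rights.
CREATE FUNCTION public.demo_listing_count(p_owner uuid) RETURNS bigint
LANGUAGE sql STABLE SECURITY DEFINER
AS $$ SELECT count(*) FROM demo_listings WHERE owner_id = p_owner $$;

-- Pre-flight inventory: SECURITY DEFINER functions in public with no pinned
-- search_path. Each one returned here still needs the treatment below.
SELECT p.oid::regprocedure AS fn
FROM pg_proc p
WHERE p.prosecdef
  AND p.pronamespace = 'public'::regnamespace
  AND NOT EXISTS (
    SELECT 1
    FROM unnest(coalesce(p.proconfig, '{}'::text[])) AS c(setting)
    WHERE c.setting LIKE 'search_path=%'
  );

-- Fix: qualify every object in the body AND pin the path together. Pinning an
-- empty path on the old body (ALTER FUNCTION ... SET search_path = '') is not
-- validated at ALTER time and fails only when called: "demo_listings" no
-- longer resolves. pg_catalog stays implicitly searched, so count(*) and "="
-- need no qualification.
CREATE OR REPLACE FUNCTION public.demo_listing_count(p_owner uuid) RETURNS bigint
LANGUAGE sql STABLE SECURITY DEFINER
SET search_path = ''
AS $$ SELECT count(*) FROM public.demo_listings WHERE owner_id = p_owner $$;

-- Replace the default PUBLIC grant with an explicit role grant.
REVOKE EXECUTE ON FUNCTION public.demo_listing_count(uuid) FROM PUBLIC;
GRANT  EXECUTE ON FUNCTION public.demo_listing_count(uuid) TO authenticated;

-- Smoke test in the same transaction: an error here aborts everything above.
SELECT public.demo_listing_count('00000000-0000-0000-0000-000000000000');

ROLLBACK;  -- demo only; a real migration commits once the smoke test passes
```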
Cleared 807 of 971 Supabase advisor findings (83%) on the ChurchScroll production database in a four-day pre-launch hardening sweep. Used a 7-phase architect-to-code agent pattern with atomic-transaction safety, post-apply smoke tests, and per-table rollback blocks on every change.
Completed 30-commit pre-launch hardening sprint — environment validation, observability pipeline, SEO infrastructure, and branded error pages.
GA4 tracking integration — Google Analytics 4 via next/script, gated behind environment variable for clean dev/prod separation
OpenGraph metadata across root layout and key pages — social share previews with logo, title, and description for referral link sharing
Wave management documentation — admin-friendly runbook for site owner to create and manage discount waves without developer involvement
Referral program terms page — legal coverage for eligibility, rewards, credit mechanics, wave-specific terms, abuse policy, and tax responsibility
Admin wave management UI — create, close, and reopen discount waves with auto-suggested settings and one-click Stripe coupon creation
Threshold-based referral reward engine — 1 paid referral earns a free month, 4 earns a free year, with Stripe customer balance credits and idempotent ledger tracking
Referral code generation and email blast system — 144 unique codes for beta signups, personalized email placeholders, staggered sending for free-tier email limits
Multi-wave founding member discount system — beta_waves table with per-wave lifetime discounts (50% → 40% → 30%), Stripe coupon integration, WaveMemberPrice display component across all pricing surfaces
Built email broadcast system with compose, recipient management, scheduling, and inline queue views for both newsletter subscribers and beta signups. Newsletter emails include HMAC one-click unsubscribe for compliance.
Completed evaluation sweep: integrated Sentry error monitoring with automatic capture and session replay, extended content moderation to all user-generated content types, and mapped auth errors to user-friendly messages — hardening the platform for beta launch.
Landing page generator with AI-assisted campaign builder, accordion-based editor with section visibility toggles, Cloudinary image uploads, and 11-block template system. Collapsible admin sidebar with fixed positioning. Three database migrations powering campaign scheduling, content storage, and quiz definitions.
Built smart review moderation ("Assume Good" model with profanity, spam, and drive-by heuristics), ran full codebase evaluation sweep resolving all high-priority and most medium-priority issues, added breadcrumbs to 20 My Hub pages, improved accessibility labels on directory search, and hardened newsletter security.
Added formatted PDF export for the prayer journal — cover page with branding, entries with mood/season labels and scripture references, automatic page overflow handling. Client-side generation keeps the bundle lean.
Added emoji picker to the messaging interface, letting users insert emojis directly from a lazy-loaded picker in the chat input.

