Project 3 · Done Checklist

If every box is ticked, your school SaaS is real. And you've completed the entire program.

This checklist is long because the project is. Every item is a real check — don't skip any.

Architecture

All 12 core tables created via numbered migrations in supabase/migrations/
Every table has branch_id (except profiles where it's nullable for super admins)
Every table has created_at and updated_at
Every table has deleted_at for soft delete
Every table has RLS enabled — verified via Supabase dashboard
is_super_admin() and current_branch_id() helper functions deployed
updated_at trigger function deployed and attached to every relevant table
TypeScript types regenerated after every schema change (pnpm supabase gen types)

Auth & Personas

Supabase Auth configured (email + password to start)
profiles row auto-created when a user signs up (use Supabase trigger or signup callback)
Test users seeded: 1 super admin, 1 branch admin per branch, 1 teacher, 2 parents
Middleware redirects unauthenticated requests to /login
Post-login routing by role works: super/branch → /admin, teacher → /teacher, parent → /parent
Each role can ONLY access its allowed routes (try logging in as parent, hitting /admin — should 403)

Module — Students

List page with search and filters works
Enrolment form validates and saves successfully
Profile page renders all student details
Edit form works and saves changes
Soft delete works and student can be restored
Branch admin sees only own branch's students
Teacher sees only own section's students
Parent sees only own child(ren) via parent dashboard

Module — Attendance

Teacher can mark daily attendance for their section in < 1 minute
"Mark all present" works as default
Re-marking the same day is idempotent (no duplicate rows)
Parent sees their child's attendance history
Admin sees per-section attendance % summary
marked_by and branch_id filled automatically via trigger

Module — Exams & Marks

Admin can schedule an exam with multiple subjects in one form
Teacher enters marks per subject for assigned section
Invalid marks (above max, negative) blocked client + server
Pass/fail indicator visible while entering marks
Admin can publish exam → parent sees report card
Parent CANNOT see marks before publish
Report card view shows all subjects, total, percentage, pass/fail

Module — Payments

Fee plans created per branch + grade
Fee payments generated per student per period
Parent can initiate payment via Razorpay (test mode)
Server-side amount verification (cannot pay less than owed)
Webhook signature verified — invalid signatures rejected
Idempotent — duplicate webhook does not double-mark
Receipt email sent within 30 seconds
Payment history visible to parent + admin

Module — Circulars

Admin can compose with rich text (markdown is enough for v1)
Audience picker: all / grade / section / individual parent
Live recipient count next to each audience option
Send triggers async email delivery
Per-recipient delivery status tracked
Failed sends don't block successful ones
Parent sees received circulars in reverse chronological order
Branch admin can resend a failed circular

Module — Branches

Super admin can create / edit / archive branches
Branch admin cannot access branch CRUD (UI hidden + RLS enforces)
Super admin's dashboard shows per-branch summary (students, fees, attendance %)
Branch switcher works for super admin
Branch admin auto-scoped (no switcher visible)

RLS Audit

Logged in as super admin → can see rows in every table across all branches
Logged in as branch admin → sees ONLY own branch rows for every relevant table
Logged in as teacher → sees ONLY assigned section students + attendance + marks
Logged in as parent → sees ONLY own children's records
Attempted cross-branch insert as branch admin → blocked by Postgres (RLS)
Attempted cross-parent read → blocked

Production Readiness

Sentry installed and capturing errors in production
Source maps uploaded to Sentry on deploy
UptimeRobot configured to ping public URLs + a health endpoint
All env vars set on Vercel (production + preview)
All edge function secrets set in Supabase (supabase secrets set)
Production CSP configured in next.config.ts
.env*.local confirmed in .gitignore
Service role key is NOT in any client code or NEXT_PUBLIC_* env
All credentials saved to VaultMate with "Production" labels
pnpm lint passes
pnpm tsc --noEmit passes

User Validation

One real person (teacher, principal, etc.) used the system for ≥ 15 minutes
Wrote down at least 5 pieces of feedback from that session
Fixed at least 2 of those pieces of feedback
Tested on a real phone (not just emulator) for the parent flows

Documentation

README.md at project root with stack, setup, deploy, architecture summary
CLAUDE.md updated with project-specific rules (RLS conventions, persona routing, etc.)
"Known Issues" section listing the edge cases you decided not to fully handle yet

Self-Reflection

Write your honest answers in a notebook or doc — these are for you, not for showing anyone.

What's the single hardest bug you fixed in Project 3? What did you learn from it?
One pattern you'll use on every future project? (Why?)
One thing you'd architect differently if starting over?
One module you'd prioritise differently? Either earlier or later.
One thing you genuinely don't understand yet that you want to learn next.

The last question is the most important. The end of Project 3 isn't the end of learning — it's the start of targeted learning, driven by what you ran into.

Congratulations

You finished.

You started not knowing the difference between a frontend and a backend. You're now able to:

Architect a multi-tenant SaaS with proper data isolation
Build a working Razorpay payments flow with verified webhooks
Write Row Level Security policies that protect real student data
Ship to production with monitoring, error tracking, and uptime alerts
Use AI as a serious technical partner — directing, reviewing, judging

Most people who say they want to learn to code stop at "ran a tutorial." You shipped three real projects, including one that a real school could actually use.

The next thing to build is whichever real problem in your life you most want to solve. The skills will transfer. The cycle is the same. Go ship.

Back to training home

Re-visit Project 1

Re-visit Project 2

This checklist is long because the project is. Every item is a real check — don't skip any.

Architecture

All 12 core tables created via numbered migrations in supabase/migrations/
Every table has branch_id (except profiles where it's nullable for super admins)
Every table has created_at and updated_at
Every table has deleted_at for soft delete
Every table has RLS enabled — verified via Supabase dashboard
is_super_admin() and current_branch_id() helper functions deployed
updated_at trigger function deployed and attached to every relevant table
TypeScript types regenerated after every schema change (pnpm supabase gen types)

Auth & Personas

Supabase Auth configured (email + password to start)
profiles row auto-created when a user signs up (use Supabase trigger or signup callback)
Test users seeded: 1 super admin, 1 branch admin per branch, 1 teacher, 2 parents
Middleware redirects unauthenticated requests to /login
Post-login routing by role works: super/branch → /admin, teacher → /teacher, parent → /parent
Each role can ONLY access its allowed routes (try logging in as parent, hitting /admin — should 403)

Module — Students

List page with search and filters works
Enrolment form validates and saves successfully
Profile page renders all student details
Edit form works and saves changes
Soft delete works and student can be restored
Branch admin sees only own branch's students
Teacher sees only own section's students
Parent sees only own child(ren) via parent dashboard

Module — Attendance

Teacher can mark daily attendance for their section in < 1 minute
"Mark all present" works as default
Re-marking the same day is idempotent (no duplicate rows)
Parent sees their child's attendance history
Admin sees per-section attendance % summary
marked_by and branch_id filled automatically via trigger

Module — Exams & Marks

Admin can schedule an exam with multiple subjects in one form
Teacher enters marks per subject for assigned section
Invalid marks (above max, negative) blocked client + server
Pass/fail indicator visible while entering marks
Admin can publish exam → parent sees report card
Parent CANNOT see marks before publish
Report card view shows all subjects, total, percentage, pass/fail

Module — Payments

Fee plans created per branch + grade
Fee payments generated per student per period
Parent can initiate payment via Razorpay (test mode)
Server-side amount verification (cannot pay less than owed)
Webhook signature verified — invalid signatures rejected
Idempotent — duplicate webhook does not double-mark
Receipt email sent within 30 seconds
Payment history visible to parent + admin

Module — Circulars

Admin can compose with rich text (markdown is enough for v1)
Audience picker: all / grade / section / individual parent
Live recipient count next to each audience option
Send triggers async email delivery
Per-recipient delivery status tracked
Failed sends don't block successful ones
Parent sees received circulars in reverse chronological order
Branch admin can resend a failed circular

Module — Branches

Super admin can create / edit / archive branches
Branch admin cannot access branch CRUD (UI hidden + RLS enforces)
Super admin's dashboard shows per-branch summary (students, fees, attendance %)
Branch switcher works for super admin
Branch admin auto-scoped (no switcher visible)

RLS Audit

Logged in as super admin → can see rows in every table across all branches
Logged in as branch admin → sees ONLY own branch rows for every relevant table
Logged in as teacher → sees ONLY assigned section students + attendance + marks
Logged in as parent → sees ONLY own children's records
Attempted cross-branch insert as branch admin → blocked by Postgres (RLS)
Attempted cross-parent read → blocked

Production Readiness

Sentry installed and capturing errors in production
Source maps uploaded to Sentry on deploy
UptimeRobot configured to ping public URLs + a health endpoint
All env vars set on Vercel (production + preview)
All edge function secrets set in Supabase (supabase secrets set)
Production CSP configured in next.config.ts
.env*.local confirmed in .gitignore
Service role key is NOT in any client code or NEXT_PUBLIC_* env
All credentials saved to VaultMate with "Production" labels
pnpm lint passes
pnpm tsc --noEmit passes

User Validation

One real person (teacher, principal, etc.) used the system for ≥ 15 minutes
Wrote down at least 5 pieces of feedback from that session
Fixed at least 2 of those pieces of feedback
Tested on a real phone (not just emulator) for the parent flows

Documentation

README.md at project root with stack, setup, deploy, architecture summary
CLAUDE.md updated with project-specific rules (RLS conventions, persona routing, etc.)
"Known Issues" section listing the edge cases you decided not to fully handle yet

Self-Reflection

Write your honest answers in a notebook or doc — these are for you, not for showing anyone.

What's the single hardest bug you fixed in Project 3? What did you learn from it?
One pattern you'll use on every future project? (Why?)
One thing you'd architect differently if starting over?
One module you'd prioritise differently? Either earlier or later.
One thing you genuinely don't understand yet that you want to learn next.

The last question is the most important. The end of Project 3 isn't the end of learning — it's the start of targeted learning, driven by what you ran into.

Congratulations

You finished.

You started not knowing the difference between a frontend and a backend. You're now able to:

Architect a multi-tenant SaaS with proper data isolation
Build a working Razorpay payments flow with verified webhooks
Write Row Level Security policies that protect real student data
Ship to production with monitoring, error tracking, and uptime alerts
Use AI as a serious technical partner — directing, reviewing, judging

Most people who say they want to learn to code stop at "ran a tutorial." You shipped three real projects, including one that a real school could actually use.

The next thing to build is whichever real problem in your life you most want to solve. The skills will transfer. The cycle is the same. Go ship.

Project 3 · Done Checklist

Architecture

Auth & Personas

Module — Students

Module — Attendance

Module — Exams & Marks

Module — Payments

Module — Circulars

Module — Branches

RLS Audit

Production Readiness

User Validation

Documentation

Self-Reflection

Congratulations

Back to training home

Re-visit Project 1

Re-visit Project 2

On this page

Project 3 · Done Checklist

Architecture

Auth & Personas

Module — Students

Module — Attendance

Module — Exams & Marks

Module — Payments

Module — Circulars

Module — Branches

RLS Audit

Production Readiness

User Validation

Documentation

Self-Reflection

Congratulations

Back to training home

Re-visit Project 1

Re-visit Project 2

On this page