Project / Mar 2026 – Present
oppachikin.
Online ordering system for a Minsk-local fried chicken shop — a production-grade e-commerce system shipped from 0 to 1 in 5 weeks, by a self-taught dev using AI co-pilots.
Timeline
5 weeks
Code
9,850 lines
Pages / API
23 / 19
Commits
52
01
The problem
My sister runs a fried chicken shop in Minsk, Belarus. Unlike China's "everything-on-Meituan" delivery ecosystem, Minsk has weak local delivery platform coverage — most restaurant orders still come through walk-ins, phone calls, and the shop's own website. A website here isn't a bonus channel — it's the primary acquisition channel.
She hired me, paid me a development fee, and gave me my first real freelance gig.
02
My angle
I was a financial analyst at SF Tech with no formal frontend/backend experience. My bet going in: using Cursor + Claude Code, I could translate my understanding of business and users into working code. AI handles syntax, library choices, best practices; I handle product judgment, debugging intuition, and the feedback loop with a real customer (my sister).
03
Architecture & key decisions
| Layer | Choice | Why |
|---|---|---|
| Framework | Next.js 16 + React 19 | One codebase, FE + BE |
| UI | Tailwind v4 + shadcn/ui | Zero custom CSS to ship a clean look |
| DB | Supabase (Postgres) | Auth + RLS out of the box |
| Payments | Alfa Bank API | Local-market constraint, not a tech preference |
| Notifications | Telegram Bot | Russian-speaking customers all use Telegram |
| SMS | SMS.by | Local Belarus operator for OTP |
| Rate limit | Upstash Redis | Protect login + OTP endpoints |
A decision I'm proud of: loyalty points are stored as an append-only transaction log, not as a mutable balance.
Direct instinct from my finance background — anything money-shaped needs an audit trail. When something goes wrong, you can replay every change, not just stare at a wrong number.
04
The hardest (and proudest) parts
1. Idempotent payment callbacks
Gateway "success" callbacks get retried due to network issues. Without idempotency, a single payment can flip order state twice and double-credit points. Solution: gate state transitions on current order status — duplicates return 200 but do nothing.
2. Server-side total recomputation
The first version trusted the client-submitted total. Classic amount-tampering vulnerability — a user could change 25 to 1 in the request and eat for a buck. Fix: always recompute the final total server-side from item IDs.
3. Telegram webhook forgery protection
Used Telegram's secret_token
mechanism — validate the token in the webhook header, reject 401 on mismatch.
4. Auth & OTP rate limiting
SMS codes cost real money. Login is a classic brute-force target. Upstash Redis limiting on both IP and phone dimensions.
None of this was built up front — I dedicated a full week
near launch to a security audit and patched these one by one. The commit log shows
a week of consecutive security:
prefixed commits. This is the part of the project I'm most proud of.
05
AI collaboration workflow
Day-to-day coding in Cursor. Architecture-level decisions: discussed in Claude Code chat, weighing trade-offs, then generating code. Complex integrations (e.g. Alfa Bank): fed the gateway docs into Claude Code, had it produce a doc-grounded integration plan, then debugged together.
[Specific vibe-coding moment — TBD: one feature I had zero intuition for, that AI helped me decompose and ship.]
The biggest lesson: AI doesn't make product decisions for me. It makes the gap between "an idea I can articulate" and "a working implementation" 10x narrower. The bottleneck becomes how clearly I can think. That muscle came from finance, and it transferred cleanly.
06
Current status
- ✓Engineering: done
- ✓Security hardening: done
- ⏳Launch: awaiting SMS.by sender name approval (local compliance, not engineering)
07
What these 5 weeks taught me
- AI lowers the "can I do this" bar but raises the "have I thought it through" bar. My finance background turned into an asset — I'm trained to define problems before acting.
- Production-grade ≠ feature-complete. Features are the start; idempotency, validation, webhook signing, rate limiting, secret management — a long tail.
- A paying customer is the best product teacher. My sister's reactions to the UI taught me more than any tutorial.
- What's next: bring this "AI collaboration + business sense" combo into companies trying to use agents to improve internal workflows.
Want to talk?
If you're thinking about how to bring AI into a team's workflow — get in touch.
← Back to home