βββββββ βββββββ βββββββ βββββββββββ ββββββββββ βββββββββββββββ βββββββββββββββββ
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
βββ βββ ββββββ βββββββββ ββββββ ββββββββββββββ ββββββββ βββ ββββββββ
βββ βββ ββββββ βββββββββ ββββββ βββββββ ββββββ ββββββββ βββ ββββββββ
βββββββββββββββββββββββββββββββββββββ ββββββ βββββββββββ βββ βββ ββββββββ
βββββββ βββββββ βββββββ βββββββββββ ββββββ βββββββββββ βββ βββ ββββββββ
The codeXperts Club official website β a members-only platform for a coding club at the University of Waterloo. Built end-to-end by a 7-person team following Agile practices over a 6-week sprint.
| Feature | Description |
|---|---|
| Google OAuth + RBAC | 4-tier role system (Public β Member β Executive β Admin) with Supabase RLS enforcement |
| Coding Problems | Weekly problems posted by execs, solved in a Monaco Editor (VSCode-style), executed via Piston API |
| QR Attendance | Admin generates a session token β members scan to check in β auto-expires |
| Schedule Page | Google Calendar API integration β synced events with subscribe/download for members |
| Member Directory | Filterable profile cards with cohort, school, role badges, and per-field visibility controls |
| Activity Heatmap | GitHub-style contribution graph per member, combining submissions and attendance |
| Events Page | Past and upcoming events; individual event detail pages with tracks, gallery, and prev/next nav |
| Member Profiles | Per-member profile page with bio, social links, and self-edit mode |
| Announcements | Public board with Post View (markdown, prev/next nav) and List View (table, pagination); admin/exec create and delete |
| Layer | Choice | Why |
|---|---|---|
| Frontend | Next.js 16 (App Router) | SSR for schedule/calendar pages; app router for per-route auth guards |
| Styling | Tailwind CSS | Rapid iteration across 7 contributors without CSS conflicts |
| Auth + DB | Supabase | Google OAuth out of the box; RLS policies enforce RBAC at the DB level β no leaking data through API mistakes |
| Backend | FastAPI (Heroku) | Lightweight proxy for Piston code execution and QR token validation; decoupled from Vercel edge |
| Deployment | Vercel + Heroku | Zero-config preview deploys per PR on Vercel; Heroku for persistent Python backend |
| Name | Role |
|---|---|
| Paul | PM / Full-Stack / UI/UX |
| Kai | Frontend |
| Dave | Backend (FastAPI / Heroku / Deployment) / Frontend |
| Gary | Backend (Supabase / DB & Auth) |
| Judy | Frontend |
| Andra | Frontend / Backend |
| Sid | Backend (Monaco Editor / Piston API) / UI/UX |
Frontend (Next.js β Vercel)
β
βββ Supabase
β βββ Auth (Google OAuth only)
β βββ PostgreSQL
β βββ profiles β id, name, email, role, school, cohort, status, bio,
β β linkedin, github, avatar_url, profile_visibility (JSONB)
β βββ problems β id, title, description, file_url, created_at
β βββ submissions β profile_id, problem_id, code, language, ai_feedback
β βββ sessions β token, expires_time, is_active
β βββ attendances β profile_id, session_id, checked_at
β βββ announcements β author_id, title, content, created_at
β
βββ FastAPI (Heroku)
βββ /health β service health check
βββ /execute β proxy to Piston API (code execution)
βββ /attendance/verify β QR token validation
Role-Based Access Control:
Public (Unauthenticated)
βββ Member (Approved)
βββ Executive
βββ Admin
| Role | Access |
|---|---|
| Public | Landing, public announcements |
| Member | Dashboard, member directory, problem submissions |
| Executive | Post problems, manage sessions |
| Admin | User approval, role management, full access |
Onboarding flow: Google Sign-In β pending β Admin approval β member
7-person team, weekly sprints, Saturday standups at 7:30 PM via Google Meet.
Each PR is reviewed before merging to develop; develop merges to main at sprint close.
Planning β Design β Development β Testing β Review & Release
β β
ββββββββββββββββββ next sprint ββββββββββββββββββ
Sprint Contribution Report β Total
βββββββββββββββββββββββββββββββββββ
Name Issues Contribution
βββββββββββββββββββββββββββββββββββ
Paul 28 ββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Dave 8 ββββββββββββββββ
Kai 6 ββββββββββββ
Gary 6 ββββββββββββ
Sid 3 ββββββ
Andra 3 ββββββ
Judy 2 ββββ
βββββββββββββββββββββββββββββββββββ
Week 1 β Foundation & Setup
Planning
- Defined 6-week roadmap and MVP scope Β· Created GitHub Issues Β· Assigned tasks across FE/BE Β· Set up GitHub Projects Kanban board
Design
- Finalized sitemap and page visibility rules Β· Produced Figma wireframes for all 8 pages Β· Finalized DB schema (profiles, problems, submissions, sessions, attendances, announcements) Β· Defined navbar structure and social link config
Development
- Next.js + Tailwind project setup Β· Supabase project created + Google OAuth configured Β· RLS policies drafted Β· Vercel + Heroku pipelines connected Β· Placeholder pages scaffolded for all routes
Testing
- Google login β pending user flow tested end-to-end Β· Vercel preview deploy verified Β· Environment variable setup confirmed across team
Review & Release
- Sprint retrospective completed Β· Foundation merged to
developΒ· Preview URL shared with team
Sprint Contribution Report β Week 1
ββββββββββββββββββββββββββββββββββββββ
Name Done/All Contribution
ββββββββββββββββββββββββββββββββββββββ
Paul 6/6 ββββββββββββ
Gary 3/3 ββββββ
Dave 3/3 ββββββ
Sid 1/1 ββ
Kai 1/1 ββ
Andra 1/1 ββ
Judy 0
ββββββββββββββββββββββββββββββββββββββ
Week 2 β Auth Flow & Public Pages
Planning
- Sprint goal defined: complete auth flow and build all public-facing pages Β· Issues #14 (role-based navbar), #15 (Google OAuth login), #20 (Join Us modal) scoped and assigned Β· Design system tokens scoped as prerequisite for all UI work
Design
- Members page structure defined Β· Individual profile page spec (
/members/:id) Β· Self-edit mode with per-field visibility controls Β· Student/Graduate status toggle Β· Stitch wireframes finalized for all member-facing views
Development
- Design system initialized: color tokens, Inter/Montserrat fonts, base UI components (#64, #66, #67) Β· Role-based navbar with social hover dropdowns (#14) Β· Google OAuth login + pending screen (#15) Β· Homepage built: hero section, Elfsight Instagram embed, About section Β·
feature/auth-role-guard: ProtectedRoute middleware, PENDING/EXECUTIVE roles, RoleGuard refactored (#65) Β· RLS policies finalized for all Supabase tables (#70) Β·feature/join-modal-issue-20: Google OAuth signup modal with campus/cohort/phone fields and profile completion (#72)
Testing
- Google OAuth β pending screen β admin approval β member role flow tested end-to-end Β· Protected Route enforcement validated Β· RLS policy enforcement verified on Supabase Β· All public pages reviewed on Vercel preview
Review & Release
- 7 PRs reviewed and merged to develop (#64, #65, #66, #67, #70, #71, #72) Β· Sprint 2 retrospective completed Β· Auth flow and all public pages live on Vercel preview
Sprint Contribution Report β Week 2
ββββββββββββββββββββββββββββββββββββββ
Name Done/All Contribution
ββββββββββββββββββββββββββββββββββββββ
Paul 4/4 ββββββββ
Kai 3/4 ββββββββ
Dave 3/3 ββββββ
Andra 2/2 ββββ
Sid 1/1 ββ
Gary 1/1 ββ
Judy 0
ββββββββββββββββββββββββββββββββββββββ
Week 3 β Schedule Page & Timezone Bugs
Planning
- Issue #18 (Schedule page) scoped and carried forward Β· Judy onboarded as Frontend
Design
- 3-Layer Depth System designed (L0
#F9F9F9β L1#EAEAEAβ L2#DBDBDB) and documented in design-system.md Β· Schedule page spec fully rewritten to match implementation Β· Tailwind custom depth tokens defined (bg-bg-layer1/2/2Hover)
Development
feature/schedule-page-issue-18: server-side iCal parser (/api/calendar) with RRULE expansion and EXDATE support Β· Schedule page rebuilt with Google Calendar embed, custom month nav, event list with start/end time, and event detail modal (Google Maps link) Β· UTCβToronto timezone conversion Β· Join flow converted from dedicated route to Navbar modal (/joinβ redirect)
Testing
- EXDATE
VALUE=DATEtimezone day-shift bug found and fixed Β· UTC time offset bug (01:30 UTC displaying as 1:30 AM instead of 9:30 PM EDT) caught and fixed Β· Copilot AI review: 5 issues addressed (race condition, RRULE UNTIL boundary, dead code, React key, modal scroll lock) Β· Vercel preview QA passed
Review & Release
- PR #78 opened with Copilot automated review Β· All review comments triaged and addressed Β· Issue #18 implementation summary posted Β·
developmerge pending final approval
Sprint Contribution Report β Week 3
ββββββββββββββββββββββββββββββββββββββ
Name Done/All Contribution
ββββββββββββββββββββββββββββββββββββββ
Paul 2/2 ββββ
Dave 2/2 ββββ
Judy 2/2 ββββ
Sid 1/1 ββ
Kai 1/1 ββ
Gary 0/1 ββ
Andra 0
ββββββββββββββββββββββββββββββββββββββ
Week 4 β Auth Hardening, JoinModal Overhaul & DB Schema
Planning
- Sprint 4 scope locked: complete JoinModal signup flow, fix auth/navbar regressions, extend DB schema for members and problems Β· UserChip (avatar + role badge in navbar) scoped as auth UX milestone Β· Executive role admin access gap flagged
Design
- Signup flow redesigned: scrollable modal with fixed header, prefix-input pattern for GitHub/LinkedIn, cohort stored as ordinal Β· Navbar UserChip layout finalized:
[Avatar] [Role badge] [Log out]for desktop; avatar + hamburger on mobile top bar
Development
- JoinModal overhaul (#88): added
first_name,last_name,nickname,school,cohort,phone,status,company,occupation,linkedin,githubfields; GitHub/LinkedIn as prefix + username; auto-fills from Google OAuth metadata; cohort stored as ordinal - DB schema (#87): added
cohort,phone,status,occupationto profiles;difficulty,category,created_byto problems;updated_atto submissions β migrations run in Supabase - UserChip (#95):
UserChipcomponent added to navbar β Google profile photo with initials fallback, role badge (P/M/E/A), applied to desktop and mobile top bar - Navbar bug fixes (#97, #98): navbar buttons no longer disappear on interaction; user role now displays correctly after login; bfcache PKCE fix (back button after OAuth no longer breaks login state); duplicate click guard on Login button
- signOut reliability (#96): replaced
router.push('/')withwindow.location.hreffor full page reload β prevents Supabase token refresh timer surviving sign-out
Testing
- Google OAuth β pending β approval β member role flow re-validated after JoinModal changes Β· UserChip rendering tested across desktop and mobile breakpoints Β· DB migration applied and column presence verified in Supabase
Review & Release
- 5 issues closed (Paul: 4, Gary: 1) Β· Sprint 4 feature branch growing toward main merge Β· DB migrations committed to
supabase/migrations/
Sprint Contribution Report β Week 4
ββββββββββββββββββββββββββββββββββββββ
Name Done/All Contribution
ββββββββββββββββββββββββββββββββββββββ
Paul 4/5 ββββββββββ
Gary 1/1 ββ
Sid 0
Kai 0
Andra 0
Dave 0
Judy 0
ββββββββββββββββββββββββββββββββββββββ
Week 5 β Sprint 4 Merge, Events, Profile Page & Design Overhaul
Planning
- Sprint 4 merged to
main(PR #122) β 5 feature areas, 4 DB migrations, 0 build errors Β· Post-merge: Copilot security review triaged; 3 issues addressed in follow-up PRs Β· Events full implementation and Profile page scoped as W5 deliverables Β· Design token audit kicked off to unify all pages before launch Β· Custom domaincodexperts.capurchased via Cloudflare (#130) and configured on Vercel (apex + www)
Design
- Design system token cleanup: all hardcoded hex and default Tailwind colors replaced with semantic tokens across 22 files Β· Responsive container pattern (
max-w-6xl mx-auto px-4 sm:px-6) standardized across every page Β· Navbar flattened to direct links; social icons always visible on mobile Β· Badge system finalized: Graduate βbg-link-bg text-gold, Executive βbg-success-bg text-success; unified across Navbar, UserAvatar, MemberCard
Development
- Sprint 4 release (PR #122): Members Page (live Supabase data, combinable filters), Problems Page (Post + List view, Markdown, exec delete/download), Footer + Contact Form (Gmail SMTP via nodemailer), About Us page, Announcements layout
- Events Section: main events page redesigned (upcoming + past split); individual event detail page at
/events/[id]with description, date, location, tracks, gallery, prev/next nav;PastEventsCardscomponent - Profile Page (
/members/[id]): live Supabase fetch viafetchMemberById(); avatar with initials fallback, name, nickname, status badge, conditional LinkedIn/GitHub icons; bio section; edit button visible only to profile owner - Pending page: school-specific club signup prompt β Seneca live link, York Coming Soon; managed via
socialLinks.jsconfig (#133) - Executive role fix (#77):
canAccessAdminRoutesupdated to include Executive β admin routes no longer 403 for execs - Problems table columns (#107):
week,due_date,schoolcolumns added to problems table via migration - Security hardening: contact form HTML + SMTP header injection sanitized (
escapeHtml,sanitizeHeader);adminApprovalmoved to server-side/api/admin/approveusing service role key β client can no longer trigger RLS-bypassed updates directly
Testing
- Copilot review on PR #122: 3 security issues triaged β resolved in #123 (contact form injection), #124 (admin approval RLS), #125 (replyTo header sanitization) Β· Graduate badge dark-bg regression caught and fixed Β· JoinModal double-submit race condition guarded Β· Members cohort filter value mismatch (
"Fall 2024"vs DB"1") fixed Β· Status filter'graduate'β'graduated'DB value corrected
Review & Release
- Sprint 4 merged to
mainΒ· 17 follow-up PRs merged (security patches, Events, Profile, design overhaul, domain) Β·codexperts.caandwww.codexperts.calive
Sprint Contribution Report β Week 5
ββββββββββββββββββββββββββββββββββββββ
Name Done/All Contribution
ββββββββββββββββββββββββββββββββββββββ
Paul 3/3 ββββββ
Kai 1/1 ββ
Andra 0/1 ββ
Sid 0
Gary 0
Dave 0
Judy 0
ββββββββββββββββββββββββββββββββββββββ
| Column | Description |
|---|---|
Backlog |
Unscheduled items |
Ready |
Committed for current sprint |
In Progress |
Actively being developed |
In Review |
PR open, awaiting review |
Done |
Merged and deployed |
Issue & PR Convention
- Issue title format:
[Type] Short descriptionβ types:feat,fix,docs,refactor,chore - All PRs require at least 1 reviewer approval before merge
- PRs are linked to their corresponding issue
Branch Strategy
| Branch | Purpose |
|---|---|
main |
Production-ready code only |
develop |
Integration branch β all features merge here first |
feature/* |
Individual feature or fix branches |
Never commit directly to
main. All changes go throughdevelopvia reviewed PRs.
| Layer | Platform | Domain |
|---|---|---|
| Frontend | Vercel | codexperts.ca Β· www.codexperts.ca |
| Backend | Heroku | auto-assigned Heroku URL |
| Database & Auth | Supabase | managed |
Custom domain
codexperts.cais live. Both apex (codexperts.ca) andwww.codexperts.caresolve correctly.
codexperts-web/
βββ public/
βββ src/
β βββ app/ # Next.js App Router
β β βββ layout.js # Root layout (Navbar included)
β β βββ page.js # / Home
β β βββ about/ # /about
β β βββ schedule/ # /schedule
β β βββ api/ # Next.js API routes
β β β βββ calendar/ # GET /api/calendar β iCal fetch + parse (no API key)
β β βββ announcements/ # /announcements
β β βββ events/ # /events
β β βββ join/ # /join β redirects to / (join flow is Navbar modal)
β β βββ problems/ # /problems (member only)
β β βββ solutions/ # /solutions (member only)
β β βββ members/ # /members (member only)
β β βββ admin/ # /admin (admin only)
β βββ components/
β β βββ common/ # Navbar, Footer
β β βββ auth/ # ProtectedRoute, RoleGuard
β β βββ ui/ # Button, Card, Modal
β βββ config/
β β βββ socialLinks.js # Campus social media links config
β βββ lib/
β β βββ supabase.js # Supabase client singleton
β βββ hooks/ # useAuth, useRole
β βββ contexts/ # AuthContext
β βββ services/ # Supabase service modules
β βββ utils/ # Helper functions, constants
βββ docs/
β βββ design/ # Design system, sitemap, page-level specs
β βββ guidelines/ # code-conventions.md, git-workflow.md
β βββ meeting-notes/ # Sprint meeting records
β βββ sprints/ # Sprint plan + weekly specs
β βββ schema/ # Database schema definitions
βββ backend/
β βββ main.py # FastAPI entry point
β βββ requirements.txt
β βββ .env.example
β βββ routers/
βββ scripts/
β βββ sprint-report.js # CLI tool β GitHub Issue contribution report per member
βββ package.json
βββ README.md
Prerequisites: Node.js v18+, a Supabase project with Google OAuth and PostgreSQL enabled.
git clone https://github.com/codexperts2024/codexperts-web.git
cd codexperts-web
npm install
cp .env.example .env.local
# Fill in your Supabase config values
npm run devApp runs at http://localhost:3000.
Environment variables:
| Variable | Required | Description |
|---|---|---|
NEXT_PUBLIC_SUPABASE_URL |
Yes | Supabase project URL |
NEXT_PUBLIC_SUPABASE_ANON_KEY |
Yes | Supabase anon key |
SUPABASE_SERVICE_ROLE_KEY |
Backend only | Never expose to client |
NEXT_PUBLIC_API_URL |
Yes | Heroku FastAPI URL |
CONTACT_EMAIL_USER |
Yes | Gmail address for contact form SMTP |
CONTACT_EMAIL_PASS |
Yes | Gmail App Password (not your account password) β generate at myaccount.google.com/apppasswords |
To add York University's club signup link: open
src/config/socialLinks.jsand set theurlfield in theclubSignuparray forYork University.
Sprint contribution report:
npm run report # all-time closed issues per member
npm run report -- 4 # Week 4 breakdown (closed vs. open)Built with intention. Deployed with confidence.



