~/projects /shca-platform
shca.ca — community association platform with real money flows
~CA$20
monthly hosting
3-signature
expense approval
3 rounds
security audit
Community associations run on volunteers and spreadsheets. The Signal Hill Community Association (Calgary) needed real infrastructure: memberships, bookings, events, and board governance — without an enterprise budget. The whole platform runs at roughly CA$20/month.
Public side
- Stripe-direct memberships — auto-minted member IDs, renewal flows, no manual reconciliation
- Facility bookings — with damage-deposit holds via Stripe SetupIntents, so deposits are authorized but not charged
- Community programs — garage-sale map, Neighbour Day RSVPs, AGLC casino volunteer management
- Decap CMS — board members edit content through a friendly UI, git holds the truth
Board operations
The interesting engineering is in governance. Volunteer boards handle real money with high turnover and low trust in any single individual, so the platform enforces process in code:
- Three-signature expense-claim approvals — claims move through a state machine requiring three distinct board signatures before payout
- Full audit log — every sensitive action recorded
- Hardened auth — OTP and magic-link flows specifically engineered around Gmail and Outlook link-scanners that pre-click login links and silently burn one-time tokens (a genuinely annoying class of bug)
Security as a deliverable
Because this system touches payments and personal data for a real community, I ran a documented three-round security audit — sixteen migrations’ worth of hardening (RLS policies, token handling, permission scoping) with findings and fixes written up for the board. Small-budget software doesn’t have to mean small-discipline software.
stack: Cloudflare Pages · Supabase · Stripe · Decap CMS · Resend · Brevo · Gemini