A serverless payments platform in the environmental sector (full-stack development; led the payment-reliability layer)

[Full-stack cross-cutting implementation] Implemented 4 frontends — the customer app (React 19 / Vite / MUI 7 / TanStack Query / AWS Amplify), merchant frontend (React 19 / MUI 6), admin frontend (React 18 / MUI 5), and internal dashboard (Next.js 16 / Mantine 8) — and 4 Python serverless backends (customer, merchant, admin, in-store terminal / AWS SAM, OpenAPI definitions). Owned feature groups across card payments, charging (with expiry), e-commerce (cart / order / shipping), J-Credits, regional currency, points, stamp rallies, lotteries, rankings, and coupons.

[Double-charge prevention via idempotency] A client-issued idempotency key is appended to the sort key card_op_idem#<op>#<key>, and conditional insertion with attribute_not_exists structurally excludes duplicate payments. Keys auto-expire via TTL (default 90 days). The Stripe webhook includes an event-ID-based idempotency marker within the same transaction, so if the handler fails the marker isn't written either — meaning Stripe's re-send correctly reprocesses.

[Atomic balance updates] Eliminated read-modify-write and prevented balance inconsistency under contention with ADD + ConditionExpression. Balance floor (balance ≥ amount) and charge cap (balance + amount ≤ cap) are expressed as condition expressions; on failure the whole transaction is rolled back and the cause is accurately classified into INSUFFICIENT / CAP_EXCEEDED / CONFLICT / THROTTLED and mapped to HTTP statuses.

[Retrying only transient conflicts] Only TransactionConflict from optimistic concurrency control is retried up to 3 times with exponential backoff (base 50ms × 2^n) + jitter (±50%). ConditionalCheckFailed (semantic failures such as insufficient balance or idempotency collision) is propagated immediately without retry. Reason-code judgment is SSoT'd in a shared module, and on conflict a CloudWatch metric fires so an alarm detects spikes.

[Zero-downtime migration (mirror writes)] Split the God Record into "dual write → read-switch & dedup → remove old data," performing 13+ phases without downtime. Each builder operates idempotently with atomic ADD / if_not_exists, and deletion intent is expressed with an explicit CLEAR sentinel distinct from None. When no write is needed it returns an empty array to no-op.

[Amount precision] Amounts and CO2 conversion (the rate is Decimal('0.01')) are processed consistently with Decimal, rejecting float at both the type and runtime levels. Eliminates accumulated rounding error, verified with unit tests including boundary conditions.

[Auth & security] Implemented Cognito custom auth (sign-up / post-confirmation hook / CUSTOM_AUTH challenges), with card PINs hashed by PBKDF2-HMAC (100,000 iterations, 32-byte CSPRNG salt, constant-time comparison). Input is validated at the boundary, and IAM is separated to least privilege per stack. Logs mask email and phone and never output PINs or tokens.

[Observability, resilience, idempotent async processing] Made production observable with 20+ CloudWatch alarms + composite alarms and structured logs (Slack notifications by severity). DR is multi-layered with AWS Backup + Vault Lock + PITR + a dedicated DR vault. Monthly bulk billing of employee cards and CO2 aggregation guarantee ordering, idempotency, and auto-reprocessing with SQS FIFO + a dead-letter queue.

[CI/CD, type safety, quality gates] GitHub Actions runs ruff / black / mypy --strict (disallow_untyped_defs) / pytest automatically, with pre-commit and a local CI script reproducing the same gate on dev machines. The backend eliminates the Any type and prevents regressions with golden-vector tests.