Red Mage
III
Work
The Portfolio

BAM Virtual Academy

Backend Development

SupabaseStripeMuxClaude CodeGitHub

The outcome

  • 2
    Platforms live
  • 200+
    Users
  • 850+
    Drills
  • 8
    Vulnerabilities caught pre-launch

The situation

The challenge

Coleman Ayers is a basketball coach who builds. By the time he brought Red Mage in, he had already pushed significant frontend himself and knew exactly where his limits were. He needed a backend partner who could own what he couldn't: schema architecture, Stripe's full subscription lifecycle, Mux video delivery, and Row-Level Security done right.

The existing schema had patterns that would have caused real problems in production. Author fields stored as plain text instead of UUID foreign keys. Stripe data scattered across tables. No points ledger, no clean separation of habits from habit logs, no model for tracking video processing state through Mux. Building on top of that foundation wasn't an option. The first move was getting it right.

The work

What got built

A 60+ table backend supporting two separate platforms: a Coaches Platform and the BAM Virtual Academy player experience. Stripe billing end to end, verified with real transactions. Mux video with an admin approval queue and signed URLs protecting paid content. Realtime enabled selectively on habits, messages, posts, notifications, and the leaderboard.

The Virtual Academy schema covers a full content tree from programs down to individual cards, enrollment and billing tiers, workout sessions, habit streaks with trigger-based automation, a points ledger, community posts, direct messages, and notifications. The access control logic handles a specific wrinkle cleanly: a user gets content access if they're enrolled in a specific program or an all-access tier, without policy conflicts.

Before beta launch, a full security audit turned up eight issues that would have been serious in production. Admin tools publicly accessible without login. The leaderboard bypassing RLS with admin-level permissions. Eight tables with RLS enabled and no policies written, meaning habit tracking, certifications, and points history were silently broken. Storage folders browseable by anyone with a URL. Most were one or two line fixes. The value was finding them before users did.

The outcome

Results

Two platforms live. 200+ users. 850+ drills. 8 security vulnerabilities caught before launch. Coleman got the backend he needed to keep building without it breaking underneath him.

Want something
like this?