I Built a Production-Grade E-Commerce Platform in 3 Months — GitHub Copilot Was My Co-Founder

This is a submission for the GitHub Finish-Up-A-Thon Challenge

What I Built

Let me be honest with you first — when I started Commerza, I genuinely didn't know if I would ever finish it.

I'm a 19-year-old software engineering student from Pakistan. Not from some well-funded university. Not from a bootcamp in San Francisco. I'm doing a 4-year BSE at HITMS and a 3-year Advanced Diploma in Software Engineering at Aptech Pakistan, side by side, trying to become a full-stack developer with real skills — not just tutorial-following muscle memory.

Commerza is a production-grade PHP + MySQL e-commerce platform. Full storefront. Full admin panel. Real payments (COD + Stripe). Enterprise-level security — CSRF protection, Google reCAPTCHA v2 and v3, rate limiting, audit logs, stock locking, SMTP failover, Argon2id password hashing, SQL injection defenses across every user-facing mutation path.

The kind of stuff you'd expect from a team. Not one broke student coding at 2am.

And no — it wasn't a "weekend project". This thing has:

• 80 PHP files
• 339 total tracked files
• 136 commits
• PHP 62.6% | JavaScript 20.8% | CSS 15.0% | PowerShell 1.6%

Stack: HTML · CSS · JavaScript · jQuery · Bootstrap · PHP · MySQL · JSON · XML · SEO

It has a dark mode (OrangeRed + Black) and a light mode (NavyBlue + White). It has Cloudinary integration, Redis/APCu caching layers, ClamAV upload scanning, sub-admin role management, a product trash bin, coupon campaigns, review eligibility enforcement, OAuth via Google and Facebook, customer blacklists, and a CI security gate that runs on every push.

This is Commerza.

And GitHub Copilot — with Claude Sonnet 4.6, Claude Opus 4.6, and GPT-5.2-Codex — built probably 78% of the backend alongside me.

Demo

🔗 GitHub: github.com/ahmershahdev/commerza

(Screenshots Below)

The Comeback Story

Where It Started

January 2026. I had the idea. I wanted to build something I could actually show to a client or employer — not a todo app, not a blog engine. Something real. An e-commerce platform from scratch. No Laravel, no framework crutch. Raw PHP. Because I wanted to understand every layer.

The first month? I was mostly doing frontend. HTML structure. CSS design system. Bootstrap grid. jQuery interactions. I wrote those by hand. Clean, methodical, slow. Every component manually. The product cards. The navbar. The cart page. The admin sidebar.

You can see it in my commit history. Slow, small, frontend commits. One file at a time.

Then I hit the backend wall.

I stared at the PHP folder for three days. I knew PHP basics. But production PHP is a different animal. PDO vs mysqli. Prepared statements everywhere, not just "when you feel like it". CSRF tokens — what are they, really, and where do they go? Argon2id vs bcrypt — does it matter for a student project? (Yes. It does.)

The stuff I thought would take me "a few days" started looking like months of work. Email automation — SMTP with a failover to a backup transport? Rate limiting that doesn't break normal users? reCAPTCHA v3 with score thresholds and action validation?

I'd have been done in 6-8 months. Maybe.

Enter Copilot

I'd been using GitHub Copilot casually for code completion. But sometime in early February 2026, I started actually talking to it. Using the agent mode. Giving it context. Describing what I needed. Letting it write entire systems.

The shift was dramatic.

Here's one of the first real "wow" moments. I needed SMTP failover. My plan was: try primary SMTP, if it fails, fail the email. Copilot suggested something I hadn't considered — a dual-route architecture where the primary and secondary share a duplicate-suppression check so you don't accidentally send the same email twice if both routes are responsive at once.

I did not know that was a real pattern. I learned it in the tool. Not from a YouTube tutorial. Not from StackOverflow. From watching Copilot write it and then asking it to explain why.

The final architecture for backend/mailer/mailer.php:

// Simplified illustration of the SMTP failover logic Copilot introduced
function send_mail(string $to, string $subject, string $html_body): bool {
    $primary   = smtp_transport('primary');
    $secondary = smtp_transport('fallback');

    // Suppress duplicate route — if both point to same host/account, skip fallback
    if (same_transport($primary, $secondary)) {
        return attempt_send($primary, $to, $subject, $html_body);
    }

    if (attempt_send($primary, $to, $subject, $html_body)) {
        return true;
    }

    // Primary failed — try fallback
    return attempt_send($secondary, $to, $subject, $html_body);
}

Small thing. But I would not have thought of the duplicate suppression check. That detail would have caused a real bug in production.

What Copilot Built

Let me be specific. Here's what GitHub Copilot generated — or heavily scaffolded — with me reviewing, testing, and iterating:

Email Automation System

• SMTP primary + fallback routing (mailer.php)
• Security code generation + 15-minute expiry OTP for 2FA and password resets
• Cart expiry reminder emails (send_engagement_reminders.php)
• Wishlist expiry reminder emails
• Monthly profit report emails (monthly_profit_report.php)
• Weekly analytics report emails (weekly_analytics_report.php)

Admin Panel Systems

• Coupon management (create, activate, validate, campaign control)
• Product review moderation with delivery-status eligibility enforcement
• Product trash bin with restore workflow and storefront exclusion logic
• Sub-admin lifecycle (invite, email verify, roles, suspend/reactivate, delete + immediate session revocation)
• Security event monitoring UI

Security Infrastructure

• Google reCAPTCHA v3 verification with strict score threshold (0.65 default), action validation, hostname checking, challenge_ts freshness
• reCAPTCHA v2 fallback when v3 isn't active for a flow
• Honeypot field embedded in CAPTCHA widget
• Fallback CAPTCHA challenge (arithmetic + knowledge, hashed answer per nonce, attempt lockout)
• Rate limiting across all sensitive endpoints
• PDO helper layer for controlled incremental migration from mysqli prepared statements
• security_helpers.php — centralized Argon2id/bcrypt hashing, password policy enforcement, rehash logic
• CI security gate via .github/workflows/security-gate.yml — static checks on every push + dynamic probes when SECURITY_BASE_URL is configured

Checkout Hardening

• Stock locking with SELECT ... FOR UPDATE during order placement
• Idempotency key consumption to block duplicate form submissions
• High-value COD OTP threshold (email OTP for orders above configurable limit)
• Refund and review blacklist enforcement across all user-facing mutation paths

The Before vs. After

The last row is the real one. The things I didn't know I didn't know.

My Experience with GitHub Copilot

The Models Matter

I used three models across this project:

Claude Sonnet 4.6 — my daily workhorse. Fast, accurate for PHP, good at following context across multiple files. When I was iterating quickly on storefront logic or admin UI, Sonnet was my go-to. It understood my existing codebase structure without me re-explaining every time.

Claude Opus 4.6 — for the scary parts. When I needed the CAPTCHA hybrid system designed, or when I was trying to figure out the checkout security model (transaction boundaries, row locking, idempotency), I reached for Opus. Slower, but it reasoned through edge cases I wouldn't have caught. The "Level 1, Level 2, Level 3 security severity model" in my README — that framework came out of an Opus session.

GPT-5.2-Codex — I used this mostly for breakpoint testing, spotting logic flaws, checking SQL injection vectors, and validating security helpers. Different model, different angle on the same code. Like having a second pair of eyes that reads code differently. Copilot's multi-model architecture made this seamless — I could switch within the same workflow.

As of April 2026, GitHub Copilot supports model selection for both Claude and Codex agents, with Claude Sonnet 4.6 and Claude Opus 4.6 available for Anthropic tasks, and GPT-5.2-Codex, GPT-5.3-Codex, and GPT-5.4 available for OpenAI Codex tasks.

What Actually Happened in Practice

It wasn't magic. Let me be clear.

I wrote every single frontend file by hand. Copilot suggestions during HTML/CSS work were mostly noise — I ignored them. The jQuery interactions, the Bootstrap grid, the storefront layouts — that's mine, manually typed.

Where Copilot exploded in value was PHP systems logic. The kind of code where one missed edge case means a security hole or a race condition in checkout. The kind of code where you need to know patterns you've never been taught.

A real example: I knew I needed "CSRF protection." What I didn't know was where exactly to validate the token (before any database operation, not after), or that regenerating the token after each validated request is a meaningful hardening step. Copilot wrote it the right way. I read the code, asked it why, it explained. That's not just autocomplete — that's mentorship encoded into a tool.

What I Pushed Back On

Copilot is not always right. A few things I rejected or significantly modified:

• It initially generated SQL using string concatenation in a few helper queries — I pushed back and forced prepared statements everywhere
• One version of the reCAPTCHA logic didn't validate hostname or challenge_ts — I asked for hardening and got a stricter implementation
• The first version of the rate limiter didn't have burst tolerance — it would have flagged fast-typing legitimate users. I caught it in testing

The right model is: you're the architect. Copilot is a very fast contractor who sometimes cuts corners. Review everything.

On Learning While Using AI

Here's the thing people don't say enough: AI-assisted development taught me more than it replaced. I learned PDO, Argon2id, CSP nonces, idempotency keys, stock locking, Cloudinary server-side signing, APCu caching, and Redis connection pooling — all through reading, testing, and interrogating code that Copilot generated. If I'd been alone, I'd have written simpler code and never encountered these patterns at all.

The alternative wasn't "I would have learned this from scratch." The alternative was "I would have shipped something less secure and less complete."

Conclusion

Commerza is archived now — May 5, 2026. I archived it not because I abandoned it, but because it reached a state I'm actually satisfied with. 339 files. 80 PHP files. 136 commits. A CI security gate. A dual-SMTP mailer. An admin panel I'd actually use.

Is it perfect? No. There are things I'd change. The PDO migration is incomplete — the README says so honestly. Some admin UI pages are rougher than others. There's a lot of room to grow.

But it exists. It runs. It handles real security concerns that most tutorial-based PHP projects completely ignore.

That's the difference three months and GitHub Copilot made.

I'm not a "vibe coder." I'm not someone who just prompts and ships. Copilot was my accelerator, my pattern library, and — genuinely — my teacher on the backend. The frontend was mine. The architecture decisions were mine. The testing, the debugging, the "wait this doesn't make sense, let me re-read the generated code at 1am" — all mine.

If you're a student developer who thinks AI tools are "cheating": they're not. They're the closest thing to a senior developer pair-programming with you that most of us will ever get access to, for free. Use them intelligently. Read everything they generate. Push back when it's wrong. Ask why.

That's how you build a production-grade e-commerce platform in 3 months instead of 8.

Links:

• 🔗 GitHub: github.com/ahmershahdev/commerza

Built by Syed Ahmer Shah — BSE student, HITMS BSE, Aptech ADSE, Pakistan. 2026.

Find Me Across the Web

• ✍️ Medium: @syedahmershah
• 💬 DEV.to: @syedahmershah
• 🧠 Hashnode: @syedahmershah
• 💻 GitHub: @ahmershahdev
• 🔗 LinkedIn: Syed Ahmer Shah
• 🧭 All links: Beacons
• 🌐 Portfolio: ahmershah.dev