# Requirements Traceability Matrix (RTM): Drop — Fintech Payment App

> **Project:** Drop — Remittance + QR Payments
> **Version:** 1.0
> **Date:** 2026-02-23
> **Author:** John (AI Director)
> **Status:** Active
> **Reviewers:** Alem Bašić (CEO)

## Document History
| Version | Date | Author | Changes |
|---------|------|--------|---------|
| 0.1 | 2026-02-23 | John | Initial RTM — mapped from brd.md, functional-requirements.md, TEST-INVENTORY.md |

---

## 1. Purpose of Traceability

The RTM maps requirements through the full SDLC:
Business Requirement → Functional Requirement → User Story → Code → Test Cases

The matrix serves four functions:
1. **Coverage Assurance** — every business requirement has at least one test
2. **Change Impact** — when a requirement changes, all affected code and tests can be identified
3. **Gap Detection** — requirements with no tests, and tests with no requirements (orphans)
4. **Audit Trail** — demonstrates compliance for Finanstilsynet and investor due diligence

---

## 2. Document References

| Document | Location | Version | Last Updated |
|----------|----------|---------|-------------|
| Business Requirements Document | `brd.md` | 1.0 | 2026-02-23 |
| Functional Requirements Spec | `functional-requirements.md` | 1.0 | 2026-02-23 |
| Non-Functional Requirements | `non-functional-requirements.md` | 1.0 | 2026-02-23 |
| User Stories | `user-stories.md` | 1.0 | 2026-02-23 |
| Acceptance Criteria | `acceptance-criteria.md` | 1.0 | 2026-02-23 |
| Testing Guide | `../../docs/testing/TESTING-GUIDE.md` | — | 2026-02-13 |
| Test Inventory | `../../docs/testing/TEST-INVENTORY.md` | — | 2026-02-13 |
| Test Plan | `../templates-testing/test-plan.md` | 1.0 | 2026-02-23 |

---

## 3. Forward Traceability Matrix

### 3.1 Functional Requirements Traceability

| BR ID | Business Requirement | FR ID | Functional Requirement | US ID | Code Module | Unit Test | Integration Test | E2E Test | AC ID | Status |
|-------|---------------------|-------|----------------------|-------|-------------|-----------|-----------------|----------|-------|--------|
| BR-001 | BankID identity verification | FR-001 | User Registration (3-step) | US-001 | `src/app/api/auth/register/route.ts` | api-routes.test.ts | api-endpoints.test.ts | user-flows.spec.ts | AC-001 | ✅ Implemented |
| BR-001 | BankID identity verification | FR-002 | User Login | US-002 | `src/app/api/auth/login/route.ts` | api-routes.test.ts | api-endpoints.test.ts | user-flows.spec.ts | AC-020 | ✅ Implemented |
| BR-001 | BankID identity verification | FR-003 | Session Management | US-003 | `src/app/api/auth/logout/route.ts` | api-routes.test.ts | api-routes.test.ts | full-flows.spec.ts | AC-021 | ✅ Implemented |
| BR-002 | Minimum age 18 enforcement | FR-001 | User Registration — DOB validation | US-001 | `src/app/api/auth/register/route.ts` | api-routes.test.ts | api-endpoints.test.ts | input-chaos.spec.ts | AC-004 | ✅ Implemented |
| BR-003 | Remittance to 30+ countries | FR-020 | Send Money Remittance | US-010 | `src/app/api/transactions/remittance/route.ts` | api-routes.test.ts | api-endpoints.test.ts | full-flows.spec.ts | AC-030 | ✅ Implemented |
| BR-003 | Remittance to 30+ countries | FR-021 | Exchange Rates API | US-011 | `src/app/api/rates/route.ts` | api-routes.test.ts | api-endpoints.test.ts | user-flows.spec.ts | AC-050 | ✅ Implemented |
| BR-003 | Remittance to 30+ countries | FR-022 | Recipients Management | US-012 | `src/app/api/recipients/route.ts` | api-routes.test.ts | api-endpoints.test.ts | — | — | ✅ Implemented |
| BR-004 | QR merchant payments at 1% | FR-030 | QR Payment Consumer Flow | US-020 | `src/app/api/transactions/qr-payment/route.ts` | api-routes.test.ts | api-endpoints.test.ts | full-flows.spec.ts | AC-060 | ✅ Implemented |
| BR-004 | QR merchant payments at 1% | FR-031 | Merchant Registration + QR | US-021 | `src/app/api/merchants/route.ts` | api-routes.test.ts | api-endpoints.test.ts | — | AC-070 | ✅ Implemented |
| BR-005 | PSD2 pass-through model | FR-001 | No balance column | US-001 | `src/lib/db.ts` (schema) | db.test.ts | — | — | AC-091 | ✅ Verified |
| BR-006 | Merchant self-service onboarding | FR-031 | Merchant Registration | US-021 | `src/app/api/merchants/route.ts` | api-routes.test.ts | api-endpoints.test.ts | — | AC-070 | ✅ Implemented |
| BR-007 | GDPR compliance | FR-070 | User Profile + deletion | US-041 | `src/app/api/auth/me/route.ts` | — | — | full-flows.spec.ts | — | ⏳ Partial |
| BR-008 | Real-time notifications | FR-060 | Transaction Notifications | US-041 | `src/app/api/notifications/route.ts` | api-routes.test.ts | — | — | — | ✅ Implemented |
| BR-009 | Transaction history | FR-050 | Transaction History | US-040 | `src/app/api/transactions/route.ts` | api-routes.test.ts | api-endpoints.test.ts | user-flows.spec.ts | — | ✅ Implemented |
| BR-010 | AISP balance view | FR-040 | Bank Account Balance | US-030 | `src/app/api/bank-accounts/route.ts` | — | — | full-flows.spec.ts | — | ⏳ Mock only |
| BR-011 | Merchant dashboard analytics | FR-032 | Merchant Dashboard | US-022 | `src/app/api/merchants/dashboard/route.ts` | api-routes.test.ts | — | — | — | ✅ Implemented |
| BR-014 | Feature flags | FR-080 | Feature Flag Control | — | `src/lib/feature-flags.ts` | feature-flags.test.ts | — | — | — | ✅ Implemented |

### 3.2 Non-Functional Requirements Traceability

| NFR ID | Requirement | Target | Test Type | Test File | Status |
|--------|------------|--------|-----------|-----------|--------|
| NFR-SEC01 | JWT auth in httpOnly cookie | httpOnly + SameSite=Strict | Unit | auth.test.ts | ✅ |
| NFR-SEC02 | bcrypt password hashing (no SHA-256) | bcrypt 12 rounds; SHA-256 rejected | Unit | auth.test.ts | ✅ |
| NFR-SEC05 | Rate limiting (persistent) | DB-backed; 10/min auth | Unit | middleware.test.ts | ✅ |
| NFR-SEC06 | Input validation | Parameterized SQL; server-side validation | Unit | validation.test.ts | ✅ |
| NFR-SEC09 | PCI-DSS card data | No card_number/cvv in DB or API | Unit | db.test.ts | ✅ |
| NFR-R02 | Transaction integrity (ACID) | No orphaned sessions; FK constraints | Unit | db.test.ts | ✅ |
| NFR-P03 | bcrypt < 1,000ms | < 1,000ms | Performance | api-benchmarks.test.ts | ✅ |
| NFR-P04 | DB queries < 10-20ms | SELECT < 10ms; INSERT < 20ms | Performance | api-benchmarks.test.ts | ✅ |
| NFR-P05 | Rate limit check < 50ms | < 50ms | Performance | api-benchmarks.test.ts | ✅ |
| NFR-COMP01 | GDPR compliance | Right to deletion API | Legal review | — | ⏳ Pending |
| NFR-COMP03 | PSD2 registration | Finanstilsynet registration | Regulatory | — | ❌ Not started |
| NFR-COMP04 | AML/KYC | Sumsub integration | Integration | — | ⏳ Mock only |
| NFR-COMP05 | PCI-DSS cards | No CVV storage | Unit | db.test.ts | ✅ |
| NFR-A01 | 99.5% uptime | Monthly SLA | Operations monitoring | — | ⏳ Staging only |
| NFR-M01 | ≥80% test coverage | Vitest coverage | CI | vitest.config.ts | ⏳ Measuring |

---

## 4. Backward Traceability Matrix

| Test File | Test Description | AC ID | FR ID | BR ID | Has Requirement? |
|-----------|-----------------|-------|-------|-------|-----------------|
| auth.test.ts | bcrypt hash produces $2 prefix | AC-012 | FR-002 | BR-001 | ✅ Yes |
| auth.test.ts | SHA-256 hashes rejected | NF-AC-010 | FR-002 | BR-001 | ✅ Yes |
| auth.test.ts | JWT round-trip sign/verify | NF-AC-011 | FR-003 | BR-001 | ✅ Yes |
| db.test.ts | No balance column in users | AC-091, NF-AC-020 | FR-001 | BR-005 | ✅ Yes |
| db.test.ts | No card_number/cvv in cards | AC-090, NF-AC-021 | FR-080 | BR-005 | ✅ Yes |
| db.test.ts | Transaction type constraint | NF-AC-022 | FR-020, FR-030 | BR-003, BR-004 | ✅ Yes |
| middleware.test.ts | Rate limit allows within limit | AC-024 | FR-002 | BR-001 | ✅ Yes |
| middleware.test.ts | Rate limit blocks after exceeded | NF-AC-012 | FR-002 | BR-001 | ✅ Yes |
| validation.test.ts | XSS payloads rejected | AC-080 | FR-001 | BR-001 | ✅ Yes |
| validation.test.ts | SQL injection rejected | AC-081 | FR-001 | BR-001 | ✅ Yes |
| feature-flags.test.ts | topUpViaCard flag absent | — | FR-080 | BR-014 | ✅ Yes (removed feature) |
| api-endpoints.test.ts | Register → 201 with valid input | AC-001 | FR-001 | BR-001 | ✅ Yes |
| api-endpoints.test.ts | Register → 409 duplicate email | AC-005 | FR-001 | BR-001 | ✅ Yes |
| api-endpoints.test.ts | Remittance → 201 with valid data | AC-030 | FR-020 | BR-003 | ✅ Yes |
| api-endpoints.test.ts | Remittance → 403 KYC not approved | AC-034 | FR-020, FR-010 | BR-001 | ✅ Yes |
| api-endpoints.test.ts | QR payment → 201 with valid data | AC-060 | FR-030 | BR-004 | ✅ Yes |
| api-benchmarks.test.ts | bcrypt < 1,000ms | NF-AC-001 | FR-002 | BR-001 | ✅ Yes |
| user-flows.spec.ts (E2E) | Login redirects to dashboard | AC-020 | FR-002 | BR-001 | ✅ Yes |
| full-flows.spec.ts (E2E) | Send money flow | AC-030 | FR-020 | BR-003 | ✅ Yes |
| full-flows.spec.ts (E2E) | QR payment flow | AC-060 | FR-030 | BR-004 | ✅ Yes |
| input-chaos.spec.ts (E2E) | XSS in firstName | AC-080 | FR-001 | BR-001 | ✅ Yes |
| input-chaos.spec.ts (E2E) | Underage DOB | AC-084 | FR-001 | BR-002 | ✅ Yes |

---

## 5. Coverage Analysis

### 5.1 Requirement Coverage Summary (2026-02-23)

| Category | Total | Fully Covered | Partially Covered | Not Covered | Coverage % |
|----------|-------|--------------|-------------------|-------------|-----------|
| Business Requirements (BR) | 14 | 11 | 2 (BR-007, BR-010) | 1 (BR-012 — won't have) | 93% |
| Functional Requirements (FR) | 15 | 12 | 2 (FR-040, FR-070) | 1 (FR-080 cards) | 93% |
| Non-Functional Requirements (NFR) | ~40 | 15 | 10 | 15 (compliance/monitoring) | 62% |
| User Stories (US) | 13 | 11 | 2 (Phase 2) | 0 | 100% defined |
| Acceptance Criteria (AC) | ~30 | 25 | 3 | 2 | 92% |

**Overall Requirement Coverage:** ~85% (Phase 1 MVP)

**Target before Phase 2 launch:** ≥ 95%

### 5.2 Test Coverage Summary (2026-02-13 data)

| Test Type | Total Tests | Passing | Failing | Coverage |
|-----------|------------|---------|---------|----------|
| Unit tests (Vitest) | 40 | 40 | 0 | High |
| Integration tests (Vitest) | 20+ | 20+ | 0 | High |
| Performance tests | 8 | 8 | 0 | Benchmarks passing |
| Regression tests | 4 groups | All | 0 | Bug regressions covered |
| E2E tests (Playwright) | 3 projects | Configured | 0 | User flows + chaos |

**Total test files:** 14 | **Total Vitest tests:** 40+ passing

---

## 6. Gap Identification

### 6.1 Requirements Without Full Test Coverage

| Requirement ID | Description | Gap Type | Action Required | Owner | Target |
|---------------|-------------|----------|----------------|-------|--------|
| FR-040 | Bank account AISP balance | Mock only; no real integration test | Write integration test with BaaS sandbox | John | Phase 2 |
| FR-070 | GDPR user deletion | No API endpoint test | Add deletion endpoint + test | John | Phase 2 |
| NFR-COMP01 | GDPR compliance | Legal review not complete | Engage external legal advisor | Alem | Phase 2 |
| NFR-COMP03 | PSD2 Finanstilsynet registration | Not started | Initiate registration process | Alem + Legal | 2026-05-15 |
| NFR-COMP04 | AML/KYC Sumsub | Mock only in production path | Sumsub contract + integration | John | Phase 2 |
| NFR-A01 | 99.5% uptime SLA | Staging only; no production monitoring | Set up production monitoring + alerts | John | Phase 3 |
| NFR-SEC12 | External penetration test | Not conducted | External pentest before launch | John + External | Phase 3 |

### 6.2 Test Cases Without Requirements (Orphans)

| Test File | Description | Status | Action |
|-----------|-------------|--------|--------|
| known-bugs.test.ts — BUG-001 | rateLimit missing await | Linked to regression fix | ✅ Keep — valid regression |
| known-bugs.test.ts — BUG-002 | Generic validation messages | Linked to UX fix | ✅ Keep |
| known-bugs.test.ts — BUG-003 | Email without @ | Linked to FR-001 validation | ✅ Keep |
| known-bugs.test.ts — BUG-004 | Missing getDb import | Linked to FR-001 | ✅ Keep |

No orphaned test cases identified.

---

## 7. Change Impact Tracking

| Change Request ID | Changed Requirement | Impact on FR | Impact on Code | Impact on Tests | Status |
|-----------------|--------------------|--------------|--------------|-----------------|----|
| ADR-001 | Consolidate backends (FontelePay removed) | FR-030 updated (no FontelePay in payments) | Architecture cleanup done | Tests updated | ✅ Closed |
| ADR-002 | Separate FontelePay | FR-030 | src/lib/services removed FontelePay | Tests updated | ✅ Closed |
| ADR-003 | PSD2 pass-through model | FR-001 (no balance), FR-040 | users table no balance; db.test.ts | db.test.ts updated | ✅ Closed |
| Phase 0.5 | Security hardening (8 critical issues) | FR-001 through FR-080 (all auth/tx routes) | auth, middleware, security headers | validation.test.ts, middleware.test.ts | ⏳ In progress |

---

## 8. Traceability Status Dashboard

**Last Updated:** 2026-02-23

**Updated By:** John (AI Director)

| Metric | Value | Target | Status |
|--------|-------|--------|--------|
| Total Business Requirements | 14 | — | |
| BRs with FR coverage | 13/14 | 100% | ✅ |
| FRs with test coverage | 12/15 | 100% | ⚠️ 3 in progress |
| Test cases passing | 40+/40+ (Vitest) | 100% | ✅ |
| Open gaps | 7 (Phase 2 items) | 0 at Phase 2 launch | ⚠️ |
| Change requests open | 1 (Phase 0.5 security) | ≤ 3 at a time | ✅ |
| UAT sign-off pending | Not started (Phase 3) | 0 at launch | ❌ |

**Overall RTM Health:** AMBER (Phase 1 MVP complete; Phase 2 compliance gaps tracked)

---

## Approval

| Role | Name | Date | Signature |
|------|------|------|-----------|
| Author | John (AI Director) | 2026-02-23 | Approved (AI) |
| QA Engineer | Validator agent | 2026-02-23 | Reviewed |
| Tech Lead | John | 2026-02-23 | Approved |
| AI Director (John) | John | 2026-02-23 | Approved |
| CEO (Alem) | Alem Bašić | TBD | |