Requirements Traceability Matrix
Requirements Traceability Matrix (RTM): Drop — Fintech Payment App
Project: Drop — Remittance + QR Payments
Version: 1.0
Date: 2026-02-23
Author: John (AI Director)
Status: Active
Reviewers: Alem Bašić (CEO)
Document History
| Version |
Date |
Author |
Changes |
| 0.1 |
2026-02-23 |
John |
Initial RTM — mapped from brd.md, functional-requirements.md, TEST-INVENTORY.md |
1. Purpose of Traceability
The RTM maps requirements through the full SDLC:
Business Requirement → Functional Requirement → User Story → Code → Test Cases
Functions:
- Coverage Assurance — Every business requirement has a test
- Change Impact — When requirement changes, see all affected code and tests
- Gap Detection — Requirements with no tests; tests with no requirements
- Audit Trail — Demonstrates compliance for Finanstilsynet / investor due diligence
2. Document References
| Document |
Location |
Version |
Last Updated |
| Business Requirements Document |
brd.md |
1.0 |
2026-02-23 |
| Functional Requirements Spec |
functional-requirements.md |
1.0 |
2026-02-23 |
| Non-Functional Requirements |
non-functional-requirements.md |
1.0 |
2026-02-23 |
| User Stories |
user-stories.md |
1.0 |
2026-02-23 |
| Acceptance Criteria |
acceptance-criteria.md |
1.0 |
2026-02-23 |
| Testing Guide |
../../docs/testing/TESTING-GUIDE.md |
— |
2026-02-13 |
| Test Inventory |
../../docs/testing/TEST-INVENTORY.md |
— |
2026-02-13 |
| Test Plan |
../templates-testing/test-plan.md |
1.0 |
2026-02-23 |
3. Forward Traceability Matrix
3.1 Functional Requirements Traceability
| BR ID |
Business Requirement |
FR ID |
Functional Requirement |
US ID |
Code Module |
Unit Test |
Integration Test |
E2E Test |
AC ID |
Status |
| BR-001 |
BankID identity verification |
FR-001 |
User Registration (3-step) |
US-001 |
src/app/api/auth/register/route.ts |
api-routes.test.ts |
api-endpoints.test.ts |
user-flows.spec.ts |
AC-001 |
✅ Implemented |
| BR-001 |
BankID identity verification |
FR-002 |
User Login |
US-002 |
src/app/api/auth/login/route.ts |
api-routes.test.ts |
api-endpoints.test.ts |
user-flows.spec.ts |
AC-020 |
✅ Implemented |
| BR-001 |
BankID identity verification |
FR-003 |
Session Management |
US-003 |
src/app/api/auth/logout/route.ts |
api-routes.test.ts |
api-routes.test.ts |
full-flows.spec.ts |
AC-021 |
✅ Implemented |
| BR-002 |
Minimum age 18 enforcement |
FR-001 |
User Registration — DOB validation |
US-001 |
src/app/api/auth/register/route.ts |
api-routes.test.ts |
api-endpoints.test.ts |
input-chaos.spec.ts |
AC-004 |
✅ Implemented |
| BR-003 |
Remittance to 30+ countries |
FR-020 |
Send Money Remittance |
US-010 |
src/app/api/transactions/remittance/route.ts |
api-routes.test.ts |
api-endpoints.test.ts |
full-flows.spec.ts |
AC-030 |
✅ Implemented |
| BR-003 |
Remittance to 30+ countries |
FR-021 |
Exchange Rates API |
US-011 |
src/app/api/rates/route.ts |
api-routes.test.ts |
api-endpoints.test.ts |
user-flows.spec.ts |
AC-050 |
✅ Implemented |
| BR-003 |
Remittance to 30+ countries |
FR-022 |
Recipients Management |
US-012 |
src/app/api/recipients/route.ts |
api-routes.test.ts |
api-endpoints.test.ts |
— |
— |
✅ Implemented |
| BR-004 |
QR merchant payments at 1% |
FR-030 |
QR Payment Consumer Flow |
US-020 |
src/app/api/transactions/qr-payment/route.ts |
api-routes.test.ts |
api-endpoints.test.ts |
full-flows.spec.ts |
AC-060 |
✅ Implemented |
| BR-004 |
QR merchant payments at 1% |
FR-031 |
Merchant Registration + QR |
US-021 |
src/app/api/merchants/route.ts |
api-routes.test.ts |
api-endpoints.test.ts |
— |
AC-070 |
✅ Implemented |
| BR-005 |
PSD2 pass-through model |
FR-001 |
No balance column |
US-001 |
src/lib/db.ts (schema) |
db.test.ts |
— |
— |
AC-091 |
✅ Verified |
| BR-006 |
Merchant self-service onboarding |
FR-031 |
Merchant Registration |
US-021 |
src/app/api/merchants/route.ts |
api-routes.test.ts |
api-endpoints.test.ts |
— |
AC-070 |
✅ Implemented |
| BR-007 |
GDPR compliance |
FR-070 |
User Profile + deletion |
US-041 |
src/app/api/auth/me/route.ts |
— |
— |
full-flows.spec.ts |
— |
⏳ Partial |
| BR-008 |
Real-time notifications |
FR-060 |
Transaction Notifications |
US-041 |
src/app/api/notifications/route.ts |
api-routes.test.ts |
— |
— |
— |
✅ Implemented |
| BR-009 |
Transaction history |
FR-050 |
Transaction History |
US-040 |
src/app/api/transactions/route.ts |
api-routes.test.ts |
api-endpoints.test.ts |
user-flows.spec.ts |
— |
✅ Implemented |
| BR-010 |
AISP balance view |
FR-040 |
Bank Account Balance |
US-030 |
src/app/api/bank-accounts/route.ts |
— |
— |
full-flows.spec.ts |
— |
⏳ Mock only |
| BR-011 |
Merchant dashboard analytics |
FR-032 |
Merchant Dashboard |
US-022 |
src/app/api/merchants/dashboard/route.ts |
api-routes.test.ts |
— |
— |
— |
✅ Implemented |
| BR-014 |
Feature flags |
FR-080 |
Feature Flag Control |
— |
src/lib/feature-flags.ts |
feature-flags.test.ts |
— |
— |
— |
✅ Implemented |
3.2 Non-Functional Requirements Traceability
| NFR ID |
Requirement |
Target |
Test Type |
Test File |
Status |
| NFR-SEC01 |
JWT auth in httpOnly cookie |
httpOnly + SameSite=Strict |
Unit |
auth.test.ts |
✅ |
| NFR-SEC02 |
bcrypt password hashing (no SHA-256) |
bcrypt 12 rounds; SHA-256 rejected |
Unit |
auth.test.ts |
✅ |
| NFR-SEC05 |
Rate limiting (persistent) |
DB-backed; 10/min auth |
Unit |
middleware.test.ts |
✅ |
| NFR-SEC06 |
Input validation |
Parameterized SQL; server-side validation |
Unit |
validation.test.ts |
✅ |
| NFR-SEC09 |
PCI-DSS card data |
No card_number/cvv in DB or API |
Unit |
db.test.ts |
✅ |
| NFR-R02 |
Transaction integrity (ACID) |
No orphaned sessions; FK constraints |
Unit |
db.test.ts |
✅ |
| NFR-P03 |
bcrypt < 1,000ms |
< 1,000ms |
Performance |
api-benchmarks.test.ts |
✅ |
| NFR-P04 |
DB queries < 10-20ms |
SELECT < 10ms; INSERT < 20ms |
Performance |
api-benchmarks.test.ts |
✅ |
| NFR-P05 |
Rate limit check < 50ms |
< 50ms |
Performance |
api-benchmarks.test.ts |
✅ |
| NFR-COMP01 |
GDPR compliance |
Right to deletion API |
Legal review |
— |
⏳ Pending |
| NFR-COMP03 |
PSD2 registration |
Finanstilsynet registration |
Regulatory |
— |
❌ Not started |
| NFR-COMP04 |
AML/KYC |
Sumsub integration |
Integration |
— |
⏳ Mock only |
| NFR-COMP05 |
PCI-DSS cards |
No CVV storage |
Unit |
db.test.ts |
✅ |
| NFR-A01 |
99.5% uptime |
Monthly SLA |
Operations monitoring |
— |
⏳ Staging only |
| NFR-M01 |
≥80% test coverage |
Vitest coverage |
CI |
vitest.config.ts |
⏳ Measuring |
4. Backward Traceability Matrix
| Test File |
Test Description |
AC ID |
FR ID |
BR ID |
Has Requirement? |
| auth.test.ts |
bcrypt hash produces $2 prefix |
AC-012 |
FR-002 |
BR-001 |
✅ Yes |
| auth.test.ts |
SHA-256 hashes rejected |
NF-AC-010 |
FR-002 |
BR-001 |
✅ Yes |
| auth.test.ts |
JWT round-trip sign/verify |
NF-AC-011 |
FR-003 |
BR-001 |
✅ Yes |
| db.test.ts |
No balance column in users |
AC-091, NF-AC-020 |
FR-001 |
BR-005 |
✅ Yes |
| db.test.ts |
No card_number/cvv in cards |
AC-090, NF-AC-021 |
FR-080 |
BR-005 |
✅ Yes |
| db.test.ts |
Transaction type constraint |
NF-AC-022 |
FR-020, FR-030 |
BR-003, BR-004 |
✅ Yes |
| middleware.test.ts |
Rate limit allows within limit |
AC-024 |
FR-002 |
BR-001 |
✅ Yes |
| middleware.test.ts |
Rate limit blocks after exceeded |
NF-AC-012 |
FR-002 |
BR-001 |
✅ Yes |
| validation.test.ts |
XSS payloads rejected |
AC-080 |
FR-001 |
BR-001 |
✅ Yes |
| validation.test.ts |
SQL injection rejected |
AC-081 |
FR-001 |
BR-001 |
✅ Yes |
| feature-flags.test.ts |
topUpViaCard flag absent |
— |
FR-080 |
BR-014 |
✅ Yes (removed feature) |
| api-endpoints.test.ts |
Register → 201 with valid input |
AC-001 |
FR-001 |
BR-001 |
✅ Yes |
| api-endpoints.test.ts |
Register → 409 duplicate email |
AC-005 |
FR-001 |
BR-001 |
✅ Yes |
| api-endpoints.test.ts |
Remittance → 201 with valid data |
AC-030 |
FR-020 |
BR-003 |
✅ Yes |
| api-endpoints.test.ts |
Remittance → 403 KYC not approved |
AC-034 |
FR-020, FR-010 |
BR-001 |
✅ Yes |
| api-endpoints.test.ts |
QR payment → 201 with valid data |
AC-060 |
FR-030 |
BR-004 |
✅ Yes |
| api-benchmarks.test.ts |
bcrypt < 1,000ms |
NF-AC-001 |
FR-002 |
BR-001 |
✅ Yes |
| user-flows.spec.ts (E2E) |
Login redirects to dashboard |
AC-020 |
FR-002 |
BR-001 |
✅ Yes |
| full-flows.spec.ts (E2E) |
Send money flow |
AC-030 |
FR-020 |
BR-003 |
✅ Yes |
| full-flows.spec.ts (E2E) |
QR payment flow |
AC-060 |
FR-030 |
BR-004 |
✅ Yes |
| input-chaos.spec.ts (E2E) |
XSS in firstName |
AC-080 |
FR-001 |
BR-001 |
✅ Yes |
| input-chaos.spec.ts (E2E) |
Underage DOB |
AC-084 |
FR-001 |
BR-002 |
✅ Yes |
5. Coverage Analysis
5.1 Requirement Coverage Summary (2026-02-23)
| Category |
Total |
Fully Covered |
Partially Covered |
Not Covered |
Coverage % |
| Business Requirements (BR) |
14 |
11 |
2 (BR-007, BR-010) |
1 (BR-012 — won't have) |
93% |
| Functional Requirements (FR) |
15 |
12 |
2 (FR-040, FR-070) |
1 (FR-080 cards) |
93% |
| Non-Functional Requirements (NFR) |
~40 |
15 |
10 |
15 (compliance/monitoring) |
62% |
| User Stories (US) |
13 |
11 |
2 (Phase 2) |
0 |
100% defined |
| Acceptance Criteria (AC) |
~30 |
25 |
3 |
2 |
92% |
Overall Requirement Coverage: ~85% (Phase 1 MVP)
Target before Phase 2 launch: ≥ 95%
5.2 Test Coverage Summary (2026-02-13 data)
| Test Type |
Total Tests |
Passing |
Failing |
Coverage |
| Unit tests (Vitest) |
40 |
40 |
0 |
High |
| Integration tests (Vitest) |
20+ |
20+ |
0 |
High |
| Performance tests |
8 |
8 |
0 |
Benchmarks passing |
| Regression tests |
4 groups |
All |
0 |
Bug regressions covered |
| E2E tests (Playwright) |
3 projects |
Configured |
0 |
User flows + chaos |
Total test files: 14 | Total Vitest tests: 40+ passing
6. Gap Identification
6.1 Requirements Without Full Test Coverage
| Requirement ID |
Description |
Gap Type |
Action Required |
Owner |
Target |
| FR-040 |
Bank account AISP balance |
Mock only; no real integration test |
Write integration test with BaaS sandbox |
John |
Phase 2 |
| FR-070 |
GDPR user deletion |
No API endpoint test |
Add deletion endpoint + test |
John |
Phase 2 |
| NFR-COMP01 |
GDPR compliance |
Legal review not complete |
Engage external legal advisor |
Alem |
Phase 2 |
| NFR-COMP03 |
PSD2 Finanstilsynet registration |
Not started |
Initiate registration process |
Alem + Legal |
2026-05-15 |
| NFR-COMP04 |
AML/KYC Sumsub |
Mock only in production path |
Sumsub contract + integration |
John |
Phase 2 |
| NFR-A01 |
99.5% uptime SLA |
Staging only; no production monitoring |
Set up production monitoring + alerts |
John |
Phase 3 |
| NFR-SEC12 |
External penetration test |
Not conducted |
External pentest before launch |
John + External |
Phase 3 |
6.2 Test Cases Without Requirements (Orphans)
| Test File |
Description |
Status |
Action |
| known-bugs.test.ts — BUG-001 |
rateLimit missing await |
Linked to regression fix |
✅ Keep — valid regression |
| known-bugs.test.ts — BUG-002 |
Generic validation messages |
Linked to UX fix |
✅ Keep |
| known-bugs.test.ts — BUG-003 |
Email without @ |
Linked to FR-001 validation |
✅ Keep |
| known-bugs.test.ts — BUG-004 |
Missing getDb import |
Linked to FR-001 |
✅ Keep |
No orphaned test cases identified.
7. Change Impact Tracking
| Change Request ID |
Changed Requirement |
Impact on FR |
Impact on Code |
Impact on Tests |
Status |
| ADR-001 |
Consolidate backends (FontelePay removed) |
FR-030 updated (no FontelePay in payments) |
Architecture cleanup done |
Tests updated |
✅ Closed |
| ADR-002 |
Separate FontelePay |
FR-030 |
src/lib/services removed FontelePay |
Tests updated |
✅ Closed |
| ADR-003 |
PSD2 pass-through model |
FR-001 (no balance), FR-040 |
users table no balance; db.test.ts |
db.test.ts updated |
✅ Closed |
| Phase 0.5 |
Security hardening (8 critical issues) |
FR-001 through FR-080 (all auth/tx routes) |
auth, middleware, security headers |
validation.test.ts, middleware.test.ts |
⏳ In progress |
8. Traceability Status Dashboard
Last Updated: 2026-02-23
Updated By: John (AI Director)
| Metric |
Value |
Target |
Status |
| Total Business Requirements |
14 |
— |
|
| BRs with FR coverage |
13/14 |
100% |
✅ |
| FRs with test coverage |
12/15 |
100% |
⚠️ 3 in progress |
| Test cases passing |
40+/40+ (Vitest) |
100% |
✅ |
| Open gaps |
7 (Phase 2 items) |
0 at Phase 2 launch |
⚠️ |
| Change requests open |
1 (Phase 0.5 security) |
≤ 3 at a time |
✅ |
| UAT sign-off pending |
Not started (Phase 3) |
0 at launch |
❌ |
Overall RTM Health: AMBER (Phase 1 MVP complete; Phase 2 compliance gaps tracked)
Approval
| Role |
Name |
Date |
Signature |
| Author |
John (AI Director) |
2026-02-23 |
Approved (AI) |
| QA Engineer |
Validator agent |
2026-02-23 |
Reviewed |
| Tech Lead |
John |
2026-02-23 |
Approved |
| AI Director (John) |
John |
2026-02-23 |
Approved |
| CEO (Alem) |
Alem Bašić |
TBD |
|
