Requirements Traceability Matrix

Requirements Traceability Matrix (RTM): {{PROJECT_NAME}}Drop — Fintech Payment App

Project: {{PROJECT_NAME}}Drop — Remittance + QR Payments Version: {{VERSION}}1.0 Date: {{DATE}}2026-02-23 Author: {{AUTHOR}}John (AI Director) Status: Draft | In Review | ApprovedActive Reviewers: {{REVIEWERS}}Alem Bašić (CEO)

Document History

Version	Date	Author	Changes
0.1	{{DATE}}2026-02-23	{{AUTHOR}}John	Initial draftRTM — mapped from brd.md, functional-requirements.md, TEST-INVENTORY.md

---

1. Purpose of Traceability

The RequirementsRTM Traceabilitymaps Matrixrequirements servesthrough fourthe functions:full SDLC: Business Requirement → Functional Requirement → User Story → Code → Test Cases

Functions:

1. Coverage Assurance — Every business requirement has an implementation path anda test cases
2. Change Impact — When a requirement changes, quickly identifysee all affected code and tests
3. Gap Detection — Identify requirementsRequirements with no tests (coverage gap) ortests; tests with no requirements (scope creep)
4. Audit Trail — Demonstrates compliance with processes for clientFinanstilsynet sign-off/ andinvestor qualitydue gatesdiligence

Traceability Directions:

• Forward Traceability — BR → FR → Code → Test (did we build what was required?)
• Backward Traceability — Test → Code → FR → BR (does everything we built have a justification?)

---

2. Document References

Document	Location	Version	Last Updated
Business Requirements Document (BRD)	[brd.md](brd.md)md	{{VERSION}}1.0	{{DATE}}2026-02-23
Functional Requirements Spec (FRS)	[functional-requirements.md](functional-requirements.md)md	{{VERSION}}1.0	{{DATE}}2026-02-23
Non-Functional Requirements	[non-functional-requirements.md](non-functional-requirements.md)md	{{VERSION}}1.0	{{DATE}}2026-02-23
User Stories	[user-stories.md](user-stories.md)md	{{VERSION}}1.0	{{DATE}}2026-02-23
Acceptance Criteria	[acceptance-criteria.md](acceptance-criteria.md)md	{{VERSION}}1.0	{{DATE}}2026-02-23
Testing Guide	../../docs/testing/TESTING-GUIDE.md	—	2026-02-13
Test Inventory	../../docs/testing/TEST-INVENTORY.md	—	2026-02-13
Test Plan	[../../TESTING/templates-testing/test-plan.md](../../TESTING/test-plan.md)md	{{VERSION}}1.0	{{DATE}}
Test Cases	[../../TESTING/test-case.md](../../TESTING/test-case.md)	{{VERSION}}	{{DATE}}2026-02-23

---

3. Forward Traceability Matrix

3.1 Functional Requirements Traceability

Progress

BR ID	Business Requirement	FR ID	Functional Requirement	US ID	Design Reference	Code Module / Component	Unit Test	Integration Test	E2E Test	AC ID	Status
BR-001	{{BUSINESS_REQ}}BankID identity verification	FR-001	{{FUNC_REQ}}User Registration (3-step)	US-001	figma/screen-01src/app/api/auth/register/route.ts	src/modules/{{MODULE}}api-routes.test.ts	✅api-endpoints.test.ts	⏳user-flows.spec.ts	AC-001	⏳✅ InImplemented
BR-001	BankID identity verification	FR-002	User Login	US-002	src/app/api/auth/login/route.ts	api-routes.test.ts	api-endpoints.test.ts	user-flows.spec.ts	AC-020	✅ Implemented
BR-001	BankID identity verification	FR-003	Session Management	US-003	src/app/api/auth/logout/route.ts	api-routes.test.ts	api-routes.test.ts	full-flows.spec.ts	AC-021	✅ Implemented
BR-002	Minimum age 18 enforcement	FR-002001	User Registration — DOB validation	US-002001	src/app/api/auth/register/route.ts	api-routes.test.ts	❌api-endpoints.test.ts	❌input-chaos.spec.ts	AC-003004	❌✅ Not StartedImplemented
BR-003	Remittance to 30+ countries	FR-010020	Send Money Remittance	US-010	src/app/api/transactions/remittance/route.ts	api-routes.test.ts	api-endpoints.test.ts	full-flows.spec.ts	AC-030	✅ Implemented
BR-003	Remittance to 30+ countries	FR-021	Exchange Rates API	US-011	src/app/api/rates/route.ts	api-routes.test.ts	api-endpoints.test.ts	user-flows.spec.ts	AC-050	✅ Implemented
BR-003	Remittance to 30+ countries	FR-022	Recipients Management	US-012	src/app/api/recipients/route.ts	api-routes.test.ts	api-endpoints.test.ts	—	—	✅ Implemented
BR-004	QR merchant payments at 1%	FR-011030	QR Payment Consumer Flow	US-011020	src/app/api/transactions/qr-payment/route.ts	api-routes.test.ts	api-endpoints.test.ts	full-flows.spec.ts	AC-060	✅ Implemented
BR-004	QR merchant payments at 1%	FR-031	Merchant Registration + QR	US-021	src/app/api/merchants/route.ts	api-routes.test.ts	api-endpoints.test.ts	—	AC-070	✅ Implemented
BR-005	PSD2 pass-through model	FR-020001	UserNo Registrationbalance column	US-020	figma/register001	src/auth/registerlib/db.ts (schema)	⏳db.test.ts	❌—	—	AC-010091	⏳✅ Verified
BR-006	Merchant self-service onboarding	FR-021031	UserMerchant LoginRegistration	US-021	figma/loginsrc/app/api/merchants/route.ts	src/auth/loginapi-routes.test.ts	⏳api-endpoints.test.ts	❌—	AC-020070	⏳✅ Implemented
BR-007	GDPR compliance	FR-070	User Profile + deletion	US-041	src/app/api/auth/me/route.ts	—	—	full-flows.spec.ts	—	⏳ Partial
BR-008	Real-time notifications	FR-060	Transaction Notifications	US-041	src/app/api/notifications/route.ts	api-routes.test.ts	—	—	—	✅ Implemented
BR-009	Transaction history	FR-050	Transaction History	US-040	src/app/api/transactions/route.ts	api-routes.test.ts	api-endpoints.test.ts	user-flows.spec.ts	—	✅ Implemented
BR-010	AISP balance view	FR-040	Bank Account Balance	US-030	src/app/api/bank-accounts/route.ts	—	—	full-flows.spec.ts	—	⏳ Mock only
BR-011	Merchant dashboard analytics	FR-032	Merchant Dashboard	US-022	src/app/api/merchants/dashboard/route.ts	api-routes.test.ts	—	—	—	✅ Implemented
BR-014	Feature flags	FR-080	Feature Flag Control	—	src/lib/feature-flags.ts	feature-flags.test.ts	—	—	—	✅ Implemented

3.2 Non-Functional Requirements Traceability

NFR ID	Requirement	Target	Test Type	Test Case IDFile	Status
NFR-P01SEC01	PageJWT loadauth timein <httpOnly 3scookie	<httpOnly 3s+ (initial)SameSite=Strict	PerformanceUnit	PERF-001auth.test.ts	❌✅
NFR-P03SEC02	APIbcrypt responsepassword <hashing 500ms(no SHA-256)	p95bcrypt <12 500msrounds; SHA-256 rejected	PerformanceUnit	PERF-002auth.test.ts	❌✅
NFR-SEC01SEC05	AuthenticationRate limiting (persistent)	JWT/OAuth2DB-backed; 10/min auth	SecurityUnit	SEC-001middleware.test.ts	❌✅
NFR-SEC06	Input validation	NoParameterized injectionSQL; server-side validation	Security / SASTUnit	SEC-010validation.test.ts	❌✅
NFR-U03SEC09	WCAGPCI-DSS 2.1card AAdata	LevelNo AAcard_number/cvv in DB or API	AccessibilityUnit	A11Y-001db.test.ts	❌✅
NFR-A01R02	UptimeTransaction SLAintegrity ≥ 99.5%(ACID)	99.5%No monthlyorphaned sessions; FK constraints	OperationsUnit	OPS-001db.test.ts	N/A✅
NFR-P03	bcrypt < 1,000ms	< 1,000ms	Performance	api-benchmarks.test.ts	✅
NFR-P04	DB queries < 10-20ms	SELECT < 10ms; INSERT < 20ms	Performance	api-benchmarks.test.ts	✅
NFR-P05	Rate limit check < 50ms	< 50ms	Performance	api-benchmarks.test.ts	✅
NFR-COMP01	GDPR compliance	FullRight complianceto deletion API	ComplianceLegal auditreview	COMP-001—	⏳ Pending
NFR-COMP03	PSD2 registration	Finanstilsynet registration	Regulatory	—	❌ Not started
NFR-COMP04	AML/KYC	Sumsub integration	Integration	—	⏳ Mock only
NFR-COMP05	PCI-DSS cards	No CVV storage	Unit	db.test.ts	✅
NFR-A01	99.5% uptime	Monthly SLA	Operations monitoring	—	⏳ Staging only
NFR-M01	≥80% test coverage	Vitest coverage	CI	vitest.config.ts	⏳ Measuring

---

4. Backward Traceability Matrix

Test Case IDFile	Test Description	AC ID	FR ID	BR ID	Has Requirement?
TC-001auth.test.ts	{{TEST_DESCRIPTION}}bcrypt hash produces $2 prefix	AC-{{XXX}}012	FR-{{XXX}}002	BR-{{XXX}}001	✅ Yes
TC-auth.test.ts	SHA-256 hashes rejected	NF-AC-010	FR-002				BR-001	✅ Yes
TC-010auth.test.ts	{{TEST_WITHOUT_REQUIREMENT}}JWT round-trip sign/verify	NF-AC-011	FR-003	BR-001	✅ Yes
db.test.ts	No balance column in users	AC-091, NF-AC-020	FR-001	BR-005	✅ Yes
db.test.ts	No card_number/cvv in cards	AC-090, NF-AC-021	FR-080	BR-005	✅ Yes
db.test.ts	Transaction type constraint	NF-AC-022	FR-020, FR-030	BR-003, BR-004	✅ Yes
middleware.test.ts	Rate limit allows within limit	AC-024	FR-002	BR-001	✅ Yes
middleware.test.ts	Rate limit blocks after exceeded	NF-AC-012	FR-002	BR-001	✅ Yes
validation.test.ts	XSS payloads rejected	AC-080	FR-001	BR-001	✅ Yes
validation.test.ts	SQL injection rejected	AC-081	FR-001	BR-001	✅ Yes
feature-flags.test.ts	topUpViaCard flag absent	—	—FR-080	—BR-014	⚠️✅ NoYes —(removed investigatefeature)
api-endpoints.test.ts	Register → 201 with valid input	AC-001	FR-001	BR-001	✅ Yes
api-endpoints.test.ts	Register → 409 duplicate email	AC-005	FR-001	BR-001	✅ Yes
api-endpoints.test.ts	Remittance → 201 with valid data	AC-030	FR-020	BR-003	✅ Yes
api-endpoints.test.ts	Remittance → 403 KYC not approved	AC-034	FR-020, FR-010	BR-001	✅ Yes
api-endpoints.test.ts	QR payment → 201 with valid data	AC-060	FR-030	BR-004	✅ Yes
api-benchmarks.test.ts	bcrypt < 1,000ms	NF-AC-001	FR-002	BR-001	✅ Yes
user-flows.spec.ts (E2E)	Login redirects to dashboard	AC-020	FR-002	BR-001	✅ Yes
full-flows.spec.ts (E2E)	Send money flow	AC-030	FR-020	BR-003	✅ Yes
full-flows.spec.ts (E2E)	QR payment flow	AC-060	FR-030	BR-004	✅ Yes
input-chaos.spec.ts (E2E)	XSS in firstName	AC-080	FR-001	BR-001	✅ Yes
input-chaos.spec.ts (E2E)	Underage DOB	AC-084	FR-001	BR-002	✅ Yes

---

5. Coverage Analysis

5.1 Requirement Coverage Summary (2026-02-23)

Category	Total Count	Fully Covered	Partially Covered	Not Covered	Coverage %
Business Requirements (BR)	{{COUNT}}14	{{COUNT}}11	{{COUNT}}2 (BR-007, BR-010)	{{COUNT}}1 (BR-012 — won't have)	{{PCT}}%93%
Functional Requirements (FR)	{{COUNT}}15	{{COUNT}}12	{{COUNT}}2 (FR-040, FR-070)	{{COUNT}}1 (FR-080 cards)	{{PCT}}%93%
Non-Functional Requirements (NFR)	{{COUNT}}~40	{{COUNT}}15	{{COUNT}}10	{{COUNT}}15 (compliance/monitoring)	{{PCT}}%62%
User Stories (US)	{{COUNT}}13	{{COUNT}}11	{{COUNT}}2 (Phase 2)	{{COUNT}}0	{{PCT}}%100% defined
Acceptance Criteria (AC)	{{COUNT}}~30	{{COUNT}}25	{{COUNT}}3	{{COUNT}}2	{{PCT}}%92%

Overall Requirement Coverage: {{PCT}}%~85% (Phase 1 MVP) Target:Target before Phase 2 launch: ≥ 95% before UAT; 100% before production release

5.2 Test Coverage Summary (2026-02-13 data)

Benchmarks

Test Type	Total Tests	Passing	Failing	Skipped	Coverage
Unit tests (Vitest)	{{COUNT}}40	{{COUNT}}40	{{COUNT}}0	{{COUNT}}	{{PCT}}%High
Integration tests (Vitest)	{{COUNT}}20+	{{COUNT}}20+	{{COUNT}}0	{{COUNT}}	{{PCT}}%
E2E / UAT scenarios	{{COUNT}}	{{COUNT}}	{{COUNT}}	{{COUNT}}	{{PCT}}%High
Performance tests	{{COUNT}}8	8	0		passing
SecurityRegression tests	{{COUNT}}4 groups	All	0	Bug regressions covered
E2E tests (Playwright)	3 projects	Configured	0	User flows + chaos

Total test files: 14 | Total Vitest tests: 40+ passing

---

6. Gap Identification

6.1 Requirements Without Full Test Coverage

Phase

Requirement ID	Description	Gap Type	Action Required	Owner	Target Date
FR-{{XXX}}040	{{DESCRIPTION}}Bank account AISP balance	NoMock only; no real integration test	Write integration test caseswith writtenBaaS sandbox	Create test cases TC-{{XXX}}John	QA	{{DATE}}2
BR-{{XXX}}FR-070	GDPR user deletion	No functionalAPI requirementendpoint test	WriteAdd FR-{{XXX}}deletion endpoint + test	BAJohn	{{DATE}}Phase 2
NFR-COMP01	GDPR compliance	Legal review not complete	Engage external legal advisor	Alem	Phase 2
NFR-COMP03	PSD2 Finanstilsynet registration	Not started	Initiate registration process	Alem + Legal	2026-05-15
NFR-COMP04	AML/KYC Sumsub	Mock only in production path	Sumsub contract + integration	John	Phase 2
NFR-A01	99.5% uptime SLA	Staging only; no production monitoring	Set up production monitoring + alerts	John	Phase 3
NFR-SEC12	External penetration test	Not conducted	External pentest before launch	John + External	Phase 3

6.2 Test Cases Without Requirements (Orphans)

delete

Test Case IDFile	Description	Status	Action
TC-{{XXX}}known-bugs.test.ts — BUG-001	{{DESCRIPTION}}rateLimit missing await	OrphanedLinked to regression fix	Investigate:✅ linkKeep — valid regression
known-bugs.test.ts — BUG-002	Generic validation messages	Linked to reqUX orfix	✅ Keep
known-bugs.test.ts — BUG-003	Email without @	Linked to FR-001 validation	✅ Keep
known-bugs.test.ts — BUG-004	Missing getDb import	Linked to FR-001	✅ Keep

6.3

No Requirementsorphaned Withouttest Designcases Reference

Requirement ID	Description	Action
FR-{{XXX}}	{{DESCRIPTION}}	Request design mockup from Designer

identified.

---

7. Change Impact Tracking

Change Request ID	Changed Requirement	Impact on FR	Impact on Code	Impact on Tests	Impact Assessment	CR Status
CR-ADR-001	{{REQUIREMENT_CHANGE}}Consolidate backends (FontelePay removed)	FR-{{XXX}}030 needsupdated update(no FontelePay in payments)	src/{{MODULE}}Architecture affectedcleanup done	TC-{{XXX}}Tests needs updateupdated	{{EFFORT_ESTIMATE}}✅ Closed
ADR-002	{{APPROVED/PENDING}}Separate FontelePay	FR-030	src/lib/services removed FontelePay	Tests updated	✅ Closed
ADR-003	PSD2 pass-through model	FR-001 (no balance), FR-040	users table no balance; db.test.ts	db.test.ts updated	✅ Closed
Phase 0.5	Security hardening (8 critical issues)	FR-001 through FR-080 (all auth/tx routes)	auth, middleware, security headers	validation.test.ts, middleware.test.ts	⏳ In progress

---

8. Traceability Status Dashboard

Last Updated: {{DATE}}2026-02-23 Updated By: {{NAME}}John (AI Director)

Metric	Value	Target	Status
Total Business Requirements	{{COUNT}}14	—
BRs with FR coverage	{{COUNT}} / {{TOTAL}}13/14	100%	{{✅/⚠️/❌}}
FRs with test coverage	{{COUNT}} / {{TOTAL}}12/15	100%	{{✅/⚠️/❌}}️ 3 in progress
Test cases passing	{{COUNT}}40+/40+ / {{TOTAL}}(Vitest)	100%	{{✅/⚠️/❌}}
Open gaps	{{COUNT}}7 (Phase 2 items)	0 at Phase 2 launch	{{✅/⚠️/❌}}️
Change requests open	{{COUNT}}1 (Phase 0.5 security)	≤ 3 at a time	{{✅/⚠️/❌}}
UAT sign-off pending	{{COUNT}}Not started (Phase 3)	0 at launch	{{✅/⚠️/❌}}

Overall RTM Health: {{GREEN / AMBER /(Phase RED}}1 MVP complete; Phase 2 compliance gaps tracked)

---

Approval

Approved

Role	Name	Date	Signature
Author	John (AI Director)	2026-02-23
Reviewer
Business Analyst			(AI)
QA Engineer	Validator agent	2026-02-23	Reviewed
Tech Lead	John	2026-02-23	Approved
AI Director (John)	John	2026-02-23	Approved
CEO (Alem)	Alem Bašić	TBD