Change Request

Change Request:Request {{CR_TITLE}}Template: Drop — Fintech Payment App

Project: ~~{{PROJECT_NAME}}~~Drop — Remittance + QR Payments Version: ~~{{VERSION}}~~1.0 Date: ~~{{DATE}}~~2026-02-23 Author: ~~{{AUTHOR}}~~John (AI Director) Status: ~~Draft~~Approved ~~| In Review | Approved~~(Template) Reviewers: ~~{{REVIEWERS}}~~Alem Bašić (CEO)

Document History

Version	Date	Author	Changes
0.1	~~{{DATE}}~~2026-02-23	~~{{AUTHOR}}~~John	Initial ~~draft~~CR template — Drop fintech context

How to Use This Template

A Change Request (CR) is submitted whenever a stakeholder wants to modify any approved project artifact — scope, timeline, budget, requirements, or design.

EVERY change must go through this process, no matter how "small" it seems. In fintech, one "small" change (e.g., adding a column to the users table) can violate PCI-DSS compliance and trigger a P0 incident.

Copy this template to docs/CROSS-CUTTING/change-requests/CR-{XXX}-{short-title}.md and fill in all fields.

Drop-Specific Rules:

Any schema change to users or cards tables requires explicit compliance review — pass-through model (ADR-003) must not be violated

Any change to fee rates (currently 0.5% remittance, 1% QR) requires CEO sign-off from Alem Bašić

Any change affecting authentication, rate limiting, or JWT handling requires security review by John + Validator Agent

Changes that affect Finanstilsynet registration scope must be reviewed before submission

Change Request Log

CR ID	Title	Status	Submitted	Decision Date	Impact
CR-001	Phase 0.5 Security Hardening Scope	Approved	2026-02-23	2026-02-23	In-scope security fixes; no fee/schema changes
CR-002	(use template below)

[TEMPLATE STARTS HERE — Copy below for each new CR]

Change Request: {CR_TITLE}

1. Change Request Metadata

Field	Value
CR ID	CR-{{XXX}} (assigned by ~~PM)~~John as AI Director)
Date Submitted	{{DATE}}
Submitted By	{{NAME}} — {{ROLE}}
Project	~~{{PROJECT_NAME}}~~Drop — Remittance + QR Payments
Priority	Critical / High / Medium / Low
CR Type	Scope Change / Budget Change / Timeline Change / Requirements Change / Design Change / Technical Change
Current Phase	~~Planning~~Phase 0.5 Security Hardening / ~~Design~~Phase 1 BaaS Integration / ~~Development~~Phase /2 ~~Testing / Deployment~~Compliance
Decision Deadline	{{DATE}} (by when a decision must be made to avoid impact)

2. Change Description

2.1 Summary of Change

2.2 Current State (Before)

Currently approved in: {{DOCUMENT_NAME_AND_VERSION}}, Section {{X.X}}

Drop compliance check — Current state:

Does the current state involve the users.balance column? Yes / No — (Must remain: No)

Does the current state involve cards.card_number or cards.cvv? Yes / No — (Must remain: No)

Does the current state involve fee rates? Yes / No — (Current: remittance 0.5%, QR 1%)

2.3 Proposed State (After)

{DESCRIPTION_OF_PROPOSED_STATE}

~~{{DESCRIPTION_OF_PROPOSED_STATE}}~~Drop compliance check — Proposed state:

Will the proposed state add a balance column to users? Yes / No — (If Yes: BLOCKED — violates ADR-003)

Will the proposed state store card_number or cvv in full? Yes / No — (If Yes: BLOCKED — violates PCI-DSS)

Does this change fee rates? Yes / No — (If Yes: CEO sign-off required)

2.4 Out of Scope for This Change

This CR does NOT include:

{{EXPLICITLY_EXCLUDED_ITEM_1}}
{{EXPLICITLY_EXCLUDED_ITEM_2}}

3. Reason & Justification

3.1 Reason for Change

Reason Category	Applies?	Details
New business requirement discovered	Yes / No	{{DETAILS}}
Regulatory / compliance mandate	Yes / No	{{DETAILS}}
Client feedback from UAT / prototype	Yes / No	{{DETAILS}}
Technical blocker / infeasibility	Yes / No	{{DETAILS}}
Market opportunity / competitive pressure	Yes / No	{{DETAILS}}
Error/omission in original requirements	Yes / No	{{DETAILS}}
Performance / quality improvement	Yes / No	{DETAILS}
Security finding from audit	Yes / No	Reference: security/drop-security-rapport.md SEC-{~~DETAILS}}~~ID}

Primary Justification: {{CLEAR_BUSINESS_JUSTIFICATION_WHY_THIS_CHANGE_IS_NECESSARY}}

3.2 Consequence of Not Changing

If this change is not approved: {{CONSEQUENCE_OF_REJECTION}}

4. Impact Analysis

4.1 Scope Impact

Deliverable Affected	Current Scope	Proposed Scope	Impact Type
{{DELIVERABLE}}	{{CURRENT}}	{{PROPOSED}}	Added / Removed / Modified
~~{{DELIVERABLE_2}}~~

Scope Change Size: Small (< 1 day) / Medium (1–3 days) / Large (3–10 days) / Major (> 10 days)

4.2 Timeline Impact

Milestone	Current Date	New Date (if approved)	Delay
~~{{MILESTONE}}~~Phase 0.5 Security Hardening	2026-02-28	{~~{DATE}}~~NEW_DATE}	{~~{NEW_DATE}}~~	{{DAYS}} days
~~Project~~Phase ~~completion~~1 BaaS Integration	2026-04-30	{~~{DATE}}~~NEW_DATE}	{~~{NEW_DATE}}~~DAYS} days
Finanstilsynet Registration	2026-05-31	{NEW_DATE}	{DAYS}} days

Timeline Impact: None / Minor (≤ 3 days) / Moderate (4–14 days) / Major (> 14 days)

Critical Path Impact: Yes / No If yes: {{WHICH_CRITICAL_PATH_ITEMS_AFFECTED}}

4.3 Budget Impact

Cost Category	Current Budget (NOK)	Additional Cost (NOK)	Notes
Development	~~{{CURRENT}}~~150,000 (Innovasjon Norge + bootstrap)	{{ADDITIONAL}}	{{NOTES}}
Design	—	{ADDITIONAL}
Testing	—	{ADDITIONAL}
Infrastructure (Fly.io)	—	{ADDITIONAL}
Total Additional Cost		{{TOTAL_ADDITIONAL}}

Budget Impact: None / Minor (< 5%) / Moderate (5–15%) / Major (> 15%)

Total Drop budget: ~250,000 NOK (150K Innovasjon Norge + bootstrap) Funding Source for Additional Cost: {{HOW_WILL_ADDITIONAL_COST_BE_COVERED}} ~~(e.g., contingency reserve, client additional purchase order, scope reduction elsewhere)~~

4.4 Resource Impact

Resource	Current Allocation	Required if Approved	Impact
~~{{ROLE}}~~Builder Agent (Claude Sonnet)	Per-task	{~~{CURRENT_ALLOCATION}}~~NEW_ALLOCATION}	{~~{NEW_ALLOCATION}}~~NOTES}
Validator Agent (Claude Sonnet)	Per-review	{NEW_ALLOCATION}
John (AI Director)	Architecture + coordination	{~~NOTES}}~~NEW_ALLOCATION}

4.5 Risk Impact

Risk	Probability	Impact	Notes
{{NEW_RISK_INTRODUCED}}	H/M/L	H/M/L
~~{{EXISTING_RISK_CHANGES}}~~Pass-through model violation risk	~~H/M/~~L (if schema touched)	~~H/M/L~~Critical	~~Risk~~Always ~~score~~assess for schema changes ~~from {{OLD}} to {{NEW}}~~

4.6 Quality Impact

Test cases affected: {{LIST_OF_TEST_CASES_NEEDING_UPDATE}}
Regression risk: {{HIGH/MEDIUM/LOW}} — {{EXPLANATION}}
NFRs affected: {LIST_ANY_NFRs_IMPACTED}

db.test.ts pass-through assertions: Will these still pass? Yes / Needs update — {~~LIST_ANY_NFRs_IMPACTED}}~~EXPLANATION}

api-endpoints.test.ts: Will existing 26 API endpoint tests still pass? Yes / Needs update

4.7 Affected Deliverables / Documents

Document	Section	Type of Change	Owner
~~{{DOCUMENT}}~~`docs/backend/API-REFERENCE.md`	{{SECTION}}	Update / Add / Remove	~~{{OWNER}}~~John
`docs/backend/DATABASE-SCHEMA.md`	{SECTION}	Update / Add / Remove	John
`CLAUDE.md`	{SECTION}	Update	John
`docs/BUSINESS-REQUIREMENTS/functional-requirements.md`	FR-{{XXX}}	Modify	BA
`user-stories.md`	~~US-{{XXX}}~~	~~Add new story~~	BAJohn
Test cases	TC-{{XXX}}	Update	QABuilder Agent + Validator Agent

5. Alternative Approaches Considered

Alternative	Description	Why Rejected
Option A (Proposed)	{{THIS_CR}}	Recommended
Option B	{{ALTERNATIVE}}	{{WHY_NOT_CHOSEN}}
Option C — Do Nothing	Reject the change	{{CONSEQUENCE_OF_REJECTION}}

Recommendation: Option {{A/B/C}} Rationale: {{WHY_THIS_IS_THE_BEST_OPTION}}

6. Implementation Plan

6.1 Implementation Steps

#	Task	Owner	Effort	Target Date
1	{{TASK}}	Builder Agent	{~~{OWNER}}~~EFFORT}	{~~{EFFORT}}~~	{{DATE}}
2	Update `db.test.ts` if schema changes	Builder Agent	S	{DATE}
3	Update test cases for affected features	QABuilder Agent + Validator Agent	{{EFFORT}}	{{DATE}}
4	Update requirements ~~documents~~and API reference docs	BAJohn	{{EFFORT}}	{{DATE}}
5	Regression testing (`npm run test` + `npx playwright test`)	QAValidator Agent	M	{~~{EFFORT}}~~DATE}
6	Deploy to staging (`https://drop-staging.fly.dev/`) and verify	Builder Agent	S	{{DATE}}

6.2 Dependencies

Dependency	Type	Blocking?
{{DEPENDENCY}}	Internal / External	Yes / No
Fly.io staging environment	Infrastructure	No (always available)
BaaS partner confirmation (for Phase 2 changes)	External	Yes (for live money movement)

6.3 Test Plan for This Change

Unit tests: {{WHICH_UNITS_NEED_NEW/UPDATED_TESTS}} — add to relevant __tests__/*.test.ts
Integration tests: {{WHAT_INTEGRATIONS_TO_RETEST}} — api-endpoints.test.ts

DB compliance: db.test.ts must still pass (no balance, no CVV)
Regression scope: ~~{{WHICH_EXISTING_FEATURES_TO_REGRESSION_TEST}}~~Full npm run test (40+ tests) + npx playwright test (3 projects)
UAT: {~~{DOES_THIS_REQUIRE_CLIENT_UAT?~~DOES_THIS_REQUIRE_CEO_UAT? Y/N — WHICH_SCENARIOS}}

7. Rollback Plan

Rollback Trigger: {{WHAT_CONDITION_TRIGGERS_ROLLBACK}} (e.g., error rate > 1% post-deploy, smoke tests failing, pass-through model violation detected)

Rollback Steps:

flyctl deploy --app drop-app --image registry.fly.io/drop-app:{{STEP_1}}PREVIOUS_VERSION} (2–5 min)
~~{{STEP_2}}~~Verify health: curl https://drop-staging.fly.dev/api/health
~~{{STEP_3}}~~Run smoke tests: npx playwright test --project=user-flows

If DB migrations ran: assess whether down migration is safe (Phase 0.5 migrations are all additive — generally safe to leave tables in place)

Update Mission Control incident task with rollback details

Rollback Owner: ~~{{WHO_EXECUTES_ROLLBACK}}~~John (AI Director) Rollback Time Required: ~~{{ESTIMATED_TIME}}~~5–10 minutes Data Recovery Needed: ~~Yes~~No /(mock NoBaaS — ~~{{IF_YES_HOW}}~~no real transactions in Phase 0.5)

8. Approval Workflow

8.1 Approval Matrix — Drop

~~Budget~~Impact ~~/ Timeline Impact~~Type	Required Approvals	Target Decision Time
~~None~~No budget/timeline impact	POJohn +(AI PMDirector)	1 business day
<Schema 5%change ~~budget OR < 3 days~~(any)	POJohn + PMValidator Agent compliance check	1 business day
Fee rate change	John + ~~John~~Alem Bašić (CEO)	2 business days
Budget impact < 5% OR timeline < 3 days	John + Alem Bašić	2 business days
Budget impact 5–15% ~~budget~~OR ORtimeline 3–14 days	~~PO + PM +~~ John + ~~Client~~Alem ~~Sponsor~~Bašić (CEO)	3 business days
Budget impact > 15% ~~budget~~OR ORtimeline > 14 days	~~PO + PM +~~ John + ~~Client~~Alem ~~Sponsor~~Bašić (CEO) + Board	5 business days
Finanstilsynet registration scope change	John + Alem Bašić + Legal review	5 business days

8.2 This Change Requires

~~PM Review~~ ~~— Impact analysis complete and accurate~~
Tech Lead Review — Technical feasibility and effort confirmed (John)
~~Product~~Validator ~~Owner~~Agent Review — ~~Requirements~~DB ~~and~~compliance ~~priority~~check: ~~alignment~~no balance/CVV violation
John (AI Director) — ~~Delivery~~Architecture accountability
+ ~~Client~~Mission ~~Sponsor~~Control —task ~~Business justification and budget approval~~ ~~(if client-side change)~~created
Alem Bašić (CEO) — ~~Budget~~Fee rate changes, budget > 5%, or scope changes >affecting ~~15%~~ ~~(only if required)~~BaaS/Finanstilsynet

8.3 Decision Record

DBcompliance:pass-through

Level	Reviewer	Decision	Date	Comments
PMTech Lead	~~{{NAME}}~~John	Approved / Rejected / Deferred	{{DATE}}	{{COMMENTS}}
~~Tech~~Validator ~~Lead~~Agent	~~{{NAME}}~~Validator	Approved / Rejected	{{DATE}}
~~Product~~model ~~Owner~~	~~{{NAME}}~~	~~Approved / Rejected~~	~~{{DATE}}~~	intact?
AI Director ~~(John)~~	John	Approved / Rejected	{{DATE}}
~~Client Sponsor~~	~~{{NAME}}~~	~~Approved / Rejected~~	~~{{DATE}}~~
CEO (Alem)	Alem Bašić	Approved / Rejected	{{DATE}}	(ifrequired ~~required)~~for fee/budget/scope changes)

Final Decision: APPROVED / REJECTED / DEFERRED Decision Date: {{DATE}} Effective From Sprint: Phase {X.X} / Sprint {{X}}

9. Change Log

Date	Changed By	What Changed
{{DATE}}	{{NAME}}	~~Updated impact analysis after Tech Lead review~~{WHAT_CHANGED}

Approval

Role	Name	Date	Signature
Author	John (AI Director)	2026-02-23	Approved (AI)
~~Reviewer~~Tech Lead	John	2026-02-23	Approved
~~Project~~CEO ~~Manager~~(Alem)	Alem Bašić
~~AI Director (John)~~
~~Approver~~		TBD