Coding Standards: Drop — Fintech Payment App

Coding Standards: Drop — Fintech Payment App

Project: Drop — Remittance + QR Payments Version: 1.0 Date: 2026-02-23 Author: John (AI Director) Status: Approved Reviewers: Alem Bašić (CEO)

Document History

Version	Date	Author	Changes
0.1	2026-02-23	John	Initial standards — TypeScript strict, Next.js App Router, fintech security rules

---

Purpose

These standards apply to all code in Drop. When automated tools enforce a rule, the tool wins. When in doubt, optimize for readability — the next AI agent reading your code is trying to understand intent, not guess it.

Non-negotiable: All new code must pass TypeScript strict check, ESLint, and Prettier formatting before merge. No exceptions.

Fintech non-negotiable: Parameterized SQL everywhere. No stored balances. No stored card numbers or CVV. These are encoded as automated tests — failing these means P0.

---

1. Language-Specific Conventions

1.1 Naming Conventions

TypeScript (Drop's primary language):

Type	Convention	Example
Variables	camelCase	userId, kycStatus
Functions	camelCase	hashPassword(), calculateFee()
Classes	PascalCase	TransactionService
Interfaces	PascalCase (no I prefix)	User, TransactionResult
Types	PascalCase	KycStatus, CurrencyCode
Enums	PascalCase	TransactionType, KycStatus
Constants	UPPER_SNAKE_CASE	REMITTANCE_FEE_RATE, MIN_AMOUNT_NOK
Files — components	PascalCase.tsx	SendMoneyForm.tsx
Files — utilities	camelCase.ts	calculateFee.ts, verifyJWT.ts
Files — API routes	route.ts (Next.js convention)	app/api/auth/login/route.ts
Test files	{name}.test.ts	auth.test.ts, db.test.ts
E2E test files	{name}.spec.ts	user-flows.spec.ts

Drop-specific constants:

// Fee rates (business rules — change requires CEO approval + ADR)
const REMITTANCE_FEE_RATE = 0.005;  // 0.5%
const QR_MERCHANT_FEE_RATE = 0.01;  // 1%
const MIN_REMITTANCE_NOK = 100;
const MAX_REMITTANCE_NOK = 50_000;

// Supported corridors
const SUPPORTED_CURRENCIES = ['RSD', 'BAM', 'PKR', 'TRY', 'PLN', 'EUR'] as const;
type CurrencyCode = typeof SUPPORTED_CURRENCIES[number];

1.2 File Organization

src/drop-app/src/
├── app/
│   ├── api/                  # Next.js API Routes
│   │   ├── auth/
│   │   │   ├── login/route.ts
│   │   │   ├── register/route.ts
│   │   │   └── me/route.ts
│   │   ├── transactions/
│   │   │   ├── remittance/route.ts
│   │   │   └── qr-payment/route.ts
│   │   └── rates/
│   │       ├── route.ts           # GET /api/rates
│   │       └── [currency]/route.ts # GET /api/rates/RSD
│   └── (app)/               # Protected pages (dashboard, send-money, etc.)
├── lib/
│   ├── auth.ts              # JWT, bcrypt, session helpers
│   ├── db.ts                # SQLite/PostgreSQL client
│   ├── validate.ts          # Zod schemas for input validation
│   └── fee.ts               # Fee calculation functions
└── components/
    ├── drop-logo.tsx        # Brand logo component
    └── ui/                  # Shared UI components

Rules:

• One route handler per file (route.ts in Next.js App Router)
• Business logic extracted to lib/ — never inline in route handlers
• Test files co-located with source files in __tests__/

1.3 Import Ordering

// 1. Node built-ins
import { cookies } from 'next/headers';

// 2. External dependencies (node_modules)
import { z } from 'zod';
import * as bcrypt from 'bcrypt';
import { SignJWT, jwtVerify } from 'jose';

// 3. Internal — absolute paths (@/ alias)
import { db } from '@/lib/db';
import { verifyJWT } from '@/lib/auth';
import type { User } from '@/lib/types';

// 4. Internal — relative paths
import { validateRemittanceBody } from './validate';

Enforced by: ESLint import/order rule

1.4 Error Handling Patterns

// PREFERRED — consistent HTTP error responses in Next.js API routes
export async function POST(request: Request): Promise<Response> {
  let body: unknown;
  try {
    body = await request.json();
  } catch {
    return Response.json({ error: 'Invalid JSON body' }, { status: 400 });
  }

  const validation = remittanceSchema.safeParse(body);
  if (!validation.success) {
    return Response.json(
      { error: 'Validation failed', details: validation.error.flatten() },
      { status: 422 }
    );
  }

  // Business logic in lib/ — throws typed errors
  try {
    const result = await processRemittance(validation.data);
    return Response.json(result, { status: 201 });
  } catch (error) {
    if (error instanceof InsufficientBalanceError) {
      return Response.json({ error: 'Insufficient balance' }, { status: 402 });
    }
    if (error instanceof KycRequiredError) {
      return Response.json({ error: 'KYC verification required' }, { status: 403 });
    }
    // Never expose internal errors
    console.error('Unhandled error in remittance:', error);
    return Response.json({ error: 'Internal server error' }, { status: 500 });
  }
}

Rules:

• NEVER return stack traces or DB error messages to the client
• NEVER use any type — TypeScript strict mode enforces this
• NEVER swallow errors silently
• Use 402 for Insufficient Balance (fintech convention), not 400
• Error messages in Norwegian for user-facing validation

---

2. Code Formatting

2.1 Formatter

Language	Tool	Config File	Enforced In
TypeScript / JavaScript	Prettier	.prettierrc	CI + pre-commit hook
JSON / YAML	Prettier	.prettierrc	CI + pre-commit hook

Key formatting rules:

• Indentation: 2 spaces
• Max line length: 100 characters
• Semicolons: required
• Trailing commas: all (ES2020)
• Quotes: single quotes

Auto-format on save: Enabled via .vscode/settings.json (see local-development-setup.md)

2.2 Linter

Language	Tool	Config	Rules Severity
TypeScript	ESLint + TypeScript-ESLint	.eslintrc.json	Error = blocks CI

Linting rules that are errors (block CI):

• @typescript-eslint/no-explicit-any — no any types
• no-console (except console.error in server code)
• @typescript-eslint/no-unused-vars
• SQL string concatenation (custom Drop rule)

Disable linting inline (sparingly):

// eslint-disable-next-line @typescript-eslint/no-explicit-any -- External library returns untyped response
const rawResponse: any = await externalLibrary.call();

Every inline disable must have a comment explaining why.

---

3. Git Conventions

3.1 Commit Message Format

Standard: Conventional Commits

Format:

<type>(<scope>): <description>

[optional body]

[optional footer(s)]

Types:

Type	When to Use
feat	New feature
fix	Bug fix
docs	Documentation only
style	Formatting changes (no logic change)
refactor	Code change that neither fixes a bug nor adds a feature
test	Adding or updating tests
chore	Build system, dependency updates, CI changes
perf	Performance improvements
security	Security fix or hardening

Drop examples:

feat(auth): add bcrypt rounds configuration via env var
fix(transactions): prevent double-spend with per-user lock
test(db): add assertion that users table has no balance column
security(middleware): add CSRF protection to all mutating endpoints
chore: upgrade Next.js to 15.x patch

Breaking changes:

feat(api)!: rename /api/transactions/send to /api/transactions/remittance

BREAKING CHANGE: All clients must update API calls to new path

3.2 Branch Naming Convention

Type	Pattern	Example
Feature	feature/MC-{task-id}-description	feature/MC-042-rate-limiting
Bug fix	fix/MC-{task-id}-description	fix/MC-051-double-spend
Hotfix	hotfix/MC-{task-id}-description	hotfix/MC-060-jwt-bypass
Security	security/MC-{task-id}-description	security/MC-070-csrf-fix
Chore	chore/MC-{task-id}-description	chore/MC-080-upgrade-deps

Rules:

• Lowercase only; hyphens, not underscores
• Always include Mission Control task ID (MC-{id})

3.3 PR Title & Description Format

Title format: Same as commit message: type(scope): description

Required PR description sections:

1. What: What does this PR do? (bullet points)
2. Why: Which Mission Control task / acceptance criterion?
3. Pass-through model check: Does this change touch DB schema? If yes, confirm no balance/CVV columns added
4. Tests: What tests were added/modified?
5. Security: Does this touch auth, payments, or input validation?

3.4 PR Size Guidelines

Size	Lines Changed	Status
Small	< 200	Ideal — review same session
Medium	200-400	Acceptable
Large	400-800	Needs justification — split if possible
Extra Large	> 800	Exceptional only — must be pre-approved by John

---

4. Code Review Guidelines

4.1 What to Look For (Validator Agent Checklist)

Reviewers must check:

• Pass-through model invariant: no balance column; no card_number or cvv
• Parameterized SQL — no string interpolation in any DB query
• bcrypt used for passwords — SHA-256 explicitly forbidden
• JWT secret not hardcoded; not in response body
• Rate limiting applies to new auth/transaction endpoints
• Input validation (Zod schema) on all new request bodies
• Error messages don't leak internal state
• Fee calculations correct (0.5% remittance; 1% QR)
• Tests cover the change and edge cases

Reviewers should NOT block on:

• Personal style preferences covered by Prettier/ESLint (the linter decides)
• Minor refactors not related to the PR's scope

4.2 Review Turnaround

PR Type	First review
Security / Critical fix	Same session
Standard feature	Within 1 session

4.3 Approval Requirements

Branch	Required Approvals
main	Validator agent approval + John (AI Director) sign-off
Feature branches	Validator agent approval
Hotfix	John (AI Director) or Alem Bašić (CEO) approval — async OK

4.4 Constructive Review Feedback

• nit: — Minor issue, not a blocker
• question: — Need clarification
• suggestion: — Improvement idea (not required)
• blocker: — Must be fixed before merge (e.g., SQL injection risk, bcrypt bypass)

---

5. Testing Standards

5.1 Test Naming Conventions

// Vitest format: describe → it('should [behavior] when [condition]')
describe('hashPassword', () => {
  it('should return a bcrypt hash starting with $2', async () => { ... });
  it('should reject SHA-256 hashes at verify time', async () => { ... });
  it('should reject passwords longer than 1000 characters', async () => { ... });
});

describe('calculateRemittanceFee', () => {
  it('should return 5 NOK fee for 1000 NOK amount', () => { ... });
  it('should reject amounts below 100 NOK', () => { ... });
});

5.2 Test Organization

src/drop-app/__tests__/
├── auth.test.ts              # Unit: bcrypt, JWT, password validation
├── validation.test.ts        # Unit: input validation, XSS, injection
├── transactions.test.ts      # Unit: fee calculation, transaction logic
├── rates.test.ts             # Unit: exchange rates
├── api-endpoints.test.ts     # Integration: all 26 API routes
├── db.test.ts                # Integration: schema compliance, FK constraints
├── middleware.test.ts        # Integration: rate limiting, auth, CSRF
├── api-benchmarks.test.ts    # Performance: bcrypt timing, DB queries
├── feature-flags.test.ts     # Unit: feature flag behavior
├── regression-suite.test.ts  # Regression: critical path smoke
├── sumsub-integration.test.ts # Integration: KYC webhook mock
├── cards-integration.test.ts  # Integration: cards (feature-flagged)
└── e2e/
    ├── user-flows.spec.ts    # E2E: registration, login
    ├── full-flows.spec.ts    # E2E: remittance, QR payment
    └── input-chaos.spec.ts   # E2E: 20+ validation edge cases

5.3 Mocking Guidelines

// PREFERRED: Mock BaaS at the module level (NEXT_PUBLIC_SERVICE_MODE=mock)
// The mock mode is configured via env var — no vi.mock() needed for BaaS

// PREFERRED for unit tests: vi.mock for db queries
vi.mock('@/lib/db', () => ({
  db: {
    query: vi.fn(),
    run: vi.fn(),
  }
}));

// For integration tests: use real SQLite in-memory DB
// (configured in vitest.config.ts — no mock needed)

// NEVER mock the pass-through model assertions in db.test.ts
// NEVER mock the bcrypt rejection tests in auth.test.ts

5.4 Coverage Requirements

Layer	Lines	Branches	Notes
Auth module	100%	100%	Fintech security — strictly enforced
Transaction logic	100%	100%	Fee calculation — strictly enforced
API handlers	≥ 80%	≥ 70%
Input validation	≥ 90%	≥ 85%	Security-critical
DB layer	≥ 90%	—	Compliance assertions required
Overall minimum	≥ 80%	—	CI gate

---

6. Documentation Standards

6.1 When to Add Comments

// GOOD — explains WHY (not obvious from code)
// Bcrypt rounds set to 12 (not 10) per NFR-SEC02 fintech standard.
// Using 10 rounds would be faster but falls below security threshold.
const BCRYPT_ROUNDS = parseInt(process.env.BCRYPT_ROUNDS ?? '12', 10);

// GOOD — documents non-obvious business rule
// Fee is calculated on gross amount, not total debit (gross + fee)
// This is required by Drop's pass-through model (ADR-003)
const fee = amount * REMITTANCE_FEE_RATE;

// BAD — restates what code says
// Multiply amount by fee rate
const fee = amount * REMITTANCE_FEE_RATE;

Comment when:

• A fintech business rule is implemented (always cite the rule)
• A security decision was made (e.g., why bcrypt rounds = 12)
• A workaround exists for an external system quirk

6.2 ADR Format

Write an Architecture Decision Record when:

• Changing the database (SQLite → PostgreSQL)
• Changing the authentication mechanism (DOB → BankID)
• Modifying the fee model (new corridor, new fee rate)
• Adding a new BaaS partner

ADR location: comms/decisions/YYYY-MM-DD-decision-title.md

6.3 API Documentation

When adding a new API endpoint, update docs/backend/API-REFERENCE.md:

• Method + path
• Authentication required (Yes/No)
• Request body schema (Zod type → JSON example)
• Response schema (success + all error codes)

---

7. Security Coding Practices — Drop Fintech Standards

Practice	Rule
SQL queries	NEVER string interpolation. Always parameterized queries (better-sqlite3 ? placeholders)
Password hashing	bcrypt ONLY with 12 rounds in production. SHA-256 hashes are REJECTED at login
JWT	jose library only. Secret via JWT_SECRET env var. Fail fast if missing
Input validation	Zod schemas on ALL API route request bodies. Server-side only — never trust client
Pass-through model	NEVER add balance column to users. NEVER add card_number or cvv to cards
Rate limiting	DB-backed rate limiter (not in-memory). Auth: 10/min; General: 60/min
CSRF	CSRF token required on all POST/PATCH/DELETE endpoints
Cookie settings	JWT: httpOnly, SameSite=Strict, Secure in production
Logging	NEVER log passwords, JWT tokens, card numbers, or full phone numbers
Error messages	NEVER expose DB errors, stack traces, or internal state to users
Dependencies	Run npm audit before adding any dependency. No HIGH/CRITICAL CVEs

Security review trigger: Any PR touching auth, payments, DB schema, or input validation must be reviewed by Validator agent AND flagged to John (AI Director).

---

8. Performance Coding Practices

Practice	Rule
Database queries	One bounded query per API call where possible. Use JOIN instead of N+1
Pagination	Never load all transactions in history — always paginate (default: 20 per page)
bcrypt	Password max length = 1,000 chars (validation before bcrypt to prevent DoS)
SQLite	Use WAL mode for concurrent reads. Serialize writes (one at a time)
Next.js	Use Server Components for static/cached data; Client Components for interactive UI
Bundle size	Run npm run build and check bundle analyzer before UI changes

---

Related Documents

• Developer Onboarding Guide
• Local Development Setup
• Test Strategy
• Definition of Done

---

Approval

Role	Name	Date	Signature
Author	John (AI Director)	2026-02-23	Approved (AI)
QA Lead	Validator Agent	2026-02-23	Approved (AI)
Tech Lead	John	2026-02-23	Approved
CEO (Alem)	Alem Bašić	TBD