Developer Offboarding Guide: Drop — Fintech Payment App

Developer Offboarding Guide: Drop — Fintech Payment App

Project: Drop — Remittance + QR Payments Version: 1.0 Date: 2026-02-23 Author: John (AI Director) Status: Approved Reviewers: Alem Bašić (CEO)

Document History

Version	Date	Author	Changes
0.1	2026-02-23	John	Initial offboarding guide — AI-native team context

---

1. Offboarding Overview

Developer: {DEVELOPER_NAME} Last Session: {LAST_DATE} Manager: John (AI Director) Offboarding Coordinator: John (AI Director) Security Review: John (AI Director) + Alem Bašić (CEO)

Departure type: Agent session completion / Agent role change / Human developer departure

Drop offboarding context: Because Drop uses an AI-native team (Builder agents, Validator agents), most "offboarding" is agent session completion — no persistent access to revoke. Human developer offboarding is documented in full below for Alem Bašić or any future human team members.

Handoff started: {HANDOFF_START} Access revocation deadline: Same day for involuntary; planned for voluntary

---

2. Access Revocation Checklist

For AI agent team members (Builder / Validator agents): Agent sessions are ephemeral — no persistent credentials. Verify:

• Agent session terminated in Claude Code / Mission Control
• No API keys or secrets were stored in agent memory or session files
• All in-progress work committed or documented in Mission Control

For human developers (Alem Bašić or future hires):

Code & Version Control

• GitHub (alai-org) — remove from organization and all Drop repositories
• SSH keys — remove from GitHub: Settings > SSH and GPG keys
• Personal access tokens — revoke all tokens in GitHub settings
• Fly.io — remove from drop-app app team (fly.io dashboard → Members)

Cloud Infrastructure (Fly.io)

• Fly.io team — remove from drop-app org/team
• Fly.io deploy tokens — revoke any personal deploy tokens
• SSH keys on Fly.io machines — remove from ~/.ssh/authorized_keys on app machines

Secrets & Credentials — CRITICAL FOR FINTECH

Drop handles financial data. All shared secrets must be rotated immediately on any departure:

• Vaultwarden (vault.basicconsulting.no) — remove user account; rotate all shared vault items they had access to
• JWT_SECRET — rotate immediately; rotate all active user sessions (deploy new secret)
• BAAS_API_KEY — rotate with BaaS partner (SpareBank1 / Swan) — Phase 2
• SUMSUB_API_KEY — rotate with Sumsub — Phase 2
• Database URL / password — rotate Fly.io PostgreSQL password (Phase 1+)
• GitHub Actions secrets — rotate any deploy keys / secrets in repo settings

All secrets known to this developer:

Secret	Location	Rotated	Rotated By
JWT_SECRET	Vaultwarden + Fly.io secrets	Yes / No	John
BAAS_API_KEY	Vaultwarden + Fly.io secrets	Yes / No	John
SUMSUB_API_KEY	Vaultwarden + Fly.io secrets	Yes / No	John
Vaultwarden master vault	Vaultwarden	Yes / No	Alem Bašić

Third-Party Services

• alai-talk.slack.com — deactivate account; remove from #drop, #drop-security channels
• Mission Control — remove any permanent task assignments

Access revocation completion signed off by: John (AI Director) + Alem Bašić (CEO) on {DATE}

---

3. Knowledge Transfer

Active Projects & Ownership Transfer

Project / Area	Current Status	New Owner	Handoff Complete
Drop Phase 0.5 security hardening	{STATUS}	Builder Agent (next session)	Yes / No
Drop Phase 1 BaaS integration	{STATUS}	John (AI Director)	Yes / No
Finanstilsynet registration prep	{STATUS}	John (AI Director)	Yes / No

Ongoing Work Documentation

Work Item	Mission Control Task	Status	Documentation	New Owner
{WORK_1}	MC-{ID}	{STATUS}	{LINK}	John
{WORK_2}	MC-{ID}	{STATUS}	{LINK}	John

Documentation written during knowledge transfer:

• All in-progress PRs reviewed and commented
• Active branches documented and either merged or closed
• Ongoing investigations/research notes written up in comms/decisions/
• Architecture decisions in progress documented as ADRs
• Pending operational tasks documented in docs/OPERATIONS/

Key Contacts & Relationships

Contact	Company / Role	Relationship	Transferred To
SpareBank1 BD contact	SpareBank1 (potential BaaS)	BaaS partnership pitch	Alem Bašić (CEO)
Swan.io contact	Swan (backup BaaS)	BaaS partnership pitch	Alem Bašić (CEO)
Finanstilsynet contact	Norwegian FSA	PSD2 registration	Alem Bašić (CEO) + Legal
Sumsub account manager	Sumsub (KYC provider)	KYC integration	John (AI Director)

Drop-Specific Tribal Knowledge Capture

Knowledge transfer sessions:

Topic	Date	Format	Notes Doc
Pass-through model ADR-003	2026-02-23	Written in project/architecture/	ADR-003
Security audit findings	2026-02-23	Written in security/drop-security-rapport.md	Security audit
BaaS mock implementation	2026-02-23	Code in src/drop-app/lib/baas-mock.ts	CODE-BAAS.md

Capture questions answered:

1. What breaks in production that only you know how to fix? → SQLite concurrent write limit (200 users); documented in NFR-S01
2. What shortcuts or workarounds exist? → Mock BaaS in NEXT_PUBLIC_SERVICE_MODE=mock; documented in CLAUDE.md
3. What external services have non-obvious quirks? → Sumsub webhook signature validation; documented in sumsub-integration.test.ts
4. What technical debt exists? → Documented in docs/CROSS-CUTTING/tech-debt-log.md
5. Upcoming risks? → BaaS partner not confirmed; SQLite concurrent limit; documented in risk-register.md

---

4. Code Ownership Transfer

CODEOWNERS Update

# Review current code ownership assignments
# (No formal CODEOWNERS file yet — John (AI Director) owns all Drop code)

# Transfer to new agent/developer:
# Update CLAUDE.md "Builder" and "Validator" role assignments
# Update Mission Control task ownership

• Mission Control task ownership transferred
• New builder/validator agents briefed on active tasks
• John (AI Director) notified of any in-flight architecture decisions

PR Review Reassignment

• Open PRs awaiting review: reassigned to Validator Agent (new session)
• In-progress PR review responsibilities communicated to John (AI Director)

---

5. Asset Return

Drop is AI-native — no physical hardware assets for agent team members.

For human developer offboarding:

Asset	Return By	Returned
Laptop (ALAI issued, if any)	Last day	Yes / No
Access cards / badges (N/A — remote)	—	—

IT coordinator: Alem Bašić (CEO) — [email protected]

---

6. Exit Interview Topics

For human developers leaving the Drop project:

Exit interview conducted by: John (AI Director) + Alem Bašić (CEO) (joint, async OK) Format: Written notes in comms/decisions/YYYY-MM-DD-exit-{name}.md

Topics to cover:

• What did you learn from working on a fintech pass-through payment system?
• Were there any technical decisions you disagreed with? (ADR feedback)
• What gaps exist in the documentation or test coverage?
• Any concerns about the codebase security or compliance you want to flag?
• What would you do differently in Phase 1?

Exit notes: Stored in comms/decisions/ (confidential — CEO + AI Director access only)

---

7. Final Checklist Sign-Off

John (AI Director) Sign-Off

• All access revocation items completed
• JWT_SECRET and all shared secrets rotated
• Knowledge transfer complete (ADRs, decisions, tribal knowledge documented)
• Code ownership transferred in Mission Control
• All open PRs and tasks handed off
• Security audit log reviewed for last 30 days (no anomalies)

John (AI Director): John | Date: {DATE} | Signature: Approved (AI)

Developer Sign-Off

• All work documented and handed off to new owner
• No Drop production credentials retained on personal devices
• Exit interview/notes completed

Developer: {DEVELOPER_NAME} | Date: {DATE} | Signature: ___________

CEO Sign-Off (Alem Bašić)

• Vaultwarden access revoked
• Fly.io team membership confirmed removed
• Shared BaaS/financial credentials confirmed rotated
• Business relationships (BaaS, Finanstilsynet, Sumsub contacts) transferred

Alem Bašić (CEO): | Date: {DATE} | Signature: ___________

---

Related Documents

• Developer Onboarding Guide
• Coding Standards
• Security Audit Report

---

Approval

Role	Name	Date	Signature
Author	John (AI Director)	2026-02-23	Approved (AI)
Tech Lead	John	2026-02-23	Approved
CEO (Alem)	Alem Bašić	TBD