Developer Offboarding Guide: Drop — Fintech Payment App
Developer Offboarding Guide: Drop — Fintech Payment App
Project: Drop — Remittance + QR Payments Version: 1.0 Date: 2026-02-23 Author: John (AI Director) Status: Approved Reviewers: Alem Bašić (CEO)
Document History
| Version | Date | Author | Changes |
|---|---|---|---|
| 0.1 | 2026-02-23 | John | Initial offboarding guide — AI-native team context |
1. Offboarding Overview
Developer: {DEVELOPER_NAME} Last Session: {LAST_DATE} Manager: John (AI Director) Offboarding Coordinator: John (AI Director) Security Review: John (AI Director) + Alem Bašić (CEO)
Departure type: Agent session completion / Agent role change / Human developer departure
Drop offboarding context: Because Drop uses an AI-native team (Builder agents, Validator agents), most "offboarding" is agent session completion — no persistent access to revoke. Human developer offboarding is documented in full below for Alem Bašić or any future human team members.
Handoff started: {HANDOFF_START} Access revocation deadline: Same day for involuntary; planned for voluntary
2. Access Revocation Checklist
For AI agent team members (Builder / Validator agents): Agent sessions are ephemeral — no persistent credentials. Verify:
- Agent session terminated in Claude Code / Mission Control
- No API keys or secrets were stored in agent memory or session files
- All in-progress work committed or documented in Mission Control
For human developers (Alem Bašić or future hires):
Code & Version Control
- GitHub (alai-org) — remove from organization and all Drop repositories
- SSH keys — remove from GitHub: Settings > SSH and GPG keys
- Personal access tokens — revoke all tokens in GitHub settings
- Fly.io — remove from
drop-appapp team (fly.io dashboard → Members)
Cloud Infrastructure (Fly.io)
- Fly.io team — remove from
drop-apporg/team - Fly.io deploy tokens — revoke any personal deploy tokens
- SSH keys on Fly.io machines — remove from
~/.ssh/authorized_keyson app machines
Secrets & Credentials — CRITICAL FOR FINTECH
Drop handles financial data. All shared secrets must be rotated immediately on any departure:
- Vaultwarden (
vault.basicconsulting.no) — remove user account; rotate all shared vault items they had access to -
JWT_SECRET— rotate immediately; rotate all active user sessions (deploy new secret) -
BAAS_API_KEY— rotate with BaaS partner (SpareBank1 / Swan) — Phase 2 -
SUMSUB_API_KEY— rotate with Sumsub — Phase 2 - Database URL / password — rotate Fly.io PostgreSQL password (Phase 1+)
- GitHub Actions secrets — rotate any deploy keys / secrets in repo settings
All secrets known to this developer:
| Secret | Location | Rotated | Rotated By |
|---|---|---|---|
JWT_SECRET |
Vaultwarden + Fly.io secrets | Yes / No | John |
BAAS_API_KEY |
Vaultwarden + Fly.io secrets | Yes / No | John |
SUMSUB_API_KEY |
Vaultwarden + Fly.io secrets | Yes / No | John |
| Vaultwarden master vault | Vaultwarden | Yes / No | Alem Bašić |
Third-Party Services
- alai-talk.slack.com — deactivate account; remove from #drop, #drop-security channels
- Mission Control — remove any permanent task assignments
Access revocation completion signed off by: John (AI Director) + Alem Bašić (CEO) on {DATE}
3. Knowledge Transfer
Active Projects & Ownership Transfer
| Project / Area | Current Status | New Owner | Handoff Complete |
|---|---|---|---|
| Drop Phase 0.5 security hardening | {STATUS} | Builder Agent (next session) | Yes / No |
| Drop Phase 1 BaaS integration | {STATUS} | John (AI Director) | Yes / No |
| Finanstilsynet registration prep | {STATUS} | John (AI Director) | Yes / No |
Ongoing Work Documentation
| Work Item | Mission Control Task | Status | Documentation | New Owner |
|---|---|---|---|---|
| {WORK_1} | MC-{ID} | {STATUS} | {LINK} | John |
| {WORK_2} | MC-{ID} | {STATUS} | {LINK} | John |
Documentation written during knowledge transfer:
- All in-progress PRs reviewed and commented
- Active branches documented and either merged or closed
- Ongoing investigations/research notes written up in
comms/decisions/ - Architecture decisions in progress documented as ADRs
- Pending operational tasks documented in
docs/OPERATIONS/
Key Contacts & Relationships
| Contact | Company / Role | Relationship | Transferred To |
|---|---|---|---|
| SpareBank1 BD contact | SpareBank1 (potential BaaS) | BaaS partnership pitch | Alem Bašić (CEO) |
| Swan.io contact | Swan (backup BaaS) | BaaS partnership pitch | Alem Bašić (CEO) |
| Finanstilsynet contact | Norwegian FSA | PSD2 registration | Alem Bašić (CEO) + Legal |
| Sumsub account manager | Sumsub (KYC provider) | KYC integration | John (AI Director) |
Drop-Specific Tribal Knowledge Capture
Knowledge transfer sessions:
| Topic | Date | Format | Notes Doc |
|---|---|---|---|
| Pass-through model ADR-003 | 2026-02-23 | Written in project/architecture/ |
ADR-003 |
| Security audit findings | 2026-02-23 | Written in security/drop-security-rapport.md |
Security audit |
| BaaS mock implementation | 2026-02-23 | Code in src/drop-app/lib/baas-mock.ts |
CODE-BAAS.md |
Capture questions answered:
- What breaks in production that only you know how to fix? → SQLite concurrent write limit (200 users); documented in NFR-S01
- What shortcuts or workarounds exist? → Mock BaaS in
NEXT_PUBLIC_SERVICE_MODE=mock; documented in CLAUDE.md - What external services have non-obvious quirks? → Sumsub webhook signature validation; documented in sumsub-integration.test.ts
- What technical debt exists? → Documented in
docs/CROSS-CUTTING/tech-debt-log.md - Upcoming risks? → BaaS partner not confirmed; SQLite concurrent limit; documented in risk-register.md
4. Code Ownership Transfer
CODEOWNERS Update
# Review current code ownership assignments
# (No formal CODEOWNERS file yet — John (AI Director) owns all Drop code)
# Transfer to new agent/developer:
# Update CLAUDE.md "Builder" and "Validator" role assignments
# Update Mission Control task ownership
- Mission Control task ownership transferred
- New builder/validator agents briefed on active tasks
- John (AI Director) notified of any in-flight architecture decisions
PR Review Reassignment
- Open PRs awaiting review: reassigned to Validator Agent (new session)
- In-progress PR review responsibilities communicated to John (AI Director)
5. Asset Return
Drop is AI-native — no physical hardware assets for agent team members.
For human developer offboarding:
| Asset | Return By | Returned |
|---|---|---|
| Laptop (ALAI issued, if any) | Last day | Yes / No |
| Access cards / badges (N/A — remote) | — | — |
IT coordinator: Alem Bašić (CEO) — contact@alai.no
6. Exit Interview Topics
For human developers leaving the Drop project:
Exit interview conducted by: John (AI Director) + Alem Bašić (CEO) (joint, async OK)
Format: Written notes in comms/decisions/YYYY-MM-DD-exit-{name}.md
Topics to cover:
- What did you learn from working on a fintech pass-through payment system?
- Were there any technical decisions you disagreed with? (ADR feedback)
- What gaps exist in the documentation or test coverage?
- Any concerns about the codebase security or compliance you want to flag?
- What would you do differently in Phase 1?
Exit notes: Stored in comms/decisions/ (confidential — CEO + AI Director access only)
7. Final Checklist Sign-Off
John (AI Director) Sign-Off
- All access revocation items completed
-
JWT_SECRETand all shared secrets rotated - Knowledge transfer complete (ADRs, decisions, tribal knowledge documented)
- Code ownership transferred in Mission Control
- All open PRs and tasks handed off
- Security audit log reviewed for last 30 days (no anomalies)
John (AI Director): John | Date: {DATE} | Signature: Approved (AI)
Developer Sign-Off
- All work documented and handed off to new owner
- No Drop production credentials retained on personal devices
- Exit interview/notes completed
Developer: {DEVELOPER_NAME} | Date: {DATE} | Signature: ___________
CEO Sign-Off (Alem Bašić)
- Vaultwarden access revoked
- Fly.io team membership confirmed removed
- Shared BaaS/financial credentials confirmed rotated
- Business relationships (BaaS, Finanstilsynet, Sumsub contacts) transferred
Alem Bašić (CEO): | Date: {DATE} | Signature: ___________
Related Documents
Approval
| Role | Name | Date | Signature |
|---|---|---|---|
| Author | John (AI Director) | 2026-02-23 | Approved (AI) |
| Tech Lead | John | 2026-02-23 | Approved |
| CEO (Alem) | Alem Bašić | TBD |