# Developer Offboarding Guide: Drop — Fintech Payment App

> **Project:** Drop — Remittance + QR Payments
> **Version:** 1.0
> **Date:** 2026-02-23
> **Author:** John (AI Director)
> **Status:** Approved
> **Reviewers:** Alem Bašić (CEO)

## Document History
| Version | Date | Author | Changes |
|---------|------|--------|---------|
| 0.1     | 2026-02-23 | John | Initial offboarding guide — AI-native team context |

---

## 1. Offboarding Overview

**Developer:** {DEVELOPER_NAME}
**Last Session:** {LAST_DATE}
**Manager:** John (AI Director)
**Offboarding Coordinator:** John (AI Director)
**Security Review:** John (AI Director) + Alem Bašić (CEO)

**Departure type:** Agent session completion / Agent role change / Human developer departure

**Drop offboarding context:** Because Drop uses an AI-native team (Builder agents, Validator agents), most "offboarding" is agent session completion — no persistent access to revoke. Human developer offboarding is documented in full below for Alem Bašić or any future human team members.

**Handoff started:** {HANDOFF_START}
**Access revocation deadline:** Same day for involuntary; planned for voluntary

---

## 2. Access Revocation Checklist

**For AI agent team members (Builder / Validator agents):**
Agent sessions are ephemeral — no persistent credentials. Verify:
- [ ] Agent session terminated in Claude Code / Mission Control
- [ ] No API keys or secrets were stored in agent memory or session files
- [ ] All in-progress work committed or documented in Mission Control

**For human developers (Alem Bašić or future hires):**

### Code & Version Control
- [ ] **GitHub (alai-org)** — remove from organization and all Drop repositories
- [ ] **SSH keys** — remove from GitHub: Settings > SSH and GPG keys
- [ ] **Personal access tokens** — revoke all tokens in GitHub settings
- [ ] **Fly.io** — remove from `drop-app` app team (fly.io dashboard → Members)

### Cloud Infrastructure (Fly.io)
- [ ] **Fly.io team** — remove from `drop-app` org/team
- [ ] **Fly.io deploy tokens** — revoke any personal deploy tokens
- [ ] **SSH keys on Fly.io machines** — remove from `~/.ssh/authorized_keys` on app machines

### Secrets & Credentials — CRITICAL FOR FINTECH

**Drop handles financial data. All shared secrets must be rotated immediately on any departure:**

- [ ] **Vaultwarden** (`vault.basicconsulting.no`) — remove user account; rotate all shared vault items they had access to
- [ ] **`JWT_SECRET`** — rotate immediately and deploy the new secret; this invalidates all active user sessions
- [ ] **`BAAS_API_KEY`** — rotate with BaaS partner (SpareBank1 / Swan) — Phase 2
- [ ] **`SUMSUB_API_KEY`** — rotate with Sumsub — Phase 2
- [ ] **Database URL / password** — rotate Fly.io PostgreSQL password (Phase 1+)
- [ ] **GitHub Actions secrets** — rotate any deploy keys / secrets in repo settings
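
The `JWT_SECRET` item above, as an added example (not Drop's code): a post-rotation check that a session token minted under the old secret no longer verifies under the new one. It assumes Drop signs sessions as HS256 JWTs keyed by `JWT_SECRET`; the function names, sample claims and secrets are hypothetical.

```javascript
// Added example, not Drop's code. Assumes sessions are HS256 JWTs keyed by JWT_SECRET.
const crypto = require('node:crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');
const hmac = (secret, msg) => crypto.createHmac('sha256', secret).update(msg).digest();

function signJwt(payload, secret) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  const signingInput = `${head}.${body}`;
  return `${signingInput}.${b64url(hmac(secret, signingInput))}`;
}

// Returns the claims if the token verifies under `secret` and is unexpired, else null.
function verifyJwt(token, secret, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(head, 'base64url').toString('utf8'));
    claims = JSON.parse(Buffer.from(body, 'base64url').toString('utf8'));
  } catch {
    return null;
  }
  if (!header || !claims || header.alg !== 'HS256') return null; // pin the algorithm
  const expected = hmac(secret, `${head}.${body}`);
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null; // constant-time compare
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) return null;
  return claims;
}

// Post-rotation check: a session issued before rotation must fail under the new secret.
function rotationCheck(oldSecret, newSecret, nowSec) {
  const claims = { sub: 'user-123', exp: nowSec + 3600 }; // constructed sample session
  const preRotation = signJwt(claims, oldSecret);
  const postRotation = signJwt(claims, newSecret);
  return {
    secretsDiffer: oldSecret !== newSecret,
    oldTokenRejected: verifyJwt(preRotation, newSecret, nowSec) === null,
    newTokenAccepted: verifyJwt(postRotation, newSecret, nowSec) !== null,
  };
}

// Demo with constructed values; the new secret is 32 random bytes.
const demoNew = crypto.randomBytes(32).toString('base64url');
console.log(rotationCheck('constructed-old-secret', demoNew, Math.floor(Date.now() / 1000)));
```

All three fields should be `true` before the `JWT_SECRET` row in the table below is marked as rotated.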

**All secrets known to this developer:**

| Secret | Location | Rotated | Rotated By |
|--------|---------|---------|-----------|
| `JWT_SECRET` | Vaultwarden + Fly.io secrets | Yes / No | John |
| `BAAS_API_KEY` | Vaultwarden + Fly.io secrets | Yes / No | John |
| `SUMSUB_API_KEY` | Vaultwarden + Fly.io secrets | Yes / No | John |
| Vaultwarden master vault | Vaultwarden | Yes / No | Alem Bašić |

### Third-Party Services
- [ ] **alai-talk.slack.com** — deactivate account; remove from #drop, #drop-security channels
- [ ] **Mission Control** — remove any permanent task assignments

**Access revocation completion signed off by:** John (AI Director) + Alem Bašić (CEO) on {DATE}

---

## 3. Knowledge Transfer

### Active Projects & Ownership Transfer

| Project / Area | Current Status | New Owner | Handoff Complete |
|----------------|---------------|-----------|-----------------|
| Drop Phase 0.5 security hardening | {STATUS} | Builder Agent (next session) | Yes / No |
| Drop Phase 1 BaaS integration | {STATUS} | John (AI Director) | Yes / No |
| Finanstilsynet registration prep | {STATUS} | John (AI Director) | Yes / No |

### Ongoing Work Documentation

| Work Item | Mission Control Task | Status | Documentation | New Owner |
|-----------|---------------------|--------|---------------|-----------|
| {WORK_1} | MC-{ID} | {STATUS} | {LINK} | John |
| {WORK_2} | MC-{ID} | {STATUS} | {LINK} | John |

**Documentation written during knowledge transfer:**
- [ ] All in-progress PRs reviewed and commented
- [ ] Active branches documented and either merged or closed
- [ ] Ongoing investigations/research notes written up in `comms/decisions/`
- [ ] Architecture decisions in progress documented as ADRs
- [ ] Pending operational tasks documented in `docs/OPERATIONS/`

### Key Contacts & Relationships

| Contact | Company / Role | Relationship | Transferred To |
|---------|---------------|--------------|----------------|
| SpareBank1 BD contact | SpareBank1 (potential BaaS) | BaaS partnership pitch | Alem Bašić (CEO) |
| Swan.io contact | Swan (backup BaaS) | BaaS partnership pitch | Alem Bašić (CEO) |
| Finanstilsynet contact | Norwegian FSA | PSD2 registration | Alem Bašić (CEO) + Legal |
| Sumsub account manager | Sumsub (KYC provider) | KYC integration | John (AI Director) |

### Drop-Specific Tribal Knowledge Capture

**Knowledge transfer sessions:**

| Topic | Date | Format | Notes Doc |
|-------|------|--------|-----------|
| Pass-through model ADR-003 | 2026-02-23 | Written in `project/architecture/` | ADR-003 |
| Security audit findings | 2026-02-23 | Written in `security/drop-security-rapport.md` | Security audit |
| BaaS mock implementation | 2026-02-23 | Code in `src/drop-app/lib/baas-mock.ts` | CODE-BAAS.md |

**Capture questions answered:**
1. What breaks in production that only you know how to fix? → SQLite concurrent write limit (200 users); documented in NFR-S01
2. What shortcuts or workarounds exist? → Mock BaaS in `NEXT_PUBLIC_SERVICE_MODE=mock`; documented in CLAUDE.md
3. What external services have non-obvious quirks? → Sumsub webhook signature validation; documented in sumsub-integration.test.ts
4. What technical debt exists? → Documented in `docs/CROSS-CUTTING/tech-debt-log.md`
5. Upcoming risks? → BaaS partner not confirmed; SQLite concurrent limit; documented in risk-register.md

---

## 4. Code Ownership Transfer

### CODEOWNERS Update

```bash
# Review current code ownership assignments
# (No formal CODEOWNERS file yet — John (AI Director) owns all Drop code)

# Transfer to new agent/developer:
# Update CLAUDE.md "Builder" and "Validator" role assignments
# Update Mission Control task ownership
```

- [ ] Mission Control task ownership transferred
- [ ] New builder/validator agents briefed on active tasks
- [ ] John (AI Director) notified of any in-flight architecture decisions

### PR Review Reassignment

- [ ] Open PRs awaiting review: reassigned to Validator Agent (new session)
- [ ] In-progress PR review responsibilities communicated to John (AI Director)

---

## 5. Asset Return

**Drop is AI-native — no physical hardware assets for agent team members.**

For human developer offboarding:

| Asset | Return By | Returned |
|-------|-----------|---------|
| Laptop (ALAI issued, if any) | Last day | Yes / No |
| Access cards / badges (N/A — remote) | — | — |

**IT coordinator:** Alem Bašić (CEO) — contact@alai.no

---

## 6. Exit Interview Topics

**For human developers leaving the Drop project:**

**Exit interview conducted by:** John (AI Director) + Alem Bašić (CEO) (joint, async OK)
**Format:** Written notes in `comms/decisions/YYYY-MM-DD-exit-{name}.md`

**Topics to cover:**
- What did you learn from working on a fintech pass-through payment system?
- Were there any technical decisions you disagreed with? (ADR feedback)
- What gaps exist in the documentation or test coverage?
- Any concerns about the codebase security or compliance you want to flag?
- What would you do differently in Phase 1?

**Exit notes:** Stored in `comms/decisions/` (confidential — CEO + AI Director access only)

---

## 7. Final Checklist Sign-Off

### John (AI Director) Sign-Off

- [ ] All access revocation items completed
- [ ] `JWT_SECRET` and all shared secrets rotated
- [ ] Knowledge transfer complete (ADRs, decisions, tribal knowledge documented)
- [ ] Code ownership transferred in Mission Control
- [ ] All open PRs and tasks handed off
- [ ] Security audit log reviewed for last 30 days (no anomalies)

**John (AI Director):** John | **Date:** {DATE} | **Signature:** Approved (AI)

### Developer Sign-Off

- [ ] All work documented and handed off to new owner
- [ ] No Drop production credentials retained on personal devices
- [ ] Exit interview/notes completed

**Developer:** {DEVELOPER_NAME} | **Date:** {DATE} | **Signature:** ___________

### CEO Sign-Off (Alem Bašić)

- [ ] Vaultwarden access revoked
- [ ] Fly.io team membership confirmed removed
- [ ] Shared BaaS/financial credentials confirmed rotated
- [ ] Business relationships (BaaS, Finanstilsynet, Sumsub contacts) transferred

**Alem Bašić (CEO):** | **Date:** {DATE} | **Signature:** ___________

---

## Related Documents

- [Developer Onboarding Guide](./developer-onboarding-guide.md)
- [Coding Standards](./coding-standards.md)
- [Security Audit Report](../../security/drop-security-rapport.md)

---

## Approval
| Role | Name | Date | Signature |
|------|------|------|-----------|
| Author | John (AI Director) | 2026-02-23 | Approved (AI) |
| Tech Lead | John | 2026-02-23 | Approved |
| CEO (Alem) | Alem Bašić | TBD | |