Developer Offboarding Guide

Developer Offboarding Guide: Drop — Fintech Payment App

Project: Drop — Remittance + QR Payments
Version: 1.0
Date: 2026-02-23
Author: John (AI Director)
Status: Draft | In Review | Approved
Reviewers: Alem Bašić (CEO)

Document History

Version | Date | Author | Changes
0.1 | 2026-02-23 | John | Initial offboarding guide — AI-native team context

1. Offboarding Overview

Developer: {{DEVELOPER_NAME}}
Last Session: {LAST_DATE}
Manager: John (AI Director)
Offboarding Coordinator: John (AI Director)
Security Review: John (AI Director) + Alem Bašić (CEO)

Departure type: Agent session completion / Agent role change / Human developer departure

Drop offboarding context: Because Drop uses an AI-native team (Builder agents, Validator agents), most "offboarding" is agent session completion — no persistent access to revoke. Human developer offboarding is documented in full below for Alem Bašić or any future human team members.

Handoff started: {{HANDOFF_START}}
Access revocation deadline: Same day for involuntary; planned for voluntary


2. Access Revocation Checklist

For AI agent team members (Builder / Validator agents): Agent sessions are ephemeral — no persistent credentials. Verify:

  •  Agent session terminated in Claude Code / Mission Control
  •  No API keys or secrets were stored in agent memory or session files
  •  All in-progress work committed or documented in Mission Control

For human developers (Alem Bašić or future hires):

Code & Version Control

  • GitHub (alai-org) — remove from organization and all Drop repositories
  • SSH keys — remove from all servers and deployment systems
    • ~/.ssh/authorized_keys on servers
    • GitHub: Settings > SSH and GPG keys
  • GPG signing keys — revoke from keyserver if used for commit signing
  • Personal access tokens — revoke all tokens in GitHub settings
  • Fly.io — remove from drop-app app team (fly.io dashboard → Members)

Cloud Infrastructure (Fly.io)

  • Fly.io team — remove user from drop-app org/team
  • Fly.io deploy tokens — revoke any personal deploy tokens
  • SSH keys on Fly.io machines — remove from ~/.ssh/authorized_keys on app machines

Secrets & Credentials — CRITICAL FOR FINTECH

Drop handles financial data. All shared secrets must be rotated immediately on any departure:

  • Vaultwarden (vault.basicconsulting.no) — remove user account; rotate all shared vault items they had access to
  • JWT_SECRET — rotate immediately; rotate all active user sessions (deploy new secret)
  • BAAS_API_KEY — rotate with BaaS partner (SpareBank1 / Swan) — Phase 2
  • SUMSUB_API_KEY — rotate with Sumsub — Phase 2
  • Database URL / password — rotate Fly.io PostgreSQL password (Phase 1+)
  • GitHub Actions secrets — rotate any deploy keys / secrets in repo settings

All secrets known to this developer:

Secret | Location | Rotated | Rotated By
JWT_SECRET | Vaultwarden + Fly.io secrets | Yes / No | John
BAAS_API_KEY | Vaultwarden + Fly.io secrets | Yes / No | John
SUMSUB_API_KEY | Vaultwarden + Fly.io secrets | Yes / No | John
Vaultwarden master vault | Vaultwarden | Yes / No | Alem Bašić
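
The JWT_SECRET item above ties rotation to invalidating active sessions; this added example (not code from the Drop project) shows why, and gives a post-deploy check that tokens issued under the old secret are rejected. It assumes JWT_SECRET is an HS256 (HMAC) signing key, which the page does not state; the secrets, claims and function names are constructed for illustration.

```javascript
// Added example. Assumption: JWT_SECRET is an HS256 signing key.
// All secrets and claims below are constructed, not values from the Drop project.
const crypto = require('crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');

// Mint a compact HS256 JWT for the given claims.
function signJwt(claims, secret) {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(claims));
  const sig = crypto.createHmac('sha256', secret).update(`${header}.${body}`).digest();
  return `${header}.${body}.${b64url(sig)}`;
}

// Return the claims if the signature matches `secret` and the token is unexpired, else null.
function verifyJwt(token, secret, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  const [header, body, sig] = parts;
  let hdr, claims;
  try {
    hdr = JSON.parse(Buffer.from(header, 'base64url').toString());
    claims = JSON.parse(Buffer.from(body, 'base64url').toString());
  } catch { return null; }
  if (hdr.alg !== 'HS256') return null; // pin the algorithm, never trust the header
  const expected = crypto.createHmac('sha256', secret).update(`${header}.${body}`).digest();
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) return null;
  return claims;
}

// Post-rotation check: tokens issued before rotation must verify under the
// old secret only. Any `validAfter: true` means the old secret is still live.
function rotationInvalidatesSessions(samples, oldSecret, newSecret) {
  return samples.map((t) => ({
    validBefore: verifyJwt(t, oldSecret) !== null,
    validAfter: verifyJwt(t, newSecret) !== null,
  }));
}

const OLD_SECRET = 'constructed-old-secret-known-to-departing-dev';
const NEW_SECRET = crypto.randomBytes(32).toString('hex');
const exp = Math.floor(Date.now() / 1000) + 3600;
const samples = ['user-1', 'user-2'].map((sub) => signJwt({ sub, exp }, OLD_SECRET));
console.log(rotationInvalidatesSessions(samples, OLD_SECRET, NEW_SECRET));
```

Because verification depends only on the secret, deploying the new value logs every user out at once; there is no per-session revocation to perform separately.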

Third-Party Services

  • alai-talk.slack.com — deactivate account; remove from #drop, #drop-security channels
  • Mission Control — remove any permanent task assignments

Access revocation completion signed off by: John (AI Director) + Alem Bašić (CEO) on {{DATE}}


3. Knowledge Transfer

Active Projects & Ownership Transfer

Project / Area | Current Status | New Owner | Handoff Complete
Drop Phase 0.5 security hardening | {{STATUS}} | Builder Agent (next session) | Yes / No
Drop Phase 1 BaaS integration | {{STATUS}} | John (AI Director) | Yes / No
Finanstilsynet registration prep | {{STATUS}} | John (AI Director) | Yes / No

Ongoing Work Documentation

Work Item | Mission Control Task | Status | Documentation | New Owner
{WORK_1} | MC-{ID} | {STATUS} | {LINK} | John
{WORK_2} | MC-{ID} | {STATUS} | {LINK} | John

Documentation written during knowledge transfer:

  • All in-progress PRs reviewed and commented
  • Active branches documented and either merged or closed
  • Ongoing investigations/research notes written up in comms/decisions/
  • Architecture decisions in progress documented as ADRs
  • Pending operational tasks documented in docs/OPERATIONS/

Key Contacts & Relationships

Contact | Company / Role | Relationship | Transferred To
SpareBank1 BD contact | SpareBank1 (potential BaaS) | BaaS partnership pitch | Alem Bašić (CEO)
Swan.io contact | Swan (backup BaaS) | BaaS partnership pitch | Alem Bašić (CEO)
Finanstilsynet contact | Norwegian FSA | PSD2 registration | Alem Bašić (CEO) + Legal
Sumsub account manager | Sumsub (KYC provider) | KYC integration | John (AI Director)

Drop-Specific Tribal Knowledge Capture

Knowledge transfer sessions:

Topic | Date | Format | Notes Doc
Pass-through model ADR-003 | 2026-02-23 | Written in project/architecture/ | ADR-003
Security audit findings | 2026-02-23 | Written in security/drop-security-rapport.md | Security audit
BaaS mock implementation | 2026-02-23 | Code in src/drop-app/lib/baas-mock.ts | CODE-BAAS.md

Capture questions answered:

  1. What breaks in production that only you know how to fix? → SQLite concurrent write limit (200 users); documented in NFR-S01
  2. What shortcuts or workarounds exist? → Mock BaaS in NEXT_PUBLIC_SERVICE_MODE=mock; documented in CLAUDE.md
  3. What external services have non-obvious quirks? → Sumsub webhook signature validation; documented in sumsub-integration.test.ts
  4. What technical debt exists? Documented in docs/CROSS-CUTTING/tech-debt-log.md
  5. Upcoming risks? BaaS partner not confirmed; SQLite concurrent limit; documented in risk-register.md

4. Code Ownership Transfer

CODEOWNERS File Update

# Review current code ownership assignments
# (No formal CODEOWNERS file yet — John (AI Director) owns all Drop code)

# Transfer to new agent/developer:
# Update CLAUDE.md "Builder" and "Validator" role assignments
# Update Mission Control task ownership

  • Mission Control task ownership transferred
  • New builder/validator agents briefed on active tasks
  • John (AI Director) notified of any in-flight architecture decisions

PR Review Reassignment

  • Open PRs awaiting their review: reassigned to Validator Agent (new session)
  • In-progress PR review responsibilities communicated to John (AI Director)

5. Asset Return

Drop is AI-native — no physical hardware assets for agent team members.

For human developer offboarding:

Asset | Serial / ID | Return By | Returned | Condition
Laptop (ALAI issued, if any) | {{SERIAL}} | Last day | Yes / No |
Monitor | {{SERIAL}} | {{LAST_DAY}} | Yes / No |
Access cards / badges (N/A — remote) | | {{LAST_DAY}} | Yes / No |
{{OTHER_ASSET}} | | {{LAST_DAY}} | Yes / No |

IT returns coordinator: Alem Bašić (CEO) — [email protected]


6. Exit Interview Topics

For human developers leaving the Drop project:

Exit interview conducted by: John (AI Director) + Alem Bašić (CEO) (joint, async OK)
Format: Written notes in comms/decisions/YYYY-MM-DD-exit-{name}.md

Topics to cover:

  • What did you learn most from working on a fintech pass-through payment system?
  • Were there any technical decisions you disagreed with? (ADR feedback)
  • What gaps exist in the documentation or test coverage?
  • Any concerns about the codebase security or compliance you want to flag?
  • What would you do differently in Phase 1?

Exit interview notes: Stored in comms/decisions/ (confidential — CEO + AI Director access only)


7. Final Checklist Sign-Off

John (AI Director) Sign-Off

  • All access revocation items completed
  • JWT_SECRET and all shared secrets rotated
  • Knowledge transfer complete (ADRs, decisions, tribal knowledge documented)
  • Code ownership transferred in Mission Control
  • All open PRs and tasks handed off with documentation
  • Security audit log reviewed for last 30 days (no anomalies)

John (AI Director): John | Date: {{DATE}} | Signature: Approved (AI)

Developer Sign-Off

  • All work documented and handed off to new owner
  • No Drop production credentials retained on personal devices
  • Exit interview/notes completed

Developer: {{DEVELOPER_NAME}} | Date: {{DATE}} | Signature: ___________

CEO Sign-Off (Alem Bašić)

  • Vaultwarden access revoked
  • Fly.io team membership confirmed removed
  • BaaS/financial credentials confirmed rotated
  • Business relationships (BaaS, Finanstilsynet, Sumsub contacts) transferred

Alem Bašić (CEO): {{SECURITY_REVIEWER}} | Date: {{DATE}} | Signature: ___________



Approval

Role | Name | Date | Signature
Author | John (AI Director) | 2026-02-23 | Approved (AI)
Tech Lead | John | 2026-02-23 | Approved
CEO (Alem) | Alem Bašić | TBD