# Bilko Documentation Index

# Bilko Documentation Index

**Last updated:** 2026-02-25
**Total documents:** 90
**Status:** 32 Final / 58 Draft

---

## Quick Links
- [Project Handbook](../CLAUDE.md)
- [Pipeline](../PIPELINE.md)
- [High-Level Design](HLD.md)
- [Low-Level Design](LLD.md)
- [Validation Report](VALIDATION-REPORT.md)
- [Open Banking Strategy](open-banking/balkan-open-banking-strategy.md)

---

## Business Requirements
*6 documents*

| Document | Description | Status |
|---|---|---|
| [Acceptance Criteria](business-requirements/ACCEPTANCE-CRITERIA.md) | Feature acceptance criteria and DoD per module | Draft |
| [BRD](business-requirements/BRD.md) | Business Requirements Document — project goals, stakeholders, scope | Draft |
| [Functional Requirements](business-requirements/FUNCTIONAL-REQUIREMENTS.md) | Detailed functional requirements for all features | Draft |
| [Non-Functional Requirements](business-requirements/NON-FUNCTIONAL-REQUIREMENTS.md) | Performance, scalability, reliability, and quality requirements | Draft |
| [Requirements Traceability Matrix](business-requirements/RTM.md) | Maps requirements to implementation and tests | Draft |
| [User Stories](business-requirements/USER-STORIES.md) | Agile user stories with acceptance criteria by epic | Draft |

---

## Architecture
*6 documents*

| Document | Description | Status |
|---|---|---|
| [ADR](architecture/ADR.md) | Architecture Decision Records — key technical decisions and rationale | Final |
| [API Specification](architecture/API-SPECIFICATION.md) | OpenAPI v3 specification for the Bilko REST API | Final |
| [Data Flow](architecture/DATA-FLOW.md) | Data flow diagrams — user actions, API calls, DB interactions | Draft |
| [Database Schema Document](architecture/DATABASE-SCHEMA-DOCUMENT.md) | Full database schema documentation for bilko_production | Draft |
| [Integration Design](architecture/INTEGRATION-DESIGN.md) | External integrations — SEF, eRačun, SendGrid, ECB/Fixer.io, Cloudflare R2 | Draft |
| [Module Design](architecture/MODULE-DESIGN.md) | Design of @bilko/core accounting core module (Turborepo package) | Draft |

---

## Backend
*14 documents*

| Document | Description | Status |
|---|---|---|
| [API Coverage Report](backend/API-COVERAGE-REPORT.md) | Maps every frontend page to required API endpoints | Draft |
| [API Reference](backend/API-REFERENCE.md) | Full REST API reference with endpoints, schemas, and examples | Draft |
| [Authentication](backend/AUTHENTICATION.md) | Auth architecture — JWT, sessions, OAuth, and RBAC design | Draft |
| [Backend Architecture](backend/BACKEND-ARCHITECTURE.md) | Node.js/Express service architecture overview | Draft |
| [Business Logic](backend/BUSINESS-LOGIC.md) | Core accounting rules — invoicing, VAT calculation, journal entries | Draft |
| [Database Schema](backend/DATABASE-SCHEMA.md) | Prisma schema reference — implemented PostgreSQL data model | Final |
| [Error Codes Catalog](backend/ERROR-CODES-CATALOG.md) | Complete error code catalog with HTTP status, cause, and resolution | Final |
| [Event Schema](backend/EVENT-SCHEMA.md) | Domain event definitions for the event-driven architecture | Draft |
| [External Services](backend/EXTERNAL-SERVICES.md) | Third-party integrations — fiscal APIs, payment providers | Draft |
| [Middleware Design](backend/MIDDLEWARE-DESIGN.md) | Express middleware stack — auth, logging, rate limiting design | Draft |
| [Middleware](backend/MIDDLEWARE.md) | Middleware configuration and execution order specification | Draft |
| [Roles and Permissions](backend/ROLES-AND-PERMISSIONS.md) | RBAC model — roles, permissions, and resource access matrix | Final |
| [Service Design](backend/SERVICE-DESIGN.md) | Service layer design for all backend services | Draft |
| [Services](backend/SERVICES.md) | Service catalogue — external APIs and integrations consumed | Draft |

---

## Frontend
*7 documents*

| Document | Description | Status |
|---|---|---|
| [Accessibility Audit](frontend/ACCESSIBILITY-AUDIT.md) | WCAG 2.1 AA accessibility audit and remediation plan | Draft |
| [Component Inventory](frontend/COMPONENT-INVENTORY.md) | Full inventory of React components in apps/web/components/ | Final |
| [Design System](frontend/DESIGN-SYSTEM.md) | Design tokens, color palette, typography, and spacing system | Final |
| [Forms](frontend/FORMS.md) | Form inventory, validation patterns, and react-hook-form migration plan | Final |
| [Frontend Architecture](frontend/FRONTEND-ARCHITECTURE.md) | Next.js 15 App Router architecture, routing, and rendering strategy | Draft |
| [Pages](frontend/PAGES.md) | All implemented pages with routes, components, and data requirements | Final |
| [State Management](frontend/STATE-MANAGEMENT.md) | Current React hooks state + Zustand migration plan | Final |

---

## Security & Compliance
*8 documents*

| Document | Description | Status |
|---|---|---|
| [Breach Response Plan](security/BREACH-RESPONSE-PLAN.md) | IRP-SEC-001 — Incident response procedures for data breaches | Final |
| [Compliance Framework](security/COMPLIANCE-FRAMEWORK.md) | GDPR, PCI-DSS, and regional compliance requirements overview | Final |
| [Compliance Status](security/COMPLIANCE.md) | Current compliance posture — gaps and remediation roadmap | Draft |
| [Data Encryption Policy](security/DATA-ENCRYPTION-POLICY.md) | POL-SEC-ENC-001 — Encryption standards for data at rest and in transit | Final |
| [DPIA](security/DPIA.md) | Data Protection Impact Assessment for processing personal financial data | Final |
| [Key Management Policy](security/KEY-MANAGEMENT-POLICY.md) | POL-SEC-KM-001 — Cryptographic key lifecycle management | Final |
| [Security Architecture](security/SECURITY-ARCHITECTURE.md) | Security design — auth, network security, secrets, and threat model | Draft |
| [Security Testing Policy](security/SECURITY-TESTING-POLICY.md) | POL-SEC-TEST-001 — SAST, DAST, and penetration testing requirements | Final |

---

## Testing & QA
*7 documents — see also [Test Plan](TEST-PLAN.md) in Standalone*

| Document | Description | Status |
|---|---|---|
| [Definition of Done](testing/DEFINITION-OF-DONE.md) | DoD checklist for features, sprints, and releases | Draft |
| [E2E Test Plan](testing/E2E-TEST-PLAN.md) | End-to-end testing plan with Playwright test scenarios | Draft |
| [Performance Test Plan](testing/PERFORMANCE-TEST-PLAN.md) | Load and stress testing targets and methodology | Draft |
| [Test Case Template](testing/TEST-CASE-TEMPLATE.md) | Standard template for writing and documenting test cases | Draft |
| [Test Inventory](testing/TEST-INVENTORY.md) | Catalogue of all planned tests — unit, integration, E2E | Draft |
| [Test Strategy](testing/TEST-STRATEGY.md) | Overall testing strategy — scope, tools, and coverage targets | Draft |
| [Testing Guide](testing/TESTING-GUIDE.md) | Developer guide for running and writing tests | Draft |

---

## Infrastructure & DevOps
*6 documents*

| Document | Description | Status |
|---|---|---|
| [CI/CD Pipeline](infrastructure/CI-CD.md) | GitHub Actions pipeline design — build, test, deploy stages | Draft |
| [Deployment Guide](infrastructure/DEPLOYMENT.md) | Target deployment architecture — Railway/Fly.io, Postgres, S3 | Draft |
| [Disaster Recovery](infrastructure/DISASTER-RECOVERY.md) | DR plan — RTO/RPO targets, backup strategy, failover procedures | Draft |
| [Environment Configuration](infrastructure/ENVIRONMENT.md) | Environment variables, secrets management, dev/staging/prod config | Draft |
| [Infrastructure as Code](infrastructure/IAC.md) | Terraform/IaC specifications for cloud infrastructure | Draft |
| [Monitoring & Observability](infrastructure/MONITORING.md) | Metrics, logging, alerting, and observability stack design | Draft |

---

## Operations
*5 documents*

| Document | Description | Status |
|---|---|---|
| [Go-Live Runbook](operations/GO-LIVE-RUNBOOK.md) | Step-by-step production launch checklist and procedures | Draft |
| [Incident Report](operations/INCIDENT-REPORT.md) | Incident report template and reporting process | Draft |
| [Operational Runbook](operations/OPERATIONAL-RUNBOOK.md) | Day-to-day ops procedures — deployments, rollbacks, monitoring | Draft |
| [Post-Mortem](operations/POST-MORTEM.md) | Post-incident analysis template and blameless review process | Draft |
| [SLA Report](operations/SLA-REPORT.md) | SLA definitions and monthly performance reporting template | Draft |

---

## Governance
*5 documents*

| Document | Description | Status |
|---|---|---|
| [Communication Plan](governance/COMMUNICATION-PLAN.md) | Stakeholder communication cadence and channels | Draft |
| [Project Brief](governance/PROJECT-BRIEF.md) | One-page project summary — scope, goals, and constraints | Draft |
| [Project Charter](governance/PROJECT-CHARTER.md) | Formal project authorization — objectives, budget, and authority | Draft |
| [RACI Matrix](governance/RACI-MATRIX.md) | Responsibility assignment for all project activities | Draft |
| [Risk Register](governance/RISK-REGISTER.md) | Identified risks with probability, impact, and mitigation | Draft |

---

## Release
*4 documents*

| Document | Description | Status |
|---|---|---|
| [Deployment Checklist](release/DEPLOYMENT-CHECKLIST.md) | Pre/post-deployment verification checklist | Draft |
| [Release Notes](release/RELEASE-NOTES.md) | Release notes template and changelog format | Draft |
| [Rollback Plan](release/ROLLBACK-PLAN.md) | Rollback procedures and decision criteria | Draft |
| [UAT Sign-Off](release/UAT-SIGNOFF.md) | User acceptance testing sign-off template | Draft |

---

## Developer Experience
*4 documents*

| Document | Description | Status |
|---|---|---|
| [Coding Standards](developer-experience/CODING-STANDARDS.md) | TypeScript, ESLint, Prettier, and project-specific code conventions | Draft |
| [Developer Offboarding](developer-experience/DEVELOPER-OFFBOARDING.md) | Knowledge transfer and access revocation checklist | Draft |
| [Developer Onboarding](developer-experience/DEVELOPER-ONBOARDING.md) | New developer orientation — codebase, tools, and first contribution | Draft |
| [Local Development Setup](developer-experience/LOCAL-DEVELOPMENT-SETUP.md) | Step-by-step local environment setup with prerequisites | Draft |

---

## Cross-Cutting
*3 documents*

| Document | Description | Status |
|---|---|---|
| [Change Request](cross-cutting/CHANGE-REQUEST.md) | Change request process, templates, and approval workflow | Draft |
| [Lessons Learned](cross-cutting/LESSONS-LEARNED.md) | Project retrospective insights and team learnings | Draft |
| [Tech Debt Log](cross-cutting/TECH-DEBT-LOG.md) | Known technical debt items with priority and remediation plan | Draft |

---

## Regulatory
*8 documents*

| Document | Description | Status |
|---|---|---|
| [Bosnia & Herzegovina Overview](regulatory/BA/README.md) | BA regulatory requirements — entity structure and tax obligations | Final |
| [BIH PDV (VAT)](regulatory/BIH-PDV.md) | Bosnia & Herzegovina VAT rules, rates, and e-invoicing status | Final |
| [Chart of Accounts](regulatory/CHART-OF-ACCOUNTS.md) | Unified CoA reference — BA, RS, HR cross-country comparison | Final |
| [Croatia eRačun](regulatory/CROATIA-ERACUN.md) | Croatia e-invoicing (eRačun) and fiscalization (Fiskalizacija) | Final |
| [Croatia Overview](regulatory/HR/README.md) | HR regulatory requirements — EU member, PDV, fiscal obligations | Final |
| [Multi-Region Overview](regulatory/MULTI-REGION-OVERVIEW.md) | Shared core + country plugin architecture for multi-region compliance | Final |
| [Serbia Overview](regulatory/RS/README.md) | RS regulatory requirements — SEF mandate, PDV, e-invoicing | Final |
| [Serbia SEF](regulatory/SERBIA-SEF.md) | Serbia's Sistem Elektronskih Faktura — mandatory e-invoicing system | Final |

---

## Open Banking
*2 documents*

| Document | Description | Status |
|---|---|---|
| [Balkan Open Banking Strategy](open-banking/balkan-open-banking-strategy.md) | CEO-approved unified platform strategy for open banking across the Balkans | Final |
| [Open Banking Business Case](open-banking/business-case-open-banking.md) | Financial and strategic justification for open banking investment | Final |

---

## Standalone Documents
*5 documents*

| Document | Description | Status |
|---|---|---|
| [Competitive Research](COMPETITIVE-RESEARCH.md) | Market analysis — competitors, positioning, and differentiation strategy | Final |
| [High-Level Design](HLD.md) | System overview — architecture, technology stack, and key decisions | Final |
| [Low-Level Design](LLD.md) | Detailed component design — services, APIs, and data models | Final |
| [Test Plan](TEST-PLAN.md) | Master test plan covering all testing phases and acceptance criteria | Final |
| [Validation Report](VALIDATION-REPORT.md) | Gate validation report — documentation completeness and quality | Final |

---

*Templates excluded. See [templates/](templates/) for reusable document templates.*