Drop Documentation Index

Last Updated: 2026-03-04
Auto-generated from directory scan. Covers 280+ documents across 12 directories. Previous "20/20 PASS" validation claim removed — that audit only covered ~30% of documentation.


How to Use This Index

  • All paths are relative to the project root (~/ALAI/products/Drop/)
  • Template files are listed in a dedicated section at the bottom — they are blank starters, not live documents
  • Archived items are marked [ARCHIVED]
  • Dead leads/eliminated options are marked [DEAD LEAD] or [ELIMINATED]

1. Architecture

1.1 Architecture Decision Records (ADRs)

Document Description
ADR Index Overview of all ADRs and their status
ADR-001 Consolidate Backends Decision to consolidate to a single backend
ADR-002 Separate Fontelepay Decision to separate Fontelepay integration
ADR-003 PSD2 Pass-Through Pass-through model — Drop never holds funds
ADR-004 JWT HttpOnly Cookies Auth token storage strategy
ADR-005 Monolith First Monolith-first approach before microservices
ADR-006 SQLite to PostgreSQL Migration from SQLite (SUPERSEDED by ADR-014)
ADR-007 BankID OIDC Auth Norwegian BankID as primary authentication
ADR-008 Hono API Framework Hono chosen as API framework
ADR-009 Feature Flag System Feature flag architecture
ADR-010 Dual Database Driver Dual-driver approach (SUPERSEDED by ADR-014)
ADR-011 Expo Mobile Framework Expo chosen for React Native mobile
ADR-012 AWS App Runner Deploy AWS App Runner for deployment
ADR-013 Settlement Split Payment Payment settlement and split design
ADR-014 PostgreSQL Only PostgreSQL as the sole database (CURRENT)
ADR-015 BullMQ Redis Job Queue BullMQ + Redis for async job processing
ADR-016 Graceful Shutdown Graceful shutdown pattern for production

Also in comms/decisions/:

Document Description
ADR-001 Consolidate Backends Decision log copy
ADR-002 Separate Fontelepay Decision log copy
ADR-003 PSD2 Pass-Through Model Decision log copy
ADR-004 ZTL Partnership Eliminated ZTL eliminated as licensing partner [DEAD LEAD]
ADR-005 Neonomics Eliminated Neonomics eliminated (EUR-EUR only, no NOK) [ELIMINATED]

1.2 High-Level Design (HLD)

Document Description
Component Overview All major system components and responsibilities
Container Diagram C4 container-level diagram and descriptions
Data Architecture Data ownership, flow, and storage strategy
Deployment Architecture HLD-level deployment topology
Security Architecture (HLD) Security model at the architecture level
System Context System boundaries and external actors

1.3 Low-Level Design (LLD) — Flow Diagrams

Document Description
Bank Account Linking Flow AISP bank account linking via Open Banking
KYC/AML Flow Sumsub KYC and AML verification flow
Login Authentication (Backend) Backend login and token issuance flow
Login Authentication End-to-end login flow including BankID
Merchant Onboarding Flow Merchant registration and setup
Middleware Lifecycle Request middleware chain execution
Notifications Flow Push notification delivery flow
Profile Settings Flow User profile update flow
QR Payment Flow QR code generation and PISP payment flow
Registration/Onboarding Flow New user registration and BankID onboarding
Remittance Flow International remittance PISP flow
Transaction History Flow Transaction retrieval and display flow
Withdrawal Flow Fund withdrawal/transfer flow

1.4 Database Architecture

Document Description
Audit Architecture Audit log table design and retention
Data Lifecycle Data creation, archival, and deletion policies
Database Design Full database design — tables, relations, constraints
Indexing Strategy Index design for query performance
Migration Strategy Drizzle ORM migration approach

1.5 Integrations

Document Description
BankID OIDC Integration Norwegian BankID OIDC provider integration
Open Banking AISP/PISP PSD2 Open Banking read (AISP) and payment (PISP)
Payment Processing End-to-end payment processing architecture
Sentry Observability Error tracking and observability via Sentry
Sumsub KYC Integration Sumsub identity verification integration

1.6 Architecture Reviews & Audits

Document Description
Architecture README Architecture documentation overview
C4 Diagrams C4 model diagrams (context, container, component)
Petter Graff Review External architect review by Petter Graff
Architecture Validation Report Architecture cross-reference validation
Architecture Review Comprehensive architecture review findings
Architecture Feasibility Review Feasibility analysis for architecture decisions
Architecture Re-Review Follow-up architecture review

1.7 Architecture Specs (project/)

Document Description
Architecture Document Master architecture document (section 1.4 = user requirements)
API Specification (project) API spec maintained in project/

2. Backend

Document Description
API Reference All 26 API endpoints — method, path, request/response, auth, rate limits
Database Schema All 19 tables (12 core + 7 compliance) — columns, types, constraints, indexes
Authentication JWT auth flow — register, login, refresh, logout, middleware
Services External integrations — Sumsub (KYC) [PRODUCTION], Stripe (Cards) [MOCK], Swan [DEPRECATED]
Middleware Auth, validation, rate limiting, CSRF, error handling
Feature Flags 8 feature flags, 16 tracked features, server/client APIs
OpenAPI Spec Machine-readable OpenAPI 3.0 specification
Validator Review (Backend) Backend code review findings from validator agent

3. Frontend

Document Description
Component Inventory All components — custom, icons, shadcn/ui primitives
Pages All 20 routes — auth, components, data fetching, compliance pages
Design System Colors, typography (Fraunces/DM Sans/Geist Mono), spacing, patterns
State Management useAuth hook, feature flags, data fetching patterns
Landing Pages Marketing site — 9 sections, 12 sub-pages, waitlist API

3.1 Page Specs (project/specs/)

Document Description
Accounts Page Bank accounts page spec
Dashboard Page Main dashboard page spec
Landing Page Marketing landing page spec
Login Page Login page spec
Notifications Page Notifications page spec
Profile Page User profile page spec
Register Page Registration page spec
QR Scan Page QR payment scan page spec
Send Money Page Remittance/send money page spec
Transactions Page Transaction history page spec

4. Mobile

Document Description
Mobile App Expo Router architecture, 8 screens, API client, theme
Mobile Strategy Mobile product strategy and roadmap

4.1 App Store Materials (project/store/)

Document Description
App Store Metadata App Store and Google Play listing metadata
Icon Spec App icon requirements and specifications
Screenshot Texts Promotional screenshot copy

5. Infrastructure

Document Description
Deployment Docker, Fly.io, 3 deployment configs (MVP/Production/Staging)
CI/CD GitHub Actions pipeline — lint, test, build, e2e, docker (5 jobs)
Monitoring Health checks, container monitoring, gaps identified
Environment Tech stack, npm scripts, Next.js config, env modes
DR Runbook Disaster recovery runbook for production
Secrets Management Secret storage, rotation, and access patterns
BetterStack Setup BetterStack uptime monitoring and alerting setup
Sentry Setup Sentry error tracking configuration

5.1 Cloud Audit

Document Description
Resource Inventory Current cloud resource inventory
Multi-Cloud Design Multi-cloud architecture design
App Cloud Readiness Application readiness for cloud deployment
Cloud Audit Validation Cloud audit validation report
CloudWatch Logs Setup AWS CloudWatch logging configuration
WAF Rules Web Application Firewall rules

5.2 Archived Infrastructure

Document Description
DR Runbook (Archived) Earlier version of DR runbook [ARCHIVED]

5.3 Project Deployment Docs

Document Description
Deployment (project) Earlier deployment documentation
DevOps/SRE Stack DevOps and SRE tooling decisions
Cloud Cost Analysis Cloud provider cost comparison
Cloud Deployment Options Research on cloud deployment options

6. Security & Compliance

6.1 Core Security Docs

Document Description
Security Architecture JWT, cookies, bcrypt, CSRF, rate limiting, input validation
Compliance PSD2, AML, GDPR, DORA readiness — 8/100 overall, remediation plan
Business Continuity Plan BCP for critical service disruptions
Dependency Audit Report npm dependency security audit
Incident Response Playbook Step-by-step incident response
OWASP Top 10 Checklist OWASP Top 10 compliance checklist
Pentest Report Template Penetration testing report template
SAST Report Template Static analysis security testing report
Security Code Review Checklist Code review security checklist
Threat Modeling Template Threat modeling methodology and template

6.2 Security Compliance Framework (docs/SECURITY-COMPLIANCE/)

Document Description
Compliance Framework PSD2, GDPR, AML, DORA compliance framework
Data Breach Response Plan GDPR-compliant breach notification and response
Data Encryption Policy Encryption standards for data at rest and in transit
Data Protection Impact Assessment DPIA for GDPR Article 35 compliance
Key Management Policy Cryptographic key lifecycle management
Security Architecture (SECURITY-COMPLIANCE) Security architecture in compliance context
Security Testing Policy Security testing standards and frequency

6.3 Security Audits & Reports

Document Description
Security Audit 2026-03-01 Full security audit report March 2026
JWT/CSRF Audit 2026-03-02 JWT and CSRF vulnerability audit
DR Test Report 2026 Disaster recovery test results
Drop Security Rapport Internal security rapport
Security Gap Analysis Security gap analysis findings
Security Hardening Checklist Hardening actions checklist
Security Hardening Implementation Implementation details for security hardening
Security Rapport 2026-02-12 February 2026 security rapport

6.4 Regulatory Docs (docs/regulatory/)

Document Description
AML/KYC Policy Anti-money laundering and KYC policy
IT Security Policy IT security policy for Finanstilsynet
PI License Business Plan Payment Institution license application business plan

Document Description
Legal README Legal directory overview
Brukervilkar Terms of service (Norwegian)
Personvernerklaering Privacy policy / GDPR statement (Norwegian)
DPIA Vurdering Data Protection Impact Assessment (Norwegian)
Behandlingsprotokoll GDPR data processing register
Beredskapsplan Emergency/contingency plan
DPA — Sentry Data Processing Agreement with Sentry
DPA — Sumsub Data Processing Agreement with Sumsub
DPA — Swan Data Processing Agreement with Swan (DEPRECATED)
DPA Template Blank DPA template for new vendors
Egnethetsvurdering Suitability assessment for PI license
Gebyrskjema Fee schedule / gebyr scheme
Hendelseshaandtering Incident handling procedures
Hvitvaskingsrutiner AML/money laundering routines
IKT Sikkerhetspolicy ICT security policy (Norwegian)
Internkontroll Internal control framework
Klagebehandling Complaint handling procedure
Konsesjonssoknad Forberedelse PI license application preparation — €50-125K capital, 6-12 months
Rammeavtale Framework agreement template
Risikovurdering Hvitvasking AML risk assessment
Utkontraktering Policy Outsourcing/vendor policy
Virksomhetsplan Business plan for Finanstilsynet
Neonomics Meeting Prep Prep for Neonomics meeting [ELIMINATED]
Regulatory Map v2 Full regulatory map (PSD2, GDPR, AML, DORA)
Legal Gap Analysis v2 Legal/regulatory gap analysis
Kjeller Innovasjon Egenerklaering Self-declaration for Kjeller Innovasjon program

7. Testing & QA

Document Description
Testing Guide Vitest + Playwright, running tests, mocking, patterns
Test Inventory All 14 test files — unit, integration, e2e, regression, performance
API Testing Checklist Checklist for API endpoint testing
UAT Plan User Acceptance Testing plan
Test Plan (project) Project-level test plan

7.1 Quality Reports

Document Description
QA Report QA findings and status
Validation Report Cross-reference audit of all docs against source code
Test Audit 2026-03-01 Test coverage and quality audit
Code Coverage Report Test code coverage metrics
Code Review Checklist Standard code review checklist
Drop QA Rapport (project) Project QA rapport
Security QA Audit (project) Combined security and QA audit

7.2 Audit Reports

Document Description
Drop Full Audit 2026-03-03 Comprehensive full-system audit
Documentation Audit 2026-03-04 Documentation coverage audit (this generated the H-18 finding)
OPS Audit 2026-03-01 Operations audit
OPS Readiness Audit 2026-03-01 Production operations readiness audit
Team 1 Core System Rapport Core system team build rapport
Team 2 User Experience Rapport UX team rapport
Team 3 Operations Rapport Operations team rapport
Vault Squad Analysis Security vault squad analysis
Hardening Plan Security hardening plan
Hardening Report Security hardening results report
GAP Analysis vs Standard Gap analysis against industry standards
Performance Budgets Performance budget definitions and targets

8. Business Requirements

8.1 Core BRD Docs (docs/BUSINESS-REQUIREMENTS/)

Document Description
Business Requirements Document Master BRD — business goals, scope, stakeholders
Functional Requirements All functional requirements
Non-Functional Requirements Performance, scalability, security NFRs
User Stories User story backlog
Acceptance Criteria Acceptance criteria per user story
Requirements Traceability Matrix RTM — requirements to test/code mapping

8.2 Requirements (docs/requirements/)

Document Description
Functional Requirements Functional requirements document
Non-Functional Requirements Non-functional requirements
User Stories User stories
Requirements Traceability Matrix RTM
EP-09 Admin Portal Epic 9 — Admin portal requirements
FR-073 Daily Reconciliation Daily reconciliation functional requirement
FR-074 Payment Idempotency Payment idempotency requirement
FR-075 Circuit Breaker Fallback Circuit breaker and fallback requirement
FR-076 Webhook Handling Webhook ingestion and processing requirement
FR-077 Dispute Refund Dispute and refund handling requirement

8.3 PLC Phase 1 — Requirements (docs/plc/phase-1-requirements/)

Document Description
Functional Requirements Summary PLC phase 1 functional requirements
Non-Functional Requirements Summary PLC phase 1 NFR summary
User Stories Summary PLC phase 1 user stories
Acceptance Criteria PLC phase 1 acceptance criteria
RTM Summary PLC phase 1 RTM summary
PSD2 Compliance Requirements PSD2-specific compliance requirements
DPIA Supplement GDPR DPIA supplement for PLC

8.4 Business Case & Strategy

Document Description
Business Case v2 Drop business case v2 (pre-rebrand, content valid)
Business Case v1 Original business case (pre-rebrand)
Requirements Document (project) Project-level requirements document
Features: Merchant/Recipients/Rates Feature definitions for merchants, recipients, exchange rates

9. Project Governance

9.1 Governance Docs (docs/PROJECT-GOVERNANCE/)

Document Description
Project Charter Formal project charter — scope, objectives, authority
Project Brief Executive project brief
Risk Register Risk identification and mitigation
RACI Matrix Responsibility assignment matrix
Communication Plan Stakeholder communication plan

9.2 Project Docs (project/)

Document Description
Pipeline Development pipeline and stage gates
Production Plan Production readiness plan
Project Charter (project) Project charter (earlier version)
Risk Register (project) Risk register (earlier version)
Production Readiness Checklist Production go-live checklist
Gap Analysis 2026-02-14 Gap analysis from February 2026
Pipeline Review 929 Pipeline review task #929
Docs Validation 930 Docs validation task #930
Compliance Gap (Overnight 2026-02-16) Compliance gap overnight analysis
Workflow Development workflow description
Incident Report Production incident report

9.3 PLC Phase 4 — Sprint Planning (docs/plc/phase-4-sprint-planning/)

Document Description
Epics and Sprint Plan All epics and sprint breakdown
Risk Register Supplement Sprint-level risk additions
Definition of Done DoD for all story types
Project Governance Summary Governance summary for PLC phase 4

9.4 Decision Log (comms/decisions/)

Document Description
Budget Decision 2026-02-08 Initial Zica/Drop budget decision
Legal Review 2026-02-08 Legal review decision
SpareBank1 Outreach 2026-02-09 Decision to contact SpareBank1

10. Developer Experience

Document Description
Developer Onboarding Guide Complete onboarding for new developers
Developer Offboarding Guide Offboarding checklist and access revocation
Coding Standards TypeScript, formatting, naming conventions
Local Development Setup Getting the project running locally
Contributing Contribution guidelines

11. Release Management

Document Description
Release Notes Version release notes and changelog
Rollback Plan Production rollback procedures
Deployment Checklist Pre/post-deployment checklist
UAT Sign-off User acceptance test sign-off document
Deployment Checklist (project) Earlier deployment checklist
CHANGELOG Project changelog
ROADMAP Product roadmap

12. Cross-Cutting Concerns

Document Description
Change Request Change request process and form
Lessons Learned Retrospective lessons learned log
Tech Debt Log Technical debt tracking
Implementation Plan Implementation plan for current phase
Hallucination Analysis 2026-02-09 Analysis of AI hallucination incidents

13. Support

13.1 Runbooks (support/runbooks/)

Document Description
AISP Balance Failure Runbook: AISP balance fetch failure
Backup/Restore Test Runbook: backup and restore testing
BankID Failure Runbook: BankID authentication outage
Data Breach Response Runbook: data breach containment and notification
Database Outage Runbook: PostgreSQL database outage
Hotfix Process Runbook: production hotfix deployment
JWT Rotation Runbook: JWT secret rotation
PISP Payment Failure Runbook: PISP payment initiation failure
Queue/Redis Failure Runbook: BullMQ/Redis failure
Rate Limiting Incident Runbook: rate limiting incident response
Security Incident Runbook: general security incident
Sumsub KYC Failure Runbook: Sumsub KYC service failure
Swan API Outage Runbook: Swan API outage [DEPRECATED partner]
Neonomics Outage (Archived) Runbook: Neonomics outage [ARCHIVED — ELIMINATED]

13.2 FAQ & Customer Support

Document Description
FAQ (English) Customer FAQ in English
FAQ (Norwegian) Customer FAQ in Norwegian
Escalation Policy Support escalation tiers and contacts
On-Call Rotation On-call engineer schedule and responsibilities

13.3 Email Templates (support/email-templates/)

Document Description
Account Locked Email template: account locked notification
General Inquiry Email template: general support response
Payment Failed Email template: payment failure notification
Refund Request Email template: refund request handling

13.4 Support System Docs

Document Description
Support README Support directory overview
Support Systems Analysis Analysis of support system options
P0 Implementation Checklist P0 priority support items checklist
Audit Logging Setup Audit logging configuration guide

14. Brand & Design

14.1 Brand Guidelines

Document Description
Brand Guide Drop brand guidelines — logo, colors, typography, usage

14.2 Design Documentation

Document Description
Design README Design directory overview
Design System Reference Design system tokens and component reference
Figma Organization Guide How Figma files are organized
Figma Quick Action Plan Quick-start Figma workflow
Research Summary UX research synthesis
Login Comparison Login screen design comparison
Rebrand Verification Verification that rebrand (Zica → Drop) is complete
Stitch Prompts All Screens AI stitch prompts for all 10 screens
Task 936 Status Design task #936 status tracking
Screenshot Import Guide Guide for importing design screenshots
UI Design Spec (project) UI design specification
UI Redesign Proposal (rnd) Research proposal for UI redesign
UI/UX Reference (rnd) UI/UX reference patterns and inspiration

15. Sales & Pitch Materials

Document Description
SpareBank1 Partnership Pitch (NO) Partnership pitch in Norwegian
SpareBank1 Email Molba Email outreach to SpareBank1
SpareBank1 Partnership Molba Formal partnership proposal to SpareBank1
Kjeller Innovasjon Presentation Presentation for Kjeller Innovasjon incubator
Promo Video Storyboard Drop promotional video storyboard
SpareBank1 Email Text Draft email text for SpareBank1 outreach
SpareBank1 Pitch (docs/sales) SpareBank1 pitch document (docs/ copy)
Neonomics Pitch [ARCHIVED] Neonomics pitch talk [ARCHIVED — ELIMINATED]

15.1 Promo & Marketing

Document Description
Promo Video Storyboard (project) Video storyboard (project copy)
SpareBank1 Package Email SpareBank1 package email text
SpareBank1 Storyboard (project) SpareBank1-specific video storyboard
SpareBank1 Pitch NO (project) Norwegian pitch (project copy)
SpareBank1 Pitch EN (project) English pitch (project copy)
BankID/Vipps Research Research on BankID and Vipps integration options

16. PLC Documentation Summaries

These are structured summaries produced during the Product Lifecycle Completion (PLC) process:

Phase 2 — Architecture Summaries (docs/plc/phase-2-architecture/)

Document Description
HLD Summary High-level design summary
LLD Summary Low-level design summary
API Specification Summary API spec summary
Database Schema Summary Database schema summary
Data Flow Document End-to-end data flow documentation
Integration Design Integration design summary
Security Compliance Architecture Security and compliance architecture summary

Phase 3 — Documentation Summaries (docs/plc/phase-3-documentation/)

Document Description
Frontend Architecture Summary Frontend architecture summary
Backend Architecture Summary Backend architecture summary
Infrastructure CI/CD Summary Infrastructure and CI/CD summary
Developer Experience Summary Developer experience summary
Mobile Architecture Summary Mobile architecture summary

17. Research & Development (rnd/)

Document Description
RND README Research and development directory overview
Security Audit (rnd) Early security audit research
Cloud Deployment Options Cloud hosting options research
UI Redesign Proposal UI redesign research proposal
UI/UX Reference UI/UX reference patterns
Mobile Bank Research README Mobile banking research overview
Research Mobile banking market research
Providers Banking provider options research
Costs Cost analysis for mobile banking
MVP Spec Early MVP specification (pre-Drop)
Tech Stack Tech stack research

18. Root-Level Documents

Document Description
CHANGELOG Project-wide changelog
ROADMAP Product roadmap
CONTRIBUTING Contribution guidelines and PR process
CLAUDE.md AI agent context and project rules

19. Document Templates

These are blank starter templates — not live documentation. Populated versions exist in their corresponding non-template directories above.

Architecture Templates

docs/templates/ARCHITECTURE/ and docs/templates-arch/: adr.md | api-specification.md | data-flow-document.md | database-schema-document.md | hld.md | integration-design.md | lld.md | module-design.md

Backend Templates

docs/templates/BACKEND/ and docs/templates-backend/: api-reference.md | backend-architecture.md | event-schema-documentation.md | external-services-integration.md | middleware-design.md | service-design.md

Frontend Templates

docs/templates/FRONTEND/ and docs/templates-frontend/: accessibility-audit.md | component-inventory.md | design-system.md | frontend-architecture.md | state-management.md

Infrastructure Templates

docs/templates/INFRASTRUCTURE/ and docs/templates-infra/: cicd-pipeline.md | deployment-architecture.md | disaster-recovery-plan.md | environment-configuration.md | infrastructure-as-code.md | monitoring-observability.md

Mobile Templates

docs/templates/MOBILE/ and docs/templates-mobile/: app-store-submission-checklist.md | mobile-architecture.md | mobile-security.md | offline-first-strategy.md | push-notification-design.md

Testing Templates

docs/templates/TESTING/ and docs/templates-testing/: definition-of-done.md | e2e-test-plan.md | mobile-e2e-test-plan.md | performance-test-plan.md | test-case-template.md | test-plan.md | test-strategy.md

Business Requirements Templates

docs/templates/BUSINESS-REQUIREMENTS/: brd.md | functional-requirements.md | non-functional-requirements.md | requirements-traceability-matrix.md | user-stories.md | acceptance-criteria.md

Project Governance Templates

docs/templates/PROJECT-GOVERNANCE/: project-charter.md | project-brief.md | risk-register.md | raci-matrix.md | communication-plan.md

Security/Compliance Templates

docs/templates/SECURITY-COMPLIANCE/: compliance-framework.md | data-breach-response-plan.md | data-encryption-policy.md | data-protection-impact-assessment.md | key-management-policy.md | security-architecture.md | security-testing-policy.md

Developer Experience Templates

docs/templates/DEVELOPER-EXPERIENCE/: developer-onboarding-guide.md | developer-offboarding-guide.md | coding-standards.md | local-development-setup.md

Release Templates

docs/templates/RELEASE/: release-notes.md | rollback-plan.md | deployment-checklist.md | uat-signoff.md

Cross-Cutting Templates

docs/templates/CROSS-CUTTING/: change-request.md | lessons-learned.md | tech-debt-log.md

Operations Templates

docs/templates/OPERATIONS/ and docs/templates-ops/: go-live-runbook.md | incident-report.md | operational-runbook.md | post-mortem.md | sla-report.md

Template Index

docs/templates/INDEX.md — template directory index


Index rebuilt 2026-03-04. Previous version (2026-02-17) covered ~30% of documentation. This index covers all live documentation across 12 directories.