Documentation Index

Drop Documentation Index

Last ~~updated:~~Updated: 2026-~~02-17~~03-04 |Auto-generated ~~Validated:~~from directory scan. Covers 280+ documents across 12 directories. Previous "20/20 ~~PASS~~PASS" ~~after~~validation ~~doc~~claim ~~alignment~~removed — that audit only covered ~30% of documentation.

How to Use This Index

All paths are relative to the project root (~/ALAI/products/Drop/)

Template files are listed in a dedicated section at the bottom — they are blank starters, not live documents

Archived items are marked [ARCHIVED]

Dead leads/eliminated options are marked [DEAD LEAD] or [ELIMINATED]

1. Architecture

1.1 Architecture Decision Records (ADRs)

Document	Description
ADR Index	Overview of all ADRs and their status
ADR-001 Consolidate Backends	Decision to consolidate to a single backend
ADR-002 Separate Fontelepay	Decision to separate Fontelepay integration
ADR-003 PSD2 Pass-Through	Pass-through model — Drop never holds funds
ADR-004 JWT HttpOnly Cookies	Auth token storage strategy
ADR-005 Monolith First	Monolith-first approach before microservices
ADR-006 SQLite to PostgreSQL	Migration from SQLite (SUPERSEDED by ADR-014)
ADR-007 BankID OIDC Auth	Norwegian BankID as primary authentication
ADR-008 Hono API Framework	Hono chosen as API framework
ADR-009 Feature Flag System	Feature flag architecture
ADR-010 Dual Database Driver	Dual-driver approach (SUPERSEDED by ADR-014)
ADR-011 Expo Mobile Framework	Expo chosen for React Native mobile
ADR-012 AWS App Runner Deploy	AWS App Runner for deployment
ADR-013 Settlement Split Payment	Payment settlement and split design
ADR-014 PostgreSQL Only	PostgreSQL as the sole database (CURRENT)
ADR-015 BullMQ Redis Job Queue	BullMQ + Redis for async job processing
ADR-016 Graceful Shutdown	Graceful shutdown pattern for production

Also in comms/decisions/:

Document	Description
ADR-001 Consolidate Backends	Decision log copy
ADR-002 Separate Fontelepay	Decision log copy
ADR-003 PSD2 Pass-Through Model	Decision log copy
ADR-004 ZTL Partnership Eliminated	ZTL eliminated as licensing partner [DEAD LEAD]
ADR-005 Neonomics Eliminated	Neonomics eliminated (EUR-EUR only, no NOK) [ELIMINATED]

1.2 High-Level Design (HLD)

Document	Description
Component Overview	All major system components and responsibilities
Container Diagram	C4 container-level diagram and descriptions
Data Architecture	Data ownership, flow, and storage strategy
Deployment Architecture	HLD-level deployment topology
Security Architecture (HLD)	Security model at the architecture level
System Context	System boundaries and external actors

1.3 Low-Level Design (LLD) — Flow Diagrams

Document	Description
Bank Account Linking Flow	AISP bank account linking via Open Banking
KYC/AML Flow	Sumsub KYC and AML verification flow
Login Authentication (Backend)	Backend login and token issuance flow
Login Authentication	End-to-end login flow including BankID
Merchant Onboarding Flow	Merchant registration and setup
Middleware Lifecycle	Request middleware chain execution
Notifications Flow	Push notification delivery flow
Profile Settings Flow	User profile update flow
QR Payment Flow	QR code generation and PISP payment flow
Registration/Onboarding Flow	New user registration and BankID onboarding
Remittance Flow	International remittance PISP flow
Transaction History Flow	Transaction retrieval and display flow
Withdrawal Flow	Fund withdrawal/transfer flow

1.4 Database Architecture

Document	Description
Audit Architecture	Audit log table design and retention
Data Lifecycle	Data creation, archival, and deletion policies
Database Design	Full database design — tables, relations, constraints
Indexing Strategy	Index design for query performance
Migration Strategy	Drizzle ORM migration approach

1.5 Integrations

Document	Description
BankID OIDC Integration	Norwegian BankID OIDC provider integration
Open Banking AISP/PISP	PSD2 Open Banking read (AISP) and payment (PISP)
Payment Processing	End-to-end payment processing architecture
Sentry Observability	Error tracking and observability via Sentry
Sumsub KYC Integration	Sumsub identity verification integration

1.6 Architecture Reviews & Audits

Document	Description
Architecture README	Architecture documentation overview
C4 Diagrams	C4 model diagrams (context, container, component)
Petter Graff Review	External architect review by Petter Graff
Architecture Validation Report	Architecture cross-reference validation
Architecture Review	Comprehensive architecture review findings
Architecture Feasibility Review	Feasibility analysis for architecture decisions
Architecture Re-Review	Follow-up architecture review

1.7 Architecture Specs (project/)

Document	Description
Architecture Document	Master architecture document (section 1.4 = user requirements)
API Specification (project)	API spec maintained in project/

2. Backend

Document	Description
API Reference	All 26 API endpoints — method, path, request/response, auth, rate limits
Database Schema	All 19 tables (12 core + 7 compliance) — columns, types, constraints, indexes
Authentication	JWT auth flow — register, login, refresh, logout, middleware
Services	External integrations — Sumsub (KYC) `[PRODUCTION]`, Stripe (Cards) `[MOCK]`, Swan `[DEPRECATED]`
Middleware	Auth, validation, rate limiting, CSRF, error handling
Feature Flags	8 feature flags, 16 tracked features, server/client APIs
OpenAPI Spec	Machine-readable OpenAPI 3.0 specification
Validator Review (Backend)	Backend code review findings from validator agent

3. Frontend

Document	Description
Component Inventory	All components — custom, icons, shadcn/ui primitives
Pages	All 20 routes — auth, components, data fetching, compliance pages
Design System	Colors, typography (Fraunces/DM Sans/Geist Mono), spacing, patterns
State Management	useAuth hook, feature flags, data fetching patterns
Landing Pages	Marketing site — 9 sections, 12 sub-pages, waitlist API

3.1 Page Specs (project/specs/)

Document	Description
Accounts Page	Bank accounts page spec
Dashboard Page	Main dashboard page spec
Landing Page	Marketing landing page spec
Login Page	Login page spec
Notifications Page	Notifications page spec
Profile Page	User profile page spec
Register Page	Registration page spec
QR Scan Page	QR payment scan page spec
Send Money Page	Remittance/send money page spec
Transactions Page	Transaction history page spec

4. Mobile

Document	Description
Mobile App	Expo Router architecture, 8 screens, API client, theme
Mobile Strategy	Mobile product strategy and roadmap

4.1 App Store Materials (project/store/)

Document	Description
App Store Metadata	App Store and Google Play listing metadata
Icon Spec	App icon requirements and specifications
Screenshot Texts	Promotional screenshot copy

5. Infrastructure

Document	Description
Deployment	Docker, Fly.io, 3 deployment configs (MVP/Production/Staging)
CI/CD	GitHub Actions pipeline — lint, test, build, e2e, docker (5 jobs)
Monitoring	Health checks, container monitoring, gaps identified
Environment	Tech stack, npm scripts, Next.js config, env modes
DR Runbook	Disaster recovery runbook for production
Secrets Management	Secret storage, rotation, and access patterns
BetterStack Setup	BetterStack uptime monitoring and alerting setup
Sentry Setup	Sentry error tracking configuration

5.1 Cloud Audit

Document	Description
Resource Inventory	Current cloud resource inventory
Multi-Cloud Design	Multi-cloud architecture design
App Cloud Readiness	Application readiness for cloud deployment
Cloud Audit Validation	Cloud audit validation report
CloudWatch Logs Setup	AWS CloudWatch logging configuration
WAF Rules	Web Application Firewall rules

5.2 Archived Infrastructure

Document	Description
DR Runbook (Archived)	Earlier version of DR runbook [ARCHIVED]

5.3 Project Deployment Docs

Document	Description
Deployment (project)	Earlier deployment documentation
DevOps/SRE Stack	DevOps and SRE tooling decisions
Cloud Cost Analysis	Cloud provider cost comparison
Cloud Deployment Options	Research on cloud deployment options

6. Security & Compliance

6.1 Core Security Docs

Document	Description
Security Architecture	JWT, cookies, bcrypt, CSRF, rate limiting, input validation
Compliance	PSD2, AML, GDPR, DORA readiness — 8/100 overall, remediation plan
Business Continuity Plan	BCP for critical service disruptions
Dependency Audit Report	npm dependency security audit
Incident Response Playbook	Step-by-step incident response
OWASP Top 10 Checklist	OWASP Top 10 compliance checklist
Pentest Report Template	Penetration testing report template
SAST Report Template	Static analysis security testing report
Security Code Review Checklist	Code review security checklist
Threat Modeling Template	Threat modeling methodology and template

6.2 Security Compliance Framework (docs/SECURITY-COMPLIANCE/)

Document	Description
Compliance Framework	PSD2, GDPR, AML, DORA compliance framework
Data Breach Response Plan	GDPR-compliant breach notification and response
Data Encryption Policy	Encryption standards for data at rest and in transit
Data Protection Impact Assessment	DPIA for GDPR Article 35 compliance
Key Management Policy	Cryptographic key lifecycle management
Security Architecture (SECURITY-COMPLIANCE)	Security architecture in compliance context
Security Testing Policy	Security testing standards and frequency

6.3 Security Audits & Reports

Document	Description
Security Audit 2026-03-01	Full security audit report March 2026
JWT/CSRF Audit 2026-03-02	JWT and CSRF vulnerability audit
DR Test Report 2026	Disaster recovery test results
Drop Security Rapport	Internal security rapport
Security Gap Analysis	Security gap analysis findings
Security Hardening Checklist	Hardening actions checklist
Security Hardening Implementation	Implementation details for security hardening
Security Rapport 2026-02-12	February 2026 security rapport

6.4 Regulatory Docs (docs/regulatory/)

Document	Description
AML/KYC Policy	Anti-money laundering and KYC policy
IT Security Policy	IT security policy for Finanstilsynet
PI License Business Plan	Payment Institution license application business plan

6.5 Legal & Regulatory (legal/)

Document	Description
Legal README	Legal directory overview
Brukervilkar	Terms of service (Norwegian)
Personvernerklaering	Privacy policy / GDPR statement (Norwegian)
DPIA Vurdering	Data Protection Impact Assessment (Norwegian)
Behandlingsprotokoll	GDPR data processing register
Beredskapsplan	Emergency/contingency plan
DPA — Sentry	Data Processing Agreement with Sentry
DPA — Sumsub	Data Processing Agreement with Sumsub
DPA — Swan	Data Processing Agreement with Swan (DEPRECATED)
DPA Template	Blank DPA template for new vendors
Egnethetsvurdering	Suitability assessment for PI license
Gebyrskjema	Fee schedule / gebyr scheme
Hendelseshaandtering	Incident handling procedures
Hvitvaskingsrutiner	AML/money laundering routines
IKT Sikkerhetspolicy	ICT security policy (Norwegian)
Internkontroll	Internal control framework
Klagebehandling	Complaint handling procedure
Konsesjonssoknad Forberedelse	PI license application preparation — €50-125K capital, 6-12 months
Rammeavtale	Framework agreement template
Risikovurdering Hvitvasking	AML risk assessment
Utkontraktering Policy	Outsourcing/vendor policy
Virksomhetsplan	Business plan for Finanstilsynet
Neonomics Meeting Prep	Prep for Neonomics meeting [ELIMINATED]
Regulatory Map v2	Full regulatory map (PSD2, GDPR, AML, DORA)
Legal Gap Analysis v2	Legal/regulatory gap analysis
Kjeller Innovasjon Egenerklaering	Self-declaration for Kjeller Innovasjon program

7. Testing & QA

Document	Description
Testing Guide	Vitest + Playwright, running tests, mocking, patterns
Test Inventory	All 14 test files — unit, integration, e2e, regression, performance
API Testing Checklist	Checklist for API endpoint testing
UAT Plan	User Acceptance Testing plan
Test Plan (project)	Project-level test plan

7.1 Quality Assurance

Reports

Document	Description
QA Report	QA findings and status
Validation Report	Cross-reference audit of all docs against source code
Test Audit 2026-03-01	Test coverage and quality audit
Code Coverage Report	Test code coverage metrics
Code Review Checklist	Standard code review checklist
Drop QA Rapport (project)	Project QA rapport
Security QA Audit (project)	Combined security and QA audit

7.2 Audit Reports

Document	Description
Drop Full Audit 2026-03-03	Comprehensive full-system audit
Documentation Audit 2026-03-04	Documentation coverage audit (this generated the H-18 finding)
OPS Audit 2026-03-01	Operations audit
OPS Readiness Audit 2026-03-01	Production operations readiness audit
Team 1 Core System Rapport	Core system team build rapport
Team 2 User Experience Rapport	UX team rapport
Team 3 Operations Rapport	Operations team rapport
Vault Squad Analysis	Security vault squad analysis
Hardening Plan	Security hardening plan
Hardening Report	Security hardening results report
GAP Analysis vs Standard	Gap analysis against industry standards
Performance Budgets	Performance budget definitions and targets

8. Business Requirements

8.1 Core BRD Docs (docs/BUSINESS-REQUIREMENTS/)

Document	Description
Business Requirements Document	Master BRD — business goals, scope, stakeholders
Functional Requirements	All functional requirements
Non-Functional Requirements	Performance, scalability, security NFRs
User Stories	User story backlog
Acceptance Criteria	Acceptance criteria per user story
Requirements Traceability Matrix	RTM — requirements to test/code mapping

8.2 Requirements (docs/requirements/)

Document	Description
Functional Requirements	Functional requirements document
Non-Functional Requirements	Non-functional requirements
User Stories	User stories
Requirements Traceability Matrix	RTM
EP-09 Admin Portal	Epic 9 — Admin portal requirements
FR-073 Daily Reconciliation	Daily reconciliation functional requirement
FR-074 Payment Idempotency	Payment idempotency requirement
FR-075 Circuit Breaker Fallback	Circuit breaker and fallback requirement
FR-076 Webhook Handling	Webhook ingestion and processing requirement
FR-077 Dispute Refund	Dispute and refund handling requirement

8.3 PLC Phase 1 — Requirements (docs/plc/phase-1-requirements/)

Document	Description
Functional Requirements Summary	PLC phase 1 functional requirements
Non-Functional Requirements Summary	PLC phase 1 NFR summary
User Stories Summary	PLC phase 1 user stories
Acceptance Criteria	PLC phase 1 acceptance criteria
RTM Summary	PLC phase 1 RTM summary
PSD2 Compliance Requirements	PSD2-specific compliance requirements
DPIA Supplement	GDPR DPIA supplement for PLC

8.4 Business Case & Strategy

Document	Description
Business Case v2	Drop business case v2 (pre-rebrand, content valid)
Business Case v1	Original business case (pre-rebrand)
Requirements Document (project)	Project-level requirements document
Features: Merchant/Recipients/Rates	Feature definitions for merchants, recipients, exchange rates

9. Project Governance

9.1 Governance Docs (docs/PROJECT-GOVERNANCE/)

Document	Description
Project Charter	Formal project charter — scope, objectives, authority
Project Brief	Executive project brief
Risk Register	Risk identification and mitigation
RACI Matrix	Responsibility assignment matrix
Communication Plan	Stakeholder communication plan

9.2 Project Docs (project/)

Document	Description
Pipeline	Development pipeline and stage gates
Production Plan	Production readiness plan
Project Charter (project)	Project charter (earlier version)
Risk Register (project)	Risk register (earlier version)
Production Readiness Checklist	Production go-live checklist
Gap Analysis 2026-02-14	Gap analysis from February 2026
Pipeline Review 929	Pipeline review task #929
Docs Validation 930	Docs validation task #930
Compliance Gap (Overnight 2026-02-16)	Compliance gap overnight analysis
Workflow	Development workflow description
Incident Report	Production incident report

9.3 PLC Phase 4 — Sprint Planning (docs/plc/phase-4-sprint-planning/)

Document	Description
Epics and Sprint Plan	All epics and sprint breakdown
Risk Register Supplement	Sprint-level risk additions
Definition of Done	DoD for all story types
Project Governance Summary	Governance summary for PLC phase 4

9.4 Decision Log (comms/decisions/)

Document	Description
Budget Decision 2026-02-08	Initial Zica/Drop budget decision
Legal Review 2026-02-08	Legal review decision
SpareBank1 Outreach 2026-02-09	Decision to contact SpareBank1

10. Developer Experience

Document	Description
Developer Onboarding Guide	Complete onboarding for new developers
Developer Offboarding Guide	Offboarding checklist and access revocation
Coding Standards	TypeScript, formatting, naming conventions
Local Development Setup	Getting the project running locally
Contributing	Contribution guidelines

11. Release Management

Document	Description
Release Notes	Version release notes and changelog
Rollback Plan	Production rollback procedures
Deployment Checklist	Pre/post-deployment checklist
UAT Sign-off	User acceptance test sign-off document
Deployment Checklist (project)	Earlier deployment checklist
CHANGELOG	Project changelog
ROADMAP	Product roadmap

12. Cross-Cutting Concerns

Document	Description
Change Request	Change request process and form
Lessons Learned	Retrospective lessons learned log
Tech Debt Log	Technical debt tracking
Implementation Plan	Implementation plan for current phase
Hallucination Analysis 2026-02-09	Analysis of AI hallucination incidents

13. Support

13.1 Runbooks (support/runbooks/)

Document	Description
AISP Balance Failure	Runbook: AISP balance fetch failure
Backup/Restore Test	Runbook: backup and restore testing
BankID Failure	Runbook: BankID authentication outage
Data Breach Response	Runbook: data breach containment and notification
Database Outage	Runbook: PostgreSQL database outage
Hotfix Process	Runbook: production hotfix deployment
JWT Rotation	Runbook: JWT secret rotation
PISP Payment Failure	Runbook: PISP payment initiation failure
Queue/Redis Failure	Runbook: BullMQ/Redis failure
Rate Limiting Incident	Runbook: rate limiting incident response
Security Incident	Runbook: general security incident
Sumsub KYC Failure	Runbook: Sumsub KYC service failure
Swan API Outage	Runbook: Swan API outage [DEPRECATED partner]
Neonomics Outage (Archived)	Runbook: Neonomics outage [ARCHIVED — ELIMINATED]

13.2 FAQ & Customer Support

Document	Description
FAQ (English)	Customer FAQ in English
FAQ (Norwegian)	Customer FAQ in Norwegian
Escalation Policy	Support escalation tiers and contacts
On-Call Rotation	On-call engineer schedule and responsibilities

13.3 Email Templates (support/email-templates/)

Document	Description
Account Locked	Email template: account locked notification
General Inquiry	Email template: general support response
Payment Failed	Email template: payment failure notification
Refund Request	Email template: refund request handling

13.4 Support System Docs

Document	Description
Support README	Support directory overview
Support Systems Analysis	Analysis of support system options
P0 Implementation Checklist	P0 priority support items checklist
Audit Logging Setup	Audit logging configuration guide

14. Brand & Design

14.1 Brand Guidelines

Document	Description
Brand Guide	Drop brand guidelines — logo, colors, typography, usage

14.2 Design Documentation

Document	Description
Design README	Design directory overview
Design System Reference	Design system tokens and component reference
Figma Organization Guide	How Figma files are organized
Figma Quick Action Plan	Quick-start Figma workflow
Research Summary	UX research synthesis
Login Comparison	Login screen design comparison
Rebrand Verification	Verification that rebrand (Zica → Drop) is complete
Stitch Prompts All Screens	AI stitch prompts for all 10 screens
Task 936 Status	Design task #936 status tracking
Screenshot Import Guide	Guide for importing design screenshots
UI Design Spec (project)	UI design specification
UI Redesign Proposal (rnd)	Research proposal for UI redesign
UI/UX Reference (rnd)	UI/UX reference patterns and inspiration

15. Sales & Pitch Materials

Document	Description
SpareBank1 Partnership Pitch (NO)	Partnership pitch in Norwegian
SpareBank1 Email Molba	Email outreach to SpareBank1
SpareBank1 Partnership Molba	Formal partnership proposal to SpareBank1
Kjeller Innovasjon Presentation	Presentation for Kjeller Innovasjon incubator
Promo Video Storyboard	Drop promotional video storyboard
SpareBank1 Email Text	Draft email text for SpareBank1 outreach
SpareBank1 Pitch (docs/sales)	SpareBank1 pitch document (docs/ copy)
Neonomics Pitch [ARCHIVED]	Neonomics pitch talk [ARCHIVED — ELIMINATED]

Document	Description
Promo Video Storyboard (project)	Video storyboard (project copy)
SpareBank1 Package Email	SpareBank1 package email text
SpareBank1 Storyboard (project)	SpareBank1-specific video storyboard
SpareBank1 Pitch NO (project)	Norwegian pitch (project copy)
SpareBank1 Pitch EN (project)	English pitch (project copy)
BankID/Vipps Research	Research on BankID and Vipps integration options

16. PLC Documentation Summaries

These are structured summaries produced during the Product Lifecycle Completion (PLC) process:

Phase 2 — Architecture Summaries (docs/plc/phase-2-architecture/)

Document	Description
HLD Summary	High-level design summary
LLD Summary	Low-level design summary
API Specification Summary	API spec summary
Database Schema Summary	Database schema summary
Data Flow Document	End-to-end data flow documentation
Integration Design	Integration design summary
Security Compliance Architecture	Security and compliance architecture summary

Phase 3 — Documentation Summaries (docs/plc/phase-3-documentation/)

Document	Description
Frontend Architecture Summary	Frontend architecture summary
Backend Architecture Summary	Backend architecture summary
Infrastructure CI/CD Summary	Infrastructure and CI/CD summary
Developer Experience Summary	Developer experience summary
Mobile Architecture Summary	Mobile architecture summary

17. Research & Development (rnd/)

Document	Description
RND README	Research and development directory overview
Security Audit (rnd)	Early security audit research
Cloud Deployment Options	Cloud hosting options research
UI Redesign Proposal	UI redesign research proposal
UI/UX Reference	UI/UX reference patterns
Mobile Bank Research README	Mobile banking research overview
Research	Mobile banking market research
Providers	Banking provider options research
Costs	Cost analysis for mobile banking
MVP Spec	Early MVP specification (pre-Drop)
Tech Stack	Tech stack research

18. Root-Level Documents

Document	Description
CHANGELOG	Project-wide changelog
ROADMAP	Product roadmap
CONTRIBUTING	Contribution guidelines and PR process
CLAUDE.md	AI agent context and project rules

19. Document Templates

These are blank starter templates — not live documentation. Populated versions exist in their corresponding non-template directories above.

Architecture Templates

Backend Templates

Frontend Templates

docs/templates/FRONTEND/ and docs/templates-frontend/: accessibility-audit.md | component-inventory.md | design-system.md | frontend-architecture.md | state-management.md

Infrastructure Templates

Mobile Templates

docs/templates/MOBILE/ and docs/templates-mobile/: app-store-submission-checklist.md | mobile-architecture.md | mobile-security.md | offline-first-strategy.md | push-notification-design.md

Testing Templates

Business Requirements Templates

Project Governance Templates

docs/templates/PROJECT-GOVERNANCE/: project-charter.md | project-brief.md | risk-register.md | raci-matrix.md | communication-plan.md

Security/Compliance Templates

Developer Experience Templates

docs/templates/DEVELOPER-EXPERIENCE/: developer-onboarding-guide.md | developer-offboarding-guide.md | coding-standards.md | local-development-setup.md

Release Templates

docs/templates/RELEASE/: release-notes.md | rollback-plan.md | deployment-checklist.md | uat-signoff.md

Cross-Cutting Templates

docs/templates/CROSS-CUTTING/: change-request.md | lessons-learned.md | tech-debt-log.md

Operations Templates

docs/templates/OPERATIONS/ and docs/templates-ops/: go-live-runbook.md | incident-report.md | operational-runbook.md | post-mortem.md | sla-report.md

Template Index

docs/templates/INDEX.md — template directory index

Index rebuilt 2026-03-04. Previous version (2026-02-17) covered ~30% of documentation. This index covers all live documentation across 12 directories.