Documentation Index
Drop Documentation Index
Last updated: 2026-03-10 | Validated: 20/20 PASS after doc alignment audit
Backend
| Document |
Description |
| API Reference |
All 26 API endpoints — method, path, request/response, auth, rate limits |
| Database Schema |
All 19 tables (12 core + 7 compliance) — columns, types, constraints, indexes |
| Authentication |
JWT auth flow — register, login, refresh, logout, middleware |
| Services |
External integrations — Sumsub (KYC) [PRODUCTION], Stripe (Cards) [MOCK], Swan [DEPRECATED] |
| Integrations |
Partner adapter docs — BankID [PRODUCTION], Sumsub [PRODUCTION], Tink/Aiia/Enable Banking [CANDIDATE], Swan [DEPRECATED], ZTL [DEAD LEAD] |
| Middleware |
Auth, validation, rate limiting, CSRF, error handling |
| Feature Flags |
8 feature flags, 16 tracked features, server/client APIs |
Frontend
| Document |
Description |
| Component Inventory |
All components — custom, icons, shadcn/ui primitives |
| Pages |
All 20 routes — auth, components, data fetching, compliance pages |
| Design System |
Colors, typography (Fraunces/DM Sans/Geist Mono), spacing, patterns |
| State Management |
useAuth hook, feature flags, data fetching patterns |
| Landing Pages |
Marketing site — 9 sections, 12 sub-pages, waitlist API |
Mobile
| Document |
Description |
| Mobile App |
Expo Router architecture, 8 screens, API client, theme |
Infrastructure
| Document |
Description |
| Deployment |
Docker, Fly.io, 3 deployment configs (MVP/Production/Staging) |
| CI/CD |
GitHub Actions pipeline — lint, test, build, e2e, docker (5 jobs) |
| Monitoring |
Health checks, container monitoring, gaps identified |
| Environment |
Tech stack, npm scripts, Next.js config, env modes |
Security
| Document |
Description |
| Security Architecture |
JWT, cookies, bcrypt, CSRF, rate limiting, input validation |
| Compliance Status |
PSD2, AML, GDPR, DORA readiness — current status, audit trail, legal inventory |
Regulatory Compliance (SECURITY-COMPLIANCE/)
Detailed regulatory documents for Finanstilsynet PI licence application:
| Document |
Description |
| Compliance Framework |
Master framework — GDPR, PSD2/SCA, AML, DORA, third-party risk, follow-up procedures |
| DORA ICT Risk Self-Assessment |
DORA Art. 6(8) annual self-assessment — maturity scores, gaps, remediation roadmap |
| Data Encryption Policy |
AES-256-GCM, TLS 1.3, KMS key hierarchy, PII encryption |
| Key Management Policy |
AWS KMS, key rotation, access controls |
| Data Protection Impact Assessment |
GDPR Art. 35 DPIA — risk classification, mitigation measures |
| Data Breach Response Plan |
72-hour GDPR notification, breach triage, Finanstilsynet reporting |
| Security Architecture |
Defence-in-depth, network segmentation, access control layers |
| Security Testing Policy |
Pen test schedule, VA cadence, DORA Art. 24 resilience testing |
Testing
| Document |
Description |
| Testing Guide |
Vitest + Playwright, running tests, mocking, patterns |
| Test Inventory |
All 14 test files — unit, integration, e2e, regression, performance |
Quality Assurance
| Document |
Description |
| Validation Report |
Cross-reference audit of all docs against source code |
