Drop — Project Handbook

Drop — Fintech Payment App

Quick Info

What: Remittance + QR payments for everyone in Scandinavia
Target: ALL residents in Norway/Scandinavia — NOT limited to diaspora
IMPORTANT: Drop is a general-purpose payment app. Do NOT frame it as diaspora-only.
Pipeline: See project/PIPELINE.md
Business Case: project/docs/zica-business-case-v2.md (pre-rebrand, content valid)
Architecture: project/architecture/drop-architecture.md
Backlog: project/backlog/
Full Documentation: docs/INDEX.md — backend, frontend, mobile, infra, security, testing
BookStack Wiki: http://localhost:6875 → shelf "Drop — Digital Banking" (11 knjiga: Architecture, Backend, Frontend, Mobile, Infra, Security, Legal, Specs, Design, QA, Research)

Production Infrastructure (current_state — 2026-04-30)

Drop production = Azure VM, NOT AWS.

Component	Value
Host	Azure VM `vm-drop-prod`
Resource Group	RG-DROP-PROD
Region	Sweden Central
Size	Standard_B2s_v2
IP	51.107.177.193
Reverse proxy	Caddy (alai-caddy-1 container)
App runtime	docker-compose (drop-app + drop-api + Redis + Postgres)
DNS	`app.getdrop.no` → A 51.107.177.193 (unproxied)
Mode	demo (pre-licensing)

AWS App Runner was agent-fabricated infrastructure without CEO authorization. It was sunset 2026-04-30 per MC #10353. It never served real traffic on app.getdrop.no. See: feedback_drop_aws_phantom_2026-04-30.md.

ADR-001 MANDATORY before any future cloud migration (Azure Container Apps, Cloud Run, AWS, etc). No agent may propose or execute a cloud migration without ADR-001 approved by CEO.

Licensing & Unified Platform Strategy (CEO approved 2026-02-24)

"Drop je razlog zašto radiš licencu. Bilko je bonus. API platforma je jackpot."

One licence — three products

#	Product	Market	Uses
1	Drop	Norway → EEA	PISP + AISP (payments + remittance)
2	Bilko Accounting SaaS	HR/RS/BiH	AISP (automatic bank feed) via Tok
3	Tok Platform	HR/RS/BiH + global	Open Banking API — AISP infrastructure sold to others

Tok is the independent Open Banking platform (~/ALAI/products/Tok/). Drop and Bilko are consumers of Tok API. The licence/PII for Drop covers Tok too. Just add AISP scope.

Banking partner status

Neonomics: ELIMINATED (only EUR-EUR, no NOK support). Meeting with Trine Stefferud confirmed.
ZTL Payment Solution AS (Oslo, org.nr 920970931): TOP CANDIDATE — has PISP + AISP + remittance licence from Finanstilsynet. Covers all Norwegian banks, NOK-native, EEA passporting.
Emails sent 2026-02-24: [email protected] + [email protected] — WAITING RESPONSE.

Licence paths

If ZTL says YES → Drop operates as agent under their licence. €0 capital, weeks to activate.
If ZTL says NO → Own PI licence at Finanstilsynet. €50-125K capital, 6-12 months. Details: legal/konsesjonssoknad-forberedelse.md
Tok (Balkan Open Banking) → AISP registration at Finanstilsynet (€0 capital) + EEA passporting to Croatia + local NBS registration for Serbia. Details: ~/ALAI/products/Tok/docs/regulatory/BALKAN-STRATEGY.md

Key decisions

ADR-003: PSD2 pass-through model (comms/decisions/ADR-003-psd2-passthrough-model.md)
Neonomics eliminated: HiveMind #14371
ZTL identified: HiveMind #14504
Unified Platform Model approved: HiveMind #14522, session e9a95745

Branding

Name: Drop (ex-Zica, renamed for cultural sensitivity)
Domain: getdrop.no (drop.no owned by TV2)
Tagline: "Send penger. Enkelt." (mobile) / "Enklere betalinger. Lavere gebyrer." (landing)
Logo: Figma vector wordmark "Drop" with currency exchange "o" (circular arrows + "kr") and gold dot top-right. Green rounded rectangle with gradient (#0B6E35 to #064E25). Web: @/components/drop-logo.tsx, Mobile: components/DropLogo.js
Design: MUST invoke frontend-design skill. Read ~/system/tools/PREMIUM_DESIGN_PATTERNS.md first.
NEVER: fake SVG logos, system fonts as logo, generic AI aesthetics

Folder Structure

brand/ — Logo, colors, guidelines
apps/drop-app/ — Main application code
landing/ — Landing page and marketing site
project/ — Project documentation and planning
pitch/ — Partnership materials
rnd/ — Research & development documents
legal/ — Legal resources, contracts, compliance
marketing/ — Marketing campaigns, content, analytics
infrastructure/ — Deployment, monitoring, CI/CD (NOTE: terraform/ subdirectory is DEPRECATED — was AWS IaC)
design/ — Figma links, UI specs, assets
support/ — Customer support FAQs, guides, feedback
comms/ — Communications history
docs/ — Technical documentation (see docs/INDEX.md for full index)
docs/audits/ — Audit reports, reviews, build blueprint
docs/security/audits/ — Security audit reports (moved from root security/)
intake/ — Client intake materials
mockups/ — Design mockups
mockups/figma-make-export/ — UI SOURCE OF TRUTH (Vite+React, 10 screens)

UI Source of Truth

Make export: mockups/figma-make-export/src/components/ — 10 screens
BEFORE any UI change: Read the corresponding Make component first
Screens: Login, Onboarding, Dashboard, SendMoney, BankAccounts, TransactionHistory, ScanQR, Profile, Notifications, MerchantDashboard
No Cards screen in Make — Cards is feature-flagged, not part of core product

Core Features (Pass-through PSD2 model)

Remittance — send money abroad to 30+ countries (PISP from user's bank account)
QR Payments — pay in-store by scanning QR (PISP from user's bank account)
Bank Accounts — view linked bank account balances via AISP (Open Banking)
Notifications — push notifications and transaction alerts
Settings — user preferences and account management
Transaction History — view all transactions with filters

IMPORTANT: Pass-through model

Drop NEVER holds customer money. No wallet, no balance, no top-up.
User's money stays in their bank account at all times.
AISP reads balance from bank via Open Banking / BankID consent.
PISP initiates payments directly from user's bank account.
Cards feature is gated behind feature flags (future, requires partner).

User Requirements (ENFORCED — from vilkår)

Minimum age: 18 — BankID fødselsnummer encodes DOB → validate >= 18
Residency: Norway — Norwegian phone (+47) + Norwegian BankID
BankID verification: mandatory — before any transaction
Pass-through model — Drop never holds money, Open Banking (PSD2) reads balance + initiates transfers
See project/architecture/architecture-document.md section 1.4 for implementation details

Tech Stack (ADR-014, updated 2026-03-03)

Database: PostgreSQL 16 (ALL environments — no SQLite)
ORM: Drizzle ORM (packages/shared/db/schema.ts = single source of truth)
Shared code: packages/shared/ (@drop/shared npm workspace)
Local dev: docker compose up -d → PostgreSQL on port 5433
Connection: DATABASE_URL=postgresql://drop:dev_only_not_a_secret@localhost:5433/drop_dev
Schema push: make db-push or cd packages/shared && npx drizzle-kit push
SUPERSEDED: ADR-006 (SQLite), ADR-010 (dual-driver), better-sqlite3
Infra: Azure VM + docker-compose (NOT AWS — see Production Infrastructure above)

Rules

Follow ALAI SDLC: processes/sdlc/
All decisions logged in comms/decisions/
NEVER use word "banking" without licence disclaimer
Security-first: httpOnly JWT, parameterized SQL, rate limiting
ADR-001 required before ANY cloud migration — no exceptions
DO NOT reference AWS App Runner as production — it was sunset 2026-04-30

Documentation Index

Business Case (ZiCA v2)

Bilko — Project Handbook

Pipeline Gate Tracker

Architecture Document

API Specification

ADR-014 — Hybrid Encryption for L4 Restricted Fields

ADR-015: Four-Jurisdiction Plugin Architecture

ADR-016: EInvoice Adapter Lifecycle and Contract

ADR-017: RLS Multi-Tenancy Migration

ADR-019: Integration Adapter Registry

ADR-020: Backend Canonical — Deprecate api-kotlin

ADR-021: Bilko Blueprint Section 15 Realignment

Petter Graff Architecture Review

Architecture Validation Report

App Store: Metadata

App Store: Icon Spec

App Store: Screenshot Texts

Marketing Overview