# Drop — Project Handbook

# Drop — Fintech Payment App

## Quick Info
- **What:** Remittance + QR payments for everyone in Scandinavia
- **Target:** ALL residents in Norway/Scandinavia — NOT limited to diaspora
- **IMPORTANT:** Drop is a general-purpose payment app. Do NOT frame it as diaspora-only.
- **Pipeline:** See project/PIPELINE.md
- **Business Case:** project/docs/zica-business-case-v2.md (pre-rebrand, content valid)
- **Architecture:** project/architecture/drop-architecture.md
- **Backlog:** project/backlog/
- **Full Documentation:** [docs/INDEX.md](docs/INDEX.md) — backend, frontend, mobile, infra, security, testing
- **BookStack Wiki:** http://localhost:6875 → shelf "Drop — Digital Banking" (11 books: Architecture, Backend, Frontend, Mobile, Infra, Security, Legal, Specs, Design, QA, Research)

## Production Infrastructure (current_state — 2026-04-30)

**Drop production = Azure VM, NOT AWS.**

| Component      | Value                                        |
| -------------- | -------------------------------------------- |
| Host           | Azure VM `vm-drop-prod`                      |
| Resource Group | RG-DROP-PROD                                 |
| Region         | Sweden Central                               |
| Size           | Standard_B2s_v2                              |
| IP             | 51.107.177.193                               |
| Reverse proxy  | Caddy (alai-caddy-1 container)               |
| App runtime    | docker-compose (drop-app + drop-api + Redis + Postgres) |
| DNS            | `app.getdrop.no` → A 51.107.177.193 (unproxied) |
| Mode           | demo (pre-licensing)                         |

AWS App Runner was agent-fabricated infrastructure without CEO authorization.
It was sunset 2026-04-30 per MC #10353. It never served real traffic on `app.getdrop.no`.
See: `feedback_drop_aws_phantom_2026-04-30.md`.

**ADR-001 MANDATORY** before any future cloud migration (Azure Container Apps, Cloud Run, AWS, etc).
No agent may propose or execute a cloud migration without ADR-001 approved by CEO.

## Licensing & Unified Platform Strategy (CEO approved 2026-02-24)

**"Drop is the reason you are getting the licence. Bilko is the bonus. The API platform is the jackpot."**

### One licence — three products

| # | Product | Market | Uses |
|---|---------|--------|------|
| 1 | **Drop** | Norway → EEA | PISP + AISP (payments + remittance) |
| 2 | **Bilko Accounting SaaS** | HR/RS/BiH | AISP (automatic bank feed) via Tok |
| 3 | **Tok Platform** | HR/RS/BiH + global | Open Banking API — AISP infrastructure sold to others |

Tok is the independent Open Banking platform (`~/ALAI/products/Tok/`). Drop and Bilko are consumers of the Tok API. The licence/PII for Drop covers Tok too; only the AISP scope needs to be added.

### Banking partner status
- **Neonomics:** ELIMINATED (only EUR-EUR, no NOK support). Meeting with Trine Stefferud confirmed.
- **ZTL Payment Solution AS** (Oslo, org.nr 920970931): TOP CANDIDATE — has PISP + AISP + remittance licence from Finanstilsynet. Covers all Norwegian banks, NOK-native, EEA passporting.
- **Emails sent 2026-02-24:** hello@ztlpay.io + fintech@finanstilsynet.no — WAITING RESPONSE.

### Licence paths
- **If ZTL says YES →** Drop operates as an agent under their licence. €0 capital, weeks to activate.
- **If ZTL says NO →** Own PI licence at Finanstilsynet. €50-125K capital, 6-12 months. Details: `legal/konsesjonssoknad-forberedelse.md`
- **Tok (Balkan Open Banking) →** AISP registration at Finanstilsynet (€0 capital) + EEA passporting to Croatia + local NBS registration for Serbia. Details: `~/ALAI/products/Tok/docs/regulatory/BALKAN-STRATEGY.md`

### Key decisions
- ADR-003: PSD2 pass-through model (`comms/decisions/ADR-003-psd2-passthrough-model.md`)
- Neonomics eliminated: HiveMind #14371
- ZTL identified: HiveMind #14504
- Unified Platform Model approved: HiveMind #14522, session `e9a95745`

## Branding
- **Name:** Drop (ex-Zica, renamed for cultural sensitivity)
- **Domain:** getdrop.no (drop.no owned by TV2)
- **Tagline:** "Send penger. Enkelt." (mobile) / "Enklere betalinger. Lavere gebyrer." (landing)
- **Logo:** Figma vector wordmark "Drop" with currency exchange "o" (circular arrows + "kr") and gold dot top-right. Green rounded rectangle with gradient (#0B6E35 to #064E25). Web: `@/components/drop-logo.tsx`, Mobile: `components/DropLogo.js`
- **Design:** MUST invoke `frontend-design` skill. Read `~/system/tools/PREMIUM_DESIGN_PATTERNS.md` first.
- **NEVER:** fake SVG logos, system fonts as logo, generic AI aesthetics

## Folder Structure
- **brand/** — Logo, colors, guidelines
- **apps/drop-app/** — Main application code
- **landing/** — Landing page and marketing site
- **project/** — Project documentation and planning
- **pitch/** — Partnership materials
- **rnd/** — Research & development documents
- **legal/** — Legal resources, contracts, compliance
- **marketing/** — Marketing campaigns, content, analytics
- **infrastructure/** — Deployment, monitoring, CI/CD (NOTE: terraform/ subdirectory is DEPRECATED — was AWS IaC)
- **design/** — Figma links, UI specs, assets
- **support/** — Customer support FAQs, guides, feedback
- **comms/** — Communications history
- **docs/** — Technical documentation (see [docs/INDEX.md](docs/INDEX.md) for full index)
- **docs/audits/** — Audit reports, reviews, build blueprint
- **docs/security/audits/** — Security audit reports (moved from root security/)
- **intake/** — Client intake materials
- **mockups/** — Design mockups
- **mockups/figma-make-export/** — UI SOURCE OF TRUTH (Vite+React, 10 screens)

## UI Source of Truth
- **Make export:** `mockups/figma-make-export/src/components/` — 10 screens
- **BEFORE any UI change:** Read the corresponding Make component first
- Screens: Login, Onboarding, Dashboard, SendMoney, BankAccounts, TransactionHistory, ScanQR, Profile, Notifications, MerchantDashboard
- **No Cards screen in Make** — Cards is feature-flagged, not part of core product

## Core Features (Pass-through PSD2 model)
1. **Remittance** — send money abroad to 30+ countries (PISP from user's bank account)
2. **QR Payments** — pay in-store by scanning QR (PISP from user's bank account)
3. **Bank Accounts** — view linked bank account balances via AISP (Open Banking)
4. **Notifications** — push notifications and transaction alerts
5. **Settings** — user preferences and account management
6. **Transaction History** — view all transactions with filters

**IMPORTANT: Pass-through model**
- Drop NEVER holds customer money. No wallet, no balance, no top-up.
- User's money stays in their bank account at all times.
- AISP reads balance from bank via Open Banking / BankID consent.
- PISP initiates payments directly from user's bank account.
- Cards feature is gated behind feature flags (future, requires partner).

## User Requirements (ENFORCED — from vilkår)
- **Minimum age: 18** — the BankID fødselsnummer encodes the date of birth (DDMMYY plus an individual number that fixes the century) → validate >= 18 server-side, from the BankID assertion, never from a client-supplied value
- **Residency: Norway** — Norwegian phone (+47) + Norwegian BankID
- **BankID verification: mandatory** — before any transaction
- **Pass-through model** — Drop never holds money, Open Banking (PSD2) reads balance + initiates transfers
- See `project/architecture/architecture-document.md` section 1.4 for implementation details
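The age rule can be enforced mechanically because the fødselsnummer is structured. The block below is an added example, not code from the Drop repository: it verifies the two mod-11 check digits, derives the birth date (handling the century rules and D-numbers) and evaluates the 18-year threshold. The sample numbers are constructed for the example and are not real persons; that the number is taken from the server-side BankID assertion rather than a client form field is an assumption stated in the comments.

```typescript
// Added example, not Drop project code. Validates a Norwegian fødselsnummer,
// derives the date of birth and applies the handbook's minimum-age rule.
// Assumption: `fnr` comes from the server-side BankID assertion, never from a
// client-submitted field, so the age check cannot be bypassed by the client.

const K1_WEIGHTS = [3, 7, 6, 1, 8, 9, 4, 5, 2];
const K2_WEIGHTS = [5, 4, 3, 2, 7, 6, 5, 4, 3, 2];

// Mod-11 check digit over `digits` with the given weights; null when the
// scheme yields 10, meaning no valid check digit exists for that prefix.
function checkDigit(digits: number[], weights: number[]): number | null {
  const sum = digits.reduce((acc, d, i) => acc + d * weights[i], 0);
  const k = 11 - (sum % 11);
  if (k === 11) return 0;
  if (k === 10) return null;
  return k;
}

interface Fnr {
  birthDate: Date;   // UTC midnight on the date of birth
  kind: "F" | "D";   // ordinary fødselsnummer, or D-nummer (day field + 40)
}

// Returns null for anything that is not an 11-digit number with valid check
// digits, a real calendar date and a resolvable century.
function parseFnr(fnr: string): Fnr | null {
  if (!/^\d{11}$/.test(fnr)) return null;
  const d = fnr.split("").map(Number);
  if (checkDigit(d.slice(0, 9), K1_WEIGHTS) !== d[9]) return null;
  if (checkDigit(d.slice(0, 10), K2_WEIGHTS) !== d[10]) return null;

  let day = d[0] * 10 + d[1];
  const month = d[2] * 10 + d[3];   // H-numbers (month + 40) fail the date check below
  const yy = d[4] * 10 + d[5];
  const individual = d[6] * 100 + d[7] * 10 + d[8];
  let kind: "F" | "D" = "F";
  if (day > 40) { day -= 40; kind = "D"; }

  // Century is encoded by the individual-number range (Skatteetaten scheme):
  // 000-499 -> 1900s; 500-749 -> 1854-1899; 500-999 -> 2000-2039; 900-999 -> 1940-1999.
  let century: number;
  if (individual <= 499) century = 1900;
  else if (individual <= 749 && yy >= 54) century = 1800;
  else if (individual >= 900 && yy >= 40) century = 1900;
  else if (yy <= 39) century = 2000;
  else return null;

  const year = century + yy;
  const birthDate = new Date(Date.UTC(year, month - 1, day));
  // Date.UTC silently rolls over impossible dates (31.02, month 13); reject those.
  if (birthDate.getUTCFullYear() !== year ||
      birthDate.getUTCMonth() !== month - 1 ||
      birthDate.getUTCDate() !== day) return null;
  return { birthDate, kind };
}

// Completed years between birthDate and `on`, both interpreted in UTC.
function ageOn(birthDate: Date, on: Date): number {
  const age = on.getUTCFullYear() - birthDate.getUTCFullYear();
  const birthdayPassed =
    on.getUTCMonth() > birthDate.getUTCMonth() ||
    (on.getUTCMonth() === birthDate.getUTCMonth() && on.getUTCDate() >= birthDate.getUTCDate());
  return birthdayPassed ? age : age - 1;
}

// The handbook rule: an invalid number is treated as "not adult", not as an
// error the client gets to retry with a different value.
function isAdult(fnr: string, today: Date = new Date()): boolean {
  const parsed = parseFnr(fnr);
  return parsed !== null && ageOn(parsed.birthDate, today) >= 18;
}

// Constructed sample numbers (not real persons); both carry valid check digits.
const SAMPLE_FNR = "15030551262";   // born 15.03.2005
const SAMPLE_DNR = "41079012333";   // D-nummer, born 01.07.1990
```

The D-number case matters for the residency rule: a D-nummer is issued to people without a permanent Norwegian national identity number, so `kind === "D"` is the signal to route the user to whatever the residency check decides, rather than silently treating the number as invalid.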

## Tech Stack (ADR-014, updated 2026-03-03)
- **Database:** PostgreSQL 16 (ALL environments — no SQLite)
- **ORM:** Drizzle ORM (`packages/shared/db/schema.ts` = single source of truth)
- **Shared code:** `packages/shared/` (`@drop/shared` npm workspace)
- **Local dev:** `docker compose up -d` → PostgreSQL on port 5433
- **Connection:** `DATABASE_URL=postgresql://drop:dev_only_not_a_secret@localhost:5433/drop_dev`
- **Schema push:** `make db-push` or `cd packages/shared && npx drizzle-kit push`
- **SUPERSEDED:** ADR-006 (SQLite), ADR-010 (dual-driver), `better-sqlite3`
- **Infra:** Azure VM + docker-compose (NOT AWS — see Production Infrastructure above)

## Rules
- Follow ALAI SDLC: processes/sdlc/
- All decisions logged in comms/decisions/
- NEVER use the word "banking" without a licence disclaimer
- Security-first: httpOnly JWT, parameterized SQL, rate limiting
- **ADR-001 required before ANY cloud migration** — no exceptions
- **DO NOT reference AWS App Runner as production** — it was sunset 2026-04-30
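The "rate limiting" rule above names no mechanism. The following is an added example, not code from the Drop repository: a per-key sliding-window limiter of the kind that belongs in front of the login and payment-initiation endpoints. The key, the limits and the injected clock are assumptions made for the example.

```typescript
// Added example, not Drop project code: sliding-window rate limiter keyed by
// an arbitrary string (user id for authenticated routes, forwarded client
// address for login). Limit, window and clock are assumptions for this demo.

interface RateLimitDecision {
  allowed: boolean;
  remaining: number;     // requests left in the current window
  retryAfterMs: number;  // 0 when allowed; otherwise until the oldest hit expires
}

class SlidingWindowLimiter {
  // key -> timestamps (ms) of accepted requests inside the window
  private readonly hits = new Map<string, number[]>();
  private readonly limit: number;
  private readonly windowMs: number;
  private readonly now: () => number;

  constructor(limit: number, windowMs: number, now: () => number = () => Date.now()) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;
  }

  check(key: string): RateLimitDecision {
    const t = this.now();
    const cutoff = t - this.windowMs;
    // Drop timestamps that have aged out so memory is bounded by `limit` per key.
    const recent = (this.hits.get(key) ?? []).filter((ts) => ts > cutoff);
    if (recent.length >= this.limit) {
      this.hits.set(key, recent);
      const oldest = recent[0] ?? t;
      return { allowed: false, remaining: 0, retryAfterMs: oldest + this.windowMs - t };
    }
    recent.push(t);
    this.hits.set(key, recent);
    return { allowed: true, remaining: this.limit - recent.length, retryAfterMs: 0 };
  }

  // Forget a key, e.g. after a successful login or when a session ends.
  reset(key: string): void {
    this.hits.delete(key);
  }
}

// Replays a constructed sequence of request times (ms) for one client and
// returns the allow/deny decision for each, using a controllable clock.
function runScenario(limit: number, windowMs: number, timesMs: number[]): boolean[] {
  let clock = 0;
  const limiter = new SlidingWindowLimiter(limit, windowMs, () => clock);
  return timesMs.map((ts) => {
    clock = ts;
    return limiter.check("client-a").allowed;
  });
}

// Constructed sample: six login attempts in five seconds, then one a minute later.
const SAMPLE_TIMES_MS = [0, 1000, 2000, 3000, 4000, 5000, 61000];
```

Two caveats for deployment. Rejected requests are not recorded here, so a client that keeps hammering is admitted again as soon as accepted hits age out; for brute-force protection on login, record failed attempts as hits too. And because production sits behind the Caddy reverse proxy, the key for unauthenticated routes must be the client address Caddy forwards, with that header trusted only when the request actually arrives from Caddy, otherwise every attacker shares the proxy's own address or can spoof a fresh key per request.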