# drop-full-delivery-plan

# Plan: Drop Full Delivery (#7187)

## Research Summary

Full codebase audit completed (2026-04-06). Drop is 65-70% feature complete, 40% production ready.

**What exists:**
- Landing page with waitlist form (PostgreSQL-backed) — 13 languages
- Next.js web app: 27 pages, 72 API routes, CSRF/CSP security
- Hono/TS backend: 27 route modules, 20 DB tables, demo mode
- React Native/Expo mobile: 18 screens, BankID WebView, biometrics
- BankID mock + Bank mock (PISP/AISP simulation) — fully implemented
- Docker Compose (postgres, redis, api, app)
- 11 GitHub Actions workflows (CI/CD)
- 561 test files (mixed quality)

**What's missing:**
- Production deploy to Azure (currently Vercel/Fly.io)
- Comprehensive E2E test suite (~100 scenarios, currently ~3)
- CI/CD targeting Azure (currently Fly.io)
- Browser verification that bugs are fixed post-deploy
- Native mobile builds tested on device

**CEO constraints:**
- Deploy to Azure (NOT Vercel)
- Everything that exists must WORK in demo
- ~100 E2E scenarios covering all user flows
- CI/CD triggers Playwright on every push to dev/main
- Native apps for iOS + Android

## Objective

Deploy Drop to Azure with a fully functional demo (BankID mock + Bank mock), 100+ E2E test scenarios with CI/CD integration, and verified native mobile builds.

## Team Orchestration

### Team Members

| ID | Name | Role | Agent Type | Model |
|----|------|------|------------|-------|
| TL | Petter Graff | Team Lead / Architect | persona (petter-graff) | sonnet |
| B1 | infra-builder | Azure deploy + Docker + CI/CD | builder (flowforge) | sonnet |
| B2 | e2e-builder | Playwright E2E test suite (~100 scenarios) | builder (codecraft) | sonnet |
| B3 | mobile-builder | Native mobile build verification + fixes | builder (paul-hudson) | sonnet |
| B4 | landing-builder | Landing page Azure deploy + form verification | builder (frontend-builder) | sonnet |
| V1 | drop-validator | Validate all phases | validator | sonnet |
| D1 | Jake Wharton | Android advisory (consulted by B3) | persona (jake-wharton) | sonnet |
| D2 | Thaer Sabri | Payments domain advisory (consulted by TL) | persona (thaer-sabri) | sonnet |

### Step-by-Step Tasks

---

#### Phase 1: Azure Infrastructure + Deploy (B1)

**Task 1.1:** Dockerize and deploy Drop full stack to Azure
- Owner: B1 (flowforge)
- BlockedBy: none
- Description:
  - Use existing Docker Compose as base (postgres:16, redis:7, drop-api, drop-app)
  - Deploy to Azure VM 4.223.110.181 or new Azure Container Apps
  - Configure DNS: app.getdrop.no → Azure (not Vercel)
  - Configure DNS: getdrop.no → Azure (static landing from landing/)
  - Set DROP_MODE=demo, SEED_DEMO=true
  - Ensure PostgreSQL persistent volume
  - Ensure Redis for rate limiting/sessions
  - Configure SSL/TLS (Let's Encrypt or Azure managed cert)
  - Set environment variables (DATABASE_URL, JWT_SECRET, PII_ENCRYPTION_KEY, etc.)
- Files owned: docker-compose.production.yml, infrastructure/, .github/workflows/deploy*.yml
- Acceptance:
  - [ ] app.getdrop.no loads on Azure (not white page)
  - [ ] getdrop.no landing loads with waitlist form
  - [ ] Waitlist form submits and stores in PostgreSQL
  - [ ] Demo login works at app.getdrop.no/login
  - [ ] Health endpoint returns 200: app.getdrop.no/api/health
  - [ ] SSL certificate valid
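
A production compose file that satisfies the points above (persistent PostgreSQL volume, Redis for sessions/rate limiting, demo mode, secrets injected from an untracked `.env`, TLS at the edge) could look like the following. This is an added example, not the project's own `docker-compose.production.yml`. The image build paths (`./src/drop-api`, `./src/drop-app`), the `REDIS_URL` and `API_URL` variable names, the internal ports 3000/3001, and the Caddy reverse proxy used to obtain Let's Encrypt certificates are all assumptions made for the example.

```yaml
# docker-compose.production.yml (added example, not the project's own file)
# Assumes: api/app images build from ./src/drop-api and ./src/drop-app (hypothetical
# paths); secrets come from an untracked .env file next to this compose file.
services:
  postgres:
    image: postgres:16
    restart: unless-stopped
    environment:
      POSTGRES_DB: drop
      POSTGRES_USER: drop
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?set in .env, never commit it}
    volumes:
      - pgdata:/var/lib/postgresql/data   # named volume: data survives container recreation
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U drop -d drop"]
      interval: 10s
      timeout: 5s
      retries: 5
    # No "ports:" entry on purpose: only services on the compose network reach the DB.

  redis:
    image: redis:7
    restart: unless-stopped
    command: ["redis-server", "--appendonly", "yes"]   # persist rate-limit/session state
    volumes:
      - redisdata:/data
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
      interval: 10s
      timeout: 5s
      retries: 5

  drop-api:
    build: ./src/drop-api               # assumed path
    restart: unless-stopped
    environment:
      DROP_MODE: demo
      SEED_DEMO: "true"
      DATABASE_URL: postgres://drop:${POSTGRES_PASSWORD}@postgres:5432/drop
      REDIS_URL: redis://redis:6379     # assumed variable name
      JWT_SECRET: ${JWT_SECRET:?set in .env}
      PII_ENCRYPTION_KEY: ${PII_ENCRYPTION_KEY:?set in .env}
    depends_on:
      postgres:
        condition: service_healthy
      redis:
        condition: service_healthy
    expose:
      - "3000"                          # assumed internal port, reachable only via the proxy

  drop-app:
    build: ./src/drop-app               # assumed path
    restart: unless-stopped
    environment:
      API_URL: http://drop-api:3000     # assumed variable name
    depends_on:
      - drop-api
    expose:
      - "3001"                          # assumed internal port

  proxy:
    # Caddy terminates TLS and fetches Let's Encrypt certificates automatically
    # (assumed choice; an Nginx + certbot pair or an Azure managed cert works the same way).
    image: caddy:2
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro   # maps app.getdrop.no -> drop-app:3001, getdrop.no -> landing
      - caddydata:/data                       # persists issued certificates across restarts
    depends_on:
      - drop-app

volumes:
  pgdata:
  redisdata:
  caddydata:
```

Two design points worth keeping when adapting this: the database and Redis publish no host ports, so the only path into the stack is the TLS proxy, and every secret uses the `${VAR:?message}` form so a missing `.env` value fails `docker compose up` immediately instead of starting the API with an empty `JWT_SECRET` or `PII_ENCRYPTION_KEY`.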

**Task 1.2:** Configure CI/CD for Azure deploy
- Owner: B1 (flowforge)
- BlockedBy: 1.1
- Description:
  - Update .github/workflows/ci.yml to run Playwright E2E on every push to dev/main
  - Create .github/workflows/deploy-azure.yml for production deploy to Azure
  - Trigger: push to main → build → test → deploy
  - Trigger: push to dev → build → test (no deploy)
  - Use GitHub Actions with SSH deploy or Azure CLI
- Files owned: .github/workflows/
- Acceptance:
  - [ ] Push to dev triggers lint + test + Playwright
  - [ ] Push to main triggers lint + test + Playwright + Azure deploy
  - [ ] Failed tests block deploy
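
The trigger rules above (dev and main both run lint + test + Playwright, only main deploys, failing tests block the deploy) map onto a single workflow with a `deploy` job that `needs` the `test` job and is further gated on the branch. The workflow below is an added example, not the project's existing `ci.yml` or a file from the repository. It assumes the web app lives in `src/drop-app` with `lint` and `test` npm scripts, that the local compose stack serves the app on `localhost:3001`, that the VM has a checkout at `/opt/drop`, and that the secrets `AZURE_SSH_KEY`, `AZURE_SSH_KNOWN_HOSTS` and `AZURE_VM_HOST` have been created in the GitHub `production` environment.

```yaml
# .github/workflows/deploy-azure.yml (added example, not the project's own workflow)
name: ci-and-deploy

on:
  push:
    branches: [dev, main]

permissions:
  contents: read          # the workflow token needs nothing beyond checkout

concurrency:
  group: deploy-${{ github.ref }}
  cancel-in-progress: false   # never abort a deploy half-way

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm
          cache-dependency-path: src/drop-app/package-lock.json   # assumed location
      - run: npm ci
        working-directory: src/drop-app
      - run: npm run lint          # assumed script name
        working-directory: src/drop-app
      - run: npm test              # unit tests
        working-directory: src/drop-app
      - run: npx playwright install --with-deps chromium
        working-directory: src/drop-app
      # Bring up the demo stack and wait for healthchecks before running E2E
      - run: DROP_MODE=demo SEED_DEMO=true docker compose up -d --wait
      - run: BASE_URL=http://localhost:3001 npx playwright test   # assumed app port
        working-directory: src/drop-app
      - uses: actions/upload-artifact@v4
        if: always()               # keep the HTML report even when tests fail
        with:
          name: playwright-report
          path: src/drop-app/playwright-report
      - run: docker compose down -v
        if: always()

  deploy:
    needs: test                    # a failed or skipped test job blocks this job
    if: github.ref == 'refs/heads/main'   # dev pushes stop after testing
    runs-on: ubuntu-latest
    environment: production        # secrets and any required approval are scoped here
    steps:
      - name: Deploy over SSH to the Azure VM
        env:
          SSH_KEY: ${{ secrets.AZURE_SSH_KEY }}             # assumed secret name
          KNOWN_HOSTS: ${{ secrets.AZURE_SSH_KNOWN_HOSTS }} # pinned host key, assumed secret name
          HOST: ${{ secrets.AZURE_VM_HOST }}                # assumed secret name
        run: |
          umask 077
          mkdir -p ~/.ssh
          printf '%s\n' "$SSH_KEY" > ~/.ssh/deploy_key
          printf '%s\n' "$KNOWN_HOSTS" > ~/.ssh/known_hosts   # no ssh-keyscan: that would trust any host
          ssh -i ~/.ssh/deploy_key -o StrictHostKeyChecking=yes "deploy@$HOST" \
            'cd /opt/drop && git pull --ff-only && \
             docker compose -f docker-compose.production.yml up -d --build --wait'
```

The `needs: test` edge is what enforces "failed tests block deploy"; the branch condition on `if:` is what keeps dev pushes from deploying. Pinning the server's host key in a secret rather than running `ssh-keyscan` at deploy time means a DNS or network hijack of the VM address cannot silently receive the deploy key's session.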

---

#### Phase 2: E2E Test Suite (B2) — PARALLEL with Phase 1

**Task 2.1:** Create comprehensive Playwright E2E test suite (~100 scenarios)
- Owner: B2 (codecraft)
- BlockedBy: none (can write tests against local docker compose)
- Description:
  - Use existing playwright.config.ts as base
  - Create organized test structure in src/drop-app/tests/e2e/
  - All tests run against demo mode (DROP_MODE=demo)
  - Test categories and approximate scenario counts:

  **Authentication (12 scenarios):**
  - Demo login happy path
  - Demo login with different users (standard, merchant, admin)
  - Login form validation (empty, invalid email, wrong password)
  - Logout
  - Session expiry handling
  - CSRF protection verification
  - Rate limiting on login
  - BankID mock flow initiation
  - Register new account
  - Register validation (age <18, invalid phone)
  - Auth redirect (unauthenticated user → login)
  - Multiple device session handling

  **Onboarding (8 scenarios):**
  - Complete onboarding flow
  - Skip optional steps
  - KYC verification mock
  - Phone number validation (+47 only)
  - Age verification (must be 18+)
  - Terms acceptance required
  - Back navigation during onboarding
  - Resume incomplete onboarding

  **Dashboard (8 scenarios):**
  - Dashboard loads with balance
  - Recent transactions display
  - Quick action buttons work
  - Pull-to-refresh behavior
  - Empty state (new user)
  - Currency display (NOK)
  - Navigation to all sections
  - Notification badge count

  **Send Money / Remittance (15 scenarios):**
  - Send to existing recipient
  - Add new recipient + send
  - Amount validation (min, max, decimal)
  - Currency selection (30+ countries)
  - Fee calculation display (0.5%)
  - Exchange rate display
  - Confirmation screen
  - Transaction success
  - Transaction failure handling
  - Receipt generation
  - Send again from history
  - Rate lock (30-min expiry)
  - Insufficient balance handling
  - AML threshold warning
  - Cancel mid-transaction

  **QR Payments (8 scenarios):**
  - Generate QR code (merchant)
  - Scan QR code (customer)
  - QR payment confirmation
  - QR payment success
  - Invalid QR code handling
  - QR amount pre-filled
  - QR payment receipt
  - Merchant dashboard after QR payment

  **Bank Accounts (6 scenarios):**
  - View linked accounts
  - Link new bank account (AISP mock)
  - Refresh balance
  - Multiple accounts display
  - Unlink account
  - Consent renewal flow

  **Transaction History (10 scenarios):**
  - List all transactions
  - Filter by date range
  - Filter by type (sent/received)
  - Search transactions
  - Transaction detail view
  - Receipt download/view
  - CSV export
  - Pagination/infinite scroll
  - Empty state
  - Transaction status indicators

  **Merchant (8 scenarios):**
  - Register as merchant
  - Merchant dashboard loads
  - QR code generation
  - Sales overview
  - Transaction list (merchant view)
  - Settlement statement
  - Merchant profile edit
  - Merchant fee display

  **Profile & Settings (12 scenarios):**
  - View profile
  - Edit personal details
  - Change language (nb, en, etc.)
  - Notification preferences toggle
  - Security settings
  - Biometric lock toggle (face unlock)
  - Privacy policy accessible
  - Terms of service accessible
  - GDPR data export request
  - GDPR objection/rectification
  - Help/FAQ accessible
  - Complaint filing

  **Notifications (5 scenarios):**
  - Notification list loads
  - Mark as read
  - Mark all as read
  - Unread count badge
  - Empty notifications state

  **Edge Cases & Error Handling (8 scenarios):**
  - Network error handling
  - 500 server error display
  - 404 page
  - Session expired mid-action
  - Concurrent tab handling
  - Mobile viewport responsiveness
  - Accessibility (keyboard navigation)
  - Input sanitization (XSS prevention)

  **TOTAL: ~100 scenarios**

- Files owned: src/drop-app/tests/e2e/**
- Acceptance:
  - [ ] 100+ test scenarios written
  - [ ] All tests pass against local Docker compose (demo mode)
  - [ ] Tests organized by feature area
  - [ ] Each test has descriptive name
  - [ ] Tests are independent (no order dependency)
  - [ ] Test report generated (HTML reporter)

---

#### Phase 3: Landing Page Azure Deploy (B4) — PARALLEL with Phase 1 & 2

**Task 3.1:** Deploy landing page to Azure
- Owner: B4 (frontend-builder)
- BlockedBy: none
- Description:
  - Landing page is static HTML (landing/index.html + api/waitlist.js)
  - Deploy static files via Nginx on Azure VM or Azure Static Web Apps
  - Waitlist API needs Node.js runtime (serverless or Express wrapper)
  - Configure getdrop.no DNS → Azure
  - Ensure DATABASE_URL for waitlist PostgreSQL
  - Verify form submission works end-to-end
- Files owned: landing/, nginx configs
- Acceptance:
  - [ ] getdrop.no loads landing page
  - [ ] Waitlist form submits successfully
  - [ ] Email stored in PostgreSQL waitlist_signups table
  - [ ] All 13 language variants accessible
  - [ ] SSL certificate valid
  - [ ] Mobile responsive

---

#### Phase 4: Mobile Build Verification (B3) — PARALLEL

**Task 4.1:** Verify and fix React Native mobile builds
- Owner: B3 (paul-hudson persona for iOS guidance)
- BlockedBy: none
- Description:
  - Verify iOS build compiles (EAS Build)
  - Verify Android build compiles (EAS Build)
  - Test demo mode on iOS Simulator
  - Test demo mode on Android Emulator
  - Verify BankID WebView integration in demo mode
  - Verify biometric auth flow
  - Fix any build errors
  - Document build steps
  - Consult jake-wharton persona for Android-specific issues (Samsung Knox, biometric)
- Files owned: src/drop-mobile/
- Acceptance:
  - [ ] iOS build compiles without errors
  - [ ] Android build compiles without errors
  - [ ] Demo login works on iOS Simulator
  - [ ] Demo login works on Android Emulator
  - [ ] Navigation through all 18 screens works
  - [ ] Biometric auth prompt appears

---

#### Phase 5: Validation (V1) — AFTER Phases 1-4

**Task 5.1:** Validate entire Drop deployment
- Owner: V1 (validator)
- BlockedBy: 1.1, 1.2, 2.1, 3.1, 4.1
- Description:
  - Browser verification: app.getdrop.no loads and demo works
  - Browser verification: getdrop.no form submits
  - Run full Playwright E2E suite against Azure deployment
  - Verify CI/CD pipeline triggers correctly
  - Verify mobile builds
  - Check HiveMind updates from all builders
  - Run qa-19.js quality gate
- Acceptance:
  - [ ] app.getdrop.no renders (NOT white page) — Playwright screenshot
  - [ ] getdrop.no waitlist form submits — Playwright screenshot
  - [ ] E2E suite: 90%+ pass rate on Azure
  - [ ] CI/CD: test push to dev triggers workflow
  - [ ] Mobile: builds compile
  - [ ] qa-19.js score >= 17/19

---

## Validation Commands

```bash
# Health check
curl -s https://app.getdrop.no/api/health | jq .

# Landing page
curl -s -o /dev/null -w "%{http_code}" https://getdrop.no

# Waitlist form
curl -s -X POST https://getdrop.no/api/waitlist -H "Content-Type: application/json" -d '{"email":"test@test.com"}'

# Run E2E tests against Azure
cd ~/ALAI/products/Drop/src/drop-app && BASE_URL=https://app.getdrop.no npx playwright test

# CI/CD verification
gh workflow list -R ALAI/Drop
gh run list -R ALAI/Drop --limit 5

# QA gate
node ~/system/tools/qa-19.js check 7187

# Mobile builds
cd ~/ALAI/products/Drop/src/drop-mobile && eas build --platform all --profile preview --non-interactive
```

## Execution Order

```
Phase 1 (B1: Azure infra)  ──┐
Phase 2 (B2: E2E tests)    ──┼──→ Phase 5 (V1: Validate all)
Phase 3 (B4: Landing)      ──┤
Phase 4 (B3: Mobile)       ──┘
```

All 4 builder phases run IN PARALLEL. Validator runs after all complete.

## Risk Mitigations

| Risk | Mitigation |
|------|------------|
| Azure VM resource limits (4GB RAM) | Use Container Apps if needed, or scale VM |
| DNS propagation delay | Pre-configure Azure IP, use low TTL |
| Playwright flaky on CI | Use retry: 1, serial mode for auth tests |
| Mobile EAS build queue | Use local builds as fallback |
| Hook permission blocks | Builders use worktree isolation |

## Notes

- Backend is Hono/TS (migration to Kotlin pending MC #5124) — we deploy CURRENT stack, not migrated
- BankID + Bank mock already exist — no need to build from scratch
- Demo mode (DROP_MODE=demo) is the target, not production with real banking
- Cards feature stays disabled (feature-flagged off)