drop-mvp-pipeline-plan

Plan: Drop MVP Pipeline A-Z 
 Research Summary 
 Actual State (13.02.2026) 
 Phase 4 (Implementation) — 95% done, NOT 80% as PIPELINE.md says: 
 
 12 frontend pages: ALL wired to real API routes via fetch() 
 24+ API routes: ALL working (auth, transactions, cards, merchants, rates, etc.) 
 SQLite DB: 6 tables + seed data, parameterized queries 
 Auth: JWT httpOnly cookies, rate limiting 
 Validation: hardened (backend + frontend), 18+ age check 
 Services: mock-swan/stripe/sumsub with config toggle (expected for MVP) 
 Rebrand: ALL pages rebranded to Stitch design 
 Tests: 126 unit + 91 e2e = 217 ALL GREEN 
 
 What's actually missing for MVP-ready: 
 
 Full remittance E2E flow test (register → login → send money → verify) 
 .env.example + environment config for production 
 Docker build verification (Dockerfile exists but untested) 
 SQLite → needs volume mount for persistence in Docker 
 5 test iterations per testing.md standard 
 Deploy to staging (Railway/Hetzner — cost analysis says 10-170 NOK/mo) 
 Domain config (getdrop.no) 
 Landing page deploy (static HTML, separate from app) 
 PIPELINE.md outdated — needs update 
 
 Infrastructure already built: 
 
 Dockerfile: 3-stage build, standalone output ✅ 
 docker-compose.yml: app + postgres, healthchecks ✅ 
 next.config.ts: standalone, CSP headers, security headers ✅ 
 Cloud cost analysis: done ✅ 
 
 NOTE: docker-compose.yml has postgres service but app uses SQLite.
For MVP: deploy with SQLite + volume (Railway/Fly persistent disk).
PostgreSQL migration is Phase 2 (200+ users) per cost analysis. 
 Objective 
 Take Drop from "works on localhost" to "deployed MVP on staging with full test coverage."
4 phases, no detours, no cosmetics. 
 Team Orchestration 
 Team Members 
 
 
 
 ID 
 Name 
 Role 
 Agent Type 
 
 
 
 
 B1 
 flow-test-builder 
 Write full remittance E2E flow + missing flow tests 
 builder 
 
 
 V1 
 test-validator 
 Run all 5 test levels, 5 iterations, verify coverage 
 validator 
 
 
 B2 
 deploy-prep-builder 
 Create .env.example, fix docker-compose for SQLite, test Docker build 
 builder 
 
 
 V2 
 deploy-validator 
 Verify Docker image builds and runs correctly 
 validator 
 
 
 B3 
 staging-builder 
 Deploy to Railway/Hetzner, configure domain, SSL 
 builder 
 
 
 V3 
 staging-validator 
 Verify staging is live, all pages load, API responds 
 validator 
 
 
 B4 
 pipeline-closer 
 Update PIPELINE.md, close MC tasks, create post-mortem 
 builder 
 
 
 
 Step-by-Step Tasks 
 Phase 1: Complete Implementation (finish Phase 4) 
 Task 1: Write missing E2E flow tests + update PIPELINE.md status 
 
 Owner: B1 
 BlockedBy: none 
 Files:
 
 tests/e2e/full-flows.spec.ts (NEW) 
 project/PIPELINE.md (UPDATE) 
 .env.example (NEW) 
 
 
 Instructions:
 
 Read existing test files to understand patterns 
 Write full E2E tests for:
 
 Complete registration → login → dashboard flow 
 Login → send money (remittance) → verify transaction in history 
 Login → scan QR → pay → verify in history 
 Login → view cards → order virtual card 
 Login → view accounts → check balances 
 Login → profile → logout → redirect to login 
 
 
 Create .env.example with all required vars:
 JWT_SECRET=change-me-in-production
NODE_ENV=production
NEXT_PUBLIC_SERVICE_MODE=mock
 
 
 Update PIPELINE.md Phase 4 status to 100% 
 Run tests, fix any failures 
 
 
 Acceptance:
 
 full-flows.spec.ts has 6+ complete user journey tests 
 All E2E tests pass (existing + new) 
 .env.example exists with documented vars 
 PIPELINE.md Phase 4 marked complete 
 
 
 
 Phase 2: Testing (5 iterations per testing.md) 
 Task 2: Run 5 test iterations across all levels, fix failures 
 
 Owner: V1 
 BlockedBy: 1 
 Instructions:
 
 Read ~/system/rules/testing.md for requirements 
 Run iteration 1: npx vitest run + npx playwright test 
 Log results to tests/logs/iteration-1.txt 
 Fix any failures found 
 Repeat for iterations 2-5 
 Check coverage: npx vitest run --coverage (target 80%+) 
 Run regression tests: npx vitest run tests/regression/ 
 Run performance tests: npx vitest run tests/performance/ 
 Final summary of all 5 iterations 
 
 
 Acceptance:
 
 5 iterations logged in tests/logs/ 
 ALL tests pass on iteration 5 
 Coverage report generated 
 No regressions 
 Performance benchmarks baselined 
 
 
 
 Phase 3: Deploy to Staging 
 Task 3: Prepare Docker for SQLite deployment 
 
 Owner: B2 
 BlockedBy: 2 
 Files:
 
 docker-compose.yml (UPDATE — add SQLite volume, remove postgres for MVP) 
 docker-compose.production.yml (NEW — for future postgres) 
 Dockerfile (UPDATE if needed) 
 
 
 Instructions:
 
 Read existing Dockerfile and docker-compose.yml 
 Create docker-compose.mvp.yml for SQLite deployment:
 
 App service with SQLite volume mount 
 JWT_SECRET from env 
 Health check on /api/health 
 No postgres (not needed for MVP) 
 
 
 Keep existing docker-compose.yml as docker-compose.production.yml (postgres version) 
 Test: docker build -t drop-app . — must succeed 
 Test: docker run -p 3000:3000 -e JWT_SECRET=test drop-app — must serve pages 
 Verify /api/health, /login, /onboarding all respond 200 
 
 
 Acceptance:
 
 Docker image builds successfully 
 Docker container starts and serves pages 
 /api/health returns 200 
 SQLite data persists across container restart (volume) 
 docker-compose.mvp.yml works with docker-compose -f docker-compose.mvp.yml up 
 
 
 
 Task 4: Validate Docker deployment 
 
 Owner: V2 
 BlockedBy: 3 
 Acceptance:
 
 Docker build < 2 minutes 
 Image size < 500MB 
 Container starts in < 10s 
 All API endpoints respond correctly 
 No security warnings in container logs 
 
 
 
 Task 5: Deploy to staging (Railway or Hetzner) 
 
 Owner: B3 
 BlockedBy: 4 
 Instructions:
 
 Read cloud-cost-analysis.md for recommended approach 
 Option A (Railway): railway init + railway up — easiest, persistent disk 
 Option B (Hetzner): Docker deploy to existing VPS if available 
 Configure:
 
 JWT_SECRET (generate secure random) 
 NODE_ENV=production 
 Domain: staging.getdrop.no or drop-staging.alai.no 
 
 
 Set up SSL (Let's Encrypt / Cloudflare) 
 Verify all pages load on staging URL 
 Deploy landing page (static HTML) to same domain or subdomain 
 
 
 Acceptance:
 
 Staging URL accessible via HTTPS 
 All 12 app pages load correctly 
 Login + registration flow works end-to-end 
 API health check passes 
 Landing page live 
 
 
 
 Task 6: Validate staging deployment 
 
 Owner: V3 
 BlockedBy: 5 
 Instructions:
 
 Hit staging URL — verify HTTPS, correct domain 
 Test all pages load (no 404, no 500) 
 Test registration flow end-to-end 
 Test login with demo credentials 
 Test send money flow 
 Test QR scan flow 
 Check security headers (CSP, HSTS, X-Frame-Options) 
 Check mobile responsiveness (375px viewport) 
 
 
 Acceptance:
 
 All pages load via HTTPS 
 Registration + login works 
 Core flows work (send, scan, cards) 
 Security headers present 
 Mobile-friendly 
 
 
 
 Phase 4: Close Pipeline 
 Task 7: Update PIPELINE.md, close tasks, create summary 
 
 Owner: B4 
 BlockedBy: 6 
 Instructions:
 
 Update PIPELINE.md:
 
 Phase 4: ✅ Done 
 Phase 5: ✅ Done (5 iterations, all pass) 
 Phase 6: ✅ Done (staging live at URL) 
 Phase 7: 🔄 Monitoring 
 
 
 Close related MC tasks: #526, #608, #791-793 (update status) 
 Create post-mortem summary:
 
 What was built 
 Test results 
 Staging URL 
 Known limitations (mock services, SQLite, no BankID) 
 Next steps for production (partner agreements, PostgreSQL, Finanstilsynet) 
 
 
 Post summary to HiveMind 
 
 
 Acceptance:
 
 PIPELINE.md fully updated 
 MC tasks updated 
 Post-mortem written 
 HiveMind updated 
 Alem can access staging URL 
 
 
 
 Validation Commands 
 # Phase 1 — Tests
cd ~/ALAI/products/Drop/src/drop-app
npx vitest run # Unit tests
npx playwright test # E2E tests

# Phase 2 — Coverage
npx vitest run --coverage

# Phase 3 — Docker
docker build -t drop-app .
docker run -p 3001:3000 -e JWT_SECRET=test123 drop-app
curl http://localhost:3001/api/health

# Phase 4 — Staging
curl -I https://staging.getdrop.no
curl https://staging.getdrop.no/api/health
 
 Risk Register 
 
 
 
 Risk 
 Impact 
 Mitigation 
 
 
 
 
 Docker build fails (native deps) 
 Blocks deploy 
 better-sqlite3 needs python/g++ in Dockerfile — already there 
 
 
 Railway free tier limits 
 Slow staging 
 Upgrade to $5/mo Starter — within budget 
 
 
 SQLite concurrent writes 
 Data corruption under load 
 MVP only, < 200 users. PostgreSQL in Phase 2 
 
 
 No real BankID 
 Can't verify real users 
 Expected for MVP. Mock BankID with DOB field 
 
 
 No partner APIs (Swan/Stripe/Sumsub) 
 All transactions are mock 
 Expected. Partner agreements are business tasks, not code 
 
 
 
 Timeline 
 
 
 
 Phase 
 Tasks 
 Parallel? 
 Estimated 
 
 
 
 
 1: Complete impl 
 Task 1 
 Solo 
 1 builder 
 
 
 2: Testing 
 Task 2 
 Solo (blocked by 1) 
 1 validator 
 
 
 3: Deploy 
 Tasks 3-6 
 B2→V2→B3→V3 sequential 
 2 builders + 2 validators 
 
 
 4: Close 
 Task 7 
 Solo (blocked by 6) 
 1 builder 
 
 
 
 Total: 4 builders + 3 validators = 7 agent tasks