drop-srbija-plan

Plan: Drop Srbija — Phase 2 Build Plan

Created: 2026-04-16 Product: Drop Srbija — Serbian market phone-based payment app Scaffold: ~/ALAI/products/DropSrbija/ Status: Scaffold complete. Phase 2 build begins.

Research Summary (5-Expert Gap Analysis)

Critical Discoveries

#	Finding	Severity	Expert
1	NBS IPS is ISO 20022 XML via mTLS — NOT REST. Blueprint's `https://ips.nbs.rs/api/v1` endpoint DOES NOT EXIST	P0	Markos Zachariadis
2	Drop cannot connect to NBS IPS directly — must go through a licensed bank partner	P0	Markos Zachariadis
3	No Serbian d.o.o. legal entity → NBS PI license application impossible	P0	Thaer Sabri
4	No NBS PI license application initiated — operating live IPS is criminal violation	P0	Thaer Sabri
5	OTP stored as `hash($otp)` = plaintext string — NOT bcrypt. Security theater.	P0	Petter Graff / Angie Jones
6	Phone-to-IBAN resolution missing — NBS IPS needs IBAN, not phone. No Serbian registry exists	P0	Markos Zachariadis
7	Phase 3 (live IPS) BEFORE Phase 4 (KYC) = ZPNFTM AML violation — sequence is illegal	P0	Thaer Sabri
8	69 test cases needed, 0 exist. No test infrastructure, no src/test directory	P0	Angie Jones
9	NBS IPS P2P transfers are FREE by regulation — per-transaction fee model impossible for consumers	P1	Markos Zachariadis + BA
10	IPS QR must use DinaCard standard — custom HMAC QR unreadable by all Serbian bank apps	P1	Markos Zachariadis
11	No SMS provider integrated (Twilio referenced but not implemented)	P1	Petter Graff
12	Sanctions screening references "NBS SDN list" — doesn't exist. Must use UN + EU + Serbian lists	P1	Thaer Sabri
13	Pre-transaction disclosure screen missing — legally required by Law on Payment Services	P1	Thaer Sabri
14	USPNFT AML reporting module entirely absent from architecture	P1	Thaer Sabri
15	No CI/CD pipeline, no Dockerfile, no docker-compose.yml for DropSrbija	P1	Petter Graff

Revenue Model Reality

Consumer P2P: Must be FREE (NBS regulation mandate)
Merchant QR: 0.5–1.2% per transaction (competitive vs. card at 1.5–1.8%)
B2B payroll: Flat fee per batch
NBS IPS cap: 300,000 RSD (~€2,550) per transaction hard limit
Bank partner timeline: 12–18 months to live IPS integration

CEO-Level Decisions Required

Incorporate Drop Srbija d.o.o. in Serbia — min capital EUR 125,000
Bank partner outreach — Priority: Raiffeisen Serbia, MTS Banka (Telekom Srbija subsidiary — phone data synergy)
NBS PI license application — 12–14 months, requires Serbian legal counsel

Objective

Build Drop Srbija from scaffold to production-ready MVP: fix all P0 security/legal blockers, implement bank partner adapter architecture, build KYC/AML compliance layer, write 69+ test cases, set up CI/CD — in correct regulatory sequence (KYC → IPS, not IPS → KYC).

Team Orchestration

Team Members

ID	Name	Role	Company	Agent Type
B1	petter-graff	Backend architecture + security fixes	CodeCraft	backend-builder
B2	finverge	Payments compliance + AML architecture	Finverge	finverge
B3	lexicon	Legal docs + ZZPL compliance	Lexicon	lexicon
B4	proveo	QA — all test suites	Proveo	proveo
B5	flowforge	DevOps — CI/CD, Docker	FlowForge	devops-dev
B6	vizu	Frontend — disclosure screens, complaints UI	Vizu	vizu
V1	angie-jones	Test validation — all builds	Proveo	angie-jones
V2	sentinel-validator	Cross-reference final report	SENTINEL	sentinel-validator

Step-by-Step Tasks

Phase 0: CEO Decisions (Escalated — Not Delegated to Builders)

Task 0a: Incorporate Drop Srbija d.o.o. + initiate NBS PI license

Owner: Alem Basic (CEO)
Estimated cost: EUR 125,000 minimum capital + Serbian legal counsel fees
Lexicon can draft the application package; Serbian advocate must sign/submit
Timeline: 12–18 months to authorization

Task 0b: Bank partner outreach

Priority 1: Raiffeisen Bank Srbija (developer portal, fintech-friendly)
Priority 2: MTS Banka (Telekom Srbija — phone-to-IBAN synergy)
Documents prepared by: sentinel-ba (Task 10 below)

Phase 1: Security P0 Fixes (CodeCraft)

Task 1: Fix OTP Security (CRITICAL BLOCKER)

Owner: B1 (petter-graff)
BlockedBy: none
Acceptance:
- PhoneOtpService.hashOtp() uses bcrypt (BCrypt.hashpw, cost factor 12)
- PhoneOtpService.verifyOtpHash() uses BCrypt.checkpw
- Stored OTP in DB is bcrypt hash, not "hash($otp)" string
- Existing unit tests pass (or are updated to match)
- No plaintext OTP ever written to logs

Task 2: Fix Phone Regex + Add Serbian Format Normalisation

Owner: B1 (petter-graff)
BlockedBy: none
Acceptance:
- Regex updated: ^\+381[0-9]{8,9}$ (8–9 digits after country code)
- Normalisation: 0641234567 → +381641234567 at route layer
- Landline prefix (+38111, +38121 etc.) rejected for OTP
- Test fixtures documented in code

Task 3: Per-Phone OTP Rate Limiting

Owner: B1 (petter-graff)
BlockedBy: none
Acceptance:
- 3 OTP requests per phone per minute → 4th returns 429
- 10 OTP requests per phone per hour → returns 429
- Redis used as rate limit store (already in docker-compose)
- Rate limit headers in response (X-RateLimit-Remaining)

Task 4: SMS Provider Integration (SmsGateway abstraction + Twilio)

Owner: B1 (petter-graff)
BlockedBy: Task 1
Acceptance:
- SmsGateway interface with sendOtp(phone: String, otp: String): SmsResult
- TwilioSmsGateway implementation using Twilio REST API
- StubSmsGateway for dev/test (prints OTP to logs)
- PhoneOtpService injects SmsGateway (DI via Koin/manual)
- Twilio credentials from environment variables (not hardcoded)
- ENV: TWILIO_ACCOUNT_SID, TWILIO_AUTH_TOKEN, TWILIO_FROM_NUMBER

Task 5: Validate Task 1–4 (Security Fixes)

Owner: V1 (angie-jones)
BlockedBy: Tasks 1, 2, 3, 4
Acceptance:
- OTP in phone_verifications table is bcrypt hash (verified via SELECT)
- Attempting brute force OTP (6 wrong guesses) returns correct HTTP 400
- 4th OTP request in 1 minute returns HTTP 429
- Phone +381123456 (too short) rejected at route layer

Phase 2: Architecture (CodeCraft)

Task 6: NBS IPS Bank Partner Adapter Pattern

Owner: B1 (petter-graff)
BlockedBy: Task 1
Acceptance:
- BankPartnerAdapter interface with initiateTransfer(), checkStatus(), resolvePhoneToAccount()
- StubBankPartnerAdapter — realistic mock with ISO 20022 status codes (ACCP, ACSC, RJCT, PDNG)
- RaiffeisenBankAdapter — skeleton with mTLS config hooks
- Amount validation: amount > 300_000 RSD → HTTP 422 AMOUNT_EXCEEDS_IPS_LIMIT
- NbsIpsLogs.request_body stores ISO 20022 XML (not JSON stub)
- partner_bank column added via Flyway V2 migration

Task 7: Phone-to-IBAN Resolution Layer

Owner: B1 (petter-graff)
BlockedBy: Task 6
Acceptance:
- linked_accounts table via Flyway V3 (id, user_id, iban, bank_name, is_primary, verified_at)
- IBAN validation: Serbian RS + 20 digits with checksum
- AccountLinkingService.resolvePhoneToIban(phone) returns primary IBAN or null
- GET /v1/accounts, POST /v1/accounts/link, PATCH /v1/accounts/{id}/set-primary
- POST /v1/ips/initiate returns 404 RECIPIENT_NOT_REGISTERED if phone not linked
- Onboarding flow requires IBAN link before first payment

Task 8: Transaction Idempotency

Owner: B1 (petter-graff)
BlockedBy: Task 7
Acceptance:
- Idempotency-Key header on POST /v1/ips/initiate
- Duplicate request with same key returns original response (not double charge)
- Idempotency key stored in Transactions table
- 60-minute idempotency window

Task 9: Validate Task 6–8 (Architecture)

Owner: V1 (angie-jones)
BlockedBy: Tasks 6, 7, 8
Acceptance:
- POST /v1/ips/initiate with amount 300,001 → HTTP 422
- POST /v1/ips/initiate to unlinked phone → HTTP 404
- Duplicate initiate with same Idempotency-Key → single transaction in DB

Phase 3: Compliance Architecture (Finverge + CodeCraft)

Task 10: KYC Service (Veriff/Sumsub + JMBG)

Owner: B2 (finverge)
BlockedBy: Task 6
Acceptance:
- KycService.kt with createKycSession(), handleKycWebhook(), updateKycStatus()
- kyc_sessions table via Flyway V5
- JMBG field added to Users: jmbg_encrypted, jmbg_hash (Flyway V6)
- KycRequiredPlugin gates /v1/ips/initiate → 403 if kyc_status ≠ VERIFIED
- Human-in-the-loop review step before VERIFIED status
- Phase sequence enforced: KYC BEFORE live IPS

Task 11: AML Monitoring + USPNFT Reporting

Owner: B2 (finverge)
BlockedBy: Task 10
Acceptance:
- Velocity rules: flag user exceeding 120,000 RSD in 24h
- Structuring detection: multiple sub-threshold transactions in pattern
- STR workflow: alert → compliance review → USPNFT eUprava export (XML)
- Sanctions screening: UN consolidated + EU restrictive + Serbian Government lists
- All references to "NBS SDN list" removed/corrected in codebase + docs
- aml_flags table with risk_level, flag_reason, reviewed_by, resolved_at

Task 12: Pre-Transaction Disclosure + Post-Settlement Receipt

Owner: B1 (petter-graff) backend + B6 (vizu) frontend
BlockedBy: Task 11
Acceptance:
- Confirmation screen before POST /v1/ips/initiate: amount, fee, execution time, exchange rate
- disclosure_acknowledged: true flag in initiation payload + stored in Transactions
- NBS IPS settlement webhook handler → push notification/in-app receipt
- Receipt contains: tx reference, amount, fee, value date, recipient ID
- Flyway migration adds disclosure_acknowledged to Transactions table

Task 13: Complaints Handling Module

Owner: B1 (petter-graff) backend + B6 (vizu) frontend
BlockedBy: Task 12
Acceptance:
- complaints table (id, user_id, transaction_id, category, status, submitted_at, resolved_at)
- POST /v1/complaints (authenticated user)
- GET /admin/complaints (compliance officer)
- SLA alert: flag if complaint > 10 working days unresolved
- Resolution letter template in Serbian with NBS escalation notice

Task 14: Legal Documents Package (Lexicon)

Owner: B3 (lexicon)
BlockedBy: none (parallel)
Acceptance:
- Privacy policy in Serbian (ZZPL Article 23 compliant)
- DPIA for KYC biometric processing (ZZPL Article 54)
- NBS PI license application package (business plan, org chart, AML programme)
- Framework contract for payment service users (Serbian, Law on Payment Services Articles 60-70)
- NBS PISP license requirements checklist
- Bank partnership pitch document
- Incident notification procedure (NBS 4h initial, NBS 72h detailed, Poverenik 72h)
- All saved to: ~/ALAI/products/DropSrbija/comms/decisions/

Task 15: Validate Task 10–13 (Compliance)

Owner: V1 (angie-jones)
BlockedBy: Tasks 10, 11, 12, 13
Acceptance:
- User with kyc_status = PENDING cannot initiate payment → 403
- Payment attempt with sanctioned phone → 403 + audit log entry
- Complaint submission → DB record + SLA timer started
- Disclosure screen appears before payment confirmation

Phase 4: DevOps (FlowForge)

Task 16: Dockerfile + Docker Compose for DropSrbija

Owner: B5 (flowforge)
BlockedBy: Task 4 (SMS env vars needed)
Acceptance:
- Dockerfile.drop-srbija-api with non-root user (uid 1001)
- Multi-stage build (builder + runtime)
- docker-compose.yml with all 4 services: postgres:5434, redis:6380, api:3003, frontend:3000
- docker-compose.production.yml with SEED_DEMO=false
- Health checks on all containers
- .env.example with all required variables documented

Task 17: CI/CD Pipeline

Owner: B5 (flowforge)
BlockedBy: Task 16
Acceptance:
- .github/workflows/test.yml — run Kotest on every PR
- .github/workflows/build.yml — docker build on push to develop
- .github/workflows/deploy-staging.yml — deploy to staging on merge to develop
- Quality gate: fails if test coverage < 60%
- Sonar integration (reuse pattern from Drop Norway)

Task 18: Validate Task 16–17 (DevOps)

Owner: B5 (flowforge) + V1 (angie-jones)
BlockedBy: Tasks 16, 17
Acceptance:
- docker-compose up starts all 4 containers healthy
- GET http://localhost:3003/health returns 200
- CI pipeline runs on test PR without errors

Phase 5: Test Suites (Proveo + CodeCraft)

Task 19: Kotest + Testcontainers + WireMock Infrastructure

Owner: B1 (petter-graff)
BlockedBy: Task 16
Acceptance:
- build.gradle.kts test dependencies: kotest-runner-junit5, kotest-assertions-core, testcontainers-postgresql, wiremock-jre8, ktor-server-test-host
- AbstractIntegrationTest base class: starts PG16 container, runs Flyway, truncates tables between tests
- FakeSmsGateway implementation
- docker-compose.test.yml (PG only)
- Makefile target make test

Task 20: PhoneOtpService Tests (10 cases)

Owner: B4 (proveo)
BlockedBy: Task 19
Acceptance:
- PhoneOtpServiceTest.kt — 10 test cases per Angie Jones spec
- OTP bcrypt storage verified
- Expiry, attempts lock, re-request all tested
- All 10 pass

Task 21: OTP Rate Limiting Tests (5 cases)

Owner: B4 (proveo)
BlockedBy: Tasks 3, 19
Acceptance:
- 5 rate limiting scenarios tested
- Per-phone independence verified
- All 5 pass

Task 22: NBS IPS WireMock Tests (9 cases)

Owner: B4 (proveo)
BlockedBy: Tasks 6, 19
Acceptance:
- WireMock stubs for ACCP, RJCT, 500, timeout, 429 scenarios
- NbsIpsLogs verified after each scenario
- All 9 pass

Task 23: Amount Validation + AML Threshold Tests (19 cases)

Owner: B4 (proveo)
BlockedBy: Tasks 8, 11, 19
Acceptance:
- Amount edge cases: 0, -1, MAX_INT, decimal, >300k RSD
- AML threshold: >120k RSD flags correctly
- Sanctioned phone → 403
- All 19 pass

Task 24: JWT Security Tests (10 cases)

Owner: B4 (proveo)
BlockedBy: Task 19
Acceptance:
- Wrong issuer, expired, tampered, wrong audience all → 401
- 401 responses don't leak internal info
- All 10 pass

Task 25: Playwright E2E Tests (6 journeys, Serbian locale)

Owner: B4 (proveo)
BlockedBy: Task 16 (needs running stack)
Acceptance:
- playwright.config.ts with sr-RS locale, Belgrade timezone, iPhone 14 viewport
- 6 user journeys: happy login, invalid phone, wrong OTP, network error, session persist, logout
- All 6 pass against running docker-compose stack

Task 26: Validate All Test Suites

Owner: V1 (angie-jones)
BlockedBy: Tasks 20, 21, 22, 23, 24, 25
Acceptance:
- ./gradlew test — all test suites pass
- npx playwright test — all E2E journeys pass
- Total test count ≥ 69
- No test suite has 0 tests
- Coverage report shows ≥ 60% on modules with tests

Phase 6: Business Development (Skybound/BA)

Task 27: Bank Partnership Outreach Package

Owner: B2 (finverge) + Skybound BA
BlockedBy: none (parallel)
Acceptance:
- serbian-banks-api-landscape.md — Raiffeisen, MTS Banka, ProCredit, NLB with API capabilities
- serbian-bank-partnership-pitch.md — one-page pitch deck content
- nbs-pisp-license-requirements.md — full checklist, capital requirements, timeline
- Recommendation: start as bank agent → own license Year 2
- Saved to ~/ALAI/products/DropSrbija/comms/decisions/

Phase 7: Validation (End-to-End)

Task 28: Full E2E Scaffold + Feature Validation

Owner: V1 (angie-jones) + V2 (sentinel-validator)
BlockedBy: All Phase 1–6 tasks
Acceptance:
- docker-compose up — all 4 containers healthy
- OTP flow end-to-end (request → verify → JWT)
- IBAN link → IPS initiate → stub PENDING response
- KYC gate enforced (unverified user blocked)
- AML flag triggered on large transaction
- All DB tables exist (8 tables including new ones)
- Frontend compiles (next build)
- Evidence: screenshots, curl outputs, DB query results

Phase 8: Documentation (Skillforge)

Task 29: BookStack Documentation

Owner: Skillforge
BlockedBy: Task 28
Acceptance:
- BookStack page: Drop Srbija architecture overview
- Regulatory compliance notes (NBS, ZPNFTM, ZZPL)
- Developer onboarding guide
- Runbook: what to do when NBS IPS goes down
- Decision log: bank adapter pattern rationale

Validation Commands

# Backend tests
cd ~/ALAI/products/DropSrbija/backend
./gradlew test --info

# E2E
cd ~/ALAI/products/DropSrbija/frontend
npx playwright test --reporter=html

# Docker stack
cd ~/ALAI/products/DropSrbija
docker-compose up -d
curl http://localhost:3003/health

# DB check
docker exec -it dropsrbija-postgres psql -U dropsrbija -d dropsrbija_dev -c '\dt'

Priority Matrix

Priority	Tasks	Rationale
P0 — Build Now	1, 2, 3, 4, 6, 7, 14, 16, 19	Security, architecture, legal, DevOps foundations
P1 — Build Next	5, 8, 10, 11, 17, 20–25, 27	Compliance, CI, test suites
P2 — Build After	12, 13, 15, 18, 26, 28, 29	UX, validation, docs
CEO Decision	0a, 0b	Capital commitment, bank outreach

Last Updated: 2026-04-16 Experts consulted: Markos Zachariadis (Finverge), Thaer Sabri (Lexicon), Angie Jones (Proveo), Petter Graff (CodeCraft), Sentinel BA (Skybound)