# Test Plan: Drop — Fintech Payment App # Test Plan: Drop — Fintech Payment App > **Project:** Drop — Remittance + QR Payments > **Version:** 1.0 > **Date:** 2026-02-23 > **Author:** John (AI Director) > **Status:** Approved > **Reviewers:** Alem Bašić (CEO) ## Document History | Version | Date | Author | Changes | |---------|------|--------|---------| | 0.1 | 2026-02-23 | John | Initial test plan — all MVP modules | --- ## 1. Test Objectives This test plan covers testing for **Drop MVP + Phase 0.5 Security Hardening** (v0.5.0). **Primary objectives:** 1. Verify that all authentication and onboarding flows (registration, OTP, PIN, login) work correctly for Norwegian residents (age ≥ 18, phone +47) 2. Verify that remittance transactions apply correct 0.5% fee across all 6 NOK corridors with mock BaaS 3. Verify that QR payments apply correct 1% merchant fee with mock BaaS 4. Confirm the pass-through model invariant: Drop NEVER stores user balances or full card data 5. Confirm Phase 0.5 security hardening: bcrypt 12 rounds, persistent rate limiting, CSRF, security headers, audit logging 6. Validate performance under expected load (40+ concurrent users; target 200 for Phase 1) **Out of scope for this plan:** BankID SCA (Phase 2), real BaaS payments (Phase 2), real Sumsub KYC (Phase 2), Cards feature (Phase 3), mobile native app (Phase 2). --- ## 2. Features Under Test | Feature / Story | Priority | Test Types | Owner | |-----------------|----------|------------|-------| | User Registration — 3-step (FR-001) | Critical | Unit, Integration, E2E | Builder + Validator | | User Login (FR-002) | Critical | Unit, Integration, E2E | Builder + Validator | | Remittance Transaction (FR-020) | Critical | Unit, Integration, E2E | Builder + Validator | | Exchange Rates API (FR-021) | High | Integration | Builder + Validator | | QR Payment — Consumer (FR-030) | Critical | Unit, Integration, E2E | Builder + Validator | | Merchant Registration + QR (FR-031) | High | Unit, Integration | Builder + Validator | | Rate Limiting (NFR-SEC05) | Critical | Integration | Builder + Validator | | Input Validation / Security (NFR-SEC06) | Critical | Unit, E2E (input-chaos) | Builder + Validator | | DB Compliance — No Balance/CVV (NF-AC-020/021) | Critical | Integration (db.test.ts) | Builder + Validator | | bcrypt Hashing (NFR-SEC02) | Critical | Unit (auth.test.ts) | Builder + Validator | | Performance Benchmarks (NFR-P01..P06) | High | Performance (api-benchmarks) | Builder + Validator | | Feature Flags (FR-090) | Medium | Unit (feature-flags.test.ts) | Builder + Validator | --- ## 3. Scope ### In Scope - Authentication module: registration, OTP verification, PIN setup, login, logout, `/api/auth/me` - Remittance module: `POST /api/transactions/remittance`, `GET /api/transactions`, exchange rates - QR payments module: `POST /api/transactions/qr-payment`, `POST /api/merchants`, `GET /api/merchants/me` - Security middleware: rate limiting, CSRF, JWT validation, security headers - Database compliance: schema assertions (no balance, no card_number, no cvv), FK constraints, transaction type enum - Performance benchmarks: bcrypt timing, DB query latency, concurrent rate limit check throughput - Regression testing of all 26 API routes - Input validation: XSS, SQL injection, boundary ages, Unicode names, long passwords ### Out of Scope | Item | Justification | |------|---------------| | BankID SCA integration | Phase 2 — not yet implemented | | Real BaaS PISP/AISP payments | Phase 2 — mock mode only in MVP | | Real Sumsub KYC webhooks | Phase 2 — auto-approved in MVP | | Cards feature | Phase 3 — feature-flagged OFF | | Mobile native app | Phase 2 — web only in MVP | | Load testing > 200 concurrent users | Phase 1 migration to PostgreSQL required first | --- ## 4. Test Schedule & Milestones | Milestone | Date | Responsible | |-----------|------|-------------| | Test plan approved | 2026-02-23 | John (AI Director) | | Test environment ready (staging) | Before Phase 0.5 release | John (DevOps) | | Test data seeded | Before E2E run | Builder agent | | Unit + integration tests complete | Per PR (CI automated) | Builder agent | | Playwright E2E authoring complete | Before Phase 0.5 release | Builder agent | | Regression testing complete (all 26 routes) | Before Phase 0.5 release | Validator agent | | Performance benchmarks run | Before Phase 0.5 release | Builder agent | | UAT start (CEO walkthrough) | TBD — before Phase 1 launch | John | | UAT sign-off | TBD | Alem Bašić (CEO) | | Go/no-go decision | Before Phase 1 launch | Alem Bašić (CEO) | | Production release | Phase 1 (BaaS partner confirmed) | John (AI Director) | --- ## 5. Resource Allocation | Resource | Role | Testing Activities | Availability | |----------|------|-------------------|-------------| | Builder Agent (Claude Sonnet) | Developer / QA | Unit + integration + E2E authoring | Per task | | Validator Agent (Claude Sonnet, read-only) | QA Lead | Code review + test verification | Per task | | John (AI Director) | Tech Lead | Test strategy, UAT coordination | Continuous | | Alem Bašić (CEO) | Product Owner / UAT | CEO UAT walkthrough | TBD | --- ## 6. Entry Criteria Testing may begin when: - [ ] Feature development is code-complete (all tickets in "Ready for QA") - [ ] Unit tests passing (≥ 100% pass rate on unit + integration suite) - [ ] Build artifact deployed to staging (https://drop-staging.fly.dev/) - [ ] Staging environment is stable (health checks passing) - [ ] Test data is seeded (`npm run db:seed`) - [ ] Previous known blocking bugs resolved (Mission Control backlog reviewed) --- ## 7. Exit Criteria Testing is complete when: - [ ] All 14 test files execute cleanly - [ ] ≥ 100% of unit + integration tests pass - [ ] All Critical and High test cases in AC-001–AC-092 pass - [ ] Code coverage ≥ 80% overall; 100% for auth + transaction paths - [ ] All Playwright E2E tests passing on staging (user-flows, full-flows, input-chaos) - [ ] Performance benchmarks meeting NFR-P01..P06 targets (api-benchmarks.test.ts green) - [ ] DB compliance tests passing (db.test.ts: no balance, no card_number/cvv columns) - [ ] UAT sign-off obtained from Alem Bašić (CEO) — or conditional approval documented - [ ] Security audit score ≥ 80/100 (post Phase 0.5 hardening) **Exceptional circumstances:** If exit criteria cannot be met, a documented risk acceptance from Alem Bašić (CEO) is required. --- ## 8. Test Strategy Summary Per Type | Type | Approach | Tool | Owner | Gate | |------|----------|------|-------|------| | Unit | White-box — bcrypt, JWT, fee calc, validators | Vitest | Builder | Blocks merge | | Integration | Real SQLite test DB — 26 API routes, DB schema | Vitest | Builder | Blocks merge | | E2E | Critical journeys on staging — 3 Playwright projects | Playwright | Builder | Blocks release | | Regression | All 26 routes via api-endpoints.test.ts | Vitest | Builder | Blocks merge | | Performance | api-benchmarks.test.ts — bcrypt timing, query latency | Vitest bench | Builder | Warning → release | | Security | `npm audit` + validation.test.ts + middleware.test.ts | Vitest + GitHub Actions | Builder | Blocks merge | | DB compliance | db.test.ts — schema assertions | Vitest | Builder | Blocks merge | | UAT | CEO business scenario walkthrough | Manual | Alem Bašić | Blocks Phase 1 launch | --- ## 9. Test Environment Requirements | Environment | Purpose | URL | Access Needed | |-------------|---------|-----|---------------| | Local dev | Unit/integration | `http://localhost:3000` | Builder agent | | Staging (Fly.io, Stockholm) | E2E, regression, UAT | `https://drop-staging.fly.dev/` | Team + Alem | | Performance | Benchmarks | Local (api-benchmarks.test.ts) | Builder agent | **Environment requirements:** - Staging must have `NEXT_PUBLIC_SERVICE_MODE=mock` (no real BaaS) - Staging SQLite DB seeded with synthetic test data (no real PII) - Monitoring enabled (Fly.io metrics) --- ## 10. Test Data Requirements | Data Category | Volume | Creation Method | Responsible | |---------------|--------|----------------|-------------| | Test consumer accounts | 3 (fresh, KYC-approved, KYC-pending) | `npm run db:seed` | Builder agent | | Test merchant accounts | 2 (registered, unregistered) | `npm run db:seed` | Builder agent | | Test recipients (for remittance) | 3 | `npm run db:seed` | Builder agent | | Edge case data (under-18, duplicate email, max amounts) | Defined per test | Vitest fixtures | Builder agent | **Data cleanup:** All test data removed after test run via Vitest `afterEach` teardown. Staging DB reset between major test runs. --- ## 11. Risk-Based Test Prioritization | Risk Area | Likelihood | Impact | Priority | Mitigation | |-----------|------------|--------|----------|------------| | Pass-through model violation (Drop stores balance) | Low | Critical | P1 | db.test.ts always asserts no balance column | | Authentication bypass | Low | Critical | P1 | Full auth.test.ts suite + middleware.test.ts | | Fee calculation error (wrong percentage) | Medium | Critical | P1 | Unit tests for 0.5% and 1% fee calculations | | Double-spend race condition | Low | Critical | P1 | Transaction lock integration test | | Rate limiter reset on server restart | Medium (was a bug) | High | P2 | middleware.test.ts with persistent limiter | | BaaS mock mode leaking to production config | Low | High | P2 | CI check for `NEXT_PUBLIC_SERVICE_MODE` env var | | SQLite concurrent write limit reached | High (at ~200 users) | Medium | P3 | Phase 1: PostgreSQL migration | --- ## 12. Dependencies & Assumptions **Dependencies:** - Staging environment provisioned and accessible at https://drop-staging.fly.dev/ - Mock BaaS and Mock Sumsub configured in staging environment variables - Playwright installed in CI (`npx playwright install`) **Assumptions:** - Feature requirements will not change during the testing phase without John (AI Director) review - All Builder agent PRs include tests alongside code - Validator agent reviews test files before merge - BaaS partnership not confirmed — mock mode accepted for MVP/staging --- ## 13. Defect Management Process **Bug tracker:** Mission Control tasks + Slack #drop-bugs on alai-talk.slack.com **Severity levels:** | Severity | Definition | Resolution SLA | |----------|------------|----------------| | Critical | Financial invariant broken; auth bypass; data loss | Fix before release — no exceptions | | High | Major feature broken; security finding; no workaround | Fix before release | | Medium | Feature degraded; mock/workaround exists | Fix in next sprint | | Low | Minor issue, cosmetic | Backlog | **Bug lifecycle:** Open → Assigned (Mission Control) → In Progress → Fixed → Verified by Validator → Closed **Triage cadence:** On each PR/commit (CI-driven); daily for active test phase --- ## 14. Test Deliverables | Deliverable | Format | Due Date | Owner | |-------------|--------|----------|-------| | Test plan (this document) | Markdown | 2026-02-23 | John (AI Director) | | Test strategy | [test-strategy.md](./test-strategy.md) | 2026-02-23 | John | | Test cases (automated) | Vitest + Playwright test files | Per sprint | Builder agent | | Test execution results | Vitest + Playwright CI reports | Per PR | CI | | Performance test report | api-benchmarks.test.ts output | Per release | Builder agent | | UAT sign-off | [uat-signoff.md](../RELEASE/uat-signoff.md) | Before Phase 1 | Alem Bašić | | Test summary report | Markdown (per release) | Per release | Validator agent | --- ## Related Documents - [Test Strategy](./test-strategy.md) - [Test Case Template](./test-case-template.md) - [E2E Test Plan](./e2e-test-plan.md) - [Performance Test Plan](./performance-test-plan.md) - [Definition of Done](./definition-of-done.md) - [UAT Sign-off](../RELEASE/uat-signoff.md) - [Testing Guide](../../docs/testing/TESTING-GUIDE.md) - [Test Inventory](../../docs/testing/TEST-INVENTORY.md) --- ## Approval | Role | Name | Date | Signature | |------|------|------|-----------| | Author | John (AI Director) | 2026-02-23 | Approved (AI) | | QA Lead | Validator Agent | 2026-02-23 | Approved (AI) | | AI Director (John) | John | 2026-02-23 | Approved | | CEO (Alem) | Alem Bašić | TBD | |