# Test Plan: Drop — Fintech Payment App

Project: Drop — Remittance + QR Payments
Version: 1.0
Date: 2026-02-23
Author: John (AI Director)
Status: Approved
Reviewers: Alem Bašić (CEO)

## Document History

| Version | Date | Author | Changes |
|---|---|---|---|
| 0.1 | 2026-02-23 | John | Initial test plan — all MVP modules |

## 1. Test Objectives

This test plan covers testing for Drop MVP + Phase 0.5 Security Hardening (v0.5.0).

Primary objectives:

- Verify that all authentication and onboarding flows (registration, OTP, PIN, login) work correctly for Norwegian residents (age ≥ 18, phone +47)
- Verify that remittance transactions apply the correct 0.5% fee across all 6 NOK corridors with mock BaaS
- Verify that QR payments apply the correct 1% merchant fee with mock BaaS
- Confirm the pass-through model invariant: Drop NEVER stores user balances or full card data
- Confirm Phase 0.5 security hardening: bcrypt 12 rounds, persistent rate limiting, CSRF, security headers, audit logging
- Validate performance under expected load (40+ concurrent users; target 200 for Phase 1)

Out of scope for this plan: BankID SCA (Phase 2), real BaaS payments (Phase 2), real Sumsub KYC (Phase 2), Cards feature (Phase 3), mobile native app (Phase 2).
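The 0.5% remittance and 1% QR merchant fee checks above, as an added worked example that is not Drop's own code: a fee calculator in integer øre together with the reconciliation invariant a fee unit test should assert alongside the percentage. The basis-point table, øre units and half-up rounding are assumptions of this example; the plan does not state how the app rounds.

```typescript
// Added example (not Drop's code): fee calculation for the two transaction
// types this plan tests, done in integer øre so 0.5% and 1% never hit
// floating-point error. Assumed: amounts are integer øre, fractional øre
// round half up.

type TransactionType = "remittance" | "qr_payment";

// Fee in basis points (1 bp = 0.01%): 0.5% remittance, 1% QR merchant fee.
const FEE_BASIS_POINTS: Record<TransactionType, number> = {
  remittance: 50,
  qr_payment: 100,
};

interface FeeBreakdown {
  grossOre: number; // amount the payer is charged
  feeOre: number;   // Drop's fee
  netOre: number;   // amount passed through to recipient / merchant
}

function calculateFee(grossOre: number, type: TransactionType): FeeBreakdown {
  if (!Number.isSafeInteger(grossOre) || grossOre <= 0) {
    throw new RangeError(`amount must be a positive integer in øre, got ${grossOre}`);
  }
  const bps = FEE_BASIS_POINTS[type];
  if (bps === undefined) {
    throw new RangeError(`unknown transaction type ${String(type)}`);
  }
  // Half-up rounding in pure integer arithmetic: floor((gross*bps + 5000) / 10000).
  const feeOre = Math.floor((grossOre * bps + 5000) / 10000);
  return { grossOre, feeOre, netOre: grossOre - feeOre };
}

// The property a fee test should assert besides the percentage itself: the
// three parts reconcile exactly, because a pass-through provider has no
// balance of its own to absorb rounding drift.
function reconciles(b: FeeBreakdown): boolean {
  return b.feeOre + b.netOre === b.grossOre && b.feeOre >= 0 && b.netOre >= 0;
}
```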
## 2. Features Under Test

| Feature / Story | Priority | Test Types | Owner |
|---|---|---|---|
| User Registration — 3-step (FR-001) | Critical | Unit, Integration, E2E | Builder + Validator |
| User Login (FR-002) | Critical | Unit, Integration, E2E | Builder + Validator |
| Remittance Transaction (FR-020) | Critical | Unit, Integration, E2E | Builder + Validator |
| Exchange Rates API (FR-021) | High | Integration | Builder + Validator |
| QR Payment — Consumer (FR-030) | Critical | Unit, Integration, E2E | Builder + Validator |
| Merchant Registration + QR (FR-031) | High | Unit, Integration | Builder + Validator |
| Rate Limiting (NFR-SEC05) | Critical | Integration | Builder + Validator |
| Input Validation / Security (NFR-SEC06) | Critical | Unit, E2E (input-chaos) | Builder + Validator |
| DB Compliance — No Balance/CVV (NF-AC-020/021) | Critical | Integration (db.test.ts) | Builder + Validator |
| bcrypt Hashing (NFR-SEC02) | Critical | Unit (auth.test.ts) | Builder + Validator |
| Performance Benchmarks (NFR-P01..P06) | High | Performance (api-benchmarks) | Builder + Validator |
| Feature Flags (FR-090) | Medium | Unit (feature-flags.test.ts) | Builder + Validator |
## 3. Scope

### In Scope

- Authentication module: registration, OTP verification, PIN setup, login, logout, `/api/auth/me`
- Remittance module: `POST /api/transactions/remittance`, `GET /api/transactions`, exchange rates
- QR payments module: `POST /api/transactions/qr-payment`, `POST /api/merchants`, `GET /api/merchants/me`
- Security middleware: rate limiting, CSRF, JWT validation, security headers
- Database compliance: schema assertions (no balance, no card_number, no cvv), FK constraints, transaction type enum
- Performance benchmarks: bcrypt timing, DB query latency, concurrent rate limit check throughput
- Regression testing of all 26 API routes
- Input validation: XSS, SQL injection, boundary ages, Unicode names, long passwords

### Out of Scope

| Item | Justification |
|---|---|
| BankID SCA integration | Phase 2 — not yet implemented |
| Real BaaS PISP/AISP payments | Phase 2 — mock mode only in MVP |
| Real Sumsub KYC webhooks | Phase 2 — auto-approved in MVP |
| Cards feature | Phase 3 — feature-flagged OFF |
| Mobile native app | Phase 2 — web only in MVP |
| Load testing > 200 concurrent users | Phase 1 migration to PostgreSQL required first |

## 4. Test Schedule & Milestones

| Milestone | Date | Responsible |
|---|---|---|
| Test plan approved | 2026-02-23 | John (AI Director) |
| Test environment ready (staging) | Before Phase 0.5 release | John (DevOps) |
| Test data seeded | Before E2E run | Builder agent |
| Unit + integration tests complete | Per PR (CI automated) | Builder agent |
| Playwright E2E authoring complete | Before Phase 0.5 release | Builder agent |
| Regression testing complete (all 26 routes) | Before Phase 0.5 release | Validator agent |
| Performance benchmarks run | Before Phase 0.5 release | Builder agent |
| UAT start (CEO walkthrough) | TBD — before Phase 1 launch | John |
| UAT sign-off | TBD | Alem Bašić (CEO) |
| Go/no-go decision | Before Phase 1 launch | Alem Bašić (CEO) |
| Production release | Phase 1 (BaaS partner confirmed) | John (AI Director) |
## 5. Resource Allocation

| Resource | Role | Testing Activities | Availability |
|---|---|---|---|
| Builder Agent (Claude Sonnet) | Developer / QA | Unit + integration + E2E authoring | Per task |
| Validator Agent (Claude Sonnet, read-only) | QA Lead | Code review + test verification | Per task |
| John (AI Director) | Tech Lead | Test strategy, UAT coordination | Continuous |
| Alem Bašić (CEO) | Product Owner / UAT | CEO UAT walkthrough | TBD |

## 6. Entry Criteria

Testing may begin when:

- Feature development is code-complete (all tickets in "Ready for QA")
- Unit tests passing (≥ 100% pass rate on unit + integration suite)
- Build artifact deployed to staging (https://drop-staging.fly.dev/)
- Staging environment is stable (health checks passing)
- Test data is seeded (`npm run db:seed`)
- Previous known blocking bugs resolved (Mission Control backlog reviewed)

## 7. Exit Criteria

Testing is complete when:

- All 14 test files execute cleanly
- ≥ 100% of unit + integration tests pass
- All Critical and High test cases in AC-001–AC-092 pass
- Code coverage ≥ 80% overall; 100% for auth + transaction paths
- All Playwright E2E tests passing on staging (user-flows, full-flows, input-chaos)
- Performance benchmarks meeting NFR-P01..P06 targets (api-benchmarks.test.ts green)
- DB compliance tests passing (db.test.ts: no balance, no card_number/cvv columns)
- UAT sign-off obtained from Alem Bašić (CEO) — or conditional approval documented
- Security audit score ≥ 80/100 (post Phase 0.5 hardening)

Exceptional circumstances: If exit criteria cannot be met, a documented risk acceptance from Alem Bašić (CEO) is required.
## 8. Test Strategy Summary Per Type

| Type | Approach | Tool | Owner | Gate |
|---|---|---|---|---|
| Unit | White-box — bcrypt, JWT, fee calc, validators | Vitest | Builder | Blocks merge |
| Integration | Real SQLite test DB — 26 API routes, DB schema | Vitest | Builder | Blocks merge |
| E2E | Critical journeys on staging — 3 Playwright projects | Playwright | Builder | Blocks release |
| Regression | All 26 routes via api-endpoints.test.ts | Vitest | Builder | Blocks merge |
| Performance | api-benchmarks.test.ts — bcrypt timing, query latency | Vitest bench | Builder | Warning → release |
| Security | npm audit + validation.test.ts + middleware.test.ts | Vitest + GitHub Actions | Builder | Blocks merge |
| DB compliance | db.test.ts — schema assertions | Vitest | Builder | Blocks merge |
| UAT | CEO business scenario walkthrough | Manual | Alem Bašić | Blocks Phase 1 launch |

## 9. Test Environment Requirements

| Environment | Purpose | URL | Access Needed |
|---|---|---|---|
| Local dev | Unit/integration | http://localhost:3000 | Builder agent |
| Staging (Fly.io, Stockholm) | E2E, regression, UAT | https://drop-staging.fly.dev/ | Team + Alem |
| Performance | Benchmarks | Local (api-benchmarks.test.ts) | Builder agent |

Environment requirements:

- Staging must have `NEXT_PUBLIC_SERVICE_MODE=mock` (no real BaaS)
- Staging SQLite DB seeded with synthetic test data (no real PII)
- Monitoring enabled (Fly.io metrics)

## 10. Test Data Requirements

| Data Category | Volume | Creation Method | Responsible |
|---|---|---|---|
| Test consumer accounts | 3 (fresh, KYC-approved, KYC-pending) | `npm run db:seed` | Builder agent |
| Test merchant accounts | 2 (registered, unregistered) | `npm run db:seed` | Builder agent |
| Test recipients (for remittance) | 3 | `npm run db:seed` | Builder agent |
| Edge case data (under-18, duplicate email, max amounts) | Defined per test | Vitest fixtures | Builder agent |

Data cleanup: All test data removed after test run via Vitest afterEach teardown. Staging DB reset between major test runs.
## 11. Risk-Based Test Prioritization

| Risk Area | Likelihood | Impact | Priority | Mitigation |
|---|---|---|---|---|
| Pass-through model violation (Drop stores balance) | Low | Critical | P1 | db.test.ts always asserts no balance column |
| Authentication bypass | Low | Critical | P1 | Full auth.test.ts suite + middleware.test.ts |
| Fee calculation error (wrong percentage) | Medium | Critical | P1 | Unit tests for 0.5% and 1% fee calculations |
| Double-spend race condition | Low | Critical | P1 | Transaction lock integration test |
| Rate limiter reset on server restart | Medium (was a bug) | High | P2 | middleware.test.ts with persistent limiter |
| BaaS mock mode leaking to production config | Low | High | P2 | CI check for NEXT_PUBLIC_SERVICE_MODE env var |
| SQLite concurrent write limit reached | High (at ~200 users) | Medium | P3 | Phase 1: PostgreSQL migration |

## 12. Dependencies & Assumptions

Dependencies:

- Staging environment provisioned and accessible at https://drop-staging.fly.dev/
- Mock BaaS and Mock Sumsub configured in staging environment variables
- Playwright installed in CI (`npx playwright install`)

Assumptions:

- Feature requirements will not change during the testing phase without John (AI Director) review
- All Builder agent PRs include tests alongside code
- Validator agent reviews test files before merge
- BaaS partnership not confirmed — mock mode accepted for MVP/staging

## 13. Defect Management Process

Bug tracker: Mission Control tasks + Slack #drop-bugs on alai-talk.slack.com

Severity levels:

| Severity | Definition | Resolution SLA |
|---|---|---|
| Critical | Financial invariant broken; auth bypass; data loss | Fix before release — no exceptions |
| High | Major feature broken; security finding; no workaround | Fix before release |
| Medium | Feature degraded; mock/workaround exists | Fix in next sprint |
| Low | Minor issue, cosmetic | Backlog |

Bug lifecycle: Open → Assigned (Mission Control) → In Progress → Fixed → Verified by Validator → Closed

Triage cadence: On each PR/commit (CI-driven); daily for active test phase
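The database compliance assertion named under Scope and used as the P1 mitigation in Section 11, as an added example rather than Drop's db.test.ts: a check over a schema description in the shape SQLite's `PRAGMA table_info` returns, run against constructed sample tables. Matching forbidden names as whole underscore-delimited words (which also catches `available_balance`) is stricter than the exact column names the plan lists and is an assumption of this example.

```typescript
// Added example (not Drop's db.test.ts): the pass-through invariant as a
// schema assertion. ColumnInfo mirrors the name/type fields of SQLite's
// `PRAGMA table_info(<table>)` rows; the schemas below are constructed.

interface ColumnInfo { name: string; type: string; }
type Schema = Record<string, ColumnInfo[]>; // table name -> its columns

// Names Drop must never persist: balance (pass-through model), card_number
// and cvv (full card data). Whole-word match between underscores, case-
// insensitive: `available_balance` and `CVV` are caught, `imbalanced_flag` is not.
const FORBIDDEN = /(^|_)(balance|card_number|cvv)(_|$)/i;

interface Violation { table: string; column: string; }

function findForbiddenColumns(schema: Schema): Violation[] {
  const violations: Violation[] = [];
  for (const [table, columns] of Object.entries(schema)) {
    for (const col of columns) {
      if (FORBIDDEN.test(col.name)) violations.push({ table, column: col.name });
    }
  }
  return violations;
}

// Constructed schema resembling the plan's modules, with no forbidden columns.
const COMPLIANT_SCHEMA: Schema = {
  users: [{ name: "id", type: "TEXT" }, { name: "phone", type: "TEXT" },
          { name: "pin_hash", type: "TEXT" }],
  transactions: [{ name: "id", type: "TEXT" }, { name: "type", type: "TEXT" },
                 { name: "amount_ore", type: "INTEGER" }, { name: "fee_ore", type: "INTEGER" }],
  merchants: [{ name: "id", type: "TEXT" }, { name: "qr_code", type: "TEXT" }],
};

// The same schema after a hypothetical migration drifted it: a cached balance
// on users and a cards table holding full card data. All three must be flagged.
const DRIFTED_SCHEMA: Schema = {
  ...COMPLIANT_SCHEMA,
  users: [...COMPLIANT_SCHEMA.users, { name: "available_balance", type: "INTEGER" }],
  cards: [{ name: "id", type: "TEXT" }, { name: "card_number", type: "TEXT" },
          { name: "CVV", type: "TEXT" }],
};
```

In a real db.test.ts the schema map would be built by running `PRAGMA table_info` for each table in the test SQLite DB and the test would assert the returned array is empty.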
## 14. Test Deliverables

| Deliverable | Format | Due Date | Owner |
|---|---|---|---|
| Test plan (this document) | Markdown | 2026-02-23 | John (AI Director) |
| Test strategy | test-strategy.md | 2026-02-23 | John |
| Test cases (automated) | Vitest + Playwright test files | Per sprint | Builder agent |
| Test execution results | Vitest + Playwright CI reports | Per PR | CI |
| Performance test report | api-benchmarks.test.ts output | Per release | Builder agent |
| UAT sign-off | uat-signoff.md | Before Phase 1 | Alem Bašić |
| Test summary report | Markdown (per release) | Per release | Validator agent |

## Related Documents

- Test Strategy
- Test Case Template
- E2E Test Plan
- Performance Test Plan
- Definition of Done
- UAT Sign-off
- Testing Guide
- Test Inventory

## Approval

| Role | Name | Date | Signature |
|---|---|---|---|
| Author | John (AI Director) | 2026-02-23 | Approved (AI) |
| QA Lead | Validator Agent | 2026-02-23 | Approved (AI) |
| AI Director (John) | John | 2026-02-23 | Approved |
| CEO (Alem) | Alem Bašić | TBD | |