rl-docs-hub

Home · Apps · rl-bank-mvp · rl-main-infra · todo_api · todo_mobile

---

rl-bank-mvp

Status: Current

Fake bank MVP documentation for:

• rl-bank-api — NestJS GraphQL API
• rl-bank-webapp — Flutter web customer app
• rl-bank-mobile-app — Flutter mobile customer app
• rl-bank-mp-webapp — Flutter web staff/merchant portal
• rl-bank-mp-mobile-app — Flutter mobile staff/merchant portal

Scope

This section now combines two truths:

• the fake bank already has a meaningful product MVP surface across customer, staff, and backend repos
• AWS deployment for the bank is still intentionally plan-first and aligned to the current rl-main-infra Pulumi style

Infrastructure planning remains aligned to:

• TypeScript Pulumi
• ap-southeast-1
• production-only account (982233224911)
• explicit config gating for create vs scaffold
• least-privilege IAM
• no risky import/apply changes yet

Recommended MVP shape

• API: ECS Fargate service behind an internet-facing ALB
• Web apps: Static hosting on S3 + CloudFront
• DNS/TLS: Route53 + ACM (us-east-1 for CloudFront, ap-southeast-1 for ALB)
• Auth: Auth0 for browser login + JWT validation in API + Auth0 Management API for selected server-side flows
• Cache: ElastiCache Serverless for Valkey/Redis-compatible cache
• Primary database: externalized behind DB_URI for MVP, with Pulumi managing secret delivery rather than forcing a premature DB migration decision
• Secrets/config: AWS Secrets Manager + SSM Parameter Store split
• Observability: CloudWatch Logs/alarms + Sentry

Documentation

• Feature inventory and implementation status
• Architecture & implementation plan
• Fake shop / merchant ecosystem overview
• Fake shop / merchant ecosystem vision
• Fake shop / merchant ecosystem functional requirements
• Fake shop / merchant ecosystem MVP scope
• Fake shop / merchant ecosystem workflows
• Fake shop / merchant ecosystem open questions
• Card servicing + activity feed slice
• Account detail + history realism slice
• Staff account servicing + support workspace slice
• Physical payment terminal workstream
• Terminal API specs
• Terminal hardware / component strategy
• Terminal firmware architecture
• PBX IVR / call script and disclaimer rule
• API specs
• DB schema

PBX disclaimer rule

For the fake-bank telephony experience, PBX call-menu/IVR scripting now has two variants:

• authorised/internal callers: internal script path may omit the fake-bank disclaimer
• all other callers: explicit fake-bank / experimentation / hobbyist disclaimer is required

Public/external numbers should carry the disclaimer, and callers should be told not to share real banking details or sensitive personal information.

Notes from current repos

rl-bank-api

• NestJS + Apollo GraphQL
• requires DB_URI and CACHE_URI
• serves GraphQL under /api/graphql
• validates JWTs via JWKS/Auth0
• uses Auth0 Management API credentials for some flows
• enforces CORS whitelist

rl-bank-mp-webapp

• React/Vite static SPA
• uses VITE_API_BASE_URL
• uses Auth0 SPA SDK (VITE_AUTH_DOMAIN, VITE_AUTH_CLIENT_ID)
• GraphQL browser calls target ${VITE_API_BASE_URL}/graphql

rl-bank-webapp

• Flutter web app
• compile-time defines for AUTH0_DOMAIN, AUTH0_CLIENT_ID, GRAPHQL_ENDPOINT
• suitable for static web hosting after flutter build web

Decision summary

For MVP, I would not over-engineer with EKS, multi-region, or a full internal service mesh. A simple ALB + ECS Fargate API plus CloudFront-hosted static apps is the right trade-off: cheap enough, secure enough, and easy to evolve into a more formal multi-service platform later.