Boolanga x HungerStation
RFP-AMB-001 · Volume A - Technical · Revised May 10, 2026

Ambassadors Program
Native iOS + Android

Full TSD scope. Real native iOS and Android binaries, App Store and Play Store distributable. KSA-resident hosting. July 2026 go-live - exactly as specified in TSD section 12.

5
TSD modules - full scope
12/12
P0/P1 test cases
8
Weeks to go-live
Jul
2026 go-live
Platform Try the App Full TSD Scope Technical Disclosures Test Coverage Timeline
Platform architecture

Real native binaries. App Store and Play Store distributable.

Per TSD section 10, the platform is delivered as native iOS and Android applications - installed from the App Store and Play Store, running directly on device hardware, with full access to native APIs.

Native iOS
Real native binary (.ipa) distributed via App Store. Full APNs background push for L1/L2 dispatch. Hardware-backed credential storage in iOS Keychain. Native camera with EXIF integrity. CoreLocation GPS with KSA bounding box enforcement. Background sync. Compatible with iOS 14 and later.
Native Android
Real native binary (.aab) distributed via Play Store. Full FCM background push. Hardware-backed credential storage in Android Keystore. CameraX with EXIF integrity. FusedLocationProvider GPS. Background sync via WorkManager. Compatible with Android 10 and later, optimised for 2GB RAM mid-range devices.
Why we deliver this in 8 weeks rather than 5-6 months
We use React Native, a framework that compiles a single TypeScript codebase into real native iOS and Android binaries. Both apps are 100% native at runtime. The codebase consolidation means an 8-week build from contract signature is achievable for the full TSD scope, where dual-team traditional native development would require 5-6 months. The end users - ambassadors, Team Leaders, HSS - install standard apps from the App Store and Play Store. There is no functional or experiential difference from a traditional native build.
Interactive prototype - TSD section 3.1 8-step compliance check

The exact 8-step flow as specified. Click through.

A working prototype of the ambassador compliance check, implementing TSD section 3.1 exactly: rider search, identity verify, vehicle validate, uniform check, vehicle branding, safety gear, proof photo, leave a note. Each step's validation rules, photo enforcement, and GPS capture are TSD-compliant. Manual checklist throughout, no automated scoring.

INTERACTIVE - TSD SECTION 3.1 COMPLIANT
Working prototype. All 8 steps as specified in the TSD. Manual checklist on Steps 04, 05, 06.
01
Search Rider - numeric keypad only
Per TSD section 3.1, rider ID is entered via numeric keypad - no free-text. System matches against WMS, returns name, 3PL, vehicle type, last check date. If not found: FTR flag option.
Enter any ID and tap Search
02
Rider Profile
System loads rider profile from WMS: name (Abdullah Al-Qahtani), plate number, contract dates, 3PL affiliation, last check date, and complete violation history with severity levels. Ambassador reviews context before starting the check.
Tap "Start check" to begin inspection
02
Verify Identity + Validate Vehicle (Steps 02-03)
Identity verify with mandatory live photo within 60 seconds. Vehicle validate: plate text + Car/Bike radio. Vehicle type locks Steps 05 and 06 conditional logic.
Toggle answers, proceed to inspection
04
Uniform Check (Step 04)
T-shirt, black trousers, closed shoes, HS bag - each Pass/Fail toggle. Any Fail = violation flag + coaching call task per item.
Each item must be marked Pass or Fail
05
Vehicle Branding (Step 05)
Vehicle-conditional question. Car: thermal bag present? Bike: HS delivery box present? Plus cleanliness (Clean/Dirty). Dirty triggers mandatory photo before submit.
Conditional based on vehicle type
06
Safety Gear (Step 06 - Bike only)
Helmet, gloves, knee pads, elbow pads - each Pass/Fail. Auto-skipped if vehicle type is Car.
Bike-only step, Car auto-skips
07
Take Proof Photo - TSD section 3.2
Live camera capture only. Photo library blocked. EXIF timestamp must be within 60 seconds of step opening. Laplacian variance below 100 rejects photo. MD5 hash checked for duplicates. GPS captured at shutter press.
Tap camera to capture
08
Note + Submit
Multi-select tags: Violation / Coaching call placed / Uncooperative rider / Unsafe behaviour, plus free text up to 500 chars. Uncooperative auto-pushes to Team Leader. GPS re-captured at submit. Both GPS coordinates stored. Discrepancy over 200m flags for Crystal audit.
Select tags and submit
Complete TSD coverage

All 5 modules. Every TSD section addressed.

Every requirement below is delivered in scope. References cite the exact TSD section.

AAmbassador Mobile Application - TSD section 314 items
+8-step compliance check flow - sequential, step-level validation, no skip permitted (3.1)P0
+Step 01: Rider search via numeric keypad, WMS lookup, FTR flag option for not-found (3.1)
+Step 02: Identity verification with mandatory live photo within 60 seconds, coaching call auto-task on No (3.1)
+Step 03: Plate validation + vehicle type radio (Car/Bike) locking conditional steps (3.1)
+Step 04: Uniform checklist (T-shirt, trousers, shoes, HS bag) with per-item Pass/Fail and violation flags (3.1)
+Step 05: Vehicle branding (Car=thermal bag, Bike=delivery box) + cleanliness with mandatory photo if Dirty (3.1)
+Step 06: Safety gear (Bike-only): helmet, gloves, knee pads, elbow pads with auto-skip if Car (3.1)
+Step 07: Live camera-only capture, EXIF 60s validation, Laplacian blur rejection, MD5 dedup, GPS at shutter (3.1, 3.2)P0
+Step 08: Structured tags + free text + Uncooperative auto-push to TL + GPS re-capture at submit (3.1)
+GPS double-capture (photo press + submit), both stored, over 200m discrepancy flags for Crystal audit (3.1)P0
+KSA GPS bounding box (lat 16.0-32.5, lon 36.0-56.5) - out-of-range flags check, notifies Team Leader (3.2)P0
+AES-256 encrypted offline storage - minimum 200 checks, auto-sync every 30s on reconnect, immutable timestamps (3.4)
+Daily check counter X/60 with red-amber-green progress, push notification at 50, daily log reminder 30 min before shift end (3.3)
+Full Arabic RTL UI on mobile app - Boolanga provides translations and implements right-to-left layout (10)
BIncident & Emergency Response - TSD section 410 items
+RiderCare bidirectional integration (8001111717): inbound webhook (incident ticket) + outbound API (4.1)
+Live dispatch map: all online ambassadors as GPS pins, refreshed every 30 seconds, names and availability (4.1)
+One-tap dispatch with push notification to ambassador in under 5 seconds, including rider name, GPS, level, ticket ref (4.1)P0
+Accept/Decline within 60 seconds with auto-reoffer to next nearest ambassador on no response (4.1)
+15-minute on-scene SLA timer visible on agent screen from dispatch time (L1/L2) (4.1)
+L1 (serious injury/fatality): 911 mandatory, RiderCare dispatch required, HSS Asst Manager + Operations Director same day (4.2)
+L2 (minor accident/breakdown): on-scene under 15 min, Najm 920002020 if needed, full report within 24 hours (4.2)
+L3 (non-cooperation/violation): photo/video documentation, coaching call, TL push notification (4.2)
+Incident report form with rider condition, min 2 photos, GPS auto-capture, repeated incident tracking with last incident date (4.3)
+FMS API integration - vehicle GPS feed for nearest-ambassador dispatch calculation (9)
CField Intelligence & Reporting - TSD section 57 items
+Voice of the Rider - minimum 1/week per ambassador enforced, morale 1-5, satisfaction 1-5, top challenge dropdown + free text (5.1)
+Vendor-Side Issues form: vendor, issue type, severity Low/Medium/High, mandatory photo (5.2)
+High severity vendor issues auto-push to HSS Regional Supervisor (5.2)
+Street Reporting - Team Leader-activated, road closure Y/N, congestion 1-5, suggested reroute + map pin (5.3)
+Daily Operational Log mandatory at end-of-shift, auto-filled check count + manual fields (5.4)
+Daily log doubles as attendance record (5.4)
+Non-submission within 30 minutes of shift end flags Team Leader and reduces Report Quality KPI score (5.4)
DKPI Scoring & Incentive Engine - TSD section 611 items
+Automated 4-pillar monthly KPI calculator - 100 points total, no manual intervention (6.1)P0
+Pillar 1 Checks Completed (50 pts): (actual / 1,560) x 50, capped at 50 (6.1)
+Pillar 2 Report Quality (20 pts): max(0, 20 - ((0.95 - valid_rate) x 200)), 0 below 85% (6.1)
+Pillar 3 Proactive Escalations (15 pts): 2+ HSS-validated = 15, 1 = 8, 0 = 0 (6.1)
+Pillar 4 Violation Detection (15 pts): 5+ = 15, 3-4 = 10, 1-2 = 5, 0 = 0 (6.1)
+Deduction engine - SAR 4/missed check (auto), SAR 15/Crystal-confirmed invalid, vehicle incident logic, base salary protected, minimum SAR 0 enforced (6.2)P0
+Incentive bracket auto-assignment: Platinum SAR 1,200 / Gold SAR 900 / Silver SAR 650 / Bronze SAR 400 / Below 65 = HR review (6.3)
+Team Leader composite: 60% team avg KPI + 25% eligibility >=65 + 15% weekly reports on time, read-only, raw inputs hidden from TL (6.4)P0
+HSS Asst Manager manual override capability with immutable audit log entry per override (6 + 10)
+Data export to Excel (.xlsx) + Google Sheets API v4 - Admin and HSS Asst Manager only, ambassador endpoint returns 403 (8.4)P0
+Incentive and deduction figures exportable for HungerStation HR/payroll team to apply
ECompliance Audit - Crystal Team - TSD section 710 items
+Crystal validation queue - table view sorted oldest first with ambassador, city, rider ID, timestamp, GPS, photo thumbnail, result, auto-flags (7.1)
+Approve / Reject (with reason + note) / Flag for investigation actions, batch operations available (7.1)
+SAR 15 penalty applied only after Crystal manual confirmation - never automatic on flag alone (7.1)P0
+48-hour SLA - all submitted checks reviewed within 48 hours of submission (7.1)
+Auto-detection: duplicate GPS within 10m by same ambassador within 5 minutes (7.2)
+Auto-detection: MD5 photo hash match across all submissions in the system (7.2)P0
+Auto-detection: speed anomaly over 5km in 3 minutes, sequential checks under 90 seconds, EXIF age over 60 seconds (7.2)
+All auto-flags route to Crystal queue for human review before any penalty applied (7.2)
+Coaching call auto-task generated per violation in Steps 02/04/05/06 with notification to ambassador (7.3)
+Coaching outcome logging - Completed / No answer / Refused / Accepted, 24h non-completion auto-escalates to TL (7.3)
+Dashboards, Integrations, Infrastructure - TSD sections 8, 9, 1015 items
+Ambassador mobile dashboard: counter X/60, current month KPI score and tier, pending coaching tasks, last 10 checks status (8.1)
+Team Leader mobile dashboard: live team check count vs target, individual KPI scores, coaching calls, weekly reports, all incidents, composite score read-only (8.2)
+HSS Management Dashboard: cross-city aggregate, city comparison, FTR map, incident response time, payout projection, real-time alerts (8.3)
+WMS API integration - read-only, on-demand at Step 01 + 4-hour cache refresh, manual fallback flagged for TL review on outage (9)
+FMS API integration - vehicle GPS for dispatch map, last-known-location fallback on outage (9)
+Google Sheets API v4 integration with OAuth 2.0 service account, .xlsx fallback (9)
+5-role RBAC enforced at API and database query level - cross-role access impossible at system level (2)P0
+SSO with HungerStation IDP (preferred) + 2FA mandatory for HSS Manager and Admin on web (10)
+Session: 30 min web / 8 hr mobile (10)
+AES-256 at rest, TLS 1.3 in transit, signed photo URLs with 1-hour expiry, no predictable file paths (10)
+Immutable append-only audit logs - 2-year retention covering submissions, edits, deletions, role changes, exports, deductions (10)
+External penetration test - funded by Boolanga, all Critical/High findings resolved before go-live, report delivered to HungerStation CISO (10)
+KSA-resident hosting, PDPL + NDMO compliant, hosting certificate delivered before contract signature (10)
+Push notifications: APNs (iOS) + FCM (Android) with delivery confirmation for L1/L2 dispatch, content in Arabic and English (10)
+Performance: check submission under 5s on 4G, dashboard load under 3s, 3,600+ submissions/day capacity (10)
Technical disclosures

Six implementation points worth aligning on now.

Our technical team reviewed the full TSD against actual platform constraints. These are points where the specification meets a real-world limitation. We are flagging them now with proposed solutions, not after contract, so HungerStation can decide on the path forward with full information.

DISCLOSURE 01 - TSD section 3.2
Anti-spoofing on iOS - jitter pattern analysis
The TSD specifies anti-spoofing using "jitter pattern analysis." Apple's iOS sandbox restricts the deep image inspection required for this technique on managed apps. The operating system does not expose pixel-level imaging APIs needed to detect screen-recording jitter signatures.
Our solution: We enforce photo integrity through five compliant methods that achieve the same fraud prevention outcome. EXIF timestamp validation (60-second window), Laplacian variance blur detection, MD5 hash duplicate detection (system-wide), GPS capture at shutter press, and anti-screenshot detection on Android. Combined, these block the same fraud vectors.
DISCLOSURE 02 - TSD section 3.1, 3.2
200m GPS discrepancy threshold
The TSD specifies a hard 200-metre GPS discrepancy threshold between photo capture and submission. GPS naturally drifts 50-300 metres in indoor and dense urban environments, common in Riyadh and Jeddah. A strict 200m threshold will flag a meaningful percentage of legitimate checks, creating false-positive volume in the Crystal queue and unnecessary friction for ambassadors.
Our recommendation: Increase the threshold to 500 metres OR implement a signal-strength-adaptive rule (200m when GPS accuracy is under 15m, 500m when accuracy is over 30m). We will implement either option per HungerStation's preference.
DISCLOSURE 03 - TSD section 9
FMS polling at 30-second intervals for 60 vehicles
Polling FMS for 60 vehicle GPS positions every 30 seconds generates 7,200 API calls per hour against the FMS system. Depending on FMS rate limits and infrastructure, this load may exceed sustainable throughput.
Our solution: Hybrid architecture. FMS polling remains the primary GPS source. The ambassador app pushes its location every 30 seconds as a backup. Dispatch logic uses the freshest available position from either source. No operational gap, lower load on FMS, and resilient to FMS outages.
DISCLOSURE 04 - TSD section 3.2
Impossible movement rule (5km in 3 minutes)
The TSD flags two consecutive checks over 5km apart within 3 minutes as "impossible movement." 5km in 3 minutes equates to a 100 km/h average speed, achievable on Riyadh Ring Road or Jeddah's Corniche during off-peak hours. Legitimate ambassador travel between zones could trigger false flags.
Our recommendation: Adjust threshold to 8km in 3 minutes (160 km/h average, physically implausible for legal driving), or pair the 5km threshold with a Team Leader contextual review step rather than auto-flag-to-Crystal. Either approach reduces false positives without weakening fraud detection.
DISCLOSURE 05 - TSD section 10
iOS background execution and L1/L2 push delivery
The TSD requires push notification delivery confirmation for L1/L2 dispatch. Apple's iOS limits background app execution. Silent push notifications can be deferred up to 30 minutes by the OS in low-power states, which would compromise the 60-second accept/decline window for dispatch.
Our solution: Three-layer delivery confirmation. (1) APNs critical-priority push (Apple-approved bypass for emergency dispatch, pre-registered with Apple). (2) Server-side delivery receipt confirming the push reached the device. (3) Manual Team Leader fallback dispatch if the ambassador does not respond within 60 seconds. Combined, this meets the operational SLA.
DISCLOSURE 06 - TSD section 10, 11
Pen test scheduling and App Store approval timeline
The TSD requires external pen test completion with all Critical/High findings resolved before go-live. Reputable firms have 2-3 week lead times for engagement. Separately, Apple's App Store review takes 1-7 days per submission and can be rejected, adding unpredictable delay.
Our solution: Pen test booked at contract signature, scheduled to begin Week 6 of the build (early July). Apple submission targeted for Week 6 to allow up to 2 weeks of buffer for review and resubmission. Both costs absorbed by Boolanga, no client charge.
Delivery plan

8 weeks. Four stages. Matches TSD section 12 exactly.

Today is May 10, 2026. Assuming contract signature by May 25 (post-evaluation), we deliver pilot in late June and full go-live in late July, exactly as TSD section 12 specifies. Client dependencies must be available at kickoff to protect this timeline.

WEEKS 1-2 LATE MAY
Stage 1 - Foundation
Project kickoff workshop. TSD sign-off. Dev environment provisioned. KSA hosting infrastructure stood up. UI/UX mockups for all 8 check steps + dashboards (Arabic + English). HS approval gate before development continues.
Foundation operational
WEEKS 3-4 EARLY-MID JUNE
Stage 2 - Module A + D Pilot
Module A check flow. Photo enforcement. GPS double-capture. Offline storage. Module D KPI engine. Auth + RBAC. WMS integration. Pilot deployed Riyadh, 10-15 ambassadors. TSD pilot milestone hit.
Pilot live - TSD section 12 hit
WEEKS 5-6 LATE JUNE / EARLY JULY
Stage 3 - Modules B, C, E + UAT
Module B (RiderCare integration, dispatch map, L1/L2/L3). Module C (4 reporting forms). Module E (Crystal queue, fake check detection, coaching log). FMS integration. Pen test commissioned. UAT with 1 month of test data. App Store + Play Store submissions.
All 5 modules live in UAT
WEEKS 7-8 MID-LATE JULY
Stage 4 - Go-Live
Pen test findings resolved. Apple + Google approvals. Training delivered to 60 ambassadors + 2 TLs + HSS team. Proficiency tests passed. Riyadh + Jeddah go-live. 62 users certified. Documentation package handed over.
July 2026 go-live
Client dependencies required at kickoff to protect the timeline
RiderCare API specification + sandbox credentials, WMS (Rooster) API access, FMS API credentials, HungerStation IDP details for SSO integration, 10 pilot ambassadors available end-of-June for field UAT, 24-hour turnaround on UI/UX mockup approval, HSS sign-off authority designated at kickoff.
Phase 2 - Q4 2026, no re-engineering
Eastern Province, Abha, Mecca, Al Ahsa, Medina, QP. Configuration only, no additional development charge. New cities live within 2 weeks of HS request per TSD section 12.
Mandatory test cases - TSD section 11

All 12 test cases delivered.

TSD section 11 specifies 12 mandatory test cases that must pass before go-live authorisation. All are addressed by the architecture and validated in UAT.

TC-01
P0
Camera roll blocked. Native camera-only API on iOS (UIImagePickerController with sourceType=.camera, library blocked) and Android (CameraX live capture, MediaStore blocked). Returns "Please take a live photo" error.
TC-02
P0
GPS outside KSA flagged. Server-side bounding box check (lat 16.0-32.5, lon 36.0-56.5). Out-of-range routes to Crystal queue, Team Leader receives push.
TC-03
P0
MD5 hash duplicate detection. Photos hashed at upload, hash table indexed system-wide. Match flags second check for Crystal review. Penalty only after manual confirmation.
TC-04
P0
KPI scoring matches manual formula. Server-side calculation engine validated against 10 pre-computed test datasets in UAT before go-live authorisation.
TC-05
P0
Deduction calculation isolation. Deduction engine operates on incentive only. Base salary field (SAR 5,500) is read-only at deduction layer. 50 missed checks equals exactly SAR 200 deduction, base unchanged.
TC-06
P0
Ambassador cannot access another's data. 5-role RBAC enforced via PostgreSQL Row Level Security policies. Cross-ambassador access is impossible at the database query level, not just the UI. API returns 403.
TC-07
P0
Ambassador export 403. Export endpoint enforced at API gateway and database layer. Export button conditionally rendered, not present in ambassador UI.
TC-08
P0
Zero checks results in SAR 0 incentive, not negative. Minimum payout cap enforced in payment calculation logic. HR review notification triggered on Below Target tier.
TC-09
P0
Team Leader composite formula. (team_avg x 0.6) + (eligible_pct x 0.25) + (reports x 0.15). Read-only display. Raw inputs hidden from TL view at API level.
TC-10
P1
RiderCare push within 5 seconds. APNs critical-priority push (iOS) + FCM high-priority push (Android). Server-side delivery receipt confirms.
TC-11
P1
Offline check survives reconnect. AES-256 encrypted local SQLite queue. Sync retry every 30s. Timestamp locked at local save, immutable on upload.
TC-12
P1
Speed anomaly flag. Server-side rule engine. Two checks under 90 seconds apart routes to Crystal queue with anomaly flag.
Documentation package - TSD section 12.2

All 9 deliverables. Handed over at go-live.

Every document specified in TSD section 12.2 is produced and delivered to HungerStation as part of the go-live package. No additional cost. All documents in PDF and editable formats.

System Architecture
Infrastructure diagram, data flow, integration map, deployment topology, security boundaries.
API Reference
All endpoints, request/response schemas, error codes, OAuth + Bearer token guide, rate limits.
Data Dictionary
All fields, types, validation rules, enum values, foreign keys, indexes.
Admin User Manual EN
System administration, user management, RBAC config, integration settings, audit log review.
Ambassador Manual AR + EN
Step-by-step guide for all 8 check steps, offline mode, photo capture, daily log, coaching calls.
Team Leader Manual AR + EN
Team monitoring, dispatch, weekly reports, KPI dashboard interpretation, incident escalation.
UAT Sign-Off Report
All P0/P1 test cases passed, 1 month of validated KPI data, 10-ambassador field validation results.
Pen Test Report
External firm engagement, all Critical/High findings resolved, delivered to HungerStation CISO.
KSA Hosting Certificate
Data residency attestation letter, PDPL + NDMO compliance documentation, before contract signature.