Evospin API changelog¶

Single source of truth for cross-version API behaviour. Each release maps to a tagged OpenAPI snapshot in docs/api-reference/openapi/.

Versioning policy — semver against the public surface of the api and bo Nest applications. Breaking response/request schema changes bump major, additive endpoints bump minor, fixes/clarifications bump patch. The info.version field inside the live OpenAPI spec (Evospin API v1.0, Evospin BO v1.0) is the authoritative tag — bump it inside the Nest buildSwagger call when cutting a release.

How to update — see changelog-process.md. TL;DR: run ./sync-postman.sh, review the JSON diff, categorise the change (breaking / additive / deprecation), append an entry below.

v1.0.0 — 2026-04-25 (initial baseline)¶

First stable extraction of OpenAPI from the live local stack. Source-of-truth artefacts:

docs/api-reference/openapi/api.openapi.json — Evospin API v1.0, OpenAPI 3.0.0, 277 paths / 317 operations.
docs/api-reference/openapi/bo.openapi.json — Evospin BO v1.0, OpenAPI 3.0.0, 48 paths / 58 operations.
docs/api-reference/api.md, docs/api-reference/bo.md, docs/api-reference/rt-events.md — rendered Markdown reference.
docs/api/postman/ebit-api.postman_collection.json — 59 folders, 317 requests.
docs/api/postman/ebit-bo.postman_collection.json — 15 folders, 58 requests.

Endpoints introduced (`api`, port 4000)¶

Method totals: GET=164, POST=104, PATCH=18, DELETE=17, PUT=14.

Tag	Ops	Tag	Ops
Casino API	36	Admin Tips API	4
Admin User API	24	Fairness API	4
Admin Casino API	16	Promo API	4
Debug API	13	Session API	4
User API	13	VipApplicationAdmin	4
Promo Admin API	12	Admin Affiliate Streamer API	3
Admin Payments API	10	Admin Core API	3
Admin Challenge API	9	Admin Country API	3
Authorization API	9	Admin FAQ API	3
Admin Affiliate API	8	Admin Key API	3
Admin Dashboard API V2	8	Admin withdrawals block API	3
Admin Leaderboard API	8	Challenge API	3
Affiliate API	8	Core API	3
Payments API	8	KYC API	3
Admin Dashboard API	7	KYC Admin API	3
FastTrack	7	Leaderboard API	3
Admin User Limits API	5	Notifications API	3
Bets API	5	Sportsbook external GR8	3
BotActivity	5	User Limits API	3
FastTrackDebug	5	User tips API	3
Webhooks	5	VipApplication	3
Accounting API	4	Admin Rakeback API	2
Admin Accounting API	4	FAQ API	2

Plus 13 single- or double-op tags: Payments SkinDeck API (2), Rakeback API (2), Sportsbook exteranal GR8 ( auth ) (2 — note the typo in the live spec), Admin Bets API, Admin Registration Info API, AdminBetQueue, Affiliates External API, Coming Soon API, Country API, Currency, Exchange Rates API, FAST_TRACK external auth, GEO Restrictions API.

Endpoints introduced (`bo`, port 4003)¶

Method totals: GET=24, POST=20, PUT=7, PATCH=4, DELETE=3.

Tag	Ops
Admin User API	18
Admin Leaderboard API	8
Admin Payments API	5
Admin User Limits API	5
Admin Affiliate API	4
FAQ API	4
Admin Key API	3
Admin Tips API	3
Admin Bets API	2
Admin Accounting API	1
Admin Chat API	1
Admin Core API	1
Admin Rakeback API	1
Admin Registration Info API	1
Core API	1

Websocket surface (`rt`, port 4001)¶

No Swagger — see docs/api-reference/rt-events.md and the flat catalog at docs/api-reference/openapi/rt.events.md. Event names sourced from apps/rt/src/gateway/events.ts. Default throttle: WS_THROTTLER_LIMIT=240 requests / WS_THROTTLER_TTL=60000 ms.

Apps with no public REST¶

bj (port 4002) and speed-roulette (port 4004) do not register Swagger. bj is currently orphaned per project_ebit_bj_orphan.md; speed-roulette is internal RPC only and surfaces through rt. No OpenAPI artefact is produced for these apps and no Postman collection is generated.

Breaking changes¶

None — initial baseline.

Deprecations¶

None — initial baseline. The jwt_access_token cookie name is still emitted by admin-fe for back-compat (see project_admin_fe_auth_bugs.md); it is not formally deprecated yet but should be marked for removal in a future minor.

Known quirks (carried over from existing docs, not new)¶

Captcha bypass is local-only. x-captcha-token: pass is silently rejected outside NODE_ENV=local — apps/api/src/captcha/google/recaptcha.service.ts:28.
Bet endpoints have an OTel blind spot. DiceService.play and BetService.createAndSettleBet lack manual spans; the BullMQ bet-settled consumer starts an orphan trace (see docs/audits/perf-trace-coverage-audit.md).
Socket.io auth reads the cookie, not the header. Setting Authorization: Bearer … on the upgrade request is ignored.
Sportsbook exteranal GR8 ( auth ) tag has a typo in the source — preserved verbatim in the spec; do not rename without coordinating with sportsbook integration partners.
Debug API (13 operations) and FastTrackDebug (5 operations) are mounted on api itself and gate on env. They must remain unreachable in prod — verify with the perf audit before any release.

Migration notes¶

None — first release.

v0.x — pre-baseline (historical)¶

The repository's info.version field was pinned at 1.0 for the entire visible window of the prod branch (≥ 12 months). Without per-release tags, granular pre-baseline history is not reconstructible from info.version alone.

Notable pre-baseline events surfaced via git log --since="2025-01-01" --pretty=format:"%h %ad %s" --date=short in ebit-api/:

Date	Commit	Visible API impact
2025-02-10	`6fad1dd8`	Updated global API guard whitelist + error handling.
2025-04-11	`5ee3caa6`	`featureFlag` filters API data (slots feature flag landing).
2026-03-23	`529dfb69`	`BetRepository.decrementBetAggregatesForRefund` added — refund accounting path.
2026-03-24 → 2026-03-30	`ST8` integration cluster (≈20 commits)	New ST8 admin bonus operations, transaction-state model, mutex-locked wallet actions. Reflected as new ops under the Admin tags in v1.0.0.
2026-04-02	`b3eb53d2`	`NEW_RELEASES` category added to `MAIN_GAME_GRID_CATEGORIES`; `BLACKJACK`/`LIVE_CASINO` temporarily commented out (later re-enabled `182e739d`).
2026-04-09	`92dc5846`, `a40e077c`, `a31fadb6`	Challenge module + DTOs + cache pagination decorator refactor.
2026-04-10	`97704692`	Country restriction page — affects geo-restriction flow.
2026-04-13	`5ad08322`	User profile statistics endpoints.

{{TBD: pre-history}} for sub-feature granularity prior to 2025. The changelog starts fresh at v1.0.0 — earlier states are reconstructible only by checking out a pinned commit and re-running the OpenAPI extraction.

Forward template¶

Each new release should add a section like the following:

## v1.<minor>.<patch> — YYYY-MM-DD

### Breaking changes
- `<METHOD> <path>` — request schema changed: `oldField` removed, `newField` (type X) added. Migration: clients must…

### New endpoints
- `<METHOD> <path>` (tag: `…`) — short purpose. Auth: bearer / public / admin guard.

### Modified endpoints
- `<METHOD> <path>` — response added optional field `…`. Backward-compatible.

### Deprecations
- `<METHOD> <path>` — sunset YYYY-MM-DD. Replacement: `<METHOD> <path>`.

### Migration notes
```diff
- old client snippet
+ new client snippet

Refresh checklist¶

[ ] Bumped info.version in the Nest buildSwagger call.
[ ] Re-ran ./sync-postman.sh (regenerates Postman collections + diff).
[ ] Updated docs/api-reference/api.md / bo.md via python3 docs/api-reference/_gen.py.
[ ] Updated this changelog and removed the corresponding changelog-draft-*.diff artefact. ```

Conventions for changelog authors¶

Reference paths verbatim. Use the OpenAPI path value ({paramName}), not the curl-pretty form, so consumers can grep.
Cite the tag in parentheses — controllers in this codebase are split across many tags and the tag is the navigational unit in api.md/bo.md.
Group related changes under the smallest possible bullet — one line per endpoint, not per file changed.
Always include a migration snippet for any breaking change. If the migration is "no client change required" say so explicitly.
For deprecations, give a sunset date that is at least one minor release out, and link the replacement endpoint.
Do not commit secrets. When showing a curl/JSON example, use {{accessToken}} / {{TBD}} placeholders.