Key Features
Audience : Sales, leadership, prospect's CTO/CEO. Read alongside ../architecture.mdFormat : One row per shippable capability. Each row has a 1-line description, the owning code path (clickable in most viewers), key dependencies, and a documentation marker.
Doc-status legend — applied per row:
- ✓ — covered by a published flow doc in ../flows/../runbooks/{{TBD}} — not yet documented at flow-doc depth.
1. Identity & access
Feature
Description
Owns it
Depends on
Status
Email + password sign-up
Username + email + password registration with email verification mail-out
apps/api/src/auth/auth.controller.ts (sign-up), auth.service.tsSMTP via external-notification-sender/, captcha (GeeTest or reCAPTCHA), Postgres user table
✓ flows/dropbet-sign-up.md
Email + password sign-in
Bcrypt verification, JWT access + refresh tokens, cookies set with secure flags
apps/api/src/auth/auth.controller.ts, cookies.tsbcrypt, jsonwebtoken, Redis-backed session via BullMQ producer
✓ flows/dropbet-sign-in.md
2FA (TOTP)
Per-user TOTP secret + OtpGuard for SuperAdmin endpoints; setup + verify + disable flow
apps/api/src/auth/guards/, apps/api/src/auth/auth.service.tsotplib
🆗 runbooks/2fa-unknown-secret.md
Password reset
Token-based reset via signed URL emailed to verified address
apps/api/src/auth/auth.controller.tsSMTP
✓ flows/dropbet-password-reset.md
OAuth scaffolding (Google, Steam)
GoogleStrategy + Steam strategy registered in auth.module.ts; setupUsernameAfterOAuthRegistration endpoint exists. Production-readiness : scaffolded; live-traffic enablement is operator config + integration testingapps/api/src/auth/strategies/google.strategy.ts, apps/api/src/auth/strategies/steam/Google OAuth client, Steam OpenID
⚠
API key auth
ApiKeyStrategy for service-to-service callers (e.g. external bots, sportsbook S2S)apps/api/src/auth/strategies/api-key.strategy.ts, apps/api/src/api-key/—
⚠
Captcha (GeeTest primary)
GeeTest v4 sliding-puzzle captcha on sign-up + sign-in; deduped via Redis cache key
apps/api/src/captcha/geetest/geetest-captcha.service.tsRedis cache, GeeTest API
🆗
Captcha (reCAPTCHA fallback)
Google reCAPTCHA gate; is-capture-on: off header + NODE_ENV=local bypasses it for E2E + dev
apps/api/src/captcha/google/recaptcha.guard.tsGoogle reCAPTCHA
🆗 + runbooks/recaptcha-fails-locally.md
WebSocket auth
Socket handshake via auth={socket_token}, validated against Redis session store; per-IP throttle
apps/rt/src/gateway/, libs/ws-throttler/Redis cache (MAX_CONNECTIONS_PER_IP=10 per IP, configurable in env)
✓ flows/rt-websocket.md
2. Wallet, payments, and accounting
Feature
Description
Owns it
Depends on
Status
Multi-currency balance ledger
user_balance per (user, currency) with amount + vault_amount; transactional ledger writes with idempotencylibs/_prisma/src/schema/api.prisma (UserBalance), apps/api/src/accounting/Postgres
🆗
FX / USD valuation
ExchangeRatesService.toUsd() for cross-currency display & wager normalisationapps/api/src/exchange-rates/external rate feed ({{TBD: provider}})
⚠
Crypto deposit (CCPayment)
CCPayment provider integration: invoice creation, webhook handling, signature verification
apps/api/src/payment/provider/integration/ccpayment/CCPayment API
🆗 flows/dropbet-wallet.md
Crypto deposit (NowPayments)
NowPayments invoice + IPN webhook + fee/fixed-rate flags
apps/api/src/payment/provider/integration/nowpayments/NowPayments API
🆗
Skin trading deposits
SkinDeck integration for skin-to-balance flow
apps/api/src/payment/provider/integration/skindeck/SkinDeck API
⚠
Withdrawal pipeline
withdraw controller + admin approval flow + withdraw-check.service.ts for compliance gatesapps/api/src/payment/withdraw/KYC status, ledger
🆗
Deposit pipeline
deposit controller + admin review + Redis pub-sub gateway notifierapps/api/src/payment/deposit/provider webhook → ledger
🆗
Payment provider abstraction
PaymentProviderModule aggregates all integrations; PaymentProviderService is the single import surfaceapps/api/src/payment/provider/payment-provider.module.ts—
🆗
Network registry
Catalogue of supported chains/networks per provider
apps/api/src/payment/provider/network/—
⚠
Wallet display
Player-facing wallet UI: balances, deposit, withdraw, history
ebit-fe/src/app/[locale]/... (wallet route)API client, socket events
✓ flows/dropbet-wallet.md
3. Compliance
Feature
Description
Owns it
Depends on
Status
KYC (Sumsub)
Applicant lifecycle: create → upload → review → status webhook → state transition
apps/api/src/kyc/sumsub/, apps/api/src/kyc/kyc.service.tsSumsub API + webhooks
🆗
KYC repository
Persistent applicant + document state model
apps/api/src/kyc/kyc.repository.tsPostgres
🆗
User limits
Self-exclusion, deposit limits, loss limits
apps/api/src/users-limits/ (also apps/bo/src/user-limits/)accounting, admin
⚠
Geo / country gating
IP → country resolver + restricted-country list
apps/api/src/country/external geo-IP lookup ({{TBD: provider}})
⚠
Audit logging
Admin notes, OTel spans across every state-changing endpoint, structured pino logs to Loki
apps/api/src/user/admin/notes/, libs/shared/ (NestLoggerModule), docs/observability.mdLoki, Jaeger
🆗
4. Casino — house games (in-house RNG)
All settle through the shared bet/ pipeline (apps/api/src/bet/) and produce a bet_settled BullMQ job that drives leaderboard / promo / rakeback.
Game
Code path
Status
Dice
apps/api/src/casino/house/dice/ (dice.service.ts)✓ flows/dropbet-house-game.md
Limbo
apps/api/src/casino/house/limbo/✓
Mines
apps/api/src/casino/house/mines/ (multi-step rounds, mid-round cashout)✓
Plinko
apps/api/src/casino/house/plinko/✓
Provably-fair seeding
apps/api/src/provably-fair/ — server seed rotation, client seed support🆗
5. Casino — live + game-server-driven
Game
App
Description
Code
Status
Blackjack (dropbet)
apps/api (in-process)Player-facing blackjack UI + game logic served via REST + websocket
apps/api/src/casino/games/... (blackjack ref)✓ flows/dropbet-blackjack.md
Blackjack (orphan game-server)
apps/bj (port 4002)Standalone blackjack server with EVO-Games external-wallet path. Currently not wired to dropbet traffic — see architecture §1 trust boundary note
apps/bj/src/main.ts⚠
Speed Roulette
apps/speed-rouletteEOS-blockchain-anchored roulette wheel; BullMQ state machine concurrency=1 per round
apps/speed-roulette/, libs/_prisma/src/schema/speed_roulette.prisma✓ flows/dropbet-speed-roulette.md
6. Casino — provider-game catalogues (slots + tables via partner)
Adapter pattern: each provider lives in apps/api/src/casino/slots/providers/<name>/, exposing a launch service and a wallet callback.
Provider
Code path
What it ships
Softswiss apps/api/src/casino/games/api/softswiss/ (CDN + sub-vendor catalogue) + apps/api/src/casino/games/service/hydrate-softswiss.service.tsGame catalogue hydration from Softswiss CDN
PM8 apps/api/src/casino/slots/providers/pm8/Launch URL signing, wallet callbacks, controller
BGaming apps/api/src/casino/slots/providers/bgaming/ (api/bgaming-api.service.ts, wallet/)Launch + wallet callback + dev-proxy controller
ST8 apps/api/src/casino/slots/providers/st8/Launch + wallet integration
EvoGames apps/api/src/casino/slots/providers/evogames/Launch + wallet integration
Common provider scaffolding
apps/api/src/casino/slots/providers/common/Shared signature/HMAC helpers, error taxonomy
Status across the row: 🆗 — the adapters exist and are wired into slot-games.service.ts; per-provider integration depth varies, see integration-options.md
7. Sportsbook
Feature
Description
Owns it
Status
Sportsbook proxy
Player-facing endpoints proxy to upstream odds engine
apps/api/src/sportbook/sportbook.controller.ts, sportbook.service.ts⚠
S2S auth
Service-to-service auth for upstream odds engine callbacks
apps/api/src/sportbook/s2s/⚠
Sportsbook actions / transactions
Bet placement → settlement → ledger writeback
apps/api/src/sportbook/actions/transactions/⚠
System endpoints
Health / config / catalogue endpoints
apps/api/src/sportbook/system/⚠
Note: sportsbook is a proxy . Evospin does not run an odds engine; the upstream provider is operator-configured.
8. Bet pipeline
Feature
Description
Owns it
Status
Bet placement
Single canonical endpoint per game; decoupled validation, balance hold, settlement
apps/api/src/bet/ (BetController, BetCrudService, BetRepository)✓ flows/dropbet-bet-place.md
Bet settlement queue
BullMQ bet_settled_queue — every settled bet drives downstream processors (leaderboard, promo, rakeback, GGR)
apps/api/src/bet/queue/🆗
Bet history
Paginated player history; admin-side detailed view
apps/api/src/bet/, apps/bo/src/bet/✓ flows/dropbet-bet-history.mdflows/admin-bets.md
GGR commission
Provider-game GGR computed via ggr-commission.service.ts
apps/api/src/casino/games/service/ggr-commission.service.ts⚠
Feature
Description
Owns it
Status
Promo / bonus
PromoController + PromoEffectService apply bonuses on deposit / sign-up / events; lock.decorator.ts for race safetyapps/api/src/promo/🆗
Challenges
Award-only challenges driven by admin; wager / win triggers
apps/api/src/challenge/✓ flows/dropbet-challenges.md
Leaderboard
Periodic recompute (leaderboard.checker.ts), gateway pushes top-N to subscribed sockets
apps/api/src/leaderboard/✓ flows/dropbet-leaderboard.md
Rakeback
Computed on bet_settled events
apps/api/src/rakeback/🆗
VIP program
Tier progression based on wagered volume
apps/api/src/vip-program/⚠
Tips (peer-to-peer)
Player-to-player balance tips with admin reversal capability
apps/api/src/tips/, apps/api/src/admin-tips/⚠
Affiliate
Affiliate-link tracking + commissions
apps/api/src/affiliate/⚠
Traffic arbitrage
Arbitrage marketing campaign accounting
apps/api/src/traffic-arbitrage/⚠
Telegram bot integration
Bot endpoints for in-Telegram interactions
apps/api/src/telegram/⚠
FastTrack bonus tracker
RabbitMQ producer to FastTrack — stubbed (disabled = true at line 8 of apps/api/src/fast-track/rabbitmq/fast-track.rmq.module.ts)
apps/api/src/fast-track/⚠
10. Real-time + chat
Feature
Description
Owns it
Status
WebSocket fan-out
socket.io v4, /events namespace, websocket-only transport, Redis pub/sub backplane
apps/rt/src/gateway/✓ flows/rt-websocket.md
Online tracker
Live online-user counter, broadcast to UI
apps/rt/src/online-tracker/🆗
Event catalogue
Typed event definitions consumed by FE socket-client
apps/rt/src/gateway/events.ts✓
RT notifications
API-side publishers → gateway pub/sub → rt
apps/api/src/rt-notification/🆗
Chat
In-game chat channels + admin moderation
apps/api/src/chat/⚠
11. Admin / backoffice
Feature
Description
Owns it
Status
Admin sign-in (2FA-gated)
Admin login with TOTP, role-based access, OtpGuard for SuperAdmin
apps/api/src/auth/ (admin paths), ebit-admin-fe/src/app/(auth)/✓ flows/admin-sign-in.md
User management
List, search, ban, KYC review, balance adjustment, notes
apps/api/src/user/admin/, apps/bo/src/user/, ebit-admin-fe/.../user/✓ flows/admin-user-mgmt.md
Bet review
Per-bet inspection with full audit trail + ledger correction
apps/bo/src/bet/, ebit-admin-fe/.../bets/✓ flows/admin-bets.md
Promo / challenge / leaderboard CRUD
Admin CRUD over promotional content
apps/api/src/promo/controllers/, apps/api/src/challenge/controller/, apps/api/src/leaderboard/admin.leaderboard.controller.ts🆗
Site config
Feature flags + runtime toggles
apps/api/src/site-config/, apps/bo/src/site-config/⚠
FAQ CMS
FAQ content management
apps/api/src/faq/, apps/bo/src/faq/⚠
Dashboards
Operator KPI dashboards
apps/api/src/dashboard-v2/, apps/api/src/dashboard/, ebit-admin-fe/.../dashboard/ (Ant Design charts)⚠
Affiliate / API key admin
Affiliate management, API key rotation
apps/bo/src/affiliate/, apps/bo/src/api-key/⚠
12. Frontends
App
Framework
Role
Code
Status
ebit-fe (dropbet)Next.js (next-intl en/de, socket.io-client)
Public player site
ebit-fe/src/app/[locale]/✓ — covered by every flows/dropbet-*.md
ebit-admin-feVite + React (TanStack Router)
Internal admin panel (single language)
ebit-admin-fe/src/routes/✓ — covered by every flows/admin-*.md
Versions and full stack inventory: ../engineering/stack.md
13. Async, observability, infrastructure (cross-cutting)
Capability
Description
Owns it
Status
BullMQ async runtime
All production queues: auth-session updates, bet settlement, bots, leaderboard, promo, user-stats migration, skindeck deposits, both speed-roulette queues
apps/api/src/**/bull/, apps/api/src/**/queue/, @nestjs/bullmq🆗 — see CLAUDE.md §"Async queues"
House-bot fleet
Simulated-activity bots driven by BullMQ producers, isolated on Redis :6380
apps/api/src/bots/system/bull/, apps/api/src/bots/bot.service.ts⚠
RabbitMQ broker
In compose (vhost=ft), wired only to FastTrack stub — receives zero traffic until stub removed
apps/api/src/fast-track/rabbitmq/⚠
OpenTelemetry pipeline
Pre-main bootstrap, OTLP HTTP to collector, spanmetrics → Prometheus, traces → Jaeger, logs → Loki via pino
libs/shared/ (OTel pre-main), observability/otel-collector.yml✓ ../observability.md../e2e-trace-demo.md
Sentry
Errors + source maps for all three apps
sentry.*.config.ts per repo🆗
Performance test harness
k6 + Playwright canary, terraform modules for monitoring + app VMs
tests-perf/ (root), terraform/perf/✓ ../performance-testing.md
Provably-fair fairness
Server-seed rotation, HMAC-bound per-bet seeds
apps/api/src/provably-fair/🆗
Multi-tier rate limiting
Per-route sliding-window throttle (Lua on cache Redis), per-IP WS connection cap
apps/api/src/captcha/ (HTTP), libs/ws-throttler/ (WS)🆗
Doppler-managed secrets
All env vars in dev pulled via run_local.sh from Doppler
each repo's run_local.sh
🆗
Cross-links