Dependencies
What the customer must have in place before each phase can start. Each row carries a blast radius (which phase blocks if missing), a how-to-obtain pointer, and a typical lead time. Use this as a Discovery-phase checklist (see Phased Rollout → Phase 1).
Lead times are calendar weeks. Anything > 1 week should start in Discovery to avoid blocking Phase 4 or Phase 7.
Budget context: monthly OpEx for AWS infra + every paid SaaS in §2 is broken down per scaling scenario in ../business/infrastructure-cost.md. Use it to size the Phase 1 budget request.
1. Infrastructure
| Item | Blast radius | How to obtain | Lead time |
|---|---|---|---|
| AWS account (or equivalent — Terraform targets EC2 + ECR + IAM) | Phase 3 blocks without it | Customer signs up for AWS; Terraform modules in terraform/perf/ target arm64 (c7g.*) instances in a single AZ. Equivalent on GCP/Azure requires module rewrite. | 1–3 days (account opening) + 1 day (IAM) |
| VPC + subnet in the target AWS region | Phase 3 blocks | Either reuse customer's existing VPC or create a fresh one. The Terraform expects existing IDs via vpc_id / subnet_id. | < 1 day |
| EC2 key pair | Phase 3 blocks SSH | Generate via AWS console or aws ec2 create-key-pair. Default key name is nik; override via key_name tfvar. | < 1 day |
| Domain names for dropbet, admin, grafana, jaeger | Phase 3 (TLS), Phase 7 (cohort) | Customer-owned DNS; CNAME or A record to SUT/monitoring public IP (Terraform outputs dropbet_url etc., but cosmetic — customer overrides). | 1–7 days (DNS propagation; immediate if customer already owns) |
| TLS certificates | Phase 3 | ACM + ALB (recommended) or Let's Encrypt + nginx-proxy. Terraform baseline is direct-to-EC2 — customer adds cert termination. | 1–2 days (ACM with domain validation) |
| KMS key for Doppler (optional) | Phase 3 (advisable for prod) | Customer creates AWS KMS CMK; Doppler integrates with KMS for at-rest encryption of secrets backups. | < 1 day |
| Admin workstation IPs (CIDR) | Phase 3 (SSH + admin HTTP) | Customer collects IPs of all engineers who will SSH/admin; supplies via admin_ssh_cidrs / admin_http_cidrs tfvars. Default is data.http.my_ip (whoever runs apply first). | < 1 day |
| CI/CD runners with Docker buildx + AWS creds | Phase 3 → 8 (deployments) | GitLab CI / GitHub Actions / Jenkins; needs ECR push + EC2 SSM permissions. Reuse the customer's existing CI; the .gitlab-ci.yml in each repo is a starting template. | 1–3 days |
2. Third-party accounts
Each of these has its own approval pipeline. Open every one of them in Phase 1 — the slow ones (KYC, payments, gaming license) become Phase 4 blockers if they're not already approved.
Cost ranges per provider: see ../business/infrastructure-cost.md §3 — every row below has a sourced public price (or {{Quote-only}} marker) and a per-scenario monthly $ estimate.
| Vendor | Blast radius | How to obtain | Lead time |
|---|---|---|---|
| Sumsub (KYC) | Phase 4 (KYC wiring), Phase 6 (UAT KYC scenarios), Phase 7+ (regulatory) | Apply at sumsub.com → onboarding workflow; sandbox typically 2–4 wk approval. Alternative: Veriff, Onfido — would require new adapter under apps/api/src/kyc/. | 2–4 wk |
| CCPAYMENT (crypto payments) | Phase 4 (deposit/withdraw) | ccpayment.com merchant account; sandbox + production keys. Webhook URL on customer side. Already wired under apps/api/src/payment/. | 1–2 wk |
| NowPayments (alt crypto payments) | Phase 4 (alternate provider) | nowpayments.io merchant account. Already wired under apps/api/src/payment/. Customer can enable both. | 1–2 wk |
| Softswiss (game provider, optional) | Phase 4 (game catalog) — only if the customer chose this in Discovery | Operator agreement + integration paperwork. | 4–8 wk; significant scope add (Risks #2) |
| PM8 (game provider, optional) | Phase 4 (game catalog) — only if chosen in Discovery | Operator agreement. | 4–8 wk |
| GeeTest (captcha) | Phase 4 (production captcha key); Phase 7 GA (sign-up flow) | geetest.com; a Google Cloud account with reCAPTCHA Enterprise is the alternative. | Same-day to 1 wk |
| CoinGecko (price feed) | Phase 4 (FX for currency usdAmount) | coingecko.com Pro API key (free tier may suffice for local; production needs Pro). | < 1 day |
| MaxMind (GeoIP) | Phase 7+ (jurisdiction enforcement, country/ module) | maxmind.com GeoLite2 free or commercial. | 1–3 days |
| SendGrid (transactional email) | Phase 4 (email templates), Phase 6 (UAT email scenarios) | sendgrid.com account + DKIM/SPF/DMARC on sending domain. Alternative: AWS SES, Mailgun. | 1–3 days (incl. domain verification + warmup if new) |
| Sentry (error tracking) | Phase 3 (stage error visibility), Phase 7+ (prod) | sentry.io org + 3 projects (ebit-api, ebit-fe, ebit-admin-fe). DSNs into Doppler. | < 1 day |
| Doppler (secrets) | Phase 2 optional, Phase 3+ required for non-local | doppler.com workspace + project per app + config per env (dev, dev_stage, dev_perf, prd). | < 1 day |
| ECR repos | Phase 3 (image push) | Auto-created by Terraform under ebit/*; lifecycle = 10 tagged + 7d untagged. | included in Phase 3 |
| Public EOS RPC node | Phase 4 (speed-roulette only) | Public EOS Wax/Jungle endpoint or run own. Speed-roulette uses block hash for fairness. | < 1 day if using public node |
| Skindeck (deposit alt, optional) | Phase 4 (only if enabled) | skindeck.com merchant account. Already wired. | 1–2 wk |
| Google reCAPTCHA Enterprise (alt to GeeTest) | Phase 4 (production captcha) | Google Cloud project + reCAPTCHA Enterprise. | < 1 day |
| Telegram bot token (optional) | Phase 4 (telegram features only) | @BotFather. | < 1 day |
| Fast Track CRM (optional) | Currently stubbed; flipping the producer requires CRM credentials | fasttrack.solutions account + JWT keypair. Adds the 11 producer call sites flagged in AF-6. | 4–6 wk; out of scope unless customer explicitly opts in |
3. People / skills
The customer's team needs these capabilities in-house (or contracted) by the named phase. Evospin's handover engineer can advise but cannot replace the customer's on-call rotation.
| Capability | Blast radius | Notes |
|---|---|---|
| Backend engineer with NestJS 11 + Prisma 7 experience | Phase 2 onwards | At least one. Will own server-side defects, runbooks, perf-fix work. |
| Frontend engineer with Next.js 14 App Router experience | Phase 4 (branding, locale), Phase 6 (UAT) | At least one. next-intl, Tailwind, shadcn familiarity strongly preferred. |
| Postgres DBA capacity | Phase 5 (perf tuning), Phase 7+ | Index review, connection pool sizing, replica strategy. Can be part-time. |
| AWS / Terraform engineer | Phase 3 onwards | Owns the perf/stage/prod environments; must read terraform/perf/README.md §"Circular-dependency note for maintainers" before changing modules. |
| OTel / observability engineer | Phase 3+, Phase 5 (bottleneck attribution) | Familiar with Jaeger, Prometheus, Loki, Grafana. Must understand AF-2 trace blind spot in architecture.md. |
| On-call rotation | Phase 7 onwards | Minimum 4-person rotation; 24/7 if customer's market requires it. Knows the runbooks library. |
| Customer support team | Phase 6 onwards | Trained on user-mgmt admin endpoints, KYC review, ban / unban (today via Swagger — see Risks #5). |
| Compliance officer / DPO | Phase 1 (Discovery), Phase 7 (regulatory) | Owns AML/KYC policy, data retention, jurisdictional mapping. |
4. Compliance / legal
| Item | Blast radius | How to obtain | Lead time |
|---|---|---|---|
| Gaming license for each target jurisdiction | Phase 7 (pilot in regulated market), Phase 8 (GA) | Jurisdiction-specific (Curacao, Malta MGA, Anjouan, etc.). Customer's compliance team owns the application. | 2–18 months depending on jurisdiction. Start in Discovery; this is the single biggest schedule risk. |
| AML/KYC policy | Phase 4 (KYC mapping to deposit caps), Phase 6 (UAT scenarios) | Customer's compliance team drafts; Evospin can supply technical capability matrix. | 2–4 wk |
| Data retention policy | Phase 7 (regulatory), Phase 8 (GA) | Customer policy + technical implementation in Loki retention, Postgres TTL on PII tables, Sentry retention config. | 1–2 wk |
| Terms of Service + Privacy Policy | Phase 8 GA | Customer legal team. ebit-fe surfaces them via the customer's CMS or apps/api/src/faq/. | 2–4 wk |
| Self-exclusion / responsible-gaming policy | Phase 7+ regulatory | Customer policy; technical surface via user-self-exclusion/ already exists. | 2 wk |
| GDPR / CCPA data subject access workflow | Phase 8+ regulatory | Customer SOP; technical capability via admin user export endpoints. | 2 wk |
5. Internal customer decisions
These are decisions that Evospin cannot make on the customer's behalf. Each one blocks at least one downstream phase. Consolidate into the Discovery decision log.
| Decision | Blast radius | Notes |
|---|---|---|
| Currency set (DBC native + which fiat / crypto) | Phase 4 (accounting/ registry), Phase 5 (perf scenarios), Phase 6 (UAT) | DBC is the platform's native unit; customer chooses display currencies and convertibility. SF-018 (TETH/ETH) needs disambiguation pre-launch. |
| Locale set | Phase 4 (FE strings) | en, de ship today. Each new locale = messages/<locale>.json + next-intl config update. |
| Brand identity | Phase 4 (branding), Phase 6 (UAT) | Logo, palette, favicon, sender email. Provided as asset pack; ebit-fe theme tokens absorb. |
| Game catalog | Phase 1 (Discovery scope decision), Phase 4 (catalog seed) | House games (dice, limbo, mines, plinko, blackjack), speed-roulette, sportsbook, blackjack via orphan ebit-bj (AF-4 — recommended scope decision: deprecate). Game-provider integrations (PM8 / Softswiss) are major scope adds. |
| Payment methods enabled | Phase 1 (Discovery), Phase 4 (wiring), Phase 7 (pilot cohort) | CCPAYMENT, NowPayments, Skindeck pre-wired. Customer-preferred fiat processor adds adapter scope. |
| Feature-flag posture | Phase 4 (initial flags), Phase 7 (cohort gate) | RACE_ENABLED, sign-up variants, sportsbook on/off. Decide flag-management tool: Unleash, GitLab Feature Flags, or LaunchDarkly. |
| Pilot cohort definition | Phase 7 | Geography, percentage, invite list. Affects feature-flag and country-allowlist setup. |
| On-call SLO | Phase 7 onwards | 24/7 vs business-hours; affects rotation size and pager tooling. |
| Rollback criteria | Phase 7 | "If error rate > X% for Y minutes, roll back." Codify before pilot starts. |
| Public communication plan | Phase 8 | Press, customer email, in-app banner. Customer marketing-owned; Evospin not involved. |
Discovery exit checklist
By the end of Phase 1, every row above should be in one of these states:
- ✅ In place — already obtained, link captured.
- ⏳ In flight — request submitted, expected-by date logged.
- ❌ N/A — explicitly out of scope, decision-owner signed off.
Anything in the implicit "not yet asked" state at end of Discovery is by definition a Phase-2-or-later blocker. See Risks → Risk #1 (Doppler) and Risk #3 (Sumsub) for the two we hit most often.