# VYNDR — System Manifest Source of truth for every interface in the codebase as of Session 7c (958 tests across 73 suites, zero regressions). When this drifts from reality, update this file FIRST. --- ## 1. Architecture overview ``` ┌──────────────────┐ │ Next.js (3000) │ ─── public web app + app/api/* proxies └────────┬─────────┘ │ BACKEND_URL ▼ n8n cron ── POST ─► ┌──────────────────┐ ─► Supabase (RLS-enforced reads, PM2 pollers ──────► │ Express (3001) │ service-role writes from API) Coolify healthcheck │ │ ─► Redis (cache + locks) └────────┬─────────┘ │ ▼ ┌───────────────────────────────────┐ │ External adapters (configured()- │ │ gated, rate-limited, breakered) │ │ SharpAPI · OddsPapi · PropOdds · │ │ ParlayAPI · CFBD · OpenRouter · │ │ ESPN · MLB Stats API · Pinnacle │ └───────────────────────────────────┘ ``` Two parallel grading paths coexist (audited in Session 7c): - **Legacy path** (still wired): `routes/scan|analyze|bets|alerts` → `parlayScanService` → `propAnalyzer` → `grader.js` → `UnifiedOddsProvider` → 9 book adapters (ESPN, Pinnacle, DraftKings, FanDuel, BetMGM, Caesars, PrizePicks, Covers, Rotowire) → `processing/{LineShoppingEngine, MiddlesDetector, EVCalculator}`. - **New path** (Sessions 6a-6c): `routes/grading/pipeline` → `gradingOrchestrator` → `featureCache` + `trapDetection` + `consistencyScore` + `probabilityEstimator` → `engine1` → (A/B-tier only) `engine2` via OpenRouter. The two paths share `grade_history`, `Redis`, `Supabase`. They do not share the grading function itself. **This duplication is documented as finding #ARCH-1 below.** --- ## 2. Express API endpoints Mounted in `src/app.js`. Auth column meanings: - **public** — no auth middleware - **user** — `requireAuth` (Supabase JWT bearer) - **internal** — `requireInternal` (X-VYNDR-Internal-Key + loopback IP) - **pipeline** — `requirePipelineSecret` (X-Pipeline-Secret) - **stripe-sig** — `stripe.webhooks.constructEvent` signature | Method | Path | Auth | Body limit | Handler | | ------ | ------------------------------------- | ----------- | ---------- | ------------------------------------ | | GET | /api/health | public | n/a | `app.js` (inline) | | GET | /api/odds/nba | public | 10mb | `routes/odds.js` | | GET | /api/odds/ncaab | public | 10mb | `routes/odds.js` | | POST | /api/analyze/prop | public | 10mb | `routes/analyze.js` (demo scan) | | POST | /api/analyze/batch | public | 10mb | `routes/analyze.js` ⚠ no rate limit | | POST | /api/scan/parlay | user | 10mb | `routes/scan.js` | | GET | /api/movements | public | 10mb | `routes/movements.js` | | GET | /api/alerts | user | 10mb | `routes/alerts.js` | | PATCH | /api/alerts/:id/read | user | 10mb | `routes/alerts.js` | | POST | /api/bets/quickslip | user | 10mb | `routes/bets.js` | | POST | /api/bets/screenshot | user | 10mb | `routes/bets.js` | | POST | /api/bets/screenshot/confirm | user | 10mb | `routes/bets.js` | | POST | /api/bets/sync | user | 10mb | `routes/bets.js` | | PATCH | /api/bets/:id/settle | user | 10mb | `routes/bets.js` | | GET | /api/bets | user | 10mb | `routes/bets.js` | | GET | /api/bets/performance | user | 10mb | `routes/bets.js` | | POST | /api/stripe/checkout | user | 10mb | `routes/stripe.js` | | POST | /api/stripe/webhook | stripe-sig | raw bytes | `routes/stripe.js` | | POST | /api/stripe/portal | user | 10mb | `routes/stripe.js` | | GET | /api/stripe/status | user | 10mb | `routes/stripe.js` | | GET | /api/stats/parlays-graded | public | 10mb | `routes/stats.js` | | GET | /api/stats/public | public | 10mb | `routes/stats.js` | | GET | /api/stats/live | public | 10mb | `routes/stats.js` | | GET | /api/props/joint-history | user | 10mb | `routes/props.js` | | POST | /api/waitlist | public | 10mb | `routes/waitlist.js` | | POST | /api/pipeline/refresh | pipeline | 10mb | `routes/pipeline.js` | | GET | /api/pipeline/status | public | 10mb | `routes/pipeline.js` | | POST | /api/share-card | public | 10mb | `routes/shareCard.js` | | POST | /api/push/subscribe | user | 10mb | `routes/push.js` | | DELETE | /api/push/unsubscribe | user | 10mb | `routes/push.js` | | POST | /api/grading/resolve | internal | **10mb** | `routes/grading.js` | | POST | /api/grading/pipeline | internal | 10mb | `routes/grading.js` | | POST | /api/grading/correct | internal | 256kb | `routes/corrections.js` | | GET | /api/widget | public | 10mb | `routes/widget.js` | | OPTIONS| /api/widget | public | n/a | `routes/widget.js` | ### Next.js API routes (frontend `app/api/*`) These are proxies or thin wrappers; they hit Express via `BACKEND_URL` or the Python service via `NEXT_PUBLIC_NBA_SERVICE_URL`. - `/api/checkout` (POST/GET) — NexaPay checkout - `/api/games/[id]` and `/api/games/tonight` — list / detail - `/api/games/[id]/props` — props for a game - `/api/intelligence/feed` — homepage live signals - `/api/ledger`, `/api/ledger/accuracy` — Ledger feed - `/api/parlay/add-leg`, `/api/parlay/grade` — proxy to `/api/scan/parlay` - `/api/players/search` — proxy to Python `/players/search` - `/api/props/live`, `/api/props/most-parlayed`, `/api/props/top-graded` - `/api/scan` — bare scan endpoint - `/api/stats/parlays-graded`, `/api/stats/public` — proxy - `/api/user/profile`, `/api/user/scans`, `/api/user/recent-scans` - `/api/waitlist` — proxy - `/api/webhook/nexapay` — NexaPay webhook --- ## 3. Environment variables Source: `grep -rn 'process\.env\.' src/ poller/ scripts/ web/src/`. ✓ = documented in `.env.example`. ⚠ = used but optional (default falls back). Updated this session in Section 1 of Session 7c. ### Core | Var | Required | Default | Used By | Doc? | | ------------------------- | -------- | -------------- | ------------------------------------ | ---- | | `NODE_ENV` | no | (none) | various | ✓ | | `PORT` | no | `3001` | `src/server.js` | implicit | | `BASE_URL` | yes | `http://localhost:3001` | `stripeService`, `widget` | ✓ | | `FRONTEND_ORIGINS` | yes | (none) | `app.js` (CORS) | ✓ | | `VYNDR_INTERNAL_KEY` | yes | (none) | `routes/grading`, `corrections` | ✓ | ### Supabase | Var | Required | Used By | Doc? | | -------------------------------- | -------- | -------------------------------- | ---- | | `SUPABASE_URL` | yes | both clients | ✓ | | `SUPABASE_ANON_KEY` | yes | `getSupabaseClient` | ✓ | | `SUPABASE_SERVICE_ROLE_KEY` | yes | `getSupabaseServiceClient` | ✓ | | `SUPABASE_SERVICE_KEY` (legacy) | no | fallback only (7b) | ✓ commented | | `SUPABASE_DB_URL` | yes | `scripts/backup.sh`, `migrations`| ✓ | | `SUPABASE_DB_PASSWORD` | no | legacy backup form | ✓ commented | | `NEXT_PUBLIC_SUPABASE_URL` | yes | Next.js client | ✓ | | `NEXT_PUBLIC_SUPABASE_ANON_KEY` | yes | Next.js client | ✓ | | `NEXT_PUBLIC_SITE_URL` | yes | Next.js metadata | ✓ | ### Web ↔ Backend | Var | Required | Default | Used By | Doc? | | ---------------------------- | -------- | ------------------------ | -------------------------------- | ---- | | `NEXT_PUBLIC_API_URL` | yes | `http://localhost:3001` | `web/src/lib/api.ts` | ✓ (added 7c) | | `NEXT_PUBLIC_NBA_SERVICE_URL`| yes | `http://localhost:8000` | `web/api/players/search` | ✓ (added 7c) | | `BACKEND_URL` | yes | `http://localhost:3001` | `web/services/odds-cache.ts` | ✓ (added 7c) | ### Stripe + Payments | Var | Doc? | | ---------------------------- | ---- | | `STRIPE_SECRET_KEY` | ✓ | | `STRIPE_WEBHOOK_SECRET` | ✓ | | `STRIPE_PRICE_ANALYST` | ✓ | | `STRIPE_PRICE_ANALYST_FOUNDER` | ✓ | | `STRIPE_PRICE_DESK` | ✓ | | `STRIPE_PRICE_DESK_FOUNDER` | ✓ | | `FOUNDER_CODES` | ✓ | | `FOUNDER_CODE_EXPIRY` | ✓ | | `NEXAPAY_API_URL` | ✓ (added 7c) | | `NEXAPAY_API_KEY` | ✓ (added 7c) | | `NEXAPAY_WEBHOOK_SECRET` | ✓ (added 7c) | ### Push | Var | Doc? | | ---------------------------- | ---- | | `VAPID_PUBLIC_KEY` | ✓ | | `VAPID_PRIVATE_KEY` | ✓ | | `VAPID_SUBJECT` | ✓ | | `NEXT_PUBLIC_VAPID_PUBLIC_KEY`| ✓ | ### Odds adapters | Var | Doc? | | ------------------------- | ---- | | `SHARPAPI_KEY` | ✓ | | `SHARPAPI_BASE_URL` | ✓ | | `ODDSPAPI_KEY` | ✓ | | `ODDSPAPI_BASE_URL` | ✓ | | `PARLAYAPI_KEY` | ✓ | | `PARLAYAPI_BASE_URL` | ✓ | | `PARLAYAPI_PULL_RATE_MS` | ✓ | | `PROPODDS_KEY` | ✓ | | `PROPODDS_BASE_URL` | ✓ | | `CFBD_KEY` | ✓ | | `CFBD_BASE_URL` | ✓ | | `PINNACLE_API_KEY` | ✓ commented (legacy) | | `PINNACLE_API_BASE` | ✓ commented (legacy) | | `ODDS_API_KEY` | ✓ commented (legacy) | ### Engine 2 | Var | Doc? | | ---------------------------- | ---- | | `OPENROUTER_API_KEY` | ✓ | | `OPENROUTER_PRIMARY_MODEL` | ✓ | | `OPENROUTER_FALLBACK_MODEL` | ✓ | | `OPENROUTER_BASE_URL` | ✓ | | `OPENROUTER_REFERER` | ✓ | | `OPENROUTER_TITLE` | ✓ | | `ENGINE2_BATCH_SIZE` | ✓ | | `ENGINE2_ENABLED` | ✓ | ### Redis + Python | Var | Doc? | | ------------------------- | ---- | | `REDIS_URL` | ✓ | | `PYTHON_SERVICE_URL` | ✓ | | `NBA_SERVICE_URL` | ✓ commented (legacy alias) | | `NBA_STATS_URL` | ✓ commented (legacy alias) | | `EVOLUTION_SERVICE_URL` | ✓ commented (legacy) | | `VYNDR_PYTHON` | ✓ commented (legacy alias) | ### Distribution + Analytics | Var | Doc? | | ------------------------- | ---- | | `TELEGRAM_BOT_TOKEN` | ✓ | | `TELEGRAM_CHANNEL_ID` | ✓ | | `DISCORD_WEBHOOK_DAILY` | ✓ | | `DISCORD_WEBHOOK_RESULTS` | ✓ | | `DISCORD_WEBHOOK_ALERTS` | ✓ | | `DISCORD_WEBHOOK_RARE` | ✓ | | `RESEND_API_KEY` | ✓ (added 7c) | | `RESEND_FROM_EMAIL` | ✓ (added 7c) | | `NEXT_PUBLIC_POSTHOG_KEY` | ✓ (added 7c) | | `NEXT_PUBLIC_POSTHOG_HOST`| ✓ (added 7c) | ### Poller-set (per-process via PM2) | Var | Default | Doc? | | ----------------- | ------- | ---- | | `SPORT` | (none) | ✓ commented | | `POLL_INTERVAL` | `60000` | ✓ commented | | `BUFFER_MS` | `30000` | ✓ commented | | `VYNDR_API_URL` | `http://localhost:3001` | ✓ commented | | `OFF_HOURS_POLL_MS` | hardcoded 5min | not env | ### Backup + Ops | Var | Doc? | | ------------------------- | ---- | | `NTFY_PORT` | ✓ | | `NTFY_TOPIC` | ✓ | | `BACKUP_RETENTION_DAYS` | ✓ | | `PIPELINE_SECRET` | ✓ commented | | `PUBLIC_SHARE_CARD_BASE` | ✓ commented | | `API_BASE_URL` | ✓ commented (alias of BASE_URL) | | `ENGINE` | ✓ commented (legacy) | --- ## 4. Supabase tables Source: `grep -rn "\.from('[a-z_]*')" src/ poller/`. ### Tables created by VYNDR migrations | Table | Migration | Read by | Written by | | ---------------------- | --------- | ------------------------------------------------------ | --------------------------------------- | | `user_profiles` | 011, 015 | AuthContext, stripeService mirror, accuracyTracker | handle_new_user, stripeService | | `parlay_leg_frequency` | 011 | parlay analytics | scan flow | | `scan_history` | 011 | user scans listing | scanRoutes | | `odds_cache` | 014 | oddsService | oddsService, n8n pipeline | | `line_history` | 014 | lineMovementService | lineMovementService | | `cascade_alerts` | 014 | cascadeService, intelligence feed | cascadeService | | `player_stats_cache` | 014 | propAnalyzer | propAnalyzer | | `grade_history` | 014/16/18 | Ledger, resolution route, weight adjuster, accuracy | orchestrator, resolution, engine2, corrections | | `prop_correlations` | 014 | correlationEngine | correlationEngine | | `player_id_map` | 014→016 | populate-player-ids, oddsPapiAdapter | populate-player-ids | | `push_subscriptions` | 015 | webPush | push routes, webPush prune | | `closing_lines` | 016 | clvTracker, oddsPapiAdapter | oddsPapiAdapter.batchCapture | | `resolution_results` | 016 | clvTracker, weightAdjuster, corrections | resolution route | | `historical_props` | 017 | trap historical signal (future) | pull-parlayapi-history | | `line_snapshots` | 017 | lineMovement intel | sharpApiAdapter (fire-and-forget) | | `ref_profiles` | 017 | refSignals | scrape-sports-reference | | `coach_profiles` | 017 | coachSignals | scrape-sports-reference, seed file | | `game_ref_assignments` | 017 | refSignals | ops manual entry | | `engine1_weights` | 018 | weightAdjuster | weightAdjuster | | `accuracy_tracking` | 018 | accuracyTracker, Ledger accuracy page | accuracyTracker | | `user_notifications` | 013 | notifications route | notification senders | ### Tables present in DB but NOT in VYNDR migrations (BetonBLK era) `bets`, `daily_scan`, `discrepancy_reliability_scores`, `joint_outcomes`, `lineup_role_profiles`, `model_predictions_extended`, `outcomes`, `performance`, `picks`, `player_role_activations`, `player_role_profiles`, `prediction_registry`, `scan_sessions`. VYNDR code reads/writes only the subset still in use: - `bets` — `routes/bets.js`, `betService.js` - `joint_outcomes` — `routes/props.js` (joint-history) - `model_predictions_extended` — `propAnalyzer` - `performance` — `performanceService` - `picks` — `parlayScanService` - `scan_sessions` — `routes/scan.js` ### Shared tables (BetonBLK + VYNDR) - `users` — both eras - `waitlist` / `waitlist_signups` — created in 012 (latter is canonical) --- ## 5. Redis keys Source: `grep -rn "cacheSet\|cacheGet\|redis\.set"`. | Key pattern | TTL | Set by | Read by | | ---------------------------------------- | ----------- | --------------------------------- | ----------------------------- | | `odds:{sport}:{gameId}:player_props` | 60s (300s stale) | sharpApiAdapter | sharpApiAdapter, orchestrator | | `odds:{sport}:{gameId}:game` | 60s | sharpApiAdapter | sharpApiAdapter | | `parlayapi:hist:{sport}:{p}:{stat}:{n}` | 24h | parlayApiAdapter | trapDetection (future) | | `parlayapi:close:{sport}:{date}` | 24h | parlayApiAdapter | pull script | | `parlayapi:checkpoint:{sport}:{season}` | 30d | pull-parlayapi-history | pull-parlayapi-history | | `propodds:{sport}:{game}:{player}:{stat}`| 90s (300s stale) | propOddsAdapter | propOddsAdapter | | `cfbd:teamstats:{team}:{year}` | 6h | cfbdAdapter | cfbdAdapter | | `cfbd:usage:{player}:{team}:{year}` | 6h | cfbdAdapter | cfbdAdapter | | `cfbd:talent:{team}:{year}` | 6h | cfbdAdapter | cfbdAdapter | | `cfbd:lines:{team}:{year}` | 6h | cfbdAdapter | cfbdAdapter | | `gamelogs:{sport}:{player}:{n}` | 4h | gameLogService | featureCache, consistency | | `team_stats:{sport}:{teamAbbr}` | 24h | teamStatsCache | featureCache, engine1 | | `features:{sport}:{playerId}:{stat}:{game}` | 2m | featureCache | orchestrator | | `injuries:{sport}:{teamId}` | 2h | injuryParser | featureCache | | `game:{gameId}:status` | 36h | poller | poller | | `game:{gameId}:resolution_lock` | 5min (NX) | poller | poller (dedupe) | | `game:{gameId}:live_status` | 1h | poller | frontend badges (future) | | `poller:{sport}:heartbeat` | 3min | poller | ops monitoring | | `vyndr:line_baseline:{...}` | 24h | lineMovementService | lineMovementService | | (cascadeService player-set key) | 24h | cascadeService | cascadeService | | (oddsService legacy game cache) | 5min | oddsService | routes/odds | | (schemeClassifier cache) | varies | schemeClassifier | schemeClassifier | --- ## 6. External API dependencies | Service | Adapter | Env vars | Rate budget | Used by | | -------------- | ------------------------------------ | ------------------------------------- | ----------------- | ------------------------ | | SharpAPI | `sharpApiAdapter.js` | `SHARPAPI_KEY`, `SHARPAPI_BASE_URL` | 10/min | orchestrator | | OddsPapi | `oddsPapiAdapter.js` | `ODDSPAPI_KEY`, `ODDSPAPI_BASE_URL` | 5/min | poller (tip-off CLV) | | ParlayAPI | `parlayApiAdapter.js` | `PARLAYAPI_KEY` | 5/min | pull script | | PropOdds | `propOddsAdapter.js` | `PROPODDS_KEY` | 3/min | trap consensus | | CFBD | `cfbdAdapter.js` | `CFBD_KEY` | 10/min | college features | | OpenRouter | `openRouterAdapter.js` | `OPENROUTER_API_KEY` + model env | 20/min, 1000/day | engine2 | | ESPN scoreboard| `poller`, `teamStatsCache`, `injuryParser` | none | 2/min (limiter) | poller, refresh job | | MLB Stats API | `poller` (gamePk feed) | none | 2/min | poller (mlb final) | | Pinnacle (legacy) | `PinnacleAdapter.js` | `PINNACLE_API_KEY`, `PINNACLE_API_BASE` | tunable | UnifiedOddsProvider | | DraftKings (legacy) | `DraftKingsAdapter.js` | none | tunable | UnifiedOddsProvider | | FanDuel/BetMGM/Caesars/PrizePicks/Covers/Rotowire (legacy) | each `*Adapter.js` | none | tunable | UnifiedOddsProvider | | Sports-Reference HTML | `scripts/scrape-sports-reference.js` | `REF_HTML_FILE`, `COACH_HTML_FILE` (optional) | 1 req / 5s | scraper | | Resend (email) | `web/src/services/email.ts` | `RESEND_API_KEY`, `RESEND_FROM_EMAIL` | n/a | transactional email | | NexaPay | `web/src/services/nexapay.ts` | `NEXAPAY_*` | n/a | checkout fallback | | PostHog | `web/src/lib/analytics.ts` | `NEXT_PUBLIC_POSTHOG_KEY/HOST` | n/a | browser analytics | --- ## 7. File dependency graph (entry points) ### Express entry: `src/server.js` ``` server.js └─ app.js ├─ routes/{odds,analyze,scan,movements,alerts,bets,stripe,stats, │ props,waitlist,pipeline,shareCard,push,grading,corrections,widget} └─ middleware/{auth, mission} routes/grading.js (POST /pipeline) └─ services/intelligence/gradingOrchestrator ├─ adapters/sharpApiAdapter ├─ services/intelligence/featureCache │ ├─ teamStatsCache · refSignals · coachSignals │ ├─ injuryParser · lineMovement · gameLogService │ └─ lineupSignals ├─ services/intelligence/trapDetection │ └─ lineMovement ├─ services/intelligence/consistencyScore ├─ services/intelligence/probabilityEstimator ├─ services/intelligence/engine1 └─ services/intelligence/engine2 └─ adapters/openRouterAdapter routes/grading.js (POST /resolve) └─ services/training/jsonlLogger └─ services/distribution/{webPush, telegram, discord} └─ services/intelligence/{clvTracker, accuracyTracker, weightAdjuster} routes/scan.js (POST /parlay — legacy path, still wired) └─ services/parlayScanService └─ services/propAnalyzer └─ services/grader ← legacy grading (see ARCH-1) └─ services/UnifiedOddsProvider └─ adapters/{ESPN,Pinnacle,DraftKings,FanDuel,BetMGM, Caesars,PrizePicks,Covers,Rotowire} └─ services/processing/{LineShoppingEngine, MiddlesDetector, EVCalculator} ``` ### Poller entry: `poller/poller.js` ``` poller.js ├─ src/config/sports ├─ src/utils/redis (cacheGet/cacheSet/lock) ├─ src/utils/rateLimiter (espnLimiter, mlbLimiter) └─ src/services/adapters/oddsPapiAdapter (tip-off CLV capture) ``` No circular imports detected. --- ## 8. Findings ### ARCH — Architecture - **[ARCH-1] Dual grading paths.** Severity: Medium. The legacy `parlayScanService → propAnalyzer → grader → UnifiedOddsProvider` chain still serves `/api/scan/parlay`, `/api/analyze/*`, and `/api/bets/*`. The new `gradingOrchestrator → engine1 → engine2` chain serves `/api/grading/pipeline`. Both write to `grade_history` with different column sets and factor models. **Scope to fix:** ~1 session — choose one as canonical, migrate the routes, retire the other adapter set. - **[ARCH-2] Two circuit-breaker / rate-limiter modules.** Severity: Low (documented in 6a). `src/services/{circuitBreaker.js, rateLimiter.js}` (keyed registry, legacy) coexist with `src/utils/rateLimiter.js` (factory, new). Consolidation is purely cosmetic — both work. Scope: half-session. ### SEC — Security - **[SEC-1] `/api/analyze/batch` has no auth or rate limit.** Severity: High. A malicious caller can blast through prop-analyzer credits. **Recommended fix:** require auth OR add an IP-keyed rate limiter (10 req/min). Scope: ~30 min. - **[SEC-2] `routes/shareCard.js` leaks `err.message` via `detail:`.** Severity: Medium. Lines 185 and 206 expose upstream error messages to public callers. **Recommended fix:** drop `detail` from public responses; log to stderr only. Scope: ~10 min. - **[SEC-3] Several `console.log` calls in production code.** Severity: Low. All have `[VYNDR]` / `[redis]` / `[poller-X]` prefixes and represent OPERATIONAL status (server starting, poller tick summary), not debug. Per project convention `console.log` is acceptable for operational events. Documenting so future audits don't re-flag. ### DEAD — Dead code - **[DEAD-1] No truly orphaned files.** Every adapter in `src/services/adapters/` has at least one consumer (legacy ones via `UnifiedOddsProvider`, new ones via orchestrator/poller). Removing any would break either `/api/scan` or `/api/grading/pipeline`. - **[DEAD-2] `grader.js` is LIVE.** Imported by `propAnalyzer.js` → `parlayScanService.js` → `routes/scan.js`. Kept until ARCH-1 is resolved. ### DUP — Duplicates - **[DUP-1] `normalizeName()` exists twice.** Severity: Low. - `src/services/intelligence/trapDetection.js` - `scripts/populate-player-ids.js` Implementations are near-identical (NFD strip, lowercase, suffix removal). **Recommended fix:** extract to `src/utils/normalize.js`; the script can `require('../src/utils/normalize')`. Skipped this session because the script is intentionally self-contained for remote execution. - **[DUP-2] `oddsToImplied` etc. only live in `src/utils/odds.js`.** Confirmed not duplicated despite the `oddsNormalizer.js` neighbor — the two files serve different purposes (math primitives vs book-level prop shape). ### LEGACY — Documentation / naming - **[LEG-1] BetonBLK references.** Severity: Informational. Confined to `BUILD-STATE.md` historical notes, the `FOUNDER_CODES` allowlist (intentional grandfathering — documented in stripeService comment), and tests that assert the grandfathered code still validates. No action. ### TODO - **[TODO-1] PrizePicks / DraftKings / Pinnacle adapter TODOs.** Severity: Low. Tracked in `specs/data-pipeline-books.md`. Each has a comment line referencing the spec. Keep until the corresponding feature ships. ### PERF — Performance - **[PERF-1] `/api/analyze/*` lacks Redis cache.** Severity: Medium. Each call re-runs `analyzeProp()` end-to-end. **Recommended fix:** cache the result by `(player, stat, line, direction, sport)` for 60s. Scope: ~30 min. - **[PERF-2] `routes/scan.js` resolves parlays one prop at a time.** Sequential `await analyzeProp()` inside a for-loop. For 6-leg parlays this is ~6x latency vs `Promise.allSettled`. **Recommended fix:** parallelize independent props. - **[PERF-3] Bundle analysis not run this session.** The `ANALYZE=true` flag would require `@next/bundle-analyzer` which is not installed. **Recommended fix:** install bundle-analyzer dev dep + run once + decide whether to ship a hidden audit/page route. ### Frontend ↔ Backend contract All frontend API paths discovered are either: - Direct Express paths confirmed in `src/app.js` (e.g. `/api/scan/parlay`, `/api/waitlist`), or - Next.js `app/api/*/route.ts` proxies that internally fetch `${BACKEND_URL}/...`. **No broken contracts found** — every fetched path maps to an existing handler. Spot-checked: `/api/players/search` (Next → Python), `/api/scan` (Next → Express), `/api/intelligence/feed` (Next direct DB). --- ## 9. How to update this manifest When you add a route, table, env var, or external API: 1. Add the row to the appropriate section above. 2. Re-run the discovery greps from this session's prompt to confirm nothing else changed implicitly. 3. If you remove a table or env var, mark it `[REMOVED Session NX]` instead of deleting the row outright — keeps audit trail. Last updated: Session 7c.