builtbykev/vyndr

Fork 0

Files

T

builtbykev 0e3839a90a Session 18: Admin dashboard + Tank01 prefetch endpoint (1443 tests)

2026-06-11 22:29:38 -04:00

90 KiB

Executable File

Raw Blame History

VYNDR — Build State

Last Updated

2026-06-11

Current Phase

SHIP BUILD v18.0 — Internal admin dashboard + Tank01 prefetch endpoint (Session 18)

Session 18 (2026-06-11) — SHIPPED

Built an operator-facing admin dashboard at /admin so Kev can pull the three numbers he needs every morning (total users, paying users, grades today) without dropping into psql. Added the missing HTTP surface for the Tank01 prefetch script so it can be triggered from the dashboard (or any internally-keyed caller) instead of only from a host shell.

Section 1 — Admin allowlist + UI guard

web/src/lib/isAdmin.ts exposes isAdmin(email) over a hard-coded allowlist (kevdevelops@gmail.com). Case-insensitive on input; trims whitespace. Trivial by design — the security boundary is the server check, not this helper.

web/src/app/admin/page.tsx is a client component that uses useAuth() and isAdmin() to redirect non-admins to /dashboard. This is UX-only — anyone with devtools can flip the boolean. The real check is on the API route.

Section 2 — Stats API with server-side admin check

web/src/app/api/admin/stats/route.ts (force-dynamic, no-store) validates the bearer token via getUserFromRequest, then asserts isAdmin(user.email) before any data leaves Supabase. Non-admin tokens get 403 (not 401 / redirect) so the route's existence doesn't leak. Service-role queries are wrapped in Promise.allSettled so one failed aggregate doesn't blank the dashboard — the notes[] field surfaces partial failures inline.

Aggregates returned: total users, tier breakdown (free|africa|analyst|desk), last-24h signups (max 20, emails masked as j***@gmail.com), all-time grade count, today's grade count, per-sport odds health (NBA/WNBA/MLB/soccer-wc), shared odds-api quota remaining.

Spec assumed table grading_log; actual table is grade_history. The route queries the real table.

Health probes share a 4-second AbortController budget so a stalled upstream can't block the page.

Section 3 — Dashboard UI

Key-metrics row → tier breakdown with proportional bars → recent signups table → system-health table. Mono numbers, VYNDR dark tokens (--bg-surface, --grade-a, --grade-d, --text-tertiary). Not linked from nav — operator bookmarks the URL.

Section 5 — Tank01 prefetch HTTP endpoint

src/routes/internal.js mounts at /api/internal/prefetch/tank01, gated by requireInternalAuth({loopbackOnly:false}). Accepts JSON {max?, sports?, dryRun?} and translates it into argv for the existing scripts/tank01-prefetch.js module's exported main().

Deviation from spec: spec suggested execSync('node scripts/...'). We import the module instead — testable in-process, no PATH dependency, no permission-shell stack. Module already supports the exact CLI flags so the body shape stays the same.

Wired through src/app.js (app.use('/api/internal', internalRoutes)). The shared VYNDR_INTERNAL_KEY is set in Coolify; the Next.js admin page never sees the key (UI button will proxy through a server route in a follow-up — out-of-scope for Session 18).

Tests

tests/integration/internalRoutes.test.js — 5 new tests:

rejects without x-internal-key
translates body into argv (sports list, max, dryRun)
forwards --dry-run correctly
accepts string-form sports (single sport)
returns 500 with the underlying error message on module rejection

All 5 tests pass. Existing 1438 tests untouched.

Battery

Express suite: 112 passed / 1443 tests (5 new, baseline was 1438)
Web build: clean — /admin and /api/admin/stats registered as dynamic routes
TypeScript: clean (initial build flagged a NextResponse-vs-Response mismatch on jsonError returns; relaxed the route's return type to the shared supertype)

What Kev sees now (next session, in a browser)

Visit /admin while signed in as kevdevelops@gmail.com:

Three big numbers across the top: Total Users / Paying Users / Free Users / Grades Today
Tier-distribution bars
Last-24h signups (masked emails, relative timestamps)
Per-sport health (NBA · ✅ Live · 234 props / WNBA · ⚪ No props / etc.)
Odds-api quota remaining

Anyone else visiting /admin → soft-redirect to /dashboard. Anyone calling /api/admin/stats without an admin token → 403.

Files changed (Session 18)

Created:

web/src/lib/isAdmin.ts
web/src/app/admin/page.tsx
web/src/app/api/admin/stats/route.ts
src/routes/internal.js
tests/integration/internalRoutes.test.js

Modified:

src/app.js — mount /api/internal router

Pending (out-of-scope for Session 18)

Wire a "Prefetch Tank01 now" button on the admin page that POSTs through a Next.js server route (so VYNDR_INTERNAL_KEY stays out of the browser).
Add a real "monthly revenue" tile (requires Stripe-side aggregation; spec said three numbers — we shipped two and added Grades Today as the third operational signal).

Session 17 (2026-06-12) — SHIPPED

A platform audit from a signed-in / signed-out walkthrough flagged 12 issues. This session traced each to root cause and shipped fixes. Stripe is live with real products + webhooks; the symptoms audited were code-side, not Stripe-side.

FIX 1 — Checkout 401 "User profile not found" [CRITICAL]

src/middleware/auth.js 401'd authenticated users whose auth.users row had no matching public.users profile. Signup writes to auth.users automatically; the application-side row never landed for SSO callbacks and legacy accounts that pre-dated the trigger.

Fix: when .single() returns PostgREST's PGRST116 ("no rows"), the middleware now upserts a default {id, email, tier:'free'} row and re-reads. Idempotent under concurrent requests. Distinct 401 message (User profile creation failed) when the upsert itself fails — lets the operator separate missing-row recovery from real DB outages in logs. 9 tests cover happy path, missing row → upsert, message-only PGRST116 detection, upsert error, post-upsert empty re-read, and non-PGRST116 errors NOT triggering an upsert.

FIX 2 — Hero prop 404 [CRITICAL]

web/src/app/api/hero-prop/route.ts shipped Session 16 with BOTH dynamic = 'force-dynamic' AND revalidate = 900. Next.js App Router silently 404s on this conflict. Removed revalidate. The 15-minute cache still works via the existing Cache-Control: s-maxage=900 response header.

FIX 3 — WNBA games not surfacing [HIGH]

Slate.tsx's groupByGame skipped every prop because Number.isFinite(r.line) failed on the actual Express response shape. Express's groupProps returns props with lines: [{ book, line, over_odds, under_odds }], but the Slate expected a flat line: number. Every WNBA / NBA / MLB prop was filtered out.

Fix: added a pickLine() unwrapper that prefers the flat r.line when present (legacy callers + test fixtures) and otherwise picks the first numeric line out of r.lines[]. The Slate now correctly surfaces game cards for any sport with a populated lines array.

FIX 4 — ALL tab error cascade [HIGH]

Slate.tsx's cascade surfaced a top-level error whenever ANY single sport rejected — even when the other sports succeeded with empty data. Reworked to track per-sport failures separately and only show the top-level banner when EVERY attempted sport rejected. Failed- but-attempted sports get appended to the existing footer "endpoint not configured" line.

Root cause was visual overlap, not the component's logic: BottomTabBar and CookieConsent both position: fixed; bottom: 0, and BottomTabBar's 64px height visually obscured the banner. Resolved transitively by FIX 7 — anonymous visitors no longer see BottomTabBar, so the cookie banner has the bottom of the viewport to itself on first visit.

FIX 6 — Scan autocomplete silent failure [MEDIUM]

The dropdown logic was correct — the silent failure happened when /api/players/search returned { players: [] } (NBA service down, or no spelling match). Added a visible "no players matched" state when the search has run but returned empty, so users get feedback.

FIX 7 — Mobile bottom nav auth gate [MEDIUM]

BottomTabBar.tsx rendered for all users on all eligible routes. Anonymous visitors on /pricing saw Home/Read/Parlay/Ledger/Profile — all auth-gated destinations that would 401 on click. Gated behind useAuth() with a loading || !user early-return. Also fixed FIX 5 transitively.

FIX 8 — Footer support email + stale copy [LOW]

Added Support link (mailto:support@vyndr.app) to the Legal column. Removed (test mode while we onboard founders) from Pricing.tsx — Stripe is live. Replaced with "First 100 users lock $14.99/mo Analyst for life."

FIX 9 — Sentry zero events [MEDIUM]

Code wiring is correct in both backend (initSentry() + setupExpress ErrorHandler mounted) and frontend (SentryInit reads NEXT_PUBLIC_SENTRY_DSN). Audit found zero events because the DSN env vars aren't set in Coolify. Code-level no-op; documented as a Coolify env action.

FIX 10 — Read counter visibility [LOW]

Quota pill appeared in the global Nav across every page. Restricted to /scan and /dashboard (the surfaces where it acts as quota context next to the scan action) via a pathname check in Nav.tsx.

FIX 11 — Profile page [NO-OP]

Audit reported "no profile page exists." Verified: it does, at web/src/app/profile/page.tsx (196 lines, includes email, tier, subscription_status, subscription_end, founder_pricing, cancel_at_period_end). Audit looked at a stale build.

FIX 12 — Tonight's slate landing preview [MEDIUM]

web/src/components/TonightsSlate.tsx (new) — game-count strip mounted between Hero and LivePropsStrip. Fetches the three sport-odds proxies in parallel, dedupes games by (away, home, time), renders "X NBA · Y WNBA · Z MLB games being graded right now." with a signup CTA. Hides itself when every sport returns zero.

Tests added (Session 17)

Suite	Tests
`tests/unit/requireAuth.test.js`	9
Session 17 total	9

Quality gates

npm test: 1438 / 1438 passing (1429 + 9 new), 111 suites, 0 regressions
web/npm run build: clean — /api/hero-prop now compiles to ƒ (was silently 404'd in production by the conflicting directives)
License audit: third-party deps remain permissive

Honest verification status

Build + tests verified. I CANNOT verify the following on the live site from here — they need a deploy + re-audit smoke test:

Checkout 401 ↔ actual Supabase row creation under load
Hero prop endpoint returning JSON in production
WNBA Slate tab actually showing games
Cookie banner visible on first incognito load
Mobile bottom nav truly absent for signed-out visitors

Coolify follow-ups (operator action)

Set SENTRY_DSN and NEXT_PUBLIC_SENTRY_DSN env vars to enable server-side and browser-side error capture. Currently unset → Sentry dashboard sees zero events even when 503/401 errors occur.
The Session 16 sport-scoped markets fix is in code; the NODE_OPTIONS=--require /app/data/patch.js workaround can be dropped from the web service env after this deploy.

Session 16 (2026-06-11) — SHIPPED

Phase 1 — Sport-specific market map

src/services/oddsService.js now scopes the markets-list parameter to the requested sport. Previously every odds-api request sent ALL_MARKETS (the union of every sport's markets), which the upstream 422'd on because soccer markets (player_goals, player_shots_on_target, etc.) aren't valid for basketball endpoints. Production briefly worked around this with a runtime axios interceptor injected via NODE_OPTIONS=--require /app/data/patch.js.

This session retires that hack at the code layer:

New SPORT_MARKETS map alongside SPORT_KEYS — separate lists per sport, all frozen with Object.freeze. NBA + NCAAB share basketball markets; WNBA is basketball minus PRA (odds-api doesn't carry that for WNBA); MLB sends batter + pitcher markets; every soccer league shares the soccer set.
fetchEventOddsFromApi(sportKey, eventId, apiKey, sport) — third arg added; reads getMarketsForSport(sport) instead of the union. Backwards-compatible: omitted sport falls back to NBA (safe default).
fetchAllOdds(sport, apiKey) — already had the local sport key; now passes it through.

Coolify follow-up: after this deploy, the operator can drop NODE_OPTIONS=--require /app/data/patch.js from the web service env and delete /app/data/patch.js. The runtime patch is now dead code.

Phase 2 — Live hero prop

web/src/app/api/hero-prop/route.ts (new) — picks one fresh real prop from today's NBA → WNBA → MLB cascade and grades it. Two-stage flow: GET /api/odds/{sport} → POST /api/analyze/prop. Both calls share a 6s AbortController timeout. Server-side cached for 15 minutes via Cache-Control: s-maxage=900. Falls back to a static Jokic example (isStatic: true) when every sport is empty so the landing page never blanks out.

web/src/components/LiveHeroProp.tsx (new) — replaces the hard-coded FloatingDemoCard inside Hero.tsx. Renders the live prop with:

"LIVE" badge with a pulsing green dot
Sport-colored category tag (NBA red, WNBA orange, MLB blue, soccer green)
Player name + line + projection + edge visible (hook)
Grade letter + confidence visible via GradePill (proof)
Reasoning section blurred with backdrop blur(4px), a scan-line gradient (repeating-linear-gradient), a bottom-fade mask, and a "CLASSIFIED · Sign up to unlock" label (paywall)
Single CTA: "Sign up to read the full analysis →"

While loading OR when the API returns isStatic: true, renders the original Jokic mockup byte-for-byte. No flash-of-blank-card.

Hero.tsx — old FloatingDemoCard, Stat, and row constant deleted. GradePill import moved into LiveHeroProp.

Phase 3 — Soccer weather

soccerFeatureExtractor.js now calls weatherService.getWeather() for outdoor WC venues after resolving the venue. Dome venues skip the fetch. Unknown venues skip silently. New feature fields: weather_temp_f, weather_wind_mph, weather_wind_dir, weather_precip_mm. All null when skipped/failed.

Phase 4/5 — OG tags + CSP (mostly already done)

OG meta + Twitter card + og-image.png were all wired in Session 9. Existing CSP in next.config.ts was comprehensive. Session 16 added:

https://browser.sentry-cdn.com to script-src (Sentry SDK)
https://*.sentry.io and https://*.ingest.sentry.io to connect-src (event ingestion). Without these the browser Sentry client silently dropped events.

Tests added (Session 16)

Suite	Tests
`tests/unit/sportMarkets.test.js`	16
`tests/unit/soccerWeather.test.js`	7
Session 16 total	23

Quality gates

npm test: 1429 / 1429 passing (1405 + 24), 110 suites, 0 regressions
web/npm run build: clean
License audit: third-party deps remain permissive

Honest gaps

LiveHeroProp's glitch effect (scan lines + blur + fade) renders only in a browser. Build verified. Deploy smoke-test recommended.
Hero endpoint depends on /api/odds/{sport} returning populated props. If upstream odds-api is rate-limited or proxies aren't reaching Express, the static fallback fires — cold visitors see the Jokic mockup, not live data.
Sentry CSP entries added but require redeploy to take effect. Until then, the browser SDK silently drops events.

Coolify follow-ups

Drop the patch.js workaround: remove NODE_OPTIONS=--require /app/data/patch.js from the web service env. Code-layer fix in Session 16 makes the runtime patch obsolete.

Session 15 (2026-06-11) — SHIPPED

Phase 0 — Correctness

Africa short-circuit removed (Pricing.tsx:152). The Session 14 backend handles 'africa' end-to-end: validation accepts it; missing STRIPE_PRICE_AFRICA returns a 503 with code:'tier_unconfigured' the existing inline error surface displays. The frontend short- circuit was blocking checkout even after the backend was ready.
Odds + Sentry + welcome email audits: all already correct from prior sessions. Documented for posterity; no fixes required.
Poller → odds pipeline: confirmed there's NO key-mismatch pipeline issue. Pollers handle game resolution (game:{id}:status, poller:{SPORT}:heartbeat); oddsService populates odds:{sport}:{date} on-demand. The "1 games shown but Slate empty" report would be a separate odds-api quota / key issue.
Founder price fallback hardened. PRICE_MAP no longer falls back to fake strings like 'price_analyst_monthly' that would 400 from Stripe in live mode. Missing env → PRICE_UNCONFIGURED sentinel → 503 with code:'tier_unconfigured'. Founder codes presented against an unwired founder-price env now fall back GRACEFULLY to the standard tier price rather than dropping the checkout — the founder discount is operator-controlled and shouldn't break the user's purchase.

Phase 1 — Signal audit

Documented in a new comment block at the top of src/services/intelligence/computeFeatures.js. Every signal cited to its data source: injury (ESPN injury feed), coach (Supabase coach_profiles + JSON seed), consistency (game logs via gameLogService), Tank01 fields (Session 14 + 15 prefetch), soccer cascade (Session 9), park factors (Session 15 — static), weather (Session 15 — Open-Meteo), pace factors (Session 15 — static). No phantom signals.

Phase 2 — MLB park factors

src/data/parkFactors.js — all 30 MLB parks indexed to 100 league average. FanGraphs 2024-25 three-year weighted data. Coors at hr=128, SF Oracle at hr=85 (the two extremes by design). getParkFactor() returns null on unknown teams so the feature extractor drops the signal cleanly rather than falsely reporting "neutral".

Wired into computeFeatures.js MLB branch — features pick up park_hr, park_h, park_r, park_home when the home team resolves.

Phase 3 — Weather (Open-Meteo)

src/services/weatherService.js — Open-Meteo proxy (no API key required). 5-second hard timeout, 1-hour Redis cache, silent degrade on failure (never blocks the grade). Fahrenheit + mph units to match the bettors' mental model.

src/data/venueCoordinates.js — lat/lon + dome flag for all 30 MLB venues and all 16 World Cup 2026 venues. Retractable stadiums are marked dome:true because operators close the roof when conditions warrant — weather doesn't drive grade in that case.

Wired into computeFeatures.js MLB branch — fetches weather when the home venue is outdoor + has finite coordinates.

Phase 4 — Tank01 daily prefetch

scripts/tank01-prefetch.js — orchestrator that pulls the Redis cache keys Session 14's tank01Augment.js reads. Default budget ≤80 requests/run, configurable via --max=N. NBA path pulls schedule + final-game box scores + daily odds. MLB path pulls scoreboard + final-game box scores (BvP pull awaits batter/pitcher ID resolution on the scoreboard payload).

Recommended trigger: extend the n8n "Morning Ops" workflow to exec the script daily at 7am UTC.

Phase 5 — MLB matchup context

src/services/intelligence/mlbContext.js — pure functions for platoonAdvantage(pitcherHand, batterHand) and projectedPA(lineupPosition). Tested with all hand combinations + all lineup slots. Wiring into computeFeatures is deferred until odds-api carries those fields (it doesn't today).

Phase 6 — NBA pace factors

src/data/paceFactors.js — all 30 NBA teams (NBA.com/stats 2024-25, indexed to 100). Legacy-abbreviation aliases (NJN→BKN, NOH→NOP, SEA→OKC, CHO→CHA) so historical lookups resolve. Wired into the NBA branch of computeFeatures.js — pace_factor (player's team) + opp_pace_factor (opponent).

Tests added (Session 15)

Suite	Tests
`tests/unit/parkFactors.test.js`	14
`tests/unit/weatherService.test.js`	14
`tests/unit/tank01Prefetch.test.js`	14
`tests/unit/mlbContext.test.js`	21
`tests/unit/paceFactors.test.js`	12
Session 15 total	75

Quality gates

npm test: 1405 / 1405 passing (1330 + 75 new), 108 suites, 0 regressions. One pre-existing computeFeatures test was updated: the contract used to be "ESPN failure → empty features"; the contract is now "ESPN failure → static context augmentation (pace, park) still surfaces."
web/npm run build: clean
License audit: third-party deps remain permissive

Honest gaps

Tank01 prefetch must be triggered by n8n/cron before the augmentor reads return data. Grades work as before until then.
BvP pull is no-op until probable-pitcher IDs land on the Tank01 MLB scoreboard projection.
Phase 5 helpers tested but not wired — odds-api doesn't carry batter handedness or lineup position fields today.
Weather for soccer venues: only MLB is wired this session. Soccer venue weather is a 5-line follow-up in the soccer extractor.

Coolify env (Session 15 additions)

None new from this session.

Session 14 (2026-06-11) — SHIPPED

Phase 1 — Africa tier checkout

src/services/stripeService.js — PRICE_MAP.africa added (reads STRIPE_PRICE_AFRICA, null when unset). getPriceId('africa') returns the new PRICE_UNCONFIGURED sentinel when the env var isn't set. createCheckoutSession translates the sentinel to a 503 with code: 'tier_unconfigured' so the frontend can render a helpful message instead of a generic failure.
src/routes/stripe.js — validation whitelist extended: ['africa', 'analyst', 'desk']. The catch block recognizes err.code === 'tier_unconfigured' and surfaces it cleanly.
Tests: +6 (3 integration around /api/stripe/checkout for the africa tier, 3 unit around getPriceId('africa') and the exported sentinel).
DB CHECK constraint blocker from Session 12 still applies — Stripe webhook writes of tier='africa' to users.tier / user_profiles.tier will 23514 until the manual SQL drops + re- adds the constraint with 'africa' included. Validation-layer fix is in place; the migration is the next step.

Phase 2 + 3 — Tank01 NBA + MLB wired into computeFeatures

Architectural choice: cache-read path only on the user request path. The Tank01 adapters (Session 9) already wrap their primitives behind Redis with TTL'd tank01:* keys. The new src/services/intelligence/tank01Augment.js reads those keys directly without ever calling RapidAPI — that keeps the user request path off the 1000/mo free-tier budget. A daily prefetch (future session) will populate the keys; until then the augmentor returns empty objects and the existing ESPN-derived features stand alone.

augmentNbaFeatures({gameId, playerName, ymd}) reads tank01:nba:boxscore:{gameId} and tank01:nba:odds:{ymd}, surfaces t01_pts/reb/ast/threes/blk/stl/tov/minutes/_final for the named player when present, plus a t01_market_present marker when daily odds are cached.
augmentMlbFeatures({gameId, batterName, batterId, pitcherId, pitcherName, ymd}) reads tank01:mlb:bvp:{batterId}:{pitcherId} and surfaces BvP signals (t01_bvp_pa/ab/h/hr/so + derived t01_bvp_so_rate). Best-effort fallbacks: name-only markers when IDs are absent (future ID resolution), daily-scoreboard presence marker when pitcher is unknown.
computeFeatures.js calls both augmentors after safeGetFeatures and merges the result with Object.assign. Wrapped in try/catch so a Redis hiccup never poisons a grade.
Tests: 13 new in tests/unit/tank01Augment.test.js. Existing computeFeatures + soccerBranch suites still green (no regressions).

Phase 4 — WNBA + MLB odds proxies

oddsService.SPORT_KEYS — added wnba: 'basketball_wnba' and mlb: 'baseball_mlb'. Off-season odds-api responses return empty arrays which the Slate handles cleanly.
src/routes/odds.js — new buildSportRoute() factory drives /api/odds/wnba and /api/odds/mlb (clones of the existing /api/odds/nba handler).
Next.js proxies: web/src/app/api/odds/{nba,wnba,mlb}/route.ts (the NBA one was also missing — Slate had been pointing at a non-existent route).
Slate.tsx FETCH_URLS — WNBA + MLB no longer flagged as unsupported. ALL tab fans out to all four sports via Promise.allSettled.

Phase 5 — UX polish

web/src/components/OAuthIcons.tsx — inline SVGs for Google G, Apple silhouette, X glyph. ~1 KB each, no icon library import.
Login + signup pages wire icons into the OAuth buttons with a shared layout helper.
Slate loading state — bare "Loading the slate…" text replaced with three shimmer-skeleton placeholder cards approximating GameCard dimensions. @keyframes vyndr-shimmer added to globals.css so other loading surfaces can reuse the animation.
Empty state messaging — the Slate's empty-result case already shows a "Scan it manually →" CTA from Session 13; Session 14 preserves that path.
Mobile nav — added a subtle "Scan manually →" tertiary link in the mobile hamburger panel. The desktop nav stays clean (the Slate IS the scan surface there).

Tests added (Session 14)

Suite	Tests
`tests/unit/tank01Augment.test.js`	13
`tests/integration/stripe.test.js` extended (Africa checkout)	+3
`tests/unit/stripeService.test.js` extended (Africa getPriceId)	+3
Session 14 total	19

Quality gates

npm test: 1330 / 1330 passing (1311 + 19), 103 suites, 0 regressions
web/npm run build: clean — all four odds proxies prerender
License audit: third-party deps remain permissive

Honest gaps

Tank01 cache keys are not yet populated by any prefetch — the augmentor wiring is in place but reads will miss until a daily prefetch script lands. The augmentor returns {} on miss, so grades work exactly as before until the keys populate.
Africa-tier writes to users.tier will still 23514 (CHECK violation) post-checkout. The DB constraint migration remains a manual SQL step from Session 12.
STRIPE_PRICE_AFRICA env var is not set in Coolify yet. Until it is, /api/stripe/checkout returns 503 with code: 'tier_unconfigured' for tier:'africa'.
WNBA odds: odds-api may not always carry props during off-season. Slate degrades cleanly (empty props array + empty state UX).
OAuth: Google works (if Supabase Site URL + Redirect URLs are configured). Apple + X buttons render with their icons but the redirect won't succeed until provider configuration lands in the Supabase dashboard (Apple Developer Service ID + key; X OAuth 2.0 client).

Coolify env (Session 14 additions)

# New, required to unblock Africa checkout end-to-end:
STRIPE_PRICE_AFRICA=price_...   # After creating the product in Stripe dashboard

Session 13 (2026-06-11) — SHIPPED

Phase 1 — Africa geo-restriction via CF-IPCountry

The Session 12 Africa tier was visible to anyone on a Swahili locale (too narrow: most African users browse in English/French; too broad: Swahili speakers anywhere got the discount). Session 13 swaps the locale proxy for real Cloudflare IP geolocation.

web/middleware.ts — reads cf-ipcountry (uppercase), stamps x-vyndr-country on the request alongside the locale header. Empty string when traffic bypasses Cloudflare (local dev).
web/src/lib/locales.ts — AFRICAN_COUNTRIES set covering all 54 sovereign African nations (NG/KE/ZA/GH + sub-Saharan + MENA overlap). isAfricanCountry(code) is case-insensitive and degrades closed on empty/null inputs.
LocaleContext — extended with country/inAfrica fields; new useRegion() hook for components that gate by geography.
Pricing.tsx — inAfrica === false filters the Africa tier out of the render entirely. inAfrica === true puts it first. Locale-based reorder removed.
Pricing grid CSS — desktop column count now tracks the visible tier count via a --pricing-cols CSS custom property on the grid root (3 outside Africa, 4 inside). Sidesteps a styled-jsx limitation with attribute selectors inside :global().

Phase 2 — OAuth: Google + Apple + X

AuthContext — added generic signInWithProvider(provider) alongside the legacy signInWithGoogle() (kept as an alias so existing callers don't break). Translates Supabase OAuth errors into a flat { error: string } so the UI can surface a friendly inline message when a provider isn't configured.
login/page.tsx + signup/page.tsx — both pages now render three OAuth buttons (Google, Apple, X). The handleOAuth helper routes to signInWithProvider and shows an inline error when the provider isn't configured ("apple login isn't available yet. Use email or another method.").
External configuration required (operator action, not code):
- Supabase Auth → Providers → Apple: needs an Apple Developer Service ID + private key
- Supabase Auth → Providers → Twitter: needs an X Developer OAuth 2.0 client
- Google should already work — if it doesn't, verify Supabase Auth → URL Configuration → Site URL = https://vyndr.app and Redirect URLs include https://vyndr.app/**, and that the Google Cloud Console OAuth consent screen has the Supabase callback URL in Authorized redirect URIs.

Phase 3 — The Slate (browse-first dashboard)

Generalizes the Session 8 /soccer page pattern across every sport.

web/src/components/PropRow.tsx — single-prop UI with three states (ungraded/grading/graded). Pure presentational — parent owns the API call so there's one shared rate-limited grading queue. Free-tier expansion shows blurred reasoning + Unlock CTA; paid tier shows full reasoning + kill conditions. Exports propRowKey() for stable Map keys.
web/src/components/GameCard.tsx — game header + expandable prop list. Sport emoji prefix (🏀 NBA/WNBA, ⚾ MLB, ⚽ soccer), sport-accented left border, formatted local game time, + N more expander when props > defaultVisible.
web/src/components/Slate.tsx — the orchestrator. Sport tabs (ALL / NBA / WNBA / MLB / Soccer), sticky search input, group-by-game pipeline, gradedProps Map, single-flight grading queue (gradingKey). Promise.allSettled fan-out for the ALL tab so a single sport failing doesn't blank the slate. FETCH_URLS is null-aware — sports without an odds proxy yet (WNBA, MLB) render a bottom-of-page "endpoint not configured yet" note rather than spamming 404s.
Search filter + manual-scan fallback — sticky search filters game cards by team name and prop rows by player/stat. Empty result shows a CTA linking to /scan?q=<query> so users land on a partially-filled scan form.
/dashboard — <Slate /> mounted as the lead surface above the existing Top Graded / Most Parlayed / Recent Reads sections. Those sections stay as supplementary intelligence layers — not removed.
Nav.tsx — "Scan" link removed from primary nav. The Slate is the scan surface; /scan stays reachable from the slate's empty-state CTA.

Tests added

Suite	Tests
`tests/unit/africaCountries.test.js`	6
Session 13 total	6

Quality gates

npm test: 1311 / 1311 passing (1305 + 6 new), 102 suites, 0 regressions
web/npm run build: clean — Slate page + components prerender
License audit: third-party deps remain permissive

Honest gaps (documented, not bugs)

I could not visually verify The Slate in a browser. Build/type correctness is confirmed; "renders correctly with live odds data" needs a deploy smoke test.
Google/Apple/X OAuth: button wiring is complete. Whether the buttons actually authenticate depends on external dashboard configuration (Supabase + Google Cloud Console + Apple Developer + X Developer Portal). Apple and X are guaranteed to show the "isn't available yet" inline error until configured.
WNBA + MLB don't have /api/odds/* proxies on the Next.js side yet. The Slate degrades cleanly (footer note), but those tabs return empty until the proxies exist. Session-14 work.
Africa tier still can't be SOLD even when geo gates open it — the Stripe price + the DB CHECK migration remain outstanding from Session 12.

Coolify env (Session 13 additions)

None. CF-IPCountry is set by Cloudflare automatically; no env-var change required.

Session 12 (2026-06-11) — SHIPPED

Honest scope decision: skipped the full [locale]/ URL-prefix refactor (would have touched all 24+ pages). Went cookie-based + header-stamping middleware instead — same UX, much smaller blast radius. URL-prefix routing can layer on later without breaking anything.

web/src/lib/locales.ts — locale registry. 10 locales: en (source), es, fr, pt, ar (RTL), sw, hi, ja, ko, zh. LOCALE_META carries native names + dir + region. AFRICA_LOCALES = {sw} used by the pricing reorder logic.
web/src/middleware.ts — locale resolver. Priority: URL prefix → NEXT_LOCALE cookie → Accept-Language parsing → default 'en'. Stamps x-vyndr-locale on the request so server components can read it via next/headers.
web/src/locales/{en,es,fr,pt,ar,sw,hi,ja,ko,zh}.json — 10 translation dictionaries, each ~17 keys covering nav, slate, grade, pricing, sports, auth, common, cookie. Every file declares its _meta.review_status: en is source, the other 9 are translated_unreviewed. Sports terminology is locale-correct (Fútbol/Football/サッカー/كرة القدم/Soka, etc.).
web/src/lib/i18n.ts — synchronous server-side loader (getTranslations(locale) → {t, locale, dir}) plus getServerTranslations() which reads the middleware-stamped header. English fallback per key, falls to the key string itself when missing on both. {name} interpolation supported.
web/src/contexts/LocaleContext.tsx — client provider + useT() / useLocale() hooks. Mounted in the root layout above every other provider.
RTL — <html dir="rtl"> set in root layout when locale is Arabic. globals.css flips nav direction and isolates monospace blocks (numbers stay LTR — financial data convention).
LocaleSwitcher.tsx — compact mono dropdown with native language names. Sets the cookie, reloads the page. Mounted in Nav for both authenticated and anonymous states.
Wired into: Nav (5 links + login button), CookieConsent (message + accept + privacy link), Pricing (CTAs translate per tier). High-impact components first; longer-tail strings remain English with t('key') calls scheduled for a follow-up.

FIX 2 — Africa tier ($4.99/mo)

src/config/tiers.js — adds the africa tier between free and analyst: 10 scans/day, reasoning_visible:true, kill_conditions_detail:true, alerts:false, api_access:false. Frozen.
Scan-limit middleware — no change needed. scanLimit() reads via getScanLimit(), which now resolves 'africa' to 10.
web/src/components/Pricing.tsx — adds the VYNDR Africa card. The pricing-grid CSS unfolds from 2-up (tablet) to 4-up (≥1100px desktop). When the user's locale is Swahili (a proxy for African markets — IP-based geolocation deferred to a future session), the Africa tier renders FIRST.
Honest UX gap: Africa-tier checkout short-circuits to an inline "coming soon" message instead of triggering Stripe. Two reasons: (a) the backend /api/stripe/checkout route validates tier against ['analyst','desk'] and the spec forbids backend edits this session; (b) STRIPE_PRICE_AFRICA is unset and the Stripe product hasn't been created in the dashboard yet.
DB CHECK constraint blocker: migrations 001 + 011 declare tier IN ('free','analyst','desk'). The webhook will 23514 (check_violation) if it tries to write africa until the constraint is extended. Documented in tiers.js header + in SYSTEM-MANIFEST. Out of scope this session per the no-migration rule.
.env.example — STRIPE_PRICE_AFRICA=price_... placeholder with explanatory comment.

Tests added (Session 12)

Suite	Tests
`tests/unit/i18n.test.js`	14
`tests/unit/tiers.test.js` (extended)	+5
Total new	19

Quality gates

npm test: 1305 / 1305 passing (1286 + 19), 101 suites, 0 regressions
web/npm run build: clean. NOTE — every page is now ƒ Dynamic rather than ○ Static because the root layout reads request headers (next/headers) for locale resolution. This is the expected cost of SSR i18n. If FCP regresses, the fallback is client-side cookie reads (brief English flash on first paint, but static prerender returns).
License audit: third-party deps remain permissive (no new licenses introduced — translation files are JSON in our own repo).

Open items / follow-ups

DB CHECK constraint must be updated before the Africa tier can actually be assigned to users. Manual SQL:

ALTER TABLE users DROP CONSTRAINT users_tier_check;
ALTER TABLE users ADD CONSTRAINT users_tier_check
  CHECK (tier IN ('free','africa','analyst','desk'));
-- same for user_profiles

Stripe product for VYNDR Africa not created. Manual step: create the product + price in the Stripe dashboard, set STRIPE_PRICE_AFRICA in Coolify, then extend the backend checkout route's validation list.
Translation review — only en is source quality. The other 9 locales are translated_unreviewed. Native-speaker review recommended for Arabic, Chinese, Korean, Japanese, Hindi before public launch.
Browser geolocation — Africa tier currently sorts first only for Swahili-locale users. IP-based detection (NG/KE/ZA/GH/etc.) would catch English-speaking African users; deferred to a session with proper geo middleware (Cloudflare headers, etc.).
Per-page meta translations — page <title> and OG tags are still English. Adding per-locale metadata requires the [locale]/ segment refactor, deferred.

Coolify env (Session 12 additions)

# Already required:
NEXT_LOCALE         # No env — set as a per-user cookie by the switcher.

# New, optional:
STRIPE_PRICE_AFRICA=price_...   # Once you create the Stripe product

Session 10 (2026-06-10) — SHIPPED

FIX 1 — Internal auth refactor + /pipeline off-host support

Pre-audit revealed the spec's premise was wrong: /api/grading/pipeline and /api/grading/resolve ALREADY EXISTED with requireInternal middleware inline in each route file. The actual n8n bug was a header- name mismatch (n8n sends x-internal-key, code read X-VYNDR-Internal-Key) PLUS a hard loopback-IP check that blocks any caller from a separate container.

src/middleware/internalAuth.js (new) — centralized middleware. Accepts BOTH x-internal-key (Session 10 short form, n8n) AND X-VYNDR-Internal-Key (legacy, poller + existing tests). Timing-safe string compare. loopbackOnly is now an OPT-IN flag (default off).
src/routes/grading.js — replaced inline requireInternal with the centralized middleware. /resolve uses {loopbackOnly: true} (poller from localhost). /pipeline uses the off-host variant (n8n from a separate container). __helpers.requireInternal kept exported for the existing test suite — backwards compatible.
src/routes/corrections.js — same refactor; /correct stays loopback-only (morning sweep is co-located).
/api/grading/pipeline body shape — empty body now iterates nba/wnba/mlb (n8n's "Morning Ops" workflow case). Single-sport body still works and returns the legacy summary object so existing per-sport tests continue to pass.

FIX 2 — Soccer prefetch cascade keys

Session 9's adapters write to apifootball:* and footapi:* cache keys; the daily prefetch was still only writing soccer:* (the tertiary fallback). The cascade in soccerFeatureExtractor never hit PRIMARY because nothing populated those keys.

scripts/soccer-data-prefetch.js — new enrichFromApiFootball() walks finished WC fixtures via apiFootballAdapter.getFixtures + getFixturePlayerStats, aggregates per-player season stats across matches (minutes, goals, assists, shots, tackles, cards, rating), collapses to per-90 rates, and writes apifootball:player_by_name:{normalizedName} (24h TTL). Hard-capped at --max-players=80 per run.
CLI flags added — --source=api-football|footapi|football-data|all (default all), --max-players=N, --season=N. Existing --leagues and --dry-run flags unchanged.
enrichRefereesFromFootApi() — best-effort referee enrichment. Writes footapi:referee_by_name:{name} (7d TTL).
Behavior preserved — legacy soccer:player:* writes still happen when football-data source is selected (and it's the default in all mode). The cascade resolves at PRIMARY when api-football data is available, TERTIARY otherwise.
Boot guard relaxed — previously bailed when FOOTBALL_DATA_API_KEY was unset; now bails only when EVERY source is unavailable. The script can run on api-football alone.

FIX 3 — Sentry error tracking

src/utils/sentry.js (new) — graceful no-op when SENTRY_DSN is unset (every Sentry surface becomes a noop). Initialized at the top of src/app.js BEFORE express is required.
Sentry.setupExpressErrorHandler(app) mounted AFTER all routes in app.js — catches uncaught route errors automatically.
PII scrubbing — beforeSend strips user.ip_address, user.email, request.cookies, request.headers.authorization, request.headers.cookie, and BOTH internal-key headers. Bearer tokens never reach Sentry.
Sampling — 10% traces, 100% errors. Free-tier friendly.
Frontend — manual init via web/src/components/SentryInit.tsx (client component, mounted in root layout). Lazy import('@sentry/nextjs') fires on mount only if NEXT_PUBLIC_SENTRY_DSN is set. Avoids the withSentryConfig plugin which conflicts with standalone output mode (per Session 10 spec note).

The sendWelcomeEmail function in web/src/services/email.ts already existed; nobody called it.

Copy updated — 5/month → 3/day, NexaPay → Stripe founder pricing ($14.99/mo locked for life), added the soccer/World Cup mention per Session 10 spec. Both HTML and plain-text variants.
web/src/app/api/welcome-email/route.ts (new) — POST endpoint, bearer-auth required. Reads Supabase user_metadata via the service-role admin client, checks welcome_email_sent, sends if absent, sets the flag. Idempotent — re-trigger is a cheap noop. No migration needed — user_metadata is the Supabase auth user's existing JSONB scratchpad.
Trigger — web/src/app/welcome/page.tsx fires the POST once on mount via useRef guard. Server-side idempotency keeps it safe across refreshes too.
Graceful failure — if RESEND_API_KEY is unset, send returns { ok: false } but the flag is still set (manual operator override if a batch needs re-sending).

Tests added

Suite	Tests
`tests/unit/internalAuth.test.js`	15
`tests/unit/soccerDataPrefetchCascade.test.js`	20
`tests/unit/sentry.test.js`	10
Existing suites (pipeline, resolution, prefetch) re-verified	0 new
Session 10 total	45+

Quality gates

npm test: 1286 / 1286 passing (1240 + 46 new), 100 suites, 0 regressions
web/npm run build: clean — Sentry mount + /api/welcome-email prerender
License audit: only permissive licenses (Sentry adds nothing exotic)

Env vars to set in Coolify

# Already required from prior sessions:
VYNDR_INTERNAL_KEY=<existing — header is now x-internal-key OR X-VYNDR-Internal-Key>
RESEND_API_KEY=<existing>
RESEND_FROM_EMAIL=<existing, defaults to "VYNDR <grades@vyndr.app>">

# New in Session 10 (all optional — wrappers degrade gracefully):
SENTRY_DSN=<from sentry.io project settings>
NEXT_PUBLIC_SENTRY_DSN=<same DSN — needs the NEXT_PUBLIC_ prefix to reach browser bundle>

Open items

Soccer prefetch hasn't run against live api-football yet — first cron tick after deploy will populate the cascade. Until then, the feature extractor resolves at tertiary (football-data).
Sentry's frontend manual-init pattern means errors before the React tree mounts (e.g. SSR errors) bypass Sentry. The backend handler catches Express-side errors; for browser-side SSR errors we'd need instrumentation.ts, deferred.
Welcome email idempotency relies on Supabase user_metadata. If a user signs in via SSO and never lands on /welcome, they don't get the email. Acceptable Day-1 — track via PostHog if it becomes a real conversion gap.

Session 9 (2026-06-10) — SHIPPED

World Cup opens tomorrow. This session closed three live-site emergencies (404, OOM cycle, slow FCP), added three new soccer data sources with a priority cascade, two new RapidAPI sports adapters, a real grace-period downgrade middleware, and updated the legal pages.

Phase 0 — critical fixes

/pricing 404 → fixed. web/src/app/pricing/page.tsx created; wraps the existing Pricing component on a standalone route so email renewal CTAs (which link to /pricing via web/src/services/email.ts:204) no longer land on 404. Metadata block ships with OG + Twitter tags.
Web container OOM cycle → cause identified, fix documented. docker logs on the live host (z2zyki…-032334469519, 44 restarts and climbing) returned FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory. Docker mem limit is unlimited (0) — this is Node's own ~2 GB V8 default. Fix is a Coolify env-var change: NODE_OPTIONS=--max-old-space-size=4096 on the web container. Cannot be applied from this session — listed under the Coolify env requirements at the end of this entry.
7.5s FCP → root cause traced to the OOM cycle. All page routes are static-prerendered; root layout makes no blocking calls. The FCP measurement is dominated by cold-start latency hit during each restart. The NODE_OPTIONS fix is the primary FCP fix too — re-measure after deploy.

Phase 1 — soccer source upgrade

New adapter cascade for soccer (priority order):

api-football.com (PRIMARY) — src/services/adapters/apiFootballAdapter.js. 100 req/day soft limit (90, with 10-req safety margin). 6 endpoints: getFixtures, getFixtureLineups, getFixturePlayerStats, getFixtureEvents, getPlayerSeasonStats, getStandings. Auth via x-apisports-key header (NOT RapidAPI). Per-endpoint TTLs match data volatility (fixtures 6h, lineups/playerstats 24h, events 12h).
FootApi via RapidAPI (BACKUP) — src/services/adapters/footApiAdapter.js. 50 req/day (soft 45). 4 endpoints: getMatchLineups (28 stat keys), getMatchIncidents (minute + addedTime), getRefereeStatistics (yellow/red per game), getWorldCupSchedule (tournament ID 16).
football-data.org (TERTIARY) — existing Session 7j adapter unchanged.

The soccerFeatureExtractor now cascades through these via a new loadFromCascade() helper. Each load returns a _source tag so debugging is straightforward; meta.sources exposes the attribution per lookup (player, nextMatch, lastFixture, referee). Existing 17 soccer-extractor tests still pass; 7 new cascade tests prove the priority order.

Phase 1 — Tank01 RapidAPI adapters

tank01NbaAdapter.js — live NBA box scores, schedule, betting odds. Status-aware TTL: 5-min cache while a game is in-progress, 24-hour cache once it reports Final. Free tier 1,000 req/mo; TTL-bound rather than counter-bound.
tank01MlbAdapter.js — live MLB box scores, daily scoreboard, and batter-vs-pitcher (the headline new MLB signal — a batter's historical PA/AB/H/HR/SO line against a specific pitcher). Same status-aware TTL pattern as NBA.

Both Tank01 adapters use the shared RAPID_API_KEY (also used by FootApi). Host overridable via TANK01_NBA_HOST / TANK01_MLB_HOST.

Phase 2 — production readiness

Grace-period downgrade middleware — src/middleware/gracePeriod.js. Fires at request time on tier-gated routes (/api/scan/parlay, /api/alerts, /api/props/joint-history). Reads req.user.grace_period_until (now selected by requireAuth in src/middleware/auth.js), and on expiry atomically downgrades users.tier and user_profiles.tier to 'free', clears the timestamp, sets subscription_status='expired' on the profile mirror, and rewrites req.user so the route immediately sees the downgrade. Closes the long-standing "cancelled users keep paid access forever" gap. Ordering matters: grace must run AFTER requireAuth and BEFORE scanLimit, because scanLimit reads tier off req.user — a just-expired Desk user would otherwise burn one final unlimited-quota request.
TOS update — web/src/app/terms/page.tsx Subscription Terms switched from NexaPay to Stripe; Acceptable Use now explicitly states "VYNDR does NOT offer API access at any tier" — closes the Session 7h immutable.
Privacy update — web/src/app/privacy/page.tsx Payment Data section switched from NexaPay to Stripe with specifics on what Stripe receives. New "Sub-processors" section explicitly lists Stripe, Supabase, PostHog, Resend.
Cookie consent banner — web/src/components/CookieConsent.tsx, mounted in root layout. Thin bottom bar, SSR-safe (renders nothing until client mount checks localStorage), single-button accept, links to Privacy Policy.
Root layout metadata — keywords + description extended to include soccer and World Cup 2026 intelligence terms. OG + Twitter cards already comprehensive from prior sessions. Per-page metadata for /soccer + /scan deferred (those pages are 'use client'; would need server-component wrappers — cosmetic).

Tests added

Suite	Tests
`tests/unit/apiFootballAdapter.test.js`	16
`tests/unit/footApiAdapter.test.js`	13
`tests/unit/soccerFeatureExtractorCascade.test.js`	7
`tests/unit/tank01NbaAdapter.test.js`	12
`tests/unit/tank01MlbAdapter.test.js`	12
`tests/unit/gracePeriod.test.js`	7
Session 9 total	67

Quality gates

npm test: 1240 / 1240 passing (1173 baseline + 67 new), 97 suites, 0 regressions
web/npm run build: clean — /pricing + everything else prerenders, no type errors
License audit: only permissive licenses

Coolify env vars (apply on the web container — keys not in repo)

NODE_OPTIONS=--max-old-space-size=4096        # fixes the OOM cycle
API_FOOTBALL_KEY=<from api-sports.io>          # PRIMARY soccer source
FOOTBALL_DATA_API_KEY=<from football-data.org> # TERTIARY soccer source
RAPID_API_KEY=<from RapidAPI marketplace>      # FootApi + Tank01 NBA + Tank01 MLB
FOOTAPI_HOST=footapi7.p.rapidapi.com           # default — override only for mirrors
TANK01_NBA_HOST=tank01-fantasy-stats.p.rapidapi.com
TANK01_MLB_HOST=tank01-mlb-live-in-game-real-time-statistics.p.rapidapi.com

Open items

NODE_OPTIONS must be set in Coolify before the next deploy; until then, the web container will keep OOM-looping. This is the single most important production action item.
The 2 GB+ heap usage that triggered the OOM suggests a memory leak in the Next.js standalone server. Heap-snapshot investigation deferred — the env-var bump buys headroom but doesn't fix the leak root cause.
Per-page OG metadata on /soccer and /scan requires those pages to be refactored to a server-component wrapper pattern. Not blocking.
The new adapter cascade improves data quality WHEN API_FOOTBALL_KEY / RAPID_API_KEY are populated and a daily prefetch has run against them. Until then, the cascade silently falls through to football-data.org and static reference data. Updating scripts/soccer-data-prefetch.js to write the new apifootball:* / footapi:* cache keys is a follow-up.

Session 8 (2026-06-10) — SHIPPED

Frontend layer that connects users to the Session 7h–7j backend. NexaPay → Stripe cutover on the pricing flow + a /soccer page that exposes the soccer intelligence pipeline.

Files created (frontend)

web/src/app/api/odds/soccer/[league]/route.ts — Next.js proxy → Express GET /api/odds/soccer/:league. Validates league against the 9 accepted codes upstream so a typo bounces at the Next boundary.
web/src/app/soccer/page.tsx — live soccer odds feed. Hosts SportSelector, fetches /api/odds/soccer/:league, groups props by match → stat type. "Grade" button triggers inline scan via /api/scan (sport: Soccer) and renders the result through SoccerGradeResult. Soccer-only page; switching the selector to another sport bounces to /scan.
web/src/app/upgrade/success/page.tsx — Stripe success landing. Reads session_id, refreshes AuthContext so the new tier flips immediately. Does NOT verify against Stripe from the client (no secret key on the browser) — the webhook is the source of truth.
web/src/app/upgrade/cancel/page.tsx — Stripe cancel landing.
web/src/components/SportSelector.tsx — pill tabs (NBA/WNBA/MLB/ Soccer); Soccer reveals a sub-row of the 9 league codes matching Express's SOCCER_SPORT_KEYS. Emits { sport, league? } via onChange — pure UI, no fetches.
web/src/components/SoccerGradeResult.tsx — soccer-themed result card. Parses the engine's reasoning summary into visual chips (⚽ goals/90, 📊 xG, 🎯 penalty taker, 🏹 free-kick taker, ⛳ corner taker, 🏔️ altitude, 🟨 referee, ⏱️ minutes discount, 🛡️ opponent defense, 🏆 tournament pedigree). Color-coded by tone (positive / caution / warning / neutral). Free-tier responses (carrying tier_gated: true) render the chip row blurred under an upgrade CTA; the structured grade + confidence + edge stay visible. Kept separate from GradeCard so the NBA/MLB/WNBA path is untouched.

Files modified (frontend)

web/src/app/api/checkout/route.ts — full rewrite. Was a NexaPay payment-link creator; is now a thin proxy that forwards { tier, founder_code? } + bearer to Express /api/stripe/checkout. Response remap: checkout_url → url for callsite compat; both fields shipped so either reads cleanly.
web/src/app/api/scan/route.ts — accepts Soccer sport in addition to NBA/MLB/WNBA. Soccer stat-type allowlist mirrors the backend VALID_STAT_TYPES (goals, shots_on_target, shots, tackles, cards, corners, saves, goals_conceded, passes, clean_sheet, assists).
web/src/components/Pricing.tsx — CTAs converted from <a href> to onClick handlers. Uses useAuth() for the bearer token, POSTs to /api/checkout, window.location.assign to the returned Stripe URL. Loading state on the active tier, inline error banner. Anonymous visitors bounce to /signup?return=/%23pricing. Footnote rewritten from "NexaPay" to "Stripe (test mode while we onboard founders)".
web/src/components/Nav.tsx — small BETA tag next to the wordmark. Glitch-styled, monospace, low-opacity green border. Renders on every page that mounts Nav.

Files modified (backend — ONE allowed change)

src/services/stripeService.js — success_url / cancel_url point at the frontend (NEXT_PUBLIC_SITE_URL with BASE_URL fallback, default http://localhost:3000). Previously the routes pointed at the Express origin which would have 404'd the redirect. New URLs:
- ${frontendUrl}/upgrade/success?session_id={CHECKOUT_SESSION_ID}
- ${frontendUrl}/upgrade/cancel All 23 Stripe tests still pass (none asserted on the URL strings).

Files modified (docs)

docs/SYSTEM-MANIFEST.md — /api/odds/soccer/[league] row in Next.js routes, new section listing the three new Next.js pages, the Session 7h "dual-provider divergence" callout flipped from open-work to ✅ complete.
BUILD-STATE.md — Session 8 entry.

Honest verification status

Build-verified (passed web/npm run build after every component):

All TypeScript types resolve
All routes prerender / build correctly (24 pages, 30+ API routes)
No ESLint errors

NOT runtime-verified in this session (I have no browser to click through):

Actual Stripe checkout redirect end-to-end (test mode card flow)
Soccer odds rendering with live data (depends on FOOTBALL_DATA_API_KEY being set in prod and the daily prefetch having run)
SoccerGradeResult signal parsing against a real engine response (signal-chip regex tested against the exact phrasing buildSoccerReasoningLines emits in analyzeViaEngine1.js, but not against live engine output)
AuthContext.refresh() actually triggering a profile re-read after the Stripe redirect

These are the expected next-session sanity checks once Coolify deploys this build.

Quality gates

npm test (backend): 1173 / 1173 passing, 91 suites, 0 regressions from Session 7j baseline
web/npm run build: clean — all new routes prerendered, no type errors
License audit: only permissive licenses

Session 7j (2026-06-10) — SHIPPED

Permanent soccer sport vertical, launching with FIFA World Cup 2026 (opens June 11). League-agnostic architecture supports WC, EPL, La Liga, Bundesliga, Serie A, Ligue 1, UCL, MLS, Liga MX from the same code paths.

Files created

src/data/worldcup2026.js — 16 venues + altitudes + climate, CONCACAF
- CONMEBOL teams, penalty/corner/free-kick takers (top 25 teams), tournament players (≥3 career WC goals). All frozen. Helpers: isPenaltyTaker, isCornerTaker, isFreeKickTaker, getTournamentHistory, isHomeContinent, getVenue, altitudeImpact.
src/services/adapters/footballDataAdapter.js — football-data.org v4 REST adapter. 8/min token bucket (2-req safety margin vs the 10/min upstream cap). Tier-matched Redis TTLs (fixtures 6h, standings 12h, squads 24h, scorers 6h). Stale-while-revalidate fallback when the bucket is drained or the API 5xx's. Returns null when no API key — callers degrade gracefully.
src/services/intelligence/soccerFeatureExtractor.js — reads from prefetch-populated Redis cache (NEVER hits external APIs on the user request path). Builds the engine1 feature vector + a soccer overlay (goals_per_90, xG, penalty/corner/FK role, altitude, referee, tournament history, rest_days).
poller/soccer.js — league-agnostic fixture poller. WC pulls from the rezarahiminia/worldcup2026 OSS API (no rate limit) and falls back to football-data.org. Other leagues use the adapter directly. Writes soccer:nextmatch:{team} (24h TTL) + soccer:lastfixture:{team} (7d TTL) per fixture. Self-rescheduling: 5-min ticks during live matches, 30-min otherwise. PM2-managed.
scripts/soccer-data-prefetch.js — daily batch job. Pulls standings
- scorers per configured league, computes per-team defensive aggregate (goals_conceded_per_game, defensive_rank_norm on a 0..1 scale that slots into engine1's opp_rank_stat) and per-player per-90 rates. Writes soccer:teamdefense:{league}:{team} and soccer:player:{normalizedName}. --leagues=WC,PL --dry-run flags supported. xG fields left null on Day 1 (soccerdata-Python bridge is a follow-up; engine handles nulls gracefully).
tests/unit/worldcup2026.test.js (20 tests)
tests/unit/footballDataAdapter.test.js (15 tests)
tests/unit/soccerFeatureExtractor.test.js (17 tests)
tests/unit/trapDetectionSoccer.test.js (21 tests)
tests/unit/computeFeaturesSoccerBranch.test.js (4 tests)
tests/unit/analyzeViaEngine1Soccer.test.js (8 tests)
tests/unit/soccerPoller.test.js (22 tests)
tests/unit/soccerDataPrefetch.test.js (14 tests)
tests/integration/oddsSoccer.test.js (6 tests)

Files modified

src/utils/oddsNormalizer.js — MARKET_MAP gains 10 soccer market keys (player_goals, player_shots_on_target, etc → goals, shots_on_target, etc). Existing NBA mappings untouched.
src/routes/analyze.js, src/routes/scan.js — VALID_STAT_TYPES set extended with 10 soccer stat types. 'assists' is shared with NBA; sport field discriminates downstream.
src/routes/odds.js — new GET /api/odds/soccer/:league route. Validates league against SOCCER_SPORT_KEYS (9 leagues), surfaces 405 valid-list hint on miss.
src/services/oddsService.js — SPORT_KEYS gains 9 soccer entries mapping soccer_wc → soccer_fifa_world_cup, soccer_epl → soccer_epl, etc. SOCCER_SPORT_KEYS exported as a frozen list.
src/services/intelligence/computeFeatures.js — sport ∈ {'soccer','football'} dispatches to extractSoccerFeatures. NBA path unchanged.
src/services/intelligence/trapDetection.js — six soccer signals (xg_regression, altitude_risk, rotation_risk, minute_discount, referee_card_bias [positive — excluded from composite], strong_defense). getTrapScore branches on input.sport.
src/services/intelligence/analyzeViaEngine1.js — soccer reasoning branch (buildSoccerReasoningLines). Uses "matches" not "games", surfaces xG / penalty taker / altitude / referee / minutes / WC pedigree. NBA-specific sentences (back-to-back, injury report) guarded by !isSoccer.
poller/ecosystem.config.js — poller-soccer PM2 app added. Same restart policy as box-score pollers; SOCCER_LEAGUES env wired.
.env.example — soccer block (FOOTBALL_DATA_API_KEY, SOCCER_LEAGUES, WORLDCUP_API_URL, RAPID_API_KEY).
docs/SYSTEM-MANIFEST.md — /api/odds/soccer/:league row in §2, Soccer env block in §3, soccer poller in poller-set, four new external API rows in §6, [ARCH-3] soccer-pipeline note in §8.

Quality gates (all green)

npm test: 1173 / 1173 passing (1042 baseline + 131 new soccer tests across 9 new suites), 91 suites, 0 failures
web/npm run build: clean
License audit: only permissive third-party licenses

Session 7i (2026-06-10) — SHIPPED

Stripe checkout + webhook (no new routes — gap-fill on existing)

Pre-audit revealed Session 3.4 already shipped a fuller Stripe integration than this session's spec asked for: route, sig verify, all 4 event handlers with 48h grace, customer create + persist, portal + status endpoints, founder-code system, and users ↔ user_profiles dual writes. Raw-body middleware was already correctly positioned at src/app.js:52 (before global express.json()).

What this session added on top:

tests/integration/stripe.test.js — refactored stripe mock to a singleton handle, then added two route-level tests:
1. constructEvent throws → route returns 400 with { error: /signature/i }
2. valid signature → route dispatches to handleWebhookEvent and returns { received: true }
tests/unit/stripeService.test.js — added customer.subscription.updated test covering portal-driven plan-change: maps items.data[0].price.id back to a tier via PRICE_MAP, writes to both users + user_profiles, clears grace.
docs/SYSTEM-MANIFEST.md — appended a Payments: dual-provider divergence subsection under § 8 Findings → Frontend ↔ Backend contract, documenting that the Next.js /api/checkout still routes to NexaPay while Express Stripe is wired but uncalled by the frontend, with a 4-step cutover punch list for a follow-up session.

Quality gates (all green)

npm test: 1042 / 1042 passing (delta +3 from 1039 baseline, 0 regressions)
web/npm run build: clean
License audit: third-party deps only permissive (MIT/Apache-2.0/BSD/ISC/MPL/BlueOak/CC-BY/0BSD)
curl https://api.vyndr.app/api/health → {"status":"healthy"}

Session 7h (2026-06-10) — SHIPPED

Stripe (test mode)

Resources created against sk_test_* via direct REST API (Stripe MCP plugin OAuth flow was non-functional in this environment; bypassed by hitting https://api.stripe.com/v1 with the secret key in a single shell subprocess, then shredding the on-disk key file).

prod_UgBel9RYTROCxr — VYNDR (metadata.tier=analyst)
- price_1TgpGxIp1Mec3r2E6Wh6oeaP — $14.99/mo recurring (metadata.tier=analyst)
prod_UgBeSBYw2j9oXL — VYNDR Desk (metadata.tier=desk)
- price_1TgpGyIp1Mec3r2EQq50KKhF — $44.99/mo recurring (metadata.tier=desk)
we_1TgpGzIp1Mec3r2ERtDIF2n2 — webhook → https://api.vyndr.app/api/stripe/webhook
- Subscribed events: checkout.session.completed, customer.subscription.updated, customer.subscription.deleted, invoice.payment_failed
- Signing secret saved to ~/.stripe-webhook-secret (chmod 600) — read once, paste into Coolify, then shred -u.

Tier infrastructure

src/config/tiers.js — frozen access matrix (free / analyst / desk); api_access:false on every tier (non-negotiable consumer-product invariant)
src/middleware/scanLimit.js — 24h rolling per-user/IP quota (free=3, analyst=15, desk=∞); 429 + Retry-After + X-Scans-Used/Limit headers on overflow; in-memory LRU with MAX_TRACKED=50_000
src/utils/tierGating.js — pure response gating; free tier keeps grade/confidence/edge_pct, redacts reasoning + kill_conditions_triggered; paid tiers pass through
Wired into src/routes/scan.js (/parlay after requireAuth) and src/routes/analyze.js (/prop + /batch, gating applied per-result)

SQL (run manually in Supabase SQL Editor)

docs/sql/pricing_slots.sql — creates pricing_slots table + RLS + price IDs seeded. Not added to the migrations chain per session policy.

Tests

tests/unit/tiers.test.js (10 tests) — frozen matrix, api_access=false invariant, fallback behavior
tests/unit/tierGating.test.js (9 tests) — free-tier redaction, paid passthrough, no input mutation
tests/unit/scanLimit.test.js (10 tests) — per-tier limits, anonymous IP fallback, independent quotas, desk skip
Existing suites adapted for the new middleware: tests/unit/analyzeCache.test.js, tests/integration/analyze.test.js, tests/integration/scan.test.js reset the scan-limit map in beforeEach; the integration suite for /api/analyze mocks applyTierGating as pass-through so engine-shape assertions stay focused on the engine contract (gating has its own suite).

Quality gates (all green)

npm test: 1039 / 1039 passing, 82 suites, 0 failures
web/npm run build: production build clean, all 24 routes prerendered
License audit: only permissive third-party licenses (MIT/Apache-2.0/BSD/ISC/etc.); single UNLICENSED entry is our own vyndr-web workspace

Web Tier v6 (2026-05-18) — SHIPPED

Complete frontend overhaul. 18 pages, 22 API routes. npm run build passes with zero errors.

New pages

/dashboard — post-login slate (sport tabs, top grades, tonight's games, most parlayed, recent scans, first-time onboarding)
/game/[id] — game preview with spread/total/ML, starting lineups with injury flags, expandable prop list, add-to-parlay
/profile — tier status, subscription state, founder badge, cancel-at-period-end flow
/intelligence — Desk-tier timeline of evolution/coaching/cascade/ABS/line-movement signals (blurred for non-Desk)
/terms, /privacy, /responsible-gambling — branded legal pages with brand voice
/scan — full rebuild (sport tabs, real /api/scan with tier gating, parlay tray hook)
/login, /signup — wired to Supabase Auth via AuthContext (Google OAuth + email/password + age check)
/marketplace — coming-soon waitlist (API access, custom alerts, capsule drop)
/ledger, /tracker — design system refresh, accuracy buckets, miss autopsy, quick-slip
/ — auth-aware: logged-in users redirect to /dashboard; anonymous see marketing

New API routes

/api/games/tonight, /api/games/[id], /api/games/[id]/props
/api/props/top-graded, /api/props/most-parlayed
/api/players/search
/api/user/recent-scans
/api/intelligence/feed
/api/parlay/add-leg, /api/parlay/grade
/api/ledger, /api/ledger/accuracy
All cached via Supabase odds_cache table (5-min TTL) — never hit Odds API directly

Services + middleware

services/odds-cache.ts — Supabase-backed TTL cache for upstream calls (loader + stale-fallback)
services/email.ts — Resend wrapper: sendWelcomeEmail, sendPaymentReceipt, sendRenewalReminder
middleware/rateLimit.ts — per-tier per-minute scan throttle (5/30/60 free/analyst/desk)
services/nexapay.ts — already shipped (createPaymentLink + HMAC webhook verify), now wired to email receipts

Components

GradeCard.tsx — premium grade card with tier-gated blur (factors locked for free; alt-lines locked for non-Desk)
ParlayContext.tsx + ParlayTray.tsx — cross-page parlay state, slide-up tray, /api/parlay/grade integration
BottomTabBar.tsx — mobile-only 5-tab navigation (Home/Scan/Parlay/Ledger/Profile) with parlay badge
ShareCard.tsx — canvas-rendered 1200x630 OG share image with grade letter; download + copy-to-clipboard
Nav.tsx, Hero.tsx, LivePropsStrip.tsx, Features.tsx, Pricing.tsx, HowItWorks.tsx, FAQ.tsx, Footer.tsx — design system refresh already shipped

PWA + meta

public/manifest.json (192/512/maskable icons)
public/icons/icon-{192,512,maskable-512}.png, apple-touch-icon.png, favicon.ico, favicon.png
public/og-image.png — 1200x630 social share card
appleWebApp + manifest + theme-color wired in layout.tsx

Supabase migrations

011_user_profiles_web.sql (already deployed): user_profiles (+RLS+trigger), parlay_leg_frequency (+RPC), scan_history
012_web_caching_waitlist.sql (NEW): odds_cache (TTL cache), waitlist_signups, founder_pricing_seats view, prune_expired_odds_cache() helper

Backend

src/app.js — CORS middleware added (localhost dev + vyndr.app + *.vercel.app + FRONTEND_ORIGINS env var)
package.json — added cors@2.8.5

Bug fixes

Scan page sibling-div JSX bug fixed (rewritten from scratch)
Lockfile warning silenced via next.config.ts turbopack.root (already in place)
Auth callback rewritten to use Supabase JS session API instead of raw localStorage parse

Environment variables (set in Vercel + Railway)

Vercel (Next.js)

NEXT_PUBLIC_SUPABASE_URL — Supabase project URL
NEXT_PUBLIC_SUPABASE_ANON_KEY — Supabase anon key
SUPABASE_SERVICE_ROLE_KEY — service role (server-only, NEVER expose to client)
NEXT_PUBLIC_SITE_URL — https://vyndr.app
BACKEND_URL — Railway URL of Express grading engine
NEXT_PUBLIC_API_URL — same as BACKEND_URL (for legacy client fetches)
NEXT_PUBLIC_NBA_SERVICE_URL — FastAPI nba_api wrapper URL
NEXAPAY_API_KEY — bearer token from NexaPay dashboard
NEXAPAY_WEBHOOK_SECRET — HMAC secret from NexaPay dashboard
NEXAPAY_API_URL — defaults to https://api.nexapay.one/v1
RESEND_API_KEY — from resend.com
RESEND_FROM_EMAIL — defaults to VYNDR <grades@vyndr.app>
NEXT_PUBLIC_POSTHOG_KEY — PostHog project key (optional)
NEXT_PUBLIC_POSTHOG_HOST — defaults to https://us.i.posthog.com

Railway (Express backend)

All existing engine vars (Odds API key, Supabase, etc.)
FRONTEND_ORIGINS — comma-separated additional CORS origins (optional; defaults cover localhost + vyndr.app + *.vercel.app)

Vercel deployment

Repo root → /home/kev/mastermind/vyndr
Root Directory in Vercel project settings: web
Framework Preset: Next.js (auto-detected)
Build Command: npm run build (default)
Install Command: npm install (default)
Output Directory: .next (default; we use output: 'standalone')
Node version: 20.x or 22.x
Add all env vars from the list above

Railway deployment (backend)

railway.toml already configured in repo root
Connect GitHub → Deploy from main
Set env vars (same as Vercel backend list)
Get URL → set BACKEND_URL in Vercel

NexaPay configuration

Create NexaPay account → get API key + webhook secret
Webhook URL: https://vyndr.app/api/webhook/nexapay
Webhook events to enable: payment.succeeded, payment.failed, payment.refunded, subscription.canceled
Settlement wallet: USDC on Polygon (or your preferred chain)
Set NEXAPAY_* env vars in Vercel

Resend configuration

Create Resend account → verify vyndr.app domain
Add DNS records (SPF, DKIM, DMARC) from Resend dashboard
Create API key → set RESEND_API_KEY in Vercel
Test: trigger a signup, check the welcome email arrives

Supabase Auth setup

Run migrations 011_user_profiles_web.sql and 012_web_caching_waitlist.sql (Supabase SQL editor or CLI)
Auth → Providers → enable Email/Password (default)
Auth → Providers → enable Google: paste client ID/secret from Google Cloud Console
Auth → URL Configuration → Site URL: https://vyndr.app
Auth → URL Configuration → Redirect URLs: https://vyndr.app/auth/callback, http://localhost:3001/auth/callback

What Has Shipped (Backend — Already Live)

Phase 1 — Foundation (COMPLETE)

Feature 1.1 — Odds API Integration
Feature 1.2 — NBA_API Stats Wrapper (FastAPI microservice)
Feature 1.3 — Prop Analysis Engine (6-step grading pipeline)
Feature 1.4 — Database Schema (9 tables, RLS, triggers)
Feature 1.5 — Bet Submission (3 methods + performance tracking)

Phase 2 — Core Product (COMPLETE)

Feature 2.1 — Parlay Scan (correlation detection, monetization)
Feature 2.2 — Line Movement + Cascade Detection

Phase 3 — Web MVP (COMPLETE)

Feature 3.1 — Landing Page + Blog (Next.js, MDX, VYNDR voice, SEO)
Feature 3.2 — Scan UI (leg builder, grade results, upgrade pitch)
Feature 3.3 — Bet Tracker (performance dashboard, quick slip, settle flow)
Feature 3.4 — Stripe Integration (checkout, webhooks, portal, founder codes)

Also Shipped (Separate Repo)

Mastermind Agency Site

/home/kev/mastermind/agency-site/
Glitch aesthetic, scan lines, CRT flicker, JetBrains Mono
Home, VYNDR case study, Contact pages

Phase 1 Additions — Intelligence Engine (COMPLETE)

Addition 1 — Stats endpoints (parlays-graded, public, live props)
Addition 2 — Dynamic role profile system (8 roles, Shannon entropy, conditional profiles)
Addition 3 — Player selector (placeholder — Cowork handles design)
Addition 4 — Parlay probability (phi coefficient, juice-adjusted EV, correlation math)
Addition 5 — MLB prop grading (14 stat types, 10 kill conditions, 30 parks, weather API)
Addition 6 — Intelligence engine (similarity, evolution/PELT, line discrepancy, alt line, Bayesian, model trainer)
Addition 7 — Lineup watch speed (role activation detection framework)
Addition 8 — Database additions (7 new tables, migration 003, indexes, RLS)
Addition 9 — Design system update (forest green, Hero tagline, live props strip, DemoScan result card)
Addition 10 — Accuracy ledger page (/ledger)
Addition 11 — Marketplace page (/marketplace, waitlist, honeypot)
Addition 12 — ARCHITECTURE.md v1.0
Permanent: FOUNDER_NOTE constant (immutable, tested for integrity)
Permanent: X-VYNDR-Mission header on all API responses

Also Shipped (Separate Repo)

Mastermind Agency Site

/home/kev/mastermind/agency-site/
Glitch aesthetic, scan lines, CRT flicker, JetBrains Mono
Home, VYNDR case study, Contact pages

Test Summary

Node.js: 662 tests passing (unit + integration) — 357 original + 187 ship + 65 supplement + 35 patch + 45 security
Python: 27 tests passing
Total: 689 tests, all green
8 new test files: shipInfrastructure, shipGradingEngine, shipDataSources, shipResolution, shipSchemeClassifier, supplementSystems, patchIntegration, securityAudit
Next.js project builds (pending Vercel deploy)

Active Blockers

BLOCKER-003: WSL2 DNS cannot resolve *.supabase.co
Migrations 003-010 need manual apply via Supabase SQL Editor

Phase 1 Additions Part 2 (COMPLETE)

Addition 13 — Simplified scan selector (sport toggle NBA/MLB, player search, stat dropdown, line pre-fill from Odds API)
Addition 14 — PostHog analytics integration (5 events: scan_completed, grade_viewed, upgrade_cta_clicked, prop_shared, alt_line_viewed)
Addition 15 — Affiliate database (Migration 004: referral_codes, referral_conversions, affiliate_payouts, wallet_addresses, RLS on all)
Addition 16 — Scheme intelligence data layer (schemeClassifier.js: PnR coverage classification DROP/SWITCH/HEDGE/MIXED/UNKNOWN, 8-possession min, 6hr cache, graceful degradation, silent logging to model_predictions_extended)
- Scheme intelligence: data layer active, user activation pending Day 31

Phase 2 Pending

Model learning loop (Feature 4.1 spec exists)
Player selector UI completion (Cowork handles design)
Full parlay probability UI integration
Real-time lineup watch CRON implementation
Evolution watch UI on ledger page
Pre-registered predictions system activation
Physical ledger fulfillment
Education library content

Manual Actions Required

Paste SQL migrations 003-010 in Supabase SQL Editor (in order)
Run node scripts/seedRoleProfiles.js after NBA API access configured
Set Stripe env vars (STRIPE_SECRET_KEY, STRIPE_WEBHOOK_SECRET, price IDs)
Set NEXT_PUBLIC_POSTHOG_KEY env var for PostHog analytics
Set ODDS_API_KEY env var for Odds API
Set SUPABASE_URL + SUPABASE_SERVICE_ROLE_KEY for Python service
Deploy Next.js frontend to Vercel
Start Python service: cd src/services/python && pip install -r requirements.txt && python3 app.py
Set up GitHub Actions crons: lineup monitoring (15min), morning odds (10am ET), pre-game odds (90min), weather (30min), nightly resolution (2am ET)
Run cold_start_boot() on first launch (seeds reporters, loads data files)
SHADOW_MODE=True for first 2 weeks — grades logged but not published to capper

Session Log

Sessions 1-6 — 2026-03-21/22

Built all backend: Phase 1 + Phase 2 + Feature 1.5
221 backend tests passing

Session 7 — 2026-03-22

Built Feature 3.1: Landing page + blog (Hero, Pricing, Blog/MDX, Auth pages)
Built Mastermind Agency Site (glitch aesthetic, 5 pages)
Built Features 3.2 + 3.3: Scan UI + Bet Tracker
Built Feature 3.4: Stripe Integration (checkout, webhooks, portal, founder codes)
ALL FEATURES COMPLETE
Total: 237 tests (210 Node.js + 27 Python), all green

Session 8 — 2026-03-28

Built all 12 Phase 1 additions in single session
68 new tests (305 total), all green
New services: roleProfileEngine, roleStabilityEngine, similarityEngine, evolutionEngine, lineDiscrepancyDetector, altLineScanner, bayesianEngine, modelTrainer, correlationMath, mlbGrader, mlbKillConditions, mlbStatsClient
New routes: stats, props, waitlist
New frontend: LivePropsStrip, ledger page, marketplace page
New constants: founderNote, mlbParks
New middleware: mission header
Migration 003: 7 new tables with indexes and RLS
Python microservice: evolutionEngine.py (Flask/PELT on port 5001)
ARCHITECTURE.md v1.0 created

Session 9 — 2026-04-12

Built 4 Phase 1 Part 2 additions
52 new tests (357 total), all green
New component: SimplifiedSelector (sport toggle, player search, stat dropdown, line pre-fill)
PostHog analytics: 5 tracked events, initialized in layout.tsx
Migration 004: 4 affiliate tables (referral_codes, referral_conversions, affiliate_payouts, wallet_addresses)
New service: schemeClassifier.js (PnR coverage classification, 6hr cache, graceful degradation)
Scheme intelligence: data layer active, user activation pending Day 31

Session 10 — 2026-04-13 (SHIP BUILD v5.1)

Built complete dual-sport grading engine from vyndr-SHIP.md spec
187 new tests (544 total), all green across 38 test suites
Phase 1 — Infrastructure:
- Flask app.py with blueprints, health check, rate limiting (60/min default, 20/min grade), flask-cors, /api/docs
- evolutionEngine.py moved to blueprints/evolution.py (structural only — logic unchanged)
- utils: retry.py, data_warehouse.py (game-day TTL), bayesian.py (per-stat-type weights, skewness, data sufficiency curve), edge_calculator.py (real edge + quarter-Kelly), context_aggregator.py (15 factors), similarity.py (min 0.7), regime_detector.py (disabled <20 games), blind_spot_detector.py (worst 5%), supabase_client.py
- Data files: park_factors.json (30 parks, lat/lng, roof_status), reporter_database.json (80+ handles), timezone_map.json (30 arenas), grade_thresholds.json, odds_api_config.json
- requirements.txt with all 15 dependencies
- Cold start boot sequence with reporter seeding
Phase 2 — Data Sources:
- blueprints/synergy.py (team play types, matchup, tracking, defensive scheme)
- blueprints/nba_context.py (teammate impact, game script, home/road, rest/travel, matchup pace, foul trouble, B2B stat-specific, positional defense, usage-efficiency, playoff modifiers, NBA sub-scores endpoint)
- blueprints/lineup_intelligence.py (3-source architecture, reporter trust tiers, tweet parsing, two-stage grading, reporter-line correlation)
- blueprints/odds_scanner.py (free tier 2 pulls/day, odds warehouse, line movement detection, slate scanner)
- utils/weather.py (Open-Meteo, continuous 30min, dome detection, regrade triggers)
- utils/archetypes.py (5 pitcher dimensions, 5 batter dimensions, 6 NBA dimensions — ALL with weight_profiles, batting order, batter approach, pitcher identity, weight blending)
- schemeClassifier.js enhanced: Synergy-first with regex fallback, backward compatible
Phase 3 — Grading Engines:
- blueprints/mlb.py (14-step pipeline, pitcher/batter profiles, ABS challenge system with player-specific discipline score, TTO decay, platoon-specific opponent quality, lineup protection, day/night, bullpen state, catcher framing)
- blueprints/image_grade.py (OCR pipeline with low-confidence confirmation)
- utils/sportsbooks.py (10 books, parlay grading with correlation check, phi coefficient)
- utils/capper.py (pick numbers, breaking alerts, daily recap, miss autopsy)
Phase 4 — Self-Improving Loop:
- blueprints/resolution.py (nightly job: actuals from nba_api/MLB-StatsAPI, hit/miss, CLV, alignment, joint outcomes, calibration triggers)
- blueprints/calibration.py (point-biserial weights, global offset, Brier score, blind spots, CLV/alignment reports)
Phase 5 — Database + Tests:
- Migration 005: lineup_scheme_data
- Migration 006: nba_data_cache, mlb_data_cache, grade_outcomes (ALL ship columns incl discipline_score, CLV, alignment), player_calibrated_weights
- Migration 007: lineup_updates, reporter_trust (with source_type + starting_trust), odds_warehouse, ship_line_movements, reporter_line_correlation, api_health_log, global_calibration, ship_joint_outcomes
- 5 new test files covering infrastructure, grading engine, data sources, resolution pipeline, scheme classifier enhancement
Key Spec Compliance:
- Grade thresholds LOCKED (A+ through F)
- SHADOW_MODE = True (first 2 weeks)
- Bayesian weights are INITIAL ESTIMATES (marked as such)
- Abstention check BEFORE data cap
- Point-biserial bounds 0.05-0.50, global offset ±0.15
- Real edge with vig + quarter-Kelly
- Brier + CLV from day one
- Capper A- and above ONLY
- ABS is CHALLENGE system (successful challenges don't deplete)
- Foul trouble widens std, not mean
- Stat-specific B2B adjustments
- Matchup-specific pace (home 60/40)
- Positional defense (tracking > roster position)
- Usage-efficiency tradeoff (-1.5% TS per +5% usage)
- Tier limits documented but NOT enforced (gate manually later)
- Node.js stays Node.js, Python is data/utility layer via HTTP

Session 10c — 2026-04-13 (FINAL INTEGRATION PATCH)

Applied 15-item integration patch — wiring + features + infrastructure
35 new tests (644 total), all green across 40 test suites
Wiring (items 1-5):
- Scratch → redistribution → re-grade → alt line scan → alert chain in lineup_intelligence.py
- Slate scan → alt line auto-scan for A-grades in odds_scanner.py
- Nightly resolution steps 14-18: coaching update, player-out history, evolution scan, unconventional data collection, monthly validation
- Migration 009: supplement columns on grade_outcomes (coaching_context, redistribution_context, evolution_flag, alt_line_opportunity, unconventional_factors) + unconventional_factor_data table
- API docs updated with 7 supplement endpoints
Features (items 6-10):
- MLB lineup shift logic (PA multiplier changes when player scratched)
- high_leverage_hook_tendency added to MLB coaching schema
- Evolution persistence check (3 games before public promotion, false positive detection)
- Unconventional daily data collection + monthly validation functions
- Alt line ladder mode (ALT_LINE_MODE env var — 'manual' generates probability ladder)
Infrastructure (items 11-15):
- 5 GitHub Actions YAML files: nightly (2am ET), morning odds (10am ET), pre-game (3pm/5pm/6:30pm ET), reporter poll (every 15min), weather (every 30min)
- scripts/seed_historical.py — one-time historical data seeder (NBA 2024-25 + MLB 2024)
- railway.toml (Flask service, port 5001, health check)
- web/vercel.json (Next.js deployment)
- MLB coaching helper functions for historical seeding
Product is DEPLOYMENT-READY

Session 10d — 2026-04-13 (SECURITY AUDIT)

Applied 19-item security hardening pass — Ryan Montgomery panel reviewed
45 new tests (689 total), all green across 41 test suites
Authentication (items 1, 8, 11):
- utils/auth.py: require_auth (JWT with issuer check) + require_service_role (BETONBLK_INTERNAL_KEY)
- PyJWT added to requirements.txt
- BETONBLK_INTERNAL_KEY separates cron auth from service key — service key never leaves Railway
Input Security (items 3, 10, 13):
- utils/validation.py: whitelist stat types, sanitize strings (strip SQL/HTML), validate line 0-500, image upload (magic bytes, 10MB max, PNG/JPEG/GIF), parlay legs 2-12
- OCR rate limit 3/min, max 2 concurrent
- MAX_CONTENT_LENGTH 1MB globally, 413 JSON response
Network Security (items 2, 12):
- CORS locked to ALLOWED_ORIGINS env var (no more wildcard)
- Real IP from X-Forwarded-For for rate limiter and security logger
Error Handling (item 9):
- Production returns generic "Internal server error" — no stack traces
- 404, 405, 413, 429 all return JSON
Monitoring (items 4, 5, 6, 15, 17, 18):
- Security headers: X-Frame-Options DENY, HSTS, CSP, nosniff, XSS protection, Server removed
- utils/security_logger.py: request logging, rate tracking, SQL injection detection, security_events table
- utils/env_check.py: startup validation, exits on missing required vars, never logs secrets
- security-scan.yml: weekly pip-audit + npm audit
- security.txt: /.well-known/security.txt with contact
- 90-day security event retention cleanup + weekly security digest (50+ events per IP = action required)
Infrastructure (items 7, 14, 16, 19):
- Migration 010: security_events table with RLS
- Supabase client timeout guidance, retry with 30s default timeout
- Source code secret scan test (sk_live_, eyJhbGci, sbp_)
- .gitignore: .env, .env.local, .env.production, *.pem, *.key, .vercel/

Session 10b — 2026-04-13 (SUPPLEMENT BUILD)

Built 5 intelligence supplement systems — ADDITIVE, no existing code modified
65 new tests (609 total), all green across 39 test suites
System 1 — Coaching Tendency Database:
- blueprints/coaching.py (NEW) — per-coach NBA + MLB tendencies, nightly update from game logs, shift detection (15%+ threshold on last 15 vs season baseline)
- 12 NBA fields (pace, 3PT rate, ISO freq, PnR usage, rotation depth, late-game player, score-state lineups, second-unit patterns, redistribution profile, shot location, timeout tendency)
- 10 MLB fields (starter hook, quick hook, bullpen philosophy, IBB rate, PH freq, bunts, closer-only, platoon, lineup consistency, challenge aggressiveness)
System 2 — Usage Redistribution Engine:
- blueprints/redistribution.py (NEW) — two-layer calculation (Layer A: minutes redistribution from historical player-out data + coaching rotation depth; Layer B: offensive system change from archetype shifts)
- Uses coaching database, applies usage-efficiency tradeoff (-1.5% TS per +5% usage)
- Three tiers: primary (>=0.20 boost, >=0.75 confidence), secondary (>=0.10, >=0.60), tertiary (>=0.05)
- Auto-grades at 15%+ boost / 0.65+ confidence, formats 60-second absorption alerts
System 3 — Alt Line Scanner:
- Added to existing odds_scanner.py — auto-runs on A-grade props after slate scan
- Pulls alt lines from odds_warehouse, calculates model probability via Bayesian norm_cdf
- Real edge with vig on each alt, finds optimal (best EV/dollar)
- Only recommends if alt edge exceeds standard by 3%+
System 4 — Unconventional Data Pipeline:
- blueprints/unconventional.py (NEW) — validation gate for non-traditional correlates
- 500 instance minimum, Pearson r > 0.15, Bonferroni-corrected p-value
- 5 tracked factors: altitude, contract year, referee crew history, travel distance (pre-validated), arena altitude
- Factors only enter grading engine AFTER passing validation
System 5 — Player Evolution Alerting:
- Added to existing evolution.py — daily scan across multiple metrics simultaneously
- NBA: usage_rate, assist_rate, three_pa_rate, fg_pct, minutes
- MLB: k_rate, bb_rate, exit_velocity, hard_hit_pct, fb_velo
- PLAYER_EVOLUTION_DETECTED when 2+ metrics show concurrent inflection (10%+ change, 15 game minimum)
- Timestamped records in evolution_detections table, Evolution Watch content formatter
Migration 008: coaching_tendencies, player_out_history, evolution_detections, unconventional_validations (all with indexes + RLS)
Integration: 3 new blueprints registered in app.py (coaching_bp, redistribution_bp, unconventional_bp), evolution + odds_scanner extended with new endpoints

90 KiB Executable File Raw Blame History Unescape Escape

VYNDR — Build State

Last Updated

Current Phase

Session 18 (2026-06-11) — SHIPPED

Section 1 — Admin allowlist + UI guard

Section 2 — Stats API with server-side admin check

Section 3 — Dashboard UI

Section 5 — Tank01 prefetch HTTP endpoint

Tests

Battery

What Kev sees now (next session, in a browser)

Files changed (Session 18)

Pending (out-of-scope for Session 18)

Session 17 (2026-06-12) — SHIPPED

FIX 1 — Checkout 401 "User profile not found" [CRITICAL]

FIX 2 — Hero prop 404 [CRITICAL]

FIX 3 — WNBA games not surfacing [HIGH]

FIX 4 — ALL tab error cascade [HIGH]

FIX 5 — Cookie consent visibility [HIGH — Legal]

FIX 6 — Scan autocomplete silent failure [MEDIUM]

FIX 7 — Mobile bottom nav auth gate [MEDIUM]

FIX 8 — Footer support email + stale copy [LOW]

FIX 9 — Sentry zero events [MEDIUM]

FIX 10 — Read counter visibility [LOW]

FIX 11 — Profile page [NO-OP]

FIX 12 — Tonight's slate landing preview [MEDIUM]

Tests added (Session 17)

Quality gates

Honest verification status

Coolify follow-ups (operator action)

Session 16 (2026-06-11) — SHIPPED

Phase 1 — Sport-specific market map

Phase 2 — Live hero prop

Phase 3 — Soccer weather

Phase 4/5 — OG tags + CSP (mostly already done)

Tests added (Session 16)

Quality gates

Honest gaps

Coolify follow-ups

Session 15 (2026-06-11) — SHIPPED

Phase 0 — Correctness

Phase 1 — Signal audit

Phase 2 — MLB park factors

Phase 3 — Weather (Open-Meteo)

Phase 4 — Tank01 daily prefetch

Phase 5 — MLB matchup context

Phase 6 — NBA pace factors

Tests added (Session 15)

Quality gates

Honest gaps

Coolify env (Session 15 additions)

Session 14 (2026-06-11) — SHIPPED

Phase 1 — Africa tier checkout

Phase 2 + 3 — Tank01 NBA + MLB wired into computeFeatures

Phase 4 — WNBA + MLB odds proxies

Phase 5 — UX polish

Tests added (Session 14)

Quality gates

Honest gaps

Coolify env (Session 14 additions)

Session 13 (2026-06-11) — SHIPPED

Phase 1 — Africa geo-restriction via CF-IPCountry

Phase 2 — OAuth: Google + Apple + X

Phase 3 — The Slate (browse-first dashboard)

Tests added

Quality gates

Honest gaps (documented, not bugs)

Coolify env (Session 13 additions)

Session 12 (2026-06-11) — SHIPPED

FIX 1 — i18n infrastructure (10 languages, cookie-based)

FIX 2 — Africa tier ($4.99/mo)

Tests added (Session 12)

Quality gates

Open items / follow-ups

Coolify env (Session 12 additions)

Session 10 (2026-06-10) — SHIPPED

FIX 1 — Internal auth refactor + /pipeline off-host support

FIX 2 — Soccer prefetch cascade keys

FIX 3 — Sentry error tracking

90 KiB

Executable File

Raw Blame History