Key Features

Audience: Sales, leadership, prospect's CTO/CEO. Read alongside ../architecture.md — the diagrams there name every module referenced below. Format: One row per shippable capability. Each row has a 1-line description, the owning code path (clickable in most viewers), key dependencies, and a documentation marker.

Doc-status legend — applied per row: - ✓ — covered by a published flow doc in ../flows/ or a runbook in ../runbooks/. - 🆗 — partially documented (architecture or API reference covers it; no dedicated flow doc). - ⚠ — {{TBD}} — not yet documented at flow-doc depth.

---

1. Identity & access

Feature	Description	Owns it	Depends on	Status
Email + password sign-up	Username + email + password registration with email verification mail-out	apps/api/src/auth/auth.controller.ts (sign-up), auth.service.ts	SMTP via external-notification-sender/, captcha (GeeTest or reCAPTCHA), Postgres user table	✓ flows/dropbet-sign-up.md
Email + password sign-in	Bcrypt verification, JWT access + refresh tokens, cookies set with secure flags	apps/api/src/auth/auth.controller.ts, cookies.ts	bcrypt, jsonwebtoken, Redis-backed session via BullMQ producer	✓ flows/dropbet-sign-in.md
2FA (TOTP)	Per-user TOTP secret + OtpGuard for SuperAdmin endpoints; setup + verify + disable flow	apps/api/src/auth/guards/, apps/api/src/auth/auth.service.ts	otplib	🆗 runbooks/2fa-unknown-secret.md
Password reset	Token-based reset via signed URL emailed to verified address	apps/api/src/auth/auth.controller.ts	SMTP	✓ flows/dropbet-password-reset.md
OAuth scaffolding (Google, Steam)	GoogleStrategy + Steam strategy registered in auth.module.ts; setupUsernameAfterOAuthRegistration endpoint exists. Production-readiness: scaffolded; live-traffic enablement is operator config + integration testing	apps/api/src/auth/strategies/google.strategy.ts, apps/api/src/auth/strategies/steam/	Google OAuth client, Steam OpenID	⚠
API key auth	ApiKeyStrategy for service-to-service callers (e.g. external bots, sportsbook S2S)	apps/api/src/auth/strategies/api-key.strategy.ts, apps/api/src/api-key/	—	⚠
Captcha (GeeTest primary)	GeeTest v4 sliding-puzzle captcha on sign-up + sign-in; deduped via Redis cache key	apps/api/src/captcha/geetest/geetest-captcha.service.ts	Redis cache, GeeTest API	🆗
Captcha (reCAPTCHA fallback)	Google reCAPTCHA gate; is-capture-on: off header + NODE_ENV=local bypasses it for E2E + dev	apps/api/src/captcha/google/recaptcha.guard.ts	Google reCAPTCHA	🆗 + runbooks/recaptcha-fails-locally.md
WebSocket auth	Socket handshake via auth={socket_token}, validated against Redis session store; per-IP throttle	apps/rt/src/gateway/, libs/ws-throttler/	Redis cache (MAX_CONNECTIONS_PER_IP=10 per IP, configurable in env)	✓ flows/rt-websocket.md

---

2. Wallet, payments, and accounting

Feature	Description	Owns it	Depends on	Status
Multi-currency balance ledger	user_balance per (user, currency) with amount + vault_amount; transactional ledger writes with idempotency	libs/_prisma/src/schema/api.prisma (UserBalance), apps/api/src/accounting/	Postgres	🆗
FX / USD valuation	ExchangeRatesService.toUsd() for cross-currency display & wager normalisation	apps/api/src/exchange-rates/	external rate feed ({{TBD: provider}})	⚠
Crypto deposit (CCPayment)	CCPayment provider integration: invoice creation, webhook handling, signature verification	apps/api/src/payment/provider/integration/ccpayment/	CCPayment API	🆗 flows/dropbet-wallet.md
Crypto deposit (NowPayments)	NowPayments invoice + IPN webhook + fee/fixed-rate flags	apps/api/src/payment/provider/integration/nowpayments/	NowPayments API	🆗
Skin trading deposits	SkinDeck integration for skin-to-balance flow	apps/api/src/payment/provider/integration/skindeck/	SkinDeck API	⚠
Withdrawal pipeline	withdraw controller + admin approval flow + withdraw-check.service.ts for compliance gates	apps/api/src/payment/withdraw/	KYC status, ledger	🆗
Deposit pipeline	deposit controller + admin review + Redis pub-sub gateway notifier	apps/api/src/payment/deposit/	provider webhook → ledger	🆗
Payment provider abstraction	PaymentProviderModule aggregates all integrations; PaymentProviderService is the single import surface	apps/api/src/payment/provider/payment-provider.module.ts	—	🆗
Network registry	Catalogue of supported chains/networks per provider	apps/api/src/payment/provider/network/	—	⚠
Wallet display	Player-facing wallet UI: balances, deposit, withdraw, history	ebit-fe/src/app/[locale]/... (wallet route)	API client, socket events	✓ flows/dropbet-wallet.md

---

3. Compliance

Feature	Description	Owns it	Depends on	Status
KYC (Sumsub)	Applicant lifecycle: create → upload → review → status webhook → state transition	apps/api/src/kyc/sumsub/, apps/api/src/kyc/kyc.service.ts	Sumsub API + webhooks	🆗
KYC repository	Persistent applicant + document state model	apps/api/src/kyc/kyc.repository.ts	Postgres	🆗
User limits	Self-exclusion, deposit limits, loss limits	apps/api/src/users-limits/ (also apps/bo/src/user-limits/)	accounting, admin	⚠
Geo / country gating	IP → country resolver + restricted-country list	apps/api/src/country/	external geo-IP lookup ({{TBD: provider}})	⚠
Audit logging	Admin notes, OTel spans across every state-changing endpoint, structured pino logs to Loki	apps/api/src/user/admin/notes/, libs/shared/ (NestLoggerModule), docs/observability.md	Loki, Jaeger	🆗

---

4. Casino — house games (in-house RNG)

All settle through the shared bet/ pipeline (apps/api/src/bet/) and produce a bet_settled BullMQ job that drives leaderboard / promo / rakeback.

Game	Code path	Status
Dice	apps/api/src/casino/house/dice/ (dice.service.ts)	✓ flows/dropbet-house-game.md (covers all four house games)
Limbo	apps/api/src/casino/house/limbo/	✓
Mines	apps/api/src/casino/house/mines/ (multi-step rounds, mid-round cashout)	✓
Plinko	apps/api/src/casino/house/plinko/	✓
Provably-fair seeding	apps/api/src/provably-fair/ — server seed rotation, client seed support	🆗

---

5. Casino — live + game-server-driven

Game	App	Description	Code	Status
Blackjack (dropbet)	apps/api (in-process)	Player-facing blackjack UI + game logic served via REST + websocket	apps/api/src/casino/games/... (blackjack ref)	✓ flows/dropbet-blackjack.md
Blackjack (orphan game-server)	apps/bj (port 4002)	Standalone blackjack server with EVO-Games external-wallet path. Currently not wired to dropbet traffic — see architecture §1 trust boundary note	apps/bj/src/main.ts	⚠
Speed Roulette	apps/speed-roulette	EOS-blockchain-anchored roulette wheel; BullMQ state machine concurrency=1 per round	apps/speed-roulette/, libs/_prisma/src/schema/speed_roulette.prisma	✓ flows/dropbet-speed-roulette.md

---

6. Casino — provider-game catalogues (slots + tables via partner)

Adapter pattern: each provider lives in apps/api/src/casino/slots/providers/<name>/, exposing a launch service and a wallet callback.

Provider	Code path	What it ships
Softswiss	apps/api/src/casino/games/api/softswiss/ (CDN + sub-vendor catalogue) + apps/api/src/casino/games/service/hydrate-softswiss.service.ts	Game catalogue hydration from Softswiss CDN
PM8	apps/api/src/casino/slots/providers/pm8/	Launch URL signing, wallet callbacks, controller
BGaming	apps/api/src/casino/slots/providers/bgaming/ (api/bgaming-api.service.ts, wallet/)	Launch + wallet callback + dev-proxy controller
ST8	apps/api/src/casino/slots/providers/st8/	Launch + wallet integration
EvoGames	apps/api/src/casino/slots/providers/evogames/	Launch + wallet integration
Common provider scaffolding	apps/api/src/casino/slots/providers/common/	Shared signature/HMAC helpers, error taxonomy

Status across the row: 🆗 — the adapters exist and are wired into slot-games.service.ts; per-provider integration depth varies, see integration-options.md §Game provider integration model.

---

7. Sportsbook

Feature	Description	Owns it	Status
Sportsbook proxy	Player-facing endpoints proxy to upstream odds engine	apps/api/src/sportbook/sportbook.controller.ts, sportbook.service.ts	⚠
S2S auth	Service-to-service auth for upstream odds engine callbacks	apps/api/src/sportbook/s2s/	⚠
Sportsbook actions / transactions	Bet placement → settlement → ledger writeback	apps/api/src/sportbook/actions/transactions/	⚠
System endpoints	Health / config / catalogue endpoints	apps/api/src/sportbook/system/	⚠

Note: sportsbook is a proxy. Evospin does not run an odds engine; the upstream provider is operator-configured.

---

8. Bet pipeline

Feature	Description	Owns it	Status
Bet placement	Single canonical endpoint per game; decoupled validation, balance hold, settlement	apps/api/src/bet/ (BetController, BetCrudService, BetRepository)	✓ flows/dropbet-bet-place.md
Bet settlement queue	BullMQ bet_settled_queue — every settled bet drives downstream processors (leaderboard, promo, rakeback, GGR)	apps/api/src/bet/queue/	🆗
Bet history	Paginated player history; admin-side detailed view	apps/api/src/bet/, apps/bo/src/bet/	✓ flows/dropbet-bet-history.md, flows/admin-bets.md
GGR commission	Provider-game GGR computed via ggr-commission.service.ts	apps/api/src/casino/games/service/ggr-commission.service.ts	⚠

---

9. Promotions, loyalty, social

Feature	Description	Owns it	Status
Promo / bonus	PromoController + PromoEffectService apply bonuses on deposit / sign-up / events; lock.decorator.ts for race safety	apps/api/src/promo/	🆗
Challenges	Award-only challenges driven by admin; wager / win triggers	apps/api/src/challenge/	✓ flows/dropbet-challenges.md
Leaderboard	Periodic recompute (leaderboard.checker.ts), gateway pushes top-N to subscribed sockets	apps/api/src/leaderboard/	✓ flows/dropbet-leaderboard.md
Rakeback	Computed on bet_settled events	apps/api/src/rakeback/	🆗
VIP program	Tier progression based on wagered volume	apps/api/src/vip-program/	⚠
Tips (peer-to-peer)	Player-to-player balance tips with admin reversal capability	apps/api/src/tips/, apps/api/src/admin-tips/	⚠
Affiliate	Affiliate-link tracking + commissions	apps/api/src/affiliate/	⚠
Traffic arbitrage	Arbitrage marketing campaign accounting	apps/api/src/traffic-arbitrage/	⚠
Telegram bot integration	Bot endpoints for in-Telegram interactions	apps/api/src/telegram/	⚠
FastTrack bonus tracker	RabbitMQ producer to FastTrack — stubbed (disabled = true at line 8 of apps/api/src/fast-track/rabbitmq/fast-track.rmq.module.ts)	apps/api/src/fast-track/	⚠

---

10. Real-time + chat

Feature	Description	Owns it	Status
WebSocket fan-out	socket.io v4, /events namespace, websocket-only transport, Redis pub/sub backplane	apps/rt/src/gateway/	✓ flows/rt-websocket.md
Online tracker	Live online-user counter, broadcast to UI	apps/rt/src/online-tracker/	🆗
Event catalogue	Typed event definitions consumed by FE socket-client	apps/rt/src/gateway/events.ts	✓
RT notifications	API-side publishers → gateway pub/sub → rt	apps/api/src/rt-notification/	🆗
Chat	In-game chat channels + admin moderation	apps/api/src/chat/	⚠

---

11. Admin / backoffice

Feature	Description	Owns it	Status
Admin sign-in (2FA-gated)	Admin login with TOTP, role-based access, OtpGuard for SuperAdmin	apps/api/src/auth/ (admin paths), ebit-admin-fe/src/app/(auth)/	✓ flows/admin-sign-in.md
User management	List, search, ban, KYC review, balance adjustment, notes	apps/api/src/user/admin/, apps/bo/src/user/, ebit-admin-fe/.../user/	✓ flows/admin-user-mgmt.md
Bet review	Per-bet inspection with full audit trail + ledger correction	apps/bo/src/bet/, ebit-admin-fe/.../bets/	✓ flows/admin-bets.md
Promo / challenge / leaderboard CRUD	Admin CRUD over promotional content	apps/api/src/promo/controllers/, apps/api/src/challenge/controller/, apps/api/src/leaderboard/admin.leaderboard.controller.ts	🆗
Site config	Feature flags + runtime toggles	apps/api/src/site-config/, apps/bo/src/site-config/	⚠
FAQ CMS	FAQ content management	apps/api/src/faq/, apps/bo/src/faq/	⚠
Dashboards	Operator KPI dashboards	apps/api/src/dashboard-v2/, apps/api/src/dashboard/, ebit-admin-fe/.../dashboard/ (Ant Design charts)	⚠
Affiliate / API key admin	Affiliate management, API key rotation	apps/bo/src/affiliate/, apps/bo/src/api-key/	⚠

---

12. Frontends

App	Framework	Role	Code	Status
ebit-fe (dropbet)	Next.js (next-intl en/de, socket.io-client)	Public player site	ebit-fe/src/app/[locale]/	✓ — covered by every flows/dropbet-*.md
ebit-admin-fe	Vite + React (TanStack Router)	Internal admin panel (single language)	ebit-admin-fe/src/routes/	✓ — covered by every flows/admin-*.md

Versions and full stack inventory: ../engineering/stack.md.

---

13. Async, observability, infrastructure (cross-cutting)

Capability	Description	Owns it	Status
BullMQ async runtime	All production queues: auth-session updates, bet settlement, bots, leaderboard, promo, user-stats migration, skindeck deposits, both speed-roulette queues	apps/api/src/**/bull/, apps/api/src/**/queue/, @nestjs/bullmq	🆗 — see CLAUDE.md §"Async queues"
House-bot fleet	Simulated-activity bots driven by BullMQ producers, isolated on Redis :6380	apps/api/src/bots/system/bull/, apps/api/src/bots/bot.service.ts	⚠
RabbitMQ broker	In compose (vhost=ft), wired only to FastTrack stub — receives zero traffic until stub removed	apps/api/src/fast-track/rabbitmq/	⚠
OpenTelemetry pipeline	Pre-main bootstrap, OTLP HTTP to collector, spanmetrics → Prometheus, traces → Jaeger, logs → Loki via pino	libs/shared/ (OTel pre-main), observability/otel-collector.yml	✓ ../observability.md, ../e2e-trace-demo.md
Sentry	Errors + source maps for all three apps	sentry.*.config.ts per repo	🆗
Performance test harness	k6 + Playwright canary, terraform modules for monitoring + app VMs	tests-perf/ (root), terraform/perf/	✓ ../performance-testing.md
Provably-fair fairness	Server-seed rotation, HMAC-bound per-bet seeds	apps/api/src/provably-fair/	🆗
Multi-tier rate limiting	Per-route sliding-window throttle (Lua on cache Redis), per-IP WS connection cap	apps/api/src/captcha/ (HTTP), libs/ws-throttler/ (WS)	🆗
Doppler-managed secrets	All env vars in dev pulled via run_local.sh from Doppler	each repo's run_local.sh	🆗

---

Cross-links

• value-proposition.md — why these features matter, what's actually unique.
• integration-options.md — which features are pluggable / replaceable.
• ../architecture.md — C4 diagrams that name every component above.
• ../glossary.md — every term, with file:line citation.
• ../flows/ — flow-doc deep dives for every ✓ row.
• ../runbooks/ — operational responses for the most common 2FA / login / captcha / queue / log gaps.