Bet2 — Sportsbook Platform Audit & Gap Analysis

1. Executive Assessment

22 / 100

Overall Maturity

MVP

Product Stage

NO-GO

Real-money Launch

B+

Feed & UI Craft

Verdict in one paragraph

Bet2 is an impressive front-end and odds-ingestion prototype — the Altenar harvester, 7-group market classifier, pulsing odds UI, Sportradar LMT modal, idempotent upsert, and SettlementEngine scaffolding are well-crafted. However, measured against a real-money, multi-jurisdiction sportsbook, this is still an MVP. It lacks the player lifecycle, wallet/ledger, KYC/AML, risk console, trader controls, compliance tooling, payment rails, DevOps hardening, audit trails and reporting that define a professional operator. Launching this as-is on real money would be financially reckless and likely illegal in every regulated market.

Biggest weaknesses (top 8)

No double-entry wallet / ledger. There is no trusted source of truth for money. You cannot launch without this.
No KYC / AML / PEP / sanctions / age verification. Automatic regulatory blocker everywhere (UK, MGA, Curaçao-new, US, Ontario, France, Spain, Germany, Brazil SPA, etc.).
No payment gateway integration. Deposits/withdrawals do not exist.
No trader / risk console. Exposure, liability, stake factors, market suspension, manual settlement — none of it is operator-controllable.
No responsible gambling tooling. Deposit/loss/session/wager limits, self-exclusion, reality checks — all missing. Hard regulatory fail.
No immutable audit trail. Bet lifecycle, odds version history, admin actions and settlement changes are not reconstructable.
Single-node monolith, no HA, no queues, no CI/CD, no monitoring. Production traffic will crush it.
No multi-tenant / white-label / jurisdictional layer. Everything is hard-coded to one skin, one currency, one rules set.

2. Missing Features — Detailed Gap Table

Priority: Critical High Medium Low · Complexity: Low Med High

Category	Missing Option / Function	Why it matters	Risk if missing	Priority	Complexity	Suggested implementation
1. Architecture	Service decomposition (Wallet, Risk, Settlement, Feed, Auth, CRM, Report) as separate processes behind an API gateway	Single monolith cannot scale live-odds bursts or isolate failure domains	Outage of one sport freezes the whole site	Critical	High	Extract services into PHP-FPM pools or Node/Go microservices; Nginx/Envoy as gateway; Redis + RabbitMQ between services
	Message queue (RabbitMQ / Kafka / Redis Streams)	Every current flow is synchronous cURL loops	Data loss, stalls, unbounded DB locks	Critical	Med	Redis Streams for odds diff + bet events, RabbitMQ for settlement and payments
	Read replicas + CQRS split	Harvester writes hit the same DB as hot reads from clients	Slow UI, lock contention, corrupted cycles	High	Med	MySQL primary for writes; 2 read replicas for `/api/*`; ProxySQL router
	Multi-region / HA deployment blueprint	Laragon single-box only	One reboot = total outage	High	High	2× app servers + HAProxy + managed MySQL (Galera/AWS Aurora) in EU + failover region
	Disaster recovery plan + backups + PITR	No RTO/RPO defined	Permanent data loss	Critical	Low	xtrabackup hourly, binlog streaming, encrypted offsite, tested restore runbook
	API-first contract (OpenAPI)	Current APIs are undocumented ad-hoc PHP	Partners, mobile app, QA all blocked	High	Low	Write OpenAPI 3.1 for every `/api/*`, generate SDKs, CI-validate
	Fault-tolerance patterns (circuit breaker, timeouts, retries, idempotency keys)	cURL to Altenar has no budget, no breaker	Upstream flaps will melt your DB	High	Med	Guzzle + `ghostff/circuit-breaker` or custom; idempotency key per bet
	Multi-tenant / skin layer	Hard-coded to `sb2vegasbet`	Cannot onboard second brand / jurisdiction	High	Med	`tenants` table, tenant-scoped config, branding, rules, feeds, currencies
2. Player Mgmt	Full registration funnel (email verify, phone verify, SOF, SOW, document upload, selfie liveness)	Cannot legally open accounts	Regulatory shutdown	Critical	High	Integrate Sumsub / Onfido / Veriff / Jumio; async webhook → user status state machine
	MFA/2FA (TOTP, SMS, WebAuthn)	No second factor	Mass ATO, chargebacks	Critical	Low	Google Authenticator TOTP + optional WebAuthn; backup codes
	KYC state machine (pending, in-review, verified, rejected, expired, re-KYC)	Today: no state at all	Cannot gate deposits / withdrawals	Critical	Med	`kyc_cases` table; per-jurisdiction threshold engine; auto-expiry at 12/24 months
	AML monitoring (transaction monitoring, SAR/STR filing)	No detection	Criminal liability for operator	Critical	High	ComplyAdvantage / Napier rules engine; alert queue; case manager
	PEP / sanctions / adverse-media screening on signup and ongoing	Must-have for every licence	Fines, licence loss	Critical	Med	Hook KYC provider; re-screen nightly
	Player account tiers / VIP	No segmentation	Cannot run retention or bespoke limits	High	Low	`user_segments` with rules; VIP manager assignment
	Self-exclusion (temporary, permanent, GAMSTOP-style national register hooks)	RG law	Licence loss, lawsuits	Critical	Med	Irreversible flag + national integration (GAMSTOP, ROFUS, Spelpaus, Rejstřík vyloučených osob)
	Dormant / cool-off / account closure workflows	No lifecycle	Regulatory + data-retention fail	High	Low	Scheduled job; state transitions logged
	Bonus-abuse flags & fraud markers on user profile	Cannot defend	Bonus hunters drain margin	High	Low	`user_flags` table with reason, evidence, TTL
3. Wallet & Payments	Double-entry ledger (immutable journal + balance snapshots)	Current model has no `wallet_transactions` journal	Money loss, fraud, impossible audit	Critical	High	`ledger_entries(debit_account,credit_account,amount,currency,tx_type,ref)`; append-only; balances derived
	Main / bonus / locked wallet separation	Single balance confuses wagering, KYC holds, withdrawals	Incorrect bonus behaviour	Critical	Med	Wallet account types per user; clear priority rules for stake deduction
	Payment gateway integrations (Stripe / Skrill / Neteller / MuchBetter / PayPal / bank / crypto)	You cannot take money	No business	Critical	High	Adapter pattern with `PaymentProvider` interface; PSP orchestrator; 3DS2 flow
	Withdrawal review & approval queue (KYC gated, AML score, manual approval above thresholds)	Auto-pay = auto-fraud	Massive loss	Critical	Med	State machine: requested → under-review → approved → sent → settled / rejected
	Reconciliation engine (daily PSP vs ledger)	Must match to the cent	Silent money leak	Critical	Med	Nightly CSV/API pull from PSP, auto-match on `ext_ref`, exception queue
	Chargeback handling + fraud score on deposits	Disputes will come	PSP de-risk, loss of processor	High	Med	Webhook handler; auto-lock wallet; Kount/Sift device score
	Multi-currency + FX module	Only 1 currency assumed	Cannot expand	High	Med	Store currency per account; daily FX rates table; conversion entries
	Payment routing & smart cascading	Deposit success rate will be poor	Lost revenue	Medium	Med	Route by BIN, country, amount, PSP uptime
	Reversal / refund / manual credit flows with maker-checker	Support team has no tools	Fraud by insiders	High	Low	Admin action requires second approver above €100; all logged
4. Betting Engine	Server-authoritative bet placement (price re-fetch, lock check, stake validation, exposure check, wallet atomic debit)	Client today talks directly to `odds` rows	Price manipulation, stale odds, negative balance	Critical	High	One endpoint `/api/bet/place` inside DB transaction; idempotency key; row-level lock on wallet
	Bet state machine (pending, accepted, partial-accept, rejected, open, won, lost, void, half-won, half-lost, cashed-out, resettled)	Mandatory	Unresolved bets, disputes	Critical	Med	`bet_status` ENUM + transition log
	Odds-change & acceptance policy (accept higher only, accept any, decline)	Industry standard	Players revolt on surprise prices	High	Low	Per-user setting; server applies during `place`
	Singles / Multiples / System (Yankee, Trixie, Lucky 15/31/63, Heinz, Canadian, SGP)	Only single-line detected	No revenue from combos (largest margin source)	Critical	High	Generic combination generator + correlation matrix for SGP
	Cashout & partial cashout engine	Standard feature	Competitor disadvantage	High	High	Real-time expected-value pricing using current market prices + margin
	Bet builder / SGP with correlation-aware pricing	Player expectation	Lost volume	Medium	High	Use provider (Kambi, IMG Arena, BetGenius) or in-house Monte Carlo
	Push / dead-heat / void / postponed / abandoned rules engine	Not implemented	Regulatory and dispute risk	Critical	Med	Rule templates per sport/market; executed by settlement engine
	Resettlement (score correction / VAR / disciplinary)	Results change	Customer complaints, regulator fines	Critical	Med	Reverse original ledger entries, apply new; full audit
	Early payout rules	Popular promo lever	Lost acquisition	Low	Low	Config-driven per market
	Bet acceptance delay (offer-counter-offer) for live	Standard protection	Latency arbitrage drains profits	High	Med	Configurable 3–8s delay per sport; during delay check exposure & odds
5. Odds / Trading	Trader console (suspend market / event / sport / outcome, adjust line, adjust margin, set limits)	Traders have ZERO control today	Cannot react to news, injuries, sharp action	Critical	High	Vue/React SPA + WebSocket; per-action audit
	Auto-suspend on price swing / goal / red card / betrad alert	Live-betting must-have	Massive live losses	Critical	Med	Subscribe to Sportradar Betradar feed events; rule engine
	Margin / overround controller per sport / market / jurisdiction	Margin is whatever Altenar gives	Can't compete on price or protect hold	High	Med	Post-ingest margin reshaper; logs vs source
	Exposure / liability matrix (real-time per selection, per user segment)	Invisible risk	Black-swan loss	Critical	High	Roll up on every accepted bet in Redis sorted set; alert thresholds
	Stake factor / player-specific limits	Sharps will farm you	Long-term losses	Critical	Med	Score per user; multiplier on max stake; applied at bet placement
	Competitor price monitoring	Need to see market	Uncompetitive or too generous	Medium	Med	Scraper or OddsJam / BetGenius feed
	Manual market & manual event creation	Novelties, specials, politics	Missed revenue	Medium	Med	Admin UI producing same `markets/odds` schema
6. Coverage / Markets	Outrights / futures management	Only event-level markets shown	Missing high-margin products	High	Med	Separate table for outrights, each competitor is an outcome
	Player props with official stats-provider settlement	Huge US/UK driver	Revenue loss	High	High	Sportradar/Stats Perform player feed; settle by box score
	Event lifecycle (scheduled → live → finished → resulted → settled → archived) explicit	Today ad hoc	Stuck events, ghost bets	High	Low	ENUM + transitions + cron check
	Localized market names + translations	Single language	Cannot expand	Medium	Low	`market_translations(market_key,lang,name)`
7. Settlement	Primary results source + fallback chain + manual override	GetResults returned placeholder; current fallback is GetEventDetails	Wrong / missed settlement	Critical	Med	Sportradar Results API primary, Enetpulse secondary, manual last
	Settlement QA (4-eye approval for non-automatic)	No review	Insider fraud	High	Low	Maker-checker gate above threshold
	Partial settlement for in-play markets already decided	Players expect	UX complaints, funds held too long	Medium	Med	Per-market-template allow-list
	Rollback + resettle with ledger-perfect reversal	Currently impossible	Regulatory fail	Critical	Med	Ledger reversal entries referencing original
	Abandoned / postponed cut-off windows per sport	Rules vary	Disputes	High	Low	Rule config; e.g. tennis finish-in-48h, football restart-in-24h
8. Risk	Risk dashboard (top exposures, top winners, top losers, top bettors)	Operators need it every minute	Can't react	Critical	High	Grafana / custom; Redis-backed live metrics
	Sharp / syndicate / arbitrage detection	Pattern matching on stake timing vs price move	Losses to pros	High	High	Daily batch + real-time feature store
	Multi-accounting (same device / IP / payment fingerprint)	Bonus abuse + collusion	Margin drain	Critical	Med	Device graph; Seon / Sift / in-house
	Velocity checks (deposits per hour, bets per minute, login attempts)	Fraud signal	ATO, bonus abuse	High	Low	Redis counters with sliding window
	Automated risk actions (freeze, reduce stake factor, re-KYC, escalate)	Respond at scale	Manual can't cope	High	Med	Rule engine + audit log
	IP / VPN / proxy / TOR detection + geofencing	Jurisdictional must	Illegal bet acceptance	Critical	Low	MaxMind GeoIP2 + IPQualityScore
9. Security	WAF + DDoS + rate limiting + bot protection	You will be attacked day one	Outage, data breach	Critical	Low	Cloudflare / AWS WAF; per-endpoint rate-limit
	RBAC for admin	No admin tooling exists	Insider risk	Critical	Med	Casbin / Spatie-like; per-action permission; admin audit
	Secrets management (Vault / KMS)	Config files in repo	Credential leaks	Critical	Low	Hashicorp Vault / AWS Secrets Manager; rotate quarterly
	TLS everywhere + HSTS + CSP + CSRF + session hardening	Unverified	Credential theft	Critical	Low	Harden Nginx; enable `Secure`, `HttpOnly`, `SameSite=Lax`
	Encryption at rest (PII, KYC docs, card tokens)	GDPR + PCI	Fines	Critical	Med	AES-256 per-column for PII, S3 SSE-KMS for docs
	Security audit log (who did what, when, from where)	Mandatory	No investigations possible	Critical	Low	Append-only table + SIEM
10. Compliance	Jurisdiction configuration engine (country → licence → allowed markets / stakes / ages / languages / currencies)	You cannot be compliant otherwise	Licence loss	Critical	High	`jurisdictions` + `jurisdiction_rules` + middleware that enforces per request
	Regulatory reporting (UKGC RTS, MGA LAD, SGA SDRF, ONJN, ANJ…)	Licence obligation	Fine / suspension	Critical	High	Scheduled exports in required formats
	Consent + T&C + policy version tracking	GDPR / PECR	Fines	High	Low	`user_consents(user_id,policy_id,version,ts)`
	Right-to-be-forgotten / data export (GDPR)	Mandatory EU	Fines	High	Med	Anonymization scripts; CSV export endpoint
	Source of funds / wealth flow	Mandatory for high rollers	AML fine	Critical	Med	Trigger by deposit threshold or velocity; doc upload UI
11. RG	Deposit / loss / wager / session / single-bet limits (daily / weekly / monthly)	Everywhere	Licence loss	Critical	Med	Enforced in wallet + betting service; 24h cool-down on increases
	Reality checks + session timer	UK, DE, NL require it	Non-compliance	Critical	Low	Every 60 min popup
	Self-exclusion (1 mo, 6 mo, 5 yr, permanent) + national register integration	Mandatory	Licence loss	Critical	Med	Per-jurisdiction adapters
	Behavioural risk score (affordability signals)	UK / NL / Germany strongly	Regulatory, reputational	High	High	ML on deposit frequency, chasing losses, late-night sessions
	RG dashboard for support	Hand-holding	Harm to player	High	Med	Alerts + intervention log
12. Promotions	Bonus engine (free bet, bonus money, cashback, odds boost, mission, tournament, leaderboard)	Retention & acquisition	No growth	High	High	Rule-based promo service + bonus wallet + wagering tracking
	Wagering requirement tracker	Mandatory for bonuses	Bonus abuse, disputes	Critical	Med	Event-sourced: accumulate qualifying stake; flush on completion
	Targeting + segmentation + A/B	Standard CRM	Wasted promo spend	Medium	Med	Braze / Optimove / in-house
	Promo code / coupon system	Marketing need	Miss campaigns	Medium	Low	Redeemable codes table + usage cap
	Bonus abuse detection	Must	Loss of margin	High	Med	Same-device, same-IP, stake-patterns rules
	Promo P&L report	Finance	Blind spending	High	Low	Reporting cube
13. CRM	Email / SMS / Push / WhatsApp orchestration	Retention backbone	High churn	High	Med	Sendgrid / Twilio / OneSignal; template versioning
	Player segmentation + recommendation engine	Personalization drives NGR	Lost revenue	Medium	High	Event stream to data warehouse → segments
	Churn prediction + re-engagement	Must-have	Wasted CAC	Medium	High	Model on BigQuery / Snowflake
	VIP / host CRM desk	Whales generate majority of NGR	Losing them	High	Med	CRM module + dedicated console
14. Frontend / UX	Native mobile apps (iOS & Android) + responsive PWA	>75% of betting is mobile	Massive revenue gap	Critical	High	React Native or Flutter; shared API
	Live streaming + match tracker integration (Sportradar / IMG / Genius)	Drives live betting by ~3×	Revenue loss	High	Med	Geo-gated stream URL; iframe
	Betslip UX for changing odds / suspended selections / partial accept	Not implemented	Frustration, churn	Critical	Med	Explicit banners; "accept new price"
	Accessibility (WCAG 2.1 AA)	Legal in EU/UK	Fines + bad press	High	Med	Semantic HTML audit; screen-reader tests
	i18n (RTL, locale, plural)	Global market	Cannot expand	High	Med	gettext / i18next
	Performance budget + WebSocket odds (no 5-second polling)	Current 5 s polling is heavy	Latency / cost	High	Med	Dedicated WS server; server pushes diffs
15. Admin / Back-office	Complete admin SPA: Customer, Risk, Trader, Finance, Marketing, RG, Support, Reporting, Config	None exists	Operation impossible	Critical	High	React + API gateway + RBAC
	Customer 360 view (balance, bets, deposits, KYC, flags, comms)	Basic need	Support cannot work	Critical	Med	Aggregated endpoint
	Maker-checker on sensitive actions	Insider fraud	Financial loss	High	Low	Second approver required above thresholds
	Bet search / inspection with full lifecycle trace	Must	Disputes	Critical	Med	Bet timeline: placed → odds history → suspensions → settlement
	Config management (limits, stakes, margins, promotions) versioned	Hard-coded	Operational brittleness	High	Med	DB-backed config + audit
	Admin action log + SIEM export	Audit	Blind spot	Critical	Low	Append-only table, daily export
16. Support	Ticketing + live chat + WhatsApp + SLA	Players expect it	Churn	High	Med	Zendesk / Freshdesk integration
	Dispute workflow per bet / deposit / withdrawal	Regulatory	Fines	High	Med	Queue + SLA timers
	Knowledge base + help center + self-service	Deflection	Cost	Medium	Low	CMS pages
17. Reporting / BI	GGR / NGR / turnover / hold% / liability daily + real-time	Board reporting	Blind business	Critical	Med	DWH (ClickHouse / BigQuery) + Metabase / Looker
	Cohort, retention, LTV, ARPU, churn	Growth	Wasted marketing	High	Med	Event layer in DWH
	Player profitability score	Risk + marketing	Can't tier	High	Low	Daily job
	Regulatory-grade reports (daily bet log, self-exclusion register, AML report)	Licence	Fines	Critical	Med	Format per regulator
	Real-time ops dashboard (Grafana)	SRE need	Outages	High	Low	Prometheus exporters on every service
18. Affiliate	Affiliate tracking, CPA/RevShare/Hybrid, sub-affiliates, attribution	Major acquisition channel	No growth	High	High	Income Access / Cellxpert / MyAffiliates or build
	Fraud controls on affiliate traffic	Bot traffic common	Wasted CPA	High	Med	Device fingerprint, velocity
	White-label / skin support	Scale	Stuck single-brand	Medium	High	Multi-tenant already listed
19. Integrations	Secondary odds feed (Betradar, BetGenius, OddsJam) for redundancy	Altenar single point	Outage = no product	Critical	High	Feed abstraction + failover
	Webhook reliability (retries, DLQ, signing, idempotency)	Crashes lose events	Money loss	Critical	Med	Outbox pattern + worker
	Monitoring per integration (uptime, p99 latency, error budget)	Need visibility	Hidden outages	High	Low	Pingdom / Datadog synthetic
	Streaming provider	Live engagement	Revenue loss	Medium	Med	Betradar LCO / IMG Arena
	Fraud provider (Seon, Sift, Sardine)	Faster than in-house	Fraud loss	High	Low	Signal on login, deposit, bet
20. Data Model	Immutable event log / event sourcing for bet & wallet	Replay & audit	Cannot reconstruct disputes	Critical	High	Append-only `events` table; build snapshots
	Odds versioning (you have `odds_history` — need full `odds_snapshot_at_bet` per bet)	Regulatory audit	Fail audit	Critical	Low	Serialize market + odds at bet placement
	Admin action history	Audit	Cannot investigate	Critical	Low	Same table pattern
	Settlement state history	Resettlement	Disputes	High	Low	State transitions logged
	Config versioning	Blame / rollback	Outage root-cause unclear	Medium	Low	Git-like config table
21. DevOps / QA	CI/CD pipelines (lint, unit, integration, E2E, security scan, deploy)	None	Broken deploys	Critical	Med	GitHub Actions / GitLab CI
	Automated tests (unit >70%, integration for bet lifecycle, E2E via Playwright)	None	Regressions in production	Critical	High	PHPUnit + Pest + Playwright
	Environment separation (dev / staging / prod)	Only local	Dangerous	Critical	Low	Terraform / Ansible
	Observability (metrics, traces, structured logs)	Only `sync_log`	Hidden issues	Critical	Med	OpenTelemetry + Grafana stack
	Load + chaos testing	Big match days	Crash	High	Med	k6 / Locust; GameDay
	Feature flags & progressive rollout	Safe releases	Outage from bad deploy	High	Low	Unleash / LaunchDarkly / DB-flag
22. Performance	WebSocket odds push + client diffing	5 s polling doesn't scale	High DB cost, laggy UX	Critical	Med	Centrifugo / Soketi; server broadcasts deltas
	Cache layer (Redis) for market trees, odds snapshots	Hot reads	DB chokes	Critical	Low	Cache with TTL + invalidation on update
	DB indexing audit + partitioning	501 matches x 8k odds today = tiny. Tomorrow 200k	Query cliff	High	Low	EXPLAIN every query; partition `odds_history` by day
	Load shedding / back-pressure	Big kickoff	Meltdown	High	Med	Queue depth gates; 503 early
23. i18n	Multi-language + RTL + locale-aware formatting	Global	Lost markets	High	Med	Phrase / Crowdin
	Local payment methods	Conversion	Lost deposits	High	Med	PSPs per geo
	Time zone & date formatting	Trivial but missing	Confusion	Medium	Low	User-setting; per-page format
24. CMS	Dynamic homepage / banners / promo pages with A/B	Marketing	Frozen content	Medium	Med	Strapi / Contentful
	SEO structure (schema, sitemaps, canonicals)	Organic acquisition	Lost traffic	Medium	Low	Per-event SSR page
	Help center content model	Support deflection	Cost	Low	Low	CMS
25. Legal	Versioned house rules / market rules / bonus T&C / privacy / RG policy per jurisdiction	Mandatory	Licence	Critical	Low	Content repository with version + audit + acceptance log
	Cookie consent + DPA + DSR workflow	GDPR	Fine	High	Low	OneTrust / Cookiebot
	Change log of accepted T&C per user	Dispute defense	Lose complaints	High	Low	Consent table

3. Critical Gaps — Top 20 Launch Blockers

No user / auth / KYC system — you cannot legally onboard a single real-money player.
No wallet or double-entry ledger — nothing to debit on bet placement or credit on settlement.
No payment gateway integration — zero deposits, zero withdrawals.
No responsible-gambling tooling (limits, self-exclusion, reality checks) — instant licence refusal.
No AML / PEP / sanctions screening, no SAR filing — criminal liability.
No server-authoritative bet placement — client-side odds manipulation is trivial today.
No bet state machine, no settlement lifecycle, no resettlement — every dispute is unwinnable.
No trader / risk console and no manual suspension — traders are blind to exposure.
No real-time exposure / liability monitoring — black-swan waiting to happen.
No auto-suspension on live events (goal, red card, delay) — live losses are inevitable.
No per-user stake factor / limits / syndicate detection — sharps will farm you.
No multi / system / SGP / cashout — no real revenue product.
No immutable audit trail (bet, odds at bet, admin, wallet) — regulators will fail the audit in 10 minutes.
No admin / back-office suite — you cannot operate, support, or investigate.
No jurisdiction / multi-tenant engine — one-country-only, one-brand-only.
No GDPR tooling (consent, DSR, retention, encryption at rest).
No CI/CD, no tests, no staging, no monitoring, no backups, no DR — a single bug or reboot kills you.
No WAF, rate-limiting, MFA, RBAC, secrets vault — Day-1 security breach risk.
Single upstream feed (Altenar only) with no failover — one feed outage = zero product.
No regulatory reporting pipeline (daily bet file, self-exclusion register, AML report) — guaranteed fines.

4. Professional Sportsbook Checklist

Legend: PRESENT MISSING NEEDS IMPROVEMENT NOT ENOUGH INFO

Product & Architecture

NEEDS Monolith suitable for MVP only — needs service split
MISSING Message bus / async processing
MISSING Multi-tenant / white-label layer
MISSING API-first OpenAPI contracts
MISSING High-availability / multi-region / DR
NEEDS Circuit breaker / retries / idempotency

Account & Player Mgmt

MISSING Registration / email / phone verify
MISSING MFA
MISSING KYC provider integration
MISSING PEP / sanctions / AML screening
MISSING Self-exclusion + national register
MISSING Account tiers & VIP
MISSING RG profile
MISSING Dormant / closure workflows

Wallet & Payments

MISSING Double-entry ledger
MISSING Bonus wallet
MISSING PSP integration(s)
MISSING Withdrawal review
MISSING Reconciliation job
MISSING Chargeback handling
MISSING Multi-currency + FX

Betting Engine

NEEDS Pre-match UI exists; no server-auth bet placement
NEEDS Live odds pipeline exists; live bet placement missing
MISSING Multiples / systems / SGP
MISSING Cashout / partial
MISSING Bet state machine
MISSING Acceptance-delay offer engine
MISSING Resettlement
MISSING Void / push / dead-heat rules

Odds / Trading

PRESENT Altenar harvester (menu + live + upcoming + details)
PRESENT 7-group market classification (main/goals/halves/corners/cards/players/specials)
PRESENT Odds history & direction tracking (idempotent upsert fixed 2026-04-22)
MISSING Trader console
MISSING Auto-suspend on goal / delay
MISSING Margin controller
MISSING Real-time exposure / liability
MISSING Stake factor per user
MISSING Secondary feed failover

Sports & Coverage

PRESENT Sport/category/championship hierarchy
PRESENT Live + upcoming fixtures
PRESENT Sportradar LMT (widget) stats modal
MISSING Outrights / futures module
MISSING Player props with stats settlement
MISSING Localized market names

Settlement

NEEDS SettlementEngine scaffold via GetEventDetails fallback — no primary results provider, no QA gate
MISSING Rollback / resettle
MISSING Void / postponed / abandoned rules
MISSING Maker-checker

Risk

MISSING Exposure dashboard
MISSING Multi-accounting detection
MISSING Device fingerprint
MISSING Velocity checks
MISSING Geo + VPN detection
MISSING Sharp / syndicate scoring

Security

MISSING WAF + DDoS
MISSING Rate limiting
MISSING MFA / RBAC
MISSING Secrets manager
MISSING Encryption at rest for PII
MISSING Security / admin audit log

Compliance / RG

MISSING Jurisdiction rules engine
MISSING Deposit / loss / wager / session limits
MISSING Reality checks
MISSING Self-exclusion
MISSING Affordability scoring
MISSING Regulatory reports

Promotions & CRM

MISSING Bonus engine
MISSING Wagering tracker
MISSING Email/SMS/push
MISSING Segmentation / recommendations
MISSING VIP desk

Frontend / UX

PRESENT Web UI: 3-col layout, market-group tabs, pulsing odds, search, +MORE, stats icon, pulsing EN DIRECT
NEEDS 5-second polling → WebSocket
MISSING Native iOS / Android
MISSING Live streaming integration
MISSING Accessibility audit (WCAG 2.1 AA)
MISSING i18n / RTL / locales
MISSING Betslip UX for odds change / suspend / partial accept

Admin & Back-office

MISSING Admin SPA
MISSING Customer 360
MISSING Trader / Risk / Finance / Support consoles
MISSING Maker-checker
MISSING Config mgmt (versioned)

Reporting / BI

MISSING GGR / NGR / turnover / hold
MISSING Cohort / LTV / churn
MISSING Regulatory reports
MISSING Ops dashboard (Grafana)

DevOps / QA

PRESENT Local sync daemon + test_all.php smoke (23/23)
MISSING CI/CD
MISSING Unit / integration / E2E tests
MISSING Staging
MISSING Observability (metrics/traces/logs)
MISSING Load & chaos
MISSING Backups + DR

5. Advanced Features for a World-Class Sportsbook

AI-driven pricing & player-specific odds (elastic prices based on segment, exposure, and player CLV).
Request-a-bet with LLM parsing and automated price quote.
Bet builder with Monte-Carlo correlation pricing for same-game combos.
Real-time cashout with partial cashout and auto-cashout triggers.
Live streaming geo-gated with betting overlays and multi-camera.
Personalized home page (ML recommendations per user).
Social sportsbook features: follow friends, copy-bet, leaderboards, community predictions.
Predictive affordability & RG scoring (behavioural model to intervene early).
Open banking for SOF & real-time KYC (Trustly, TrueLayer).
Crypto rails (stablecoin deposits, on-chain KYC attestations, Travel Rule).
Data warehouse + real-time CDP (Kafka → ClickHouse → Rudderstack → Braze).
Feature flags + progressive delivery with per-tenant rollout.
Chaos Engineering GameDays and automated failover drills.
Self-service BI for traders and marketers (Looker, Metabase, Superset).
Tokenized bet history / receipt with cryptographic proof for disputes.
Syndicate & bot detection via graph databases (Neo4j) on device / IP / payment clusters.
Embedded sportsbook SDK for partners (widgets, deep links).
On-device biometrics (Face/Touch ID) for high-risk actions.
Trader AI co-pilot that suggests line moves from exposure, news feeds, and social sentiment.
Regulatory real-time API for direct regulator feed (UKGC GAP / DGOJ / ANJ where required).

6. Risk & Compliance Red Flags

Regulatory

No KYC, AML, PEP/sanctions, age-verification, self-exclusion, RG limits, consent tracking, SOF/SOW → automatic licence refusal in every major jurisdiction.
No geofencing / VPN blocking → accepting bets from prohibited jurisdictions is a criminal offence.
No tax / betting-duty calculation hooks — operator liable for unpaid levies.
No advertising / bonus T&C compliance (UK ASA, ANJ, AGCO, DGOJ).

Fraud

No device fingerprint, velocity checks, multi-account detection → bonus and arb abuse will drain margin fast.
No MFA / RBAC / secrets vault → credential stuffing + insider risk.
No chargeback handling → PSPs will de-risk or offboard you.

Financial

No double-entry ledger → balances derived from mutation are not trustworthy; reconciliation impossible.
No real-time exposure/liability → catastrophic payout risk on correlated outcomes.
No stake factors or market-limit engine → professional bettors will extract positive EV forever.
Single odds feed (Altenar) with no failover → outage = zero product = refund obligations.

Reputational

No dispute workflow, no bet audit trail, no odds-at-bet snapshot → every complaint goes viral.
No WCAG accessibility, no RG tooling → press + regulator reputational risk.

Operational

Single-node Laragon box, no backups tested, no monitoring, no alerting, no runbooks → minutes of downtime = hours of outage.
No CI/CD, no staging, no automated tests → every deploy is a production bet.
No customer-support tooling → unanswered tickets → chargebacks → PSP loss.

7. Architecture Recommendations

Target service map

Edge: Cloudflare (WAF, DDoS, bot mgmt) → Nginx/Envoy API gateway with OIDC + JWT.
Core services (Go / Node / PHP 8.3-fpm pools):
- auth — registration, login, MFA, sessions, password policy.
- player — KYC state, RG profile, segments, self-exclusion.
- wallet — double-entry ledger, holds, releases; Postgres or MySQL XA.
- payments — PSP orchestrator, 3DS2, withdrawals queue, chargebacks.
- catalog — sports / categories / championships / fixtures / markets / odds (current monolith; split from harvester).
- harvester — Altenar + secondary feed adapters, publishes to bus.
- pricing — margin shaper, stake factors, liability-aware adjustments.
- risk — exposure, liability, sharp/syndicate/multi-acct, velocity.
- betting — bet placement, state machine, cashout.
- settlement — results ingestion, rule engine, resettlement, payouts.
- promo — bonus engine, wagering, codes.
- crm — messaging, segmentation.
- cms — content, banners, pages.
- admin-bff — back-office API.
- reporting — OLAP, ETL to DWH.
Event bus: Kafka (or Redis Streams initially) — topics odds.changed, bet.placed, bet.settled, wallet.tx, risk.alert, promo.granted.
Cache: Redis Cluster — odds snapshot per event, market tree per tenant, session, rate-limit counters.
Push: Centrifugo / Soketi — WebSocket odds deltas + bet status + cashout quotes.
Databases:
- MySQL 8 (or PostgreSQL) primary + 2 read replicas, ProxySQL router.
- ClickHouse for OLAP / odds history / event log.
- S3 + KMS for KYC docs.
- Vault for secrets.
Observability: OpenTelemetry → Grafana (Tempo / Loki / Prometheus); PagerDuty / Opsgenie alerts.
CI/CD: GitHub Actions → ArgoCD to Kubernetes; blue/green + feature flags (Unleash).
DR: Active-active in 2 EU regions (or active-passive); RPO ≤ 5 min; RTO ≤ 30 min; quarterly drill.

Required admin tools

Trader console · Risk console · Finance console · Customer 360 · RG desk · Fraud case manager · KYC case manager · AML case manager · Affiliate console · Promo manager · Reporting & BI · Config center · Release / feature-flag dashboard · Audit viewer.

8. Prioritized Roadmap

Phase 1 — Launch Blockers (pre-real-money)

Auth + MFA + email/phone verify + password policy.
KYC/AML/PEP/sanctions provider integration (Sumsub or Onfido).
Double-entry wallet + ledger + currency config.
Payment gateway (one PSP, one card, one local method).
Server-authoritative bet placement with bet state machine, odds-at-bet snapshot.
Settlement rule engine with rollback + resettlement + manual override.
RG tooling: deposit/loss/wager/session limits + reality check + self-exclusion.
Jurisdiction engine (country → allowed markets / currencies / ages / limits).
Admin back-office v1: Customer 360, Bet inspector, Withdrawal review, KYC queue, RG queue.
Security baseline: WAF + rate limiting + RBAC + secrets vault + TLS/HSTS/CSP + audit log.
Observability baseline: Prometheus + Grafana + structured logs + on-call alerting.
CI/CD + staging + backups + tested restore + DR runbook.
Regulatory reports: daily bet log + SE register + RG events + AML alerts export.

Phase 2 — Professional Operations

Trader console (suspend, adjust margin, stake factors).
Real-time exposure / liability monitoring.
Auto-suspend rules on live events (goal, red card, delay).
Risk console + multi-accounting / velocity / device fingerprint.
Cashout + partial cashout.
Multiples / Systems / SGP (start simple, no correlation engine).
Bonus engine + wagering tracker + promo codes + abuse detection.
CRM (email + push + SMS) with segmentation.
Secondary odds feed + failover harvester.
Settlement QA (maker-checker) + primary results provider (Sportradar) with fallback.
Affordability/RG scoring (rules-based v1).
Full i18n + local payment methods.

Phase 3 — Scaling & Optimization

WebSocket odds push + client diff engine (drop polling).
Service decomposition (Wallet, Betting, Risk separated).
Data warehouse + BI (GGR/NGR/LTV/churn/cohort).
Live streaming + match tracker.
Native iOS + Android apps.
Affiliate platform + attribution + sub-affiliates.
Multi-tenant white-label layer.
Chaos + load engineering on real peak events.

Phase 4 — Elite Features

AI pricing, player-specific odds, trader AI co-pilot.
SGP with Monte-Carlo correlation pricing.
Request-a-bet via LLM.
Behavioural RG model + affordability based on open banking.
Graph-based syndicate detection.
Feature-flagged progressive rollouts across tenants.
Embedded SDK for partners.

9. Missing Admin & Internal Tools

Customer 360: balance, wallet history, bets, deposits/withdrawals, KYC status, RG limits, flags, devices, comms log, tickets, affiliate, VIP host.
Bet inspector: bet lifecycle, odds snapshot at placement, market history, settlement trail, resettlement history.
Trader console: live market grid, suspend/resume, adjust line, adjust margin, set limits, watch exposure, notes.
Risk console: exposure heatmap, top risks, alert queue, sharp-score per user, syndicate graph, manual stake-factor, freeze account.
Finance console: withdrawal queue, deposit ops, refund flow, PSP reconciliation dashboard, manual adjustments with maker-checker.
KYC case manager: queue, per-case evidence, reason codes, per-jurisdiction rules, escalation.
AML case manager: alerts, SAR draft, evidence, regulator export.
RG desk: players at risk, limits, self-exclusion actions, intervention log.
Fraud case manager: device graph, IP clusters, multi-accounting links, action buttons.
Support console: ticket queue, SLA, canned responses, macros, bet & wallet linking.
Promo manager: create/edit promotions, segments, wagering rules, P&L, cohort impact.
Affiliate manager: partners, campaigns, CPA/RevShare, attribution, payouts.
CMS: banners, pages, SEO metadata, scheduling, A/B.
Config center: margins, limits, jurisdictional rules, stake factors, sport templates, feature flags.
Release / ops: feature flags, rolling deploys, kill switches, maintenance mode.
Audit viewer: any admin action, any config change, any settlement change, any wallet adjustment — immutable.
RBAC & permissions matrix: roles (super-admin, trader, risk, finance, support L1/L2, compliance, marketing, dev-ops); per-action audit; maker-checker.

10. Final Verdict

What is missing for Bet2 to become a full professional system?
Almost every core pillar except odds ingestion and the player-facing UI: the entire player lifecycle (auth, KYC, AML, RG), the entire money stack (wallet, ledger, PSPs, reconciliation), the server-authoritative betting engine, the trader and risk consoles, the compliance layer (jurisdiction rules, regulatory reporting, responsible-gambling tooling), the back-office suite (admin SPA, RBAC, audit trail, maker-checker, customer 360), the CRM/promo engine, the security baseline (WAF, MFA, secrets vault, encryption at rest), and the production-grade platform (CI/CD, staging, monitoring, backups, DR, HA, WebSocket push, message bus, secondary feed failover). What exists today is an odds-harvester + pretty shell, not a sportsbook.

What IS strong: Altenar feed integration (parallel GetTopSportMenu + GetLiveEvents + GetUpcoming + GetEventDetails), market-group classifier, pulsing odds UI, Sportradar LMT widget via the SIR loader (DNS-safe), odds_history + direction, race-safe idempotent upsert (fixed today), 23/23 smoke test, settlement fallback scaffold. This is a solid trading-facing foundation to build on.

12/100

Launch Readiness

28/100

Trading Readiness

10/100

Risk Readiness

5/100

Compliance Readiness

6/100

Back-office Readiness

Assumptions & Notes

Assumed: the only features present are those visible in the current workspace (auditor reviewed lib/AltenarEngine.php, core/SettlementEngine.php, api/*, assets/js/*, index.php, event.php, settle.php, and MySQL sport3).
Assumed: no external KYC/AML/PSP integration exists and no admin UI has been built yet.
Assumed: target is multi-jurisdiction regulated real-money operation — if the target is a skin on a B2B platform (Kambi / BetConstruct / Altenar full stack), many items above come bundled and the plan shrinks dramatically.
To verify: exact licence target(s), target jurisdictions, chosen PSPs, KYC vendor, data-centre strategy, tenant model, retention policy, staffing model (in-house trading vs MTS).

Bottom line

Bet2 is a compelling prototype. It should not touch real money until at minimum the Phase 1 launch-blocker checklist above is delivered. Until then, continue as a simulation / free-play product, iterate the trading stack (exposure, stake factors, auto-suspend), and in parallel begin integrating a regulated platform partner or build the missing pillars in the order listed. A realistic path to a minimally compliant real-money launch is 4–8 months of focused work with 6–10 engineers + compliance + trading staff, assuming a single jurisdiction and a B2B KYC/PSP partner.