# Integration Registry

Master catalog of every external API, infrastructure component, and commercial service wired into Agencio Predict as of 2026-04-21. This is the "what are we touching and why" document — separate from cost projections (`docs/25`), AWS deployment shapes (`docs/23`), route catalog (`docs/24`), and Cognito-specific setup (`docs/cognito.md`).

**Source of truth for the live data-feed registry** that drives the `/admin/integrations` UI + probe buttons: `apps/web/src/app/api/predict/v1/admin/integrations/route.ts` (`INTEGRATIONS[]` array). This doc is synced to it.

---

## 1. At-a-glance summary

| Category | Count | Live | Stub / coming-soon | Notes |
|---|---|---|---|---|
| AWS infrastructure | 9 | 9 | — | RDS, ElastiCache/Valkey, S3, Cognito, Secrets Manager, CloudWatch, ALB/CloudFront, Fargate/EKS, WAF |
| Authentication & identity | 3 | 3 | — | Cognito, local JWT, Agencio bertha (wire-ready, endpoints stubbed) |
| Market-price feeds | 6 | 6 | — | Yahoo, CoinGecko, Finnhub, Frankfurter, Polygon.io, Binance aggTrades |
| Prediction markets | 4 | 3 | 1 | Polymarket, Kalshi, Metaculus live; PredictIt blocked by Cloudflare |
| Derivatives | 5 | 5 | — | Yahoo VIX, Alternative.me, Binance, Deribit, Coinglass |
| Macro / economic | 3 | 3 | 0 | FRED, World Bank, Auto Sales (via FRED TOTALSA) — all live |
| News | 7 | 7 | — | NewsAPI, Finnhub news, GitHub, GDELT, Google News RSS, Guardian, NYT |
| Social | 3 | 3 | — | Reddit, Twitter/X, Truth Social (unofficial) |
| Advertising platforms | 5 | 2 | 3 | Google Ads, Meta live; TikTok/LinkedIn/Pinterest coming-soon |
| LLM providers | 4 | 4 | — | Anthropic Claude, Agencio LLMRouter, Voyage embeddings, OpenAI fallback |
| Payments | 1 | 1 | — | Stripe (per-user + per-org seats) |
| Email | 1 | 1 | — | Azure Graph (Microsoft 365 transactional mail) |
| Browser push | 1 | 1 | — | Web Push VAPID |
| Storage | 2 | 2 | — | MinIO (dev), AWS S3 (prod) |
| Brokers | 3 | 3 | 0 | Alpaca, IBKR, Binance — all live (paper + live trading) |
| **Total** | **57** | **54** | **3** | |

---

## 2. Infrastructure

### 2.1 AWS — native services

| Service | Purpose | Code reference | Env vars | Notes |
|---|---|---|---|---|
| **RDS (Postgres 16)** | Primary data store — 7 schemas (auth, predict, marketing, trading, derivatives, omniscient, billing), 60+ tables | `packages/be/src/lib/db/client.ts` | `DATABASE_URL` | Migrations applied via `scripts/deploy-migrations.sh` |
| **ElastiCache (Valkey / Redis)** | Read-through cache for price data + FRED overlays; planned migration surface for in-memory rate limiter + OAuth state | `packages/be/src/lib/cache/redis.ts` | `REDIS_URL` | `ioredis@5.4.2` — works with both Redis OSS and Valkey |
| **S3** (or MinIO in dev) | Object store for exports, reports, uploads | `packages/be/src/lib/storage/*` | `STORAGE_PROVIDER`, `S3_BUCKET`, `S3_REGION`, `MINIO_*` in dev | `aws-sdk v3` client |
| **Cognito User Pool** | Primary auth provider in prod | `packages/be/src/lib/auth/providers/cognito.ts`, `cognito-admin.ts` | `COGNITO_USER_POOL_ID`, `COGNITO_CLIENT_ID`, `AWS_REGION` | Full flow in `docs/cognito.md` |
| **Secrets Manager** | Production secret rotation / retrieval (optional; env-var fallback) | `packages/be/src/lib/aws/secrets-manager.ts` | `USE_SECRETS_MANAGER`, `AWS_SECRETS_REGION`, `SECRETS_PREFIX` | Lazy-loaded only if USE_SECRETS_MANAGER=true |
| **CloudWatch Logs** | Request + scheduler log sink | implicit (container stdout) | — | Structured JSON logs on the roadmap |
| **ALB / CloudFront** | TLS termination, edge routing, WAF attachment | infra layer | — | Subdomain routing duplicated at middleware layer (`apps/web/src/middleware.ts`) |
| **Fargate / EKS** | Compute (web tasks + scheduler leader) | infra layer | — | Scheduler safe for Spot via `pg_try_advisory_lock` — see `docs/23` § Fargate Spot |
| **AWS WAF** | Layer-7 firewall (rate limits, OWASP CRS, bad-IP rep) | infra layer | — | Config in `docs/23` § Firewall + WAF |

### 2.2 Non-AWS infrastructure (in the dev stack)

| Service | Purpose | Env vars | Prod equivalent |
|---|---|---|---|
| Postgres (Docker) | Dev database | `DATABASE_URL` | RDS |
| Redis (Docker) | Dev cache | `REDIS_URL` | ElastiCache Valkey |
| MinIO (Docker) | Dev object store | `MINIO_*` | S3 |
| Nginx (Docker) | Dev reverse proxy + self-signed SSL | — | ALB (nginx is dev-only per `docs/23`) |

---

## 3. Authentication & identity

| Provider | Status | Code | Env vars | Purpose |
|---|---|---|---|---|
| **AWS Cognito** | ✅ Live | `packages/be/src/lib/auth/providers/cognito.ts` + `cognito-admin.ts` | `AUTH_PROVIDER=cognito`, `COGNITO_USER_POOL_ID`, `COGNITO_CLIENT_ID`, `AWS_REGION` | Primary prod auth — SignUp/Login/Confirm/ForgotPassword/MFA (TOTP) + admin ops |
| **Local (bcrypt + JWT)** | ✅ Live | `packages/be/src/lib/auth/providers/local.ts` | `AUTH_PROVIDER=local`, `JWT_SECRET` | Dev + test environment; bcrypt-hashed passwords in `auth.users` |
| **Agencio / bertha-auth-service** | 🟡 Wire-ready, endpoints stubbed | `packages/be/src/lib/auth/providers/agencio.ts` | `AUTH_PROVIDER=agencio`, `AGENCIO_AUTH_URL`, `AGENCIO_AUTH_API_KEY` | HTTP proxy to external bertha2 service; MFA / email-verification / password-reset return `*_NOT_SUPPORTED` until bertha endpoints land |

**Session + MFA surface:**
- Email verification: Cognito `ConfirmSignUpCommand` OR local 6-digit code via Azure Graph (§ 13)
- TOTP MFA: Cognito `AssociateSoftwareToken` + `VerifySoftwareToken` + `SetUserMFAPreference` OR local via `otpauth` lib + AES-GCM-encrypted secret
- Session timeout: 1h main app, 8h on terminal subdomain (`packages/fe/src/store/auth.ts`)

---

## 4. Market-price feeds

| Provider | Status | Code | Env vars | Pricing | Notes |
|---|---|---|---|---|---|
| **Yahoo Finance** (unofficial) | ✅ Live | `packages/be/src/lib/yahoo-fetch.ts`, `trading/data/price-service.ts` | none | Free, rate-limited by IP | 3-attempt retry + 8s timeout; `^TNX`/`^TYX` bond indexes; `BTC-USD` crypto fallback |
| **CoinGecko** | ✅ Live | `packages/be/src/trading/data/price-service.ts` | optional `COINGECKO_PRO_KEY` | Free 50 req/min; Pro $129/mo | Crypto OHLC (alts), trending coins, 24h volume |
| **Finnhub** | ✅ Live | `packages/be/src/integrations/finnhub.ts` | `FINNHUB_API_KEY` | Free 60 req/min; All-In-One $50–200/mo | Real-time quotes, social sentiment, company news, analyst trends |
| **Frankfurter (ECB)** | ✅ Live | `packages/be/src/trading/data/price-service.ts:192` | none | Free | Daily FX reference rates; no intraday |
| **Polygon.io** | ✅ Live | `packages/be/src/integrations/polygon.ts` | `POLYGON_API_KEY` | Free 5 calls/min EOD; Starter $29/mo unlocks intraday | Real FX OHLC daily candles + per-trade equity ticks for whale/bot classification |
| **Binance aggTrades** | ✅ Live | `packages/be/src/integrations/binance-trades.ts` | none | Free, keyless | Crypto per-trade ticks via public `/aggTrades` endpoint (1200 req/min IP limit). Feeds whale/bot classifier |

Used by: `/trading/market-data/*`, `/overlays/live-data`, `/console` terminal tickers, bond-market panel, dashboard, whale/bot classification (`tick-classifier.ts`).

---

## 5. Prediction-market feeds

| Provider | Status | Code | Env vars | Notes |
|---|---|---|---|---|
| **Polymarket** | ✅ Live | `packages/be/src/integrations/polymarket.ts` | none | Core prediction-signal source; public API |
| **Kalshi** | ✅ Live | `packages/be/src/integrations/kalshi.ts` | none | US prediction markets (elections, economic) |
| **Metaculus** | ✅ Live (token recommended) | `packages/be/src/integrations/metaculus.ts` | `METACULUS_TOKEN` (optional) | Long-term forecasting; API token raises rate ceiling |
| **PredictIt** | 🔴 Blocked | `packages/be/src/integrations/predictit.ts` | none | Cloudflare 403 from AWS IPs since 2023; needs paid proxy |

Aggregated via `packages/be/src/all-seeing-eye/aggregation/prediction-markets.ts` → `fetchAllPredictionMarkets()`.

---

## 6. Derivatives feeds

| Provider | Status | Code | Env vars | Notes |
|---|---|---|---|---|
| **Yahoo VIX** | ✅ Live | `packages/be/src/integrations/derivatives.ts` | none | S&P 500 volatility + 30d percentile |
| **Alternative.me** | ✅ Live | same | none | Crypto Fear & Greed (0–100) |
| **Binance Futures** (public) | ✅ Live | same | none | Funding rates, open interest |
| **Deribit** (public) | ✅ Live | same | none | Implied vol (BTC/ETH 30d DVOL) |
| **Coinglass** | ⚠️ Key required for full access | same | `COINGLASS_API_KEY` | Aggregated liquidations; free tier caps lookback at 3 days |

---

## 7. Macro / economic feeds

| Provider | Status | Code | Env vars | Notes |
|---|---|---|---|---|
| **FRED** (St. Louis Fed) | ✅ Live | `packages/be/src/overlays/data-fetcher.ts`, `integrations/*` | `FRED_API_KEY` | Treasury curve (10Y/2Y/3M/5Y/30Y), TIPS, CPI, fed funds, SOFR, financial-stress |
| **World Bank** | ✅ Live | overlays | none | International CPI, GDP for 10+ countries |
| **Auto Sales** | ✅ Live | `packages/be/src/overlays/data-fetcher.ts` | `FRED_API_KEY` | US light vehicle sales via FRED TOTALSA series (monthly data) |

---

## 8. News feeds

| Provider | Status | Code | Env vars | Notes |
|---|---|---|---|---|
| **NewsAPI** | ✅ Live | `packages/be/src/news/service.ts` | `NEWSAPI_KEY` | Free 100 req/day; commercial tier $449/mo |
| **Finnhub Market News** | ✅ Live | `packages/be/src/scheduler/news-collector.ts` | `FINNHUB_API_KEY` | Reuses Finnhub key; 4 categories (general/forex/crypto/merger) |
| **GitHub** | ✅ Live | `packages/be/src/integrations/*` | `GITHUB_TOKEN` (optional) | AI project activity, trending repos |
| **GDELT** | ✅ Live | `packages/be/src/news/service.ts` (news_sources adapter) | none | Global news events + entity extraction |
| **Google News RSS** | ✅ Live | news_sources adapter | none | General news fallback |
| **Guardian / NYT** | ✅ Live (opt-in) | news_sources adapter | `GUARDIAN_API_KEY` / `NYT_API_KEY` | Both free for dev; commercial limits apply |

Ingested hourly by the `news-archive` + `news-ingestion` scheduler jobs; RAG corpus derived from `predict.news_archive`.

---

## 9. Social feeds

| Provider | Status | Code | Env vars | Notes |
|---|---|---|---|---|
| **Reddit** | ✅ Live | `packages/be/src/social/service.ts` | none (public JSON API) | Aggressive rate limits (100 req/min); commercial tier $0.24/1k |
| **Twitter / X** | ✅ Live with paid token | same | `TWITTER_BEARER_TOKEN` | Requires paid Basic tier ($200/mo) — free tier is read-only + heavily limited |
| **Truth Social** | ✅ Live (unofficial scraper) | same (platform id 047, migration 047) | none | No official API; fragile |

Polled by `social-follows` scheduler job every 5 min. Per-ticker + generic rollups into `sentiment_hourly` feed the divergence engine + composite score.

---

## 10. Advertising platforms

Used by marketing analytics (attribution, campaign prediction, platform dashboards). **Read-only access only** — WS4 locked OAuth scopes to `read` variants to de-risk platform compliance.

| Platform | Status | Code | Env vars | Notes |
|---|---|---|---|---|
| **Google Ads** | ✅ Live | `packages/be/src/integrations/google-ads.ts` | `GOOGLE_ADS_CLIENT_ID`, `GOOGLE_ADS_CLIENT_SECRET`, `GOOGLE_ADS_DEVELOPER_TOKEN`, `GOOGLE_ADS_REFRESH_TOKEN` | REST v18 implementation; no `.readonly` scope variant exists, so the permission boundary lives in the Google Ads account role |
| **Meta (Facebook/Instagram) Ads** | ✅ Live | `packages/be/src/integrations/meta-ads.ts` | `META_APP_ID`, `META_APP_SECRET`, `META_ACCESS_TOKEN` | Graph API v18; scopes downgraded to `ads_read` + `read_insights` |
| **TikTok Ads** | 🟡 Coming-soon | `packages/be/src/integrations/tiktok-ads.ts` | `TIKTOK_APP_ID` + others | Throws `PlatformComingSoonError` until adapter body filled |
| **LinkedIn Ads** | 🟡 Coming-soon | `packages/be/src/integrations/linkedin-ads.ts` | `LINKEDIN_CLIENT_ID` + others | Same pattern |
| **Pinterest Ads** | 🟡 Coming-soon | `packages/be/src/integrations/pinterest-ads.ts` | `PINTEREST_APP_ID` + others | Same pattern |

OAuth callback at `/api/predict/v1/marketing/oauth/callback/[platform]`.

---

## 11. LLM providers

| Provider | Status | Code | Env vars | Purpose |
|---|---|---|---|---|
| **Anthropic Claude** | ✅ Live | `packages/be/src/algorithms/llm/client.ts:57-63` | `ANTHROPIC_API_KEY` | Algorithm critique + jury + NL-to-DSL translate + RAG synthesis — uses `claude-sonnet-4-20250514` (`opus` tier alias) + `claude-haiku-4-5-20251001` (`haiku` tier) |
| **Agencio LLMRouter** | ✅ Live (optional) | same | `LLMROUTER_API_KEY`, `LLMROUTER_BASE_URL` | Primary when configured; falls back to Anthropic direct |
| **Voyage AI** | ✅ Live | `packages/be/src/rag/embeddings.ts` | `VOYAGE_API_KEY` | News-corpus embeddings, `voyage-3-lite` (1024 dims) |
| **OpenAI** | ✅ Live (fallback only) | same | `OPENAI_API_KEY` | Embedding fallback — `text-embedding-3-small` (1536 dims); only used when Voyage unavailable |

**LLM routing:** `packages/be/src/algorithms/llm/client.ts` → LLMRouter → Anthropic direct → error. All calls Zod-validated on output (anti-hallucination defense 1).

**Daily budget cap:** `LLM_SENTIMENT_DAILY_BUDGET` (default 5000) in `packages/be/src/sentiment/llm-scorer.ts`.

---

## 12. Payments — Stripe

| Flow | Code | Notes |
|---|---|---|
| Subscription checkout (per-user) | `packages/be/src/billing/services/subscription-service.ts` | Via `onboarding/checkout` endpoint |
| Subscription checkout (org-seats) | `packages/be/src/billing/services/org-seats-service.ts` | Via `org/billing/checkout` endpoint |
| Webhook ingest | `packages/be/src/billing/stripe/webhooks.ts` | `customer.subscription.*`, `invoice.*`, `payment_method.*`, `customer.*`; raw body preserved for signature verification |
| Trial-ending, payment-received, payment-failed email | webhook → `sendBillingEmail` via Azure Graph | Fire-and-forget; webhook doesn't block on send |

**Env vars:** `STRIPE_SECRET_KEY`, `STRIPE_WEBHOOK_SECRET`.
**Pricing:** 2.9% + $0.30 per successful charge.
**Webhook endpoint:** `POST /api/predict/v1/billing/webhooks/stripe` — must not be rate-limited or body-transformed at the gateway.

---

## 13. Email & notifications

| Provider | Status | Code | Env vars | Purpose |
|---|---|---|---|---|
| **Azure Graph (Microsoft 365)** | ✅ Live | `packages/be/src/email/azure-graph.ts` | `AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_SENDER_EMAIL` | All transactional email — verification codes, approval / rejection, MFA notices, password reset, Stripe billing notifications, workflow email action |
| **Web Push (VAPID)** | ✅ Live | `packages/be/src/notifications/*` | `VAPID_PUBLIC_KEY`, `VAPID_PRIVATE_KEY`, `VAPID_EMAIL` | Browser push notifications for signal alerts |

Azure Graph needs an Azure AD app registration with `Mail.Send` application permission granted with admin consent.

---

## 14. Storage

| Provider | Dev | Prod | Code | Env vars |
|---|---|---|---|---|
| **MinIO** | ✅ Default | — | `packages/be/src/lib/storage/*` | `MINIO_ENDPOINT`, `MINIO_ACCESS_KEY`, `MINIO_SECRET_KEY` |
| **AWS S3** | — | ✅ Default | same | `STORAGE_PROVIDER=s3`, `S3_BUCKET`, `S3_REGION` (+ AWS credential chain) |

Uses: export reports (PDF/CSV from `/api/predict/v1/export/**`), user-uploaded assets.

---

## 15. Broker integrations

| Broker | Status | Code | Env vars | Notes |
|---|---|---|---|---|
| **Alpaca** | ✅ Live | `packages/be/src/brokers/alpaca.ts` | Per-user credentials AES-256-GCM encrypted in `user_broker_credentials` | US stocks/ETFs, commission-free, paper + live trading; 4-gate preflight |
| **IBKR** | ✅ Live | `packages/be/src/brokers/ibkr.ts` | Per-user credentials encrypted | Interactive Brokers Client Portal API; multi-asset (stocks, options, futures, forex); session-based auth; requires IBKR Gateway running |
| **Binance** | ✅ Live | `packages/be/src/brokers/binance.ts` | Per-user credentials encrypted | Crypto spot + futures; HMAC-SHA256 signed requests; testnet for paper, production for live |

**Platform-level credentials encryption key:** `CREDENTIALS_ENCRYPTION_KEY` (32-byte hex). Must be rotated in prod (the audit flagged the padded dev value).

**Mock default:** every user starts on mock credit; paper/live is opt-in and live requires admin `live_trading_enabled` flag (migration 036).

---

## 16. Security perimeter

| Layer | Service | Code / Config |
|---|---|---|
| **L3/L4 DDoS (auto)** | AWS Shield Standard | included with AWS account |
| **L7 WAF** | AWS WAF | attached to Amplify / ALB / CloudFront per tier (`docs/23` § Firewall + WAF) |
| **Network ACLs + Security Groups** | VPC | `docs/23` § Minimum VPC layout |
| **Auth — JWT signature verification** | jose (Cognito JWKS) / jsonwebtoken (local HMAC) | `packages/be/src/lib/auth/middleware.ts` |
| **Rate limiting (app-level)** | In-memory today (Redis migration on AWS checklist) | `packages/be/src/middleware/rate-limiter.ts` |
| **Input validation** | Zod schemas on state-changing routes | `packages/be/src/validation/**` |
| **Credential encryption at rest** | AES-256-GCM | `packages/be/src/brokers/crypto.ts` (brokers + TOTP secrets) |
| **Password hashing** | bcryptjs (12 rounds) | `packages/be/src/lib/auth/providers/local.ts` |
| **TOTP** | `otpauth` lib | `packages/be/src/lib/auth/mfa-enrollment.ts` |
| **CSRF / XSS policy** | Next.js defaults + explicit output escaping in email bodies | various |
| **Terms acceptance gate** | `TermsAcceptanceGate` in LayoutProvider | `packages/fe/src/components/legal/TermsAcceptanceGate.tsx` |
| **Secrets** | AWS Secrets Manager (prod) / env vars (dev) | `packages/be/src/lib/aws/secrets-manager.ts` |

### 16.1 Known security postures documented elsewhere

- Dev auth bypass requires both `NODE_ENV != 'production'` AND `ALLOW_DEV_AUTH_BYPASS=true` (`lib/auth/middleware.ts`)
- Live-trading: mock default → admin-granted role → MFA ack → 3-gate `setUserBrokerMode` → 4-gate `placeLiveOrder`
- Stripe webhooks: raw body preserved, HMAC signature verified server-side
- Portfolio / position / trade queries carry `WHERE user_id = $x` scoping (security patch 2026-04-17)
- JWT tokens: 7-day expiry, pinned algorithm

---

## 17. Observability

| Surface | Current state | Planned |
|---|---|---|
| Request logs | Next.js console.log → Docker stdout → CloudWatch | Structured JSON (`LOG_LEVEL=info`) |
| Error tracking | Conditional `@sentry/nextjs` in `lib/errors/api-error.ts:107-114` — no-op until `SENTRY_DSN` set | Sentry DSN in prod env |
| Metrics | CloudWatch defaults + `/api/health` probe | Custom metrics via CloudWatch EMF |
| Audit logs | Per-domain DB tables — `broker_audit_log`, `algorithm_llm_rejections`, `algorithm_llm_jury`, `algorithm_kills`, `webhook_deliveries` | Retention policies per table |
| Slow queries | `lib/db/client.ts` logs queries > 1s with redacted SQL | See AWS checklist slow-query audit |
| Rate-limit events | Logged by `middleware/rate-limiter.ts` | Redis/Valkey backing for multi-instance view |

---

## 18. Roadmap — proposed integrations (not wired)

Flagged in TODO.md and in integration comments but not active.

| Provider | Category | Notes |
|---|---|---|
| **Databento** | Cross-asset ticks | Institutional, expensive (~$500+/mo start) |
| **Kaiko** | Crypto institutional | Tick-level + trade data |
| **EPFR** | Fund flows | Stub ready; adapter body pending contract |
| **Refinitiv** | Multi-asset | Stub ready; adapter body pending contract |
| **CDX / MBS OAS paid data** | Bond overlays | Audit skipped for POC; ETF-ratio + MOVE regime sufficient |
| **Glassnode / IntoTheBlock** | Crypto on-chain | Not wired |
| **Bloomberg Terminal API** | Multi-asset | Not considered — cost-prohibitive for beta |

**Recently promoted to Live:**
- Polygon.io (2026-04-21) — moved from roadmap to § 4 Market-price feeds
- Auto Sales (2026-04-21) — now uses FRED TOTALSA series for US light vehicle sales
- IBKR (2026-04-21) — full adapter via Client Portal API (migration 082)
- Binance (2026-04-21) — full adapter with HMAC-SHA256 signing (migration 082)

---

## 19. Complete env-var reference

Pulled from `packages/be/src/lib/config/env.ts` + the registry above. Grouped by criticality:

**Boot-required (app won't start):**
```
JWT_SECRET
DATABASE_URL
REDIS_URL
CREDENTIALS_ENCRYPTION_KEY    # 32-byte hex
```

**Feature-required (feature silently disables if missing):**
```
AUTH_PROVIDER                 # cognito | local | agencio (defaults local)
COGNITO_USER_POOL_ID
COGNITO_CLIENT_ID
AWS_REGION
AGENCIO_AUTH_URL
AGENCIO_AUTH_API_KEY
NEXT_PUBLIC_APP_URL

STRIPE_SECRET_KEY
STRIPE_WEBHOOK_SECRET

AZURE_TENANT_ID
AZURE_CLIENT_ID
AZURE_CLIENT_SECRET
AZURE_SENDER_EMAIL

ANTHROPIC_API_KEY             # OR LLMROUTER_API_KEY + LLMROUTER_BASE_URL
VOYAGE_API_KEY
OPENAI_API_KEY                # fallback

FINNHUB_API_KEY
FRED_API_KEY
NEWSAPI_KEY
COINGLASS_API_KEY
METACULUS_TOKEN
GITHUB_TOKEN                  # optional
TWITTER_BEARER_TOKEN
GUARDIAN_API_KEY
NYT_API_KEY

GOOGLE_ADS_CLIENT_ID + CLIENT_SECRET + DEVELOPER_TOKEN + REFRESH_TOKEN
META_APP_ID + APP_SECRET + ACCESS_TOKEN
TIKTOK_APP_ID + APP_SECRET + ACCESS_TOKEN + ADVERTISER_ID
LINKEDIN_CLIENT_ID + CLIENT_SECRET + ACCESS_TOKEN
PINTEREST_APP_ID + APP_SECRET + ACCESS_TOKEN

STORAGE_PROVIDER              # s3 | minio (defaults minio)
S3_BUCKET, S3_REGION          # if STORAGE_PROVIDER=s3
MINIO_ENDPOINT + ACCESS_KEY + SECRET_KEY  # if MinIO

VAPID_PUBLIC_KEY
VAPID_PRIVATE_KEY
VAPID_EMAIL

SENTRY_DSN                    # error tracking

USE_SECRETS_MANAGER           # true to load from AWS Secrets Manager
AWS_SECRETS_REGION
SECRETS_PREFIX

SCHEDULER_ENABLED             # false to disable scheduler on this instance
SCHEDULER_SKIP_LOCK           # true in single-instance dev to bypass advisory lock
SCHEDULER_LEADER_RETRY_MS     # standby poll cadence (default 30000)

LLM_SENTIMENT_DAILY_BUDGET    # default 5000

ALLOW_DEV_AUTH_BYPASS         # dev-only, NEVER set in prod
```

---

## 20. Admin UI for integration status

`/admin/integrations` — renders the registry from `apps/web/src/app/api/predict/v1/admin/integrations/route.ts` with per-source env-var-present status + live probe buttons (`POST /admin/integrations/test`).

Currently wired probes: Finnhub, Frankfurter, Auto Sales (FRED TOTALSA), Alpaca, IBKR, Binance. Remaining (NewsAPI, GitHub, Twitter, Stripe, Azure Graph, VAPID, ad-networks) marked "no probe wired" until implementation — tracked in TODO.md § Medium Priority.

---

## 21. Source-of-truth mapping

| Concern | Canonical file |
|---|---|
| Data-feed registry (drives `/admin/integrations`) | `apps/web/src/app/api/predict/v1/admin/integrations/route.ts` |
| Env-var validation + defaults | `packages/be/src/lib/config/env.ts` |
| Cognito setup + IAM actions | `docs/cognito.md` |
| AWS deployment tiers + costs | `docs/23-aws-deployment-tiers.md` |
| API route catalog (for gateway / Kong) | `docs/24-api-routes.md` |
| OPEX cost projections (data + LLM) | `docs/25-data-feed-llm-opex.md` |
| **This registry** | `docs/26-integration-registry.md` |

All six docs live in the repo and move together; keep this one synced to the admin registry (`route.ts`) on any integration add/remove.
