T

alexei.dolgolyov 0683e348ba fix(security): bound bet-notes length + harden EventId against path/control chars

Two defense-in-depth findings from the I-series security review (both safe today,
neither currently exploitable):
- AddBetForm.Notes was unbounded free-text into SQLite; add a 2000-char sanity cap
  in IsValid (covers both the add and edit paths), alongside the existing stake/rate
  caps.
- EventId only rejected empty/whitespace; now also reject path separators, '..'
  traversal, control/newline chars and over-length input so no current-or-future
  consumer that builds a path/filename/log line from an id can be tricked. The
  charset stays open for forward-compat with non-numeric bookmaker ids.

2026-05-29 14:14:12 +03:00

design

chore: add vex config + redesign mockups, ignore debug scratch

2026-05-29 14:03:12 +03:00

plans/initial-implementation

fix(phase-7): close review notes — hoist anomaly dedup query, drop dead expr

2026-05-05 13:46:34 +03:00

spike

feat(initial-implementation): phase 0 - scraping spike findings

2026-05-05 01:04:03 +03:00

src

fix(security): bound bet-notes length + harden EventId against path/control chars

2026-05-29 14:14:12 +03:00

tests

fix(security): bound bet-notes length + harden EventId against path/control chars

2026-05-29 14:14:12 +03:00

.editorconfig

feat: implement Phase 1 — solution skeleton and domain model

2026-05-05 01:20:28 +03:00

.gitignore

chore: add vex config + redesign mockups, ignore debug scratch

2026-05-29 14:03:12 +03:00

.vex.toml

chore: add vex config + redesign mockups, ignore debug scratch

2026-05-29 14:03:12 +03:00

CLAUDE.md

docs: capture H-series learnings in project memory

2026-05-29 11:18:52 +03:00

Directory.Build.props

feat: implement Phase 1 — solution skeleton and domain model

2026-05-05 01:20:28 +03:00

Directory.Packages.props

feat(phase-6): event browsing UI — pre-match/live lists, detail page, +26 bUnit tests

2026-05-05 12:58:03 +03:00

Marathon.sln

feat: implement Phase 1 — solution skeleton and domain model

2026-05-05 01:20:28 +03:00

Marathon.slnx

feat: implement Phase 1 — solution skeleton and domain model

2026-05-05 01:20:28 +03:00

README.md

chore: initial repo setup (.gitignore, README, CLAUDE.md)

2026-05-05 00:31:54 +03:00

README.md

maraphon-app

Sports betting odds analyzer for marathonbet.by.

Scrapes pre-match (/su) and live (/su/live) sports events, tracks coefficient changes over time, and detects anomalies — in particular the "odds-flip" pattern where the bookmaker freezes betting and then inverts underdog/favorite odds.

Tech stack

.NET 8 + C# 12
Blazor Hybrid — WPF shell hosting BlazorWebView (designed to migrate to ASP.NET Core Blazor Server with no UI rewrite)
EF Core + SQLite (WAL mode) for local storage
ClosedXML for Excel export
AngleSharp for HTML scraping (with Playwright fallback for JS-rendered pages)
Polly v8 for retry / circuit breaker / rate limiting
MudBlazor UI components, Plotly.Blazor for charts
Serilog structured logging
xUnit / FluentAssertions / NSubstitute for tests

Project layout

src/
  Marathon.Domain/         entities, value objects, no dependencies
  Marathon.Application/    use cases, abstractions (IOddsScraper, IRepository, ...)
  Marathon.Infrastructure/ EF Core, scraping, Polly, Excel, Playwright
  Marathon.UI/             Razor Class Library — all Blazor components live here
  Marathon.Hosts.WpfBlazor/ WPF + BlazorWebView host (replaceable for web)
tests/
  Marathon.*.Tests/        unit + integration tests per layer

Build & run

dotnet build Marathon.sln
dotnet test  Marathon.sln
dotnet run   --project src/Marathon.Hosts.WpfBlazor

Configuration

All variable parameters (polling intervals, concurrency, user-agents, retry policy, snapshot retention, locale) are exposed via appsettings.json and live-editable via the in-app Settings page.

Status

🟡 In active development. See plans/initial-implementation/PLAN.md for the current phase plan and progress.

License

Private — customer project.