The full M1 deliverable is a 15-section audit of the client's production database: every table, index, materialized view, cron job, and RPC named and measured, with verbatim excerpts from the platform's code and schema annotations. Publishing that would publish the client's private architecture, so this page carries the audit's shape, method, and aggregate findings instead, with every identifying detail removed. The metrics are carried unchanged from the private report.
| Surface | Measured |
|---|---|
| Largest table (price history) | 17.5M rows, 8.3 GB total, 2.4 GB heap + 5.9 GB indexes |
| eBay listings table | 274K rows (265K active), 663 MB, 18 indexes |
| Largest materialized view (daily price rollup) | 19.9M rows, 2.8 GB |
| Near-miss review queue (0.50-0.70 confidence band) | 5,732 rows; 99.8% single-card class |
| Arbitrage opportunity rows | 895 computed; 16% linked to PSA population data |
| Scheduled jobs read from the cron log | 18 jobs over a 30-day window |
The index-to-heap ratio on the price-history table (2.44x) was audited index-by-index against live scan counts and found justified: every index on that table earns its keep on a real access path. The growth math was stated in advance: at the measured monthly insert rate the table crosses 50M rows within a year, at which point the DELETE-based compaction pattern becomes the bottleneck and a declarative monthly partition (drop old partitions instead of DELETE) is the named successor, with the trigger thresholds written down before they fire.
Ten actions, ordered by impact-to-risk ratio, tiered additive → invariant → operational, with Phase-2 candidates explicitly fenced out of contract scope:
| Tier | Actions | Shape |
|---|---|---|
| Tier 0, additive | partial index on the review band; provenance audit column on the arbitrage table; dry-run parameter for the data-bridge function | 15 min to 2 h each, rollback is a single DROP or revert |
| Tier 1, invariants | CHECK constraints on two de-facto-enum columns (pre-verified: 0 would-fail rows); resync schema-as-code with prod | NOT VALID + VALIDATE pattern, no data-operation lock |
| Tier 2, operational | stats reset + 14-day observation window; root-cause the two dead crons; re-arm the stopped scraper; drop verified-unused indexes only after the window | observation gates before any destructive step |
Every action shipped with an explicit rollback and an explicit test. A third de-facto-enum column was deliberately excluded from the constraint batch: pre-validation found 18 distinct live values where the naive constraint assumed 2, and adding it would have failed on 80K+ rows. The check that kept it out of the plan is the same check that makes the other two safe.
The plan also wrote down what it would NOT do: no schema redesign of the arbitrage table, no matcher-code changes, no Phase-2 architecture inside the milestone. Open questions were routed to named owners with a stated default if unanswered, so the next milestone could start without waiting. Outcome, verified in the M2 deliverable: seven of the nine near-term actions were deployed and independently validated against production within the next milestone; the remaining two were deliberately gated (a 14-day observation window; a Phase-2 partition trigger).
The platform refreshes five MVs, one of them after every marketplace sync. The audit's verdict: CONCURRENTLY refresh is the right pattern at current scale (unique indexes present, dashboard reads never blocked, refresh fits comfortably), and the escalation triggers were written down in advance rather than left to be discovered: escalate when a single refresh crosses 5 minutes of wall-clock, when the largest MV approaches 10 GB, or when the active-game count triples. The named next pattern is partition-aligned refresh (refresh only the current month), and the managed image already ships the extensions that work would need (available but not installed). One MV is locked as materialized by an incident note in the schema itself: it had once been a regular view, and a DISTINCT ON over 222K rows re-running on every API call caused a 12-hour outage. The audit's recommendation was to keep that lock exactly as it is.
The platform's strict matcher opens with a warning comment (quoted verbatim in the private report; the client's name is replaced here):
"Wrong matches = wrong arbitrage = [the client] buys the wrong card. Return null rather than guess."
Every recommendation in the audit is gated on that constraint: prefer reversible and additive change over destructive rewrite, prefer abstain over confidently-wrong, and never drop or rewrite anything on inference when an observation window can be had first.