Appearance
Risk Register
Phase: 1 Architecture Plan Status: active
| ID | Risk | Impact | Likelihood | Mitigation | Owner |
|---|---|---|---|---|---|
| R-001 | Frontend depends on undocumented /api response shapes. | High | High | Capture request/response examples before route migration; use gateway adapters. | api-gateway |
| R-002 | Manual question-type overrides in import editor are lost during DOCX migration. | High | Medium | Preserve review payload semantics; run real import save/reload browser checks before cutover. | docx-import-service |
| R-003 | Exam/attempt snapshots change after normalization. | High | Medium | Keep snapshot JSON compatibility; parity-test publish/start/submit flows. | exam-service, attempt-service |
| R-004 | Database split breaks tenant scoping or admin all-org behavior. | High | Medium | Explicit policy objects and tenant filters in SQL review checklist. | school-service |
| R-005 | Legacy wallet/AZ Credit coupling blocks storage/import routes. | Medium | High | Keep wallet routes legacy-proxied; document any credit checks hit by migrated routes. | api-gateway |
| R-006 | SSE behavior changes because gateway buffers events. | High | Medium | Dedicated streaming tests and client disconnect handling. | api-gateway |
| R-007 | External Go Formula DOCX behavior diverges from current wrapper behavior. | High | Medium | Wrap existing endpoint first; preserve warnings/timing/media fields. | docx-import-service |
| R-008 | Shared taxonomy ownership causes duplicate or conflicting records. | Medium | Medium | Assign initial ownership to question-bank-service; replicate read models only by event/API. | question-bank-service |
| R-009 | Hard delete semantics delete historical attempt data in Go unexpectedly. | High | Low | Reproduce only after explicit product signoff; prefer archive behavior initially. | question-bank-service |
| R-010 | Route migration lacks rollback path. | High | Medium | Gateway route state and rollback command are required for every cutover. | api-gateway |
| R-011 | Secrets or local defaults leak into production configs. | High | Medium | Environment validation blocks dev defaults in production. | platform |
| R-012 | Backfill changes source legacy DB by accident. | High | Low | Use read-only credentials for legacy source; CI guard for migration code. | migration |
| R-013 | Performance regressions from service fanout. | Medium | Medium | Gateway aggregation budgets, service-level metrics, cache/read models for analytics. | platform |
| R-014 | Import corpus edge cases are missed. | High | Medium | Use real HOCTAPAZ DOCX corpus and produce parse/review diff reports. | docx-import-service |
| R-015 | Admin feature maintenance no longer protects same route prefixes. | Medium | Medium | Port feature prefix map and exact labels; route-level contract tests. | admin-service |
Risk Review Rule
Every Phase 2 implementation PR must either reference a risk ID above or add a new one when it introduces a new migration or behavior risk.