Risk Register

Cross-phase risks. Update as discovered.

Active risks

ID	Risk	Phase	Likelihood	Impact	Owner	Mitigation	Status
R-01	LIFF iOS Safari WebView quirks break auth	1	M	H	Julian	Use in-memory token (1.D-3); test matrix iOS+Android	Open
R-02	LINE Pay merchant onboarding delays > 4 weeks	3	M	M	r_goto	Ship MVP without LINE Pay (3.D-2); add later	Open
R-03	HMAC secret leaks → unauthorized webhooks	0+	L	H	Julian	Key versioning (0.D-1); rotation; restrict log output	Open
R-04	Multi-tenant LIFF routing breaks all tenants	1	L	CRITICAL	Julian	Canary tenant first; feature flag; explicit rollback	Open
R-05	Order webhook backlog if Curva down	0+	M	M	Julian	BullMQ retry + DLQ + alerting (X.I-5)	Open
R-06	Identify endpoint hammered (DDoS or bot)	1	M	M	Julian	Rate limit per IP; CAPTCHA fallback	Open
R-07	LINE rate limits on push messages exceeded	2+	M	M	Curva team	Reuse BulkMessage batching; monitor quota	Open
R-08	PII (line_user_id) exposed in logs	0+	M	H	Julian	Hash/mask in log statements; PII review of all new logs	Open
R-09	Stripe + LINE Pay race condition (double charge)	3	L	H	Julian	Idempotency key per order; lock on payment state	Open
R-10	Curva develop branch deploys break Pasukuru integration	all	M	M	both	Contract version in headers (v1, v2); both sides backward-compat	Open
R-11	Pasukuru tenant-per-Host changes break LIFF flow	1	L	H	Julian	Decision 1.D-1 final; explicit middleware order	Open
R-12	LINE Console LIFF endpoint URL drift between envs	X	M	M	r_goto	Document each env’s IDs in vault; verify in CI	Open
R-13	Member double-account (LINE-linked + email-linked)	1	M	M	Julian	Merge UX in account settings (post-Phase 3 work)	Open
R-14	Agent commission attributed to wrong agent (multi-QR)	3	L	M	Julian	First-touch attribution; document policy	Open
R-15	Curva and Pasukuru DBs become inconsistent	all	M	H	Julian	Periodic reconciliation cron; smoke test alerts	Open
R-16	Da Vinci accidentally touched	all	L	CRITICAL	Julian	NO-TOUCH rule; pre-commit hook check (existing)	Mitigated

Incident response framework

If something breaks in prod:

Severity scale

SEV-1 — payment fails, data loss, security breach → all hands, 15min response
SEV-2 — feature degraded for many users → 1hr response
SEV-3 — feature degraded for few users → next-day response
SEV-4 — cosmetic / non-critical → backlog

Runbook per system

Webhook delivery failures → check BullMQ board (X.I-4) → rerun from DLQ
LIFF identify failures → check Pasukuru BE logs → likely LINE API issue → fall back to web
Order events not received → check Pasukuru emit logs → check Curva inbound logs → check feature flags
Multi-tenant resolution wrong → check JWT decode logs → fall back to Host header (flag off)

Kill switches (feature flags)

Flag	Effect when OFF
`integration.order_events`	Pasukuru stops emitting order webhooks
`integration.webhook.v1_hmac`	Falls back to v0 bearer auth
`integration.curva_inbound_receiver`	Returns 503; Pasukuru retries to DLQ
`liff.enabled`	LIFF init disabled; pure-web mode
`liff.auto_identify`	Manual login required
`flex.pasukuru_picker`	Picker button hidden
`payment.line_pay`	LINE Pay option hidden in checkout
`tenant.line_resolution`	Falls back to Host-only tenant resolution

All flips reversible within 5 min.

Pre-launch risk review

Before going to prod, walk through this register. For each Open risk:

Mitigation in place?
Tested?
Owner aware?

If any risk Open + not mitigated + Severity ≥ M → block launch.

Post-launch monitoring (first 48hr)

Watch:

Webhook DLQ depth (target: 0; alert: >10)
Identify endpoint p95 latency (target: <500ms)
LIFF init success rate (target: >99%)
LINE Pay sandbox vs prod confirm rate match
Curva inbound 5xx rate (target: <0.1%)

If anything red → activate kill switch, debug, re-deploy.

Corone Vault

Explorer

09-risk-register