Risk Register
:::info Source
Sourced from services/authoring-service/16-SERVICE_RISK_REGISTER.md in the documentation repo.
:::
| ID | Risk | Sev | Impact | Mitigation | Owner |
|---|---|---|---|---|---|
| R-AU-01 | Publish saga half-failure → orphan CourseVersion / broken catalog | S1 | Broken publishing; customer trust | Explicit compensations; chaos per step; saga state machine; timeout 15 min | Authoring + Platform |
| R-AU-02 | Block registry rushed → shape churn + rework | S1 | Rework cost across player + bundles | RFC + freeze at M2 start (F17); new kinds additive; forward-compat test | Authoring + Content |
| R-AU-03 | AI block persisted without provenance | S1 | Regulatory (EU AI Act), trust | Domain invariant throws; AIClient port always attaches provenance; test on every codepath | Authoring + AI Services |
| R-AU-04 | Yjs doc corruption → collab session lost | S2 | Author frustration; data loss perception | 60s snapshots; replay from event log; repair tool; chaos tests | Authoring |
| R-AU-05 | Offline authoring conflict UX bad → data loss perception | S1 | Churn | Pre-merge backup; side-by-side diff; AI merge suggestion; 30-day retention | Authoring + Sync |
| R-AU-06 | SCORM import RCE via malicious zip | S1 | Platform compromise | Sandbox import; manifest-driven validation; no eval; signed origin allowlist | Authoring + Security |
| R-AU-07 | AI hallucinated content published as fact | S2 | Wrong education; regulatory | HITL draft_ai → review required; RAG over authoritative sources; provenance visible | Authoring + AI Services |
| R-AU-08 | AI budget exhaustion mid-authoring | S3 | UX friction | Budget UI; fallback to local model with consent; per-tenant quota | Authoring + AI + Platform |
| R-AU-09 | Cross-tenant block reference | S1 | Data leak | Domain invariant DomainError.CrossTenant; two-tenant isolation tests | Authoring |
| R-AU-10 | Media reference resolves outside tenant | S1 | Data leak | Media service enforces tenant scope; author-side validation on publish | Authoring + Media |
| R-AU-11 | Draft edit race with publish saga | S2 | Inconsistent state | Aggregate in the publishing state is immutable to direct edits; API returns 423 Locked | Authoring |
| R-AU-12 | Large draft (10k blocks) slow to save | S3 | Author UX | Incremental save; virtualized tree; background compaction | Authoring |
| R-AU-13 | Embed provider XSS | S2 | Learner compromise | Allowlist per tenant; iframe sandbox attributes; CSP | Authoring + Security |
| R-AU-14 | AI prompt injection via author input | S2 | Hijacked AI output | AI gateway prompt-injection shield; system prompt isolation | AI Services + Authoring |
| R-AU-15 | Localization skew between blocks | S3 | Incomplete content in some locales | Required-locales check in publish readiness; UI shows completion % per locale | Authoring |

Governance
- Weekly: Authoring Eng + Security review.
- Block registry changes require ADR.
- AI prompt changes require regression + safety eval pass.