Risk Register
:::info Source
Sourced from services/catalog-service/SERVICE_RISK_REGISTER.md in the documentation repo.
:::
| ID | Risk | Severity | Impact | Mitigation | Owner |
|---|---|---|---|---|---|
| R-CA-01 | Duplicate CourseVersion registered | S2 | Confused downstreams | Unique constraint; idempotent | Catalog |
| R-CA-02 | Cross-tenant catalog leak via public listings | S1 | Data leak | Visibility invariant; isolation tests | Catalog + Security |
| R-CA-03 | Taxonomy depth blowup | S3 | Query performance | Depth cap 10; integrity job | Catalog |
| R-CA-04 | Slug collision | S3 | UX | Unique per tenant + suggestions | Catalog |
| R-CA-05 | Withdrawal cascade missed | S2 | Stale marketplace | Event-driven; manual re-emit | Catalog |
| R-CA-06 | Course visibility upgrade unintended | S2 | Privacy | RBAC check on visibility change | Catalog + Security |
| R-CA-07 | GDPR erasure of authored data | S2 | Regulator | Participate; audit retention as legit | Compliance + Catalog |
| R-CA-08 | Orphan CourseVersion (missing play_package) | S3 | Broken learner experience | Validate at registration | Catalog |