| RISK-AUDIT-01 | Audit entries tampered or deleted | Very Low | Critical | CRITICAL | DBA + Security Lead | UPDATE/DELETE revoked at DB role level; chain-hash detects tampering; daily verification job; CRITICAL alert | Very low |
| RISK-AUDIT-02 | Cross-tenant audit data visible to wrong tenant admin | Low | Critical | CRITICAL | Security Lead + DBA | RLS on audit_entries; JWT-extracted tenantId; mandatory tenant-isolation.spec.ts in CI | Very low |
| RISK-AUDIT-03 | Chain-hash verification job silently fails | Low | High | HIGH | SRE | Job emits audit_chain_integrity_failures_total metric; alert fires on any > 0 value; job is monitored in Grafana | Low |
| RISK-AUDIT-04 | Source service stops emitting events (audit gap) | Medium | High | HIGH | Platform Eng | Per-service event rate metric; AuditIngestionStopped alert if rate drops to zero for > 5 min; source service contract tests | Low |
| RISK-AUDIT-05 | NATS DLQ grows silently — events never ingested | Low | High | HIGH | SRE | audit_dlq_pending_messages metric; AuditDLQGrowing alert; DLQ handler retries 3x; audit.dlq.alert.v1 to platform-admin-service | Low |
| RISK-AUDIT-06 | Postgres DB unavailable — audit trail gap | Low–Medium | High | HIGH | SRE | NATS JetStream holds messages; events re-delivered on DB recovery; at-least-once delivery; gap duration logged | Low |
| RISK-AUDIT-07 | Export file exposed beyond intended recipient | Low | High | HIGH | Security Lead | Signed URLs; 1-hour TTL; export request itself creates AuditEntry (meta-audit); rate-limited to Super Admin | Low |
| RISK-AUDIT-08 | PHI in metadata field of audit entries visible to unauthorized roles | Low | High | HIGH | Compliance Officer | Access controlled by RBAC + RLS; Tenant Admins see their own tenant only; patients see only disclosure endpoint | Low |
| RISK-AUDIT-09 | Monthly partition not pruned → table bloat → query degradation | Low | Medium | MEDIUM | DBA | Drizzle migration manages monthly partitions; partition-pruning for time-range queries; archival policy applied; DBA monitors table size | Low |
| RISK-AUDIT-10 | Event schema change from source service breaks ingestion normalisation | Medium | Medium | MEDIUM | Platform Eng | Schema registry with conformance tests per event type; malformed events go to DLQ (not dropped); DLQ handler alerts | Medium |
| RISK-AUDIT-11 | Audit service itself is a target for denial-of-service via query flood | Low | Medium | MEDIUM | SRE | Kong rate limiting (60 req/min per user); 90-day query window enforced; expensive queries forced to async export | Low |
| RISK-AUDIT-12 | 7-year retention policy not applied correctly — data deleted early | Very Low | Critical | CRITICAL | DBA + Compliance Officer | Partition archival policy reviewed in CI; automated tests verify no rows deleted before 7-year mark; DBA quarterly review | Very low |
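The chain-hash control behind RISK-AUDIT-01 and the verification job behind RISK-AUDIT-03 are easiest to reason about with a concrete implementation. The following is an added example written for this page, not the project's own audit service code: it seals each entry with a SHA-256 over a canonical serialisation of the row plus the previous row's hash, and the verification routine walks the chain to detect both in-place edits and deleted rows. The field names (`tenantId`, `occurredAt`, `action`, `metadata`, `prevHash`, `hash`), the `GENESIS` sentinel and the sample entries are assumptions constructed for the example.

```typescript
import { createHash } from "node:crypto";

const GENESIS_HASH = "GENESIS"; // assumed sentinel for the first entry's prevHash

interface AuditEntry {
  id: number;
  tenantId: string;
  occurredAt: string;                // ISO-8601 timestamp
  action: string;
  metadata: Record<string, unknown>;
  prevHash: string;                  // hash of the preceding entry in the chain
  hash: string;                      // SHA-256 over the canonical payload below
}

type Draft = Omit<AuditEntry, "prevHash" | "hash">;
interface Verdict { ok: boolean; brokenAt?: number; reason?: string }

// Deterministic JSON (keys sorted recursively) so that re-serialising the same
// row in the verification job produces byte-identical input to the hash.
function stableStringify(value: unknown): string {
  if (Array.isArray(value)) return "[" + value.map(stableStringify).join(",") + "]";
  if (value !== null && typeof value === "object") {
    const obj = value as Record<string, unknown>;
    return "{" + Object.keys(obj).sort()
      .map((k) => JSON.stringify(k) + ":" + stableStringify(obj[k])).join(",") + "}";
  }
  return JSON.stringify(value);
}

function computeHash(e: Omit<AuditEntry, "hash">): string {
  const payload = stableStringify({
    id: e.id, tenantId: e.tenantId, occurredAt: e.occurredAt,
    action: e.action, metadata: e.metadata, prevHash: e.prevHash,
  });
  return createHash("sha256").update(payload).digest("hex");
}

// Append-only insert path: link to the previous row's hash, then seal the row.
function appendEntry(chain: AuditEntry[], draft: Draft): AuditEntry {
  const prevHash = chain.length ? chain[chain.length - 1].hash : GENESIS_HASH;
  const unsealed = { ...draft, prevHash };
  const entry: AuditEntry = { ...unsealed, hash: computeHash(unsealed) };
  chain.push(entry);
  return entry;
}

// What a daily verification job does: walk the chain in insertion order and check
// (a) each row's prevHash matches its predecessor (catches deletion / reordering) and
// (b) each row still hashes to its stored hash (catches in-place edits).
function verifyChain(entries: AuditEntry[]): Verdict {
  let expectedPrev = GENESIS_HASH;
  for (const e of entries) {
    if (e.prevHash !== expectedPrev) {
      return { ok: false, brokenAt: e.id, reason: "prevHash does not match predecessor" };
    }
    const { hash, ...unsealed } = e;
    if (computeHash(unsealed) !== hash) {
      return { ok: false, brokenAt: e.id, reason: "stored hash does not match content" };
    }
    expectedPrev = hash;
  }
  return { ok: true };
}

// Constructed sample chain for one tenant.
function buildSampleChain(): AuditEntry[] {
  const chain: AuditEntry[] = [];
  appendEntry(chain, { id: 1, tenantId: "tenant-a", occurredAt: "2024-01-01T00:00:00Z",
    action: "user.login", metadata: { userId: "u1" } });
  appendEntry(chain, { id: 2, tenantId: "tenant-a", occurredAt: "2024-01-01T00:05:00Z",
    action: "record.view", metadata: { recordId: "r42" } });
  appendEntry(chain, { id: 3, tenantId: "tenant-a", occurredAt: "2024-01-01T00:09:00Z",
    action: "record.export", metadata: { recordId: "r42" } });
  return chain;
}

// Scenario 1 (constructed): a field in row 2 is rewritten; the hash column is left as-is.
function tamperedChain(): AuditEntry[] {
  const chain = buildSampleChain();
  chain[1] = { ...chain[1], metadata: { recordId: "r99" } };
  return chain;
}

// Scenario 2 (constructed): row 2 is deleted outright.
function chainWithDeletion(): AuditEntry[] {
  return buildSampleChain().filter((e) => e.id !== 2);
}

console.log("intact:", verifyChain(buildSampleChain()));
console.log("edited:", verifyChain(tamperedChain()));
console.log("deleted:", verifyChain(chainWithDeletion()));
```

The verdict's `brokenAt` is the first entry at which the chain no longer holds, which is what the job would attach to the `audit_chain_integrity_failures_total` increment and the CRITICAL alert. Two design points matter for the register's residual-risk ratings: the chain only detects tampering if the verifier can trust the starting point and the ordering, so the job should also compare the current head hash against a copy held outside the audit database; and the chain is a detective control, not a preventive one, which is why the row pairs it with revoking UPDATE/DELETE at the DB role level.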