| RISK-CONFIG-01 | Resolution SLO breach — pipeline latency exceeds 500 ms p95 due to BFS depth or upstream slowness | Medium | High | High | Platform SRE | Circuit breakers on all upstreams; Redis cache hit target ≥ 85 %; BFS depth limit 10; resolution timeout returns 504 |
| RISK-CONFIG-02 | Cross-tenant data leak — RLS misconfiguration exposes config of Tenant B to Tenant A | Low | Critical | Critical | Security team | RLS policies enforced + automated tenant-isolation test in CI; any failure blocks deploy |
| RISK-CONFIG-03 | Stale cache after missed eviction event — NATS message lost before eviction; user retains denied/granted access longer than TTL | Low-Medium | Medium | Medium | Platform team | Short TTL (60 s); DLQ alert on missed events; manual full-tenant cache flush tool |
| RISK-CONFIG-04 | DAG cycle in production — circular role or config node reference introduced via direct DB manipulation | Low | Medium | Medium | DBAs | Application-level cycle detection; no direct DB write access in prod; migrations only |
| RISK-CONFIG-05 | ExplicitAllow override abuse — Tenant Admin grants broad override without adequate review | Medium | High | High | Compliance team | Justification mandatory; override events audited; override expiry required; audit alerts for broad nodeId scope |
| RISK-CONFIG-06 | BFS role graph explosion — extremely deep role hierarchy degrades resolution performance | Low | High | Medium | Platform team | Max depth 10 enforced at definition time; role definitions rejected with CIRCULAR_ROLE_INHERITANCE on a cycle or when depth > 10 |
| RISK-CONFIG-07 | facility-service coupling — config-service cannot resolve without hierarchy spine; if facility-service is down, all resolutions fail | Medium | High | High | Platform SRE | Fail closed (deny); cache for unexpired spines; facility-service SLO aligned with config-service SLO |
| RISK-CONFIG-08 | Design token bloat — tenants create thousands of token overrides; token merge becomes slow | Low | Low | Low | Product | Paginate token list API; compress token map in Redis; alert on token count > 500 per tenant |
| RISK-CONFIG-09 | System role mutation during incident — SUPER_ADMIN modifies system roles under pressure; unintended access granted | Low | Critical | High | Platform lead | SUPER_ADMIN role changes require change-management ticket; audit event; 4-eyes approval (procedural) |
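
The application-level cycle detection (RISK-CONFIG-04) and the definition-time depth limit (RISK-CONFIG-06), as an added example that is not the config-service's own code: one topological pass over a role-inheritance graph that rejects a write with CIRCULAR_ROLE_INHERITANCE on a cycle, or with ROLE_DEPTH_EXCEEDED (an assumed error name) when the longest inheritance chain exceeds 10 hops. The sample graphs are constructed.

```python
from collections import deque

MAX_ROLE_DEPTH = 10  # register: depth > 10 is rejected at definition time

# CIRCULAR_ROLE_INHERITANCE is the code named in the register;
# ROLE_DEPTH_EXCEEDED is an assumed name for the depth-limit rejection.
CIRCULAR_ROLE_INHERITANCE = "CIRCULAR_ROLE_INHERITANCE"
ROLE_DEPTH_EXCEEDED = "ROLE_DEPTH_EXCEEDED"


def validate_role_graph(parents, max_depth=MAX_ROLE_DEPTH):
    """Validate a role-inheritance graph before it is persisted.

    `parents` maps role id -> roles it inherits from. Returns (None, depths)
    for an acyclic graph within the limit, else (error_code, {}).
    """
    # Parents referenced but never defined are treated as root roles.
    graph = {r: list(ps) for r, ps in parents.items()}
    for ps in parents.values():
        for p in ps:
            graph.setdefault(p, [])

    # Kahn's algorithm: a role is ready once every role it inherits from has a
    # depth. Roles never reached are part of, or downstream of, a cycle.
    children = {r: [] for r in graph}
    pending = {r: len(ps) for r, ps in graph.items()}
    for role, ps in graph.items():
        for p in ps:
            children[p].append(role)

    ready = deque(r for r, n in pending.items() if n == 0)
    depths = {}
    while ready:
        role = ready.popleft()
        # Depth = longest chain of inheritance hops to a root (roots are 0).
        depths[role] = max((depths[p] + 1 for p in graph[role]), default=0)
        for child in children[role]:
            pending[child] -= 1
            if pending[child] == 0:
                ready.append(child)

    if len(depths) != len(graph):
        return CIRCULAR_ROLE_INHERITANCE, {}
    if max(depths.values(), default=0) > max_depth:
        return ROLE_DEPTH_EXCEEDED, {}
    return None, depths


# Constructed sample graphs (not from the register).
VALID = {"viewer": [], "editor": ["viewer"], "admin": ["editor", "viewer"]}
CYCLIC = {"a": ["b"], "b": ["c"], "c": ["a"]}
TOO_DEEP = {f"r{i}": [f"r{i-1}"] for i in range(1, 12)}  # chain r0..r11, 11 hops
```

A chain of exactly 10 hops (r0..r10) is still accepted, since the register rejects only depth > 10.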