| RISK-DOC-01 | PHI exposure via object storage misconfiguration — public bucket ACL or broken presigned URL grants unauthorized access to patient documents | Low | Critical | Critical | Security team | Bucket ACL enforced as private-only; presigned URL TTL 15 min; automated ACL audit in CI/CD; pen test before launch |
| RISK-DOC-02 | Virus scan bypass — ClamAV unavailable; uploads accepted without scan | Low | High | High | Platform SRE | Health check gates uploads on ClamAV readiness; upload endpoint returns 503 if ClamAV not connected; never skip scan |
| RISK-DOC-03 | PDF generation timeout degrading clinical workflow — complex templates or slow FHIR resolution causes p95 > 5 s | Medium | Medium | Medium | Platform team | Async render job fallback; circuit breaker on FHIR calls; template complexity limits enforced at publish time |
| RISK-DOC-04 | FHIR binding resolution exposes wrong patient data — binding path error generates PDF with incorrect or mixed patient data | Low | Critical | Critical | Clinical informatics | Binding validation at template publish time; required context IDs validated at generation time; golden test per reference form |
| RISK-DOC-05 | Platform reference template divergence — platform package upgrade breaks existing generated documents or tenant forks | Low | Medium | Medium | Product team | Semantic versioning on reference-forms package; tenants may pin version; golden PDF hash tests in CI block breaking changes |
| RISK-DOC-06 | Render worker queue backlog — high volume of async jobs starves queue; jobs sit for > 30 s | Medium | Medium | Medium | Platform SRE | Auto-scale workers on queue depth; alert at 500 queued; bulk generation license gates high-volume scenarios |
| RISK-DOC-07 | Object storage data loss — accidental bucket deletion or replication failure | Very Low | Critical | High | SRE | S3 versioning + replication; weekly restore drills; legal hold prevents deletion during retention period |
| RISK-DOC-08 | AI-assisted wording accepted without clinical review — AI suggestion contains inaccurate clinical text accepted by a non-clinical author | Low | High | High | Clinical governance | AI output is advisory; HITL acceptance required; AI-assisted fields flagged in template version metadata; clinical governance review before publish |
| RISK-DOC-09 | RTL/LTR PDF rendering defects — Pashto/Dari scripts render incorrectly in generated PDFs | Medium | High | High | Engineering | Embedded fonts (Noto Nastaliq Urdu) required; locale test suite per reference form; golden PDF comparison tests |
| RISK-DOC-10 | clientMutationId collision — two different render requests share same idempotency key; wrong document returned | Very Low | Medium | Low | Engineering | Idempotency key scoped to (tenantId, clientMutationId); collision probability negligible with UUIDv4; documented in API contracts |
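The RISK-DOC-01 mitigations (private-only bucket ACL, 15 minute presigned URL TTL, automated ACL audit in CI/CD) can be checked mechanically before launch. The following is an added example, not code from the register's project: a CI-style audit written in Python over the S3 `GetBucketAcl` response shape and the four real S3 `PublicAccessBlock` flags, with the presigned URL TTL read from the SigV4 `X-Amz-Expires` query parameter. The bucket names, ACL documents and URLs are constructed; in a real pipeline they would come from the storage API.

```python
"""Added example (not the project's own code): CI audit for RISK-DOC-01.
Flags public ACL grants, disabled PublicAccessBlock settings and presigned
URLs whose TTL exceeds the 15 minute limit. Sample inputs are constructed."""
import sys
from urllib.parse import parse_qs, urlparse

# Group URIs that S3 canned ACLs use for anonymous / any-AWS-account access
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
MAX_PRESIGN_TTL_SECONDS = 15 * 60  # TTL limit from the RISK-DOC-01 mitigation
PUBLIC_ACCESS_BLOCK_FLAGS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)


def acl_findings(acl: dict) -> list:
    """One finding per grant to a public group; empty list means private-only."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            findings.append(f"ACL grants {grant.get('Permission')} to {grantee['URI']}")
    return findings


def public_access_block_findings(config: dict) -> list:
    """Every PublicAccessBlock flag must be True for ACL/policy public access to be blocked."""
    return [f"PublicAccessBlock {flag} is not enabled"
            for flag in PUBLIC_ACCESS_BLOCK_FLAGS if not config.get(flag, False)]


def presigned_url_findings(url: str) -> list:
    """SigV4 presigned URLs carry their lifetime in X-Amz-Expires (seconds)."""
    query = parse_qs(urlparse(url).query)
    expires = query.get("X-Amz-Expires")
    if not expires:
        return ["URL is not a SigV4 presigned URL (no X-Amz-Expires)"]
    try:
        ttl = int(expires[0])
    except ValueError:
        return [f"X-Amz-Expires is not an integer: {expires[0]!r}"]
    if ttl > MAX_PRESIGN_TTL_SECONDS:
        return [f"presigned URL TTL {ttl}s exceeds {MAX_PRESIGN_TTL_SECONDS}s"]
    return []


def audit_bucket(name: str, acl: dict, public_access_block: dict, presigned_urls: list) -> list:
    """Combine all checks for one bucket; an empty list means the bucket passes."""
    findings = acl_findings(acl) + public_access_block_findings(public_access_block)
    for url in presigned_urls:
        findings += presigned_url_findings(url)
    return [f"{name}: {f}" for f in findings]


# Constructed sample data (not real buckets or credentials)
OWNER = {"Type": "CanonicalUser", "ID": "owner-canonical-id"}
GOOD_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
BAD_ACL = {"Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": PUBLIC_GRANTEE_URIS and
                 "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
GOOD_PAB = {flag: True for flag in PUBLIC_ACCESS_BLOCK_FLAGS}
BAD_PAB = {**GOOD_PAB, "BlockPublicAcls": False}
GOOD_URL = ("https://docs-bucket.s3.amazonaws.com/patient/p-123.pdf"
            "?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=900&X-Amz-Signature=deadbeef")
BAD_URL = GOOD_URL.replace("X-Amz-Expires=900", "X-Amz-Expires=86400")

if __name__ == "__main__":
    # CI entry point: non-zero exit blocks the pipeline on any finding
    problems = audit_bucket("docs-bucket", BAD_ACL, BAD_PAB, [BAD_URL])
    print("\n".join(problems) or "no findings")
    sys.exit(1 if problems else 0)
```

The audit is deliberately fail-closed: a URL that is not recognisably presigned is reported rather than ignored, so a code path that hands out plain object URLs is caught alongside one that hands out long-lived signed ones.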
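RISK-DOC-02 requires that the upload endpoint never accepts a file without a scan and returns 503 whenever ClamAV is not connected. The block below is an added example, not the project's upload handler: a minimal Python client for the clamd socket protocol (the real `zPING` / `zINSTREAM` commands with 4-byte big-endian chunk framing and NUL-terminated replies), wrapped in a fail-closed upload gate. The socket factory is injected so the example runs offline against a constructed in-memory stand-in for clamd; in production it would be `socket.create_connection(("clamav", 3310))` or similar. The verdict strings and the EICAR signature name are used only as scripted replies of that stand-in.

```python
"""Added example (not the project's code): fail-closed upload gate for RISK-DOC-02.
Uploads are stored only after clamd answers PONG and returns 'stream: OK';
any connection failure or unexpected reply yields HTTP 503, never a skipped scan."""
import struct
from typing import Callable, Optional

CHUNK = 8192  # INSTREAM chunk size; clamd's StreamMaxLength bounds the total


class ScannerUnavailable(Exception):
    """clamd could not be reached, hung up early, or answered unexpectedly."""


class ClamdClient:
    def __init__(self, connect: Callable[[], object]):
        # connect() returns an object with sendall/recv/close (a socket in production)
        self._connect = connect

    def _exchange(self, command: bytes, payload: Optional[bytes] = None) -> bytes:
        try:
            sock = self._connect()
        except OSError as exc:
            raise ScannerUnavailable(f"connect failed: {exc}") from exc
        try:
            sock.sendall(command)
            if payload is not None:
                # INSTREAM framing: <4-byte length><chunk>..., zero-length chunk ends the stream
                for i in range(0, len(payload), CHUNK):
                    chunk = payload[i:i + CHUNK]
                    sock.sendall(struct.pack(">I", len(chunk)) + chunk)
                sock.sendall(struct.pack(">I", 0))
            buf = b""
            while not buf.endswith(b"\0"):  # 'z'-prefixed commands get NUL-terminated replies
                part = sock.recv(4096)
                if not part:
                    raise ScannerUnavailable("connection closed before reply")
                buf += part
            return buf[:-1]
        except OSError as exc:
            raise ScannerUnavailable(str(exc)) from exc
        finally:
            sock.close()

    def ready(self) -> bool:
        return self._exchange(b"zPING\0") == b"PONG"

    def scan(self, data: bytes) -> bytes:
        return self._exchange(b"zINSTREAM\0", data)


def handle_upload(client: ClamdClient, body: bytes):
    """Return (http_status, message). 503 is the answer to every non-verdict."""
    try:
        if not client.ready():
            return 503, "scanner not ready"
        verdict = client.scan(body)
    except ScannerUnavailable as exc:
        return 503, f"scanner unavailable: {exc}"  # fail closed, do not store
    if verdict == b"stream: OK":
        return 201, "stored"
    if verdict.endswith(b" FOUND"):
        return 422, "rejected: " + verdict.decode()
    return 503, "unexpected scanner reply"  # unknown state is treated as unavailable


class FakeClamd:
    """Constructed in-memory stand-in for a clamd daemon (not ClamAV itself)."""
    def __init__(self, verdict: bytes = b"stream: OK", up: bool = True):
        self.verdict, self.up = verdict, up

    def connect(self):
        if not self.up:
            raise OSError("connection refused")
        return _FakeSession(self.verdict)


class _FakeSession:
    def __init__(self, verdict: bytes):
        self.sent, self.verdict, self.replied = b"", verdict, False

    def sendall(self, data: bytes):
        self.sent += data

    def recv(self, n: int) -> bytes:
        if self.replied:
            return b""
        self.replied = True
        if self.sent.startswith(b"zPING\0"):
            return b"PONG\0"
        if self.sent.startswith(b"zINSTREAM\0") and self.sent.endswith(struct.pack(">I", 0)):
            return self.verdict + b"\0"  # only reply once the stream was terminated correctly
        return b""

    def close(self):
        pass
```

Note that the readiness probe is a live `PING` per request rather than a cached flag: a daemon that was healthy at startup and died later must still produce a 503, which is the gap the register's "health check gates uploads on ClamAV readiness" mitigation is meant to close.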
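RISK-DOC-10's mitigation is that the idempotency key is scoped to `(tenantId, clientMutationId)` and that the id is a UUIDv4. As an added example (not the project's code) the Python below places a store keyed by `clientMutationId` alone, which returns one tenant's document to another on a key collision, next to the tenant-scoped store the register describes, together with the UUIDv4 check. Tenant ids, mutation ids and the render stub are constructed.

```python
"""Added example (not the project's code): tenant-scoped idempotency for RISK-DOC-10."""
import uuid
from typing import Callable


def validate_client_mutation_id(value: str) -> str:
    """Accept only UUIDv4 so clients cannot pick low-entropy, collision-prone keys."""
    try:
        parsed = uuid.UUID(value)
    except (ValueError, AttributeError, TypeError) as exc:
        raise ValueError("clientMutationId must be a UUID") from exc
    if parsed.version != 4:
        raise ValueError("clientMutationId must be UUIDv4")
    return str(parsed)


class GlobalKeyStore:
    """Unsafe: keyed by clientMutationId alone, so a collision across tenants
    returns the first tenant's document to the second (the RISK-DOC-10 failure)."""
    def __init__(self):
        self._docs = {}

    def get_or_render(self, tenant_id: str, cmid: str, render: Callable[[str], str]) -> str:
        key = validate_client_mutation_id(cmid)
        if key not in self._docs:
            self._docs[key] = render(tenant_id)
        return self._docs[key]


class TenantScopedStore:
    """Mitigated: the cache key includes the tenant, so identical clientMutationIds
    from different tenants can never resolve to the same stored document."""
    def __init__(self):
        self._docs = {}
        self.renders = 0  # counts real render work, to show replays are served from cache

    def get_or_render(self, tenant_id: str, cmid: str, render: Callable[[str], str]) -> str:
        key = (tenant_id, validate_client_mutation_id(cmid))
        if key not in self._docs:
            self.renders += 1
            self._docs[key] = render(tenant_id)
        return self._docs[key]


def render_document(tenant_id: str) -> str:
    """Constructed stand-in for the PDF render job; returns a tenant-tagged document id."""
    return f"doc-{tenant_id}-{uuid.uuid4()}"


if __name__ == "__main__":
    shared = str(uuid.uuid4())  # the same clientMutationId arriving from two tenants
    unsafe, safe = GlobalKeyStore(), TenantScopedStore()
    print("global key  :", unsafe.get_or_render("tenant-a", shared, render_document),
          unsafe.get_or_render("tenant-b", shared, render_document))
    print("tenant-scoped:", safe.get_or_render("tenant-a", shared, render_document),
          safe.get_or_render("tenant-b", shared, render_document))
```

In a real deployment the dictionary would be a database table or cache with a composite unique index on the two columns and a TTL matching the retry window; the scoping rule is the part that matters, and it belongs in the API contract as the register notes.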