| F1 | Postgres writer outage | Writes fail; reads degraded | /readyz | Failover; retry on client |
| F2 | OpenSearch outage | Fuzzy search degraded to prefix match | Health metric | Fallback to DB search; warn ops |
| F3 | Redis outage | Privilege checks hit DB | Cache miss 100% | Circuit break; reduce non-critical reads |
| F4 | NATS outage | Outbox backlog | outbox_lag_seconds | Wait, then replay |
| F5 | Credential expiry job silently fails | Providers continue with expired license | Job heartbeat missing | Heartbeat metric + alert; rerun manually |
| F6 | Endpoint healthcheck stuck | Partners see no updates | Success rate plummets | Replace probe pod; circuit-break caller |
| F7 | Privilege cascade bug — revoked credential does not demote roles | Clinical safety | Integration test + audit replay | Transactional cascade + regression test |
| F8 | Cross-tenant leak via search | Security incident | Mandatory isolation test | RLS; tenant-scoped index; alert on drift |
| F9 | FHIR projection lag | Partner staleness | Projection error rate | DLQ + manual replay |
| F10 | Duplicate creation race (same identifier) | Data-quality issue | Unique constraint violation | DB constraint; 409 to second caller |
| F11 | Credential PDF upload triggers PII retention policy | Legal | Review hook | Separate document-service bucket with encryption |
| F12 | Expired credential brown-out (clock skew) | False expired state | NTP alerts | NTP sync; tolerance of 60s skew in scheduler |
| F13 | Terminology-service outage blocks writes | Onboarding halted | Timeout metrics | Soft-fail: accept with specialty.unverified flag; re-validate later |
| F14 | Endpoint with mtls auth has expired cert | Partner auth fails | endpoint.health_changed.v1 to error | Alert on error transition; runbook |