| FM-TEN-01 | PostgreSQL | Primary unavailable | All lifecycle and membership operations fail | Health probe; DB error spike | Automatic failover; pgBouncer retries; alert on-call |
| FM-TEN-02 | Activation saga — facility-service unreachable | Root hierarchy node not created | Tenant activation fails; stays PENDING | Step failure logged; saga exhausted alert | Bounded retry (3x); idempotent create-or-return; alert SRE |
| FM-TEN-03 | Activation saga — identity-service unreachable | Admin user not seeded | Tenant activation fails; stays PENDING | Step failure logged | Bounded retry; idempotent; alert SRE |
| FM-TEN-04 | Activation saga — licensing seed fails | Always-on licenses not seeded | Tenant active but no modules accessible | Step failure logged | Bounded retry; fallback: run seed on next cron cycle |
| FM-TEN-05 | NATS JetStream outbox | Events not published | Downstream services miss lifecycle events | Outbox row age > 60 s alert | Outbox relay retries; manual replay |
| FM-TEN-06 | evaluate() — DB query timeout | Authorization denied / latency spike | Request blocked or returns 503 | p95 latency alert | Query timeout 500 ms; return deny on timeout; alert |
| FM-TEN-07 | Redis cache eviction | Hierarchy tree rebuild on every request | Latency spike on tree queries | Cache hit rate drop alert | Increase Redis memory; warm cache on startup |
| FM-TEN-08 | Subscription expiry cron crash | Expired subscriptions not detected | Tenants retain access beyond contract end | Cron absent from metrics | Kubernetes CronJob restart policy; alert on job failure |
| FM-TEN-09 | identity.user.suspended.v1 not consumed | Suspended user retains memberships | User may appear active in tenant context | Inbox lag alert | NATS at-least-once; inbox deduplication; manual replay |
| FM-TEN-10 | RLS bypass leak | Cross-tenant data exposure | Catastrophic data breach | RLS test failure in CI; isolation audit | tenant_rls_bypass role restricted to background workers only; audit quarterly |
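
An added example, not part of the original document: PostgreSQL catalog queries that the quarterly audit in FM-TEN-10 could run to list who can skip RLS and which tenant tables are not fully protected. `tenant_rls_bypass` is the role named in the table; the `tenant_id` column name and the use of `tenant_rls_bypass` as a group role are assumptions.

```sql
-- Added example. Assumes tenant-scoped tables carry a tenant_id column
-- and that tenant_rls_bypass is granted to worker roles as a group role.

-- 1. Every role that can skip RLS: superusers, BYPASSRLS holders, and
--    direct or inherited members of tenant_rls_bypass.
WITH RECURSIVE bypass_members AS (
    SELECT m.member
    FROM pg_auth_members m
    JOIN pg_roles g ON g.oid = m.roleid
    WHERE g.rolname = 'tenant_rls_bypass'
  UNION
    SELECT m.member
    FROM pg_auth_members m
    JOIN bypass_members b ON m.roleid = b.member
)
SELECT r.rolname,
       r.rolcanlogin,
       r.rolsuper,
       r.rolbypassrls,
       r.oid IN (SELECT member FROM bypass_members) AS via_tenant_rls_bypass
FROM pg_roles r
WHERE r.rolsuper
   OR r.rolbypassrls
   OR r.oid IN (SELECT member FROM bypass_members)
ORDER BY r.rolname;

-- 2. Tenant tables where RLS is off, or on but not forced.
--    Without FORCE ROW LEVEL SECURITY the table owner is not subject
--    to the policies, so both flags must be true.
SELECT n.nspname AS schema_name,
       c.relname AS table_name,
       c.relrowsecurity      AS rls_enabled,
       c.relforcerowsecurity AS rls_forced
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
JOIN pg_attribute a ON a.attrelid = c.oid
WHERE c.relkind IN ('r', 'p')          -- ordinary and partitioned tables
  AND a.attname = 'tenant_id'          -- assumed tenant column name
  AND NOT a.attisdropped
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND (NOT c.relrowsecurity OR NOT c.relforcerowsecurity)
ORDER BY n.nspname, c.relname;
```

Any login role in the first result that is not a background worker, and any row in the second result, is an audit finding.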