SERVICE_RISK_REGISTER — pricing-service
Sibling: FAILURE_MODES · SECURITY_MODEL · AI_INTEGRATION · SERVICE_READINESS
This register captures known and accepted risks for the pricing-service. Risks are scored on a 1–5 scale for likelihood (L) and impact (I); the score is L × I. Anything ≥ 12 requires an active mitigation plan with an owner and a target review date. Entries are reviewed quarterly by the service owner and on every major release.
1. Risk score legend
| Likelihood / Impact | 1 — Trivial | 2 — Minor | 3 — Moderate | 4 — Major | 5 — Critical |
|---|---|---|---|---|---|
| 1 — Rare | 1 | 2 | 3 | 4 | 5 |
| 2 — Unlikely | 2 | 4 | 6 | 8 | 10 |
| 3 — Possible | 3 | 6 | 9 | 12 | 15 |
| 4 — Likely | 4 | 8 | 12 | 16 | 20 |
| 5 — Almost certain | 5 | 10 | 15 | 20 | 25 |
2. Active risks
R-01 — Cross-tenant rate leakage
| Field | Value |
|---|---|
| Category | Security / Tenancy |
| L × I | 2 × 5 = 10 |
| Description | A query path bypasses the SET LOCAL app.tenant_id step that the row-level security policies key on, and returns rows belonging to another tenant. Pricing data is commercially sensitive. |
| Mitigations | Multi-layer isolation (RLS + ALS + cache prefix + CMEK namespace); CI test plants two tenants and asserts cross-tenant queries return zero rows; audit log alert on MELMASTOON.SECURITY.TENANT_VIOLATION. |
| Residual | Low |
| Owner | Service owner + AppSec |
| Review | Quarterly |
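The RLS layer and the two-tenant CI check named in R-01, as an added example in PostgreSQL; this is not the pricing-service's own schema, and the table, column and UUID values are assumptions. The point it demonstrates is that the policy must fail closed: a request that skips the SET LOCAL step must see zero rows, not every tenant's rows.

```sql
-- Added example, not the pricing-service's own schema: a fail-closed
-- PostgreSQL RLS policy keyed on the app.tenant_id setting, plus the
-- two-tenant cross-tenant check described in R-01. Table, column and
-- role names are assumptions.

CREATE TABLE rate_plan (
    id        bigserial PRIMARY KEY,
    tenant_id uuid NOT NULL,
    name      text NOT NULL
);

-- Constructed seed data for two tenants, loaded before RLS is switched on.
INSERT INTO rate_plan (tenant_id, name) VALUES
    ('11111111-1111-1111-1111-111111111111', 'tenant-a standard'),
    ('22222222-2222-2222-2222-222222222222', 'tenant-b standard');

-- Table owners bypass RLS unless FORCE is set; without it a migration or
-- batch job running as the owner is itself a bypass path.
ALTER TABLE rate_plan ENABLE ROW LEVEL SECURITY;
ALTER TABLE rate_plan FORCE ROW LEVEL SECURITY;

-- current_setting(name, true) returns NULL when the setting was never set
-- and can return '' once an earlier SET LOCAL has reverted at transaction
-- end. NULLIF maps both to NULL; NULL = tenant_id is NULL, which RLS treats
-- as false. A request that skipped SET LOCAL therefore sees zero rows.
CREATE POLICY tenant_isolation ON rate_plan
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Run the checks as the application role, never as a superuser (superusers
-- always bypass RLS). Scoped path: only tenant A's rows are visible.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
SELECT count(*) AS own_rows     FROM rate_plan;                        -- 1
SELECT count(*) AS foreign_rows FROM rate_plan
 WHERE tenant_id = '22222222-2222-2222-2222-222222222222';             -- 0, not 1
COMMIT;

-- The bypass path itself: a transaction with no SET LOCAL. Must be 0, not 2.
BEGIN;
SELECT count(*) AS unscoped_rows FROM rate_plan;                       -- 0
COMMIT;
```

Two caveats a reviewer of this mitigation should check for. First, the setting must be applied with SET LOCAL inside the request's transaction; a plain SET is session-scoped and, behind a connection pool, leaks the tenant to whichever request borrows that connection next. Second, the CI test should run as the same database role the service uses in production; a test that runs as a superuser or as the owner without FORCE will pass against a broken policy.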
R-02 — Sharia rule misinterpretation
| Field | Value |
|---|---|
| Category | Compliance |
| L × I | 2 × 4 = 8 |
| Description | The Sharia guard's logic could disagree with the tenant's local Sharia council on a specific fee structure. |
| Mitigations | Domain-level guard documented; shariaTag curated by Revenue Ops with Sharia liaison sign-off; configurable per tenant via tenant-service config; AI suggestions explicitly constrained for Sharia plans; Sharia council on the ORR sign-off list. |
| Residual | Medium |
| Owner | Service owner + Sharia council liaison |
| Review | Annually + per fee/category change |
R-03 — FX provider concentration
| Field | Value |
|---|---|
| Category | Vendor / Reliability |
| L × I | 3 × 3 = 9 |
| Description | Single FX provider outage degrades multi-currency display for up to 72h. |
| Mitigations | Cached snapshot pattern with staleAfter/hardExpireAt; provider abstracted behind FxProviderClient port; secondary provider integration on roadmap (planned Q2 2026). |
| Residual | Medium |
| Owner | Platform Eng |
| Review | Quarterly |
R-04 — Promo enumeration brute force
| Field | Value |
|---|---|
| Category | Security |
| L × I | 3 × 2 = 6 |
| Description | A booker session enumerates valid promo codes by brute-forcing the :validate endpoint. |
| Mitigations | Rate-limit :validate to 30/min; IP block on > 100 invalid in 1h; promo codes scoped per tenant; audit alert. |
| Residual | Low |
| Owner | AppSec |
| Review | Annually |
R-05 — AI suggestion bias / drift
| Field | Value |
|---|---|
| Category | AI / Compliance |
| L × I | 3 × 3 = 9 |
| Description | Vertex AI model drift produces systematically high (or low) suggestions, biasing operator decisions. |
| Mitigations | All suggestions are advisory + HITL gated (acceptance bounded by safety floor/ceiling); suggestion outcomes tracked via pricing_dynamic_suggestion_total{outcome=…} and reviewed monthly; prompt versioning; orchestrator audit retention. |
| Residual | Medium |
| Owner | Revenue Ops + AI Eng |
| Review | Monthly suggestion-quality review |
R-06 — Quote derivation determinism regression
| Field | Value |
|---|---|
| Category | Correctness |
| L × I | 2 × 5 = 10 |
| Description | A code change introduces non-determinism in derivation; reservations could be priced inconsistently between server and desktop. |
| Mitigations | Property-based test asserts byte-identical recomputation; integration test recomputes server quote from derivation snapshot; nightly mutation score ≥ 80% on domain layer; CODEOWNERS gate on golden test files. |
| Residual | Low |
| Owner | Service owner |
| Review | Per release |
R-07 — Outbox publisher backlog (escalating to data loss)
| Field | Value |
|---|---|
| Category | Reliability |
| L × I | 2 × 4 = 8 |
| Description | A sustained Pub/Sub outage leaves unpublished rows accumulating in the outbox; unbounded growth puts pressure on the database and, if the publisher never catches up or rows are purged to relieve that pressure, escalates to lost events. |
| Mitigations | Publisher leader-election, dual-write to secondary topic, manual replay tool, alert on pricing_outbox_unpublished > 1000. |
| Residual | Low |
| Owner | Platform SRE |
| Review | Quarterly |
R-08 — Rate-plan archive mid-active-bookings
| Field | Value |
|---|---|
| Category | Operational |
| L × I | 3 × 3 = 9 |
| Description | An operator archives a plan that backs significant future bookings; new quotes blocked but existing quotes honoured. |
| Mitigations | Step-up auth required; UI surfaces futureBookingsAtArchive count; rate_plan.archived.v1 event consumed by analytics for visibility; un-archive workflow available. |
| Residual | Low |
| Owner | Backoffice product |
| Review | Annually |
R-09 — Desktop offline quote mismatch
| Field | Value |
|---|---|
| Category | Reliability / UX |
| L × I | 4 × 2 = 8 |
| Description | Long offline windows produce desktop-derived quotes that the server later rejects on push, for example because a promo usage cap was reached or the rate plan was archived while the desktop was offline. |
| Mitigations | Server is authoritative on push; desktop UI surfaces rejection with clear remediation; runbook for staff. |
| Residual | Medium |
| Owner | Desktop product |
| Review | Quarterly |
R-10 — Vendor lock-in: Vertex AI Gemini
| Field | Value |
|---|---|
| Category | Strategic |
| L × I | 3 × 2 = 6 |
| Description | Tight integration with Vertex AI complicates a future model switch. |
| Mitigations | Capability is wrapped by ai-orchestrator-service (single broker); AIClient port in this service is provider-agnostic; output schema validation independent of provider. |
| Residual | Low |
| Owner | AI platform |
| Review | Annually |
R-11 — Tax rule data quality (per-jurisdiction)
| Field | Value |
|---|---|
| Category | Compliance |
| L × I | 3 × 4 = 12 |
| Description | Out-of-date tax rates produce incorrect grand totals; under-collection creates legal exposure. |
| Mitigations | Tax rule upsert requires gm/owner role + audit trail; EXCLUDE constraint forbids overlapping windows; quarterly review by Revenue Ops cross-checked against government source; tax rate snapshot pinned in quote derivation for legal traceability. |
| Residual | Medium |
| Owner | Revenue Ops |
| Review | Quarterly |
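The EXCLUDE constraint and the rate lookup used for pinning, as an added example in PostgreSQL; this is not the pricing-service's own schema, and the table name, columns and sample rates are assumptions. It shows why the constraint matters for R-11: with overlapping windows impossible to store, the lookup that pins a rate into a quote's derivation snapshot can only ever resolve to one row.

```sql
-- Added example, not the pricing-service's own schema: a tax_rule table
-- whose EXCLUDE constraint makes overlapping validity windows for the same
-- tenant, jurisdiction and tax type impossible to store. Names and
-- columns are assumptions.

CREATE EXTENSION IF NOT EXISTS btree_gist;  -- lets = on scalar columns share a GiST index with &&

CREATE TABLE tax_rule (
    id           bigserial PRIMARY KEY,
    tenant_id    uuid    NOT NULL,
    jurisdiction text    NOT NULL,                        -- e.g. a region code
    tax_type     text    NOT NULL,                        -- e.g. 'VAT'
    rate_bp      integer NOT NULL CHECK (rate_bp >= 0),   -- basis points, integer arithmetic
    valid_from   date    NOT NULL,
    valid_to     date,                                    -- NULL = open-ended
    CHECK (valid_to IS NULL OR valid_to > valid_from),
    -- Half-open [from, to): consecutive windows may share a boundary date
    -- without overlapping.
    EXCLUDE USING gist (
        tenant_id                               WITH =,
        jurisdiction                            WITH =,
        tax_type                                WITH =,
        (daterange(valid_from, valid_to, '[)')) WITH &&
    )
);

-- Constructed data: a 20% rate replaced by 21% from 2026-01-01.
INSERT INTO tax_rule (tenant_id, jurisdiction, tax_type, rate_bp, valid_from, valid_to) VALUES
    ('11111111-1111-1111-1111-111111111111', 'XX', 'VAT', 2000, DATE '2024-01-01', DATE '2026-01-01'),
    ('11111111-1111-1111-1111-111111111111', 'XX', 'VAT', 2100, DATE '2026-01-01', NULL);

-- Rejected: [2026-06-01, open) overlaps the open-ended 21% window.
-- ERROR:  conflicting key value violates exclusion constraint
INSERT INTO tax_rule (tenant_id, jurisdiction, tax_type, rate_bp, valid_from, valid_to) VALUES
    ('11111111-1111-1111-1111-111111111111', 'XX', 'VAT', 2200, DATE '2026-06-01', NULL);

-- Lookup used when pinning the rate into a quote's derivation snapshot.
-- The constraint guarantees at most one row for any date being priced.
SELECT id, rate_bp
  FROM tax_rule
 WHERE tenant_id = '11111111-1111-1111-1111-111111111111'
   AND jurisdiction = 'XX' AND tax_type = 'VAT'
   AND daterange(valid_from, valid_to, '[)') @> DATE '2026-03-15';   -- rate_bp = 2100
```

Storing the rate in integer basis points and pinning the matched row's id alongside it in the snapshot gives the legal traceability the register asks for: a quote can later be tied to exactly the rule row that was in force, and a later correction to that row's rate is a new window rather than an in-place edit.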
R-12 — Negative-total math bug
| Field | Value |
|---|---|
| Category | Correctness / Financial |
| L × I | 1 × 5 = 5 |
| Description | A bug in derivation produces a non-positive grand total. |
| Mitigations | Defensive guard at pinQuote step; property-based test; immediate alert; quote refused before persistence. |
| Residual | Very low |
| Owner | Service owner |
| Review | Per release |
3. Risk heatmap
I ↑ Impact                    L → Likelihood
         1      2      3      4      5
     +------+------+------+------+------+
   5 | R-12 | R-01 |      |      |      |
     |      | R-06 |      |      |      |
     +------+------+------+------+------+
   4 |      | R-02 | R-11 |      |      |
     |      | R-07 |      |      |      |
     +------+------+------+------+------+
   3 |      |      | R-03 |      |      |
     |      |      | R-05 |      |      |
     |      |      | R-08 |      |      |
     +------+------+------+------+------+
   2 |      |      | R-04 | R-09 |      |
     |      |      | R-10 |      |      |
     +------+------+------+------+------+
   1 |      |      |      |      |      |
     +------+------+------+------+------+
No red-zone (≥ 16) risks at this time; R-11 sits at 12 and is the highest-priority active item.
4. Review cadence
- Quarterly review by service owner with notes appended to this file.
- Annual external review by AppSec + Compliance.
- Ad-hoc review on every major incident or before any major release per SERVICE_READINESS.