| CUST-R01 | Firebase Auth outage blocks all customer logins | Low | Critical | Monitor Firebase status; plan email magic link fallback for v2 | Platform Eng |
| CUST-R02 | JWT secret rotation causes active session invalidation | Medium | High | Zero-downtime key rotation via JWKS with next key pre-loaded; sessions refresh transparently | Auth Service team |
| CUST-R03 | Raw API key leaked via browser console logging | Low | Critical | ESLint rule to block console.log on objects containing rawKey; no-store headers on responses | Security |
| CUST-R04 | XSS via user-controlled message body content rendered in log | Medium | High | All user content HTML-escaped; DOMPurify for any rich content; CSP nonce-based script policy | Frontend Eng |
| CUST-R05 | Kong gateway degradation causes blank portal | Medium | High | Error boundaries on all data-fetching sections; meaningful degraded-state UI | Frontend Eng |
| CUST-R06 | Large message log queries time out | Medium | Medium | Pagination enforced (max 100 per page); server component timeout set to 8s; show partial results with warning | Frontend Eng |
| CUST-R07 | Next.js breaking change in minor update | Low | Medium | Lock Next.js minor version in package.json; upgrade only on explicit sprint task | Frontend Eng |
| CUST-R08 | Customer portal serves stale billing data | Low | Low | Cache-Control: no-store on all billing pages; no ISR on financial data | Frontend Eng |