# Risk Register ## R-001 XPC and Helper Complexity - Impact: High - Probability: Medium - Owner: `System Agent` - Risk: Worker/helper setup and privilege boundaries may delay implementation. - Mitigation: Complete architecture and helper allowlist freeze before scaffold build. ## R-002 Upstream Adapter Instability - Impact: High - Probability: High - Owner: `Adapter Agent` - Risk: Existing upstream commands may not expose stable structured data. - Mitigation: Add adapter normalization layer and rewrite hot paths if JSON mapping is brittle. ## R-003 Permission Friction - Impact: High - Probability: Medium - Owner: `UX Agent` - Risk: Aggressive permission prompts may reduce activation. - Mitigation: Use just-in-time prompts and support limited mode. ## R-004 Recovery Trust Gap - Impact: High - Probability: Medium - Owner: `Core Agent` - Risk: Users may not trust destructive actions without clear rollback behavior. - Mitigation: Prefer reversible actions and preserve detailed history. ## R-005 Scope Creep - Impact: High - Probability: High - Owner: `Product Agent` - Risk: P1 features may leak into MVP. - Mitigation: Freeze MVP scope and require explicit decision-log updates for scope changes. ## R-006 Signing and Notarization Surprises - Impact: High - Probability: Medium - Owner: `Release Agent` - Risk: Helper signing or notarization may fail late in the schedule. - Mitigation: Keep signed distribution off the active critical path until Apple release credentials exist. Once credentials are available, validate packaging flow before any public beta naming or broad external distribution. ## R-007 Experience Polish Drift - Impact: High - Probability: High - Owner: `Mac App Agent` - Risk: MVP screens may continue to diverge in spacing, CTA hierarchy, and state handling as teams polish pages independently. - Mitigation: Route visual and interaction changes through shared design-system components before page-level tweaks land. ## R-008 Trust Gap in Destructive Flows - Impact: High - Probability: Medium - Owner: `UX Agent` - Risk: Users may still hesitate to run `Smart Clean` or uninstall actions if recovery, review, and consequence messaging stay too subtle. - Mitigation: Make recoverability, risk level, and next-step guidance visible at decision points and in completion states. ## R-009 State Coverage Debt - Impact: High - Probability: Medium - Owner: `QA Agent` - Risk: Loading, empty, partial-permission, and failure states may feel unfinished even when the happy path is functional. - Mitigation: Require state-matrix coverage for primary screens before additional visual polish is considered complete. ## R-010 Localization Drift - Impact: Medium - Probability: Medium - Owner: `Docs Agent` - Risk: Newly added Chinese and English strings may drift between UI, worker summaries, and future screens if copy changes bypass the shared localization layer. - Mitigation: Keep user-facing shell copy in shared localization resources and require bilingual QA before release-facing packaging. ## R-011 Smart Clean Execution Trust Gap - Impact: High - Probability: High - Owner: `System Agent` - Risk: `Smart Clean` execution now supports a real Trash-based path for a safe subset of targets, but unsupported or unstructured findings still cannot be executed and must fail closed. Physical restore also remains partial and depends on structured recovery mappings. - Mitigation: Add real Smart Clean execution targets and block release-facing execution claims until `scan -> execute -> rescan` proves real disk impact. ## R-012 Silent Worker Fallback Masks Execution Capability - Impact: High - Probability: Medium - Owner: `System Agent` - Risk: Silent fallback from XPC to the scaffold worker can make user-facing execution appear successful even when the primary worker path is unavailable. - Mitigation: Restrict fallback to explicit development mode or surface a concrete error when real execution infrastructure is unavailable. ## R-013 Public Beta Coverage Blind Spot - Impact: High - Probability: Medium - Owner: `QA Agent` - Risk: When signing credentials eventually arrive, a public beta that is too small, too homogeneous, or too unstructured may miss install, permission, or cleanup regressions that only appear on different hardware, macOS states, or trust settings. - Mitigation: Keep this as a conditional release risk. Use a deliberately hardware-diverse trusted beta cohort, require structured issue intake, and rerun clean-machine install and first-run validation before calling any signed build GA-ready. ## R-014 GA Recovery Claim Drift - Impact: High - Probability: Medium - Owner: `Product Agent` - Risk: GA release notes, README copy, or in-app messaging may overstate Atlas's recovery model before physical restore is actually shipped for file-backed recoverable actions. - Mitigation: Treat recovery wording as a gated release artifact. Either ship physical restore for file-backed recoverable actions before GA or narrow all GA-facing recovery claims to the shipped behavior. ## R-015 Launch Surface Trust Drift - Impact: High - Probability: Medium - Owner: `Product Agent` - Risk: A future landing page or custom-domain launch surface may overstate release readiness, signed-install status, recovery behavior, or permission expectations relative to the actual downloadable build. - Mitigation: Make release-channel state and install guidance dynamic, keep prerelease warnings visible, and gate launch-surface copy review with the same trust standards used for README and release materials. ## R-016 Competitive Breadth Perception Gap - Impact: High - Probability: High - Owner: `Product Agent` - Risk: Users comparing Atlas with `Mole` or `Tencent Lemon Cleaner` may conclude Atlas is cleaner in presentation but weaker in practical cleanup breadth if `Smart Clean` execution coverage stays too narrow or too invisible. - Mitigation: Expand only the highest-value safe target classes inside frozen MVP, and make supported-vs-unsupported execution scope explicit in product copy and UI states. ## R-017 Apps Depth Comparison Gap - Impact: High - Probability: Medium - Owner: `Mac App Agent` - Risk: Users comparing Atlas with `Pearcleaner` or `Tencent Lemon Cleaner` may find the `Apps` module less credible if uninstall preview taxonomy, leftover visibility, and completion evidence remain too shallow. - Mitigation: Add fixture-based uninstall benchmarking, deepen supported footprint categories, and surface recoverability/audit cues directly in the `Apps` flow. ## R-018 License Contamination From Competitor Reuse - Impact: High - Probability: Medium - Owner: `Docs Agent` - Risk: Competitive pressure may tempt reuse of code or assets from `Tencent Lemon Cleaner`, `GrandPerspective`, or GPL-constrained `Czkawka` components, creating license conflict with Atlas's shipping posture. `Pearcleaner` also remains unsuitable for monetized derivative reuse due `Commons Clause`. - Mitigation: Treat these projects as product and technical references only, require explicit license review before adapting any third-party implementation, and prefer MIT-compatible upstream or original Atlas implementations for shipped code.