CleanMM/Docs/RISKS.md

# Risk Register

## R-001 XPC and Helper Complexity

- Impact: High
- Probability: Medium
- Owner: `System Agent`
- Risk: Worker/helper setup and privilege boundaries may delay implementation.
- Mitigation: Complete architecture and helper allowlist freeze before scaffold build.

## R-002 Upstream Adapter Instability

- Impact: High
- Probability: High
- Owner: `Adapter Agent`
- Risk: Existing upstream commands may not expose stable structured data.
- Mitigation: Add adapter normalization layer and rewrite hot paths if JSON mapping is brittle.

## R-003 Permission Friction

- Impact: High
- Probability: Medium
- Owner: `UX Agent`
- Risk: Aggressive permission prompts may reduce activation.
- Mitigation: Use just-in-time prompts and support limited mode.

## R-004 Recovery Trust Gap

- Impact: High
- Probability: Medium
- Owner: `Core Agent`
- Risk: Users may not trust destructive actions without clear rollback behavior.
- Mitigation: Prefer reversible actions and preserve detailed history.

## R-005 Scope Creep

- Impact: High
- Probability: High
- Owner: `Product Agent`
- Risk: P1 features may leak into MVP.
- Mitigation: Freeze MVP scope and require explicit decision-log updates for scope changes.

## R-006 Signing and Notarization Surprises

- Impact: High
- Probability: Medium
- Owner: `Release Agent`
- Risk: Helper signing or notarization may fail late in the schedule.
- Mitigation: Validate packaging flow before feature-complete milestone. Current repo now includes native build/package scripts and CI workflow, but signing and notarization still depend on release credentials.

## R-007 Experience Polish Drift

- Impact: High
- Probability: High
- Owner: `Mac App Agent`
- Risk: MVP screens may continue to diverge in spacing, CTA hierarchy, and state handling as teams polish pages independently.
- Mitigation: Route visual and interaction changes through shared design-system components before page-level tweaks land.

## R-008 Trust Gap in Destructive Flows

- Impact: High
- Probability: Medium
- Owner: `UX Agent`
- Risk: Users may still hesitate to run `Smart Clean` or uninstall actions if recovery, review, and consequence messaging stay too subtle.
- Mitigation: Make recoverability, risk level, and next-step guidance visible at decision points and in completion states.

## R-009 State Coverage Debt

- Impact: High
- Probability: Medium
- Owner: `QA Agent`
- Risk: Loading, empty, partial-permission, and failure states may feel unfinished even when the happy path is functional.
- Mitigation: Require state-matrix coverage for primary screens before additional visual polish is considered complete.


## R-010 Localization Drift

- Impact: Medium
- Probability: Medium
- Owner: `Docs Agent`
- Risk: Newly added Chinese and English strings may drift between UI, worker summaries, and future screens if copy changes bypass the shared localization layer.
- Mitigation: Keep user-facing shell copy in shared localization resources and require bilingual QA before release-facing packaging.

## R-011 Smart Clean Execution Trust Gap

- Impact: High
- Probability: High
- Owner: `System Agent`
- Risk: `Smart Clean` execution now supports a real Trash-based path for a safe subset of targets, but unsupported or unstructured findings still cannot be executed and must fail closed. Physical restore also remains partial and depends on structured recovery mappings.
- Mitigation: Add real Smart Clean execution targets and block release-facing execution claims until `scan -> execute -> rescan` proves real disk impact.

## R-012 Silent Worker Fallback Masks Execution Capability

- Impact: High
- Probability: Medium
- Owner: `System Agent`
- Risk: Silent fallback from XPC to the scaffold worker can make user-facing execution appear successful even when the primary worker path is unavailable.
- Mitigation: Restrict fallback to explicit development mode or surface a concrete error when real execution infrastructure is unavailable.