Risk Register

R-001 XPC and Helper Complexity

Impact: High
Probability: Medium
Owner: System Agent
Risk: Worker/helper setup and privilege boundaries may delay implementation.
Mitigation: Complete architecture and helper allowlist freeze before scaffold build.

Impact: High
Probability: High
Owner: Adapter Agent
Risk: Existing upstream commands may not expose stable structured data.
Mitigation: Add adapter normalization layer and rewrite hot paths if JSON mapping is brittle.

Impact: High
Probability: High
Owner: Product Agent
Risk: P1 features may leak into MVP.
Mitigation: Freeze MVP scope and require explicit decision-log updates for scope changes.

Impact: High
Probability: Medium
Owner: Release Agent
Risk: Helper signing or notarization may fail late in the schedule.
Mitigation: Keep signed distribution off the active critical path until Apple release credentials exist. Once credentials are available, validate packaging flow before any public beta naming or broad external distribution.

Impact: High
Probability: High
Owner: Mac App Agent
Risk: MVP screens may continue to diverge in spacing, CTA hierarchy, and state handling as teams polish pages independently.
Mitigation: Route visual and interaction changes through shared design-system components before page-level tweaks land.

Impact: High
Probability: Medium
Owner: UX Agent
Risk: Users may still hesitate to run Smart Clean or uninstall actions if recovery, review, and consequence messaging stay too subtle.
Mitigation: Make recoverability, risk level, and next-step guidance visible at decision points and in completion states.

Impact: High
Probability: Medium
Owner: QA Agent
Risk: Loading, empty, partial-permission, and failure states may feel unfinished even when the happy path is functional.
Mitigation: Require state-matrix coverage for primary screens before additional visual polish is considered complete.

Impact: Medium
Probability: Medium
Owner: Docs Agent
Risk: Newly added Chinese and English strings may drift between UI, worker summaries, and future screens if copy changes bypass the shared localization layer.
Mitigation: Keep user-facing shell copy in shared localization resources and require bilingual QA before release-facing packaging.

Impact: High
Probability: High
Owner: System Agent
Risk: Smart Clean execution now supports a real Trash-based path for a safe subset of targets, but unsupported or unstructured findings still cannot be executed and must fail closed. Physical restore also remains partial and depends on structured recovery mappings.
Mitigation: Add real Smart Clean execution targets and block release-facing execution claims until scan -> execute -> rescan proves real disk impact.

Impact: High
Probability: Medium
Owner: System Agent
Risk: Silent fallback from XPC to the scaffold worker can make user-facing execution appear successful even when the primary worker path is unavailable.
Mitigation: Restrict fallback to explicit development mode or surface a concrete error when real execution infrastructure is unavailable.

Impact: High
Probability: Medium
Owner: QA Agent
Risk: When signing credentials eventually arrive, a public beta that is too small, too homogeneous, or too unstructured may miss install, permission, or cleanup regressions that only appear on different hardware, macOS states, or trust settings.
Mitigation: Keep this as a conditional release risk. Use a deliberately hardware-diverse trusted beta cohort, require structured issue intake, and rerun clean-machine install and first-run validation before calling any signed build GA-ready.

Impact: High
Probability: Medium
Owner: Product Agent
Risk: GA release notes, README copy, or in-app messaging may overstate Atlas's recovery model before physical restore is actually shipped for file-backed recoverable actions.
Mitigation: Treat recovery wording as a gated release artifact. Either ship physical restore for file-backed recoverable actions before GA or narrow all GA-facing recovery claims to the shipped behavior.