115 lines
4.9 KiB
Markdown
115 lines
4.9 KiB
Markdown
# Risk Register
|
|
|
|
## R-001 XPC and Helper Complexity
|
|
|
|
- Impact: High
|
|
- Probability: Medium
|
|
- Owner: `System Agent`
|
|
- Risk: Worker/helper setup and privilege boundaries may delay implementation.
|
|
- Mitigation: Complete architecture and helper allowlist freeze before scaffold build.
|
|
|
|
## R-002 Upstream Adapter Instability
|
|
|
|
- Impact: High
|
|
- Probability: High
|
|
- Owner: `Adapter Agent`
|
|
- Risk: Existing upstream commands may not expose stable structured data.
|
|
- Mitigation: Add adapter normalization layer and rewrite hot paths if JSON mapping is brittle.
|
|
|
|
## R-003 Permission Friction
|
|
|
|
- Impact: High
|
|
- Probability: Medium
|
|
- Owner: `UX Agent`
|
|
- Risk: Aggressive permission prompts may reduce activation.
|
|
- Mitigation: Use just-in-time prompts and support limited mode.
|
|
|
|
## R-004 Recovery Trust Gap
|
|
|
|
- Impact: High
|
|
- Probability: Medium
|
|
- Owner: `Core Agent`
|
|
- Risk: Users may not trust destructive actions without clear rollback behavior.
|
|
- Mitigation: Prefer reversible actions and preserve detailed history.
|
|
|
|
## R-005 Scope Creep
|
|
|
|
- Impact: High
|
|
- Probability: High
|
|
- Owner: `Product Agent`
|
|
- Risk: P1 features may leak into MVP.
|
|
- Mitigation: Freeze MVP scope and require explicit decision-log updates for scope changes.
|
|
|
|
## R-006 Signing and Notarization Surprises
|
|
|
|
- Impact: High
|
|
- Probability: Medium
|
|
- Owner: `Release Agent`
|
|
- Risk: Helper signing or notarization may fail late in the schedule.
|
|
- Mitigation: Keep signed distribution off the active critical path until Apple release credentials exist. Once credentials are available, validate packaging flow before any public beta naming or broad external distribution.
|
|
|
|
## R-007 Experience Polish Drift
|
|
|
|
- Impact: High
|
|
- Probability: High
|
|
- Owner: `Mac App Agent`
|
|
- Risk: MVP screens may continue to diverge in spacing, CTA hierarchy, and state handling as teams polish pages independently.
|
|
- Mitigation: Route visual and interaction changes through shared design-system components before page-level tweaks land.
|
|
|
|
## R-008 Trust Gap in Destructive Flows
|
|
|
|
- Impact: High
|
|
- Probability: Medium
|
|
- Owner: `UX Agent`
|
|
- Risk: Users may still hesitate to run `Smart Clean` or uninstall actions if recovery, review, and consequence messaging stay too subtle.
|
|
- Mitigation: Make recoverability, risk level, and next-step guidance visible at decision points and in completion states.
|
|
|
|
## R-009 State Coverage Debt
|
|
|
|
- Impact: High
|
|
- Probability: Medium
|
|
- Owner: `QA Agent`
|
|
- Risk: Loading, empty, partial-permission, and failure states may feel unfinished even when the happy path is functional.
|
|
- Mitigation: Require state-matrix coverage for primary screens before additional visual polish is considered complete.
|
|
|
|
|
|
## R-010 Localization Drift
|
|
|
|
- Impact: Medium
|
|
- Probability: Medium
|
|
- Owner: `Docs Agent`
|
|
- Risk: Newly added Chinese and English strings may drift between UI, worker summaries, and future screens if copy changes bypass the shared localization layer.
|
|
- Mitigation: Keep user-facing shell copy in shared localization resources and require bilingual QA before release-facing packaging.
|
|
|
|
## R-011 Smart Clean Execution Trust Gap
|
|
|
|
- Impact: High
|
|
- Probability: High
|
|
- Owner: `System Agent`
|
|
- Risk: `Smart Clean` execution now supports a real Trash-based path for a safe subset of targets, but unsupported or unstructured findings still cannot be executed and must fail closed. Physical restore also remains partial and depends on structured recovery mappings.
|
|
- Mitigation: Add real Smart Clean execution targets and block release-facing execution claims until `scan -> execute -> rescan` proves real disk impact.
|
|
|
|
## R-012 Silent Worker Fallback Masks Execution Capability
|
|
|
|
- Impact: High
|
|
- Probability: Medium
|
|
- Owner: `System Agent`
|
|
- Risk: Silent fallback from XPC to the scaffold worker can make user-facing execution appear successful even when the primary worker path is unavailable.
|
|
- Mitigation: Restrict fallback to explicit development mode or surface a concrete error when real execution infrastructure is unavailable.
|
|
|
|
## R-013 Public Beta Coverage Blind Spot
|
|
|
|
- Impact: High
|
|
- Probability: Medium
|
|
- Owner: `QA Agent`
|
|
- Risk: When signing credentials eventually arrive, a public beta that is too small, too homogeneous, or too unstructured may miss install, permission, or cleanup regressions that only appear on different hardware, macOS states, or trust settings.
|
|
- Mitigation: Keep this as a conditional release risk. Use a deliberately hardware-diverse trusted beta cohort, require structured issue intake, and rerun clean-machine install and first-run validation before calling any signed build GA-ready.
|
|
|
|
## R-014 GA Recovery Claim Drift
|
|
|
|
- Impact: High
|
|
- Probability: Medium
|
|
- Owner: `Product Agent`
|
|
- Risk: GA release notes, README copy, or in-app messaging may overstate Atlas's recovery model before physical restore is actually shipped for file-backed recoverable actions.
|
|
- Mitigation: Treat recovery wording as a gated release artifact. Either ship physical restore for file-backed recoverable actions before GA or narrow all GA-facing recovery claims to the shipped behavior.
|