11. Risks & Technical Debt

Known risks and deliberate debt, ordered by current severity.

Active risks

R1 — Sprint 2 decision gate

What: The Week 2 gate requires that phx.gen.auth + V2Repo MyXQL bridge + integration deploy all validate in the same sprint. If any of them blocks, the plan is to pivot to Laravel Plan B.

Mitigation: Parallel execution of F-006 (auth) and F-009 (V2Repo) in Sprint 2 maximises signal by Week 2. F-011 (integration deploy) follows in Sprint 3.

Owner: Gautham. Trigger for re-assessment: End of Sprint 2 (2026-05-01).

R2 — Solo engineer capacity

What: The 44-week roadmap assumes 3-person team capacity; it is currently a 1-person (+ AI) effort.

Mitigation: Strict adherence to 42 Commandments (no speculative abstractions); AI-assisted development for leverage; hire trigger at Phase 1 entry.

Trigger: Velocity < 10 points/sprint over two consecutive sprints.

R3 — IRAP certification timeline

What: IRAP assessment scheduled for Week 44 presumes all ISM controls in place by Week 40. Slippage cascades to customer commitments.

Mitigation: IRAP-shaped architecture from day 1 (see architecture/irap.md); assessor engagement early in Phase 2; three-layer pattern isolates changes to the proxy layer.

R4 — Strangler-Fig migration complexity

What: 44-week parallel operation with ASG Central v2 carries risk of data-divergence bugs.

Mitigation: Read-only bridge only (no dual-writes); event-driven reconciliation; per-domain cut-over with feature flags.

R5 — AI cost ceiling drift

What: 70 %-at-$0 target relies on local-first routing, which requires disciplined pattern-match / DB-query code paths. Drift towards "just call the LLM" erodes the ceiling.

Mitigation: BudgetGuard circuit-breaker; per-org spend dashboards; code review checklist.

Deferred / accepted technical debt

TD1 — DaisyUI deferred to STORY-F-017

Phase 0 uses pure Tailwind v4 utilities to avoid a Node build stage for @plugin "daisyui". Wire real DaisyUI when the agent chat LiveView lands.

TD2 — Mobile app build deferred to Phase 2

Flutter app exists as a v5.0.4 codebase for ASG Central; adaptation to Finnest APIs waits until Phase 2 (Week 20+).

TD3 — Award interpretation native (not KeyPay)

Originally ADR-009-F committed to KeyPay; superseded by ADR-016-F (native with FWC MAPD). Debt: the port in finnest_payroll is currently behaviour-shaped for KeyPay; refactor when the native calculator is built.

TD4 — Single-region deployment

All three environments in ap-southeast-2. Cross-region DR satisfied by snapshots only; no warm standby. Acceptable for Phase 0–2; revisit at enterprise-customer threshold.

TD5 — finnest_core vs Finnest module naming

The Boundary library's classify_to limitation means all modules live under FinnestCore.* (not Finnest.*). Internal-API ergonomics cost; no user-visible impact. Documented in memory + CLAUDE.md.

How risks are reviewed

  • Per-sprint: decision-gate recap at end of each sprint updates this list.
  • Per-phase: quarterly risk review at phase boundaries with full re-ranking.
  • Ad-hoc: any new risk surfaced in a retrospective or ADR is added immediately.