{
  "schema_version": "legipro.architecture_risk_register.v1",
  "task_id": "SAAS-0045",
  "generated_utc": "2026-06-29T06:53:02Z",
  "status": "public_safe_diligence_register",
  "summary": "Buyer-facing architecture risk register with current controls, mitigation roadmap links and explicit non-claims.",
  "risks": [
    {
      "risk_id": "RISK-001",
      "category": "host_substrate_coupling",
      "title": "Current topology still uses named hosts and worker lanes.",
      "current_risk": "The bootstrap deployment is split across mtl-01, mtl-02 and mtl-03 rather than a managed autoscaled SaaS substrate.",
      "current_controls": [
        "mtl-01 remains product/control and canonical queue owner.",
        "mtl-02 holds durable warehouse/storage.",
        "mtl-03 is execution-only; remote queue minting is disabled."
      ],
      "mitigation_status": "mapped_not_replatformed",
      "linked_saas_tasks": ["SAAS-0021", "SAAS-0043", "SAAS-0044"],
      "non_claims": ["managed_ha_saas", "autoscaled_cattle_workers"]
    },
    {
      "risk_id": "RISK-002",
      "category": "tenant_auth_maturity",
      "title": "Current API auth is bearer-token/workspace scoped, not full enterprise IdP.",
      "current_risk": "Enterprise partners will expect OIDC/SAML, scoped keys, revocation, audit and clear worker/product token separation.",
      "current_controls": [
        "Public demo tokens are bounded.",
        "Worker/control surfaces are separated from partner product surfaces.",
        "Workspace, tenant, cost-unit and rate-limit contracts are documented."
      ],
      "mitigation_status": "partially_hardened_with_sandbox_gate_pending",
      "linked_saas_tasks": ["SAAS-0007", "SAAS-0012", "SAAS-0025", "SAAS-0055"],
      "non_claims": ["enterprise_sso_live", "production_partner_key_rotation_complete"]
    },
    {
      "risk_id": "RISK-003",
      "category": "source_rights_diligence",
      "title": "Source rights, attribution and redistribution boundaries require review.",
      "current_risk": "French legal/accounting public-source reuse needs careful attribution and export rules before commercial reliance.",
      "current_controls": [
        "Source-rights/data-governance gate is visible in architecture.",
        "Export candidates and caveats are separated from readiness claims.",
        "Public docs avoid legal clearance claims."
      ],
      "mitigation_status": "bounded_and_visible",
      "linked_saas_tasks": ["SAAS-0015", "SAAS-0020", "SAAS-0043", "SAAS-0044"],
      "non_claims": ["legal_clearance", "legal_opinion", "unrestricted_redistribution_rights"]
    },
    {
      "risk_id": "RISK-004",
      "category": "scenario_locked",
      "title": "Scenario remains locked behind launch gates.",
      "current_risk": "Reviewers could mistake the Bureau/demo surface for a certified client workflow.",
      "current_controls": [
        "Scenario, answer, promotion, human review and client reliance flags remain false.",
        "Review Runtime is documented as preview contract unless separately released.",
        "Public roadmap names the remaining eval/dossier work."
      ],
      "mitigation_status": "hard_gated",
      "linked_saas_tasks": ["SAAS-0011", "SAAS-0024", "SAAS-0038", "SAAS-0040", "SAAS-0041"],
      "non_claims": ["scenario_launch", "answer_ready", "client_reliance"]
    },
    {
      "risk_id": "RISK-005",
      "category": "semantic_search_boundary",
      "title": "Semantic/vector search is planned, not active.",
      "current_risk": "The current public serving path should not be read as production vector retrieval.",
      "current_controls": [
        "Meilisearch is labelled as derived lexical/fuzzy cache.",
        "Corpus Warehouse is labelled as durable source of truth.",
        "semantic_search_active remains false in public matrices."
      ],
      "mitigation_status": "planned_and_benchmarked",
      "linked_saas_tasks": ["SAAS-0003", "SAAS-0010", "SAAS-0026", "SAAS-0043"],
      "non_claims": ["live_semantic_search", "production_vector_retrieval"]
    },
    {
      "risk_id": "RISK-006",
      "category": "professional_review_liability",
      "title": "Source-backed packets are evidence, not professional certification.",
      "current_risk": "Accounting/legal outputs require human or professional review before client reliance.",
      "current_controls": [
        "Review contract carries answerability, missing facts, caveats and refusal boundaries.",
        "Dossier/export work remains review-gated.",
        "Human review and professional certification flags remain false."
      ],
      "mitigation_status": "review_gated",
      "linked_saas_tasks": ["SAAS-0024", "SAAS-0028", "SAAS-0038", "SAAS-0040", "SAAS-0041"],
      "non_claims": ["human_review_complete", "professional_certification", "reliance_safe_output"]
    },
    {
      "risk_id": "RISK-007",
      "category": "third_party_integration_maturity",
      "title": "Partner adapters are dry-run fixtures, not approved integrations.",
      "current_risk": "Strategic interest requires a careful path from credential-free proof to sandbox access without implying live vendor approval.",
      "current_controls": [
        "First proof fixture is credential-free.",
        "Cegid and first-wave stubs record no live third-party API call.",
        "Public/demo tokens are denied for protected rotor and live third-party mutation paths."
      ],
      "mitigation_status": "fixture_complete_sandbox_gate_pending",
      "linked_saas_tasks": ["SAAS-0047", "SAAS-0052", "SAAS-0053", "SAAS-0055", "SAAS-0057", "SAAS-0058"],
      "non_claims": ["approved_partnership", "live_third_party_credentials", "production_integration", "sla"]
    },
    {
      "risk_id": "RISK-008",
      "category": "observability_slo_maturity",
      "title": "Receipts/status exist, but enterprise SLO operation remains a target state.",
      "current_risk": "A buyer will expect operational SLOs, alerting, product KPIs and audit query paths.",
      "current_controls": [
        "Public status, roadmap, product-observability and docs receipts are published.",
        "Rotor status exposes leases, lane registry, closeouts, stale reaper and events.",
        "Degraded-mode behavior is documented as preview contract."
      ],
      "mitigation_status": "operational_receipts_active_enterprise_slo_targeted",
      "linked_saas_tasks": ["SAAS-0013", "SAAS-0027", "SAAS-0030", "SAAS-0031"],
      "non_claims": ["enterprise_sla", "full_managed_observability_program"]
    },
    {
      "risk_id": "RISK-009",
      "category": "data_durability_recovery",
      "title": "Corpus value depends on reproducible warehouse and backup posture.",
      "current_risk": "The corpus warehouse must remain rebuildable and recoverable as it becomes the core asset.",
      "current_controls": [
        "Warehouse chunks match local full-index rows.",
        "Meilisearch is a rebuildable derived cache.",
        "Backup/DR artifacts and restore proofs are first-class architecture surfaces."
      ],
      "mitigation_status": "prototype_dr_proven_managed_failover_targeted",
      "linked_saas_tasks": ["SAAS-0003", "SAAS-0008", "SAAS-0043", "SAAS-0044"],
      "non_claims": ["multi_region_pitr", "managed_failover_today"]
    },
    {
      "risk_id": "RISK-010",
      "category": "corpus_completion_einvoicing_focus",
      "title": "E-invoicing corpus work is active and machine-ingest only.",
      "current_risk": "Fourteen lanes are producing e-invoicing evidence, but active work should not be read as completion or answer readiness.",
      "current_controls": [
        "Rotor focus keeps lanes on e-invoicing.",
        "Canonical leases, heartbeats, closeouts and stale reaper keep lane state visible.",
        "Machine ingest may continue while professional reliance remains blocked."
      ],
      "mitigation_status": "active_machine_ingest",
      "linked_saas_tasks": ["SAAS-0001", "SAAS-0043", "SAAS-0044", "SAAS-0057"],
      "non_claims": ["einvoicing_corpus_complete", "answer_ready", "client_reliance"]
    }
  ],
  "hard_boundaries": {
    "scenario_ready": false,
    "answer_ready": false,
    "promotion_allowed": false,
    "human_review_complete": false,
    "client_reliance": false,
    "semantic_search_active": false,
    "professional_certification": false
  },
  "public_assets": {
    "markdown_source": "docs/product/architecture-risk-register-2026-06-29.md",
    "risk_register_json": "https://legipro.fr/assets/legipro-architecture-risk-register-2026-06-29.json",
    "api_guide": "https://legipro.fr/bureau-api.html#architecture-map",
    "roadmap": "https://legipro.fr/bureau-roadmap.html#saas-0045"
  }
}
