# LegiPro Architecture Risk Register And Mitigation Map

Date: 2026-06-29
Task: SAAS-0045
Audience: acquirer, partner product, API/platform, architecture and AI reviewers.

This document is public-safe. It names current platform risks, what has already been mitigated, which SaaS roadmap tasks carry the mitigation, and what LegiPro does not claim yet.

## Current Reading

LegiPro has a working corpus/API/control-plane substrate, a verified corpus warehouse/source-of-truth boundary, public API/architecture assets, and e-invoicing-first partner proof fixtures.

It is not presented as a finished enterprise SaaS deployment, certified professional review system, live third-party integration, or client-reliance product. Those remain gated separately.

## Risk Register

| ID | Risk | Current control | Mitigation map | Non-claim |
| --- | --- | --- | --- | --- |
| RISK-001 | Host/substrate coupling: current topology still uses named hosts and worker lanes. | `mtl-01` owns product/control, `mtl-02` durable warehouse/storage, `mtl-03` execution-only workers; remote queue minting is disabled. | `SAAS-0021`, `SAAS-0043`, `SAAS-0044` map the target SaaS substrate and current/target boundaries. | Not claimed as managed HA SaaS or autoscaled cattle today. |
| RISK-002 | Tenant/auth maturity: current API uses bearer-token and workspace/tenant controls rather than full enterprise IdP. | Demo/public tokens are bounded; worker/control routes require scoped worker posture; partner docs separate product, MCP and worker surfaces. | `SAAS-0007`, `SAAS-0012`, `SAAS-0025`, `SAAS-0055` cover scoped tokens, workspace/RBAC/quota foundations and sandbox promotion gate. | Not claimed as OIDC/SAML enterprise SSO in production yet. |
| RISK-003 | Source-rights diligence: public/legal/accounting sources need careful attribution and redistribution boundaries. | Source-rights/data-governance gate is visible in architecture; export candidates and caveats are kept separate from product readiness. | `SAAS-0015`, `SAAS-0020`, `SAAS-0043`, `SAAS-0044` keep diligence narrative, architecture and public boundaries explicit. | Not claimed as legal clearance, legal opinion, or unrestricted redistribution rights. |
| RISK-004 | Scenario remains locked: the demo/workspace surface should not be mistaken for certified client workflow. | Scenario, answer, promotion, human review and client reliance flags are hard false in public matrices and closeouts. | `SAAS-0011`, `SAAS-0024`, `SAAS-0038`, `SAAS-0040`, `SAAS-0041` define the gate, review contract, eval set and dossier path. | Not claimed as Scenario launch, answer-ready state or client-ready reliance. |
| RISK-005 | Semantic/vector search is not active: current serving search remains lexical/fuzzy plus warehouse provenance. | Meilisearch is labelled as derived cache; warehouse is durable source of truth; semantic flag remains false. | `SAAS-0003`, `SAAS-0010`, `SAAS-0026`, `SAAS-0043` cover warehouse parity, embedding strategy and decision-grade evidence path. | Not claimed as live semantic search or production vector retrieval. |
| RISK-006 | Professional review and liability boundary: source-backed packets are useful evidence, not professional certification. | Review Runtime preview returns structured outputs and refusal boundaries; human/professional gates remain false. | `SAAS-0024`, `SAAS-0028`, `SAAS-0038`, `SAAS-0040`, `SAAS-0041` cover review contract, dossiers, eval and audit path. | Not claimed as human-reviewed, professionally certified, or reliance-safe output. |
| RISK-007 | Third-party integration maturity: partner adapters are dry-run fixtures, not approved vendor integrations. | First proof is credential-free; Cegid and first-wave stubs record no live third-party API call and no mutation. | `SAAS-0047`, `SAAS-0052`, `SAAS-0053`, `SAAS-0055`, `SAAS-0057`, `SAAS-0058` cover fixture harness, stubs and sandbox gate. | Not claimed as approved partnership, live credentials, production integration or SLA. |
| RISK-008 | Observability/SLO maturity: receipts and status exist, but enterprise SLO operations are still a target-state concern. | Public status, roadmap, product-observability snapshot, rotor status and docs receipts are published. | `SAAS-0013`, `SAAS-0027`, `SAAS-0030`, `SAAS-0031` cover dashboards, product telemetry, degraded modes and recurring jobs. | Not claimed as enterprise SLA or full managed observability programme. |
| RISK-009 | Data durability and recovery: corpus value depends on warehouse/backups remaining reproducible. | Postgres warehouse parity is verified; backup/DR artifacts and restore proofs are first-class architecture surfaces. | `SAAS-0003`, `SAAS-0008`, `SAAS-0043`, `SAAS-0044` cover parity, DR drill and source-of-truth visibility. | Not claimed as multi-region managed PITR/failover today. |
| RISK-010 | Corpus completion and e-invoicing work remains active: corpus workers are still producing machine evidence. | Rotor shows canonical leases, heartbeats, closeouts, stale reaper and false flags; machine ingest may continue without human review. | `SAAS-0001`, `SAAS-0043`, `SAAS-0044`, `SAAS-0057` keep the e-invoicing focus visible and bounded. | Not claimed as fully completed e-invoicing corpus, answer-ready state or client reliance. |

## Hard Boundaries

These remain false unless a later verified release proves otherwise:

- `scenario_ready=false`
- `answer_ready=false`
- `promotion_allowed=false`
- `human_review_complete=false`
- `client_reliance=false`
- `semantic_search_active=false`
- `professional_certification=false`

## How To Read This In Diligence

The register is not a negative sales memo. It is a diligence control: every known caveat is paired with the current control, the roadmap task that mitigates it, and the claim LegiPro is deliberately not making.

For a partner or acquirer, the strongest current proof remains the bounded corpus/API layer: source-backed e-invoicing/VAT review fixtures, a durable corpus warehouse, derived search cache, protected worker control plane, public architecture views, and machine-readable receipts.

