DIREKT Risk Register¶
Scores use probability (P) and impact (I) from 1–5. Priority is P × I.
| ID | Risk | P | I | Priority | Controls | Owner/state |
|---|---|---|---|---|---|---|
| R-001 | False or forged provider evidence | 4 | 5 | 20 | issuing-body matrix, manual review, private evidence, expiry, fraud flags | Trust lead / open |
| R-002 | Blanket verification wording misleads customers | 3 | 5 | 15 | separate claim cards, limitation copy, legal review | Product / controlled |
| R-003 | Exact home location exposes provider safety risk | 3 | 5 | 15 | service areas, reduced public precision, consent, private evidence | Security / controlled |
| R-004 | Field-agent collusion or bribery | 3 | 5 | 15 | assignment controls, structured evidence, audit, random rechecks, four-eyes approval | Operations / pilot gate |
| R-005 | Stale business pins and expired evidence | 4 | 4 | 16 | renewal, customer reports, periodic checks, automatic claim degradation | Trust / open |
| R-006 | Low bandwidth causes failed onboarding/uploads | 3 | 4 | 12 | persistent logical upload intent, fresh retry sessions, safe local recovery state, text-first Android UI; WorkManager and real-device validation before pilot | Android / controlled for synthetic phase |
| R-007 | Provider documents leak from public repository or storage | 2 | 5 | 10 | private buckets, signed access, secret scan, synthetic fixtures | Security / controlled |
| R-008 | Contact moves off-platform and reduces accountability | 4 | 3 | 12 | tracked enquiry before handoff, follow-up and review eligibility | Product / open |
| R-009 | Mobile-money integration creates reconciliation errors | 3 | 5 | 15 | adapter, idempotent webhooks, ledger, reconciliation, exception queue | Finance / Phase 9 gate |
| R-010 | Verification cost exceeds subscription revenue | 4 | 4 | 16 | narrow pilot, category-specific checks, cost measurement, tier design | Business / pilot gate |
| R-011 | Too few nearby providers make search useless | 4 | 4 | 16 | Lusaka-first, limited categories, supply onboarding before demand launch | Growth / open |
| R-012 | Fake or retaliatory reviews | 3 | 4 | 12 | tracked-interaction eligibility, one review, moderation, reports, appeals and later anomaly rules | Trust / controlled for synthetic phase |
| R-013 | Legal interpretation is wrong | 3 | 5 | 15 | qualified Zambia counsel, legal register, policy versioning | Owner/legal / Phase 10 gate |
| R-014 | Map costs or coverage are unsuitable | 3 | 4 | 12 | provider abstraction, manual area fallback, Plus Codes, quotas, pilot tests | Architecture / open |
| R-015 | Android fragmentation harms usability | 4 | 3 | 12 | conservative design, later device matrix, performance budgets | Android / open |
| R-016 | Single-lane workflow stalls | 3 | 3 | 9 | bounded tasks, automated PR steward, handoffs and explicit lock | Programme / controlled |
| R-017 | Pages exposes real test data | 2 | 5 | 10 | synthetic-only policy, CI scan, review checklist | Security / controlled |
| R-018 | Trust score becomes opaque or discriminatory | 3 | 5 | 15 | interpretable inputs, no protected-class proxies, appeals, periodic review | Trust/legal / open |
| R-019 | Account takeover permits fraudulent profile changes | 3 | 5 | 15 | short access tokens, hashed rotating refresh sessions, reuse-family revocation, MFA before pilot, re-verification of sensitive changes | Security / active |
| R-020 | Backups exist but cannot be restored | 2 | 5 | 10 | scheduled restore exercises and recovery evidence | Operations / planned |
| R-021 | Secondary research reflects urban or online bias | 4 | 4 | 16 | mark provisional, design low-bandwidth fallbacks, validate during controlled pilot | Product/research / accepted limitation |
| R-022 | Official registries cannot legally or economically support verification | 3 | 5 | 15 | no premature integration, manual fallback, written approval before launch | Trust/legal / Phase 10 gate |
| R-023 | Future field research exposes participant data | 3 | 5 | 15 | coded IDs, minimization, private raw-data store, publication checklist | Research/privacy / pilot gate |
| R-024 | Team treats provisional baseline as validated market truth | 4 | 4 | 16 | evidence labels, prototype disclaimers, exit-review limitations, pilot contradiction rule | Product/programme / active |
| R-025 | High-risk categories exceed pilot safety capacity | 3 | 5 | 15 | excluded-category list, category scorecard, legal review, limited claims | Product/trust / controlled |
| R-026 | Delayed manual fieldwork blocks design indefinitely | 1 | 4 | 4 | secondary-research gate; primary validation moved to later phases | Programme / mitigated |
| R-027 | Synthetic prototype is mistaken for implemented functionality | 3 | 4 | 12 | explicit prototype labelling, fictional data, no real submissions | Design/programme / active |
| R-028 | Call/WhatsApp handoff causes privacy leakage or bypass | 3 | 4 | 12 | accepted tracked interaction, verified contact reference, masked hint, 24-hour consent, revocation, disabled delivery and leak regressions | Product/privacy / controlled for synthetic phase; production gate open |
| R-029 | Informal-provider pathway is perceived as lower quality or misleading | 3 | 4 | 12 | equal layout, explicit evidence states, no hidden ranking penalty | Product/trust / open |
| R-030 | OTP/challenge endpoint enables enumeration, spam or cost abuse | 4 | 5 | 20 | enumeration-safe response, expiry, attempt limit, hashed fingerprint, synthetic-only adapter; distributed throttling and vendor controls required before production | Security / Phase 10 gate |
| R-031 | Refresh-token theft allows persistent account access | 3 | 5 | 15 | raw token never stored, short access token, rotation, family reuse detection, device/session revocation, secure client storage later | Security / active |
| R-032 | Incorrect global/provider role scope causes cross-provider access | 3 | 5 | 15 | database role-scope trigger, non-overlap constraint, provider-aware repository, deny tests, server-side permission resolution | Security/backend / controlled |
| R-033 | Operations portal leaks privileged data through indexing, browser bundles or direct connectors | 3 | 5 | 15 | noindex/security headers, API-only boundary, CI import scan, synthetic fixtures, no deployment, CSP review before real data | Security/admin / controlled |
| R-034 | Synthetic authentication is mistakenly enabled in production | 2 | 5 | 10 | production configuration permits only disabled mode and requires external secrets; deployment gate and runtime checks still required | Security/operations / controlled |
| R-035 | Profile completion or an operator action accidentally publishes an unverified provider | 3 | 5 | 15 | policy-controlled publication function, live provider/category/claim eligibility and public-route regressions | Trust/backend / controlled |
| R-036 | Category requirements change and invalidate historical evidence meaning | 3 | 5 | 15 | immutable activated versions, provider selections pin a version, new versions required for changes | Trust/data / controlled |
| R-037 | Provider pathways become a proxy for quality or unfair ranking | 3 | 4 | 12 | pathways describe evidence context only, equal presentation, no pathway-derived trust score, pilot fairness review | Product/trust / open |
| R-038 | A provider representative gains access to another provider or retains access after revocation | 3 | 5 | 15 | provider-scoped role assignments, active-time checks, immediate server resolution, cross-provider and revocation tests | Security/backend / controlled |
| R-039 | Private-storage adapter or bucket policy exposes original evidence | 3 | 5 | 15 | adapter-only backend access, opaque object keys, private buckets, short-lived signed access, access audit, no public URL, infrastructure review before real data | Security/storage / production gate |
| R-040 | A shared requirement key is linked to the wrong provider category | 2 | 5 | 10 | category-scoped resolution, pinned requirement versions, ambiguity rejection and regression tests | Trust/backend / controlled |
| R-041 | Repeat or contradictory verification decisions create misleading claims | 2 | 5 | 10 | in-review lifecycle gate, immutable decisions, reason/result semantics trigger and regression tests | Trust/data / controlled |
| R-042 | Expiry processing is not scheduled or fails silently in production | 3 | 5 | 15 | deterministic database function, audited batch result, monitored scheduler, retry and stale-claim alert before public discovery | Trust/operations / deployment gate |
| R-043 | Synthetic private storage is mistaken for production-ready document handling | 3 | 4 | 12 | synthetic labelling, production adapter contract, malware/MIME/checksum controls required before real evidence, deployment checklist | Programme/security / active |
| R-044 | Safe claim projection accidentally includes private evidence or reviewer data | 2 | 5 | 10 | dedicated safe view/types, allowlisted fields, OpenAPI/public-route tests and no object references in clients | Trust/privacy / controlled |
| R-045 | A stale published row remains visible after provider suspension or category removal | 3 | 5 | 15 | live provider/category/version joins on every public read, current-claim checks and removal regressions | Trust/backend / controlled |
| R-046 | Search distance or map output reveals a mobile provider private base | 2 | 5 | 10 | separate private/public geometry, service-area matching for mobile providers, public DTO allowlists and privacy regressions | Privacy/location / controlled |
| R-047 | Saved-provider lists retain ineligible or withdrawn providers | 3 | 4 | 12 | re-evaluate publication, organization, category/version and claim eligibility on save and every saved-list read | Product/backend / controlled |
| R-048 | Map/vendor outage, cost or permission denial makes discovery unusable | 3 | 4 | 12 | manual area path, list mode, adapter boundary, no background location and production vendor gate | Android/architecture / open |
| R-049 | Sparse supply or aggressive filters produce empty results that mislead customers | 4 | 3 | 12 | bounded no-results recovery, transparent filters, sparse/empty synthetic states and no fabricated providers | Product/growth / open |
| R-050 | Client-selected or ambiguous provider context causes cross-provider workspace access | 2 | 5 | 10 | actor-resolved assignment, double authorization lookup, zero/multiple-assignment rejection and revocation regressions | Security/backend / controlled |
| R-051 | Interrupted retries create duplicate evidence or link to the wrong case | 2 | 5 | 10 | logical intent key, attempt/session linkage triggers, one version per session, case/provider/requirement lifecycle validation and rollback tests | Trust/backend / controlled |
| R-052 | Provider timeline or operations readiness leaks reviewer or evidence data | 2 | 5 | 10 | dedicated allowlisted projections, aggregate counts, explicit non-exposure flags and serialization tests | Privacy/operations / controlled |
| R-053 | Android recovery persistence stores sensitive evidence or bearer-like data | 3 | 5 | 15 | metadata-only synthetic snapshot, no bytes/URI/hash/object key/token, corruption-safe fallback; encrypted storage required before real evidence | Android/security / production gate |
| R-054 | Phase 6 accidentally implements enquiry, review or payment mutations | 2 | 4 | 8 | explicit read-only endpoints, absent mutation routes, Phase 8/9 ownership copy and HTTP regressions | Product/architecture / mitigated by Phase 8 promotion; Phase 9 boundary retained |
| R-055 | Unassigned, revoked or expired operators access private evidence | 2 | 5 | 10 | active assignment match, short-lived grants, access audit, immediate revocation/expiry checks and deny regressions | Security/trust / controlled |
| R-056 | Field text leaks precise coordinates, private storage paths or checksums into operator responses | 2 | 5 | 10 | database public-safe text predicate, structured observations, separate private notes and HTTP regressions | Privacy/operations / controlled |
| R-057 | Field agents create final trust decisions or claims | 2 | 5 | 10 | advisory-only schema, separate permissions, absent decision routes and before/after trust-state regressions | Trust/operations / controlled |
| R-058 | High-risk override requester, duplicate or colluding approvers weaken evidence policy | 3 | 5 | 15 | serialized approvals, two distinct eligible identities, requester/self/duplicate rejection and mandatory-evidence gates | Trust/security / controlled; pilot review required |
| R-059 | An unrelated operator starts or resolves another owner's incident | 2 | 4 | 8 | owner-scoped lookup, trust-supervisor/admin override rules, immutable terminal resolution and HTTP regressions | Operations/security / controlled |
| R-060 | Expiry or aggregate reporting leaks provider/evidence identifiers or storage metadata | 2 | 5 | 10 | fixed allowlists, safe views/types, explicit non-exposure flags and serialization tests | Privacy/reporting / controlled |
| R-061 | Stale or replayed enquiry actions overwrite a newer provider/customer decision | 3 | 4 | 12 | expected revisions, immutable events, idempotency fingerprints, conflict responses and Android refresh state | Backend/Android / controlled |
| R-062 | Contact consent is misunderstood as permanent provider access or marketing consent | 3 | 5 | 15 | channel-specific 24-hour scope, explicit expiry/revocation copy, provider retrieval denial, no marketing reuse and later legal review | Product/privacy / production gate |
| R-063 | Interaction or review APIs become an alternate route to create trust, publication or ranking | 2 | 5 | 10 | separate schemas, absent write coupling, database state machines and before/after decision/claim/publication assertions | Trust/backend / controlled |
| R-064 | Appeal handling loses the prior moderation state or accidentally exposes a review | 2 | 5 | 10 | persisted pre-appeal state/timestamp, immutable origin, reasoned decisions and denied/upheld regressions | Trust/data / controlled |
| R-065 | Customer complaints are confused with public reports or internal incidents | 3 | 4 | 12 | separate tables, permissions, routes, portal workspaces, projections and no-link flags | Operations/product / controlled |
| R-066 | Moderation, appeal or complaint queues exceed operational service levels | 4 | 4 | 16 | queue metrics, ownership, escalation policy, staffing model, ageing alerts and pilot load testing | Operations / Phase 10–11 gate |
| R-067 | Android offline draft recovery stores raw contact or sensitive service detail insecurely | 3 | 5 | 15 | bounded synthetic metadata only, no tokens/contact/evidence, reset path; encrypted approved storage and retention tests before real data | Android/security / production gate |
| R-068 | A production communications adapter sends duplicate, unauthorized or non-consensual messages/calls | 3 | 5 | 15 | disabled adapter in Phase 8; future signed provider adapter, consent-at-send check, idempotency, delivery audit, opt-out and abuse controls | Communications/security / production gate |
| R-069 | Forged, stale or replayed payment webhook changes commercial state | 3 | 5 | 15 | canonical HMAC, timestamp window, unique event ID/fingerprint, replay tests and Phase 10 key-rotation monitoring | Finance/security / controlled synthetically; production gate | | R-070 | Ledger imbalance or direct historical edits corrupt financial audit | 2 | 5 | 10 | append-only triggers, controlled posting functions, debit/credit balance checks and reconciliation | Finance/data / controlled synthetically | | R-071 | Subscription or payment state changes verification, publication, ranking or accountability rights | 2 | 5 | 10 | separate schema/module, absent write coupling, explicit false-effect fields and before/after trust assertions | Product/trust / controlled | | R-072 | Credentials, raw webhook bodies, contact or evidence leak through commercial clients or projections | 3 | 5 | 15 | minimized DTOs, no raw-body storage, API-only portal, metadata-only Android persistence and leak regressions | Privacy/security / controlled synthetically; production gate | | R-073 | Ambiguous or copied provider context causes cross-tenant commercial access | 2 | 5 | 10 | actor-resolved active assignment, zero/multiple-assignment denial, database permission checks and cross-provider tests | Security/backend / controlled | | R-074 | Reconciliation exceptions are unresolved or resolved against incorrect evidence | 4 | 4 | 16 | explicit mismatch codes, ownership, revisions, immutable source records, queue ageing and Phase 10 service levels | Finance/operations / Phase 10 gate | | R-075 | Adjustment or refund requester colludes with or acts as approver | 3 | 5 | 15 | requester exclusion, two distinct eligible approvers, immutable approvals and later anti-collusion review | Finance/security / controlled synthetically; pilot gate | | R-076 | Synthetic payment adapter or test secret is enabled in production | 2 | 5 | 10 | production schema permits disabled mode only, no real provider SDK/credential and Phase 10 configuration/secret scans | Security/operations / controlled; production gate | | R-077 | Supabase activation targets the wrong project or exposes protected credentials | 2 | 5 | 10 | exact project-ref check, protected environment secrets, backend-only keys, sanitized artifacts and abort-on-mismatch workflow | Security/infrastructure / blocked until verified access |
Current treatment priorities¶
Phase 9 exit controls are implemented for the synthetic checkpoint:
- R-009 is controlled by adapter isolation, idempotent signed webhooks, an append-only balanced ledger and reconciliation queues;
- R-054 is mitigated because the former subscription placeholder is replaced by a live actor-scoped commercial workspace;
- R-069 is controlled synthetically by canonical HMAC verification, timestamp freshness and replay/conflict regressions;
- R-070 is controlled by immutable ledger history, balanced posting functions and direct-mutation denial;
- R-071 is controlled by schema separation and before/after verification, claim, publication, review and complaint assertions;
- R-072 is controlled by minimized projections, absent raw webhook storage, API-only portal access and credential-free Android persistence;
- R-073 is controlled by active actor-resolved provider scope and cross-provider denial tests;
- R-075 is controlled synthetically by requester exclusion and two independent approvals;
- R-076 is controlled because production configuration accepts only disabled payment mode;
- R-077 remains blocked until the exact DIREKT Supabase project and protected secrets are verifiably accessible.
Before production integration:
- R-006 still requires WorkManager/network implementation and representative low-connectivity device validation;
- R-014 and R-048 require an approved map/location provider, quotas, cost controls and manual fallback validation;
- R-039, R-042 and R-043 require production storage, scheduler, scanning, alerting and recovery validation;
- R-053 and R-067 require approved encrypted Android storage, secure local retention and deletion tests;
- R-055 and R-056 require production identity, object-storage and log-redaction review;
- R-062 requires approved consent copy, privacy notice, lawful-use boundaries and qualified Zambia review;
- R-066 and R-074 require queue ownership, service levels, ageing alerts, staffing and escalation exercises;
- R-068 requires approved communication providers, consent-at-send enforcement, idempotency, audit, opt-out and abuse controls;
- R-069, R-072, R-076 and R-077 require production key rotation, secret/configuration scanning, verified infrastructure activation and incident monitoring.
Before the controlled pilot:
- R-004, R-010, R-013, R-015, R-021, R-022, R-023 and R-025 require real operational or legal evidence;
- R-030 requires approved providers, distributed rate limiting and monitored abuse controls;
- R-033 requires deployment, cookie/session, CSP and private-data review;
- R-034 and R-076 require production configuration and secret-management validation;
- R-037, R-058 and R-075 require representative fairness, independence and anti-collusion testing;
- R-062, R-066, R-067, R-068 and R-074 require representative consent, moderation, connectivity, communications and finance-operations validation.
Review cadence¶
- Phase review: update affected risks.
- Pilot: daily operational review and weekly formal risk review.
- Production: monthly review plus immediate review after a material incident.
- Any priority of 15 or more requires a named owner and treatment before public launch.