Design · §10
Risk register
Every risk identified during the design phase, classified by severity and paired with a concrete mitigation. Reviewed at the start of each implementation sprint.
Approach
A risk is anything that could cause Ekdotico to fail to meet its commitments to users, partners, or the wider academic community. Risks are tracked here with a stable identifier, a severity classification, and a specific mitigation strategy that can be evaluated against during implementation.
Severity levels:
- High — The platform's core value proposition or legal standing is at stake. Mitigation must be in place before launch.
- Medium — The platform's quality, cost, or scalability is materially affected. Mitigation is required but may be iterative.
- Low — The risk is contained but worth documenting. Lightweight mitigation is acceptable.
Register
| ID | Risk | Severity | Mitigation |
|---|---|---|---|
| R-01 | Citation hallucination in AI Research synthesis | High | System prompt explicitly forbids inventing sources; Claude may only cite from injected abstracts; all citations verified via CrossRef before chip rendering; unverified chips show a warning badge. |
| R-02 | Academic integrity framing of AI writing features | High | All features labelled as assistance tools; the word "humanize" never appears in UI copy; export metadata includes AI disclosure; Terms of Service explicitly defers to the institution's AI use policy. |
| R-03 | Provenance gaming — student writes elsewhere and pastes at the end | High | Large paste events over 500 characters are flagged and weighted heavily in the AI contribution score; paste velocity and word count velocity are independent signals; disclosure is a probabilistic breakdown, not a binary pass or fail. |
| R-04 | Ed25519 private key compromise | High | Key stored only in environment variable; never logged or transmitted; key rotation procedure documented; old signatures remain verifiable using versioned public keys. |
| R-05 | Google Docs extension privacy overreach | High | Extension captures only event type, timestamp, and byte length; no raw keystroke values; no clipboard content; reviewed against Chrome Web Store privacy policies prior to submission. |
| R-06 | GDPR compliance for writing event logs | High | Raw keystroke values never stored; only aggregate metrics and event types; per-document opt-in or opt-out; full data deletion via self-service route; lawful basis documented as legitimate interest. |
| R-07 | pgvector query performance degradation at scale | Medium | HNSW index on embedding column; chunk size tuned to approximately 512 tokens; source document count per document capped at Free tier; Pro tier gets expanded quota. |
| R-08 | Mini-chat context window exceeding model limits | Medium | Context payload capped: selectedText 500 chars, surrounding 1,000 chars, top 3 chunks 1,500 chars total, document thesis 200 chars; total always under 4k tokens for Haiku. |
| R-09 | Anthropic API cost from mini-chat at scale | Medium | Claude Haiku for all mini-chat inference; per-user daily token budget enforced via Redis; mini-chat capped at 5 messages before user is prompted to promote to Source Chat where Sonnet handles deeper context. |
| R-10 | URL-to-citation accuracy varies by site | Medium | Prioritise DOI over URL resolution; show pre-filled form for user correction; URL-derived citations marked as unverified until DOI confirmed via CrossRef. |
| R-11 | React Flow mind map collaborative sync complexity | Medium | Mind map stored as JSON in PostgreSQL, not as Yjs CRDT; optimistic local updates plus server reconciliation on tab switch; Yjs reserved exclusively for the Write editor. |
| R-12 | PDF storage costs at scale | Medium | Free tier provides link-only PDFs via Unpaywall open-access URLs; PDF upload gated to Pro tier; per-user storage quota enforced at API layer. |
| R-13 | verify.ekdoti.co impersonation or fake signatures | Medium | Signatures verifiable only against published public key; HTTPS enforced; publicIds are non-guessable cuid values; rate limiting applied to all verification endpoints. |
| R-14 | Novel fork diverging from upstream security patches | Low | Academic extensions isolated in separate Tiptap extension files; upstream security patches cherry-picked; all divergence points documented in FORK.md. |
| R-15 | Retraction Watch external dependency at runtime | Low | Database cached as a weekly-refreshed CSV in PostgreSQL via BullMQ cron; zero external dependency at citation-check query time. |
| R-16 | Source Chat embedding cost at scale | Low | Embedding runs once per source document chunk and is cached indefinitely in pgvector; no re-embedding unless source is removed and re-added; processing via BullMQ batch workers. |
| R-17 | False positive task auto-completion eroding student trust | High | Amber confirmation state (confidence 0.5–0.85) gates all uncertain completions; only high-confidence signals above 0.85 auto-complete silently; full TaskEvent audit trail; one-click revert always available. |
| R-18 | Research Journal generation cost at scale | Medium | Delta generation rather than full regeneration as the default path; delta jobs run on Claude Haiku using only new activity since last update, typically under 1k tokens per update; full regeneration rate-limited to once per 30 minutes per document. |
| R-19 | Task extraction noise producing too many irrelevant tasks | Medium | Extraction prompt includes existing pending task titles to prevent duplication; Claude instructed to extract only clearly actionable items, not generic advice; extraction output validated as JSON before any database writes; student can dismiss individual tasks without affecting the extraction pipeline. |
Review cadence
The risk register is reviewed at three checkpoints:
- Start of each implementation sprint. New risks discovered during the previous sprint are added; mitigations are checked for effectiveness.
- Before each major release. Severity classifications are re-evaluated against the current state of the platform.
- Annually for ongoing operational risks such as vendor pricing changes, GDPR enforcement updates, and academic integrity policy shifts at partner institutions.