9. Risks and Technical Debts

Ar42 specifications helper

Contents

A list of identified technical risks or technical debts, ordered by priority

Motivation

“Risk management is project management for grown-ups” (Tim Lister, Atlantic Systems Guild.)

This should be your motto for systematic detection and evaluation of risks and technical debts in the architecture, which will be needed by management stakeholders (e.g. project managers, product owners) as part of the overall risk analysis and measurement planning.

Form

List of risks and/or technical debts, probably including suggested measures to minimize, mitigate or avoid risks or reduce technical debts.

Missing-Feature

###	Feature gap	Category	Impact	Prob.	Short risk description	Mitigation / next step
F-1	Transmission-schedule upload (attach PDF/ICS to RFQ)	UX / scope	Med – manual e-mail fallback wastes time	High	Users must send schedules by mail; information loss between systems.	Define REST /rfqs/{id}/attachments & 15 MB Static S3 bucket; MVP = PDF only.
F-2	CSV bulk import for RFQ items	Efficiency	Med	Med	Large tournaments (30+ venues) are painful to enter line-by-line.	Re-use existing item DTO; add /rfqs/items/csv endpoint + simple Parser.
F-3	IAM: Pw change / expiry / idle auto-logout	Security	High	Med	Strong audit requirement for ISO-27001; risk of account abuse.	Implement /auth/changePassword, PW expiry claim, idle timer in SPA.
F-4	Audit log (profile, RFQ, Quote)	Compliance	Low	Low	Traceability with app log but can't be displayed in the app	Create a audit module that persist log on each relavant event
F-5	Global search (provider / RFQ / quote)	UX	Low	Med	Navigation pain for power users → adoption risk.	Elastic index PoC; Fallback to SQL UNION.
F-6	SNG photo upload	UX	Low	Low	Catalogue looks empty; not blocking.	Implement static storage done.
F-7	Mobile responsiveness	UX / sales	Med	Med	user frustration.	Bootstrap 5 grid audit, prioritize break-points on critical pages.

Front end technical debt

####	Item	Category	Impact	Prob.	Risk / debt	Mitigation
FE-1	No client-side caching	Performance	Med	High	Repeated GETs (countries, specs) hammer API; slower UX offline.	Pinia “stale-while-revalidate” helper; expire after 1 h.
FE-2	Missing input validation	Security	High	High	XSS / malformed DTO can hit back-end; risk of data corruption.	Central vee-validate schema per form; sanitize strings.
FE-3	Refresh-token rotation absent	Security	High	Med	Session hijack if stolen refresh token valid 24 h.	Adopt short-lived (30 min) access + 12 h rotated refresh flow.
FE-4	Native alert()/confirm dialogs	UX	Low	High	Inconsistent look & accessibility.	Replace with Bootstrap modal wrapper; migrate gradually.
FE-4	Modularity and composition	Design	Low	High	Bloated component and hard to maintain	Split component into smaller part

Back end teachnical debt

####	Item	Category	Impact	Prob.	Risk / debt	Mitigation
BE-1	Country data not normalised	Architecture / data	Med	High	Free-text country in 5 tables → duplicates & join pain.	Introduce country dimension via Flyway, back-fill from open DB, FK.
BE-2	/api context-path workaround	API design	Low	Low	Breaks tooling (OpenAPI links), extra reverse-proxy rules.	Remove prefix in Spring, adjust paths.
BE-3	No HATEOAS / self links	API evolution	Low	Med	Clients must hard-code URLs; harder versioning.	Add Spring HATEOAS gradually (start with RFQ).
BE-4	Tech-spec validator ties to JSON column	Maintainability	Med	Med	Each new spec => code change; risk of drift.	Validate against technical_specification dimension instead.
BE-5	Privileges unused	Security	Low	Med	Coarse RBAC may be insufficient	Map routes → privilege, add method-level @PreAuthorize.
BE-6	JWT blacklist table growth	Performance	Med	Med	Millions of tokens → DB bloat, slower auth calls.	Shrink TTL to 30 min + drop blacklist (use short validity).
BE-7	Light websocket auth rules	Security	High	Low	Potential info leak via STOMP topics.	Harden MessageMatcherDelegatingAuthorizationManager; topic pattern checks.
BE-8	Missing pagination on notifications	Performance	Med	High	Large notification set → OOM / bandwidth.	Add Pageable to /notifications, adapt store.
BE-9	Sequential TruckSpecificationBuilder	Maintainability / perf	Low	Med	Each new filter => code change & query slowdown.	Consider JSON→PostgreSQL GIN index or switch to doc DB.
BE-10	Partial RFQ versioning (no history)	Compliance	High	Med	Can’t trace contract changes; legal exposure.	Introduce RFQ revision table + Envers audit; expose /versions.
BE-11	Zero cache layer	Scalability	Med	Med	High DB load in growth scenario.	Use Spring Cache (Caffeine) on reference data.
BE-12	Unit-test style divergence	Quality	Low	High	Harder PR review & onboarding.	Implement Sonar scan + adapt styling with a linter
BE-13	Entity Functional Numbering logic	Architecture Data	Med	High	Concurrency issue with numbering creation of (RFQ, Quotes and Registraiton isssue). AS the MySQL engine can't manage to auto increment on the same table a manual sequence creation has been impleemnted and might cuase race condition	Generalizre and refactor the numbering features by using read only logic or migrating towards a PostgreSQL

CI/CD & Infrastructure debt

####	Item	Category	Impact	Prob.	Risk / debt	Mitigation
CI-1	MySQL Docker runs as root / single user	Security	Med	Med	Privilege escalation if container breached.	Create dedicated DB user with least privilege; add USER mysql in Dockerfile.
CI-2	Private repos under personal account	Governance	High	Med	Bus-factor = 1; IP ownership unclear.	Migrate to corporate GitHub Org + self-hosted registry.
CI-3	University VPS prod hosting	Ops / SLA	High	Med	Time bounded	Move to corporate cloud tenancy;
CI-4	No pipeline security scanning	Security	Med	Med	Vulnerable deps may slip to prod.	Add a Trivy scan