# risks.md

## Technical Risks

### Shared hosting limitations
- **30-second PHP execution limit** — Monte Carlo with 1000 runs × 50 years × 12 months is right at the ceiling. Mitigations:
  - Default to 500 runs; cap at 1000.
  - Pre-compute HMRC gross-up once per year (already done).
  - Cache bracket lookups per-instance (already done).
  - **Open:** if Phase 4 adds accumulation phase, total iterations roughly double → may need to reduce default runs to 250 or move to async (Phase 6).
- **No SSH for Composer** — no auto-updates, no package management. Each dependency requires manual vendor zip + autoloader wiring.
- **30 MB upload limit** in default cPanel — fine for our files; problem only if vendoring mPDF requires a single upload >15 MB (the zip).

### Performance constraints
- Single-threaded PHP per request — concurrent simulations can saturate the host.
- MySQL query plan: not yet optimised. Performance becomes a concern at 10k+ funds (deferred).

### Browser cache staleness
- Already mitigated via `APP_JS_VERSION` mismatch banner. Re-confirm on every deploy.

### Engine version drift
- A run executed under one version will not regenerate identically under a later version. We persist the `app_version` against each `simulation_run` so audits know which engine produced a given number. **Open:** make the `app_version` column actually populate (TODO Phase 5).

---

## Security Risks

### Data exposure
- PII in `clients.name_enc` and `clients.ni_number_enc` is AES-256-GCM encrypted;
  other fields are plaintext. Phone, address are NOT yet encrypted (Phase 4).
  Until then, advisers should not store additional PII in unencrypted fields.
- Audit log retention: 6 years required for FCA-regulated firms; currently no purge cron —
  table will grow forever. Add purge cron in Phase 5 (with configurable retention period).

### Injection vulnerabilities
- Native prepared statements everywhere — risk currently low.
- `LIMIT` inline (with explicit `max(1, min(N, ...))`) — risk negligible but technically opens an audit finding.
- File-upload paths (CSV/XLSX) checked for path traversal — risk low.

### Session hijacking
- Cookies are `HttpOnly + Secure + SameSite=Lax`. Risk low on HTTPS.
- No active session invalidation on password change — TODO Phase 5.

### Open-finding from earlier audit
- `async_funds_agent.php` in webroot exposes DB credentials. **Must be deleted from production.** Tracked in `backlog.md`.

### Stripe webhook verification
- Webhook `Stripe-Signature` header validation must be verified end-to-end using `STRIPE_WEBHOOK_SECRET`.
  Code path exists; needs audit before scaling paid revenue.

---

## Business Risks

### Low adoption
- UK IFA market: ~27,000 FCA-authorised advisers. 1% market share = 270 paying customers.
- Cold sales is hard; IFAs are conservative adopters. Mitigations: CISI/PIMFA partnership
  outreach, conference visibility (CISI Annual Conference, PIMFA Forum), referral commissions.

### Weak conversion model
- Free tier is generous (3 clients). Risk: advisers stay free forever.
- Mitigation: limit "reports per client" on Free tier; require Lite to unlock branded PDF.

### FCA regulatory exposure
- The engine produces numbers an adviser presents to clients. If we mis-model something,
  the adviser faces an FCA complaint and may sue us.
- Mitigations:
  - **Every PDF carries the FCA disclosure disclaimer.**
  - We pin the engine version against each saved run.
  - We log every assumption that materially affects the success rate (HMRC gross-up, SIPP PCLS rules,
    State Pension income, monthly cashflow, etc.) in the report.
  - Terms of Service explicitly say "adviser is responsible."
  - **Open:** professional indemnity insurance once paid revenue >£1k/mo.

### UK GDPR compliance exposure
- Any data breach must be reported to the ICO within 72 hours.
- Mitigations: AES-256-GCM encryption on PII; audit log; DPO email on each tenant; consent withdrawal handler.

### Concentration / single-point-of-failure
- Founder is the only engineer. If incapacitated, the system continues running but bug fixes pause.
- Mitigation: every change is documented (DEPLOY_NOW.md, this workspace). Onboarding-engineer notes in `notes.md`.
- Long-term: hire a second engineer at ~250 subscribers.

### Hosting outage
- Shared cPanel ≠ 99.99% SLA. A 24h outage kills trust.
- Mitigation: monitor uptime via UptimeRobot (free), daily DB backups off-site, documented restore procedure.

### UK tax year changes
- HMRC Income Tax brackets may change in the Autumn Statement (October) or Spring Budget (March).
  Must be applied within 7 days. Process documented in `notes.md`.

---

## Mitigation Strategy (cross-cutting)

- **Keep architecture modular** — every domain concern in its own folder under `app/`. Replacing one module (e.g. Stripe → GoCardless) is a 2-day job, not a 2-month refactor.
- **Validate ROI early** — track MRR vs CAC monthly. Stop spending on growth channels that don't pay back in 6 months.
- **Document everything** — this workspace (the 16 .md files), `DEPLOY_NOW.md` per release, `DEVELOPMENT_PLAN.md` for forward-looking scope.
- **Engine audits every quarter** — re-run the Scenario A/B/C/D smoke tests from `testing.md`. Flag any drift >5%.
- **Lock customer data exports** — Pro tier must always be able to bulk-export client + run data. Anti-lock-in covenant.
- **Compliance pass annually** — UK GDPR + FCA COBS review with an external compliance officer before each financial year.
