How to read this register
- Severity
  - HIGH — Could cause data loss, security breach, production outage, or significant user harm. Needs active mitigation or tracking.
  - MEDIUM — Degrades quality, increases tech debt, or creates exploitable surface. Should be tracked and addressed.
  - LOW — Minor, low-probability, or well-understood. Monitor but not urgent.
- Status
  - Open — Active risk. Not yet mitigated or accepted.
  - Accepted — Known tradeoff we've deliberately kept. Revisit if conditions change.
  - Closed — Resolved. Historical record retained for context.

Open risks
| Risk | Severity | Last reviewed | Notes |
|---|---|---|---|
| Neon+Drizzle migration leaves unguarded household-scoped queries | HIGH | 2026-04-09 | Migration planned (see DECISIONS.md). Every query currently relying on RLS for household isolation needs an explicit `.where(eq(table.householdId, householdId))` before the migration is safe. Audit required before cutover. |
| Playwright + Next.js server action `redirect()` crash | LOW | 2026-04-10 | Playwright crashes when screenshotting Next.js server actions that call `redirect()`. Dinly uses server actions heavily (plan finalization, candidate curation, shopping list). Any future Playwright E2E tests for these flows need a different screenshot strategy — do NOT screenshot inside a server action that redirects. Surfaced by authexis in fleet testing. |
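
A sketch of the audit that the Neon+Drizzle row calls for, added here as an example and not taken from Dinly's code base: it flags Drizzle `select`/`update`/`delete` chains on household-scoped tables that lack an `eq(<table>.householdId, ...)` filter. The table names `pantryItems` and `familyMembers`, the function name `findUnscopedQueries`, and the sample source are assumptions; the scan is a text heuristic that treats everything up to the next `;` as one query chain.

```typescript
// Heuristic pre-cutover audit: once RLS no longer isolates households, every
// select/update/delete on a household-scoped table needs its own filter.
// Table names and SAMPLE below are constructed for illustration.
interface Finding { line: number; table: string; op: string }

function findUnscopedQueries(source: string, scopedTables: string[]): Finding[] {
  const names = scopedTables
    .map((t) => t.replace(/[^A-Za-z0-9_]/g, ""))
    .filter((t) => t.length > 0)
    .join("|");
  if (names === "") return [];
  // Matches .from(t), .update(t) and .delete(t) for the tables under audit.
  const opRe = new RegExp(`\\.(from|update|delete)\\(\\s*(${names})\\s*\\)`, "g");
  const findings: Finding[] = [];
  let m: RegExpExecArray | null;
  while ((m = opRe.exec(source)) !== null) {
    const op = m[1] ?? "";
    const table = m[2] ?? "";
    // Treat the text up to the next ';' as the remainder of the query chain.
    const end = source.indexOf(";", m.index);
    const chain = source.slice(m.index, end === -1 ? source.length : end);
    const scoped = new RegExp(`\\beq\\(\\s*${table}\\.householdId\\s*,`).test(chain);
    if (!scoped) {
      // 1-based line number of the unscoped operation.
      const line = source.slice(0, m.index).split("\n").length;
      findings.push({ line, table, op });
    }
  }
  return findings;
}

// Constructed sample: two scoped queries, two that relied on RLS alone.
const SAMPLE = `
const items = await db.select().from(pantryItems)
  .where(eq(pantryItems.householdId, householdId));
await db.delete(pantryItems).where(eq(pantryItems.id, itemId));
await db.update(familyMembers).set({ name })
  .where(and(eq(familyMembers.id, id), eq(familyMembers.householdId, householdId)));
const all = await db.select().from(familyMembers);
`;

console.log(findUnscopedQueries(SAMPLE, ["pantryItems", "familyMembers"]));
```

A clean result from a text scan like this is not proof of isolation: queries built through helpers or joins still need manual review.
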
Accepted risks
Deliberate tradeoffs. Known, documented, and tolerated by design. Revisit if conditions change.
| Risk | Severity | Last reviewed | Notes |
|---|---|---|---|
| Admin client actions bypass RLS | HIGH | 2026-04-09 | `createAdminClient()` bypasses RLS entirely. All current call sites verified: each calls `requireHousehold()` or explicitly checks ownership before operating. Pattern documented in DECISIONS.md. Risk is in future admin client additions missing the ownership check. |
Closed risks
Resolved. Kept as historical record.
| Risk | Severity | Tracker | Last reviewed | Notes |
|---|---|---|---|---|
| Pantry scoring dead in production | MEDIUM | Closed — #393 | 2026-04-12 | Fixed in #393. Both plan and results pages now fetch pantry items and pass to `rankCandidates()`. |
| Post-meal ratings excluded from results ranking | MEDIUM | Closed — #392 | 2026-04-12 | Fixed in #392. Added rating to results page bookmark select — now matches plan page query. |
| `generateIcs()` in calendar route unguarded | LOW | Closed — #419 | 2026-04-11 | Fixed in #419. `generateIcs()` now wrapped in try/catch returning a 500 JSON response. |
| Mutations missing household_id scope filter (pre-check pattern) | LOW | Closed — #396 | 2026-04-12 | Fixed in #396. All mutations now include household_id filter: `deletePantryItem` (#418), `updateFamilyMember`, `deleteFamilyMember` (#396). |