RAID Report — 2026-04-25

Date: 25-04-2026

Subject: RAID Report

Source: docs/architecture/RISKS_GAPS_ASSUMPTIONS.md (last updated 2026-04-23/24 per Change Summary)

| Issue Number | Issue Type | Status | Days Open |
|---|---|---|---|
| 1. Monolithic UI/control plane (src/App.jsx) | Risk | Open | Unknown (predates 2026-04-23) |
| 2. Oversized hooks acting as service layers (useNoteForm, useSettings) | Risk | Open | Unknown (predates 2026-04-23) |
| 3. Schema probe only runs once after first failure [SUR-61] | Risk | Open | Unknown (predates 2026-04-23) |
| 4. Manual Supabase migration application (out-of-band) [SUR-60] | Dependency | Open | Unknown (predates 2026-04-23) |
| 5. Managed proxy env fragility — SUPABASE_SERVICE_ROLE_KEY / ANTHROPIC_API_KEY misconfig surfaces as generic 500s | Dependency | Open | Unknown (predates 2026-04-23) |
| 6. Direct Anthropic exposure via BYOK leaks plaintext + key from compromised browsers [SUR-63] | Risk | Open | Unknown (predates 2026-04-23) |
| 7. No storage cleanup — note-images bucket retains orphans after note delete | Gap | Open | Unknown (predates 2026-04-23) |
| 8. Full-table sync only — fetchSince helper unused [SUR-62] | Gap | Open | Unknown (predates 2026-04-23) |
| 9. Outbox single queue blocks all entity types on one stuck payload | Risk | Open | Unknown (predates 2026-04-23) |
| 10. No OCR regression coverage for callTranscribeImage | Gap | Open | Unknown (predates 2026-04-23) |
| 11. Accessibility gaps — long-press only, no keyboard / context-menu alternative | Gap | Open | Unknown (predates 2026-04-23) |
| 12. Usage opacity — ai_usage_daily data not surfaced; users only see “Monthly limit reached” toast | Gap | Open | Unknown (predates 2026-04-23) |
| 13. Broken in-app help links — /#faq and /#what-is-surfc resolve to nothing post-SUR-218 [SUR-209] | Risk | Open | 2 |
| 14. How-It-Works placeholders — removed by SUR-215 | Risk | Closed | n/a |
| 15. Dexie and Supabase schemas stay in lockstep via manual updates | Assumption | Open | Unknown (predates 2026-04-23) |
| 16. 30 calls/month managed quota is sufficient for free tier; per-tier pricing deferred [SUR-67] | Assumption | Open | Unknown (predates 2026-04-23) |
| 17. VitePWA service-worker defaults sufficient — no explicit update prompts / cache busting | Assumption | Open | Unknown (predates 2026-04-23) |
| 18. Cascading book + note tombstones acceptable despite orphan image risk | Assumption | Open | Unknown (predates 2026-04-23) |
| 19. Future ingest adapters (Readwise / Kindle) reuse existing ingest interface without backend changes | Assumption | Open | Unknown (predates 2026-04-23) |
| 20. CaptureFabMenu speed-dial provides sufficient navigation on capture/note screens [SUR-238] | Assumption | Open | 2 |
| 21. How are Supabase credentials managed in Netlify (env vars, secrets manager, etc.)? | Dependency | Open | Unknown (predates 2026-04-23) |
| 22. Monitoring/alerting for sync failures and Edge Function errors (only syncStatus shown client-side) | Gap | Open | Unknown (predates 2026-04-23) |
| 23. Should exports include Supabase storage paths / binary blobs for portable backup? | Gap | Open | Unknown (predates 2026-04-23) |
| 24. SLA for clearing orphaned images / fully deleting user data upon account removal | Gap | Open | Unknown (predates 2026-04-23) |
| 25. Multi-device conflict UI beyond last-write-wins not surfaced | Gap | Open | Unknown (predates 2026-04-23) |
| 26. Background sync (service worker sync events) for queued writes when app is closed | Gap | Open | Unknown (predates 2026-04-23) |

Summary

  • 26 items total: 7 Risks, 9 Gaps, 3 Dependencies, 6 Assumptions, 1 Closed (How-It-Works placeholders, resolved by SUR-215 on 2026-04-23).
  • 25 Open / 1 Closed.
  • Only 2 items have a known “days open” value (SUR-209 and SUR-238, both added 2026-04-23). The remainder predate the 2026-04-23 update; the source document does not record an opened date per item, so precise age cannot be derived without git history of RISKS_GAPS_ASSUMPTIONS.md.

Notes / autonomous decisions

  • Classification choices: items framed as “missing capability or coverage” → Gap; items framed as “external requirement that could break things” (env vars, manual migrations, third-party config) → Dependency; items framed as a future event/condition that could damage the product → Risk; items in the “Key assumptions to validate” section → Assumption.
  • “Days open” is reported as Unknown (predates 2026-04-23) for items whose entry date is not recorded in the source. A future cleanup pass on RISKS_GAPS_ASSUMPTIONS.md to add a Logged date per item would let this column be precise.