Likelihood: Low / Medium / High. Impact: Low / Medium / High / Critical.
Status: Open / Mitigated / Accepted / Closed.
R-001: Keeper Trial Expiry

| Field | Value |
| --- | --- |
| Risk | Keeper trial expires before integration is validated end-to-end |
| Likelihood | High — trial is a 12-day window from 2026-04-25 provisioning |
| Impact | Critical — KSM reads stop working, Commander shares become unavailable, staging vault integration is dead |
| Mitigation | Convert trial to paid license before expiry. Contact Keeper sales for enterprise pricing and timeline. |
| Status | Open |
| Owner | Ben / CTO (budget approval) |

R-002: Bot Framework Not Registered

| Field | Value |
| --- | --- |
| Risk | Teams notification flow cannot be exercised end-to-end |
| Likelihood | High — no bot is registered, M365 admin involvement required |
| Impact | Medium — notifications fall back to in-app (Prisma Notification table). No user-facing impact until Teams delivery is needed. |
| Mitigation | Register bot, wire notification.service.ts to real Adaptive Card delivery. Requires M365 admin approval. |
| Status | Open |
| Owner | Ben (engineering) / M365 admin (approval) |

R-003: Frontend Test Runner Not Wired

| Field | Value |
| --- | --- |
| Risk | UI regressions ship undetected |
| Likelihood | Medium — changes to frontend are infrequent right now but will increase in v3 |
| Impact | Medium — no automated safety net for frontend changes |
| Mitigation | Wire vitest into frontend/package.json scripts. Expand from 2 test files (governance.spec.ts, RequestIssuancePanel.test.tsx) to baseline coverage. |
| Status | Open |
| Owner | Ben |

R-004: Hand-Linked SQL Between Postgres and Keeper UIDs

| Field | Value |
| --- | --- |
| Risk | Bootstrap title-match linkage between Postgres Record.vaultRecordUid and Keeper vault UIDs is fragile; discovery rebuild may produce inconsistent state |
| Likelihood | Medium — works now but will break if vault records are renamed or re-created |
| Impact | Medium — incorrect linkage means wrong credential gets shared |
| Mitigation | Finalize UID-pinned discovery (option B). Either reconcile existing hand-linked SQL or reset and re-bootstrap. vaultRecordUidPinned flag exists for this purpose. |
| Status | Open |
| Owner | Ben |

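The failure modes behind R-004 are easier to see on concrete data. The following is an added example, not the project's own discovery code: a reconciliation pass over constructed Postgres rows and a constructed vault snapshot that reports, per record, whether the title-match linkage still resolves cleanly, has become ambiguous (two vault records with one title), has gone missing, or has drifted (the title now points at a different UID than the one stored), and then pins every clean linkage so a later rename or re-create cannot move it. The field names vaultRecordUid and vaultRecordUidPinned come from the register; every other type name, field and sample value is constructed for the illustration.

```typescript
// Added example (not the project's code). Illustrates why title-match linkage is fragile
// and how UID pinning removes the ambiguity. Sample records are constructed.

interface VaultRecord { uid: string; title: string }

interface DbRecord {
  id: string;
  title: string;
  vaultRecordUid: string | null;
  vaultRecordUidPinned: boolean;   // from the register: once true, the UID is authoritative
}

type Outcome =
  | { kind: 'ok'; id: string; uid: string }                        // exactly one vault record resolves
  | { kind: 'ambiguous'; id: string; candidates: string[] }        // several vault records share the title
  | { kind: 'missing'; id: string }                                // nothing in the vault matches
  | { kind: 'drift'; id: string; stored: string; byTitle: string }; // title now resolves to a different UID

// Own-property lookup so titles such as "constructor" cannot hit Object.prototype.
function own<T>(table: { [k: string]: T }, key: string): T | undefined {
  return Object.prototype.hasOwnProperty.call(table, key) ? table[key] : undefined;
}

function reconcile(db: DbRecord[], vault: VaultRecord[]): Outcome[] {
  const byUid: { [uid: string]: VaultRecord } = {};
  const byTitle: { [title: string]: VaultRecord[] } = {};
  for (const v of vault) {
    byUid[v.uid] = v;
    const list = own(byTitle, v.title) || [];
    list.push(v);
    byTitle[v.title] = list;
  }

  return db.map((r): Outcome => {
    if (r.vaultRecordUidPinned && r.vaultRecordUid !== null) {
      // Pinned rows ignore the title entirely; only check the UID still exists.
      return own(byUid, r.vaultRecordUid) !== undefined
        ? { kind: 'ok', id: r.id, uid: r.vaultRecordUid }
        : { kind: 'missing', id: r.id };
    }
    // Unpinned rows re-resolve by title, which is where the fragility lives.
    const cands = own(byTitle, r.title) || [];
    if (cands.length === 0) return { kind: 'missing', id: r.id };
    if (cands.length > 1) {
      return { kind: 'ambiguous', id: r.id, candidates: cands.map(c => c.uid) };
    }
    const resolved = cands[0].uid;
    if (r.vaultRecordUid !== null && r.vaultRecordUid !== resolved) {
      return { kind: 'drift', id: r.id, stored: r.vaultRecordUid, byTitle: resolved };
    }
    return { kind: 'ok', id: r.id, uid: resolved };
  });
}

// Pin every unambiguous linkage; ambiguous, missing and drifted rows are left for a human.
function pinResolved(db: DbRecord[], outcomes: Outcome[]): DbRecord[] {
  const okUid: { [id: string]: string } = {};
  for (const o of outcomes) if (o.kind === 'ok') okUid[o.id] = o.uid;
  return db.map(r => {
    const uid = own(okUid, r.id);
    return uid === undefined ? r : { ...r, vaultRecordUid: uid, vaultRecordUidPinned: true };
  });
}

// Constructed vault snapshot: "db-admin" was deleted and re-created (new UID),
// and two records now share the title "api-token".
const SAMPLE_VAULT: VaultRecord[] = [
  { uid: 'uid-db-admin-v2', title: 'db-admin' },
  { uid: 'uid-api-token-a', title: 'api-token' },
  { uid: 'uid-api-token-b', title: 'api-token' },
  { uid: 'uid-smtp', title: 'smtp-relay' },
];

// Constructed Postgres rows as a title-match bootstrap would have left them.
const SAMPLE_DB: DbRecord[] = [
  { id: 'r1', title: 'db-admin', vaultRecordUid: 'uid-db-admin-v1', vaultRecordUidPinned: false },
  { id: 'r2', title: 'api-token', vaultRecordUid: 'uid-api-token-a', vaultRecordUidPinned: false },
  { id: 'r3', title: 'smtp-relay', vaultRecordUid: 'uid-smtp', vaultRecordUidPinned: false },
  { id: 'r4', title: 'legacy-vpn', vaultRecordUid: 'uid-vpn', vaultRecordUidPinned: true },
];

const OUTCOMES = reconcile(SAMPLE_DB, SAMPLE_VAULT);
const PINNED_DB = pinResolved(SAMPLE_DB, OUTCOMES);
```

On this data the pass reports r1 as drift (the stored UID is gone and the title now resolves elsewhere, which is exactly the "wrong credential gets shared" case), r2 as ambiguous, r3 as ok, and r4 as missing despite being pinned; only r3 gets pinned. Running this before a discovery rebuild gives a concrete list of rows to reconcile by hand or to reset.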
R-005: KSM Application IP Lock

| Field | Value |
| --- | --- |
| Risk | KSM Application was created with IP lock checked. SDK calls from App Service may fail if the IP lock doesn’t match the App Service’s outbound IP (or NAT Gateway IP in production). |
| Likelihood | High — IP lock is checked by default at KSM Application creation |
| Impact | High — KSM reads fail, which means vault record metadata is unavailable |
| Mitigation | Uncheck IP lock in Keeper Console, or delete and recreate the KSM Application without IP lock. If IP lock is desired, configure it to match App Service outbound IPs and NAT Gateway IP. |
| Status | Open |
| Owner | Ben |

R-006: HARDEN_GOVERNANCE_v1 Never Tested in True Mode

| Field | Value |
| --- | --- |
| Risk | Flipping HARDEN_GOVERNANCE_v1=true in production without prior staging validation may break issuance flows |
| Likelihood | Medium — the code paths exist and are unit-tested, but the flag has never been exercised in a running environment |
| Impact | High — if the hardened flow breaks, credential delivery stops |
| Mitigation | Flip to true on staging first. Run the full approve-then-issue integration flow. Validate issuance token generation, delivery, verification, and rate-limiting. Only then flip in production. |
| Status | Open |
| Owner | Ben |

R-007: Production App Service Not Provisioned

| Field | Value |
| --- | --- |
| Risk | No path to production. app-passkey-prod-1353 exists as a resource but has no deployed code, incomplete Entra config (ENTRA_APP_ID_HERE placeholders in appsettings-prod.json), and no VNet/NAT Gateway. |
| Likelihood | High — this is a known gap, not a probabilistic risk |
| Impact | Medium — blocks any production use. Not critical while in pilot/staging. |
| Mitigation | Complete appsettings-prod.json, register Entra app for production, provision VNet + NAT Gateway, deploy, validate. See Roadmap v3. |
| Status | Open |
| Owner | Ben / CTO (infrastructure approval) |

R-008: Commander CLI as Single Point of Failure for Shares

| Field | Value |
| --- | --- |
| Risk | All share creation flows through python3 -m keepercommander subprocess. If Keeper changes the Commander CLI behavior, output format, or authentication model, share creation breaks. |
| Likelihood | Low — Keeper Commander is a stable product, but CLI tools do change between major versions |
| Impact | High — share creation is the core value proposition; if it breaks, credentials can’t be issued |
| Mitigation | Pin Commander version. Error classification (classifyCommanderError) handles known failure modes. parseShareUrl regex extracts URLs from stdout. Consider wrapping Commander in a versioned Docker container for isolation. |
| Status | Accepted |
| Owner | Ben |

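The two mitigations R-008 names, URL extraction from stdout and error classification, are the parts that absorb a Commander CLI change, so they are worth seeing in working form. The following is an added example and is not the project's parseShareUrl or classifyCommanderError. It shows the shape a defender wants from both: extraction that validates scheme and host instead of trusting a line position (so a record title that happens to contain a URL is rejected rather than handed to a user), and classification that maps known stderr signatures to classes and puts everything else in an explicit unknown class that should page someone, because an unrecognised message is usually the first sign the CLI changed. The host name vault.example.com, the stderr signatures, and the sample output are all constructed; nothing here is Keeper's actual output format.

```typescript
// Added example (not the project's code). Constructed host, signatures and sample output.

const ALLOWED_SHARE_HOST = 'vault.example.com'; // constructed placeholder for the real share host

interface ShareParse {
  urls: string[];     // https URLs on the allowed host, in order of appearance
  rejected: string[]; // anything URL-shaped that failed validation (log it, never use it)
}

// Extract share URLs from CLI stdout. Position-independent, so extra banner lines or
// reordered output from a new Commander release do not break extraction; host and scheme
// checks stop unrelated URLs in the output from being mistaken for a share link.
function parseShareUrls(stdout: string, allowedHost: string = ALLOWED_SHARE_HOST): ShareParse {
  const result: ShareParse = { urls: [], rejected: [] };
  const candidates = stdout.match(/https?:\/\/[^\s"'<>]+/g) || [];
  for (const raw of candidates) {
    const candidate = raw.replace(/[.,;:)]+$/, ''); // trailing punctuation from CLI formatting
    const m = /^(https?):\/\/([^/:?#]+)/.exec(candidate);
    if (m && m[1] === 'https' && m[2].toLowerCase() === allowedHost) {
      result.urls.push(candidate);
    } else {
      result.rejected.push(candidate);
    }
  }
  return result;
}

type CommanderErrorClass = 'auth' | 'not_found' | 'permission' | 'rate_limited' | 'unknown';

// Constructed signatures standing in for the messages the pinned Commander version emits.
// Each pattern is tied to the pinned version; a version bump means re-validating this table.
const ERROR_SIGNATURES: Array<[CommanderErrorClass, RegExp]> = [
  ['auth', /login failed|session expired|invalid (credentials|token)/i],
  ['not_found', /record .*not found|no such record/i],
  ['permission', /permission denied|not permitted to share/i],
  ['rate_limited', /throttl|too many requests/i],
];

// Returns null on success, a known class on a recognised failure, and 'unknown' otherwise.
// 'unknown' is the alerting signal: treat it as "the CLI contract may have changed".
function classifyCommanderError(exitCode: number, stderr: string): CommanderErrorClass | null {
  if (exitCode === 0) return null;
  for (const [cls, re] of ERROR_SIGNATURES) {
    if (re.test(stderr)) return cls;
  }
  return 'unknown';
}

// Constructed stdout: one share link, plus a record title that itself contains a URL.
const SAMPLE_STDOUT = [
  'Logging in as svc-issuer@example.com ...',
  'Creating one-time share for record "Onboarding doc (see http://intranet.example.net/wiki)"',
  'Share URL: https://vault.example.com/share#tok_CONSTRUCTED_0001.',
  'Done.',
].join('\n');

const SAMPLE_PARSE = parseShareUrls(SAMPLE_STDOUT);
```

A non-zero exit with an unknown class, or a parse that yields zero or more than one URL, should fail the issuance closed and raise an alert rather than deliver whatever was found; those two conditions are the cheapest early warning that the pinned Commander version no longer behaves as assumed.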
R-009: Key Vault Dependency

| Field | Value |
| --- | --- |
| Risk | If Azure Key Vault access fails, the application fails to start (DATABASE_URL, KSM_CONFIG are KV references) |
| Likelihood | Low — Azure KV has 99.99% SLA |
| Impact | Critical — complete application outage |
| Mitigation | KV is a fundamental Azure platform dependency. Acceptable risk. Monitor KV health via Application Insights. Consider caching resolved secrets with a TTL if cold-start latency becomes an issue. |
| Status | Accepted |
| Owner | Ben |

R-010: v4 SMS Adds SIM-Swap and Interception Risk

| Field | Value |
| --- | --- |
| Risk | SMS-based OTP is vulnerable to SIM swap attacks and SS7 interception. An attacker who controls the phone number can intercept the OTP and complete credential retrieval. |
| Likelihood | Low for targeted attacks on enterprise users; Medium if high-value credentials are at stake |
| Impact | High — complete bypass of the second factor |
| Mitigation | SMS alone is insufficient. v4 hardening should add device-bound MFA on top (FIDO2, app-based TOTP, or push notification). SMS serves as a usability layer, not the security boundary. |
| Status | Open (v4 conceptual) |
| Owner | CTO (security architecture decision) |

R-011: Entra Client Secret in Provisioning Transcript

| Field | Value |
| --- | --- |
| Risk | Entra client secret appeared in the provisioning chat transcript (noted in manifest.yaml deviation client-secret-in-transcript) |
| Likelihood | Low — transcript access is limited |
| Impact | Medium — if the secret is compromised, an attacker could impersonate the application to Entra |
| Mitigation | Rotate the client secret before production deployment. Acceptable for staging. |
| Status | Open |
| Owner | Ben |

R-012: Incomplete Prisma Migration Chain

| Field | Value |
| --- | --- |
| Risk | Prisma migrations assume a pre-existing base schema. Staging was bootstrapped with db push (not migrate deploy). A new environment can’t be stood up from the migration chain alone. |
| Likelihood | High — will be hit when deploying to production |
| Impact | Medium — workaround exists (db push), but it’s not suitable for production (no migration history, no rollback) |
| Mitigation | Create a baseline migration that captures the current schema state. All future changes go through prisma migrate dev / prisma migrate deploy. |
| Status | Open |
| Owner | Ben |

R-013: Default Postgres Database Name

| Field | Value |
| --- | --- |
| Risk | Staging uses the default postgres database instead of a dedicated passkey database (noted in manifest.yaml deviation default-postgres-db) |
| Likelihood | Medium — acceptable for staging, problematic for production (shared namespace, backup/restore ambiguity) |
| Impact | Low — no functional impact, but violates best practices for production deployments |
| Mitigation | Create dedicated passkey database before production deployment. |
| Status | Open |
| Owner | Ben |

R-014: getFolderPermissions() Stubbed in Real Implementation

| Field | Value |
| --- | --- |
| Risk | RealVaultReadService.getFolderPermissions() throws “not supported by KSM SDK.” The interface method exists but has zero callers in production code. If a future feature depends on it, it will fail at runtime in real mode (the method throws), not in tests that use the mock. |
| Likelihood | Low — no current callers |
| Impact | Low — no functional impact unless a new feature calls it |
| Mitigation | Document the limitation. If folder-level ACL resolution is needed from the real vault, it must come through Commander or the Keeper REST API (not KSM). |
