Risks & Mitigation
| Risk | Likelihood | Impact | Mitigation |
|---|---|---|---|
| Fake attendance / buddy punching | High | High | Geo-fencing + device binding + MANUAL_PUNCH audits. |
| Clock drift on client devices | Medium | Medium | Server-generated punched_at, client clock used only as hint with divergence flag. |
| Over-zealous blocking causes missed punches | Medium | High | Default policy is allow_flag; blocking only via explicit opt-in per unit. |
| Geo accuracy is poor indoors | High | Medium | Accuracy cap + LOW_ACCURACY flag; fallback to Wi-Fi BSSID (V1.1). |
| Locked months silently edited | Low | Critical | Unlock is SuperAdmin only, reasoned, and audited; CI enforces lock checks in policies. |
| Roster edits cascade unpredictably | Medium | Medium | AttendanceRecalculator idempotent + driven by queued jobs with retries. |
| Horizon queue backlog at shift change | High | High | Pre-provision workers; dedicated punches queue; load test at 500 rps. |
| Partner webhook down | Medium | Medium | Exponential retry + dead-letter + GET /pull fallback. |
| Telegram bot token leaked | Low | Medium | Scope the bot to a dedicated webhook URL; rotate monthly; signature-verify updates. |
| Mobile app store rejection | Medium | Medium | Use vanilla permissions text; avoid background GPS in V1; submit review build by Sprint 7. |
| PII leakage via exports | Medium | High | Exports signed + TTL 24h; PII scrubbed when scope doesn't include the column. |
| Privileged access review | Low | High | Quarterly role-scope audit; Filament report lists all non-Employee accounts. |
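For the partner-webhook row, the following added example (not project code; Python for brevity where the stack is Laravel, with the attempt count, base delay, the in-memory outbox and the cursor-shaped `pull` all assumed) shows an exponential retry that ends in a dead-letter entry, and the GET /pull fallback through which the partner recovers what it missed.

```python
from dataclasses import dataclass, field


@dataclass
class Outbox:
    """In-memory stand-in for the delivery and dead-letter tables (assumed shape)."""
    delivered: list = field(default_factory=list)
    dead_letter: list = field(default_factory=list)


def backoff_schedule(max_attempts, base=1.0, cap=60.0):
    """Seconds to wait before each retry: base, 2*base, 4*base, ..., capped at `cap`."""
    return [min(cap, base * 2 ** i) for i in range(max_attempts - 1)]


def deliver(outbox, event, send, max_attempts=5, base=1.0, sleep=lambda s: None):
    """Try send(event); on a transient failure back off and retry; after the last
    attempt park the event in the dead-letter list instead of dropping it.
    Returns (status, attempts) so the queued job can record the result."""
    delays = backoff_schedule(max_attempts, base)
    for attempt in range(1, max_attempts + 1):
        try:
            send(event)
        except ConnectionError as exc:
            if attempt == max_attempts:
                outbox.dead_letter.append(
                    {"event": event, "attempts": attempt, "error": str(exc)}
                )
                return "dead_letter", attempt
            sleep(delays[attempt - 1])
            continue
        outbox.delivered.append(event)
        return "delivered", attempt


def pull(outbox, since_id):
    """GET /pull fallback: the partner fetches dead-lettered events after the last
    id it has seen, so nothing is lost while its endpoint was down."""
    return [d["event"] for d in outbox.dead_letter if d["event"]["id"] > since_id]


def make_flaky_sender(failures_before_success):
    """Constructed partner endpoint that fails its first N calls with a transient error."""
    calls = {"n": 0}

    def send(event):
        calls["n"] += 1
        if calls["n"] <= failures_before_success:
            raise ConnectionError("partner endpoint unavailable (simulated)")

    return send


if __name__ == "__main__":
    outbox = Outbox()
    # Constructed events: the first partner recovers after two failures, the second never does.
    print(deliver(outbox, {"id": 1, "type": "punch.created"}, make_flaky_sender(2)))
    print(deliver(outbox, {"id": 2, "type": "punch.created"}, make_flaky_sender(99)))
    print(pull(outbox, since_id=0))
```

Because a dead-lettered event can later be both re-driven and pulled, the partner side should deduplicate on the event id; the pull cursor only narrows what is returned, it does not guarantee single delivery.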
Residual Risk
Even after mitigations, two risks stay on the radar:
- Offline abuse — if a device is offline for days, buffered punches may violate rules retroactively. The app auto-converts these into regularization requests so a human approves them.
- Regulatory shift — labour-law timing rules vary by region. Shifts and grace windows are per-unit config, so changes require data, not code.
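The clock-drift, allow_flag-default and indoor-accuracy rows of the table, together with the offline-abuse residual risk, describe one server-side evaluation of an incoming punch. The sketch below is an added illustration, not code from the project; it is Python rather than the project's PHP, and the thresholds (100 m accuracy cap, 5-minute skew, 1-day offline backlog), the haversine geofence, the `captured_at`/`sent_at` split that lets skew be told apart from buffering, the device-binding check, and every flag name except LOW_ACCURACY are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

# Thresholds are illustrative assumptions; the risk table names the flags, not the numbers.
ACCURACY_CAP_M = 100.0                 # reported accuracy worse than this -> LOW_ACCURACY
MAX_CLOCK_SKEW = timedelta(minutes=5)  # client vs server clock -> CLOCK_DIVERGENCE
OFFLINE_BACKLOG = timedelta(days=1)    # captured this long before upload -> regularization


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres (assumed geofence distance function)."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6_371_000.0 * asin(sqrt(a))


@dataclass(frozen=True)
class Unit:
    unit_id: str
    lat: float
    lon: float
    radius_m: float
    policy: str = "allow_flag"  # table default; "block" only by explicit per-unit opt-in


@dataclass(frozen=True)
class Punch:
    employee_id: str
    device_id: str
    captured_at: datetime  # client clock when the punch was taken (may sit in an offline buffer)
    sent_at: datetime      # client clock at upload; compared with the server clock for skew
    lat: float
    lon: float
    accuracy_m: float


@dataclass
class Evaluation:
    punched_at: datetime  # server-generated, or the claimed time when parked for approval
    flags: tuple
    outcome: str          # accepted | accepted_flagged | blocked | regularization_request


def evaluate_punch(punch, unit, registered_device, server_now):
    """Server owns punched_at; the client clock is only a hint that can earn a flag."""
    flags = []
    # Buffered for days: the server cannot vouch for the time, so a human approves it.
    if punch.sent_at - punch.captured_at > OFFLINE_BACKLOG:
        return Evaluation(punch.captured_at, ("OFFLINE_BACKLOG",), "regularization_request")
    if abs(punch.sent_at - server_now) > MAX_CLOCK_SKEW:
        flags.append("CLOCK_DIVERGENCE")
    if punch.device_id != registered_device:
        flags.append("DEVICE_MISMATCH")
    if punch.accuracy_m > ACCURACY_CAP_M:
        flags.append("LOW_ACCURACY")
    # Widen the fence by the (capped) reported accuracy so a poor indoor fix earns
    # LOW_ACCURACY rather than a spurious OUTSIDE_GEOFENCE.
    distance = haversine_m(punch.lat, punch.lon, unit.lat, unit.lon)
    if distance > unit.radius_m + min(punch.accuracy_m, ACCURACY_CAP_M):
        flags.append("OUTSIDE_GEOFENCE")
    if not flags:
        outcome = "accepted"
    elif unit.policy == "block":
        outcome = "blocked"
    else:
        outcome = "accepted_flagged"
    return Evaluation(server_now, tuple(flags), outcome)


def utc(*parts):
    return datetime(*parts, tzinfo=timezone.utc)


# Constructed sample data: one default unit, one that opted into blocking, one employee.
HQ = Unit("unit-hq", 12.9716, 77.5946, radius_m=150.0)
STRICT = Unit("unit-strict", 12.9716, 77.5946, radius_m=150.0, policy="block")
NOW = utc(2024, 1, 10, 9, 0, 0)
CLEAN_TIMES = (utc(2024, 1, 10, 8, 59, 30), utc(2024, 1, 10, 8, 59, 40))
SAMPLE_PUNCHES = {
    "clean": Punch("e1", "dev-A", *CLEAN_TIMES, 12.9716, 77.5946, 20.0),
    "indoors": Punch("e1", "dev-A", *CLEAN_TIMES, 12.9716, 77.5946, 250.0),
    "skewed_clock": Punch("e1", "dev-A", utc(2024, 1, 10, 9, 19, 0), utc(2024, 1, 10, 9, 20, 0),
                          12.9716, 77.5946, 20.0),
    "offline": Punch("e1", "dev-A", utc(2024, 1, 7, 18, 0, 0), utc(2024, 1, 10, 8, 59, 0),
                     12.9716, 77.5946, 20.0),
    "other_phone": Punch("e1", "dev-B", *CLEAN_TIMES, 12.9816, 77.5946, 20.0),  # ~1.1 km away
}


def sample_results():
    """Evaluate every constructed punch; the skewed clock goes to the blocking unit."""
    return {
        name: evaluate_punch(p, STRICT if name == "skewed_clock" else HQ, "dev-A", NOW)
        for name, p in SAMPLE_PUNCHES.items()
    }


if __name__ == "__main__":
    for name, ev in sample_results().items():
        print(f"{name:13s} {ev.outcome:23s} {ev.flags} punched_at={ev.punched_at.isoformat()}")
```

The split between `captured_at` and `sent_at` is what makes the two client-clock problems separable: a skewed clock shows up as `sent_at` disagreeing with the server, while an offline buffer shows up as `sent_at` trailing `captured_at` by days, and only the latter is routed to a regularization request.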