Risk Register

Mitigation

Recruit at least one co-maintainer with write access. Prioritize PIC pack co-ownership (only production pack). Document the release process. Write a contributor onboarding guide.

Contingency

Substrate files remain functional on disk as plain YAML. Another person can operate read-only. No new packs, features, or bug fixes ship until a new maintainer is found.

Mitigation

Add a minimal validation suite as first deliverable of M09: schema validators for manifest.yaml, reporting-matrix.yaml, milestone files, and pack profiles. Wire into a pre-commit hook or GitHub Action. Higher priority than M03 (matrix editor).

Contingency

Without tests, validate manually before each release using a checklist. Create a scripts/validate-substrate.sh that checks required fields.

Mitigation

Ruthlessly prioritize. Highest-value milestones are M09 (validation suite — prevents silent corruption) and M02 (pack hardening — makes the system usable beyond PIC). Defer M03 (matrix editor), M07 (multi-project dashboard), and M04 (pack registry) to v2.2+. Accept that v2.1 will be smaller than planned.

Contingency

If timeline slips, communicate openly via blog and changelog. Substrate format is stable — users are not blocked, they just don't get new features.

Mitigation

Update orchestrator SKILL.md to use generic v2 skill names (project-funder-reporting, project-review-meeting). Make routines conditional on whether the active pack provides those profiles.

Contingency

Non-PIC users will see confusing orchestrator output referencing nonexistent skills. Workaround: document that quarterly/SC sections only apply when PIC pack is loaded.

Mitigation

Either ship the missing profile YAMLs (e.g. agile-default.review-meeting, agile-default.phase-gate) or remove the provides.profiles entries from pack manifests. Do not declare capabilities the pack does not deliver.

Contingency

Document clearly that starter packs require user-authored profiles before use. Add a startup validation check that warns when a loaded pack declares profiles that do not exist on disk.

Mitigation

Descope to 1 pack per wave the maintainer has access to validate (e.g. NSERC). Solicit community contributions for others via blog and issue tracker. Reframe roadmap as community-driven rather than single-author.

Contingency

If no domain experts contribute, publish packs as experimental maturity with clear warnings. Focus effort on making the pack authoring guide and PIC pack so exemplary that others can self-serve.

Mitigation

Document the MCP tools each skill depends on in a central manifest. Pin to specific MCP server versions where possible. Add a health-check routine that tests each MCP tool's availability before the orchestrator runs.

Contingency

If MCP tools break, the substrate still works. Users lose surface automation (Slack posts, Gmail drafts, Calendar events) but can manually perform those actions. System degrades to 'generate artifacts on disk, deliver manually.'

Mitigation

Push to a public GitHub repository with LICENSE, CONTRIBUTING.md, issue templates, and discussion forum. Make the PIC pack a showcase. Write a 'Your First Pack' tutorial as a blog post.

Contingency

Accept the system serves a niche of one (maintainer's own projects) and optimize for that use case rather than pursuing generality.

Mitigation

Add a local content cache that persists the last successful API response to disk. The regenerate script should snapshot blog content at build time so static exports don't depend on runtime API availability.

Contingency

If scsiwyg goes down permanently, rewrite lib/scsiwyg.ts to read from local markdown files in a content/blog/ directory instead. Blog posts already exist as markdown in the API response body.

Mitigation

Add structured error logging in state readers (console.error before returning fallback). Collect errors into a _diagnostics object for dev/admin mode. Add a validate command that checks all substrate files parse correctly.

Contingency

Users can run js-yaml CLI directly against YAML files to find parse errors. Document as a troubleshooting step.

Mitigation

Add a build-time data snapshot step: serialize all substrate data into JSON files inside the website directory so the deployed site doesn't depend on filesystem access to ../. Use a prebuild script that copies substrate YAML into content/ before next build runs.

Contingency

For Vercel deployment, the current approach works because Vercel uploads the entire directory including parent paths. If deployed from a monorepo or CI, the prebuild step becomes mandatory.