{"product":"UmamiEdge","generatedAt":"2026-06-27T16:46:49.075Z","summary":{"total":5,"highOrCritical":2,"mitigating":3,"open":2},"risks":[{"title":"Runtime proxy not connected to real vLLM/Ollama/TGI service","category":"Product","severity":"high","likelihood":"medium","owner":"API","status":"mitigating","mitigation":"Add runtime health table, signed runtime URL config, timeout budget, and provider failover before paid production traffic."},{"title":"Node agent needs signed release and retry queue","category":"Infrastructure","severity":"high","likelihood":"medium","owner":"Infra","status":"mitigating","mitigation":"Package agent with systemd, buffered telemetry queue, release checksum, and upgrade channel."},{"title":"Customer quota enforcement is still conceptual","category":"Commercial","severity":"medium","likelihood":"high","owner":"Platform","status":"open","mitigation":"Add customer API key middleware, usage_events write path, hard quotas, and admin override workflow."},{"title":"Supabase migrations may be run out of order by operators","category":"Database","severity":"medium","likelihood":"medium","owner":"Platform","status":"mitigating","mitigation":"Keep compatibility SQL first, add migration center page, and document SQL order in guides."},{"title":"Regional residency proof must be exportable for regulated buyers","category":"Compliance","severity":"medium","likelihood":"medium","owner":"Security","status":"open","mitigation":"Add exportable evidence bundle with routing decisions, policy IDs, audit events, and incident attestations."}]}