KB-BF35

MOWD Phase 1 — Risk & Sequencing Review (Branch J)

Revision 1

Branch J — Implementation Risk & Sequencing Review

Each risk: mitigation · phase · owner.


| # | Risk | Mitigation | Phase | Owner |
|---|------|------------|-------|-------|
| R1 | Over-engineering — 15 DOTs + 16 cols + 4 surfaces for 2 workflows | Ship read subset + EXTEND first; register mutating DOTs only when migration needs them; build UI surfaces incrementally (Surface 1/2 first). Columns are cheap (nullable); DOTs/views gated by demand. | P1 | GOV-MOW |
| R2 | User confusion — "design vs runtime", "MOWD vs MOW" | Doc 08 boundary + consistent language: MOWD = MOW subdomain, not a Mother. UI labels say "Design" everywhere; no runtime affordances rendered. | P1 | GOV-MOW |
| R3 | Data migration risk — wrong/duplicate IU mint, lost semantics | Inline text is short (max 67, 0 long-text); placeholder descriptions discarded not migrated; dedupe by semantic hash; per-batch dry-run + human review; reversible binds. | P1 | GOV-MOW + author |
| R4 | Lock/DDL risk — ALTER blocked by long txn / Directus migration | All additive nullable + FK NOT VALID (no rewrite/scan); lock_timeout=5s fail-fast; off-peak; confirm Directus idle. VALIDATE separately, one FK per tx (weaker lock). | P1 | workflow_admin op |
| R5 | Governance bottleneck — council ≥2 cross-sign on every change | Two-tier: MOW-owner does binds/freeze without council; only activation/rollback/schema need council. Batch approvals per migration batch, not per step. | P1 | GOV-COUNCIL |
| R6 | Permission ambiguity — who can do what | Explicit approver matrix (doc 07 §5/6); backend-enforced per-row capability list (doc 04 §B); agent self-approval CHECK. | P1 | GOV-COUNCIL |
| R7 | Stale UI data — cockpit shows old gate/approval state | Every payload carries as_of/date_updated/gate checked_at; re-fetch on action; no optimistic governance updates. | P1 | UI contract |
| R8 | DOT misuse — mutating DOT called outside flow / without test | Mutating DOTs gate on owner + (activation) approval + Điều-35 paired test; read vs mutate split in catalog; validate-before-activate. | P1 | GOV-DOT |
| R9 | Agent overreach — agent activates/approves | Council owns activate/rollback; automated-agent CHECK blocks approve/reject; agent limited to propose + read DOTs. | P1 | GOV-COUNCIL |
| R10 | Performance at 10k workflows — correlated subqueries, OFFSET paging | Pre-aggregated count join in v_mow_design_workflow (doc 04 §A); keyset pagination; indexed filter cols; page cap + refine guard; validation fn scoped per-workflow. | P1→P2 | GOV-MOW |
| R11 | Composite event FK can't single-ref | Modelled as composite (event_domain_ref,event_type_ref) FK; VALIDATE last, after all event refs resolve. | P1 | workflow_admin op |
| R12 | Forward-only rollback misunderstood | Rollback = version-pin to prior active_design_version, never destructive (Điều 30); freeze as emergency stop; documented in doc 07/09. | P1 | GOV-COUNCIL |
| R13 | Scope creep into Phase 2 (triggers/assignee/hierarchy) | Explicit DEFER list (doc 01 §5, doc 08); Phase 2 tables via birth contract, separate ratification. | P2 | GOV-MOW |
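
The R4 and R11 mitigations written out as PostgreSQL statements, as an added example that is not taken from the MOWD documents. It assumes PostgreSQL; the table names `mow_design_step` and `event_type_registry`, the parent columns `event_domain` and `event_type`, the constraint name `fk_step_event` and the `text` column types are hypothetical, while `event_domain_ref` and `event_type_ref` come from R11.

```sql
-- Added example. Hypothetical names: mow_design_step (child), event_type_registry
-- (parent, assumed to carry UNIQUE (event_domain, event_type)), fk_step_event.
-- event_domain_ref / event_type_ref are the column names given in R11.

-- Before any DDL ("confirm Directus idle"): list open transactions that could block it.
SELECT pid, usename, state, xact_start
FROM pg_stat_activity
WHERE xact_start IS NOT NULL AND pid <> pg_backend_pid()
ORDER BY xact_start;

-- Sequencing step 1 (EXTEND): additive only, fail fast on lock contention.
BEGIN;
SET LOCAL lock_timeout = '5s';           -- abort instead of queueing behind a long txn
ALTER TABLE mow_design_step
    ADD COLUMN event_domain_ref text,    -- nullable, no default: no table rewrite
    ADD COLUMN event_type_ref   text;
ALTER TABLE mow_design_step
    ADD CONSTRAINT fk_step_event
    FOREIGN KEY (event_domain_ref, event_type_ref)
    REFERENCES event_type_registry (event_domain, event_type)
    NOT VALID;                           -- checked on new writes; existing rows not scanned
COMMIT;

-- Before step 6: rows that would make VALIDATE fail (both refs set, no parent row).
SELECT s.event_domain_ref, s.event_type_ref, count(*) AS orphans
FROM mow_design_step s
LEFT JOIN event_type_registry e
       ON e.event_domain = s.event_domain_ref
      AND e.event_type   = s.event_type_ref
WHERE s.event_domain_ref IS NOT NULL
  AND s.event_type_ref   IS NOT NULL
  AND e.event_domain     IS NULL
GROUP BY s.event_domain_ref, s.event_type_ref;

-- Sequencing step 6: validate in its own transaction, one FK per transaction.
BEGIN;
SET LOCAL lock_timeout = '5s';
ALTER TABLE mow_design_step VALIDATE CONSTRAINT fk_step_event;
COMMIT;

-- Confirm no constraint on the table is still unvalidated.
SELECT conname
FROM pg_constraint
WHERE conrelid = 'mow_design_step'::regclass AND NOT convalidated;
```

If the orphan query returns rows, resolve those event refs before running the VALIDATE transaction; a failed VALIDATE leaves the constraint in its NOT VALID state and can be retried.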

Sequencing (critical path)

0. Human ratify (doc 01)                         [GOV-COUNCIL]
1. EXTEND commit off-peak (doc 02)               [workflow_admin]   — gated on 0
2. Register read DOTs (doc 03 §4)                [GOV-DOT]          — gated on 1
3. Stand up read models / Surfaces 1-2 (doc 04)  [UI]               — gated on 1
4. Pilot WF-001 bind+validate (doc 09)           [GOV-MOW]          — gated on 1,2
5. Governance drill on pilot (doc 07)            [GOV-COUNCIL]      — gated on 4
6. VALIDATE FKs off-peak (doc 02 §7)             [workflow_admin]   — gated on 4 (refs clean)
7. WF-002 migration batches (doc 05)             [GOV-MOW]          — gated on 4
8. Register mutating DOTs (doc 03 §5)            [GOV-DOT+council]  — gated on 5
9. Phase 1 acceptance (doc 06)                   [GOV-SIV]          — gated on 6,7
→ Runtime phase entry criteria (doc 08 §4)

Risk review verdict

Complete. 13 risks with mitigation/phase/owner; critical-path sequencing with explicit gating dependencies. Dominant risks (R1 over-engineering, R4 DDL lock, R9 agent overreach) each have concrete, already-designed mitigations.
