Strategic Blind Spots
Last updated: 2026-05-12
Origin: Level 2 review artifacts — accumulated across L2 audits; source artifacts are not tracked in docs/.
Admission criterion: An unresolved gap in the architecture or domain model that risks silent failure, data corruption, or incorrect system behavior if not addressed before the affected feature ships. The team may not notice the problem until it manifests in production. These carry genuine technical uncertainty.
Items that represent open product decisions (where the architecture already supports multiple answers and the team consciously defers the choice) live on the Open Product Decisions tracker. None of the items below are blockers for Phase 1 implementation.
Open
| ID | Description | Category | Next Step |
|---|---|---|---|
| (None) | All items have been resolved or relocated. | — | — |
Resolved
| ID | Description | Resolution |
|---|---|---|
| SB-1 | FX rate refresh cadence — When to snapshot exchange rates on multi-currency procurement. | Closed by ADR-035. Phase 2a: fx_config_snapshot on PriceMatrix (ADR-011 pattern). Phase 2b: ECB daily rate pull + staleness badge. Phase 3: threshold-based publication gate. Full hedge engine (AP10) deferred to adoption trigger. |
| SB-17 | BullMQ Job Cancellation Atomicity — Race conditions between the Supersession handler calling job.remove() and BullMQ worker execution. | Closed as covered. ADR-033 §Supersession Rule prescribes a messages.status guard in the DispatchWorker (double-read before dispatch). Test matrix scenario T3 validates the guard. Schema enum update (SUPERSEDED, PENDING_REVIEW) applied to schema-communications.md — activates with AP26. |
| SB-18 | On-Device ML Feasibility — Field-Device Media Pipeline requires On-Device Quality Scoring. | Recent spikes confirmed technology feasibility. TensorFlow.js (WebGPU/WASM), ONNX Runtime Web, and MediaPipe Vision all support production-grade on-device inference in PWAs. Image quality scoring (blur/exposure) requires no ML — classical Canvas API algorithms (Laplacian variance, histogram analysis) suffice. Face/person detection runs in <15ms via MediaPipe (~1.5 MB model). We exclude WebNN because it remains experimental. AP24 stays in backlog for implementation readiness reasons (no ADR, no prototype, no dependencies), not technology infeasibility. The research question shifts from "is on-device ML possible?" to "what detection thresholds and consent UX achieve field-acceptable reliability under GDPR constraints on low-end fleet hardware?" |
| SB-2 | § 25 UStG per-line tax split — Per-variant TOMS tax is a legal fiction. | Closed by ADR-012. Tax deferred to Phase 3 FinancialLedger. |
| SB-4 | Stale allotment data on LOCKED sheets — Allotment availability may change after CostingSheet LOCK. | Resolved by design. LOCK is an immutability guarantee. Operator regenerates a new CostingSheet version if allotments change. Document in operator playbook. |
| SB-5 | JSONB audit diffing — No mechanism to diff snapshots between PriceMatrix versions. | Resolved as implementation detail. ADR-011 snapshots enable diffing. Mechanism (Hasura computed field vs. NestJS service) is an implementation choice, not an architecture decision. Technical spike during Phase 2. |
| SB-9 | Ancillary catalog design — How operators define their available ancillaries per template. | Resolved by ancillary-catalog.md. Centralized operator-level catalog with template-level assignments and price overrides. Schema: ancillary_catalog_items + template_ancillary_assignments in schema-backoffice.md. |
| SB-11 | Multi-leg delay propagation — If the system delays Leg 1 (PICKUP), downstream Leg 2 (TRANSIT) is implicitly delayed. | Resolved by design. The ETA Recalculation Service propagates delays automatically — see schema-operations.md §E-6. Implementation details (storage model, transfer_buffer source, downstream notification flow) documented inline on E-6 for future L3 specification. |
| SB-12 | Driver app manifest size limits — Claimed ~245 tickets for a 49-seat coach with 5 PICKUP legs. | Closed as invalid. The original estimate multiplied seats × legs (49 × 5 = 245), but each passenger holds one ticket regardless of pickup legs. The actual manifest contains ≤49 ManifestPassenger records (~16 KB) — well below any IndexedDB or sync bottleneck. The Offline Manifest Pre-Sync Specification already concludes "well within IndexedDB capacity." |
| SB-13 | Partial leg completion — A bus breaks down mid-leg. The leg is neither COMPLETED nor CANCELLED — it is "aborted." | Resolved by existing design. CANCELLED + Incident linkage (type=BREAKDOWN) is the canonical pattern. cancelServiceLeg auto-creates a linked Incident (schema-operations.md §cancelServiceLeg), ServiceLegCancelled carries incident_id in its payload (event-contracts-operations.md), and the Incident's type, geo_coordinates, and resolution_notes capture full operational context. Adding ABORTED would force every consumer (Commerce, Communications, Backoffice) to handle a third terminal state with no informational gain over CANCELLED + Incident metadata. |
| SB-14 | TelemetryPoint data retention — High-frequency GPS data (every 5–15s) for 30 vehicles over 12 months produces millions of rows. No retention or archival policy exists. | Not a current architectural risk — TelemetryPoint does not exist yet, so no data flows or rows accumulate. The retention policy design (storage engine selection, partitioning strategy, TTL semantics) remains an open research question for the telemetry ingestion pipeline (AP12). Removed from this tracker because the risk cannot manifest before the entity exists, not because the solution is known. |
| SB-15 | CRDT Payload Size for Trip Planning — Does CRDT tombstone growth impact client memory during extended collaborative sessions? | Closed as covered. ADR-032 §Risks already identifies CRDT document size growth (Low–Medium) with two mitigation strategies (document splitting per Day, GC strategies). The tombstone framing is inaccurate for the primary candidate (Loro), which uses DAG-based versioning, not tombstone GC. Performance monitoring of document size is a standard Phase 1 spike deliverable (ADR-032 §Phase 1: "Benchmarks: document size after 1,000 edits, memory usage, merge latency"), not an unrecognized architectural risk. |
| SB-16 | CWT-JS Ecosystem Maturity — No dominant CWT library in JS; fallback if crypto fails on low-end devices. | Not a current architectural risk — AP19 does not exist yet (no ADR, no spike, no code). The ecosystem concern remains an active technical uncertainty documented as AP19 uncertainty #3 (funding-work-packages.md §AP19). The evaluation requires a dedicated spike to determine whether @auth0/cose + cbor-x can reliably execute COSE cryptographic operations across diverse passenger mobile browsers — the outcome is not predetermined. Standard Apple/Google Wallet passes serve as a product fallback if CWT proves infeasible. Removed from this tracker because it tracks a dependency (AP19) that does not yet exist, not because the technical question is resolved. |
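The SB-17 resolution relies on a "double-read" status guard: the DispatchWorker re-reads messages.status immediately before the side effect, so a supersession that loses the race against job.remove() is still caught. The following in-memory simulation is an added example, not the project's DispatchWorker or ADR-033 code; the message store, the FakeQueue stand-in for BullMQ, and the supersede()/processJob() names are assumptions. BullMQ's job.remove() fails for a job a worker already holds a lock on; the stand-in models that as returning false instead of throwing.

```javascript
// Added example (not project code): in-memory model of the ADR-033 double-read
// status guard and the job.remove() race it protects against.

// Constructed message table: id -> status. Stands in for the messages.status column.
const messages = new Map();

// Minimal stand-in for a BullMQ queue. Only the behaviour that matters for the
// race is modelled: remove() fails once a worker has taken the job.
class FakeQueue {
  constructor() { this.jobs = new Map(); } // jobId -> { messageId, state }
  add(jobId, messageId) { this.jobs.set(jobId, { messageId, state: 'waiting' }); }
  // Worker picks the job up: state flips to 'active' (BullMQ takes a lock here).
  take(jobId) { const j = this.jobs.get(jobId); j.state = 'active'; return j; }
  // true if removed; false if the job was already active, i.e. removal came too late.
  remove(jobId) {
    const j = this.jobs.get(jobId);
    if (!j || j.state === 'active') return false;
    this.jobs.delete(jobId);
    return true;
  }
}

const dispatched = []; // record of messages that actually went out

// Supersession handler. Ordering matters: write SUPERSEDED first, then try to
// pull the job. If remove() loses the race, the status write is what the
// worker's guard will see.
function supersede(queue, messageId, jobId) {
  messages.set(messageId, 'SUPERSEDED');
  return queue.remove(jobId);
}

// DispatchWorker processor. sendFn is the real side effect (email/SMS);
// beforeSend is a hook used only to inject the concurrent supersession.
function processJob(queue, jobId, sendFn, beforeSend = () => {}) {
  const job = queue.take(jobId);
  beforeSend(); // window in which the supersession handler may run

  // Double-read guard: consult status right before the side effect, not at
  // enqueue time and not at pick-up time.
  const status = messages.get(job.messageId);
  if (status !== 'PENDING') {
    return { sent: false, reason: `status=${status}` };
  }
  messages.set(job.messageId, 'SENT');
  sendFn(job.messageId);
  return { sent: true, reason: null };
}

// Race scenario: supersession lands after pick-up but before dispatch.
// remove() fails, so only the guard stands between the worker and a stale send.
function runRaceScenario() {
  const queue = new FakeQueue();
  messages.set('m1', 'PENDING');
  queue.add('job-1', 'm1');
  let removed = null;
  const result = processJob(queue, 'job-1', id => dispatched.push(id), () => {
    removed = supersede(queue, 'm1', 'job-1');
  });
  return { removed, result, status: messages.get('m1') };
}

// Normal scenario: no supersession, the message is dispatched exactly once.
function runNormalScenario() {
  const queue = new FakeQueue();
  messages.set('m2', 'PENDING');
  queue.add('job-2', 'm2');
  const result = processJob(queue, 'job-2', id => dispatched.push(id));
  return { result, status: messages.get('m2') };
}
```

The guard is deliberately placed after any await-style gap and immediately before the send: the status check is only as good as its distance from the side effect it protects.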
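SB-18 notes that blur scoring needs no ML and that Laplacian variance over Canvas pixel data suffices. The block below is an added example of that classical algorithm, not code from the project's media pipeline; it operates on RGBA byte arrays of the shape CanvasRenderingContext2D.getImageData() returns, but constructs its two test images inline so it runs without a DOM. The BLUR_THRESHOLD value and the toGray()/laplacianVariance()/scoreSharpness() names are assumptions.

```javascript
// Added example (not project code): blur detection via variance of the Laplacian.

// Convert RGBA bytes to grayscale using Rec.601 luma weights.
function toGray(rgba, width, height) {
  const gray = new Float32Array(width * height);
  for (let i = 0; i < width * height; i++) {
    const r = rgba[i * 4], g = rgba[i * 4 + 1], b = rgba[i * 4 + 2];
    gray[i] = 0.299 * r + 0.587 * g + 0.114 * b;
  }
  return gray;
}

// Variance of the 3x3 Laplacian response ([0,1,0; 1,-4,1; 0,1,0]) over interior
// pixels. Sharp images have strong edges, so responses are large and spread out;
// blurred images have small, tightly clustered responses.
function laplacianVariance(gray, width, height) {
  let sum = 0, sumSq = 0, n = 0;
  for (let y = 1; y < height - 1; y++) {
    for (let x = 1; x < width - 1; x++) {
      const c = y * width + x;
      const lap = gray[c - width] + gray[c + width] + gray[c - 1] + gray[c + 1] - 4 * gray[c];
      sum += lap; sumSq += lap * lap; n++;
    }
  }
  if (n === 0) return 0; // image too small to have interior pixels
  const mean = sum / n;
  return sumSq / n - mean * mean;
}

// Constructed placeholder; the SB-18 research question is exactly which
// threshold is field-acceptable on low-end fleet hardware.
const BLUR_THRESHOLD = 100;

function scoreSharpness(rgba, width, height) {
  const variance = laplacianVariance(toGray(rgba, width, height), width, height);
  return { variance, blurry: variance < BLUR_THRESHOLD };
}

// Constructed test images: grayscale values written into RGBA, alpha = 255.
function makeImage(width, height, pixelFn) {
  const rgba = new Uint8ClampedArray(width * height * 4);
  for (let y = 0; y < height; y++) {
    for (let x = 0; x < width; x++) {
      const v = pixelFn(x, y), i = (y * width + x) * 4;
      rgba[i] = rgba[i + 1] = rgba[i + 2] = v;
      rgba[i + 3] = 255;
    }
  }
  return rgba;
}
// Checkerboard with 2px squares: hard edges everywhere, high variance.
const sharpImage = makeImage(16, 16, (x, y) => ((Math.floor(x / 2) + Math.floor(y / 2)) % 2) * 255);
// Linear horizontal gradient: second derivative is zero, so variance is ~0.
const smoothImage = makeImage(16, 16, (x) => Math.round(x * 255 / 15));
```

In a PWA the same functions run on the result of getImageData() for a downscaled frame; downscaling first keeps the per-frame cost predictable on low-end devices, at the price of a threshold that must be recalibrated for each target resolution.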
Relocated Items
The following items were removed from this tracker during a taxonomy audit (2026-05-11). They do not meet the admission criterion — they represent open product decisions or documentation gaps, not architectural risks.
| Former ID | Relocated To | Reason |
|---|---|---|
| SB-19 | AP28 — Human-AI Co-Creation in CRDT-based Real-Time Environments | Research question relocated to AP28 (BSFZ project 3). The core technical spikes (Agentic Undo, Shadow Branching, Concurrency Trap) constitute a planned Phase 3 R&D work package building on AP18 (CRDT infrastructure) and AP9 (Agentic Governance). |
| SB-3 | PD-1 — Agency commission ↔ margin interplay | Architecture supports multiple commission models via the 1:N PriceMatrix channel mechanism (ADR-006). Open question is display/UX, not architecture. |
| SB-6 | Idea file — Partial recalculation | Premature optimization already assessed as non-issue (≤72 variants). Relocated to ideas. |
| SB-7 | PD-2 — Default deposit percentage | Architecture supports any deposit value via cascading deposit_config. Pending legal review, not technical uncertainty. |
| SB-8 | PD-3 — Platform fee model | Mollie Marketplace supports any fee model. Core monetization decision, not an architectural gap. |
| SB-10 | PD-4 — Billing address capture | Schema change is trivial (bookings.billing_address JSONB). Open question is UX placement. |
| SB-20 | PD-5 — Legal Frameworks for AI Data & Marketing | Legal/policy task (drafting ToS), not an architectural risk. Relocated to Open Decisions. |
| SB-21 | TODOS.md §3 — Placeholder user journeys | Documentation gap, not an architectural risk. |