# Risks And Gaps

Open items only; remove resolved duplicates.

## Auth

- KSA-focused phone normalization; multi-country strategy pending.
- Phone auth abuse controls need production tuning (IP/device thresholds).
- Social login/OAuth linking policy still undefined (collision/merge rules).
- JWT test warning exists for short test signing key (`InsecureKeyLengthWarning`).

## Booking

- No explicit timezone/business-hours policy beyond current availability checks.
- Cancellation policy and refund policy not finalized.

## Payments

- Core Moyasar flow works; admin capture/refund endpoints not exposed yet.
- Monitoring/alerting for webhook failures is still basic.

## Localization

- Foundations exist (`en`, `ar-sa`, RTL), but translation coverage is incomplete.
- RTL QA across all future pages still pending.

## Ops/Compliance

- No full audit log strategy for privileged actions.
- No PDPL/GDPR retention policy or data export workflow.
- No formal observability baseline (metrics/SLO dashboards).