What is most likely to go wrong, and how each phase guards against it.
Severity: High (could kill the product or cause data loss), Medium (degrades the experience), Low (annoying).
The watch-primary tracking model retires several phone-side risks. They are kept in the list, marked Retired, for traceability.
The phone is no longer the GPS host. The watch's HKWorkoutSession keeps the workout alive and Apple owns location reliability. Risk closed.
A 4-hour marathon on Apple Watch with continuous HR + GPS + audio cues + WC streaming is at the edge of what older Apple Watch models can sustain on one charge.
Mitigation:
- Test explicitly on Apple Watch SE, Series 9 and Series 10; do not sign off on the newest model alone.
- Phase 3 stress test: a 4-hour walking session in airplane mode; record remaining battery on both watch and phone at the end.
- Phone battery is no longer a concern for tracking; it is for audio playback and AI calls. Pre-generated race scripts (Phase 3) drop phone radio usage to near zero.
Spotify keeps ducking forever, or music never resumes after a TTS line.
Mitigation:
- Use the documented AVAudioSession options: duck other audio while a cue plays, then deactivate the session with notifyOthersOnDeactivation once the cue ends so the other app is told it may resume.
- Phase 1 acceptance test: music ducks during a cue and resumes afterwards, checked against Apple Music, Spotify, Podcasts and Audible.
Now the watch writes the workout via HKLiveWorkoutBuilder, the standard and heavily exercised watchOS recording path. Failures are extremely rare.
Mitigation:
- The watch is the writer; the phone never duplicates a workout.
- If watch finalisation fails, the phone shows the run as "saved (companion only)" and offers a retry. Companion data is intact regardless.
Default Siri voice undermines the personality.
Mitigation:
- Pick the highest-quality installed voice; prompt user to download Premium voice on first run.
- Phase 4: ElevenLabs cloud TTS for premium personalities (pre-rendered for race day).
- Phase 4: Personal Voice — founder records own voice.
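The ducking mitigation above and the "highest-quality installed voice" item are both small enough to show in one place. The following is an added example written for this document, not code from the AARC project: a cue speaker that activates the audio session once per burst of lines, ducks music while speaking, pauses spoken-word sources instead of talking over them, and deactivates with notifyOthersOnDeactivation when the queue drains. The class name CueSpeaker and the "en" language default are assumptions.

```swift
import AVFoundation

/// Speaks coaching cues over whatever the user is already playing.
/// Ducks while a cue is speaking and releases the duck when the queue drains.
/// Added example for this risk register; CueSpeaker is not an AARC type.
final class CueSpeaker: NSObject, AVSpeechSynthesizerDelegate {
    private let synth = AVSpeechSynthesizer()
    private let session = AVAudioSession.sharedInstance()
    private var queued = 0   // utterances handed to the synthesizer but not yet finished

    override init() {
        super.init()
        synth.delegate = self
        // .playback keeps cues audible with the screen locked; .spokenAudio marks this as speech.
        // .duckOthers lowers music instead of stopping it. .interruptSpokenAudioAndMixWithOthers
        // pauses spoken-word sources (Podcasts, Audible) for the cue, since speech over speech
        // is unusable, and they resume when we deactivate below.
        do {
            try session.setCategory(.playback, mode: .spokenAudio,
                                    options: [.duckOthers, .interruptSpokenAudioAndMixWithOthers])
        } catch {
            print("audio session category failed: \(error)")
        }
    }

    /// Highest-quality voice already installed for `language` (Premium > Enhanced > Default).
    /// Returns nil when nothing matches; the synthesizer then uses the system default voice.
    static func bestInstalledVoice(for language: String = "en") -> AVSpeechSynthesisVoice? {
        AVSpeechSynthesisVoice.speechVoices()
            .filter { $0.language.hasPrefix(language) }
            .max { $0.quality.rawValue < $1.quality.rawValue }
    }

    func speak(_ line: String) {
        let utterance = AVSpeechUtterance(string: line)
        utterance.voice = Self.bestInstalledVoice()
        if queued == 0 {
            // Activating the session is what starts the duck. Do it once per burst of cues,
            // not once per utterance, so back-to-back lines do not pump the music level.
            do { try session.setActive(true) } catch { print("activate failed: \(error)") }
        }
        queued += 1
        synth.speak(utterance)
    }

    private func utteranceEnded() {
        queued = max(0, queued - 1)
        guard queued == 0 else { return }
        // Deactivating with .notifyOthersOnDeactivation ends the duck and tells the
        // interrupted app it may resume. Never deactivating, or deactivating without the
        // option, is the "Spotify stays ducked forever" failure this risk describes.
        do {
            try session.setActive(false, options: .notifyOthersOnDeactivation)
        } catch {
            print("deactivate failed: \(error)")
        }
    }

    func speechSynthesizer(_ synthesizer: AVSpeechSynthesizer, didFinish utterance: AVSpeechUtterance) {
        utteranceEnded()
    }

    func speechSynthesizer(_ synthesizer: AVSpeechSynthesizer, didCancel utterance: AVSpeechUtterance) {
        utteranceEnded()
    }
}
```

For the Phase 1 acceptance test, start playback in each third-party app, call speak(_:) twice in quick succession, and confirm the level drops once, stays down until the second line ends, and comes back (or the podcast resumes) within a second of the last didFinish callback. AVSpeechSynthesizer honours the app's session by default (usesApplicationAudioSession is true), so no extra plumbing is needed for the duck to apply to the TTS output.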
Someone extracts the proxy URL and racks up Anthropic spend.
Mitigation:
- Phase 1: founder-only TestFlight, so exposure is a single device and negligible.
- Phase 4: App Attest enforced on the proxy (one assertion per request, bound to the request body, so a captured assertion cannot be replayed); per-device rate limits; a hard daily spend cap. The Anthropic key lives only on the proxy, so the URL is the only thing worth extracting from the app.
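The Phase 4 mitigation is three checks in a fixed order. The following is an added example for this document, not the AARC proxy's code: an admission-control actor that sits between assertion verification and the Anthropic call. It assumes the caller has already verified the assertion signature against the key attested for this device and has parsed the 4-byte counter out of the assertion's authenticator data; the names ProxyGuard, register, admit and settle and the dollar limits are assumptions.

```swift
import Foundation

/// Admission control in front of the upstream LLM call. Runs after the request's App Attest
/// assertion signature has been verified and before any tokens are spent. Every deny path
/// returns before the upstream call, so a rejected request costs nothing.
/// Added example for this risk register; not the AARC proxy implementation.
actor ProxyGuard {
    enum Verdict: Equatable { case allow, deny(String) }

    private struct Device {
        var lastCounter: UInt32       // App Attest assertion counter; must strictly increase
        var tokens: Double            // token bucket for burst control
        var refilledAt: Date
        var spentTodayUSD: Double
    }

    private var devices: [String: Device] = [:]
    private var spentTodayUSD = 0.0
    private var dayStart: Date
    private let burst: Double            // bucket size (requests)
    private let perMinute: Double        // refill rate (requests per minute)
    private let deviceDailyUSD: Double   // assumed limits; tune from real usage
    private let globalDailyUSD: Double

    init(burst: Double = 5, perMinute: Double = 10, deviceDailyUSD: Double = 0.50,
         globalDailyUSD: Double = 25, now: Date = Date()) {
        self.burst = burst
        self.perMinute = perMinute
        self.deviceDailyUSD = deviceDailyUSD
        self.globalDailyUSD = globalDailyUSD
        self.dayStart = Calendar(identifier: .gregorian).startOfDay(for: now)
    }

    /// Called once, after a successful attestation of `keyId`. Keys that were never
    /// attested are not admitted at all, which is what stops a bare extracted URL.
    func register(keyId: String, now: Date = Date()) {
        devices[keyId] = Device(lastCounter: 0, tokens: burst, refilledAt: now, spentTodayUSD: 0)
    }

    /// `assertionCounter` is the counter from the assertion's authenticator data.
    /// `estimateUSD` is the worst case for this request (max_tokens at output price + prompt).
    func admit(keyId: String, assertionCounter: UInt32, estimateUSD: Double,
               now: Date = Date()) -> Verdict {
        rollDayIfNeeded(now)
        guard var device = devices[keyId] else { return .deny("unknown key: attestation required") }
        defer { devices[keyId] = device }

        // A replayed or captured assertion carries a counter <= the last one accepted.
        guard assertionCounter > device.lastCounter else { return .deny("stale assertion counter") }
        // Burn the counter even if a later check denies, so the same assertion cannot be
        // retried into a later rate-limit window. The client signs every request afresh.
        device.lastCounter = assertionCounter

        let elapsedMinutes = now.timeIntervalSince(device.refilledAt) / 60
        device.tokens = min(burst, device.tokens + elapsedMinutes * perMinute)
        device.refilledAt = now
        guard device.tokens >= 1 else { return .deny("per-device rate limit") }

        // Caps are checked on the estimate so one oversized request cannot overshoot them.
        // The global cap fails closed for every device; that is the intended trade.
        guard device.spentTodayUSD + estimateUSD <= deviceDailyUSD else {
            return .deny("per-device daily spend cap")
        }
        guard spentTodayUSD + estimateUSD <= globalDailyUSD else {
            return .deny("global daily spend cap")
        }

        device.tokens -= 1
        device.spentTodayUSD += estimateUSD
        spentTodayUSD += estimateUSD
        return .allow
    }

    /// After the upstream response, replace the estimate with the metered cost.
    func settle(keyId: String, estimateUSD: Double, actualUSD: Double) {
        let delta = actualUSD - estimateUSD
        spentTodayUSD += delta
        devices[keyId]?.spentTodayUSD += delta
    }

    private func rollDayIfNeeded(_ now: Date) {
        let today = Calendar(identifier: .gregorian).startOfDay(for: now)
        guard today > dayStart else { return }
        dayStart = today
        spentTodayUSD = 0
        for key in devices.keys { devices[key]?.spentTodayUSD = 0 }
    }
}
```

Two things the guard depends on but does not do: the client must fold a hash of the exact request body (and ideally a server nonce) into the clientDataHash it passes to generateAssertion, otherwise a valid assertion can be reused with a different, larger prompt; and the per-key state has to live somewhere shared if the proxy runs more than one instance, since a per-process counter is trivially bypassed by hitting a different instance.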
Marathon start area: 30,000 runners, zero signal.
Mitigation:
- Race mode is fully pre-generated.
- Pre-rendered TTS files for every script message.
- ScriptEngine works against local data only in race mode; the network code path is disabled.
- Phase 3 acceptance: complete a 30-minute run in airplane mode with race mode active and the script plays correctly.
Mitigation:
- Ship as AARC with neutral subtitle.
- No medical claims.
- "AI generates content" disclosure in onboarding.
- A "tame" personality default for App Store review accounts.
Wind, breathing, traffic, accent → garbage transcript → wrong AI reply.
Mitigation:
- Save the original audio.
- Low-confidence transcripts get a "transcript may be unreliable" hint to the LLM.
- Phase 4 polish: cloud Whisper fallback for poor on-device results.
- Always show the transcript in the post-run summary.
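Whether a transcript counts as "low confidence" needs a concrete rule. The following is an added example for this document, not code from the AARC project: it configures an on-device recognition request, scores the final result with a duration-weighted mean confidence, and builds the system hint separately from the transcript so the transcript is only ever passed as data. The 0.6 threshold, the 50 ms minimum segment weight and the function names are assumptions; saving the original audio is a separate step not shown here.

```swift
import Speech

/// Result of scoring one final transcript. Added example; not an AARC type.
struct TranscriptAssessment {
    let text: String
    let meanConfidence: Float   // 0...1, duration-weighted
    let unreliable: Bool
}

/// On-device recognition, final results only. Confidence is only populated on final
/// results; partial results report 0 and would always look "unreliable".
func makeRecognitionRequest() -> SFSpeechAudioBufferRecognitionRequest {
    let request = SFSpeechAudioBufferRecognitionRequest()
    request.shouldReportPartialResults = false
    request.requiresOnDeviceRecognition = true   // no audio leaves the phone
    request.taskHint = .dictation
    return request
}

/// Duration-weighted mean confidence over the best transcription. Two confident filler
/// words must not mask a garbled sentence, so very short segments count for less.
/// `threshold` is an assumed starting point; tune it against real run recordings.
func assess(_ segments: [SFTranscriptionSegment], threshold: Float = 0.6) -> TranscriptAssessment {
    let minWeight = 0.05   // seconds; floor so zero-length segments still count a little
    let text = segments.map(\.substring).joined(separator: " ")
    let totalDuration = segments.reduce(0.0) { $0 + max($1.duration, minWeight) }
    let weightedSum = segments.reduce(Float(0)) {
        $0 + $1.confidence * Float(max($1.duration, minWeight))
    }
    let mean = totalDuration > 0 ? weightedSum / Float(totalDuration) : 0
    return TranscriptAssessment(text: text,
                                meanConfidence: mean,
                                unreliable: segments.isEmpty || mean < threshold)
}

/// Builds the two pieces of the chat turn. The hint lives in the system text; the
/// transcript stays in the user turn as data and is never spliced into instructions,
/// so a garbled transcript is not read as a directive.
func chatTurn(personaPrompt: String, assessment: TranscriptAssessment) -> (system: String, user: String) {
    var system = personaPrompt
    if assessment.unreliable {
        system += String(format: "\nThe runner's message came from speech recognition with " +
                         "low confidence (%.2f). The transcript may be unreliable: ask a short " +
                         "clarifying question rather than acting on specifics.",
                         assessment.meanConfidence)
    }
    return (system, assessment.text)
}

/// Wire-up: call from the SFSpeechRecognitionTask result handler on a final result.
func handleFinal(_ result: SFSpeechRecognitionResult, personaPrompt: String) -> (system: String, user: String) {
    let assessment = assess(result.bestTranscription.segments)
    return chatTurn(personaPrompt: personaPrompt, assessment: assessment)
}
```

The assessment, not just the text, is what the post-run summary should keep, so the "transcript may be unreliable" flag is visible to the user alongside the line the coach replied with and can feed the Phase 4 cloud-fallback decision.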
The DB now stores only companion data (no workout truth). Worst-case data loss is recoverable: workouts are in HealthKit; we can rebuild Run records by enumerating HK workouts and matching aarcRunId metadata.
Mitigation:
- Schema versioning from day one.
- Per-version migration logic.
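The recovery path in the risk statement, rebuilding Run records from HealthKit by matching aarcRunId metadata, is worth having in code before it is needed. The following is an added example for this document, not the AARC rebuild routine: it queries tagged running workouts, trusts only those written by our own watch app (HealthKit is shared, and any app can write a workout carrying an aarcRunId key), and de-duplicates on the id in case a retried finalisation produced two workouts. RunRecord, rebuildRuns and the watchBundleId value are assumptions; read authorization for the workout type is assumed to have been requested already.

```swift
import HealthKit

/// Companion-side Run row rebuilt from HealthKit truth. Added example; not an AARC type.
struct RunRecord: Equatable {
    let aarcRunId: String
    let hkUUID: UUID
    let start: Date
    let end: Date
}

/// Rebuilds Run records from every running workout the watch app tagged with aarcRunId.
/// The watch sets the tag with HKLiveWorkoutBuilder.addMetadata before collection starts,
/// which is what makes the match possible after a phone-side DB loss.
func rebuildRuns(from store: HKHealthStore, watchBundleId: String) async throws -> [RunRecord] {
    let tagged = HKQuery.predicateForObjects(withMetadataKey: "aarcRunId")
    let running = HKQuery.predicateForWorkouts(with: .running)
    let predicate = NSCompoundPredicate(andPredicateWithSubpredicates: [tagged, running])
    let byStart = NSSortDescriptor(key: HKSampleSortIdentifierStartDate, ascending: true)

    let workouts: [HKWorkout] = try await withCheckedThrowingContinuation { continuation in
        let query = HKSampleQuery(sampleType: HKObjectType.workoutType(),
                                  predicate: predicate,
                                  limit: HKObjectQueryNoLimit,
                                  sortDescriptors: [byStart]) { _, samples, error in
            if let error = error {
                continuation.resume(throwing: error)
                return
            }
            continuation.resume(returning: samples as? [HKWorkout] ?? [])
        }
        store.execute(query)
    }

    var seen = Set<String>()
    var runs: [RunRecord] = []
    for workout in workouts {
        // Only our own watch app's workouts are trusted as run truth.
        guard workout.sourceRevision.source.bundleIdentifier == watchBundleId,
              let id = workout.metadata?["aarcRunId"] as? String,
              !id.isEmpty else { continue }
        // A retried finalisation could leave two workouts with the same id; keep the earliest.
        guard seen.insert(id).inserted else { continue }
        runs.append(RunRecord(aarcRunId: id,
                              hkUUID: workout.uuid,
                              start: workout.startDate,
                              end: workout.endDate))
    }
    return runs
}

/// Local companion rows whose workout no longer exists in HealthKit. These are shown as
/// "saved (companion only)" rather than silently dropped or silently promoted to runs.
func orphanedCompanionRows(local: [RunRecord], healthKit: [RunRecord]) -> [RunRecord] {
    let known = Set(healthKit.map(\.aarcRunId))
    return local.filter { !known.contains($0.aarcRunId) }
}
```

Running this on every launch (not only after a detected migration failure) and diffing the result against the local table is a cheap way to catch a silent migration bug before a user does; the watchBundleId check is the part that matters for trust, since a metadata key alone proves nothing about who wrote the sample.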
Apple's own algorithms handle this. Risk closed.
Roast Coach goes too dark on a grief-day run; chat-reply says something tone-deaf.
Mitigation:
- Personality system prompts include safety guardrails (no slurs, no medical advice).
- "Mute companion" one tap away in ActiveRunView.
- Post-run "this line was bad" feedback action that adjusts MemoryStore.
WatchConnectivity may briefly disconnect. Live metrics stop streaming. The script engine could go silent.
Mitigation:
- Live metrics over WC are best-effort at 1 Hz; the watch independently records to HealthKit, so no data is lost.
- If no metrics for 10s while supposedly running, surface a "watch disconnected" indicator — but do not stop the run.
- Phase 1 acceptance: deliberately background the watch app for 30s; verify reconnection and ScriptEngine catch-up.
- Workout state events (started/paused/ended) use transferUserInfo (queued, guaranteed, in-order delivery), so even a long disconnect cannot lose the start/end signal. A queued event can arrive after later 1 Hz metric frames, so the phone keys on runId and event timestamp, not on arrival order.
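The split between the two WatchConnectivity transports and the 10 s indicator is the substance of this mitigation, so here it is as an added example for this document rather than the AARC WatchConnectivity code. The watch side sends state events with transferUserInfo and metric frames with sendMessage only while reachable; the phone side parses both defensively, keeps a last-seen clock based on arrival time (so watch/phone clock skew cannot trip the indicator), and exposes the "watch disconnected" decision as a pure function. RunLink, the dictionary keys and the callback names are assumptions.

```swift
import Foundation
import WatchConnectivity

enum WorkoutEvent: String { case started, paused, resumed, ended }

/// One class compiled into both targets. Watch side calls the send methods; phone side
/// receives and runs the watchdog. Added example; RunLink is not an AARC type.
/// WCSession delivers delegate callbacks on a background queue, so phone-side state is
/// only touched from those callbacks and from isWatchSilent, which reads a snapshot.
final class RunLink: NSObject, WCSessionDelegate {
    private let session = WCSession.default

    // Phone-side state
    private(set) var lastMetricsArrival: Date?
    private(set) var running = false
    var onEvent: ((WorkoutEvent, String, Date) -> Void)?
    var onMetrics: (([String: Double], Date) -> Void)?

    override init() {
        super.init()
        guard WCSession.isSupported() else { return }
        session.delegate = self
        session.activate()
    }

    // MARK: watch -> phone

    /// State transitions: queued and delivered in order once the phone is reachable again.
    func send(_ event: WorkoutEvent, runId: String, at date: Date = Date()) {
        session.transferUserInfo(["kind": "event", "event": event.rawValue,
                                  "runId": runId, "ts": date.timeIntervalSince1970])
    }

    /// 1 Hz metrics: fire-and-forget. Dropped frames are fine; HealthKit on the watch is the record.
    func send(metrics: [String: Double], runId: String) {
        guard session.isReachable else { return }
        let frame: [String: Any] = ["kind": "metrics", "runId": runId, "m": metrics,
                                    "ts": Date().timeIntervalSince1970]
        session.sendMessage(frame, replyHandler: nil) { _ in /* dropped on purpose */ }
    }

    // MARK: phone side

    /// "Watch disconnected" indicator: true when a run is in progress and no metrics frame
    /// has arrived for `timeout` seconds. Callers show the indicator; they never stop the run.
    func isWatchSilent(now: Date = Date(), timeout: TimeInterval = 10) -> Bool {
        guard running else { return false }
        guard let last = lastMetricsArrival else { return true }
        return now.timeIntervalSince(last) > timeout
    }

    func session(_ session: WCSession, didReceiveUserInfo userInfo: [String: Any] = [:]) {
        // Payloads come from the paired watch only, but the shape is still validated.
        guard userInfo["kind"] as? String == "event",
              let raw = userInfo["event"] as? String,
              let event = WorkoutEvent(rawValue: raw),
              let runId = userInfo["runId"] as? String,
              let ts = userInfo["ts"] as? TimeInterval else { return }
        switch event {
        case .started, .resumed:
            running = true
            lastMetricsArrival = Date()   // grace period before the indicator can show
        case .paused, .ended:
            running = false
        }
        onEvent?(event, runId, Date(timeIntervalSince1970: ts))
    }

    func session(_ session: WCSession, didReceiveMessage message: [String: Any]) {
        guard message["kind"] as? String == "metrics",
              let metrics = message["m"] as? [String: Double],
              let ts = message["ts"] as? TimeInterval else { return }
        // A queued "started" may land after the first frames; frames are still proof of
        // life, so the indicator is not shown while the event queue is catching up.
        lastMetricsArrival = Date()
        onMetrics?(metrics, Date(timeIntervalSince1970: ts))
    }

    func session(_ session: WCSession, activationDidCompleteWith state: WCSessionActivationState, error: Error?) {}

    #if os(iOS)
    func sessionDidBecomeInactive(_ session: WCSession) {}
    func sessionDidDeactivate(_ session: WCSession) { session.activate() }
    #endif
}
```

The Phase 1 acceptance step maps onto this directly: background the watch app for 30 s, confirm isWatchSilent flips true after 10 s and back to false on the first frame after reconnection, and confirm any started/paused/ended events queued during the gap are delivered to onEvent in order so the ScriptEngine can catch up from them rather than from the lossy metric stream.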
Phone battery dies. No more audio. Run continues on the watch.
Mitigation:
- The run survives because the watch is the workout host; HealthKit gets the workout when the watch finishes.
- Phone reconciles companion data (Script played up to point of death) on next launch.
We don't support phone-less runs in V1. Watch alone has no AI brain.
Mitigation:
- Pre-flight check on watch: if phone is unreachable at run start, prompt "Continue without companion?" Watch still records the workout; the AI layer is just absent.
- Future feature: cache a small set of stock lines on the watch for phone-less runs. Phase 5+ if ever.