From the 2026-06-02 DB review (P0-2), verified on origin/main: `face_embeddings.embedding` is a NOT-NULL plaintext `vector(512)` (Alembic 0001) with the HNSW search index built on it; `embedding_ciphertext` (Alembic 0005) is a nullable add-on column. pgvector cosine search requires the plaintext, so a leaked DB dump exposes raw biometric templates regardless of the ciphertext column — the at-rest encryption claim is not real for the searchable copy.
This is NOT a remote exploit (it requires DB-dump access) — it is a data-model / truth-in-claims decision:
- A. Keep plaintext for search, relabel the ciphertext as an explicit "encrypted backup" and stop claiming "biometrics encrypted at rest" (cheap, honest).
- B. Move to searchable/queryable encryption or app-side ANN over ciphertext and drop the plaintext column (large lift, real at-rest encryption).
- C. Accept + document the posture (test-only system, owner is sole user).
Recommend A now (relabel + fix the public claims, see FIVUCSAS#184), B as a roadmap item. Pairs with FIVUCSAS#184 (truth-in-claims).
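
Added example (not part of the original issue or the project's code): a schema audit that could gate the "encrypted at rest" claim by flagging any pgvector column still stored in plaintext, its ANN index, and whether a sibling ciphertext column exists. Table and column names are from the issue; the DDL sample, the index name, the extra columns, the `bytea` type and the `<column>_ciphertext` naming rule are constructed assumptions.

```python
import re

# Constructed schema-only dump (pg_dump --schema-only style). Table and column
# names come from the issue; index name, id columns and bytea are assumptions.
SAMPLE_DDL = """
CREATE TABLE public.face_embeddings (
    id uuid NOT NULL,
    user_id uuid NOT NULL,
    embedding public.vector(512) NOT NULL,
    embedding_ciphertext bytea
);
CREATE INDEX ix_face_embeddings_hnsw ON public.face_embeddings
    USING hnsw (embedding public.vector_cosine_ops);
"""

TABLE_RE = re.compile(r"CREATE TABLE\s+(?:\w+\.)?(\w+)\s*\((.*?)\n\);", re.S)
COLUMN_RE = re.compile(
    r"^[ \t]*(\w+)[ \t]+((?:\w+\.)?\w+(?:\(\d+\))?)([^,\n]*),?[ \t]*$", re.M)
INDEX_RE = re.compile(
    r"CREATE\s+(?:UNIQUE\s+)?INDEX\s+\w+\s+ON\s+(?:\w+\.)?(\w+)\s+"
    r"USING\s+(hnsw|ivfflat)\s*\(\s*(\w+)", re.I)


def audit_vector_columns(ddl):
    """Return one finding per column whose type is a plaintext pgvector vector."""
    indexed = {(t, c): m for t, m, c in INDEX_RE.findall(ddl)}
    findings = []
    for table, body in TABLE_RE.findall(ddl):
        cols = {name: (ctype, "NOT NULL" in rest.upper())
                for name, ctype, rest in COLUMN_RE.findall(body)}
        for name, (ctype, not_null) in cols.items():
            if not re.fullmatch(r"(?:\w+\.)?vector(?:\(\d+\))?", ctype):
                continue
            cipher = cols.get(name + "_ciphertext")  # assumed naming rule
            findings.append({
                "table": table, "column": name, "type": ctype,
                "plaintext_not_null": not_null,
                "ann_index": indexed.get((table, name)),  # None if unindexed
                "ciphertext_column": cipher is not None,
                "ciphertext_nullable": cipher is not None and not cipher[1],
            })
    return findings


def at_rest_claim_holds(ddl):
    """The claim only holds when no plaintext vector column remains (option B)."""
    return not audit_vector_columns(ddl)
```
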