The dashboard 'auth-methods-testing' surface (meant as a training/testing playground) silently enrolls the caller's real biometrics into the production biometric store on the first not-enrolled/404 attempt, and the route has no admin/role gate.
Evidence (origin/main):
src/features/auth-methods-testing/puzzles/useAuthMethodPuzzleApi.ts — on isNotEnrolledError it calls real enroll endpoints: face ~line 118-120 biometric.enrollFace(u.id, image) → POST /biometric/enroll/{userId}; voice ~line 158-162 POST /biometric/voice/enroll/{userId}. No training-mode/flag gate around the enroll calls.
src/App.tsx:269 mounts the route under <ProtectedRoute> only (any logged-in user), NOT <AdminRoute> like admin-flows/enrollments.
Impact: any non-admin dashboard user can navigate there, attempt FACE/VOICE, and have their biometrics enrolled in prod without explicit consent.
Fix: wrap the route in <AdminRoute> AND/OR make the testing surface verify-only (never auto-enroll), or gate auto-enroll behind an explicit consent + a disposable/test account.
Source: MASTER_ISSUE_REGISTER_2026-06-03 (WEB-2), re-verified on origin/main 2026-06-13.
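As an added illustration of the verify-only / gated auto-enroll fix (not the dashboard's own code), the snippet below models the not-enrolled fallback so that a 404 is reported rather than turned into a silent enrollment, and enrollment happens only behind a build flag, explicit consent, and a test account. `BiometricClient`, `User`, `TestingSurfaceOptions`, `runAuthPuzzle` and `makeFakeClient` are hypothetical stand-ins; the `<AdminRoute>` wrap in `src/App.tsx` is a separate, routing-level change not shown here.

```typescript
type BiometricKind = "FACE" | "VOICE";

// Hypothetical stand-ins for the dashboard's user and biometric client types.
// Calls are synchronous here to keep the example self-contained; the real
// client is async, but the gating logic is identical.
interface User { id: string; isTestAccount: boolean; }
interface BiometricClient {
  verify(kind: BiometricKind, userId: string, sample: Uint8Array): "verified" | "rejected" | "not_enrolled";
  enroll(kind: BiometricKind, userId: string, sample: Uint8Array): void;
}

// Hypothetical options the testing surface would receive from config/UI.
interface TestingSurfaceOptions {
  allowAutoEnroll: boolean; // build-time flag; false for production builds
  consentGiven: boolean;    // explicit per-attempt consent, never implied by visiting the page
}

type PuzzleOutcome = "verified" | "rejected" | "not_enrolled" | "enrolled";

// Verify first; a not-enrolled result is reported as-is unless every auto-enroll
// gate holds (flag on, explicit consent, disposable/test account). This replaces
// the unconditional enroll-on-404 fallback described in the report.
function runAuthPuzzle(client: BiometricClient, user: User, kind: BiometricKind,
                       sample: Uint8Array, opts: TestingSurfaceOptions): PuzzleOutcome {
  const result = client.verify(kind, user.id, sample);
  if (result !== "not_enrolled") return result;
  const mayEnroll = opts.allowAutoEnroll && opts.consentGiven && user.isTestAccount;
  if (!mayEnroll) return "not_enrolled";
  client.enroll(kind, user.id, sample);
  return "enrolled";
}

// Constructed in-memory client: tracks the "store" and every enroll call so a
// caller can confirm nothing is written to the store unless all gates hold.
function makeFakeClient(store: Set<string>) {
  const enrollCalls: string[] = [];
  const client: BiometricClient = {
    verify: (kind, userId) => (store.has(`${kind}:${userId}`) ? "verified" : "not_enrolled"),
    enroll: (kind, userId) => { store.add(`${kind}:${userId}`); enrollCalls.push(`${kind}:${userId}`); },
  };
  return { client, enrollCalls };
}

const sample = new Uint8Array([1, 2, 3]); // constructed placeholder, not a real biometric
const prodUser: User = { id: "u-42", isTestAccount: false };
const testUser: User = { id: "t-1", isTestAccount: true };
```

Run with a real (non-test) account and the enroll call count stays at zero whatever the flag and consent values; only a test account with the flag on and consent given reaches `enroll`.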