Biometric puzzles and the auth-methods-testing surface treat a 404 / not-deployed proxy endpoint as a soft-pass in training mode (verdict soft_pass / reason endpoint_not_deployed); unmapped variants skip server validation entirely. This is acceptable for a training surface but must never be mistaken for a hardened gate — the real gate is enroll/verify.
Evidence (origin/main): src/features/biometric-puzzles/useBiometricPuzzleServer.ts:200-222 (if (status === 404) → soft_pass in training mode; auth mode fails closed).
Action: confirm auth mode is always fail-closed (it appears to be), and document the training-mode soft-pass clearly in code/UX so it is not presented as a security control. Low severity.
Source: MASTER_ISSUE_REGISTER_2026-06-03 (WEB-4), re-verified on origin/main 2026-06-13.
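One way to pin down the requested behaviour as a regression check. This is an added example, not the code in useBiometricPuzzleServer.ts. The function names, the serverValidated flag, the 200 handling and every reason string other than endpoint_not_deployed are assumptions made for illustration.

```typescript
// Hypothetical model of the verdict logic described in this issue (not the project's code).
type Mode = "training" | "auth";
type Verdict = "pass" | "soft_pass" | "fail";

interface Resolution {
  verdict: Verdict;
  reason: string;
  serverValidated: boolean; // true only when the proxy endpoint actually answered
}

// `serverAccepted` stands in for the parsed body of a 200 response (assumed shape).
function resolveVerdict(mode: Mode, status: number, serverAccepted: boolean): Resolution {
  if (status === 200) {
    return serverAccepted
      ? { verdict: "pass", reason: "server_accepted", serverValidated: true }
      : { verdict: "fail", reason: "server_rejected", serverValidated: true };
  }
  // The only soft-pass path: endpoint not deployed AND training mode.
  if (status === 404 && mode === "training") {
    return { verdict: "soft_pass", reason: "endpoint_not_deployed", serverValidated: false };
  }
  // Everything else fails closed, including a 404 in auth mode.
  const reason = status === 404 ? "endpoint_not_deployed" : "server_error";
  return { verdict: "fail", reason, serverValidated: false };
}

// Callers that gate access use this, so soft_pass can never count as a control.
function isSecurityDecision(r: Resolution): boolean {
  return r.verdict === "pass" && r.serverValidated;
}

// Sweep statuses and return those where auth mode yields a non-fail verdict
// without server validation. An empty result means auth mode is fail-closed.
function authModeLeaks(statuses: number[]): number[] {
  return statuses.filter((s) =>
    [true, false].some((accepted) => {
      const r = resolveVerdict("auth", s, accepted);
      return r.verdict !== "fail" && !r.serverValidated;
    })
  );
}

// Constructed sample of HTTP statuses for the sweep.
const SAMPLE_STATUSES: number[] = [200, 204, 301, 401, 403, 404, 429, 500, 502, 503];
```
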