CPU face-match fallback policy

Status: customer boundary doc. Required topic cpu_face_match_fallback_policy from contracts/production-admission.v0.json customer_boundary_lane.required_doc_topics.

The face-match fallback is shape-only today. The membrane operation humanAuth.faceMatchFallback exists at POST /v1/human-auth/face-match, returns a structurally correct response, and records no consequence. There is no biometric pipeline behind it.

The label is taken from contracts/production-admission.v0.json operation_maturity:

humanAuth.faceMatchFallback: shape-only

This is also reflected in docs/reference/capability-state.md, which is the public ledger of operation labels.

A shape-only operation:

  • Has a defined contract and types.
  • Returns a structurally correct response.
  • Records no durable consequence.
  • Is not eligible for production admission. The pilot admission lane cannot admit a shape-only operation as authentic, because there is no consequence to admit.

A pilot customer must not treat a shape-only response as evidence of identity, presence, or any other authority claim. The receipt shape exists so that Koerper code can prepare for a future authentic path; it carries no factual content.

What would have to be true to enable face-match

For face-match to move off shape-only, all of the following are required as preconditions, before any pilot admission:

  • An on-device match path with an attestation that the match ran on-device and that no biometric template left the device.
  • A membrane payload limited to the WebAuthn-style shape (credential hash, public verification material, replay status). No biometric template material on the membrane. This is required by Biometric template posture and is enforced by the contract.
  • An updated operation_maturity entry that moves the operation off shape-only.
  • An updated capability state ledger row.
  • Inclusion in the admitted operations set of a signed pilot admission record.

Until those preconditions are met, the operation refuses to act as a presence factor. A pilot relying on identity must use the durable HumanAuth passkey path (humanAuth.passkeyImport, humanAuth.verifyPasskey).
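A customer-side gate for the rule above, as an added example that is not code from this project: it refuses to use a response as a presence factor unless the operation is off shape-only, is in the admitted operations set, and carries only the membrane shape. It assumes operation_maturity is a flat map from operation name to label, that admitted_operations was taken from a pilot admission record whose signature has already been verified, and that the payload field names are hypothetical stand-ins for the three items the policy lists.

```python
import json

SHAPE_ONLY = "shape-only"

# Hypothetical field names for the WebAuthn-style shape the policy allows:
# credential hash, public verification material, replay status.
ALLOWED_PAYLOAD_FIELDS = {
    "credential_hash",
    "public_verification_material",
    "replay_status",
}

# Constructed sample. Assumes operation_maturity is a flat name -> label map.
SAMPLE_CONTRACT = json.loads("""
{
  "operation_maturity": {
    "humanAuth.faceMatchFallback": "shape-only"
  }
}
""")


def presence_factor_refusals(contract, operation, admitted_operations, payload):
    """Return the reasons a response must not be used as a presence factor.

    An empty list means no check failed. Every check fails closed: a missing
    maturity entry or an unexpected payload field counts as a refusal.
    admitted_operations is assumed to come from an admission record whose
    signature the caller has already verified.
    """
    reasons = []
    label = contract.get("operation_maturity", {}).get(operation)
    if label is None:
        reasons.append("no operation_maturity entry")
    elif label == SHAPE_ONLY:
        reasons.append("operation is shape-only")
    if operation not in admitted_operations:
        reasons.append("not in admitted operations set")
    # Anything outside the allowed shape could be template material.
    extra = sorted(set(payload) - ALLOWED_PAYLOAD_FIELDS)
    if extra:
        reasons.append("payload fields outside membrane shape: " + ", ".join(extra))
    return reasons
```

With the sample contract, humanAuth.faceMatchFallback is always refused, so the caller falls through to the passkey path.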