Owner: Robert Taylor (Eng) · Department: Engineering · Status: Live · Version: 1.0
Effective Date: 2026-06-13 · Last Reviewed: 2026-06-13 · Next Review Date: 2026-09-13
Source of Truth: code (FastAPI backend) · Maturity: 4 (Operational)
In-store/pickup point-of-sale verification: an append-only event whose server-computed decision gates order completion.
```mermaid
flowchart LR
    C[Cashier scans seal] --> PE[POST /pos-verification]
    PE --> D[compute_sale_decision<br/>server-side]
    D --> EV[(PosVerificationEvent<br/>append-only)]
    OC[order complete] --> G{approved/unexpired/unconsumed?}
    G -->|yes| OK[order completes]
    G -->|no| BLK[409 blocked]
```
- TTL 15 min; single-use (unique partial index on order_id).
- Decision: customer seal status + physical-description + face-match attestations.
- Signed receipt JWT (10-yr audit artifact). Fail-closed if signer down (prod).
- Blocked scans logged + flagged review_status=open.
- Gate fires only for pickup — delivery/shipping bypass it; no driver handoff age check (§15.8, §17.11).
- Product seal (product_jti) captured but NOT validated in the decision (§15.10).
- Seal status is client-asserted, not re-resolved against the seal table (§15.9).
- No cashier role/training gate before scan (§15.25).
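
The order-completion gate described above (approved, unexpired, unconsumed, pickup only), as an added sketch that is not the project's own code. SQLite stands in for the backend database; the table and column names, the `complete_order` signature and the partial-index predicate are assumptions.

```python
import sqlite3

TTL_SECONDS = 15 * 60  # 15-minute TTL from the page

# Assumed schema: the page names the index but not its predicate.
SCHEMA = """
CREATE TABLE pos_verification_event (
    id INTEGER PRIMARY KEY,
    order_id TEXT NOT NULL,
    decision TEXT NOT NULL,       -- 'approved' or 'blocked', computed server-side
    created_at INTEGER NOT NULL,  -- unix seconds
    consumed_at INTEGER           -- NULL until the gate consumes the event
);
CREATE UNIQUE INDEX one_consumed_per_order
    ON pos_verification_event(order_id) WHERE consumed_at IS NOT NULL;
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def record_event(db, order_id, decision, now):
    with db:
        db.execute(
            "INSERT INTO pos_verification_event(order_id, decision, created_at) "
            "VALUES (?, ?, ?)", (order_id, decision, now))

def complete_order(db, order_id, fulfillment, now):
    """Return 200 if the order may complete, 409 if the gate blocks it."""
    if fulfillment != "pickup":
        return 200  # as documented: the gate fires only for pickup
    row = db.execute(
        "SELECT id FROM pos_verification_event "
        "WHERE order_id = ? AND decision = 'approved' "
        "AND consumed_at IS NULL AND created_at > ? "
        "ORDER BY created_at DESC LIMIT 1",
        (order_id, now - TTL_SECONDS),
    ).fetchone()
    if row is None:
        return 409  # no approved, unexpired, unconsumed event
    try:
        with db:  # consume atomically; the index rejects a second consumption
            cur = db.execute(
                "UPDATE pos_verification_event SET consumed_at = ? "
                "WHERE id = ? AND consumed_at IS NULL", (now, row[0]))
    except sqlite3.IntegrityError:
        return 409  # another event for this order was already consumed
    return 200 if cur.rowcount == 1 else 409
```

Under this assumed predicate, a second approved scan for an order that has already completed cannot be consumed, because the unique partial index rejects the update.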
Distilled from docs/audits/backend-truth-audit-2026-06-13.md and portal-maturity-audit-2026-06-13.md.