verifyRegistrationResponse fails if not metadata was found

How about a verificationMode enum / union-type string instead?

Good call, I’d considered this earlier but was still indecisive on what exactly I needed to change about MetadataService to make things more permissive. A boolean seemed the simplest, but then I remembered that that’s what led to there being a requireResidentKey: boolean and “residentKey: ResidentKeyRequirement + instructions on what to set requireResidentKey to for a given residentKey” in L2 of the WebAuthn spec (because in L1 it made sense for resident key requirement to be a simple yes/no!)

I settled on this:

// Allow MetadataService to accommodate unregistered AAGUIDs ("permissive"), or only allow
// registered AAGUIDs ("strict"). Currently primarily impacts how `getStatement()` operates
type VerificationMode = 'permissive' | 'strict';

An optional verificationMode can be set when calling MetadataService.initialize(opts); to control how the service behaves. It will default to "strict" because that’s how MetadataService currently operates and I don’t want this to be a breaking change.

How about a verificationMode enum / union-type string instead? Something like

export type VerificationMode = "none" | "default" | "strict";

? Using verificationMode: "none" would be helpful for the use-case I described earlier where someone wants to fetch metadata only for logging or display purposes. Not sure what to call the “middle tier”. Maybe something more descriptive like fallback? Or perhaps you can come up with even more options for the verification behaviour 😃 That’s the nice things about using an enum instead of a boolean - it leaves you the option of adding additional modes in the future.