id: evaluation/user-engine/interface-card-expectations
title: User Engine Canon Interface Card Expectations
status: candidate
consumer: user-engine
evaluation_pack: evaluation/user-engine
expected_consumer_fields:
  repo: user-engine
  domain: user-management
  intent: Evaluate and later integrate user-management capability against InfoTechCanon.
  scope:
    - user identity
    - accounts
    - tenants
    - teams
    - memberships
    - roles
    - access decisions
    - access reviews
    - governance evidence
  purposes:
    - id: user-engine/user-management-evaluation
      use_case: Compare user-engine entities and access behavior with InfoTechCanon models and small-saas profile expectations.
      consumer_need: Clear distinction among identities, actors, principals, subjects, roles, grants, policies, controls, evidence, and lifecycle work.
      demand_signals:
        - user-engine will be assessed before integration.
        - user-engine needs a canon-side conformance question set.
expected_canon_surfaces:
  implemented_profiles:
    - profile/small-saas
  consumed_artifacts:
    - model/organization
    - model/access-control
    - model/governance
    - model/data
    - model/security
    - model/task
    - model/purpose-demand-extension
    - standard/caring
  consumed_concepts:
    - Actor
    - Subject
    - Principal
    - User
    - Team
    - Tenant
    - Organization Role
    - AccessRole
    - Permission
    - Entitlement
    - ResourceScope
    - Policy
    - Control
    - Evidence
    - AccessReview
    - ConsumerPurpose
    - PurposeFit
    - EvolutionRequest
expected_entities:
  - id: user
    canon_anchor: model/organization
    expectation: Represents a human or service user without collapsing into authenticated principal.
  - id: account
    canon_anchor: model/access-control
    expectation: Represents login or system account bound to a user, actor, or principal.
  - id: principal
    canon_anchor: model/access-control
    expectation: Represents authenticated identity used in an authorization decision.
  - id: subject
    canon_anchor: model/access-control
    expectation: Represents entity evaluated by policy, possibly a user, principal, group, or service account.
  - id: tenant
    canon_anchor: model/organization
    expectation: Represents customer or organization boundary used for membership, data, and access scope.
  - id: team
    canon_anchor: model/organization
    expectation: Represents operational group, not an access role.
  - id: organization-role
    canon_anchor: model/organization
    expectation: Represents responsibility or position.
  - id: access-role
    canon_anchor: model/access-control
    expectation: Represents permission bundle or access capability.
  - id: policy
    canon_anchor: model/governance
    expectation: Governs access or lifecycle behavior.
  - id: control
    canon_anchor: model/security
    expectation: Implements or enforces a policy or objective.
  - id: evidence
    canon_anchor: model/observability
    expectation: Supports review, control, access, or integration claims.
expected_edges:
  - type: member_of
    source: user
    target: team
    expectation: User or actor belongs to team.
  - type: belongs_to_tenant
    source: user
    target: tenant
    expectation: User or account is scoped to a tenant when applicable.
  - type: authenticates_as
    source: account
    target: principal
    expectation: Account produces or binds authenticated principal.
  - type: evaluated_as
    source: principal
    target: subject
    expectation: Principal is evaluated as policy subject.
  - type: assigned_role
    source: subject
    target: access-role
    expectation: Subject receives access role within explicit scope.
  - type: scoped_to
    source: access-role
    target: tenant
    expectation: Access role or grant declares resource or tenant scope.
  - type: governed_by
    source: access-grant
    target: policy
    expectation: Grant traces to policy or rule.
  - type: implemented_by
    source: policy
    target: control
    expectation: Policy is enforced by a control.
  - type: evidenced_by
    source: access-grant
    target: evidence
    expectation: Grant, review, or control has evidence.
  - type: creates_task
    source: evaluation-gap
    target: task
    expectation: Gap creates work only after triage and commitment.
evidence_required:
  - completed Canon Interface Card
  - entity and edge mapping export
  - access grant trace
  - tenant-scoped role or permission example
  - access review example
  - policy/control/evidence trace
  - data object inventory for user-management data
  - user lifecycle task or request examples
  - explicit integration gaps and requested evolution
validation_expectations:
  commands:
    - PYTHONPATH=src python3 -m info_tech_canon validate
    - PYTHONPATH=src python3 -m info_tech_canon profile validate small-saas
  known_gaps_allowed: true
  gap_rule: A gap is acceptable only when recorded with purpose fit state, owner, and proposed disposition.