generated from coulomb/repo-seed
Add user-engine architecture workplans
This commit is contained in:
140
workplans/NK-WP-0018-user-engine-integrated-test-scenarios.md
Normal file
140
workplans/NK-WP-0018-user-engine-integrated-test-scenarios.md
Normal file
@@ -0,0 +1,140 @@
|
||||
---
|
||||
id: NK-WP-0018
|
||||
type: workplan
|
||||
title: "User Engine Integrated Test Scenarios"
|
||||
domain: netkingdom
|
||||
repo: net-kingdom
|
||||
status: ready
|
||||
owner: codex
|
||||
topic_slug: netkingdom
|
||||
planning_priority: high
|
||||
planning_order: 18
|
||||
created: "2026-05-22"
|
||||
updated: "2026-05-22"
|
||||
depends_on:
|
||||
- NK-WP-0016
|
||||
- NK-WP-0017
|
||||
state_hub_workstream_id: "6f75035a-e056-4eab-8fdb-00a18bacdf87"
|
||||
---
|
||||
|
||||
# NK-WP-0018 - User Engine Integrated Test Scenarios
|
||||
|
||||
## Goal
|
||||
|
||||
Extend user-engine test coverage from isolated MVP tests to realistic
|
||||
standalone, platform, multi-tenant, multi-application, audit, and performance
|
||||
scenarios. The test suite should prove the architecture boundaries rather than
|
||||
only individual functions.
|
||||
|
||||
## Scope
|
||||
|
||||
In scope:
|
||||
|
||||
- scenario matrix;
|
||||
- local identity and IAM Profile fixtures;
|
||||
- flex-auth authorization harness;
|
||||
- multi-tenant and multi-application integration tests;
|
||||
- audit/outbox/correlation tests;
|
||||
- effective-profile performance tests;
|
||||
- CI/readiness gates.
|
||||
|
||||
Out of scope:
|
||||
|
||||
- full production Railiance deployment;
|
||||
- full enterprise SCIM conformance;
|
||||
- UI end-to-end tests for future UI repos.
|
||||
|
||||
## Tasks
|
||||
|
||||
```task
|
||||
id: NK-WP-0018-T1
|
||||
status: todo
|
||||
priority: high
|
||||
state_hub_task_id: "6da86ef6-ea8b-49b9-8897-cbed00f6e61d"
|
||||
```
|
||||
|
||||
**Scenario matrix.** Define canonical scenarios: standalone single-app,
|
||||
standalone denied access, platform local-identity fixture, tenant admin,
|
||||
platform operator, cross-tenant denial, two applications with separate
|
||||
catalogs, sensitive projection redaction, and event/audit replay.
|
||||
|
||||
```task
|
||||
id: NK-WP-0018-T2
|
||||
status: todo
|
||||
priority: high
|
||||
state_hub_task_id: "e3424148-90d6-4c43-8f15-988f2a21d166"
|
||||
```
|
||||
|
||||
**Identity fixtures.** Add IAM Profile claim fixtures for human, service,
|
||||
agent, delegated agent, tenant admin, platform operator, break-glass, local
|
||||
development issuer, and invalid/expired/missing-tenant tokens.
|
||||
|
||||
```task
|
||||
id: NK-WP-0018-T3
|
||||
status: todo
|
||||
priority: high
|
||||
state_hub_task_id: "23fa4617-e7ce-4cdc-b753-489ec361757b"
|
||||
```
|
||||
|
||||
**Authorization harness.** Add a deterministic flex-auth-compatible test
|
||||
harness that supports allow, deny, obligation, tenant-boundary, assurance, and
|
||||
bulk decision scenarios.
|
||||
|
||||
```task
|
||||
id: NK-WP-0018-T4
|
||||
status: todo
|
||||
priority: high
|
||||
state_hub_task_id: "33c53479-7856-42ee-b9ee-8795aa73c39a"
|
||||
```
|
||||
|
||||
**End-to-end domain scenarios.** Test full flows from actor claims through
|
||||
authorization, mutation, profile resolution, projection, audit write, and
|
||||
outbox event creation.
|
||||
|
||||
```task
|
||||
id: NK-WP-0018-T5
|
||||
status: todo
|
||||
priority: medium
|
||||
state_hub_task_id: "fc2d73e4-1f45-4891-9c31-1a4dc2f3a002"
|
||||
```
|
||||
|
||||
**Performance and cache tests.** Add tests or benchmarks for effective-profile
|
||||
resolution, projection rendering, authorization batching, request-scoped
|
||||
memoization, and cache invalidation on catalog/profile/membership changes.
|
||||
|
||||
```task
|
||||
id: NK-WP-0018-T6
|
||||
status: todo
|
||||
priority: high
|
||||
state_hub_task_id: "26b63aa0-deb6-4b4d-9388-6b7e531bd4ff"
|
||||
```
|
||||
|
||||
**Security and privacy negative tests.** Cover local issuer rejection in
|
||||
production, sensitive attribute leakage, cross-tenant reads/writes, admin
|
||||
overreach, catalog sensitivity downgrade, namespace hijack, stale membership
|
||||
facts, and missing audit correlation.
|
||||
|
||||
```task
|
||||
id: NK-WP-0018-T7
|
||||
status: todo
|
||||
priority: medium
|
||||
state_hub_task_id: "a46e6e78-71a1-4518-881f-85b39269f4a8"
|
||||
```
|
||||
|
||||
**CI and readiness gates.** Add repeatable commands for unit, integration,
|
||||
scenario, and conformance-style tests. Document what must pass before a
|
||||
platform deployment or UI consumer can depend on user-engine.
|
||||
|
||||
## Acceptance Criteria
|
||||
|
||||
- The test suite proves standalone, tenant, multi-app, authorization, profile,
|
||||
projection, audit, and event behavior.
|
||||
- Negative tests cover the architecture review risks.
|
||||
- Scenario fixtures are readable enough for future agents and developers to
|
||||
extend.
|
||||
- CI/readiness commands are documented and deterministic.
|
||||
|
||||
## Dependencies And Sequencing
|
||||
|
||||
- Depends on NK-WP-0016 and NK-WP-0017.
|
||||
- Feeds the final implementation assessment in NK-WP-0019.
|
||||
Reference in New Issue
Block a user