---
id: NK-WP-0017
type: workplan
title: "User Engine Multi-Application And Catalog Support"
domain: netkingdom
repo: net-kingdom
status: ready
owner: codex
topic_slug: netkingdom
planning_priority: high
planning_order: 17
created: "2026-05-22"
updated: "2026-05-22"
depends_on:
  - NK-WP-0015
state_hub_workstream_id: "08398d26-cadf-44bc-97ee-67da790040e6"
---

# NK-WP-0017 - User Engine Multi-Application And Catalog Support

## Goal

Extend user-engine from a single-app MVP into a governed multi-application profile and customization service. Applications should be able to register as profile consumers, own catalog namespaces, publish versioned customization catalogs, and receive application-specific projections without attribute collisions or data leakage.

## Scope

In scope:

- application registry and bindings;
- catalog namespace ownership;
- catalog lifecycle and migration checks;
- application-specific profile layers;
- application runtime projections;
- optional claims-enrichment boundary;
- multi-app tests and examples.

Out of scope:

- UI implementation;
- full marketplace or plugin ecosystem;
- enterprise SCIM server;
- making user-engine a token issuer.

## Tasks

```task
id: NK-WP-0017-T1
status: todo
priority: high
state_hub_task_id: "9363492d-49af-4929-bb64-576ed8c47ddb"
```

**Application registry split.** Implement user-engine application records as profile-consumer records with explicit bindings to IAM OIDC clients, flex-auth protected systems, catalog namespaces, event identities, and deployment metadata.

```task
id: NK-WP-0017-T2
status: todo
priority: high
state_hub_task_id: "cd9dff26-d570-4f9f-9ebf-6f20eddf3ef0"
```

**Catalog namespace governance.** Implement namespace ownership, catalog semantic versions, lifecycle states, compatibility checks, sensitivity downgrade prevention, and activation/deprecation flows.

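
One way the T2 activation gate could be checked, as an added example rather than user-engine code. The `Catalog` record, the four sensitivity labels, and the rule that removing an attribute needs a major version bump are all assumptions, since the workplan does not define them.

```python
from dataclasses import dataclass

# Assumed sensitivity ordering, lowest to highest; the workplan names no levels.
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

@dataclass
class Catalog:                      # hypothetical record shape
    namespace: str                  # catalog namespace, e.g. "billing"
    owner_app: str                  # application publishing this version
    version: str                    # "MAJOR.MINOR.PATCH"
    attributes: dict                # attribute name -> sensitivity label

def parse_version(v):
    parts = v.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a MAJOR.MINOR.PATCH version: {v!r}")
    return tuple(int(p) for p in parts)

def activation_violations(owners, active, candidate):
    """Reasons `candidate` may not replace `active` (None on first publish)."""
    problems = []
    if owners.get(candidate.namespace) != candidate.owner_app:
        problems.append(f"namespace '{candidate.namespace}' is not owned by '{candidate.owner_app}'")
    for name, label in candidate.attributes.items():
        if label not in SENSITIVITY:
            problems.append(f"attribute '{name}' has unknown sensitivity '{label}'")
    if active is None:
        return problems
    old_v, new_v = parse_version(active.version), parse_version(candidate.version)
    if new_v <= old_v:
        problems.append(f"version {candidate.version} does not advance {active.version}")
    for name, old_label in active.attributes.items():
        if name not in candidate.attributes:
            # Assumed compatibility rule: removing an attribute is a breaking change.
            if new_v[0] == old_v[0]:
                problems.append(f"attribute '{name}' removed without a major version bump")
            continue
        new_label = candidate.attributes[name]
        if new_label in SENSITIVITY and SENSITIVITY[new_label] < SENSITIVITY[old_label]:
            problems.append(f"attribute '{name}' sensitivity downgraded {old_label} -> {new_label}")
    return problems

# Constructed sample data: two demo applications and one active catalog.
OWNERS = {"billing": "billing-app", "notes": "notes-app"}
ACTIVE = Catalog("billing", "billing-app", "1.2.0", {"plan": "internal", "tax_id": "restricted"})
CANDIDATE = Catalog("billing", "notes-app", "1.3.0", {"plan": "internal", "tax_id": "internal"})

if __name__ == "__main__":
    print("\n".join(activation_violations(OWNERS, ACTIVE, CANDIDATE)))
```
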
```task
id: NK-WP-0017-T3
status: todo
priority: high
state_hub_task_id: "6bbe4250-a6e7-4ecf-b916-7e79eddd76f6"
```

**Application profile layer.** Add application-specific profile values, preferences, defaults, and effective-profile precedence rules that compose with global and tenant layers.

```task
id: NK-WP-0017-T4
status: todo
priority: high
state_hub_task_id: "29012ed5-f6c2-455f-8999-037a653d14e1"
```

**Application runtime projections.** Implement app-specific projection requests with allowed projection types, attribute-level visibility, mutability, sensitivity, and redaction rules.

```task
id: NK-WP-0017-T5
status: todo
priority: medium
state_hub_task_id: "a3226c20-1278-409e-a49d-965e4783dc7a"
```

**Claims-enrichment adapter boundary.** Specify and, if appropriate, prototype an optional cache-backed projection used by IAM-side claims enrichment. The implementation must not place user-engine synchronously in the default token issuance path.

```task
id: NK-WP-0017-T6
status: todo
priority: high
state_hub_task_id: "ada5a9f5-19f6-4e9e-a176-b1b47ec36ca7"
```

**Multi-app tests.** Add tests for namespace collisions, catalog activation failure, application-specific profile values, projection redaction, application access denial, catalog migration checks, and onboarding two demo applications side by side.

```task
id: NK-WP-0017-T7
status: todo
priority: medium
state_hub_task_id: "09f38d5c-af6c-4d95-a570-e5a5c25d7cfe"
```

**Developer-facing integration examples.** Provide examples or fixtures that show how a new application registers, owns a catalog namespace, requests runtime projections, and handles profile-change events.

## Acceptance Criteria

- Multiple applications can register without attribute collisions.
- Catalog ownership and lifecycle are enforced.
- Application-specific profile values resolve consistently with global and tenant layers.
- Runtime projections expose only eligible attributes.
- Claims enrichment is explicitly optional and adapter-owned.
- Tests cover multi-app positive, negative, and migration paths.

## Dependencies And Sequencing

- Depends on NK-WP-0015.
- Coordinates with NK-WP-0016 where application behavior is tenant-scoped.