---
id: NK-WP-0018
type: workplan
title: "User Engine Integrated Test Scenarios"
domain: netkingdom
repo: net-kingdom
status: ready
owner: codex
topic_slug: netkingdom
planning_priority: high
planning_order: 18
created: "2026-05-22"
updated: "2026-05-22"
depends_on:
  - NK-WP-0016
  - NK-WP-0017
state_hub_workstream_id: "6f75035a-e056-4eab-8fdb-00a18bacdf87"
---

# NK-WP-0018 - User Engine Integrated Test Scenarios

## Goal

Extend user-engine test coverage from isolated MVP tests to realistic standalone, platform, multi-tenant, multi-application, audit, and performance scenarios. The test suite should prove the architecture boundaries rather than only individual functions.

## Scope

In scope:

- scenario matrix;
- local identity and IAM Profile fixtures;
- flex-auth authorization harness;
- multi-tenant and multi-application integration tests;
- audit/outbox/correlation tests;
- effective-profile performance tests;
- CI/readiness gates.

Out of scope:

- full production Railiance deployment;
- full enterprise SCIM conformance;
- UI end-to-end tests for future UI repos.

## Tasks

```task
id: NK-WP-0018-T1
status: todo
priority: high
state_hub_task_id: "6da86ef6-ea8b-49b9-8897-cbed00f6e61d"
```

**Scenario matrix.** Define canonical scenarios: standalone single-app, standalone denied access, platform local-identity fixture, tenant admin, platform operator, cross-tenant denial, two applications with separate catalogs, sensitive projection redaction, and event/audit replay.

```task
id: NK-WP-0018-T2
status: todo
priority: high
state_hub_task_id: "e3424148-90d6-4c43-8f15-988f2a21d166"
```

**Identity fixtures.** Add IAM Profile claim fixtures for human, service, agent, delegated agent, tenant admin, platform operator, break-glass, local development issuer, and invalid/expired/missing-tenant tokens.

```task
id: NK-WP-0018-T3
status: todo
priority: high
state_hub_task_id: "23fa4617-e7ce-4cdc-b753-489ec361757b"
```

**Authorization harness.** Add a deterministic flex-auth-compatible test harness that supports allow, deny, obligation, tenant-boundary, assurance, and bulk decision scenarios.

```task
id: NK-WP-0018-T4
status: todo
priority: high
state_hub_task_id: "33c53479-7856-42ee-b9ee-8795aa73c39a"
```

**End-to-end domain scenarios.** Test full flows from actor claims through authorization, mutation, profile resolution, projection, audit write, and outbox event creation.

```task
id: NK-WP-0018-T5
status: todo
priority: medium
state_hub_task_id: "fc2d73e4-1f45-4891-9c31-1a4dc2f3a002"
```

**Performance and cache tests.** Add tests or benchmarks for effective-profile resolution, projection rendering, authorization batching, request-scoped memoization, and cache invalidation on catalog/profile/membership changes.

```task
id: NK-WP-0018-T6
status: todo
priority: high
state_hub_task_id: "26b63aa0-deb6-4b4d-9388-6b7e531bd4ff"
```

**Security and privacy negative tests.** Cover local issuer rejection in production, sensitive attribute leakage, cross-tenant reads/writes, admin overreach, catalog sensitivity downgrade, namespace hijack, stale membership facts, and missing audit correlation.

```task
id: NK-WP-0018-T7
status: todo
priority: medium
state_hub_task_id: "a46e6e78-71a1-4518-881f-85b39269f4a8"
```

**CI and readiness gates.** Add repeatable commands for unit, integration, scenario, and conformance-style tests. Document what must pass before a platform deployment or UI consumer can depend on user-engine.

## Acceptance Criteria

- The test suite proves standalone, tenant, multi-app, authorization, profile, projection, audit, and event behavior.
- Negative tests cover the architecture review risks.
- Scenario fixtures are readable enough for future agents and developers to extend.
- CI/readiness commands are documented and deterministic.

## Dependencies And Sequencing

- Depends on NK-WP-0016 and NK-WP-0017.
- Feeds the final implementation assessment in NK-WP-0019.
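
An added sketch of the T2 fixtures and T6 negative tests as a deterministic scenario table. It is not code from the net-kingdom repo: the claim names (`iss`, `exp`, `tenant`), issuer URLs, environment names, and function names are assumptions, because this workplan does not define the IAM Profile claim format or the flex-auth API.

```python
# Added illustration: claim names, issuer URLs and function names are
# hypothetical, not the user-engine or flex-auth API.
LOCAL_DEV_ISSUER = "https://issuer.local.invalid"    # constructed value
PLATFORM_ISSUER = "https://issuer.platform.invalid"  # constructed value
NOW = 1_800_000_000  # fixed clock keeps every decision deterministic

def decide(claims, resource_tenant, environment, now=NOW):
    """Fail closed; check issuer, expiry, tenant presence, then tenant boundary."""
    trusted = {PLATFORM_ISSUER}
    if environment == "development":
        trusted.add(LOCAL_DEV_ISSUER)  # accepted only when explicitly in development
    if claims.get("iss") not in trusted:
        return "deny:untrusted_issuer"
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return "deny:expired"
    if not claims.get("tenant"):
        return "deny:missing_tenant"
    if claims["tenant"] != resource_tenant:
        return "deny:cross_tenant"
    return "allow"

def fixture(**overrides):
    """Valid human-actor claims; each negative fixture overrides exactly one field."""
    base = {"iss": PLATFORM_ISSUER, "sub": "user-1", "tenant": "tenant-a", "exp": NOW + 300}
    return {**base, **overrides}

# Constructed scenario table: (name, claims, resource tenant, environment, expected)
SCENARIOS = [
    ("valid", fixture(), "tenant-a", "production", "allow"),
    ("local issuer in production", fixture(iss=LOCAL_DEV_ISSUER), "tenant-a", "production", "deny:untrusted_issuer"),
    ("local issuer in development", fixture(iss=LOCAL_DEV_ISSUER), "tenant-a", "development", "allow"),
    ("expired", fixture(exp=NOW - 1), "tenant-a", "production", "deny:expired"),
    ("missing tenant", fixture(tenant=None), "tenant-a", "production", "deny:missing_tenant"),
    ("cross-tenant read", fixture(), "tenant-b", "production", "deny:cross_tenant"),
]

def failed_scenarios():
    """Names of scenarios whose decision differs from the expected one."""
    return [name for name, claims, tenant, env, want in SCENARIOS
            if decide(claims, tenant, env) != want]

if __name__ == "__main__":
    print(failed_scenarios() or "all scenarios passed")
```

Because the local issuer is trusted only on an exact `development` match, an unrecognized environment string denies it rather than silently widening trust.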