net-kingdom/workplans/NK-WP-0017-user-engine-multi-application-catalogs.md

---
id: NK-WP-0017
type: workplan
title: "User Engine Multi-Application And Catalog Support"
domain: netkingdom
repo: net-kingdom
status: ready
owner: codex
topic_slug: netkingdom
planning_priority: high
planning_order: 17
created: "2026-05-22"
updated: "2026-05-22"
depends_on:
- NK-WP-0015
state_hub_workstream_id: "08398d26-cadf-44bc-97ee-67da790040e6"
---
# NK-WP-0017 - User Engine Multi-Application And Catalog Support
## Goal
Extend user-engine from a single-app MVP into a governed multi-application
profile and customization service. Applications should be able to register as
profile consumers, own catalog namespaces, publish versioned customization
catalogs, and receive application-specific projections without attribute
collisions or data leakage.
## Scope
In scope:
- application registry and bindings;
- catalog namespace ownership;
- catalog lifecycle and migration checks;
- application-specific profile layers;
- application runtime projections;
- optional claims-enrichment boundary;
- multi-app tests and examples.
Out of scope:
- UI implementation;
- full marketplace or plugin ecosystem;
- enterprise SCIM server;
- making user-engine a token issuer.
## Tasks
```task
id: NK-WP-0017-T1
status: todo
priority: high
state_hub_task_id: "9363492d-49af-4929-bb64-576ed8c47ddb"
```
**Application registry split.** Implement user-engine application records as
profile-consumer records with explicit bindings to IAM OIDC clients,
flex-auth protected systems, catalog namespaces, event identities, and
deployment metadata.
```task
id: NK-WP-0017-T2
status: todo
priority: high
state_hub_task_id: "cd9dff26-d570-4f9f-9ebf-6f20eddf3ef0"
```
**Catalog namespace governance.** Implement namespace ownership, catalog
semantic versions, lifecycle states, compatibility checks, sensitivity
downgrade prevention, and activation/deprecation flows.
```task
id: NK-WP-0017-T3
status: todo
priority: high
state_hub_task_id: "6bbe4250-a6e7-4ecf-b916-7e79eddd76f6"
```
**Application profile layer.** Add application-specific profile values,
preferences, defaults, and effective-profile precedence rules that compose
with global and tenant layers.
```task
id: NK-WP-0017-T4
status: todo
priority: high
state_hub_task_id: "29012ed5-f6c2-455f-8999-037a653d14e1"
```
**Application runtime projections.** Implement app-specific projection
requests with allowed projection types, attribute-level visibility,
mutability, sensitivity, and redaction rules.
```task
id: NK-WP-0017-T5
status: todo
priority: medium
state_hub_task_id: "a3226c20-1278-409e-a49d-965e4783dc7a"
```
**Claims-enrichment adapter boundary.** Specify and, if appropriate, prototype
an optional cache-backed projection used by IAM-side claims enrichment. The
implementation must not place user-engine synchronously in the default token
issuance path.
```task
id: NK-WP-0017-T6
status: todo
priority: high
state_hub_task_id: "ada5a9f5-19f6-4e9e-a176-b1b47ec36ca7"
```
**Multi-app tests.** Add tests for namespace collisions, catalog activation
failure, application-specific profile values, projection redaction,
application access denial, catalog migration checks, and onboarding two demo
applications side by side.
```task
id: NK-WP-0017-T7
status: todo
priority: medium
state_hub_task_id: "09f38d5c-af6c-4d95-a570-e5a5c25d7cfe"
```
**Developer-facing integration examples.** Provide examples or fixtures that
show how a new application registers, owns a catalog namespace, requests
runtime projections, and handles profile-change events.
## Acceptance Criteria
- Multiple applications can register without attribute collisions.
- Catalog ownership and lifecycle are enforced.
- Application-specific profile values resolve consistently with global and
tenant layers.
- Runtime projections expose only eligible attributes.
- Claims enrichment is explicitly optional and adapter-owned.
- Tests cover multi-app positive, negative, and migration paths.
## Dependencies And Sequencing
- Depends on NK-WP-0015.
- Coordinates with NK-WP-0016 where application behavior is tenant-scoped.