---
id: NK-WP-0018
type: workplan
title: "User Engine Integrated Test Scenarios"
domain: netkingdom
repo: net-kingdom
status: ready
owner: codex
topic_slug: netkingdom
planning_priority: high
planning_order: 18
created: "2026-05-22"
updated: "2026-05-22"
depends_on:
- NK-WP-0016
- NK-WP-0017
state_hub_workstream_id: "6f75035a-e056-4eab-8fdb-00a18bacdf87"
---
# NK-WP-0018 - User Engine Integrated Test Scenarios
## Goal
Extend user-engine test coverage from isolated MVP tests to realistic
standalone, platform, multi-tenant, multi-application, audit, and performance
scenarios. The test suite should prove the architecture boundaries rather than
only individual functions.
## Scope
In scope:
- scenario matrix;
- local identity and IAM Profile fixtures;
- flex-auth authorization harness;
- multi-tenant and multi-application integration tests;
- audit/outbox/correlation tests;
- effective-profile performance tests;
- CI/readiness gates.
Out of scope:
- full production Railiance deployment;
- full enterprise SCIM conformance;
- UI end-to-end tests for future UI repos.
## Tasks
```task
id: NK-WP-0018-T1
status: todo
priority: high
state_hub_task_id: "6da86ef6-ea8b-49b9-8897-cbed00f6e61d"
```
**Scenario matrix.** Define canonical scenarios: standalone single-app,
standalone denied access, platform local-identity fixture, tenant admin,
platform operator, cross-tenant denial, two applications with separate
catalogs, sensitive projection redaction, and event/audit replay.
```task
id: NK-WP-0018-T2
status: todo
priority: high
state_hub_task_id: "e3424148-90d6-4c43-8f15-988f2a21d166"
```
**Identity fixtures.** Add IAM Profile claim fixtures for human, service,
agent, delegated agent, tenant admin, platform operator, break-glass, local
development issuer, and invalid/expired/missing-tenant tokens.
```task
id: NK-WP-0018-T3
status: todo
priority: high
state_hub_task_id: "23fa4617-e7ce-4cdc-b753-489ec361757b"
```
**Authorization harness.** Add a deterministic flex-auth-compatible test
harness that supports allow, deny, obligation, tenant-boundary, assurance, and
bulk decision scenarios.
```task
id: NK-WP-0018-T4
status: todo
priority: high
state_hub_task_id: "33c53479-7856-42ee-b9ee-8795aa73c39a"
```
**End-to-end domain scenarios.** Test full flows from actor claims through
authorization, mutation, profile resolution, projection, audit write, and
outbox event creation.
```task
id: NK-WP-0018-T5
status: todo
priority: medium
state_hub_task_id: "fc2d73e4-1f45-4891-9c31-1a4dc2f3a002"
```
**Performance and cache tests.** Add tests or benchmarks for effective-profile
resolution, projection rendering, authorization batching, request-scoped
memoization, and cache invalidation on catalog/profile/membership changes.
```task
id: NK-WP-0018-T6
status: todo
priority: high
state_hub_task_id: "26b63aa0-deb6-4b4d-9388-6b7e531bd4ff"
```
**Security and privacy negative tests.** Cover local issuer rejection in
production, sensitive attribute leakage, cross-tenant reads/writes, admin
overreach, catalog sensitivity downgrade, namespace hijack, stale membership
facts, and missing audit correlation.
```task
id: NK-WP-0018-T7
status: todo
priority: medium
state_hub_task_id: "a46e6e78-71a1-4518-881f-85b39269f4a8"
```
**CI and readiness gates.** Add repeatable commands for unit, integration,
scenario, and conformance-style tests. Document what must pass before a
platform deployment or UI consumer can depend on user-engine.
## Acceptance Criteria
- The test suite proves standalone, tenant, multi-app, authorization, profile,
projection, audit, and event behavior.
- Negative tests cover the architecture review risks.
- Scenario fixtures are readable enough for future agents and developers to
extend.
- CI/readiness commands are documented and deterministic.
## Dependencies And Sequencing
- Depends on NK-WP-0016 and NK-WP-0017.
- Feeds the final implementation assessment in NK-WP-0019.