Add implementation workplans and integration boundaries

SCOPE.md

@@ -0,0 +1,47 @@
+# SCOPE
+
+## One-Liner
+
+Headless user-domain and profile engine for accounts, identity links,
+preferences, memberships, application catalogs, projections, audit, and
+events.
+
+## In Scope
+
+- user and account records;
+- account lifecycle state;
+- external identity links;
+- global, tenant, application, and membership profile values;
+- preference values;
+- tenant, application, team, and scope memberships;
+- application registry for profile consumers;
+- customization catalog registry and validation;
+- effective profile resolution;
+- projection APIs for self-service, admin, application runtime, audit, and
+  agent contexts;
+- audit records and lifecycle/profile-change events;
+- local standalone development mode;
+- integration ports for identity claims, authorization checks, events, and
+  runtime secrets.
+
+## Out Of Scope
+
+- login and authentication flows;
+- password, passkey, session, and MFA lifecycle;
+- OIDC/SAML token issuance;
+- final authorization policy decisions;
+- runtime secret custody;
+- UI implementation;
+- full SCIM server or enterprise directory replacement in the initial product.
+
+## Boundary Rule
+
+user-engine owns user-domain facts and projections. Other systems may provide
+identity, authorization, deployment, event transport, or UI surfaces, but they
+must integrate through explicit interfaces rather than becoming hidden sources
+of profile truth.
+
+## Current Planning
+
+Implementation work is tracked in `workplans/USER-WP-0001` through
+`USER-WP-0006`.