test: add registration security conformance

2026-06-15 23:59:45 +02:00
parent aaefa48212
commit 2ceecf6463
10 changed files with 846 additions and 11 deletions
--- a/docs/contracts.md
+++ b/docs/contracts.md
@@ -43,6 +43,19 @@ accessible HTML verification. It does not handle credential entry, MFA
 challenges, token issuance, hidden policy decisions, notifications, or
 service-specific admin consoles.

+## Scenario And Security Conformance Contract
+
+`user_engine.testing.scenarios` defines `SCENARIO_MATRIX` and
+`REGISTRATION_SCENARIO_MATRIX` for local conformance. The matrix covers
+self-registration, prepared-account claims, privileged approval gates,
+eID-backed assurance, family invite, tenant admin invite, group access,
+cross-tenant denial, and USER-WP-0014 UI workflows.
+
+Conformance tests must run without production IAM, proofing, notification,
+workflow, authorization-engine, or database infrastructure. They exercise
+adapter seams with local harnesses and assert fail-closed behavior, audit
+evidence, outbox replay, redaction, and durable transaction semantics.
+
 ## Registration Contract

 Registration is a headless user-entry facade. It creates a
--- a/docs/netkingdom-registration-onboarding-vision.md
+++ b/docs/netkingdom-registration-onboarding-vision.md
@@ -236,8 +236,8 @@ once.
 ## Recommended Workplans

 As of 2026-06-15, `USER-WP-0010`, `USER-WP-0011`, `USER-WP-0012`,
-`USER-WP-0013`, and `USER-WP-0014` are implemented as user-engine slices. The
-later security-conformance workplan remains recommended follow-on work.
+`USER-WP-0013`, `USER-WP-0014`, and `USER-WP-0015` are implemented as
+user-engine slices.

 | Workplan | Title | Purpose |
 | --- | --- | --- |
--- a/docs/registration-scenario-and-security-conformance.md
+++ b/docs/registration-scenario-and-security-conformance.md
@@ -0,0 +1,108 @@
+# Registration Scenario And Security Conformance
+
+Status: implemented conformance slice
+Date: 2026-06-15
+Related workplan: USER-WP-0015
+
+## Purpose
+
+This slice turns the NetKingdom registration and onboarding roadmap into an
+executable local conformance contract. It proves that the headless APIs and the
+optional UI contract can complete the main registration journey, fail closed on
+security negative paths, redact sensitive values, and exercise adapter seams
+without production infrastructure.
+
+## Scenario Matrix
+
+The registration matrix is defined in `user_engine.testing.scenarios` as
+`REGISTRATION_SCENARIO_MATRIX`.
+
+It covers:
+
+- self-registration;
+- prepared account claim;
+- privileged role requiring approval;
+- eID-backed assurance;
+- family invite;
+- tenant admin invite;
+- group access;
+- denied cross-tenant claim.
+
+The broader `SCENARIO_MATRIX` now also names registration/onboarding,
+prepared-claim, group-access hat, denied cross-tenant claim, and UI workflow
+coverage.
+
+## End-To-End Conformance
+
+`tests/test_registration_security_conformance.py` includes a full local flow:
+
+```text
+register application/catalog
+prepare account with onboarding hint
+complete email-backed registration
+claim prepared account
+select active hat
+read claims projection and identity context
+export access-control facts
+render admin UI
+assert onboarding event emission and redaction
+```
+
+This proves the path from registration through identity context, claims
+enrichment, active access context, access fact export, onboarding, and UI
+diagnostics.
+
+## Security Negative Paths
+
+The conformance suite exercises fail-closed behavior for:
+
+- weak factor requirements;
+- duplicate identity links;
+- prepared-account hijack attempts;
+- expired prepared claims;
+- missing or cross-tenant context;
+- privileged prepared roles requiring approval;
+- stale approval through approval-required access profiles.
+
+Denied prepared-account claim decisions leave audit evidence without creating
+memberships for the attacker or emitting successful activation events.
+
+## Redaction And Diagnostics
+
+Conformance checks assert that these values do not leak through diagnostics,
+events, or UI output:
+
+- normalized factor values;
+- email addresses used for prepared account matching;
+- sensitive profile values;
+- access profile claim/default values;
+- proofing adapter secret input.
+
+Sensitive profile values are redacted in runtime projections as
+`<redacted>`.
+
+## Adapter Conformance
+
+The local adapter conformance path covers:
+
+- factor verification adapter normalization;
+- authorization harness request capture and obligations;
+- access-control fact export;
+- onboarding handoff lifecycle gaps and resume;
+- audit record availability;
+- outbox replay through pending events;
+- in-memory durable-store rollback behavior in existing port tests.
+
+No provider-specific IAM, eID, SMS, email, authorization-engine, notification,
+or workflow infrastructure is required.
+
+## Commands
+
+```bash
+make test
+make test-conformance
+```
+
+The Makefile targets currently run the same standard-library test suite. They
+remain separate entry points so CI can split unit, integration, scenario, and
+conformance execution later.
--- a/docs/scenarios.md
+++ b/docs/scenarios.md
@@ -16,6 +16,27 @@ projection, audit, and event behavior testable without a UI.
 | audit_event_replay | Mutations carry audit records, outbox events, and correlation ids. |
 | identity_canon_context | Actor, user, account, authenticated subject, authorization principal, tenant, membership, grant-like facts, and evidence references stay distinguishable. |
 | family_dataspace_onboarding | A family tenant can register a personal dataspace, invite members, accept SSO identities, project claims context, and deny cross-family access. |
+| registration_onboarding_full | Registration, prepared claim, active hat, claims projection, onboarding, access fact export, and UI diagnostics work as one local flow. |
+| prepared_account_claim | Prepared rights can be claimed only after matching verified factors. |
+| privileged_role_requires_approval | Privileged prepared roles fail closed without approval. |
+| eid_assurance_registration | eID-backed factor evidence can participate in registration conformance. |
+| tenant_admin_invite | Tenant admins can prepare users and inspect diagnostics without issuing credentials. |
+| group_access_hat | Group-derived memberships can produce active hat and access-control facts. |
+| denied_cross_tenant_claim | Cross-tenant prepared claims and tenant overreach fail closed. |
+| ui_registration_access_flow | USER-WP-0014 UI contracts cover registration, prepared rights, hats, admin diagnostics, redaction, and responsive metadata. |
+
+## Registration Scenario Matrix
+
+`REGISTRATION_SCENARIO_MATRIX` covers:
+
+- self-registration;
+- prepared account claim;
+- privileged role requiring approval;
+- eID-backed assurance;
+- family invite;
+- tenant admin invite;
+- group access;
+- denied cross-tenant claim.

 ## Fixture Actors