test: add registration security conformance

docs/contracts.md

@@ -43,6 +43,19 @@ accessible HTML verification. It does not handle credential entry, MFA
 challenges, token issuance, hidden policy decisions, notifications, or
 service-specific admin consoles.
 
+## Scenario And Security Conformance Contract
+
+`user_engine.testing.scenarios` defines `SCENARIO_MATRIX` and
+`REGISTRATION_SCENARIO_MATRIX` for local conformance. The matrix covers
+self-registration, prepared-account claims, privileged approval gates,
+eID-backed assurance, family invite, tenant admin invite, group access,
+cross-tenant denial, and USER-WP-0014 UI workflows.
+
+Conformance tests must run without production IAM, proofing, notification,
+workflow, authorization-engine, or database infrastructure. They exercise
+adapter seams with local harnesses and assert fail-closed behavior, audit
+evidence, outbox replay, redaction, and durable transaction semantics.
+
 ## Registration Contract
 
 Registration is a headless user-entry facade. It creates a