test: add registration security conformance

docs/scenarios.md

@@ -16,6 +16,27 @@ projection, audit, and event behavior testable without a UI.
 | audit_event_replay | Mutations carry audit records, outbox events, and correlation ids. |
 | identity_canon_context | Actor, user, account, authenticated subject, authorization principal, tenant, membership, grant-like facts, and evidence references stay distinguishable. |
 | family_dataspace_onboarding | A family tenant can register a personal dataspace, invite members, accept SSO identities, project claims context, and deny cross-family access. |
+| registration_onboarding_full | Registration, prepared claim, active hat, claims projection, onboarding, access fact export, and UI diagnostics work as one local flow. |
+| prepared_account_claim | Prepared rights can be claimed only after matching verified factors. |
+| privileged_role_requires_approval | Privileged prepared roles fail closed without approval. |
+| eid_assurance_registration | eID-backed factor evidence can participate in registration conformance. |
+| tenant_admin_invite | Tenant admins can prepare users and inspect diagnostics without issuing credentials. |
+| group_access_hat | Group-derived memberships can produce active hat and access-control facts. |
+| denied_cross_tenant_claim | Cross-tenant prepared claims and tenant overreach fail closed. |
+| ui_registration_access_flow | USER-WP-0014 UI contracts cover registration, prepared rights, hats, admin diagnostics, redaction, and responsive metadata. |
+
+## Registration Scenario Matrix
+
+`REGISTRATION_SCENARIO_MATRIX` covers:
+
+- self-registration;
+- prepared account claim;
+- privileged role requiring approval;
+- eID-backed assurance;
+- family invite;
+- tenant admin invite;
+- group access;
+- denied cross-tenant claim.
 
 ## Fixture Actors