coulomb/user-engine
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

test: add registration security conformance

Browse Source
This commit is contained in:
Bernd Worsch
2026-06-15 23:59:45 +02:00
parent aaefa48212
commit 2ceecf6463
10 changed files with 846 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

47
workplans/USER-WP-0015-registration-scenario-and-security-conformance.md
View File

@@ -4,7 +4,7 @@ type: workplan
title: "Registration Scenario And Security Conformance"
domain: netkingdom
repo: user-engine
status: proposed
status: finished
owner: codex
topic_slug: netkingdom
planning_priority: medium
@@ -44,7 +44,7 @@ should cover both headless APIs and the optional UI surface where present.
```task
id: USER-WP-0015-T1
status: todo
status: done
priority: high
state_hub_task_id: "5ca0a269-559d-4138-b702-9984a411f2ed"
```
@@ -55,7 +55,7 @@ tenant admin invite, group access, and denied cross-tenant claim.
```task
id: USER-WP-0015-T2
status: todo
status: done
priority: high
state_hub_task_id: "6ee492b1-923f-4aa0-8e17-b69f522c4898"
```
@@ -65,7 +65,7 @@ claims enrichment, active hat selection, and onboarding event emission.
```task
id: USER-WP-0015-T3
status: todo
status: done
priority: high
state_hub_task_id: "b813a88f-ced6-40ce-9a25-d1c666fb73c9"
```
@@ -76,7 +76,7 @@ privileged role escalation, and stale approvals.
```task
id: USER-WP-0015-T4
status: todo
status: done
priority: medium
state_hub_task_id: "5a03ac1a-1f8e-455b-8f75-691e8bdda286"
```
@@ -86,7 +86,7 @@ prepared-account metadata, active hat context, and access-profile evidence.
```task
id: USER-WP-0015-T5
status: todo
status: done
priority: medium
state_hub_task_id: "fcf32b4d-d050-4989-bb05-844e0d13e548"
```
@@ -97,7 +97,7 @@ durable store behavior.
```task
id: USER-WP-0015-T6
status: todo
status: done
priority: medium
state_hub_task_id: "a7850784-3b86-453f-bbc7-1d53d0813f82"
```
@@ -119,3 +119,36 @@ prepared rights review, hat selection, admin preparation, and blocked journey.
- Headless and UI conformance tests.
- Security negative-path test suite.
- Adapter conformance harness for registration dependencies.
## Implementation Notes
Implemented on 2026-06-15:
- Extended `SCENARIO_MATRIX` and added `REGISTRATION_SCENARIO_MATRIX` covering
self-registration, prepared account claim, privileged role approval gates,
eID-backed assurance, family invite, tenant admin invite, group access, and
denied cross-tenant claim.
- Added `tests/test_registration_security_conformance.py` for a full local
registration -> prepared claim -> active hat -> claims projection ->
identity context -> access fact export -> onboarding -> UI diagnostics path.
- Added security negative-path tests for weak factor requirements, duplicate
identity links, prepared-account hijack attempts, expired claims,
cross-tenant/missing tenant context, privileged prepared-role approval, and
stale approval through approval-required access profiles.
- Added redaction and diagnostics checks for factor values, prepared-account
email metadata, sensitive profile values, access-profile claims/defaults,
and proofing adapter secrets.
- Added adapter conformance coverage for factor verification normalization,
authorization harness capture, access fact export, onboarding handoff/resume,
audit availability, outbox replay, and local durable-store behavior.
- Extended UI workflow coverage from USER-WP-0014 through the conformance
path and documented the local conformance contract in
`docs/registration-scenario-and-security-conformance.md`.
Verification:
```text
make test
Ran 75 tests in 1.506s
OK
```