Implement family dataspace onboarding

docs/contracts.md

@@ -11,6 +11,9 @@ HTTP or RPC adapters should preserve these operation names:
   `tenant_diagnostics`
 - `register_application`, `publish_catalog`
 - `set_profile_value`, `effective_profile`, `projection`, `identity_context`
+- `onboard_family_dataspace`, `invite_family_member`,
+  `resend_family_invitation`, `revoke_family_invitation`,
+  `accept_family_invitation`
 - `audit_records`, `outbox_events`
 
 ## Identity Context Contract
@@ -36,6 +39,24 @@ policy, control, access-review, exception, and lifecycle task references belong
 to adapter contracts and remain non-owned unless a later workplan assigns
 source-of-truth responsibility to user-engine.
 
+## Family Dataspace Onboarding Contract
+
+`onboard_family_dataspace` is a convenience facade for personal-family
+identity-domain setup. It composes existing user, account, tenant-account,
+membership, application, catalog, profile, audit, outbox, projection, and
+identity-context operations.
+
+The facade represents a family as a NetKingdom tenant plus a `family` scope. It
+does not provision the tenant, issue SSO tokens, own credentials, or implement
+the protected dataspace runtime. Family roles are scoped membership facts such
+as `owner`, `adult`, `child`, `guest`, and `delegated-caretaker`; authorization
+systems decide how those facts affect access.
+
+Invitation acceptance requires already-verified claims. user-engine stores
+local invitation lifecycle, links the verified external identity, activates
+account state, and returns both `identity_context` and a
+`CLAIMS_ENRICHMENT` projection for SSO adapters.
+
 ## Error Taxonomy
 
 - `ValidationError`: caller supplied an invalid shape, state transition, or