Start user-engine implementation scaffold

2026-05-22 20:55:27 +02:00
parent e618b4e286
commit 58d9de26d3
14 changed files with 763 additions and 7 deletions
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -0,0 +1,44 @@
+# Configuration Boundaries
+
+## Standalone Mode
+
+Standalone mode is for local development, tests, prototypes, and small
+single-service deployments.
+
+Expected characteristics:
+
+- local configuration file or environment variables;
+- local database or file-backed persistence during early development;
+- fixture or local identity claims adapter;
+- deterministic authorization test adapter;
+- no password, MFA, or token issuance responsibility inside user-engine.
+
+## Platform Mode
+
+Platform mode is for a NetKingdom-aligned shared service deployment.
+
+Expected characteristics:
+
+- verified IAM Profile claims arrive from an identity layer;
+- authorization decisions are requested through the authorization check port;
+- runtime secrets are delivered through a scoped secret provider;
+- audit records and outbox events are correlated with platform sinks;
+- tenant and application bindings are explicit.
+
+## Secret Names
+
+The code should refer to logical secret names, not platform paths. Concrete
+secret lookup is owned by the active `SecretProvider` adapter.
+
+Initial logical names:
+
+- `database.url`
+- `event.signing_key`
+- `webhook.shared_secret`
+
+## Production Guardrails
+
+- Local issuers must be rejected by production adapters.
+- Sensitive writes must fail closed when authorization is unavailable.
+- Claims enrichment must be optional and must not make user-engine a token
+  issuer.