feat: implement access profiles and hats

src/user_engine/ports.py

@@ -12,6 +12,9 @@ from typing import Any, Iterable, Mapping, Protocol
 
 from user_engine.domain import (
     Account,
+    AccessControlFact,
+    AccessProfile,
+    ActiveAccessContext,
     Actor,
     Application,
     ApplicationBinding,
@@ -160,6 +163,28 @@ class UserEngineStore(Protocol):
     ) -> tuple[PreparedAccount, ...]:
         """Return prepared account packages for a tenant."""
 
+    def save_access_profile(self, profile: AccessProfile) -> None:
+        """Create or replace an access profile template."""
+
+    def access_profile(self, access_profile_id: str) -> AccessProfile | None:
+        """Return an access profile template by id."""
+
+    def access_profiles_for_tenant(self, tenant: str) -> tuple[AccessProfile, ...]:
+        """Return access profile templates for a tenant."""
+
+    def save_active_access_context(self, context: ActiveAccessContext) -> None:
+        """Create or replace the user's active access context for a tenant."""
+
+    def active_access_context(
+        self, user_id: str, tenant: str
+    ) -> ActiveAccessContext | None:
+        """Return the user's active access context for a tenant."""
+
+    def active_access_contexts_for_tenant(
+        self, tenant: str
+    ) -> tuple[ActiveAccessContext, ...]:
+        """Return active access contexts for a tenant."""
+
     def save_profile_value(self, value: ProfileValue) -> None:
         """Create or replace a profile value."""
 
@@ -228,6 +253,13 @@ class MembershipFactExporter(Protocol):
         """Return an adapter-neutral membership fact manifest."""
 
 
+class AccessControlFactExporter(Protocol):
+    """Export access-control facts to an external policy or ACL system."""
+
+    def export(self, facts: Iterable[AccessControlFact]) -> Mapping[str, Any]:
+        """Return an adapter-neutral access-control fact manifest."""
+
+
 class EventOutbox(Protocol):
     """Persist and publish durable domain events."""