feat: implement prepared account claims

docs/contracts.md

@@ -9,6 +9,9 @@ HTTP or RPC adapters should preserve these operation names:
 - `start_registration`, `attach_registration_factor`, `complete_registration`,
   `abandon_registration`, `expire_registration`, `resume_registration`,
   `registration_diagnostics`
+- `prepare_account`, `update_prepared_account`, `list_prepared_accounts`,
+  `revoke_prepared_account`, `expire_prepared_account`,
+  `claim_prepared_account`
 - `me`, `create_user`, `set_account_status`, `link_identity`
 - `resolve_tenant_context`, `set_tenant_account_status`, `add_membership`,
   `tenant_diagnostics`
@@ -40,6 +43,25 @@ user-engine does not verify factors itself, issue credentials, perform MFA,
 run eID proofing, or issue tokens. Those remain external IAM/proofing adapter
 responsibilities.
 
+## Prepared Account Contract
+
+Prepared accounts are pending user-domain facts for people who have not yet
+registered or have not yet claimed their prepared rights. They can carry
+required factor matches, entitlement intent, preparer metadata, expiry, and
+claim lifecycle state, but they do not create credentials.
+
+`claim_prepared_account` requires a completed registration session and
+unexpired verified `IdentityFactor` records that satisfy every prepared factor
+requirement. A successful claim marks the package claimed and converts
+prepared entitlements into user-engine-owned facts: tenant account state,
+memberships, catalog validated profile values, application bindings, and
+onboarding-request events.
+
+Expired, revoked, claimed, mismatching, ambiguous, duplicate, or
+approval-required packages fail closed. Denied claim decisions are audited
+without outbox events. Mutation outbox payloads include ids, counts, statuses,
+factor types, and journey names, but not normalized factor values.
+
 ## Identity Context Contract
 
 `identity_context` is the first canon-facing read model for NetKingdom