feat: implement prepared account claims

workplans/USER-WP-0011-prepared-accounts-and-entitlement-claims.md

@@ -4,7 +4,7 @@ type: workplan
 title: "Prepared Accounts And Entitlement Claims"
 domain: netkingdom
 repo: user-engine
-status: proposed
+status: finished
 owner: codex
 topic_slug: netkingdom
 planning_priority: high
@@ -45,7 +45,7 @@ history.
 
 ```task
 id: USER-WP-0011-T1
-status: todo
+status: done
 priority: high
 state_hub_task_id: "11508f77-170b-4b22-bfdc-115a69bfe4db"
 ```
@@ -56,7 +56,7 @@ audit metadata.
 
 ```task
 id: USER-WP-0011-T2
-status: todo
+status: done
 priority: high
 state_hub_task_id: "86ca36d4-721b-48fe-8c0c-c6a1e6740d2f"
 ```
@@ -66,7 +66,7 @@ accounts, guarded by the authorization port.
 
 ```task
 id: USER-WP-0011-T3
-status: todo
+status: done
 priority: high
 state_hub_task_id: "fe5a08e8-1101-4cec-b02f-b2eee8928604"
 ```
@@ -76,7 +76,7 @@ prepared account requirements and produce explicit claim decisions.
 
 ```task
 id: USER-WP-0011-T4
-status: todo
+status: done
 priority: high
 state_hub_task_id: "8aef6d9e-5e76-4e44-bf81-58049b22a25c"
 ```
@@ -87,7 +87,7 @@ onboarding journey starts.
 
 ```task
 id: USER-WP-0011-T5
-status: todo
+status: done
 priority: medium
 state_hub_task_id: "527519a1-48ed-45fc-a6fc-739986ae6303"
 ```
@@ -97,7 +97,7 @@ matches, expired packages, privileged roles, and manual approval requirements.
 
 ```task
 id: USER-WP-0011-T6
-status: todo
+status: done
 priority: medium
 state_hub_task_id: "9530c8d6-82af-4635-8af8-aa79c54be94d"
 ```
@@ -122,3 +122,39 @@ activation, denial, expiry, and revocation.
 - Prepared entitlement activation facade.
 - Claim matching rules and tests.
 - Documentation for account preparation boundaries.
+
+## Implementation Notes
+
+Implemented on 2026-06-15:
+
+- Added `PreparedAccountStatus`, `PreparedEntitlementKind`,
+  `PreparedFactorRequirement`, `PreparedEntitlement`, and `PreparedAccount`
+  domain models.
+- Added prepared-account persistence to `UserEngineStore` and
+  `InMemoryUserEngineStore`, including transaction rollback snapshots and
+  adapter-neutral record counts.
+- Added `UserEngineService` prepared-account facade methods:
+  `prepare_account`, `update_prepared_account`, `list_prepared_accounts`,
+  `revoke_prepared_account`, `expire_prepared_account`, and
+  `claim_prepared_account`.
+- Added factor-match claim resolution for completed registrations, explicit
+  claim decisions, duplicate pending package checks, expiry handling,
+  weak-factor rejection, ambiguous-match rejection, expired-factor rejection,
+  and approval-required fail-closed behavior.
+- Added entitlement activation into tenant accounts, memberships, catalog
+  validated profile values, application bindings, and onboarding-request
+  outbox events.
+- Added audit/outbox behavior for preparation, update, claim, onboarding
+  request, expiry, and revocation while keeping normalized factor values out
+  of event payloads.
+- Added `docs/prepared-accounts-and-entitlement-claims.md`, public contract
+  updates, and scenario tests for successful claim, mismatch, ambiguity,
+  approval-required denial, list, and revoke behavior.
+
+Verification:
+
+```text
+make test
+Ran 55 tests in 0.362s
+OK
+```