generated from coulomb/repo-seed
Implement identity canon alignment
29
SCOPE.md
@@ -2,27 +2,35 @@

## One-Liner

Headless user-domain and profile engine for accounts, identity links,
preferences, memberships, application catalogs, projections, audit, and
events.
Headless user-domain and identity-domain integration engine for accounts,
identity links, actor/principal/subject context, preferences, memberships,
application catalogs, projections, evidence references, audit, and events.

## In Scope

- user and account records;
- account lifecycle state;
- external identity links;
- actor, authenticated subject, authorization principal, account, and user
context mappings;
- global, tenant, application, and membership profile values;
- preference values;
- tenant, application, team, and scope memberships;
- identity-context read models for domain consumers;
- canon interface cards, entity mappings, relationship mappings, and explicit
gap records;
- application registry for profile consumers;
- customization catalog registry and validation;
- effective profile resolution;
- projection APIs for self-service, admin, application runtime, audit, and
agent contexts;
- audit records and lifecycle/profile-change events;
- local evidence references derived from audit and event records;
- local standalone development mode;
- integration ports for identity claims, authorization checks, events, and
runtime secrets.
runtime secrets;
- adapter contracts for evidence export, policy/control references, and
lifecycle task handoff.

## Out Of Scope

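Review bot: the new In Scope items "canon interface cards, entity mappings, relationship mappings, and explicit gap records" and "local evidence references derived from audit and event records" use terms this file never defines; add a one-line definition or a pointer to where "canon" and "evidence reference" are specified, and state that local evidence references are derived views of user-engine's own audit and event records rather than a system of record, since the list also adds "adapter contracts for evidence export" and the Boundary Rule below hands "durable audit" to other systems. The trailing line "runtime secrets." becomes "runtime secrets;" only because a new bullet follows it, so the new last bullet "lifecycle task handoff." now carries the terminating period; that is fine, but check that no other file quotes the old list verbatim.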
@@ -30,16 +38,21 @@ events.
- password, passkey, session, and MFA lifecycle;
- OIDC/SAML token issuance;
- final authorization policy decisions;
- durable authorization grant authority outside user-engine-owned memberships;
- policy, control, access-review, exception, and organization source-of-truth
ownership;
- runtime secret custody;
- UI implementation;
- full SCIM server or enterprise directory replacement in the initial product.

## Boundary Rule

user-engine owns user-domain facts and projections. Other systems may provide
identity, authorization, deployment, event transport, or UI surfaces, but they
must integrate through explicit interfaces rather than becoming hidden sources
of profile truth.
user-engine owns user-domain facts, identity-context mappings, and projections.
Other systems may provide authentication, IAM claims, authorization decisions,
policy/control authority, deployment, event transport, durable audit, secrets,
organization records, or UI surfaces, but they must integrate through explicit
interfaces rather than becoming hidden sources of profile or identity-domain
truth.

## Current Planning

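Review bot: the revised Boundary Rule makes user-engine the owner of "identity-context mappings" while listing "IAM claims" and "authorization decisions" as things other systems provide, yet it also forbids those systems from becoming sources of "identity-domain truth"; spell out the direction of trust so a consumer cannot read a mapping as a grant. Suggested wording after the last sentence: "Identity-context mappings are derived from externally issued claims and are never an authentication or authorization source of their own." That keeps the rule consistent with "final authorization policy decisions" and "durable authorization grant authority outside user-engine-owned memberships" being out of scope in the same hunk.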