Implement identity canon alignment

docs/evidence-gap-examples.md

@@ -0,0 +1,62 @@
+# Evidence Gap Examples
+
+Status: candidate
+Updated: 2026-06-05
+
+`user-engine` should not pretend missing review or governance material exists.
+When identity-domain context lacks evidence, policy, control, review, or task
+references, the gap must be explicit and handoff-ready.
+
+## Gap Shape
+
+```yaml
+gap_id: evidence:no-audit-records
+subject:
+  concept: Account
+  identifier: acct_example
+scope: tenant:acme
+reason: No local audit or external evidence reference supports this identity-domain claim.
+proposed_disposition: create_or_link_lifecycle_task
+owner: user-engine adapter boundary
+```
+
+## Privileged Membership Without External Review
+
+```yaml
+gap_id: review:tenant-admin-membership
+subject:
+  concept: Access Grant
+  identifier: mem_example
+scope: tenant:acme
+reason: Tenant admin membership has local audit evidence but no external access review reference.
+proposed_disposition: link AccessReview through EvidenceReferenceExporter or create review task through LifecycleTaskSink.
+```
+
+## Policy Or Control Reference Missing
+
+```yaml
+gap_id: control:tenant-isolation-reference
+subject:
+  concept: Membership Relationship
+  identifier: mem_example
+scope: tenant:acme
+reason: Membership is tenant-scoped, but no external policy/control reference was supplied.
+proposed_disposition: resolve policy and control through PolicyControlReferenceResolver.
+```
+
+## Lifecycle Task Handoff
+
+```yaml
+task_reference:
+  concept: Task
+  identifier: task_from_lifecycle_sink
+source_gap: review:tenant-admin-membership
+summary: Review tenant-admin membership for tenant:acme.
+evidence:
+  - concept: Evidence Source
+    identifier: aud_example
+```
+
+These examples are intentionally adapter-neutral. The task, review, policy, and
+control source of truth belongs to the surrounding NetKingdom systems unless a
+future workplan assigns one of those responsibilities to `user-engine`.