Implement identity canon alignment

2026-06-05 16:04:43 +02:00
parent fe446711de
commit c6d211f472
15 changed files with 1008 additions and 21 deletions
--- a/src/user_engine/ports.py
+++ b/src/user_engine/ports.py
@@ -15,6 +15,7 @@ from user_engine.domain import (
    AuditRecord,
    AuthorizationDecision,
    AuthorizationRequest,
+    CanonEntityReference,
    Membership,
    OutboxEvent,
 )
@@ -76,6 +77,37 @@ class AuditWriter(Protocol):
        """Persist an audit record."""


+class EvidenceReferenceExporter(Protocol):
+    """Export audit/review material as identity-canon evidence references."""
+
+    def export(
+        self, audit_records: Iterable[AuditRecord]
+    ) -> tuple[CanonEntityReference, ...]:
+        """Return evidence references without owning the platform audit sink."""
+
+
+class PolicyControlReferenceResolver(Protocol):
+    """Resolve policy/control references for identity-domain traces."""
+
+    def references_for(
+        self, request: AuthorizationRequest, decision: AuthorizationDecision
+    ) -> Mapping[str, CanonEntityReference]:
+        """Return policy, control, review, or exception references when known."""
+
+
+class LifecycleTaskSink(Protocol):
+    """Handoff identity-domain gaps or lifecycle work to a task system."""
+
+    def create_or_link(
+        self,
+        *,
+        summary: str,
+        subject: CanonEntityReference,
+        evidence: Iterable[CanonEntityReference] = (),
+    ) -> CanonEntityReference:
+        """Return the task reference created or linked by the downstream system."""
+
+
 class SecretProvider(Protocol):
    """Load runtime secret material from the active environment."""