# SCOPE

## One-Liner

Headless user-domain and profile engine for accounts, identity links, preferences, memberships, application catalogs, projections, audit, and events.

## In Scope

- user and account records;
- account lifecycle state;
- external identity links;
- global, tenant, application, and membership profile values;
- preference values;
- tenant, application, team, and scope memberships;
- application registry for profile consumers;
- customization catalog registry and validation;
- effective profile resolution;
- projection APIs for self-service, admin, application runtime, audit, and agent contexts;
- audit records and lifecycle/profile-change events;
- local standalone development mode;
- integration ports for identity claims, authorization checks, events, and runtime secrets.

## Out Of Scope

- login and authentication flows;
- password, passkey, session, and MFA lifecycle;
- OIDC/SAML token issuance;
- final authorization policy decisions;
- runtime secret custody;
- UI implementation;
- full SCIM server or enterprise directory replacement in the initial product.

## Boundary Rule

user-engine owns user-domain facts and projections. Other systems may provide identity, authorization, deployment, event transport, or UI surfaces, but they must integrate through explicit interfaces rather than becoming hidden sources of profile truth.

## Current Planning

Implementation work is tracked in `workplans/USER-WP-0001` through `USER-WP-0006`.