---
id: USER-WP-0002
type: workplan
title: "User Engine Isolated MVP"
domain: netkingdom
repo: user-engine
status: finished
owner: codex
topic_slug: netkingdom
planning_priority: high
planning_order: 2
created: "2026-05-22"
updated: "2026-05-22"
depends_on:
  - USER-WP-0001
state_hub_workstream_id: "780ce3bb-9af0-43dc-85cd-a9288e3d74c7"
---

# USER-WP-0002 - User Engine Isolated MVP

## Goal

Implement the smallest useful headless service in isolation: users, accounts, identity links, one application, one catalog, profile values, effective profile resolution, projections, audit, outbox, and tests.

## Tasks

```task
id: USER-WP-0002-T1
status: done
priority: high
state_hub_task_id: "0b43c19e-7ca4-4d32-93f4-3c083a200092"
```

Implement the domain model and local persistence migrations.

```task
id: USER-WP-0002-T2
status: done
priority: high
state_hub_task_id: "d6404f5c-292f-4eb5-819b-42fe8c237c60"
```

Implement IAM Profile-compatible fixture actor handling and local identity linking by `(issuer, subject)`.

```task
id: USER-WP-0002-T3
status: done
priority: high
state_hub_task_id: "b0b0ad70-d590-4faf-916e-41dbf25d6c5f"
```

Implement the authorization check port with a deterministic local test adapter.

```task
id: USER-WP-0002-T4
status: done
priority: high
state_hub_task_id: "ce310565-75e3-4fb4-9358-0aaff14a8ada"
```

Implement headless APIs for health, readiness, `me`, users, account lifecycle, identity links, applications, catalogs, profiles, projections, and audit.

```task
id: USER-WP-0002-T5
status: done
priority: high
state_hub_task_id: "4ebb8649-e3ff-4da8-80cd-eef8b1488129"
```

Implement catalog validation, profile value validation, defaults, global plus application profile layers, and inspectable effective profile resolution.

```task
id: USER-WP-0002-T6
status: done
priority: high
state_hub_task_id: "a238bbd8-95bb-499a-85f4-744acce188d4"
```

Persist audit records and outbox events atomically with mutations.

```task
id: USER-WP-0002-T7
status: done
priority: high
state_hub_task_id: "a9826644-1fea-4ada-bc21-7c545e790ffc"
```

Add tests for lifecycle, identity linking, catalog validation, profile update authorization, projections, redaction, audit/outbox atomicity, and deny paths.

## Acceptance Criteria

- A demo application can register, publish a catalog, write profile values, and read an effective projection.
- Self-service and admin-style operations work through the local auth adapter.
- Sensitive values are redacted in non-eligible projections.
- MVP tests cover positive and negative use cases.