---
id: USER-WP-0014
type: workplan
title: "Registration And Access Management UI"
domain: communication
repo: user-engine
status: finished
owner: codex
topic_slug: netkingdom
planning_priority: medium
planning_order: 14
created: "2026-06-15"
updated: "2026-06-15"
depends_on:
  - USER-WP-0010
  - USER-WP-0011
  - USER-WP-0012
  - USER-WP-0013
state_hub_workstream_id: "011f7d20-5c9d-42a9-b7a3-b20a8ae9f557"
---

# USER-WP-0014 - Registration And Access Management UI

## Goal

Build an optional NetKingdom registration and access management UI backed by user-engine APIs. The UI should make registration, factor status, prepared rights, hat selection, profile completion, and onboarding journeys convenient without hiding IAM, authorization, proofing, or service-runtime boundaries.

## Scope Direction

The UI is an operating surface over user-engine domain APIs. It should be thin, workflow-oriented, and suitable for self-service users, tenant admins, family owners, and operators.

## Non-Goals

- Do not implement credential entry, password reset, passkeys, MFA challenges, or token issuance in the UI.
- Do not embed final authorization policy rules in frontend code.
- Do not replace service-specific admin consoles.
- Do not make UI state authoritative over domain records.

## Tasks

```task
id: USER-WP-0014-T1
status: done
priority: high
state_hub_task_id: "983087e1-c512-419f-86a6-b954d0a1ab54"
```

Define UI information architecture for registration, factor status, prepared-account claim, hat selection, profile completion, onboarding journey, and admin setup views.

```task
id: USER-WP-0014-T2
status: done
priority: high
state_hub_task_id: "0af5d8ef-0d1e-44bd-b807-bc40e87afef2"
```

Define UI API contracts or route handlers over the headless service facades. Keep proofing, IAM, authorization, and notification calls behind adapters.

```task
id: USER-WP-0014-T3
status: done
priority: high
state_hub_task_id: "a2e00aa3-5849-469c-a3a3-f4f5bd2df6c8"
```

Implement the self-service registration flow with resume, prepared rights review, factor status, terms/consent, and completion states.

```task
id: USER-WP-0014-T4
status: done
priority: medium
state_hub_task_id: "36d49049-cfe7-4f87-9a7f-78e37de9188a"
```

Implement hat selection and active access context views for realms, services, groups, and assets.

```task
id: USER-WP-0014-T5
status: done
priority: medium
state_hub_task_id: "e58038fc-6138-40cc-bb6b-4cbf7a8b0b87"
```

Implement admin views for prepared accounts, invitations, access profiles, group membership, realms/services/assets, and onboarding diagnostics.

```task
id: USER-WP-0014-T6
status: done
priority: medium
state_hub_task_id: "4de949d6-e330-41b2-87cf-9b9425f0f8be"
```

Add usability, accessibility, error-state, redaction, and mobile/desktop tests for the registration and admin flows.

## Acceptance Criteria

- A new user can complete a registration flow through the UI using adapter-supplied factor evidence.
- A prepared account claim can be reviewed and accepted or denied through the UI.
- Users can choose an active hat and see available realms/services without exposing internal policy logic.
- Admins can prepare accounts and inspect onboarding state.
- The UI does not store or display secrets, raw proofing payloads, or hidden authorization decisions.

## Expected Outputs

- Registration UI and API contract.
- Hat/access management UI views.
- Admin prepared-account and onboarding views.
- Frontend verification artifacts.

## Implementation Notes

Implemented on 2026-06-15:

- Added `user_engine.ui` with transport-neutral UI contracts: `UiRoute`, `UiApiContract`, `UiInformationArchitecture`, `UiScreen`, `UiSection`, `UiField`, `UiAction`, `UiRegistrationFlow`, and `RegistrationAccessManagementUi`.
- Defined information architecture for registration, prepared rights, active hat, profile, onboarding, and admin views, with mobile and desktop layout metadata.
- Added UI route contracts for registration start/factor/complete, prepared-rights review/accept/deny, active hat selection, and admin dashboard.
- Implemented self-service registration helpers with resume/status rendering, adapter-supplied factor evidence, terms/consent gating, and completion state.
- Implemented prepared-rights review and accept/dismiss screens while redacting factor values.
- Implemented active hat selection views over access profiles and active access context without exposing hidden policy logic.
- Implemented admin dashboard composition for registration diagnostics, prepared accounts, tenant membership state, access profiles, and onboarding diagnostics.
- Added accessible HTML verification rendering with semantic landmarks, labeled section navigation, action labels, and mobile/desktop layout metadata.
- Added `docs/registration-and-access-management-ui.md`, UI contract updates, and tests for route contracts, self-service registration, prepared claims, hat selection, admin redaction, accessibility, and responsive metadata.

Verification:

```text
make test
Ran 71 tests in 1.332s
OK
```