---
id: USER-WP-0015
type: workplan
title: "Registration Scenario And Security Conformance"
domain: communication
repo: user-engine
status: finished
owner: codex
topic_slug: netkingdom
planning_priority: medium
planning_order: 15
created: "2026-06-15"
updated: "2026-06-15"
depends_on:
  - USER-WP-0010
  - USER-WP-0011
  - USER-WP-0012
  - USER-WP-0013
  - USER-WP-0014
state_hub_workstream_id: "4f21e1c9-ad27-4ac9-888f-8f78c6abfb3b"
---

# USER-WP-0015 - Registration Scenario And Security Conformance

## Goal

Prove the full NetKingdom registration and onboarding model through executable scenarios, security negative paths, redaction checks, adapter conformance, and operability diagnostics.

## Scope Direction

This workplan turns the registration roadmap into a testable contract. It should cover both headless APIs and the optional UI surface where present.

## Non-Goals

- Do not add new product surface unless a test exposes a missing contract.
- Do not assert provider-specific IAM, eID, SMS, email, or authorization engine internals.
- Do not require production infrastructure for local conformance tests.

## Tasks

```task
id: USER-WP-0015-T1
status: done
priority: high
state_hub_task_id: "5ca0a269-559d-4138-b702-9984a411f2ed"
```

Define the registration scenario matrix: self-registration, prepared account claim, privileged role requiring approval, eID-backed assurance, family invite, tenant admin invite, group access, and denied cross-tenant claim.

```task
id: USER-WP-0015-T2
status: done
priority: high
state_hub_task_id: "6ee492b1-923f-4aa0-8e17-b69f522c4898"
```

Add end-to-end headless tests covering registration through identity context, claims enrichment, active hat selection, and onboarding event emission.
```task
id: USER-WP-0015-T3
status: done
priority: high
state_hub_task_id: "b813a88f-ced6-40ce-9a25-d1c666fb73c9"
```

Add security negative tests for weak factor evidence, duplicate identity links, prepared-account hijack attempts, expired claims, missing tenant context, privileged role escalation, and stale approvals.

```task
id: USER-WP-0015-T4
status: done
priority: medium
state_hub_task_id: "5a03ac1a-1f8e-455b-8f75-691e8bdda286"
```

Add redaction and diagnostics tests for factor values, profile sensitivity, prepared-account metadata, active hat context, and access-profile evidence.

```task
id: USER-WP-0015-T5
status: done
priority: medium
state_hub_task_id: "fcf32b4d-d050-4989-bb05-844e0d13e548"
```

Add adapter conformance tests for factor verification, authorization checks, access fact export, onboarding handoff, audit export, outbox replay, and durable store behavior.

```task
id: USER-WP-0015-T6
status: done
priority: medium
state_hub_task_id: "a7850784-3b86-453f-bbc7-1d53d0813f82"
```

Add UI flow tests once USER-WP-0014 exists: registration happy path, resume, prepared rights review, hat selection, admin preparation, and blocked journey.

## Acceptance Criteria

- The main registration and onboarding journeys are executable as tests.
- Security negative paths fail closed and leave audit evidence.
- Sensitive factor and profile data is redacted from diagnostics and UI output.
- Adapter contracts are testable without production infrastructure.
- The registration UI, if implemented, is covered by workflow-level tests.

## Expected Outputs

- Registration scenario matrix.
- Headless and UI conformance tests.
- Security negative-path test suite.
- Adapter conformance harness for registration dependencies.
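The acceptance criteria that negative paths fail closed and leave audit evidence, and that factor values and prepared-account metadata are redacted from diagnostics, are illustrated below as an added example. This is not user-engine code: `PreparedAccount`, `ClaimRequest`, `AuditLog`, `claim_prepared_account`, `diagnostics_view` and `contains_sensitive` are hypothetical names, and the account data is constructed. It shows the shape a negative-path conformance test can take: a cross-tenant or expired prepared-account claim is denied before the token is even compared, every denial writes an audit event that carries identifiers but never the token, and the diagnostics view exposes only a fingerprint of the claim token and a placeholder for the email.

```python
"""Added example (not user-engine code): a fail-closed prepared-account claim
check with audit evidence, plus a diagnostics view that redacts factor values.
All names below are hypothetical and the sample data is constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import hashlib
import hmac


@dataclass(frozen=True)
class PreparedAccount:
    account_id: str
    tenant_id: str
    email: str           # sensitive metadata: must never reach diagnostics
    claim_token: str     # sensitive factor value: must never reach diagnostics
    expires_at: datetime
    requires_approval: bool = False


@dataclass(frozen=True)
class ClaimRequest:
    account_id: str
    tenant_id: str       # tenant context the caller is operating in
    presented_token: str


@dataclass
class AuditLog:
    events: list = field(default_factory=list)

    def record(self, outcome: str, reason: str, request: ClaimRequest) -> None:
        # Audit evidence carries the decision and identifiers, never the token.
        self.events.append({"outcome": outcome, "reason": reason,
                            "account_id": request.account_id,
                            "tenant_id": request.tenant_id})


def claim_prepared_account(account: PreparedAccount, request: ClaimRequest,
                           audit: AuditLog, now: datetime) -> dict:
    """Every failing check returns a denial *and* writes audit evidence; the
    only way to reach 'claimed' is to pass every check (fail closed)."""
    def deny(reason: str) -> dict:
        audit.record("denied", reason, request)
        return {"outcome": "denied", "reason": reason}

    if request.account_id != account.account_id:
        return deny("unknown_account")
    if request.tenant_id != account.tenant_id:
        return deny("cross_tenant_claim")
    if now >= account.expires_at:
        return deny("claim_expired")
    # Constant-time comparison so the token check does not leak timing.
    if not hmac.compare_digest(request.presented_token.encode(),
                               account.claim_token.encode()):
        return deny("token_mismatch")
    if account.requires_approval:
        audit.record("pending", "approval_required", request)
        return {"outcome": "pending", "reason": "approval_required"}
    audit.record("claimed", "ok", request)
    return {"outcome": "claimed", "reason": "ok"}


def diagnostics_view(account: PreparedAccount) -> dict:
    """Operator-facing diagnostics: keep identifiers and state, redact secrets.
    A truncated hash lets operators correlate without exposing the token."""
    return {
        "account_id": account.account_id,
        "tenant_id": account.tenant_id,
        "email": "[REDACTED]",
        "claim_token_fingerprint":
            hashlib.sha256(account.claim_token.encode()).hexdigest()[:12],
        "expires_at": account.expires_at.isoformat(),
        "requires_approval": account.requires_approval,
    }


def contains_sensitive(view: dict, account: PreparedAccount) -> bool:
    """Redaction check for the conformance test: True if a raw secret leaks."""
    flat = " ".join(str(v) for v in view.values())
    return account.email in flat or account.claim_token in flat


# Constructed sample data for a stand-alone run.
NOW = datetime(2026, 6, 15, 12, 0, tzinfo=timezone.utc)
ACCOUNT = PreparedAccount("acc-1", "tenant-a", "alice@example.test",
                          "tok-constructed-secret", NOW + timedelta(hours=1))

if __name__ == "__main__":
    log = AuditLog()
    attempt = ClaimRequest("acc-1", "tenant-b", "tok-constructed-secret")
    print(claim_prepared_account(ACCOUNT, attempt, log, NOW))  # cross-tenant: denied
    print(diagnostics_view(ACCOUNT))                           # no email, no token
    print(log.events)                                          # evidence, no token
```

The tenant check runs before the token comparison on purpose: a correct token presented from the wrong tenant context is still a denial, and the audit record for it names the tenant mismatch rather than the factor outcome.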
## Implementation Notes

Implemented on 2026-06-15:

- Extended `SCENARIO_MATRIX` and added `REGISTRATION_SCENARIO_MATRIX` covering self-registration, prepared account claim, privileged role approval gates, eID-backed assurance, family invite, tenant admin invite, group access, and denied cross-tenant claim.
- Added `tests/test_registration_security_conformance.py` for a full local registration -> prepared claim -> active hat -> claims projection -> identity context -> access fact export -> onboarding -> UI diagnostics path.
- Added security negative-path tests for weak factor requirements, duplicate identity links, prepared-account hijack attempts, expired claims, cross-tenant/missing tenant context, privileged prepared-role approval, and stale approval through approval-required access profiles.
- Added redaction and diagnostics checks for factor values, prepared-account email metadata, sensitive profile values, access-profile claims/defaults, and proofing adapter secrets.
- Added adapter conformance coverage for factor verification normalization, authorization harness capture, access fact export, onboarding handoff/resume, audit availability, outbox replay, and local durable-store behavior.
- Extended UI workflow coverage from USER-WP-0014 through the conformance path and documented the local conformance contract in `docs/registration-scenario-and-security-conformance.md`.

Verification:

```text
make test
Ran 75 tests in 1.506s
OK
```
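The adapter conformance item for outbox replay and local durable-store behavior, as an added example rather than the project's own harness: `OutboxAdapter`, `InMemoryOutbox`, `replay` and `run_outbox_conformance` are hypothetical names, and the events are constructed. The harness takes an adapter factory, so the same checks run against an in-memory stand-in locally and, unchanged, against a real store elsewhere: pending events must come back in append order, a delivery failure must leave the event pending, a successful replay delivers each event exactly once and a second replay delivers nothing, and a stored event must not change when the caller later mutates the dict it passed in.

```python
"""Added example (not user-engine code): an adapter conformance harness for
outbox replay, run here against a constructed in-memory adapter. All names
below are hypothetical and the events are constructed."""
from typing import Callable, Protocol
import json


class OutboxAdapter(Protocol):
    def append(self, event: dict) -> str: ...           # returns the event id
    def pending(self) -> list: ...                      # [(id, event)] undelivered, in order
    def mark_delivered(self, event_id: str) -> None: ...


class InMemoryOutbox:
    """Local durable-store stand-in: rows survive across replay calls."""
    def __init__(self) -> None:
        self._rows = {}      # event_id -> (event, delivered)
        self._next = 0

    def append(self, event: dict) -> str:
        self._next += 1
        event_id = f"evt-{self._next}"
        # Store a serialized copy so later caller mutation cannot alter it.
        self._rows[event_id] = (json.loads(json.dumps(event)), False)
        return event_id

    def pending(self) -> list:
        return [(eid, ev) for eid, (ev, done) in self._rows.items() if not done]

    def mark_delivered(self, event_id: str) -> None:
        ev, _ = self._rows[event_id]
        self._rows[event_id] = (ev, True)


def replay(adapter: OutboxAdapter, deliver: Callable[[dict], None]) -> int:
    """Deliver every pending event, marking each only after delivery succeeds;
    an exception stops the replay and leaves that event and the rest pending."""
    delivered = 0
    for event_id, event in adapter.pending():
        deliver(event)                 # raising here leaves event_id pending
        adapter.mark_delivered(event_id)
        delivered += 1
    return delivered


def run_outbox_conformance(factory: Callable[[], OutboxAdapter]) -> list:
    """Run the contract checks against a fresh adapter and return the names
    of the checks that failed; an empty list means the adapter conforms."""
    failures = []
    adapter = factory()
    first = adapter.append({"type": "registration.completed", "account_id": "acc-1"})
    adapter.append({"type": "onboarding.started", "account_id": "acc-1"})

    # 1. Ordering: pending events come back in append order.
    if [eid for eid, _ in adapter.pending()][0] != first:
        failures.append("ordering")

    # 2. Fail closed: a delivery failure must not mark anything delivered.
    def failing(_event: dict) -> None:
        raise RuntimeError("sink unavailable")
    try:
        replay(adapter, failing)
    except RuntimeError:
        pass
    if len(adapter.pending()) != 2:
        failures.append("failure_leaves_pending")

    # 3. Exactly once: one replay delivers each event once, the next delivers nothing.
    seen = []
    if replay(adapter, seen.append) != 2 or [e["type"] for e in seen] != [
            "registration.completed", "onboarding.started"]:
        failures.append("exactly_once")
    if replay(adapter, seen.append) != 0 or len(seen) != 2:
        failures.append("idempotent_replay")

    # 4. Durability: a stored event is isolated from later caller mutation.
    payload = {"type": "hat.selected", "account_id": "acc-1"}
    adapter.append(payload)
    payload["account_id"] = "tampered"
    if adapter.pending()[0][1]["account_id"] != "acc-1":
        failures.append("isolation")
    return failures


if __name__ == "__main__":
    print(run_outbox_conformance(InMemoryOutbox) or "conforms")
```

Returning the list of failed check names rather than raising on the first one gives a single run against a new adapter a complete picture of where it departs from the contract.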