Integrated Scenario Matrix
The scenario suite is the conformance target for repos that integrate user-engine. It keeps identity, authorization, tenant, application, profile, projection, audit, and event behavior testable without a UI.
| Scenario | Proves |
|---|---|
| standalone_self_service | A verified actor can resolve me, write profile values, and read a projection. |
| denied_access | Authorization denials do not mutate state or emit outbox events. |
| tenant_admin | Tenant admins can manage in-tenant account, membership, and profile state. |
| platform_operator | Platform operators can operate across tenants without tenant-admin overreach. |
| cross_tenant_denial | Tenant actors cannot manage another tenant or platform root. |
| two_applications | Catalog ownership and projections prevent application data leakage. |
| sensitive_redaction | Sensitive values are redacted in runtime and claims-enrichment projections. |
| audit_event_replay | Mutations carry audit records, outbox events, and correlation ids. |
| identity_canon_context | Actor, user, account, authenticated subject, authorization principal, tenant, membership, grant-like facts, and evidence references stay distinguishable. |
| family_dataspace_onboarding | A family tenant can register a personal dataspace, invite members, accept SSO identities, project claims context, and deny cross-family access. |
| registration_onboarding_full | Registration, prepared claim, active hat, claims projection, onboarding, access fact export, and UI diagnostics work as one local flow. |
| prepared_account_claim | Prepared rights can be claimed only after matching verified factors. |
| privileged_role_requires_approval | Privileged prepared roles fail closed without approval. |
| eid_assurance_registration | eID-backed factor evidence can participate in registration conformance. |
| tenant_admin_invite | Tenant admins can prepare users and inspect diagnostics without issuing credentials. |
| group_access_hat | Group-derived memberships can produce active hat and access-control facts. |
| denied_cross_tenant_claim | Cross-tenant prepared claims and tenant overreach fail closed. |
| ui_registration_access_flow | USER-WP-0014 UI contracts cover registration, prepared rights, hats, admin diagnostics, redaction, and responsive metadata. |
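The `denied_access` and `cross_tenant_denial` rows describe a check that can be written as a snapshot comparison around a denied call. The sketch below is an added example, not code from user-engine: `ToyEngine`, `MutateFirstEngine`, `Actor`, `Denied`, and `denial_is_side_effect_free` are hypothetical names, and the actors are constructed sample data.

```python
import copy
from dataclasses import dataclass, field

class Denied(Exception):
    """Raised when the authorization check rejects a request."""

@dataclass(frozen=True)
class Actor:
    subject: str
    tenant: str
    roles: frozenset = frozenset()

@dataclass
class ToyEngine:
    """Hypothetical stand-in for an engine under test (not user-engine's API)."""
    profiles: dict = field(default_factory=dict)  # (tenant, subject) -> values
    outbox: list = field(default_factory=list)    # events awaiting delivery

    def _authorize(self, actor, tenant, subject):
        if actor.tenant != tenant:
            raise Denied("cross-tenant request")
        if actor.subject != subject and "tenant_admin" not in actor.roles:
            raise Denied("not the owner or an in-tenant admin")

    def write_profile(self, actor, tenant, subject, values, correlation_id):
        self._authorize(actor, tenant, subject)  # decide first, fail closed
        self.profiles.setdefault((tenant, subject), {}).update(values)
        self.outbox.append({"type": "profile.updated", "tenant": tenant,
                            "subject": subject, "correlation_id": correlation_id})

class MutateFirstEngine(ToyEngine):
    """Deliberately wrong ordering: an event is emitted before the decision."""
    def write_profile(self, actor, tenant, subject, values, correlation_id):
        self.outbox.append({"type": "profile.write_attempted",
                            "correlation_id": correlation_id})
        super().write_profile(actor, tenant, subject, values, correlation_id)

def denial_is_side_effect_free(engine, actor, tenant, subject, values):
    """True only if the call is denied AND state and outbox are unchanged."""
    before = copy.deepcopy((engine.profiles, engine.outbox))
    try:
        engine.write_profile(actor, tenant, subject, values, "corr-test")
    except Denied:
        return (engine.profiles, engine.outbox) == before
    return False  # the request was allowed, so the denial scenario fails

# Constructed sample actors for the illustration.
ALICE = Actor("alice", "tenant-a")
OTHER_ADMIN = Actor("bob", "tenant-b", frozenset({"tenant_admin"}))
```

Comparing full snapshots rather than checking only the raised exception is what catches the `MutateFirstEngine` ordering, where the denial is reported correctly but an outbox event has already escaped.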
Registration Scenario Matrix
REGISTRATION_SCENARIO_MATRIX covers:
- self-registration;
- prepared account claim;
- privileged role requiring approval;
- eID-backed assurance;
- family invite;
- tenant admin invite;
- group access;
- denied cross-tenant claim.
Fixture Actors
user_engine.testing.scenarios provides fixtures for human, service, agent,
delegated agent, tenant admin, platform operator, break-glass, local issuer,
invalid, expired, and missing-tenant identities.
Commands
All suites currently run through the standard-library test runner:
```sh
make test
make test-scenarios
make test-integration
make test-conformance
```
The separate targets are aliases today. They are intentionally present so CI can split unit, scenario, integration, and conformance execution later without changing consumer documentation.