| id | type | title | domain | repo | status | owner | topic_slug | planning_priority | planning_order | created | updated | depends_on | state_hub_workstream_id |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| USER-WP-0011 | workplan | Prepared Accounts And Entitlement Claims | netkingdom | user-engine | proposed | codex | netkingdom | high | 11 | 2026-06-15 | 2026-06-15 | | 39ac9f87-c61d-42d8-a45f-bece4848ed47 |
# USER-WP-0011 - Prepared Accounts And Entitlement Claims

## Goal
Allow NetKingdom operators, tenant admins, family owners, service owners, or upstream systems to prepare account intent and access packages before the user registers. When the user later proves matching factors, user-engine can attach the prepared package to the canonical user and activate the right lifecycle steps.
## Scope Direction
Prepared accounts are not credentials. They are pending user-domain facts: expected factor matches, tenant or group references, planned memberships, profile defaults, onboarding journey hints, approval gates, expiry, and audit history.
## Non-Goals
- Do not create login credentials for users who have not registered.
- Do not bypass factor verification or approval policies.
- Do not make user-engine the source of truth for external organization, HR, or directory records.
- Do not implement final authorization policy decisions.
## Tasks
### USER-WP-0011-T1

- status: todo
- priority: high
- state_hub_task_id: "11508f77-170b-4b22-bfdc-115a69bfe4db"

Add prepared account and prepared entitlement models with status, expiry, preparer identity, tenant/scope references, factor match requirements, and audit metadata.

### USER-WP-0011-T2

- status: todo
- priority: high
- state_hub_task_id: "86ca36d4-721b-48fe-8c0c-c6a1e6740d2f"

Implement create, update, revoke, expire, and list operations for prepared accounts, guarded by the authorization port.

### USER-WP-0011-T3

- status: todo
- priority: high
- state_hub_task_id: "fe5a08e8-1101-4cec-b02f-b2eee8928604"

Implement claim matching during registration. Match verified factor evidence to prepared account requirements and produce explicit claim decisions.

### USER-WP-0011-T4

- status: todo
- priority: high
- state_hub_task_id: "8aef6d9e-5e76-4e44-bf81-58049b22a25c"

Convert claimed prepared entitlements into user-engine-owned facts: memberships, tenant accounts, profile defaults, application bindings, and onboarding journey starts.

### USER-WP-0011-T5

- status: todo
- priority: medium
- state_hub_task_id: "527519a1-48ed-45fc-a6fc-739986ae6303"

Add conflict and safety rules for duplicate prepared accounts, weak factor matches, expired packages, privileged roles, and manual approval requirements.

### USER-WP-0011-T6

- status: todo
- priority: medium
- state_hub_task_id: "9530c8d6-82af-4635-8af8-aa79c54be94d"

Add audit/outbox events and evidence references for preparation, claim, activation, denial, expiry, and revocation.
## Acceptance Criteria
- A prepared account can be created before user registration without issuing credentials.
- A registering user can claim prepared rights only when required factor evidence matches.
- Claimed rights become explicit user-engine memberships, profile values, tenant account state, and onboarding events.
- Expired, revoked, ambiguous, or privileged claims fail closed.
- Every preparation and claim decision is auditable.
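The following is an added example, not user-engine code, showing how the claim matching of T3, the conflict and safety rules of T5, and the fail-closed acceptance criteria above fit together in one decision function. The model fields, status strings, `Outcome` values, and factor normalisation rules are assumptions made for illustration; the sample prepared accounts and factor evidence are constructed.

```python
"""Claim matching for prepared accounts (added example; not user-engine code).

Field names, status strings, Outcome values and the normalisation rules are
assumptions for illustration. The sample data at the bottom is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class Outcome(str, Enum):
    ACTIVATE = "activate"        # entitlements become user-engine-owned facts
    HOLD = "hold_for_approval"   # strong match, but an approval gate must clear first
    DENY = "deny"                # every other path fails closed


@dataclass(frozen=True)
class VerifiedFactor:
    kind: str       # "email", "phone", ...
    value: str
    verified: bool  # only factors the registration flow actually verified count


@dataclass
class PreparedAccount:
    id: str
    status: str                       # "pending" | "revoked" | "claimed"
    expires_at: datetime
    required_factors: dict[str, str]  # all of these must match (AND, never OR)
    memberships: list[str] = field(default_factory=list)
    profile_defaults: dict[str, str] = field(default_factory=dict)
    privileged: bool = False          # privileged packages never auto-activate
    requires_approval: bool = False


@dataclass
class ClaimDecision:
    outcome: Outcome
    reason: str                       # explicit reason for the audit record
    prepared_id: str | None = None
    facts: dict = field(default_factory=dict)  # filled only on ACTIVATE


def _norm(kind: str, value: str) -> str:
    """Canonicalise a factor value so cosmetic differences do not break a match."""
    v = value.strip()
    if kind == "email":
        return v.lower()
    if kind == "phone":
        return "".join(ch for ch in v if ch.isdigit() or ch == "+")
    return v


def factors_match(prepared: PreparedAccount, evidence: list[VerifiedFactor]) -> bool:
    """Strong match: every required factor is present, verified, and equal."""
    seen = {(f.kind, _norm(f.kind, f.value)) for f in evidence if f.verified}
    return all((k, _norm(k, v)) in seen for k, v in prepared.required_factors.items())


def decide_claim(candidates: list[PreparedAccount], evidence: list[VerifiedFactor],
                 now: datetime) -> ClaimDecision:
    """One explicit decision; anything short of a single live, strong match denies."""
    matched = [p for p in candidates if factors_match(p, evidence)]
    if not matched:
        return ClaimDecision(Outcome.DENY, "no_strong_factor_match")
    live = [p for p in matched if p.status == "pending" and now < p.expires_at]
    if not live:
        # Only expired or revoked packages matched: deny and cite one for the audit trail.
        return ClaimDecision(Outcome.DENY, "expired_or_revoked", matched[0].id)
    if len(live) > 1:
        # Duplicate prepared accounts for the same factors: ambiguous, never pick one.
        return ClaimDecision(Outcome.DENY, "ambiguous")
    p = live[0]
    if p.privileged or p.requires_approval:
        return ClaimDecision(Outcome.HOLD, "approval_required", p.id)
    facts = {"memberships": list(p.memberships), "profile_defaults": dict(p.profile_defaults)}
    return ClaimDecision(Outcome.ACTIVATE, "strong_match", p.id, facts)


# Constructed sample data (not from any real tenant).
NOW = datetime(2026, 6, 15, tzinfo=timezone.utc)
PREPARED = [
    PreparedAccount("prep-alice", "pending", NOW + timedelta(days=30),
                    {"email": "alice@example.test", "phone": "+15550100"},
                    ["team:netkingdom-ops"], {"locale": "en"}),
    PreparedAccount("prep-bob-old", "pending", NOW - timedelta(days=1), {"email": "bob@example.test"}),
    PreparedAccount("prep-carol-1", "pending", NOW + timedelta(days=7), {"email": "carol@example.test"}),
    PreparedAccount("prep-carol-2", "pending", NOW + timedelta(days=7), {"email": "carol@example.test"}),
    PreparedAccount("prep-dave-admin", "pending", NOW + timedelta(days=7), {"email": "dave@example.test"},
                    ["role:tenant-admin"], privileged=True),
]


def run_scenarios() -> dict[str, tuple[str, str]]:
    """Map each constructed registration to (outcome, reason)."""
    cases = {
        "alice_strong": [VerifiedFactor("email", "Alice@Example.test", True),
                         VerifiedFactor("phone", "+1 555-0100", True)],
        "alice_weak": [VerifiedFactor("email", "alice@example.test", True),
                       VerifiedFactor("phone", "+15550100", False)],   # phone not verified
        "bob_expired": [VerifiedFactor("email", "bob@example.test", True)],
        "carol_duplicate": [VerifiedFactor("email", "carol@example.test", True)],
        "dave_privileged": [VerifiedFactor("email", "dave@example.test", True)],
    }
    return {name: (d.outcome.value, d.reason)
            for name, ev in cases.items() for d in [decide_claim(PREPARED, ev, NOW)]}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:16s} -> {result}")
```

The ordering of checks is the point: factor matching runs first so that an expired or duplicate package is only ever reported against evidence that actually matched it, ambiguity is resolved by denying rather than by picking the newest package, and a privileged or approval-gated package returns `HOLD` with no facts attached, so nothing downstream can activate it by accident.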
## Expected Outputs
- Prepared account domain model.
- Prepared entitlement activation facade.
- Claim matching rules and tests.
- Documentation for account preparation boundaries.