coulomb/user-engine
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2ceecf6463ad411baea4b7509c475869b182036c
user-engine/workplans/USER-WP-0015-registration-scenario-and-security-conformance.md

4.9 KiB
Raw Blame History

id, type, title, domain, repo, status, owner, topic_slug, planning_priority, planning_order, created, updated, depends_on, state_hub_workstream_id
id type title domain repo status owner topic_slug planning_priority planning_order created updated depends_on state_hub_workstream_id
USER-WP-0015 workplan Registration Scenario And Security Conformance netkingdom user-engine finished codex netkingdom medium 15 2026-06-15 2026-06-15
USER-WP-0010
USER-WP-0011
USER-WP-0012
USER-WP-0013
USER-WP-0014
4f21e1c9-ad27-4ac9-888f-8f78c6abfb3b

USER-WP-0015 - Registration Scenario And Security Conformance

Goal

Prove the full NetKingdom registration and onboarding model through executable scenarios, security negative paths, redaction checks, adapter conformance, and operability diagnostics.

Scope Direction

This workplan turns the registration roadmap into a testable contract. It should cover both headless APIs and the optional UI surface where present.

Non-Goals

  • Do not add new product surface unless a test exposes a missing contract.
  • Do not assert provider-specific IAM, eID, SMS, email, or authorization engine internals.
  • Do not require production infrastructure for local conformance tests.

Tasks

id: USER-WP-0015-T1
status: done
priority: high
state_hub_task_id: "5ca0a269-559d-4138-b702-9984a411f2ed"

Define the registration scenario matrix: self-registration, prepared account claim, privileged role requiring approval, eID-backed assurance, family invite, tenant admin invite, group access, and denied cross-tenant claim.

id: USER-WP-0015-T2
status: done
priority: high
state_hub_task_id: "6ee492b1-923f-4aa0-8e17-b69f522c4898"

Add end-to-end headless tests covering registration through identity context, claims enrichment, active hat selection, and onboarding event emission.

id: USER-WP-0015-T3
status: done
priority: high
state_hub_task_id: "b813a88f-ced6-40ce-9a25-d1c666fb73c9"

Add security negative tests for weak factor evidence, duplicate identity links, prepared-account hijack attempts, expired claims, missing tenant context, privileged role escalation, and stale approvals.

id: USER-WP-0015-T4
status: done
priority: medium
state_hub_task_id: "5a03ac1a-1f8e-455b-8f75-691e8bdda286"

Add redaction and diagnostics tests for factor values, profile sensitivity, prepared-account metadata, active hat context, and access-profile evidence.

id: USER-WP-0015-T5
status: done
priority: medium
state_hub_task_id: "fcf32b4d-d050-4989-bb05-844e0d13e548"

Add adapter conformance tests for factor verification, authorization checks, access fact export, onboarding handoff, audit export, outbox replay, and durable store behavior.

id: USER-WP-0015-T6
status: done
priority: medium
state_hub_task_id: "a7850784-3b86-453f-bbc7-1d53d0813f82"

Add UI flow tests once USER-WP-0014 exists: registration happy path, resume, prepared rights review, hat selection, admin preparation, and blocked journey.

Acceptance Criteria

  • The main registration and onboarding journeys are executable as tests.
  • Security negative paths fail closed and leave audit evidence.
  • Sensitive factor and profile data is redacted from diagnostics and UI output.
  • Adapter contracts are testable without production infrastructure.
  • The registration UI, if implemented, is covered by workflow-level tests.

Expected Outputs

  • Registration scenario matrix.
  • Headless and UI conformance tests.
  • Security negative-path test suite.
  • Adapter conformance harness for registration dependencies.

Implementation Notes

Implemented on 2026-06-15:

  • Extended SCENARIO_MATRIX and added REGISTRATION_SCENARIO_MATRIX covering self-registration, prepared account claim, privileged role approval gates, eID-backed assurance, family invite, tenant admin invite, group access, and denied cross-tenant claim.
  • Added tests/test_registration_security_conformance.py for a full local registration -> prepared claim -> active hat -> claims projection -> identity context -> access fact export -> onboarding -> UI diagnostics path.
  • Added security negative-path tests for weak factor requirements, duplicate identity links, prepared-account hijack attempts, expired claims, cross-tenant/missing tenant context, privileged prepared-role approval, and stale approval through approval-required access profiles.
  • Added redaction and diagnostics checks for factor values, prepared-account email metadata, sensitive profile values, access-profile claims/defaults, and proofing adapter secrets.
  • Added adapter conformance coverage for factor verification normalization, authorization harness capture, access fact export, onboarding handoff/resume, audit availability, outbox replay, and local durable-store behavior.
  • Extended UI workflow coverage from USER-WP-0014 through the conformance path and documented the local conformance contract in docs/registration-scenario-and-security-conformance.md.

Verification:

make test
Ran 75 tests in 1.506s
OK
Reference in New Issue View Git Blame Copy Permalink