generated from coulomb/repo-seed
---
id: USER-WP-0015
type: workplan
title: "Registration Scenario And Security Conformance"
domain: netkingdom
repo: user-engine
status: finished
owner: codex
topic_slug: netkingdom
planning_priority: medium
planning_order: 15
created: "2026-06-15"
updated: "2026-06-15"
depends_on:
- USER-WP-0010
- USER-WP-0011
- USER-WP-0012
- USER-WP-0013
- USER-WP-0014
state_hub_workstream_id: "4f21e1c9-ad27-4ac9-888f-8f78c6abfb3b"
---

# USER-WP-0015 - Registration Scenario And Security Conformance

## Goal

Prove the full NetKingdom registration and onboarding model through executable
scenarios, security negative paths, redaction checks, adapter conformance, and
operability diagnostics.

## Scope Direction

This workplan turns the registration roadmap into a testable contract. It
should cover both headless APIs and the optional UI surface where present.

## Non-Goals

- Do not add new product surface unless a test exposes a missing contract.
- Do not assert provider-specific IAM, eID, SMS, email, or authorization engine
  internals.
- Do not require production infrastructure for local conformance tests.

## Tasks

```task
id: USER-WP-0015-T1
status: done
priority: high
state_hub_task_id: "5ca0a269-559d-4138-b702-9984a411f2ed"
```

Define the registration scenario matrix: self-registration, prepared account
claim, privileged role requiring approval, eID-backed assurance, family invite,
tenant admin invite, group access, and denied cross-tenant claim.

```task
id: USER-WP-0015-T2
status: done
priority: high
state_hub_task_id: "6ee492b1-923f-4aa0-8e17-b69f522c4898"
```

Add end-to-end headless tests covering registration through identity context,
claims enrichment, active hat selection, and onboarding event emission.

```task
id: USER-WP-0015-T3
status: done
priority: high
state_hub_task_id: "b813a88f-ced6-40ce-9a25-d1c666fb73c9"
```

Add security negative tests for weak factor evidence, duplicate identity links,
prepared-account hijack attempts, expired claims, missing tenant context,
privileged role escalation, and stale approvals.

```task
id: USER-WP-0015-T4
status: done
priority: medium
state_hub_task_id: "5a03ac1a-1f8e-455b-8f75-691e8bdda286"
```

Add redaction and diagnostics tests for factor values, profile sensitivity,
prepared-account metadata, active hat context, and access-profile evidence.

```task
id: USER-WP-0015-T5
status: done
priority: medium
state_hub_task_id: "fcf32b4d-d050-4989-bb05-844e0d13e548"
```

Add adapter conformance tests for factor verification, authorization checks,
access fact export, onboarding handoff, audit export, outbox replay, and
durable store behavior.

```task
id: USER-WP-0015-T6
status: done
priority: medium
state_hub_task_id: "a7850784-3b86-453f-bbc7-1d53d0813f82"
```

Add UI flow tests once USER-WP-0014 exists: registration happy path, resume,
prepared rights review, hat selection, admin preparation, and blocked journey.

## Acceptance Criteria

- The main registration and onboarding journeys are executable as tests.
- Security negative paths fail closed and leave audit evidence.
- Sensitive factor and profile data is redacted from diagnostics and UI output.
- Adapter contracts are testable without production infrastructure.
- The registration UI, if implemented, is covered by workflow-level tests.
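As an added illustration of two of these criteria (a negative path that fails closed while recording audit evidence, and redaction of sensitive values from diagnostics), the following is example code written for this page, not code from the user-engine repo; the `PreparedAccount`, `Store`, `claim_prepared_account` and `redact` names, the sensitive-key list and the sample data are all constructed assumptions:

```python
# Hypothetical minimal prepared-account claim check and diagnostics redactor.
# Names, keys and sample records are constructed for illustration only.
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Keys that must never reach diagnostics or UI output, at any nesting depth.
SENSITIVE_KEYS = {"factor_value", "otp", "invite_token", "adapter_secret"}


@dataclass
class PreparedAccount:
    account_id: str
    tenant_id: str
    invite_token: str
    claimed_by: Optional[str] = None


@dataclass
class Store:
    accounts: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)


def build_store() -> Store:
    """Constructed sample data: one unclaimed prepared account in tenant-a."""
    store = Store()
    store.accounts["acc-1"] = PreparedAccount("acc-1", "tenant-a", "tok-1")
    return store


def claim_prepared_account(store, account_id, claimant_tenant, claimant_id, token):
    """Fail closed: any mismatch is denied, the caller gets no reason, but the
    specific reason is written to the audit log before returning."""
    acct = store.accounts.get(account_id)
    reason = None
    if acct is None:
        reason = "unknown_account"
    elif acct.tenant_id != claimant_tenant:
        reason = "cross_tenant"          # denied cross-tenant claim scenario
    elif acct.claimed_by is not None:
        reason = "already_claimed"       # prepared-account hijack attempt
    elif not hmac.compare_digest(token, acct.invite_token):
        reason = "bad_token"             # constant-time token comparison
    if reason:
        store.audit.append({"event": "claim_denied", "account_id": account_id,
                            "claimant": claimant_id, "reason": reason})
        return {"ok": False}
    acct.claimed_by = claimant_id
    store.audit.append({"event": "claim_accepted", "account_id": account_id,
                        "claimant": claimant_id})
    return {"ok": True, "tenant_id": acct.tenant_id}


def redact(diag):
    """Return a copy of a nested diagnostics structure with sensitive keys masked."""
    if isinstance(diag, dict):
        return {k: "[REDACTED]" if k in SENSITIVE_KEYS else redact(v)
                for k, v in diag.items()}
    if isinstance(diag, list):
        return [redact(v) for v in diag]
    return diag
```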

## Expected Outputs

- Registration scenario matrix.
- Headless and UI conformance tests.
- Security negative-path test suite.
- Adapter conformance harness for registration dependencies.

## Implementation Notes

Implemented on 2026-06-15:

- Extended `SCENARIO_MATRIX` and added `REGISTRATION_SCENARIO_MATRIX` covering
  self-registration, prepared account claim, privileged role approval gates,
  eID-backed assurance, family invite, tenant admin invite, group access, and
  denied cross-tenant claim.
- Added `tests/test_registration_security_conformance.py` for a full local
  registration -> prepared claim -> active hat -> claims projection ->
  identity context -> access fact export -> onboarding -> UI diagnostics path.
- Added security negative-path tests for weak factor requirements, duplicate
  identity links, prepared-account hijack attempts, expired claims,
  cross-tenant/missing tenant context, privileged prepared-role approval, and
  stale approval through approval-required access profiles.
- Added redaction and diagnostics checks for factor values, prepared-account
  email metadata, sensitive profile values, access-profile claims/defaults,
  and proofing adapter secrets.
- Added adapter conformance coverage for factor verification normalization,
  authorization harness capture, access fact export, onboarding handoff/resume,
  audit availability, outbox replay, and local durable-store behavior.
- Extended UI workflow coverage from USER-WP-0014 through the conformance
  path and documented the local conformance contract in
  `docs/registration-scenario-and-security-conformance.md`.

Verification:

```text
make test
Ran 75 tests in 1.506s
OK
```