generated from coulomb/repo-seed
68 lines
2.8 KiB
Markdown
68 lines
2.8 KiB
Markdown
# SCOPE
|
|
|
|
## One-Liner
|
|
|
|
Headless user-domain and identity-domain integration engine for accounts,
|
|
identity links, actor/principal/subject context, preferences, memberships,
|
|
application catalogs, projections, evidence references, audit, and events.
|
|
|
|
## In Scope
|
|
|
|
- user and account records;
|
|
- account lifecycle state;
|
|
- external identity links;
|
|
- actor, authenticated subject, authorization principal, account, and user
|
|
context mappings;
|
|
- global, tenant, application, and membership profile values;
|
|
- preference values;
|
|
- tenant, application, team, and scope memberships;
|
|
- identity-context read models for domain consumers;
|
|
- canon interface cards, entity mappings, relationship mappings, and explicit
|
|
gap records;
|
|
- application registry for profile consumers;
|
|
- customization catalog registry and validation;
|
|
- effective profile resolution;
|
|
- projection APIs for self-service, admin, application runtime, audit, and
|
|
agent contexts;
|
|
- audit records and lifecycle/profile-change events;
|
|
- local evidence references derived from audit and event records;
|
|
- local standalone development mode;
|
|
- integration ports for identity claims, authorization checks, events, and
|
|
runtime secrets;
|
|
- adapter contracts for evidence export, policy/control references, and
|
|
lifecycle task handoff.
|
|
|
|
## Out Of Scope
|
|
|
|
- login and authentication flows;
|
|
- password, passkey, session, and MFA lifecycle;
|
|
- OIDC/SAML token issuance;
|
|
- final authorization policy decisions;
|
|
- durable authorization grant authority outside user-engine-owned memberships;
|
|
- policy, control, access-review, exception, and organization source-of-truth
|
|
ownership;
|
|
- runtime secret custody;
|
|
- UI implementation in the current MVP; optional registration and access
|
|
management UI work is proposed separately under `USER-WP-0014`;
|
|
- full SCIM server or enterprise directory replacement in the initial product.
|
|
|
|
## Boundary Rule
|
|
|
|
user-engine owns user-domain facts, identity-context mappings, and projections.
|
|
Other systems may provide authentication, IAM claims, authorization decisions,
|
|
policy/control authority, deployment, event transport, durable audit, secrets,
|
|
organization records, or UI surfaces, but they must integrate through explicit
|
|
interfaces rather than becoming hidden sources of profile or identity-domain
|
|
truth.
|
|
|
|
## Current Planning
|
|
|
|
Implementation and planning work is tracked in `workplans/USER-WP-0001`
|
|
through `USER-WP-0015`. `USER-WP-0010` implements the first headless
|
|
registration and factor-evidence slice. `USER-WP-0011` implements prepared
|
|
accounts and entitlement claims. `USER-WP-0012` implements hats, realms,
|
|
services, assets, access profiles, active context, and exportable
|
|
access-control facts. `USER-WP-0013` implements onboarding journeys and
|
|
welcome protocols. `USER-WP-0014` and `USER-WP-0015` remain proposed future
|
|
workplans for optional UI and security conformance.
|