4.2 KiB
Registration And Access Management UI
Status: implemented headless UI contract slice Date: 2026-06-15 Related workplan: USER-WP-0014
Purpose
This slice adds an optional NetKingdom registration and access-management UI
contract over the headless UserEngineService. It is not a credential UI and
does not own browser state. It provides transport-neutral screen models,
route contracts, and an accessible HTML renderer that web, desktop, or CLI
adapters can serve.
Information Architecture
The implemented UI facade exposes these primary areas:
- registration
- prepared rights
- active hat
- profile
- onboarding
- admin
The supported views cover registration start/resume, factor status, registration completion, prepared-account review and claim, active hat selection, onboarding status, admin prepared accounts, admin access profiles, and admin onboarding diagnostics.
Public Facade
RegistrationAccessManagementUi lives in user_engine.ui and is exported from
user_engine.
It exposes:
information_architecture()api_contract()start_registration(...)attach_factor(...)complete_registration(...)registration_screen(...)prepared_rights_review(...)accept_prepared_claim(...)deny_prepared_claim(...)hat_selection_view(...)select_hat(...)admin_dashboard(...)render_html(...)
Route Contract
The UI route contract maps thin transport routes to existing headless service facades:
registration.start->start_registrationregistration.factor->attach_registration_factorregistration.complete->complete_registrationprepared_account.review->list_prepared_accountsprepared_account.accept->claim_prepared_accountprepared_account.deny-> UI dismiss decisionaccess_profile.select_hat->select_active_hatadmin.dashboard-> diagnostics/list views
Proofing, IAM, authorization, notification, and protected service consoles remain adapter boundaries.
Registration Flow
The self-service UI facade can start registration, attach adapter-supplied factor evidence, show safe factor status by type, enforce UI terms/consent before completion, and show the resulting NetKingdom ID.
Factor values are never rendered. The flow displays factor types and status, not email addresses, phone numbers, postal addresses, eID payloads, provider tokens, or challenge material.
Prepared Rights
Prepared-account review displays pending packages by id, display name,
required factor types, entitlement kinds, and status. Required factor values
are redacted. Accepting a package calls claim_prepared_account. Denying a
package is an explicit UI dismiss state and does not mutate prepared-account
domain state.
Hats And Active Context
The active-hat view lists access profiles and the current active context.
Selecting a hat calls select_active_hat; the domain service still enforces
tenant, membership, factor, approval, and authorization rules. The UI does not
display hidden policy logic or final authorization decisions.
Admin Surface
The admin dashboard composes existing diagnostics and list operations:
- registration diagnostics
- tenant diagnostics
- prepared-account counts
- access-profile counts
- onboarding diagnostics
The dashboard intentionally reports counts and lifecycle gaps without exposing factor values, prepared-account factor matches, profile default values, claim values, or raw proofing payloads.
Accessibility And Layout
The renderer emits semantic landmarks:
bannernavigationmain
Sections are linked from navigation, action controls expose aria-label, and
mobile/desktop layout metadata is available through the screen model. Mobile
screens use one column with a 44px minimum touch target; desktop screens use a
two-column workbench layout.
Current Limits
- This slice does not ship a web server, JavaScript client, or CSS bundle.
- Browser persistence is not authoritative over domain state.
- The HTML renderer is a verification artifact and adapter starting point, not a final branded application.
- Credential entry, password reset, passkeys, MFA challenges, token issuance, notifications, and service-specific consoles remain outside user-engine.