user-engine/SCOPE.md

SCOPE

One-Liner

Headless user-domain and identity-domain integration engine for accounts, identity links, actor/principal/subject context, preferences, memberships, application catalogs, projections, evidence references, audit, and events.

In Scope

  • user and account records;
  • account lifecycle state;
  • external identity links;
  • actor, authenticated subject, authorization principal, account, and user context mappings;
  • global, tenant, application, and membership profile values;
  • preference values;
  • tenant, application, team, and scope memberships;
  • identity-context read models for domain consumers;
  • canon interface cards, entity mappings, relationship mappings, and explicit gap records;
  • application registry for profile consumers;
  • customization catalog registry and validation;
  • effective profile resolution;
  • projection APIs for self-service, admin, application runtime, audit, and agent contexts;
  • audit records and lifecycle/profile-change events;
  • local evidence references derived from audit and event records;
  • local standalone development mode;
  • integration ports for identity claims, authorization checks, events, and runtime secrets;
  • adapter contracts for evidence export, policy/control references, and lifecycle task handoff.

Out Of Scope

  • login and authentication flows;
  • password, passkey, session, and MFA lifecycle;
  • OIDC/SAML token issuance;
  • final authorization policy decisions;
  • durable authorization grant authority outside user-engine-owned memberships;
  • policy, control, access-review, exception, and organization source-of-truth ownership;
  • runtime secret custody;
  • UI implementation in the current MVP; optional registration and access management UI work is proposed separately under USER-WP-0014;
  • full SCIM server or enterprise directory replacement in the initial product.

Boundary Rule

user-engine owns user-domain facts, identity-context mappings, and projections. Other systems may provide authentication, IAM claims, authorization decisions, policy/control authority, deployment, event transport, durable audit, secrets, organization records, or UI surfaces, but they must integrate through explicit interfaces rather than becoming hidden sources of profile or identity-domain truth.

Current Planning

Implementation and planning work is tracked in workplans/USER-WP-0001 through USER-WP-0015. USER-WP-0010 implements the first headless registration and factor-evidence slice. USER-WP-0011 implements prepared accounts and entitlement claims. USER-WP-0012 through USER-WP-0015 remain proposed future workplans for hats/access profiles, onboarding journeys, optional UI, and security conformance.