@open-mercato/shared 0.6.4-develop.3996.1.430e257cfc → 0.6.4-develop.4000.1.450e315cec

package/.turbo/turbo-build.log

@@ -1,2 +1,2 @@
-[build:shared] found 211 entry points
+[build:shared] found 212 entry points
 [build:shared] built successfully

package/dist/lib/version.js

@@ -1,4 +1,4 @@
-const APP_VERSION = "0.6.4-develop.3996.1.430e257cfc";
+const APP_VERSION = "0.6.4-develop.4000.1.450e315cec";
 const appVersion = APP_VERSION;
 export {
   APP_VERSION,

package/dist/lib/version.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../src/lib/version.ts"],
-  "sourcesContent": ["// Build-time generated version\nexport const APP_VERSION = '0.6.4-develop.3996.1.430e257cfc'\nexport const appVersion = APP_VERSION\n"],
+  "sourcesContent": ["// Build-time generated version\nexport const APP_VERSION = '0.6.4-develop.4000.1.450e315cec'\nexport const appVersion = APP_VERSION\n"],
   "mappings": "AACO,MAAM,cAAc;AACpB,MAAM,aAAa;",
   "names": []
 }

package/dist/security/aclDependencies.js

@@ -0,0 +1,106 @@
+import { hasFeature } from "./features.js";
+const EMPTY_DIAGNOSTICS = Object.freeze({
+  missingDependencies: Object.freeze([]),
+  orphanedDependents: Object.freeze([]),
+  unknownReferences: Object.freeze([])
+});
+function normalizeGranted(granted) {
+  if (!Array.isArray(granted)) return [];
+  const set = /* @__PURE__ */ new Set();
+  for (const entry of granted) {
+    if (typeof entry !== "string") continue;
+    const trimmed = entry.trim();
+    if (!trimmed) continue;
+    set.add(trimmed);
+  }
+  return Array.from(set);
+}
+function indexCatalog(catalog) {
+  const map = /* @__PURE__ */ new Map();
+  for (const descriptor of catalog) {
+    if (!descriptor || typeof descriptor.id !== "string") continue;
+    const id = descriptor.id.trim();
+    if (!id) continue;
+    if (!map.has(id)) map.set(id, descriptor);
+  }
+  return map;
+}
+function resolveAclDependencyDiagnostics(granted, catalog) {
+  if (!Array.isArray(catalog) || catalog.length === 0) return EMPTY_DIAGNOSTICS;
+  const grantedList = normalizeGranted(granted);
+  if (grantedList.includes("*")) return EMPTY_DIAGNOSTICS;
+  const catalogIndex = indexCatalog(catalog);
+  const missingDependencies = [];
+  const unknownReferences = [];
+  const dependentsByDependency = /* @__PURE__ */ new Map();
+  for (const descriptor of catalog) {
+    if (!descriptor || typeof descriptor.id !== "string") continue;
+    const featureId = descriptor.id.trim();
+    if (!featureId) continue;
+    const deps = Array.isArray(descriptor.dependsOn) ? descriptor.dependsOn : [];
+    if (deps.length === 0) continue;
+    if (!hasFeature(grantedList, featureId)) continue;
+    const missing = [];
+    const unknown = [];
+    for (const rawDep of deps) {
+      if (typeof rawDep !== "string") continue;
+      const dep = rawDep.trim();
+      if (!dep) continue;
+      const isRegistered = catalogIndex.has(dep) || dep.endsWith(".*") || dep === "*";
+      if (!isRegistered) {
+        unknown.push(dep);
+        continue;
+      }
+      if (!hasFeature(grantedList, dep)) {
+        missing.push(dep);
+        const bucket = dependentsByDependency.get(dep) ?? /* @__PURE__ */ new Set();
+        bucket.add(featureId);
+        dependentsByDependency.set(dep, bucket);
+      }
+    }
+    if (missing.length > 0) {
+      missingDependencies.push({ feature: featureId, missing: dedupe(missing) });
+    }
+    if (unknown.length > 0) {
+      unknownReferences.push({ feature: featureId, missing: dedupe(unknown) });
+    }
+  }
+  const orphanedDependents = [];
+  for (const [dep, dependents] of dependentsByDependency) {
+    const known = catalogIndex.has(dep);
+    if (!known) continue;
+    orphanedDependents.push({
+      dependency: dep,
+      dependents: Array.from(dependents).sort((a, b) => a.localeCompare(b))
+    });
+  }
+  orphanedDependents.sort((a, b) => a.dependency.localeCompare(b.dependency));
+  return {
+    missingDependencies,
+    orphanedDependents,
+    unknownReferences: unknownReferences.sort((a, b) => a.feature.localeCompare(b.feature))
+  };
+}
+function dedupe(values) {
+  return Array.from(new Set(values)).sort((a, b) => a.localeCompare(b));
+}
+function applyAddMissingDependency(granted, dependency) {
+  if (!dependency || !dependency.trim()) return [...granted];
+  if (granted.includes(dependency)) return [...granted];
+  return [...granted, dependency];
+}
+function applyRemoveDependents(granted, dependents) {
+  if (!dependents.length) return [...granted];
+  const dropSet = new Set(dependents);
+  return granted.filter((feature) => !dropSet.has(feature));
+}
+function applyRestoreDependency(granted, dependency) {
+  return applyAddMissingDependency(granted, dependency);
+}
+export {
+  applyAddMissingDependency,
+  applyRemoveDependents,
+  applyRestoreDependency,
+  resolveAclDependencyDiagnostics
+};
+//# sourceMappingURL=aclDependencies.js.map

package/dist/security/aclDependencies.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../src/security/aclDependencies.ts"],
+  "sourcesContent": ["import { hasFeature } from './features'\n\nexport type FeatureDescriptor = {\n  id: string\n  title?: string\n  module?: string\n  dependsOn?: readonly string[]\n}\n\nexport type MissingDependency = {\n  feature: string\n  missing: readonly string[]\n}\n\nexport type OrphanedDependent = {\n  dependency: string\n  dependents: readonly string[]\n}\n\nexport type UnknownReference = {\n  feature: string\n  missing: readonly string[]\n}\n\nexport type AclDependencyDiagnostics = {\n  missingDependencies: readonly MissingDependency[]\n  orphanedDependents: readonly OrphanedDependent[]\n  unknownReferences: readonly UnknownReference[]\n}\n\nconst EMPTY_DIAGNOSTICS: AclDependencyDiagnostics = Object.freeze({\n  missingDependencies: Object.freeze([]),\n  orphanedDependents: Object.freeze([]),\n  unknownReferences: Object.freeze([]),\n})\n\nfunction normalizeGranted(granted: readonly string[] | undefined): string[] {\n  if (!Array.isArray(granted)) return []\n  const set = new Set<string>()\n  for (const entry of granted) {\n    if (typeof entry !== 'string') continue\n    const trimmed = entry.trim()\n    if (!trimmed) continue\n    set.add(trimmed)\n  }\n  return Array.from(set)\n}\n\nfunction indexCatalog(catalog: readonly FeatureDescriptor[]): Map<string, FeatureDescriptor> {\n  const map = new Map<string, FeatureDescriptor>()\n  for (const descriptor of catalog) {\n    if (!descriptor || typeof descriptor.id !== 'string') continue\n    const id = descriptor.id.trim()\n    if (!id) continue\n    if (!map.has(id)) map.set(id, descriptor)\n  }\n  return map\n}\n\nexport function resolveAclDependencyDiagnostics(\n  granted: readonly string[] | undefined,\n  catalog: readonly FeatureDescriptor[] | undefined,\n): AclDependencyDiagnostics {\n  if (!Array.isArray(catalog) || catalog.length === 0) return EMPTY_DIAGNOSTICS\n  const grantedList = normalizeGranted(granted)\n  if (grantedList.includes('*')) return EMPTY_DIAGNOSTICS\n\n  const catalogIndex = indexCatalog(catalog)\n\n  const missingDependencies: MissingDependency[] = []\n  const unknownReferences: UnknownReference[] = []\n  const dependentsByDependency = new Map<string, Set<string>>()\n\n  for (const descriptor of catalog) {\n    if (!descriptor || typeof descriptor.id !== 'string') continue\n    const featureId = descriptor.id.trim()\n    if (!featureId) continue\n    const deps = Array.isArray(descriptor.dependsOn) ? descriptor.dependsOn : []\n    if (deps.length === 0) continue\n\n    if (!hasFeature(grantedList, featureId)) continue\n\n    const missing: string[] = []\n    const unknown: string[] = []\n    for (const rawDep of deps) {\n      if (typeof rawDep !== 'string') continue\n      const dep = rawDep.trim()\n      if (!dep) continue\n      const isRegistered = catalogIndex.has(dep) || dep.endsWith('.*') || dep === '*'\n      if (!isRegistered) {\n        unknown.push(dep)\n        continue\n      }\n      if (!hasFeature(grantedList, dep)) {\n        missing.push(dep)\n        const bucket = dependentsByDependency.get(dep) ?? new Set<string>()\n        bucket.add(featureId)\n        dependentsByDependency.set(dep, bucket)\n      }\n    }\n\n    if (missing.length > 0) {\n      missingDependencies.push({ feature: featureId, missing: dedupe(missing) })\n    }\n    if (unknown.length > 0) {\n      unknownReferences.push({ feature: featureId, missing: dedupe(unknown) })\n    }\n  }\n\n  const orphanedDependents: OrphanedDependent[] = []\n  for (const [dep, dependents] of dependentsByDependency) {\n    const known = catalogIndex.has(dep)\n    if (!known) continue\n    orphanedDependents.push({\n      dependency: dep,\n      dependents: Array.from(dependents).sort((a, b) => a.localeCompare(b)),\n    })\n  }\n  orphanedDependents.sort((a, b) => a.dependency.localeCompare(b.dependency))\n\n  return {\n    missingDependencies,\n    orphanedDependents,\n    unknownReferences: unknownReferences.sort((a, b) => a.feature.localeCompare(b.feature)),\n  }\n}\n\nfunction dedupe(values: readonly string[]): string[] {\n  return Array.from(new Set(values)).sort((a, b) => a.localeCompare(b))\n}\n\nexport function applyAddMissingDependency(\n  granted: readonly string[],\n  dependency: string,\n): string[] {\n  if (!dependency || !dependency.trim()) return [...granted]\n  if (granted.includes(dependency)) return [...granted]\n  return [...granted, dependency]\n}\n\nexport function applyRemoveDependents(\n  granted: readonly string[],\n  dependents: readonly string[],\n): string[] {\n  if (!dependents.length) return [...granted]\n  const dropSet = new Set(dependents)\n  return granted.filter((feature) => !dropSet.has(feature))\n}\n\nexport function applyRestoreDependency(\n  granted: readonly string[],\n  dependency: string,\n): string[] {\n  return applyAddMissingDependency(granted, dependency)\n}\n"],
+  "mappings": "AAAA,SAAS,kBAAkB;AA8B3B,MAAM,oBAA8C,OAAO,OAAO;AAAA,EAChE,qBAAqB,OAAO,OAAO,CAAC,CAAC;AAAA,EACrC,oBAAoB,OAAO,OAAO,CAAC,CAAC;AAAA,EACpC,mBAAmB,OAAO,OAAO,CAAC,CAAC;AACrC,CAAC;AAED,SAAS,iBAAiB,SAAkD;AAC1E,MAAI,CAAC,MAAM,QAAQ,OAAO,EAAG,QAAO,CAAC;AACrC,QAAM,MAAM,oBAAI,IAAY;AAC5B,aAAW,SAAS,SAAS;AAC3B,QAAI,OAAO,UAAU,SAAU;AAC/B,UAAM,UAAU,MAAM,KAAK;AAC3B,QAAI,CAAC,QAAS;AACd,QAAI,IAAI,OAAO;AAAA,EACjB;AACA,SAAO,MAAM,KAAK,GAAG;AACvB;AAEA,SAAS,aAAa,SAAuE;AAC3F,QAAM,MAAM,oBAAI,IAA+B;AAC/C,aAAW,cAAc,SAAS;AAChC,QAAI,CAAC,cAAc,OAAO,WAAW,OAAO,SAAU;AACtD,UAAM,KAAK,WAAW,GAAG,KAAK;AAC9B,QAAI,CAAC,GAAI;AACT,QAAI,CAAC,IAAI,IAAI,EAAE,EAAG,KAAI,IAAI,IAAI,UAAU;AAAA,EAC1C;AACA,SAAO;AACT;AAEO,SAAS,gCACd,SACA,SAC0B;AAC1B,MAAI,CAAC,MAAM,QAAQ,OAAO,KAAK,QAAQ,WAAW,EAAG,QAAO;AAC5D,QAAM,cAAc,iBAAiB,OAAO;AAC5C,MAAI,YAAY,SAAS,GAAG,EAAG,QAAO;AAEtC,QAAM,eAAe,aAAa,OAAO;AAEzC,QAAM,sBAA2C,CAAC;AAClD,QAAM,oBAAwC,CAAC;AAC/C,QAAM,yBAAyB,oBAAI,IAAyB;AAE5D,aAAW,cAAc,SAAS;AAChC,QAAI,CAAC,cAAc,OAAO,WAAW,OAAO,SAAU;AACtD,UAAM,YAAY,WAAW,GAAG,KAAK;AACrC,QAAI,CAAC,UAAW;AAChB,UAAM,OAAO,MAAM,QAAQ,WAAW,SAAS,IAAI,WAAW,YAAY,CAAC;AAC3E,QAAI,KAAK,WAAW,EAAG;AAEvB,QAAI,CAAC,WAAW,aAAa,SAAS,EAAG;AAEzC,UAAM,UAAoB,CAAC;AAC3B,UAAM,UAAoB,CAAC;AAC3B,eAAW,UAAU,MAAM;AACzB,UAAI,OAAO,WAAW,SAAU;AAChC,YAAM,MAAM,OAAO,KAAK;AACxB,UAAI,CAAC,IAAK;AACV,YAAM,eAAe,aAAa,IAAI,GAAG,KAAK,IAAI,SAAS,IAAI,KAAK,QAAQ;AAC5E,UAAI,CAAC,cAAc;AACjB,gBAAQ,KAAK,GAAG;AAChB;AAAA,MACF;AACA,UAAI,CAAC,WAAW,aAAa,GAAG,GAAG;AACjC,gBAAQ,KAAK,GAAG;AAChB,cAAM,SAAS,uBAAuB,IAAI,GAAG,KAAK,oBAAI,IAAY;AAClE,eAAO,IAAI,SAAS;AACpB,+BAAuB,IAAI,KAAK,MAAM;AAAA,MACxC;AAAA,IACF;AAEA,QAAI,QAAQ,SAAS,GAAG;AACtB,0BAAoB,KAAK,EAAE,SAAS,WAAW,SAAS,OAAO,OAAO,EAAE,CAAC;AAAA,IAC3E;AACA,QAAI,QAAQ,SAAS,GAAG;AACtB,wBAAkB,KAAK,EAAE,SAAS,WAAW,SAAS,OAAO,OAAO,EAAE,CAAC;AAAA,IACzE;AAAA,EACF;AAEA,QAAM,qBAA0C,CAAC;AACjD,aAAW,CAAC,KAAK,UAAU,KAAK,wBAAwB;AACtD,UAAM,QAAQ,aAAa,IAAI,GAAG;AAClC,QAAI,CAAC,MAAO;AACZ,uBAAmB,KAAK;AAAA,MACtB,YAAY;AAAA,MACZ,YAAY,MAAM,KAAK,UAAU,EAAE,KAAK,CAAC,GAAG,MAAM,EAAE,cAAc,CAAC,CAAC;AAAA,IACtE,CAAC;AAAA,EACH;AACA,qBAAmB,KAAK,CAAC,GAAG,MAAM,EAAE,WAAW,cAAc,EAAE,UAAU,CAAC;AAE1E,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA,mBAAmB,kBAAkB,KAAK,CAAC,GAAG,MAAM,EAAE,QAAQ,cAAc,EAAE,OAAO,CAAC;AAAA,EACxF;AACF;AAEA,SAAS,OAAO,QAAqC;AACnD,SAAO,MAAM,KAAK,IAAI,IAAI,MAAM,CAAC,EAAE,KAAK,CAAC,GAAG,MAAM,EAAE,cAAc,CAAC,CAAC;AACtE;AAEO,SAAS,0BACd,SACA,YACU;AACV,MAAI,CAAC,cAAc,CAAC,WAAW,KAAK,EAAG,QAAO,CAAC,GAAG,OAAO;AACzD,MAAI,QAAQ,SAAS,UAAU,EAAG,QAAO,CAAC,GAAG,OAAO;AACpD,SAAO,CAAC,GAAG,SAAS,UAAU;AAChC;AAEO,SAAS,sBACd,SACA,YACU;AACV,MAAI,CAAC,WAAW,OAAQ,QAAO,CAAC,GAAG,OAAO;AAC1C,QAAM,UAAU,IAAI,IAAI,UAAU;AAClC,SAAO,QAAQ,OAAO,CAAC,YAAY,CAAC,QAAQ,IAAI,OAAO,CAAC;AAC1D;AAEO,SAAS,uBACd,SACA,YACU;AACV,SAAO,0BAA0B,SAAS,UAAU;AACtD;",
+  "names": []
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@open-mercato/shared",
-  "version": "0.6.4-develop.3996.1.430e257cfc",
+  "version": "0.6.4-develop.4000.1.450e315cec",
   "type": "module",
   "main": "./dist/index.js",
   "scripts": {
@@ -92,7 +92,7 @@
     "@mikro-orm/core": "^7.1.1",
     "@mikro-orm/decorators": "^7.1.1",
     "@mikro-orm/postgresql": "^7.1.1",
-    "@open-mercato/cache": "0.6.4-develop.3996.1.430e257cfc",
+    "@open-mercato/cache": "0.6.4-develop.4000.1.450e315cec",
     "dotenv": "^17.4.2",
     "rate-limiter-flexible": "^11.1.0",
     "re2js": "2.8.3",

package/src/security/__tests__/aclDependencies.test.ts

@@ -0,0 +1,177 @@
+import {
+  applyAddMissingDependency,
+  applyRemoveDependents,
+  applyRestoreDependency,
+  resolveAclDependencyDiagnostics,
+  type FeatureDescriptor,
+} from '../aclDependencies'
+
+const catalog: FeatureDescriptor[] = [
+  { id: 'customers.people.view', title: 'View people', module: 'customers' },
+  {
+    id: 'customers.people.manage',
+    title: 'Manage people',
+    module: 'customers',
+    dependsOn: ['customers.people.view'],
+  },
+  { id: 'customers.deals.view', title: 'View deals', module: 'customers', dependsOn: ['customers.people.view'] },
+  { id: 'customers.deals.manage', title: 'Manage deals', module: 'customers', dependsOn: ['customers.deals.view'] },
+  { id: 'customers.activities.view', title: 'View activities', module: 'customers' },
+  {
+    id: 'customers.widgets.todos',
+    title: 'Todos widget',
+    module: 'customers',
+    dependsOn: ['customers.activities.view'],
+  },
+  {
+    id: 'sales.orders.view',
+    title: 'View orders',
+    module: 'sales',
+    dependsOn: ['customers.people.view', 'sales.channels.view-doesnt-exist'],
+  },
+]
+
+describe('resolveAclDependencyDiagnostics', () => {
+  it('returns empty diagnostics when granted is empty', () => {
+    const result = resolveAclDependencyDiagnostics([], catalog)
+    expect(result.missingDependencies).toEqual([])
+    expect(result.orphanedDependents).toEqual([])
+    expect(result.unknownReferences).toEqual([])
+  })
+
+  it('returns empty diagnostics when granted contains global wildcard', () => {
+    const result = resolveAclDependencyDiagnostics(['*'], catalog)
+    expect(result.missingDependencies).toEqual([])
+    expect(result.orphanedDependents).toEqual([])
+    expect(result.unknownReferences).toEqual([])
+  })
+
+  it('returns empty diagnostics when all granted features have their deps satisfied', () => {
+    const result = resolveAclDependencyDiagnostics(
+      ['customers.people.view', 'customers.people.manage', 'customers.deals.view', 'customers.deals.manage'],
+      catalog,
+    )
+    expect(result.missingDependencies).toEqual([])
+    expect(result.orphanedDependents).toEqual([])
+  })
+
+  it('flags a granted feature whose declared dependency is missing', () => {
+    const result = resolveAclDependencyDiagnostics(['customers.people.manage'], catalog)
+    expect(result.missingDependencies).toEqual([
+      { feature: 'customers.people.manage', missing: ['customers.people.view'] },
+    ])
+  })
+
+  it('treats module wildcards as satisfying matching deps', () => {
+    const result = resolveAclDependencyDiagnostics(['customers.*', 'customers.people.manage'], catalog)
+    expect(result.missingDependencies).toEqual([])
+  })
+
+  it('reports orphaned dependents when a parent is not granted but children are', () => {
+    const result = resolveAclDependencyDiagnostics(['customers.people.manage', 'customers.deals.view'], catalog)
+    // people.manage depends on people.view (not granted) → orphan parent: customers.people.view
+    // deals.view depends on people.view → also orphan parent: customers.people.view
+    expect(result.orphanedDependents).toEqual([
+      {
+        dependency: 'customers.people.view',
+        dependents: ['customers.deals.view', 'customers.people.manage'],
+      },
+    ])
+  })
+
+  it('flags unknown references for deps that do not resolve to a registered feature', () => {
+    const result = resolveAclDependencyDiagnostics(['sales.orders.view'], catalog)
+    expect(result.unknownReferences).toEqual([
+      {
+        feature: 'sales.orders.view',
+        missing: ['sales.channels.view-doesnt-exist'],
+      },
+    ])
+  })
+
+  it('skips wildcard dep targets from unknown-reference checks', () => {
+    const wildcardCatalog: FeatureDescriptor[] = [
+      { id: 'compose.feature', dependsOn: ['something.*'] },
+    ]
+    const result = resolveAclDependencyDiagnostics(['compose.feature'], wildcardCatalog)
+    expect(result.unknownReferences).toEqual([])
+    expect(result.missingDependencies).toEqual([
+      { feature: 'compose.feature', missing: ['something.*'] },
+    ])
+  })
+
+  it('does not double-count when the same dep is missing from multiple granted features', () => {
+    const result = resolveAclDependencyDiagnostics(
+      ['customers.deals.view', 'customers.deals.manage'],
+      catalog,
+    )
+    // both depend (directly or transitively) on customers.people.view
+    expect(result.orphanedDependents).toEqual([
+      {
+        dependency: 'customers.people.view',
+        dependents: ['customers.deals.view'],
+      },
+    ])
+    // deals.manage depends on deals.view which IS granted → no missing
+    expect(result.missingDependencies).toEqual([
+      { feature: 'customers.deals.view', missing: ['customers.people.view'] },
+    ])
+  })
+
+  it('detects widget dependency violation when widget granted without underlying view', () => {
+    const result = resolveAclDependencyDiagnostics(['customers.widgets.todos'], catalog)
+    expect(result.missingDependencies).toEqual([
+      { feature: 'customers.widgets.todos', missing: ['customers.activities.view'] },
+    ])
+  })
+
+  it('ignores deps that are dropped/empty strings', () => {
+    const weirdCatalog: FeatureDescriptor[] = [
+      { id: 'a', dependsOn: ['', '   ', 'b'] },
+      { id: 'b' },
+    ]
+    const result = resolveAclDependencyDiagnostics(['a'], weirdCatalog)
+    expect(result.missingDependencies).toEqual([{ feature: 'a', missing: ['b'] }])
+  })
+
+  it('handles repeated entries in granted (dedupe via Set)', () => {
+    const result = resolveAclDependencyDiagnostics(
+      ['customers.people.manage', 'customers.people.manage'],
+      catalog,
+    )
+    expect(result.missingDependencies).toEqual([
+      { feature: 'customers.people.manage', missing: ['customers.people.view'] },
+    ])
+  })
+})
+
+describe('applyAddMissingDependency', () => {
+  it('appends the dependency if not already present', () => {
+    expect(applyAddMissingDependency(['a'], 'b')).toEqual(['a', 'b'])
+  })
+  it('is a no-op when already present', () => {
+    expect(applyAddMissingDependency(['a', 'b'], 'b')).toEqual(['a', 'b'])
+  })
+  it('skips empty strings', () => {
+    expect(applyAddMissingDependency(['a'], '')).toEqual(['a'])
+    expect(applyAddMissingDependency(['a'], '   ')).toEqual(['a'])
+  })
+})
+
+describe('applyRemoveDependents', () => {
+  it('removes listed features from granted', () => {
+    expect(applyRemoveDependents(['a', 'b', 'c'], ['b'])).toEqual(['a', 'c'])
+  })
+  it('removes multiple', () => {
+    expect(applyRemoveDependents(['a', 'b', 'c'], ['a', 'c'])).toEqual(['b'])
+  })
+  it('is a no-op for empty list', () => {
+    expect(applyRemoveDependents(['a', 'b'], [])).toEqual(['a', 'b'])
+  })
+})
+
+describe('applyRestoreDependency', () => {
+  it('adds the dependency back (alias of applyAddMissingDependency)', () => {
+    expect(applyRestoreDependency(['a'], 'b')).toEqual(['a', 'b'])
+  })
+})

package/src/security/aclDependencies.ts

@@ -0,0 +1,155 @@
+import { hasFeature } from './features'
+
+export type FeatureDescriptor = {
+  id: string
+  title?: string
+  module?: string
+  dependsOn?: readonly string[]
+}
+
+export type MissingDependency = {
+  feature: string
+  missing: readonly string[]
+}
+
+export type OrphanedDependent = {
+  dependency: string
+  dependents: readonly string[]
+}
+
+export type UnknownReference = {
+  feature: string
+  missing: readonly string[]
+}
+
+export type AclDependencyDiagnostics = {
+  missingDependencies: readonly MissingDependency[]
+  orphanedDependents: readonly OrphanedDependent[]
+  unknownReferences: readonly UnknownReference[]
+}
+
+const EMPTY_DIAGNOSTICS: AclDependencyDiagnostics = Object.freeze({
+  missingDependencies: Object.freeze([]),
+  orphanedDependents: Object.freeze([]),
+  unknownReferences: Object.freeze([]),
+})
+
+function normalizeGranted(granted: readonly string[] | undefined): string[] {
+  if (!Array.isArray(granted)) return []
+  const set = new Set<string>()
+  for (const entry of granted) {
+    if (typeof entry !== 'string') continue
+    const trimmed = entry.trim()
+    if (!trimmed) continue
+    set.add(trimmed)
+  }
+  return Array.from(set)
+}
+
+function indexCatalog(catalog: readonly FeatureDescriptor[]): Map<string, FeatureDescriptor> {
+  const map = new Map<string, FeatureDescriptor>()
+  for (const descriptor of catalog) {
+    if (!descriptor || typeof descriptor.id !== 'string') continue
+    const id = descriptor.id.trim()
+    if (!id) continue
+    if (!map.has(id)) map.set(id, descriptor)
+  }
+  return map
+}
+
+export function resolveAclDependencyDiagnostics(
+  granted: readonly string[] | undefined,
+  catalog: readonly FeatureDescriptor[] | undefined,
+): AclDependencyDiagnostics {
+  if (!Array.isArray(catalog) || catalog.length === 0) return EMPTY_DIAGNOSTICS
+  const grantedList = normalizeGranted(granted)
+  if (grantedList.includes('*')) return EMPTY_DIAGNOSTICS
+
+  const catalogIndex = indexCatalog(catalog)
+
+  const missingDependencies: MissingDependency[] = []
+  const unknownReferences: UnknownReference[] = []
+  const dependentsByDependency = new Map<string, Set<string>>()
+
+  for (const descriptor of catalog) {
+    if (!descriptor || typeof descriptor.id !== 'string') continue
+    const featureId = descriptor.id.trim()
+    if (!featureId) continue
+    const deps = Array.isArray(descriptor.dependsOn) ? descriptor.dependsOn : []
+    if (deps.length === 0) continue
+
+    if (!hasFeature(grantedList, featureId)) continue
+
+    const missing: string[] = []
+    const unknown: string[] = []
+    for (const rawDep of deps) {
+      if (typeof rawDep !== 'string') continue
+      const dep = rawDep.trim()
+      if (!dep) continue
+      const isRegistered = catalogIndex.has(dep) || dep.endsWith('.*') || dep === '*'
+      if (!isRegistered) {
+        unknown.push(dep)
+        continue
+      }
+      if (!hasFeature(grantedList, dep)) {
+        missing.push(dep)
+        const bucket = dependentsByDependency.get(dep) ?? new Set<string>()
+        bucket.add(featureId)
+        dependentsByDependency.set(dep, bucket)
+      }
+    }
+
+    if (missing.length > 0) {
+      missingDependencies.push({ feature: featureId, missing: dedupe(missing) })
+    }
+    if (unknown.length > 0) {
+      unknownReferences.push({ feature: featureId, missing: dedupe(unknown) })
+    }
+  }
+
+  const orphanedDependents: OrphanedDependent[] = []
+  for (const [dep, dependents] of dependentsByDependency) {
+    const known = catalogIndex.has(dep)
+    if (!known) continue
+    orphanedDependents.push({
+      dependency: dep,
+      dependents: Array.from(dependents).sort((a, b) => a.localeCompare(b)),
+    })
+  }
+  orphanedDependents.sort((a, b) => a.dependency.localeCompare(b.dependency))
+
+  return {
+    missingDependencies,
+    orphanedDependents,
+    unknownReferences: unknownReferences.sort((a, b) => a.feature.localeCompare(b.feature)),
+  }
+}
+
+function dedupe(values: readonly string[]): string[] {
+  return Array.from(new Set(values)).sort((a, b) => a.localeCompare(b))
+}
+
+export function applyAddMissingDependency(
+  granted: readonly string[],
+  dependency: string,
+): string[] {
+  if (!dependency || !dependency.trim()) return [...granted]
+  if (granted.includes(dependency)) return [...granted]
+  return [...granted, dependency]
+}
+
+export function applyRemoveDependents(
+  granted: readonly string[],
+  dependents: readonly string[],
+): string[] {
+  if (!dependents.length) return [...granted]
+  const dropSet = new Set(dependents)
+  return granted.filter((feature) => !dropSet.has(feature))
+}
+
+export function applyRestoreDependency(
+  granted: readonly string[],
+  dependency: string,
+): string[] {
+  return applyAddMissingDependency(granted, dependency)
+}