npm - ownerlens - Versions diffs - 0.1.0 - Mend

ownerlens 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (144) hide show

package/src/providers/azure/identities/buildAzureManagedIdentityAssignmentIndex.ts ADDED Viewed

@@ -0,0 +1,35 @@
+import type { AzureResource } from "../../../core/azure/resources";
+import type { AzureManagedIdentityResourceAssignment } from "./azureIdentityTypes";
+import { normalizeUserAssignedIdentityAssignments } from "./userAssignedIdentityAssignments";
+export function getResourceManagedIdentityAssignments(resource: AzureResource): AzureManagedIdentityResourceAssignment[] {
+  const assignments = normalizeUserAssignedIdentityAssignments(resource.userAssignedIdentities).map((assignment) => ({
+    ...assignment,
+    assignedResourceId: resource.resourceId,
+    assignedResourceName: resource.resourceName,
+    assignedResourceType: resource.resourceType,
+    assignedResourceGroup: resource.resourceGroup,
+    subscriptionId: resource.subscriptionId,
+    subscriptionName: resource.subscriptionName
+  }));
+  if (hasSystemAssignedIdentity(resource)) {
+    assignments.push({
+      resourceId: resource.resourceId,
+      clientId: null,
+      principalId: resource.identityPrincipalId,
+      assignedResourceId: resource.resourceId,
+      assignedResourceName: resource.resourceName,
+      assignedResourceType: resource.resourceType,
+      assignedResourceGroup: resource.resourceGroup,
+      subscriptionId: resource.subscriptionId,
+      subscriptionName: resource.subscriptionName
+    });
+  }
+  return assignments;
+}
+function hasSystemAssignedIdentity(resource: AzureResource): boolean {
+  return Boolean(resource.identityPrincipalId && resource.identityType?.toLowerCase().includes("systemassigned"));
+}

package/src/providers/azure/identities/userAssignedIdentityAssignments.ts ADDED Viewed

@@ -0,0 +1,52 @@
+import type { AzureUserAssignedIdentityAssignment } from "../../../core/azure/resources";
+export function normalizeUserAssignedIdentityAssignments(
+  userAssignedIdentities: unknown
+): AzureUserAssignedIdentityAssignment[] {
+  if (!isRecord(userAssignedIdentities)) {
+    return Array.isArray(userAssignedIdentities)
+      ? userAssignedIdentities.map(normalizeExistingAssignment).filter(isAssignment)
+      : [];
+  }
+  return Object.entries(userAssignedIdentities).map(([resourceId, details]) => ({
+    resourceId,
+    clientId: getStringProperty(details, "clientId"),
+    principalId: getStringProperty(details, "principalId")
+  }));
+}
+function normalizeExistingAssignment(value: unknown): AzureUserAssignedIdentityAssignment | null {
+  if (!isRecord(value)) {
+    return null;
+  }
+  const resourceId = getStringProperty(value, "resourceId");
+  if (!resourceId) {
+    return null;
+  }
+  return {
+    resourceId,
+    clientId: getStringProperty(value, "clientId"),
+    principalId: getStringProperty(value, "principalId")
+  };
+}
+function isAssignment(value: AzureUserAssignedIdentityAssignment | null): value is AzureUserAssignedIdentityAssignment {
+  return value !== null;
+}
+function getStringProperty(value: unknown, propertyName: string): string | null {
+  if (!isRecord(value)) {
+    return null;
+  }
+  const matchingKey = Object.keys(value).find((key) => key.toLowerCase() === propertyName.toLowerCase());
+  const propertyValue = matchingKey ? value[matchingKey] : null;
+  return typeof propertyValue === "string" && propertyValue.trim() ? propertyValue.trim() : null;
+}
+function isRecord(value: unknown): value is Record<string, unknown> {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}

package/src/providers/azure/inputTransferObject/entra/EntraAppRoleAssignment.ts ADDED Viewed

@@ -0,0 +1,10 @@
+export type EntraAppRoleAssignment = {
+  id: string;
+  appRoleId: string;
+  appRoleDisplayName: string | null;
+  appRoleValue: string | null;
+  principalId: string;
+  principalDisplayName: string | null;
+  resourceId: string;
+  resourceDisplayName: string | null;
+};

package/src/providers/azure/inputTransferObject/entra/EntraApplication.ts ADDED Viewed

@@ -0,0 +1,27 @@
+import type { EntraOwner, EntraAppRole } from "./EntraServicePrincipal";
+export type EntraApplicationCredential = Record<string, unknown>;
+export type EntraApplication = {
+  id: string;
+  appId: string;
+  displayName: string;
+  signInAudience: string | null;
+  publisherDomain: string | null;
+  identifierUris: string[];
+  tags: string[];
+  appRoles: EntraAppRole[];
+  oauth2PermissionScopes: Record<string, unknown>[];
+  requiredResourceAccess: Record<string, unknown>[];
+  web: Record<string, unknown> | null;
+  spa: Record<string, unknown> | null;
+  publicClient: Record<string, unknown> | null;
+  passwordCredentials: EntraApplicationCredential[];
+  keyCredentials: EntraApplicationCredential[];
+  createdDateTime: string | null;
+  deletedDateTime: string | null;
+  disabledByMicrosoftStatus: string | null;
+  info: Record<string, unknown> | null;
+  notes: string | null;
+  owners: EntraOwner[];
+};

package/src/providers/azure/inputTransferObject/entra/EntraOAuth2PermissionGrant.ts ADDED Viewed

@@ -0,0 +1,8 @@
+export type EntraOAuth2PermissionGrant = {
+  id: string;
+  clientId: string;
+  consentType: "Principal" | "AllPrincipals" | string;
+  principalId: string | null;
+  resourceId: string;
+  scope: string;
+};

package/src/providers/azure/inputTransferObject/entra/EntraServicePrincipal.ts ADDED Viewed

@@ -0,0 +1,43 @@
+export type ServicePrincipalType = "Application" | "ManagedIdentity" | "SocialIdp" | "Legacy";
+export type ServicePrincipalAppRole = {
+  id: string;
+  value: string | null;
+  displayName: string | null;
+  description: string | null;
+  isEnabled: boolean | null;
+  allowedMemberTypes: string[];
+};
+export type ServicePrincipalOwner = {
+  id?: string | null;
+  displayName?: string | null;
+  userPrincipalName?: string | null;
+  mail?: string | null;
+  ownerType?: string | null;
+};
+export type EntraServicePrincipal = {
+  id: string;
+  appId: string;
+  displayName: string;
+  appDisplayName: string | null;
+  servicePrincipalType: ServicePrincipalType;
+  publisherName: string | null;
+  accountEnabled: boolean;
+  appOwnerOrganizationId: string | null;
+  homepage: string | null;
+  loginUrl: string | null;
+  replyUrls: string[];
+  servicePrincipalNames: string[];
+  tags: string[];
+  appRoles?: ServicePrincipalAppRole[];
+  owners?: ServicePrincipalOwner[];
+  appOwners?: ServicePrincipalOwner[];
+  servicePrincipalOwners?: ServicePrincipalOwner[];
+  applicationOwners?: ServicePrincipalOwner[];
+  metadata?: Record<string, unknown> | null;
+};
+export type EntraAppRole = ServicePrincipalAppRole;
+export type EntraOwner = ServicePrincipalOwner;

package/src/providers/azure/inputTransferObject/entra/EntraSnapshot.ts ADDED Viewed

@@ -0,0 +1,13 @@
+import type { EntraApplication } from "./EntraApplication";
+import type { EntraAppRoleAssignment } from "./EntraAppRoleAssignment";
+import type { EntraOAuth2PermissionGrant } from "./EntraOAuth2PermissionGrant";
+import type { EntraServicePrincipal } from "./EntraServicePrincipal";
+import type { EntraSnapshotMeta } from "./EntraSnapshotMeta";
+export type EntraSnapshot = {
+  meta: EntraSnapshotMeta;
+  servicePrincipals: EntraServicePrincipal[];
+  applications?: EntraApplication[];
+  oauth2PermissionGrants?: EntraOAuth2PermissionGrant[];
+  appRoleAssignments?: EntraAppRoleAssignment[];
+};

package/src/providers/azure/inputTransferObject/entra/EntraSnapshotMeta.ts ADDED Viewed

@@ -0,0 +1,12 @@
+export type EntraSnapshotMeta = {
+  provider: "entra";
+  snapshotVersion: string;
+  createdAt: string;
+  tenantId: string;
+  account: string;
+  scopes: string[];
+  servicePrincipalCount: number;
+  applicationCount?: number;
+  oauth2PermissionGrantCount?: number;
+  appRoleAssignmentCount?: number;
+};

package/src/providers/azure/inputTransferObject/resources/AzureActivityLog.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export type { AzureActivityLog } from "../../../../core/azure/resources";

package/src/providers/azure/inputTransferObject/resources/AzureResource.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export type { AzureResource, AzureUserAssignedIdentityAssignment } from "../../../../core/azure/resources";

package/src/providers/azure/inputTransferObject/resources/AzureResourceGroup.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export type { AzureResourceGroup, AzureResourceTags } from "../../../../core/azure/resources";

package/src/providers/azure/inputTransferObject/resources/AzureRoleAssignment.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export type { AzureRoleAssignment } from "../../../../core/azure/resources";

package/src/providers/azure/inputTransferObject/resources/AzureSnapshot.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export type { AzureSnapshot } from "../../../../core/azure/resources";

package/src/providers/azure/inputTransferObject/resources/AzureSnapshotMeta.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export type { AzureSnapshotMeta } from "../../../../core/azure/resources";

package/src/providers/azure/inputTransferObject/resources/AzureSubscription.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export type { AzureSubscription, AzureSubscriptionState } from "../../../../core/azure/resources";

package/src/providers/azure/inputTransferObject/resources/AzureUserAssignedManagedIdentity.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export type { AzureUserAssignedManagedIdentity } from "../../../../core/azure/resources";

package/src/providers/azure/ownership/azureActivityOwnershipEvidence.ts ADDED Viewed

@@ -0,0 +1,60 @@
+import type { EntraServicePrincipal } from "../inputTransferObject/entra/EntraServicePrincipal";
+import type { AzureActivityLog } from "../../../core/azure/resources";
+export function normalizeOwner(value: string): string {
+  return value.trim().toLowerCase();
+}
+export function getTagValue(tags: Record<string, string> | null, key: string): string | null {
+  if (!tags) {
+    return null;
+  }
+  const matchingKey = Object.keys(tags).find((tagKey) => tagKey.toLowerCase() === key.toLowerCase());
+  const value = matchingKey ? tags[matchingKey] : null;
+  return value?.trim() ? value.trim() : null;
+}
+export function getActivityIndexKey(subscriptionId: string, resourceGroupName: string | null): string {
+  return `${subscriptionId.toLowerCase()}::${(resourceGroupName ?? "").toLowerCase()}`;
+}
+export function isOwnerActivity(log: AzureActivityLog): boolean {
+  if (log.category !== "Administrative" || log.status !== "Succeeded" || !log.caller?.trim()) {
+    return false;
+  }
+  const action = `${log.authorizationAction ?? ""} ${log.operationNameValue ?? ""}`.toLowerCase();
+  return action.includes("/write") || action.includes("/action");
+}
+export function compareLogsNewestFirst(left: AzureActivityLog, right: AzureActivityLog): number {
+  return getTime(right.eventTimestamp) - getTime(left.eventTimestamp);
+}
+export function getTime(value: string): number {
+  const parsed = new Date(value).getTime();
+  return Number.isNaN(parsed) ? 0 : parsed;
+}
+export function buildServicePrincipalIndex(servicePrincipals: EntraServicePrincipal[]): Map<string, EntraServicePrincipal> {
+  const index = new Map<string, EntraServicePrincipal>();
+  for (const servicePrincipal of servicePrincipals) {
+    index.set(servicePrincipal.id.toLowerCase(), servicePrincipal);
+    index.set(servicePrincipal.appId.toLowerCase(), servicePrincipal);
+  }
+  return index;
+}
+export function describeIdentity(identity: string, servicePrincipalIndex: Map<string, EntraServicePrincipal>): string {
+  const normalized = normalizeOwner(identity);
+  const servicePrincipal = servicePrincipalIndex.get(normalized);
+  if (!servicePrincipal) {
+    return normalized;
+  }
+  return `${servicePrincipal.displayName} (${normalized})`;
+}

package/src/providers/azure/ownership/azureOwnerReportTypes.ts ADDED Viewed

@@ -0,0 +1,13 @@
+import type { OwnerResolution } from "../../../core/ownership/types";
+export type OwnerReportRow = OwnerResolution & {
+  kind: "subscription" | "resourceGroup";
+  resourceGroup: string | null;
+  subscriptionId: string;
+  subscriptionName: string;
+  targetKey: string;
+};
+export type OwnerReport = {
+  owners: OwnerReportRow[];
+};

package/src/providers/azure/ownership/azureOwnershipConfig.ts ADDED Viewed

@@ -0,0 +1,21 @@
+import { appConfig } from "../../../core/config";
+import { azureOwnerAdapter } from "./resolveAzureOwner";
+import type { AzureOwnerTagConfigMap, AzureReportConfig } from "./azureOwnershipTypes";
+export const azureOwnershipConfig: AzureReportConfig = {
+  tags: buildOwnerTagConfigMap(appConfig.azure.ownership.ownerTags),
+  ownerTargets: [
+    {
+      kind: "subscription",
+      adapter: azureOwnerAdapter
+    },
+    {
+      kind: "resourceGroup",
+      adapter: azureOwnerAdapter
+    }
+  ]
+};
+function buildOwnerTagConfigMap(ownerTags: typeof appConfig.azure.ownership.ownerTags): AzureOwnerTagConfigMap {
+  return Object.fromEntries(ownerTags.map(({ name, confidence }) => [name, { confidence }]));
+}

package/src/providers/azure/ownership/azureOwnershipTypes.ts ADDED Viewed

@@ -0,0 +1,46 @@
+import type {
+  AzureActivityLog,
+  AzureResourceGroup,
+  AzureSnapshot,
+  AzureSubscription
+} from "../../../core/azure/resources";
+import type { OwnerResolver } from "../../../core/ownership/resolveOwner";
+import type { OwnerResolution } from "../../../core/ownership/types";
+import type { EntraSnapshot } from "../inputTransferObject/entra/EntraSnapshot";
+import type { EntraServicePrincipal } from "../inputTransferObject/entra/EntraServicePrincipal";
+export type AzureScopeOwnershipTarget =
+  | {
+      kind: "subscription";
+      subscription: AzureSubscription;
+    }
+  | {
+      kind: "resourceGroup";
+      resourceGroup: AzureResourceGroup;
+    };
+export type OwnerResolverContext = {
+  resourceSnapshot: AzureSnapshot;
+  entraSnapshot: EntraSnapshot;
+  tags: AzureOwnerTagConfigMap;
+  activityLogIndex: ActivityLogIndex;
+  servicePrincipalIndex: Map<string, EntraServicePrincipal>;
+};
+export type OwnerResolverAdapter = OwnerResolver<AzureScopeOwnershipTarget, OwnerResolverContext>;
+export type AzureOwnerTargetConfig = {
+  kind: AzureScopeOwnershipTarget["kind"];
+  adapter: OwnerResolverAdapter;
+};
+export type AzureReportConfig = {
+  tags: AzureOwnerTagConfigMap;
+  ownerTargets: AzureOwnerTargetConfig[];
+};
+export type ActivityLogIndex = Map<string, AzureActivityLog[]>;
+export type AzureOwnerTagConfig = Pick<OwnerResolution, "confidence">;
+export type AzureOwnerTagConfigMap = Record<string, AzureOwnerTagConfig>;

package/src/providers/azure/ownership/buildAzureOwnershipReport.test.ts ADDED Viewed

@@ -0,0 +1,99 @@
+import { buildAzureOwnershipReport } from "./buildAzureOwnershipReport";
+import { azureOwnerAdapter } from "./resolveAzureOwner";
+import type { EntraSnapshot } from "../inputTransferObject/entra/EntraSnapshot";
+import type { AzureSnapshot } from "../../../core/azure/resources";
+test("resolves owners from configurable tag names", () => {
+  const report = buildAzureOwnershipReport(resourceSnapshot(), entraSnapshot(), {
+    tags: {
+      businessOwner: {
+        confidence: "high"
+      },
+      technicalOwner: {
+        confidence: "medium"
+      }
+    },
+    ownerTargets: [
+      {
+        kind: "resourceGroup",
+        adapter: azureOwnerAdapter
+      }
+    ]
+  });
+  expect(report.owners).toEqual([
+    expect.objectContaining({
+      resourceGroup: "rg-payments",
+      owner: "sg-payments-platform",
+      confidence: "high",
+      source: "tag.businessOwner",
+      evidence: [{ user: "businessOwner=sg-payments-platform", date: null }]
+    }),
+    expect.objectContaining({
+      resourceGroup: "rg-billing",
+      owner: "alice@example.com",
+      confidence: "medium",
+      source: "tag.technicalOwner",
+      evidence: [{ user: "technicalOwner=Alice@Example.com", date: null }]
+    })
+  ]);
+});
+function resourceSnapshot(): AzureSnapshot {
+  return {
+    meta: {
+      provider: "azure",
+      snapshotVersion: "1",
+      createdAt: "2026-05-01T00:00:00.000Z",
+      activityDays: 30,
+      activityStartTime: "2026-04-01T00:00:00.000Z",
+      maxActivityRecords: 1000,
+      requestedSubscriptions: [],
+      subscriptionCount: 1,
+      resourceGroupCount: 2,
+      resourceCount: 0,
+      userAssignedManagedIdentityCount: 0,
+      activityLogCount: 0
+    },
+    subscriptions: [],
+    resourceGroups: [
+      {
+        subscriptionId: "sub-1",
+        subscriptionName: "Subscription Alpha",
+        resourceGroup: "rg-payments",
+        location: "westeurope",
+        tags: {
+          businessOwner: "sg-payments-platform"
+        }
+      },
+      {
+        subscriptionId: "sub-1",
+        subscriptionName: "Subscription Alpha",
+        resourceGroup: "rg-billing",
+        location: "westeurope",
+        tags: {
+          technicalOwner: "Alice@Example.com"
+        }
+      }
+    ],
+    resources: [],
+    userAssignedManagedIdentities: [],
+    roleAssignments: [],
+    activityLogs: []
+  };
+}
+function entraSnapshot(): EntraSnapshot {
+  return {
+    meta: {
+      provider: "entra",
+      snapshotVersion: "1",
+      createdAt: "2026-05-01T00:00:00.000Z",
+      tenantId: "tenant-1",
+      account: "admin@example.com",
+      scopes: [],
+      servicePrincipalCount: 0
+    },
+    servicePrincipals: []
+  };
+}

package/src/providers/azure/ownership/buildAzureOwnershipReport.ts ADDED Viewed

@@ -0,0 +1,90 @@
+import type { AzureSnapshot } from "../../../core/azure/resources";
+import type { EntraSnapshot } from "../inputTransferObject/entra/EntraSnapshot";
+import type { OwnerReport, OwnerReportRow } from "./azureOwnerReportTypes";
+import { azureOwnershipConfig } from "./azureOwnershipConfig";
+import { buildActivityIndex } from "./resolveAzureOwner";
+import { buildServicePrincipalIndex } from "./azureActivityOwnershipEvidence";
+import type { AzureReportConfig, AzureScopeOwnershipTarget } from "./azureOwnershipTypes";
+export function buildAzureOwnershipReport(
+  resourceSnapshot: AzureSnapshot,
+  entraSnapshot: EntraSnapshot,
+  config: AzureReportConfig = azureOwnershipConfig
+): OwnerReport {
+  const context = {
+    resourceSnapshot,
+    entraSnapshot,
+    tags: config.tags,
+    activityLogIndex: buildActivityIndex(resourceSnapshot.activityLogs),
+    servicePrincipalIndex: buildServicePrincipalIndex(entraSnapshot.servicePrincipals)
+  };
+  const owners = config.ownerTargets.flatMap((targetConfig) => {
+    const targets = getTargets(targetConfig.kind, resourceSnapshot);
+    return targets.map((target): OwnerReportRow => {
+      const resolution = targetConfig.adapter.resolveOwner(target, context);
+      const identity = getTargetIdentity(target);
+      return {
+        ...identity,
+        ...resolution
+      };
+    });
+  });
+  return {
+    owners
+  };
+}
+function getTargets(
+  kind: AzureScopeOwnershipTarget["kind"],
+  resourceSnapshot: AzureSnapshot
+): AzureScopeOwnershipTarget[] {
+  if (kind === "subscription") {
+    return resourceSnapshot.subscriptions.map((subscription) => ({
+      kind,
+      subscription
+    }));
+  }
+  return resourceSnapshot.resourceGroups.map((resourceGroup) => ({
+    kind,
+    resourceGroup
+  }));
+}
+function getTargetIdentity(target: AzureScopeOwnershipTarget): Pick<
+  OwnerReportRow,
+  "targetKey" | "kind" | "subscriptionId" | "subscriptionName" | "resourceGroup"
+> {
+  if (target.kind === "subscription") {
+    return {
+      targetKey: getAzureOwnerTargetKey(target.kind, target.subscription.subscriptionId, null),
+      kind: target.kind,
+      subscriptionId: target.subscription.subscriptionId,
+      subscriptionName: target.subscription.subscriptionName,
+      resourceGroup: null
+    };
+  }
+  return {
+    targetKey: getAzureOwnerTargetKey(
+      target.kind,
+      target.resourceGroup.subscriptionId,
+      target.resourceGroup.resourceGroup
+    ),
+    kind: target.kind,
+    subscriptionId: target.resourceGroup.subscriptionId,
+    subscriptionName: target.resourceGroup.subscriptionName,
+    resourceGroup: target.resourceGroup.resourceGroup
+  };
+}
+function getAzureOwnerTargetKey(
+  kind: OwnerReportRow["kind"],
+  subscriptionId: string,
+  resourceGroup: string | null
+): string {
+  return [kind, subscriptionId.toLowerCase(), (resourceGroup ?? "").toLowerCase()].join(":");
+}

package/src/providers/azure/ownership/buildAzureOwnershipTargets.test.ts ADDED Viewed

@@ -0,0 +1,87 @@
+import { buildZeroTrustAssessmentAuditFindingTarget } from "../../../core/ownership/OwnershipTarget";
+import type { EntraServicePrincipal } from "../inputTransferObject/entra/EntraServicePrincipal";
+import type { AzureUserAssignedManagedIdentity } from "../../../core/azure/resources";
+import {
+  buildAzureManagedIdentityOwnershipTargets,
+  buildEntraServicePrincipalOwnershipTargets
+} from "./buildAzureOwnershipTargets";
+test("maps Azure managed identities to generic ownership targets", () => {
+  const identity: AzureUserAssignedManagedIdentity = {
+    subscriptionId: "sub-1",
+    subscriptionName: "Production",
+    resourceId: "/subscriptions/sub-1/resourceGroups/rg-1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-1",
+    name: "id-1",
+    resourceGroup: "rg-1",
+    location: "westeurope",
+    clientId: "client-1",
+    principalId: "principal-1",
+    tenantId: "tenant-1",
+    tags: null
+  };
+  expect(buildAzureManagedIdentityOwnershipTargets([identity])).toEqual([
+    {
+      id: identity.resourceId,
+      kind: "azure.managedIdentity",
+      displayName: "id-1",
+      sourceProvider: "azure",
+      technicalId: "principal-1",
+      refs: [
+        { type: "azure.subscription", id: "sub-1", label: "Production" },
+        { type: "azure.resourceGroup", id: "rg-1" },
+        { type: "entra.servicePrincipal", id: "principal-1" },
+        { type: "entra.application", id: "client-1" },
+        { type: "entra.tenant", id: "tenant-1" }
+      ]
+    }
+  ]);
+});
+test("maps Entra service principals to generic ownership targets", () => {
+  const servicePrincipal: EntraServicePrincipal = {
+    id: "sp-1",
+    appId: "app-1",
+    displayName: "Payroll API",
+    appDisplayName: "Payroll",
+    servicePrincipalType: "Application",
+    publisherName: null,
+    accountEnabled: true,
+    appOwnerOrganizationId: "tenant-1",
+    homepage: null,
+    loginUrl: null,
+    replyUrls: [],
+    servicePrincipalNames: [],
+    tags: []
+  };
+  expect(buildEntraServicePrincipalOwnershipTargets([servicePrincipal])).toEqual([
+    {
+      id: "sp-1",
+      kind: "entra.servicePrincipal",
+      displayName: "Payroll API",
+      sourceProvider: "entra",
+      technicalId: "app-1",
+      refs: [
+        { type: "entra.application", id: "app-1", label: "Payroll" },
+        { type: "entra.tenant", id: "tenant-1" }
+      ]
+    }
+  ]);
+});
+test("creates a Zero Trust Assessment audit finding ownership target placeholder", () => {
+  expect(
+    buildZeroTrustAssessmentAuditFindingTarget({
+      id: "finding-1",
+      displayName: "Missing accountable owner",
+      riskLevel: "high"
+    })
+  ).toEqual({
+    id: "finding-1",
+    kind: "zta.auditFinding",
+    displayName: "Missing accountable owner",
+    sourceProvider: "zeroTrustAssessment",
+    riskLevel: "high"
+  });
+});