npm - tlc-claude-code - Versions diffs - 1.2.29 → 1.4.0 - Mend

tlc-claude-code 1.2.29 → 1.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (182) hide show

package/dashboard/dist/components/AuditPane.d.ts +30 -0
package/dashboard/dist/components/AuditPane.js +127 -0
package/dashboard/dist/components/AuditPane.test.d.ts +1 -0
package/dashboard/dist/components/AuditPane.test.js +339 -0
package/dashboard/dist/components/CompliancePane.d.ts +39 -0
package/dashboard/dist/components/CompliancePane.js +96 -0
package/dashboard/dist/components/CompliancePane.test.d.ts +1 -0
package/dashboard/dist/components/CompliancePane.test.js +183 -0
package/dashboard/dist/components/SSOPane.d.ts +36 -0
package/dashboard/dist/components/SSOPane.js +71 -0
package/dashboard/dist/components/SSOPane.test.d.ts +1 -0
package/dashboard/dist/components/SSOPane.test.js +155 -0
package/dashboard/dist/components/UsagePane.d.ts +13 -0
package/dashboard/dist/components/UsagePane.js +51 -0
package/dashboard/dist/components/UsagePane.test.d.ts +1 -0
package/dashboard/dist/components/UsagePane.test.js +142 -0
package/dashboard/dist/components/WorkspaceDocsPane.d.ts +19 -0
package/dashboard/dist/components/WorkspaceDocsPane.js +130 -0
package/dashboard/dist/components/WorkspaceDocsPane.test.d.ts +1 -0
package/dashboard/dist/components/WorkspaceDocsPane.test.js +242 -0
package/dashboard/dist/components/WorkspacePane.d.ts +18 -0
package/dashboard/dist/components/WorkspacePane.js +17 -0
package/dashboard/dist/components/WorkspacePane.test.d.ts +1 -0
package/dashboard/dist/components/WorkspacePane.test.js +84 -0
package/dashboard/dist/components/ZeroRetentionPane.d.ts +44 -0
package/dashboard/dist/components/ZeroRetentionPane.js +83 -0
package/dashboard/dist/components/ZeroRetentionPane.test.d.ts +1 -0
package/dashboard/dist/components/ZeroRetentionPane.test.js +160 -0
package/package.json +1 -1
package/server/lib/access-control-doc.js +541 -0
package/server/lib/access-control-doc.test.js +672 -0
package/server/lib/adr-generator.js +423 -0
package/server/lib/adr-generator.test.js +586 -0
package/server/lib/agent-progress-monitor.js +223 -0
package/server/lib/agent-progress-monitor.test.js +202 -0
package/server/lib/architecture-command.js +450 -0
package/server/lib/architecture-command.test.js +754 -0
package/server/lib/ast-analyzer.js +324 -0
package/server/lib/ast-analyzer.test.js +437 -0
package/server/lib/audit-attribution.js +191 -0
package/server/lib/audit-attribution.test.js +359 -0
package/server/lib/audit-classifier.js +202 -0
package/server/lib/audit-classifier.test.js +209 -0
package/server/lib/audit-command.js +275 -0
package/server/lib/audit-command.test.js +325 -0
package/server/lib/audit-exporter.js +380 -0
package/server/lib/audit-exporter.test.js +464 -0
package/server/lib/audit-logger.js +236 -0
package/server/lib/audit-logger.test.js +364 -0
package/server/lib/audit-query.js +257 -0
package/server/lib/audit-query.test.js +352 -0
package/server/lib/audit-storage.js +269 -0
package/server/lib/audit-storage.test.js +272 -0
package/server/lib/auth-system.test.js +4 -1
package/server/lib/boundary-detector.js +427 -0
package/server/lib/boundary-detector.test.js +320 -0
package/server/lib/budget-alerts.js +138 -0
package/server/lib/budget-alerts.test.js +235 -0
package/server/lib/bulk-repo-init.js +342 -0
package/server/lib/bulk-repo-init.test.js +388 -0
package/server/lib/candidates-tracker.js +210 -0
package/server/lib/candidates-tracker.test.js +300 -0
package/server/lib/checkpoint-manager.js +251 -0
package/server/lib/checkpoint-manager.test.js +474 -0
package/server/lib/circular-detector.js +337 -0
package/server/lib/circular-detector.test.js +353 -0
package/server/lib/cohesion-analyzer.js +310 -0
package/server/lib/cohesion-analyzer.test.js +447 -0
package/server/lib/compliance-checklist.js +866 -0
package/server/lib/compliance-checklist.test.js +476 -0
package/server/lib/compliance-command.js +616 -0
package/server/lib/compliance-command.test.js +551 -0
package/server/lib/compliance-reporter.js +692 -0
package/server/lib/compliance-reporter.test.js +707 -0
package/server/lib/contract-testing.js +625 -0
package/server/lib/contract-testing.test.js +342 -0
package/server/lib/conversion-planner.js +469 -0
package/server/lib/conversion-planner.test.js +361 -0
package/server/lib/convert-command.js +351 -0
package/server/lib/convert-command.test.js +608 -0
package/server/lib/coupling-calculator.js +189 -0
package/server/lib/coupling-calculator.test.js +509 -0
package/server/lib/data-flow-doc.js +665 -0
package/server/lib/data-flow-doc.test.js +659 -0
package/server/lib/dependency-graph.js +367 -0
package/server/lib/dependency-graph.test.js +516 -0
package/server/lib/duplication-detector.js +349 -0
package/server/lib/duplication-detector.test.js +401 -0
package/server/lib/ephemeral-storage.js +249 -0
package/server/lib/ephemeral-storage.test.js +254 -0
package/server/lib/evidence-collector.js +627 -0
package/server/lib/evidence-collector.test.js +901 -0
package/server/lib/example-service.js +616 -0
package/server/lib/example-service.test.js +397 -0
package/server/lib/flow-diagram-generator.js +474 -0
package/server/lib/flow-diagram-generator.test.js +446 -0
package/server/lib/idp-manager.js +626 -0
package/server/lib/idp-manager.test.js +587 -0
package/server/lib/impact-scorer.js +184 -0
package/server/lib/impact-scorer.test.js +211 -0
package/server/lib/memory-exclusion.js +326 -0
package/server/lib/memory-exclusion.test.js +241 -0
package/server/lib/mermaid-generator.js +358 -0
package/server/lib/mermaid-generator.test.js +301 -0
package/server/lib/messaging-patterns.js +750 -0
package/server/lib/messaging-patterns.test.js +213 -0
package/server/lib/mfa-handler.js +452 -0
package/server/lib/mfa-handler.test.js +490 -0
package/server/lib/microservice-template.js +386 -0
package/server/lib/microservice-template.test.js +325 -0
package/server/lib/new-project-microservice.js +450 -0
package/server/lib/new-project-microservice.test.js +600 -0
package/server/lib/oauth-flow.js +375 -0
package/server/lib/oauth-flow.test.js +487 -0
package/server/lib/oauth-registry.js +190 -0
package/server/lib/oauth-registry.test.js +306 -0
package/server/lib/readme-generator.js +490 -0
package/server/lib/readme-generator.test.js +493 -0
package/server/lib/refactor-command.js +326 -0
package/server/lib/refactor-command.test.js +528 -0
package/server/lib/refactor-executor.js +254 -0
package/server/lib/refactor-executor.test.js +305 -0
package/server/lib/refactor-observer.js +292 -0
package/server/lib/refactor-observer.test.js +422 -0
package/server/lib/refactor-progress.js +193 -0
package/server/lib/refactor-progress.test.js +251 -0
package/server/lib/refactor-reporter.js +237 -0
package/server/lib/refactor-reporter.test.js +247 -0
package/server/lib/repo-dependency-tracker.js +261 -0
package/server/lib/repo-dependency-tracker.test.js +350 -0
package/server/lib/retention-policy.js +281 -0
package/server/lib/retention-policy.test.js +486 -0
package/server/lib/role-mapper.js +236 -0
package/server/lib/role-mapper.test.js +395 -0
package/server/lib/saml-provider.js +765 -0
package/server/lib/saml-provider.test.js +643 -0
package/server/lib/security-policy-generator.js +682 -0
package/server/lib/security-policy-generator.test.js +544 -0
package/server/lib/semantic-analyzer.js +198 -0
package/server/lib/semantic-analyzer.test.js +474 -0
package/server/lib/sensitive-detector.js +112 -0
package/server/lib/sensitive-detector.test.js +209 -0
package/server/lib/service-interaction-diagram.js +700 -0
package/server/lib/service-interaction-diagram.test.js +638 -0
package/server/lib/service-scaffold.js +486 -0
package/server/lib/service-scaffold.test.js +373 -0
package/server/lib/service-summary.js +553 -0
package/server/lib/service-summary.test.js +619 -0
package/server/lib/session-purge.js +460 -0
package/server/lib/session-purge.test.js +312 -0
package/server/lib/shared-kernel.js +578 -0
package/server/lib/shared-kernel.test.js +255 -0
package/server/lib/sso-command.js +544 -0
package/server/lib/sso-command.test.js +552 -0
package/server/lib/sso-session.js +492 -0
package/server/lib/sso-session.test.js +670 -0
package/server/lib/traefik-config.js +282 -0
package/server/lib/traefik-config.test.js +312 -0
package/server/lib/usage-command.js +218 -0
package/server/lib/usage-command.test.js +391 -0
package/server/lib/usage-formatter.js +192 -0
package/server/lib/usage-formatter.test.js +267 -0
package/server/lib/usage-history.js +122 -0
package/server/lib/usage-history.test.js +206 -0
package/server/lib/workspace-command.js +249 -0
package/server/lib/workspace-command.test.js +264 -0
package/server/lib/workspace-config.js +270 -0
package/server/lib/workspace-config.test.js +312 -0
package/server/lib/workspace-docs-command.js +547 -0
package/server/lib/workspace-docs-command.test.js +692 -0
package/server/lib/workspace-memory.js +451 -0
package/server/lib/workspace-memory.test.js +403 -0
package/server/lib/workspace-scanner.js +452 -0
package/server/lib/workspace-scanner.test.js +677 -0
package/server/lib/workspace-test-runner.js +315 -0
package/server/lib/workspace-test-runner.test.js +294 -0
package/server/lib/zero-retention-command.js +439 -0
package/server/lib/zero-retention-command.test.js +448 -0
package/server/lib/zero-retention.js +322 -0
package/server/lib/zero-retention.test.js +258 -0
package/server/package-lock.json +14 -0
package/server/package.json +1 -0

package/server/lib/access-control-doc.test.js ADDED Viewed

@@ -0,0 +1,672 @@
+/**
+ * Access Control Documenter Tests
+ * TDD: RED phase - Write failing tests first
+ */
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import {
+  createAccessControlDoc,
+  listUsers,
+  listRoles,
+  getRolePermissions,
+  getSSOMapping,
+  getAccessMatrix,
+  trackPermissionChange,
+  getPermissionHistory,
+  exportAsEvidence,
+  formatAccessReport,
+  detectOrphanedPermissions,
+} from './access-control-doc.js';
+describe('access-control-doc', () => {
+  describe('listUsers', () => {
+    it('returns all users with roles', () => {
+      const users = [
+        { id: '1', email: 'alice@example.com', name: 'Alice', role: 'admin' },
+        { id: '2', email: 'bob@example.com', name: 'Bob', role: 'engineer' },
+        { id: '3', email: 'carol@example.com', name: 'Carol', role: 'qa' },
+      ];
+      const result = listUsers(users);
+      expect(result).toHaveLength(3);
+      expect(result[0]).toEqual({
+        id: '1',
+        email: 'alice@example.com',
+        name: 'Alice',
+        role: 'admin',
+      });
+      expect(result[1]).toEqual({
+        id: '2',
+        email: 'bob@example.com',
+        name: 'Bob',
+        role: 'engineer',
+      });
+    });
+    it('returns empty array for empty users', () => {
+      expect(listUsers([])).toEqual([]);
+      expect(listUsers(null)).toEqual([]);
+      expect(listUsers(undefined)).toEqual([]);
+    });
+    it('filters out sensitive fields', () => {
+      const users = [
+        {
+          id: '1',
+          email: 'alice@example.com',
+          name: 'Alice',
+          role: 'admin',
+          passwordHash: 'secret',
+          passwordSalt: 'salt',
+        },
+      ];
+      const result = listUsers(users);
+      expect(result[0]).not.toHaveProperty('passwordHash');
+      expect(result[0]).not.toHaveProperty('passwordSalt');
+    });
+    it('sorts users by role then name', () => {
+      const users = [
+        { id: '2', email: 'bob@example.com', name: 'Bob', role: 'engineer' },
+        { id: '1', email: 'alice@example.com', name: 'Alice', role: 'admin' },
+        { id: '3', email: 'carol@example.com', name: 'Carol', role: 'engineer' },
+      ];
+      const result = listUsers(users);
+      expect(result[0].role).toBe('admin');
+      expect(result[1].name).toBe('Bob');
+      expect(result[2].name).toBe('Carol');
+    });
+  });
+  describe('listRoles', () => {
+    it('returns all roles with permissions', () => {
+      const result = listRoles();
+      expect(result).toHaveProperty('admin');
+      expect(result).toHaveProperty('engineer');
+      expect(result).toHaveProperty('qa');
+      expect(result).toHaveProperty('po');
+    });
+    it('admin has wildcard permission', () => {
+      const result = listRoles();
+      expect(result.admin.permissions).toContain('*');
+    });
+    it('engineer has expected permissions', () => {
+      const result = listRoles();
+      expect(result.engineer.permissions).toContain('read');
+      expect(result.engineer.permissions).toContain('write');
+      expect(result.engineer.permissions).toContain('deploy');
+      expect(result.engineer.permissions).toContain('claim');
+      expect(result.engineer.permissions).toContain('release');
+    });
+    it('qa has expected permissions', () => {
+      const result = listRoles();
+      expect(result.qa.permissions).toContain('read');
+      expect(result.qa.permissions).toContain('verify');
+      expect(result.qa.permissions).toContain('bug');
+      expect(result.qa.permissions).toContain('test');
+    });
+    it('po has expected permissions', () => {
+      const result = listRoles();
+      expect(result.po.permissions).toContain('read');
+      expect(result.po.permissions).toContain('plan');
+      expect(result.po.permissions).toContain('verify');
+      expect(result.po.permissions).toContain('approve');
+    });
+    it('includes role descriptions', () => {
+      const result = listRoles();
+      expect(result.admin).toHaveProperty('description');
+      expect(result.engineer).toHaveProperty('description');
+    });
+  });
+  describe('getRolePermissions', () => {
+    it('returns permissions for role', () => {
+      const result = getRolePermissions('engineer');
+      expect(result).toEqual(['read', 'write', 'deploy', 'claim', 'release']);
+    });
+    it('returns wildcard for admin', () => {
+      const result = getRolePermissions('admin');
+      expect(result).toEqual(['*']);
+    });
+    it('returns empty array for unknown role', () => {
+      const result = getRolePermissions('unknown');
+      expect(result).toEqual([]);
+    });
+    it('handles null/undefined role', () => {
+      expect(getRolePermissions(null)).toEqual([]);
+      expect(getRolePermissions(undefined)).toEqual([]);
+    });
+    it('expands admin wildcard when requested', () => {
+      const result = getRolePermissions('admin', { expand: true });
+      expect(result).toContain('read');
+      expect(result).toContain('write');
+      expect(result).toContain('deploy');
+      expect(result).toContain('verify');
+      expect(result).toContain('plan');
+      expect(result).toContain('approve');
+    });
+  });
+  describe('getSSOMapping', () => {
+    it('returns IdP group mappings', () => {
+      const config = {
+        sso: {
+          roleMappings: [
+            { pattern: '^admin$', role: 'admin', priority: 1 },
+            { pattern: '^dev-.*', role: 'engineer', priority: 2 },
+          ],
+          defaultRole: 'engineer',
+        },
+      };
+      const result = getSSOMapping(config);
+      expect(result.mappings).toHaveLength(2);
+      expect(result.defaultRole).toBe('engineer');
+    });
+    it('returns empty mappings when no SSO config', () => {
+      const result = getSSOMapping({});
+      expect(result.mappings).toEqual([]);
+      expect(result.defaultRole).toBeNull();
+    });
+    it('includes mapping details', () => {
+      const config = {
+        sso: {
+          roleMappings: [
+            {
+              pattern: '^admin$',
+              role: 'admin',
+              priority: 1,
+              description: 'Admin group',
+            },
+          ],
+        },
+      };
+      const result = getSSOMapping(config);
+      expect(result.mappings[0]).toHaveProperty('pattern');
+      expect(result.mappings[0]).toHaveProperty('role');
+      expect(result.mappings[0]).toHaveProperty('priority');
+    });
+    it('sorts mappings by priority', () => {
+      const config = {
+        sso: {
+          roleMappings: [
+            { pattern: '^qa$', role: 'qa', priority: 3 },
+            { pattern: '^admin$', role: 'admin', priority: 1 },
+            { pattern: '^dev$', role: 'engineer', priority: 2 },
+          ],
+        },
+      };
+      const result = getSSOMapping(config);
+      expect(result.mappings[0].role).toBe('admin');
+      expect(result.mappings[1].role).toBe('engineer');
+      expect(result.mappings[2].role).toBe('qa');
+    });
+  });
+  describe('getAccessMatrix', () => {
+    it('generates user/permission matrix', () => {
+      const users = [
+        { id: '1', email: 'alice@example.com', name: 'Alice', role: 'admin' },
+        { id: '2', email: 'bob@example.com', name: 'Bob', role: 'engineer' },
+      ];
+      const result = getAccessMatrix(users);
+      expect(result.users).toContain('alice@example.com');
+      expect(result.users).toContain('bob@example.com');
+      expect(result.permissions).toContain('read');
+      expect(result.permissions).toContain('write');
+      expect(result.matrix['alice@example.com'].read).toBe(true);
+      expect(result.matrix['alice@example.com'].write).toBe(true);
+      expect(result.matrix['bob@example.com'].read).toBe(true);
+      expect(result.matrix['bob@example.com'].write).toBe(true);
+    });
+    it('admin has all permissions', () => {
+      const users = [
+        { id: '1', email: 'admin@example.com', name: 'Admin', role: 'admin' },
+      ];
+      const result = getAccessMatrix(users);
+      // Admin should have all permissions due to wildcard
+      expect(result.matrix['admin@example.com'].read).toBe(true);
+      expect(result.matrix['admin@example.com'].write).toBe(true);
+      expect(result.matrix['admin@example.com'].deploy).toBe(true);
+      expect(result.matrix['admin@example.com'].verify).toBe(true);
+    });
+    it('qa has limited permissions', () => {
+      const users = [
+        { id: '1', email: 'qa@example.com', name: 'QA', role: 'qa' },
+      ];
+      const result = getAccessMatrix(users);
+      expect(result.matrix['qa@example.com'].read).toBe(true);
+      expect(result.matrix['qa@example.com'].verify).toBe(true);
+      expect(result.matrix['qa@example.com'].write).toBe(false);
+      expect(result.matrix['qa@example.com'].deploy).toBe(false);
+    });
+    it('returns empty matrix for no users', () => {
+      const result = getAccessMatrix([]);
+      expect(result.users).toEqual([]);
+      expect(result.permissions).toBeDefined();
+      expect(result.matrix).toEqual({});
+    });
+  });
+  describe('trackPermissionChange', () => {
+    it('logs permission changes', () => {
+      const store = createPermissionStore();
+      const change = trackPermissionChange(store, {
+        userId: '1',
+        oldRole: 'engineer',
+        newRole: 'admin',
+        changedBy: 'system',
+        reason: 'Promotion',
+      });
+      expect(change).toHaveProperty('id');
+      expect(change).toHaveProperty('timestamp');
+      expect(change.userId).toBe('1');
+      expect(change.oldRole).toBe('engineer');
+      expect(change.newRole).toBe('admin');
+    });
+    it('records timestamp automatically', () => {
+      const store = createPermissionStore();
+      const before = new Date().toISOString();
+      const change = trackPermissionChange(store, {
+        userId: '1',
+        oldRole: 'engineer',
+        newRole: 'qa',
+        changedBy: 'admin@example.com',
+      });
+      const after = new Date().toISOString();
+      expect(change.timestamp >= before).toBe(true);
+      expect(change.timestamp <= after).toBe(true);
+    });
+    it('stores change in history', () => {
+      const store = createPermissionStore();
+      trackPermissionChange(store, {
+        userId: '1',
+        oldRole: 'engineer',
+        newRole: 'admin',
+        changedBy: 'system',
+      });
+      expect(store.getHistory()).toHaveLength(1);
+    });
+  });
+  describe('getPermissionHistory', () => {
+    it('returns change history', () => {
+      const store = createPermissionStore();
+      trackPermissionChange(store, {
+        userId: '1',
+        oldRole: 'engineer',
+        newRole: 'admin',
+        changedBy: 'system',
+      });
+      trackPermissionChange(store, {
+        userId: '2',
+        oldRole: 'qa',
+        newRole: 'engineer',
+        changedBy: 'admin@example.com',
+      });
+      const history = getPermissionHistory(store);
+      expect(history).toHaveLength(2);
+    });
+    it('filters by user', () => {
+      const store = createPermissionStore();
+      trackPermissionChange(store, {
+        userId: '1',
+        oldRole: 'engineer',
+        newRole: 'admin',
+        changedBy: 'system',
+      });
+      trackPermissionChange(store, {
+        userId: '2',
+        oldRole: 'qa',
+        newRole: 'engineer',
+        changedBy: 'admin@example.com',
+      });
+      const history = getPermissionHistory(store, { userId: '1' });
+      expect(history).toHaveLength(1);
+      expect(history[0].userId).toBe('1');
+    });
+    it('filters by date range', () => {
+      const store = createPermissionStore();
+      const now = new Date();
+      const yesterday = new Date(now.getTime() - 24 * 60 * 60 * 1000);
+      const tomorrow = new Date(now.getTime() + 24 * 60 * 60 * 1000);
+      trackPermissionChange(store, {
+        userId: '1',
+        oldRole: 'engineer',
+        newRole: 'admin',
+        changedBy: 'system',
+      });
+      const history = getPermissionHistory(store, {
+        from: yesterday.toISOString(),
+        to: tomorrow.toISOString(),
+      });
+      expect(history).toHaveLength(1);
+    });
+    it('returns empty array for empty store', () => {
+      const store = createPermissionStore();
+      const history = getPermissionHistory(store);
+      expect(history).toEqual([]);
+    });
+    it('returns history in reverse chronological order', () => {
+      const store = createPermissionStore();
+      trackPermissionChange(store, {
+        userId: '1',
+        oldRole: 'engineer',
+        newRole: 'qa',
+        changedBy: 'system',
+      });
+      // Small delay to ensure different timestamps
+      trackPermissionChange(store, {
+        userId: '2',
+        oldRole: 'qa',
+        newRole: 'admin',
+        changedBy: 'system',
+      });
+      const history = getPermissionHistory(store);
+      expect(history[0].userId).toBe('2'); // Most recent first
+    });
+  });
+  describe('exportAsEvidence', () => {
+    it('generates compliance format', () => {
+      const users = [
+        { id: '1', email: 'alice@example.com', name: 'Alice', role: 'admin' },
+        { id: '2', email: 'bob@example.com', name: 'Bob', role: 'engineer' },
+      ];
+      const config = {
+        sso: {
+          roleMappings: [{ pattern: '^admin$', role: 'admin', priority: 1 }],
+        },
+      };
+      const evidence = exportAsEvidence(users, config, {});
+      expect(evidence).toHaveProperty('exportDate');
+      expect(evidence).toHaveProperty('users');
+      expect(evidence).toHaveProperty('roles');
+      expect(evidence).toHaveProperty('ssoMappings');
+      expect(evidence).toHaveProperty('accessMatrix');
+    });
+    it('includes metadata', () => {
+      const evidence = exportAsEvidence([], {}, {});
+      expect(evidence).toHaveProperty('version');
+      expect(evidence).toHaveProperty('exportDate');
+      expect(evidence).toHaveProperty('exportedBy');
+    });
+    it('supports JSON format', () => {
+      const evidence = exportAsEvidence([], {}, { format: 'json' });
+      expect(typeof evidence).toBe('object');
+    });
+    it('supports CSV format', () => {
+      const users = [
+        { id: '1', email: 'alice@example.com', name: 'Alice', role: 'admin' },
+      ];
+      const evidence = exportAsEvidence(users, {}, { format: 'csv' });
+      expect(typeof evidence).toBe('string');
+      expect(evidence).toContain('email');
+      expect(evidence).toContain('alice@example.com');
+    });
+    it('includes permission history when available', () => {
+      const store = createPermissionStore();
+      trackPermissionChange(store, {
+        userId: '1',
+        oldRole: 'engineer',
+        newRole: 'admin',
+        changedBy: 'system',
+      });
+      const evidence = exportAsEvidence([], {}, { permissionStore: store });
+      expect(evidence).toHaveProperty('permissionHistory');
+      expect(evidence.permissionHistory).toHaveLength(1);
+    });
+  });
+  describe('formatAccessReport', () => {
+    it('generates readable report', () => {
+      const users = [
+        { id: '1', email: 'alice@example.com', name: 'Alice', role: 'admin' },
+        { id: '2', email: 'bob@example.com', name: 'Bob', role: 'engineer' },
+      ];
+      const report = formatAccessReport(users);
+      expect(report).toContain('Access Control Report');
+      expect(report).toContain('alice@example.com');
+      expect(report).toContain('admin');
+    });
+    it('includes role summary', () => {
+      const users = [
+        { id: '1', email: 'alice@example.com', name: 'Alice', role: 'admin' },
+        { id: '2', email: 'bob@example.com', name: 'Bob', role: 'engineer' },
+        { id: '3', email: 'carol@example.com', name: 'Carol', role: 'engineer' },
+      ];
+      const report = formatAccessReport(users);
+      expect(report).toContain('Role Summary');
+      expect(report).toContain('admin: 1');
+      expect(report).toContain('engineer: 2');
+    });
+    it('includes permission matrix section', () => {
+      const users = [
+        { id: '1', email: 'alice@example.com', name: 'Alice', role: 'admin' },
+      ];
+      const report = formatAccessReport(users, { includeMatrix: true });
+      expect(report).toContain('Permission Matrix');
+    });
+    it('includes SSO mappings when config provided', () => {
+      const users = [];
+      const config = {
+        sso: {
+          roleMappings: [{ pattern: '^admin$', role: 'admin', priority: 1 }],
+        },
+      };
+      const report = formatAccessReport(users, { config });
+      expect(report).toContain('SSO Role Mappings');
+    });
+    it('handles empty users', () => {
+      const report = formatAccessReport([]);
+      expect(report).toContain('Access Control Report');
+      expect(report).toContain('No users');
+    });
+  });
+  describe('detectOrphanedPermissions', () => {
+    it('finds unused permissions', () => {
+      const users = [
+        { id: '1', email: 'alice@example.com', name: 'Alice', role: 'qa' },
+      ];
+      const orphaned = detectOrphanedPermissions(users);
+      // QA doesn't have write, deploy, claim, release, plan, approve
+      expect(orphaned).toContain('write');
+      expect(orphaned).toContain('deploy');
+    });
+    it('returns empty when all permissions used', () => {
+      const users = [
+        { id: '1', email: 'admin@example.com', name: 'Admin', role: 'admin' },
+      ];
+      const orphaned = detectOrphanedPermissions(users);
+      // Admin has wildcard, so all permissions are used
+      expect(orphaned).toEqual([]);
+    });
+    it('handles multiple roles', () => {
+      const users = [
+        { id: '1', email: 'eng@example.com', name: 'Engineer', role: 'engineer' },
+        { id: '2', email: 'qa@example.com', name: 'QA', role: 'qa' },
+        { id: '3', email: 'po@example.com', name: 'PO', role: 'po' },
+      ];
+      const orphaned = detectOrphanedPermissions(users);
+      // All roles together should cover most permissions
+      // Only 'approve' might be unique to PO
+      expect(orphaned).not.toContain('read');
+      expect(orphaned).not.toContain('write');
+      expect(orphaned).not.toContain('verify');
+    });
+    it('returns all permissions when no users', () => {
+      const orphaned = detectOrphanedPermissions([]);
+      expect(orphaned.length).toBeGreaterThan(0);
+      expect(orphaned).toContain('read');
+      expect(orphaned).toContain('write');
+    });
+  });
+  describe('createAccessControlDoc', () => {
+    it('creates documenter instance', () => {
+      const doc = createAccessControlDoc();
+      expect(doc).toHaveProperty('listUsers');
+      expect(doc).toHaveProperty('listRoles');
+      expect(doc).toHaveProperty('getRolePermissions');
+      expect(doc).toHaveProperty('getSSOMapping');
+      expect(doc).toHaveProperty('getAccessMatrix');
+      expect(doc).toHaveProperty('trackPermissionChange');
+      expect(doc).toHaveProperty('getPermissionHistory');
+      expect(doc).toHaveProperty('exportAsEvidence');
+      expect(doc).toHaveProperty('formatAccessReport');
+      expect(doc).toHaveProperty('detectOrphanedPermissions');
+    });
+    it('accepts config on creation', () => {
+      const config = {
+        sso: {
+          roleMappings: [{ pattern: '^admin$', role: 'admin', priority: 1 }],
+        },
+      };
+      const doc = createAccessControlDoc({ config });
+      const mapping = doc.getSSOMapping();
+      expect(mapping.mappings).toHaveLength(1);
+    });
+    it('maintains internal permission store', () => {
+      const doc = createAccessControlDoc();
+      doc.trackPermissionChange({
+        userId: '1',
+        oldRole: 'engineer',
+        newRole: 'admin',
+        changedBy: 'system',
+      });
+      const history = doc.getPermissionHistory();
+      expect(history).toHaveLength(1);
+    });
+  });
+});
+// Helper for tests
+function createPermissionStore() {
+  const changes = [];
+  return {
+    add(change) {
+      changes.push(change);
+    },
+    getHistory() {
+      return [...changes];
+    },
+  };
+}