Improve access review effective entitlement expansion gates by MAUROCERON · Pull Request #1408 · UnitOneAI/SecuritySkills

MAUROCERON · 2026-06-06T11:14:58Z

Implements #1404.

Summary

Adds an effective entitlement expansion gate before access certification decisions.
Requires direct entitlement, transitive path, dynamic/birthright source, effective permission, source of authority, certifier visibility, and Not Evaluable handling.
Adds edge-case fixtures for nested groups, dynamic group rules, inherited cloud IAM bindings, application-local roles, and complete expanded evidence.

Markdown fence balance check for touched files.
Marker checks for AR-EFF rules, transitive path, dynamic/birthright source, effective permission, certifier visibility, Not Evaluable, and the effective entitlement expansion matrix.
Reference URL checks for Microsoft Graph transitive memberOf, Google Cloud Policy Analyzer, and AWS IAM Access Analyzer unused access.
Private payment details were not included in files or public issue/PR text.

Payment details can be provided privately after maintainer acceptance.

Add access review effective entitlement gates

00e0b41

MAUROCERON mentioned this pull request Jun 6, 2026

[REVIEW] access-review: add effective entitlement expansion evidence gates #1404

Open

4 tasks