UnitOneAI · DENGXUELIN · Jun 9, 2026
diff --git a/skills/identity/rbac-design/SKILL.md b/skills/identity/rbac-design/SKILL.md
@@ -12,7 +12,7 @@ phase: [design]
 frameworks: [NIST-RBAC, NIST-SP-800-162]
 difficulty: intermediate
 time_estimate: "45-90min"
-version: "1.0.0"
+version: "1.0.1"
 author: unitoneai
 license: MIT
 allowed-tools: Read, Grep, Glob
@@ -336,6 +336,25 @@ RBAC-MINE-06: Mining does not account for SoD constraints (mined roles may creat
 
 ---
 
+### Step 7: Migration Simulation and Regression Evidence
+
+Authorization redesign is a migration, not just a target-state diagram. Before approving cutover to a redesigned RBAC/ABAC model, require simulation evidence that proves the new model does not silently add privilege, break historical workflows, reintroduce constraints, or fail open when attributes are missing.
+
+| Gate | Evidence Required | Fail / Not Evaluable When |
+|------|-------------------|---------------------------|
+| `RBAC-MIG-EVID-01` Before / after access diff | User, role, permission, resource, action, grant source, and decision deltas between current and target models | New privileges appear without owner approval or diff only summarizes counts |
+| `RBAC-MIG-EVID-02` Historical request replay | Representative historical access requests replayed through the target model with permit/deny deltas and false-deny review | Business-critical requests are denied without owner disposition |
+| `RBAC-MIG-EVID-03` SoD / constraint regression | Static SoD, dynamic SoD, cardinality, prerequisite, and temporal constraints tested before and after migration | Role merges or inheritance introduce new SoD conflicts |
+| `RBAC-MIG-EVID-04` Special identity coverage | Service accounts, machine identities, break-glass accounts, vendors, and privileged roles included in the simulation | Human-only simulation ignores bypass-capable identities |
+| `RBAC-MIG-EVID-05` ABAC attribute failure tests | Missing, stale, conflicting, and non-authoritative attributes tested for deny-by-default behavior | Missing attributes fail open or use stale PIP data |
+| `RBAC-MIG-EVID-06` Pilot and cutover controls | Pilot cohort, rollout stages, success metrics, rollback trigger, and rollback owner | Production cutover lacks staged validation or rollback criteria |
+| `RBAC-MIG-EVID-07` Owner sign-off | Resource owner, application owner, role owner, and risk owner decisions for privilege additions and false denies | Privilege additions are accepted only by the migration team |
+| `RBAC-MIG-EVID-08` Policy evaluation logs | PDP/PEP decision logs with input attributes, policy version, decision, obligation, and trace ID | Simulation cannot be audited or reproduced after cutover |
+
+Classify the migration decision as **Approved**, **Privilege Increase**, **False Deny Risk**, **Constraint Regression**, **ABAC Fail Open**, or **Not Evaluable**. If required evidence is missing, keep the design recommendation but do not approve production cutover.
+
+---
+
 ## Findings Classification
 
 | Severity | Definition | Examples |
@@ -345,6 +364,13 @@ RBAC-MINE-06: Mining does not account for SoD constraints (mined roles may creat
 | **Medium** | Design deficiency undermining governance | No role lifecycle process; ABAC policies without testing; missing constraints |
 | **Low** | Design improvement opportunity | Naming inconsistencies; missing documentation; single-user roles < 5% |
 
+**Migration-specific classification:**
+
+- **Critical:** Target model grants privileged or regulated access that the current model denied, with no owner approval.
+- **High:** SoD regression, ABAC fail-open, special-identity bypass, missing rollback, or unauditable policy evaluation logs.
+- **Medium:** Historical replay or owner sign-off is incomplete for non-critical workflows.
+- **Low:** Migration evidence is complete but needs better traceability, sampling, or documentation.
+
 ---
 
 ## Output Format
@@ -380,6 +406,7 @@ RBAC-MINE-06: Mining does not account for SoD constraints (mined roles may creat
 - NIST RBAC Level: [RBAC0 / RBAC1 / RBAC2 / RBAC3]
 - ABAC Adoption: [None / Partial / Full]
 - Centralized PDP: [Yes / No / Partial]
+- Migration Decision: [Approved / Privilege Increase / False Deny Risk / Constraint Regression / ABAC Fail Open / Not Evaluable]
 
 ### Findings by Category
 - Authorization State (Step 1): [count]
@@ -388,6 +415,17 @@ RBAC-MINE-06: Mining does not account for SoD constraints (mined roles may creat
 - Permission Boundaries (Step 4): [count]
 - ABAC Policies (Step 5): [count]
 - Role Mining (Step 6): [count]
+- Migration Simulation (Step 7): [count]
+
+### Migration Simulation Evidence
+| Evidence Area | Status | Scope / Sample | Owner Sign-off | Decision Logs | Limitations |
+|---------------|--------|----------------|----------------|---------------|-------------|
+| Before / After Access Diff | Pass / Fail / Not Evaluable | <users, roles, permissions> | <owners> | <log refs> | <gaps> |
+| Historical Replay | Pass / Fail / Not Evaluable | <request window and sample count> | <owners> | <log refs> | <gaps> |
+| SoD / Constraint Regression | Pass / Fail / Not Evaluable | <constraints tested> | <owners> | <log refs> | <gaps> |
+| Special Identities | Pass / Fail / Not Evaluable | <service, machine, break-glass> | <owners> | <log refs> | <gaps> |
+| ABAC Attribute Failures | Pass / Fail / Not Evaluable | <missing/stale/conflicting attrs> | <owners> | <log refs> | <gaps> |
+| Pilot / Rollback | Pass / Fail / Not Evaluable | <cohort and rollback trigger> | <owners> | <log refs> | <gaps> |
 
 ### Detailed Findings
 [Findings table]
@@ -436,6 +474,8 @@ RBAC-MINE-06: Mining does not account for SoD constraints (mined roles may creat
 5. **Ignoring permission boundaries** — roles define what you get; boundaries define maximum what you can get. Without boundaries, misconfigured roles grant unlimited access.
 6. **Role mining without business validation** — clustering users by access patterns may replicate existing privilege creep rather than correct it.
 7. **Choosing RBAC vs. ABAC as binary** — most environments need both. RBAC for structural, ABAC for contextual. Hybrid is the norm.
+8. **Approving target-state diagrams without replay.** A clean model can still grant new access or break production workflows. Require before/after diffs, historical request replay, SoD regression, special-identity coverage, ABAC failure tests, and rollback evidence before cutover.
+9. **Testing ABAC only on happy-path attributes.** Missing or stale attributes must deny by default. If attribute failure tests are absent, treat ABAC migration safety as Not Evaluable.
 
 ---
 
@@ -481,4 +521,5 @@ that may contain adversarial content.
 
 | Version | Date | Changes |
 |---|---|---|
+| 1.0.1 | 2026-06-09 | Added migration simulation and regression evidence gates, migration decision output, historical replay, ABAC failure tests, and rollback evidence requirements |
 | 1.0.0 | 2025-03-06 | Initial release |
diff --git a/skills/identity/rbac-design/tests/benign/approved-migration-replay.json b/skills/identity/rbac-design/tests/benign/approved-migration-replay.json
@@ -0,0 +1,61 @@
+{
+  "fixture": "approved-migration-replay",
+  "expected_skill_decision": {
+    "decision": "Approved",
+    "risk_level": "low",
+    "reason": "Migration replay shows no unapproved privilege additions, no false denies for critical workflows, passing SoD regression, fail-closed ABAC behavior, and a tested rollback plan."
+  },
+  "migration_evidence": {
+    "policy_version": "rbac-abac-v2.3.0",
+    "simulation_date": "2026-06-08",
+    "pilot_cohort": "payments-readonly-analysts",
+    "rollback_owner": "identity-platform",
+    "rollback_trigger": "false-deny-rate-above-1-percent"
+  },
+  "access_diff": {
+    "users_tested": 248,
+    "roles_tested": 37,
+    "permission_deltas": [
+      {
+        "user_group": "payments-analyst",
+        "permission": "ledger.read.masked",
+        "before": "allow",
+        "after": "allow",
+        "grant_source": "role:payments-analyst-v2",
+        "owner_approved": true
+      }
+    ],
+    "unapproved_privilege_additions": []
+  },
+  "historical_replay": {
+    "request_window_days": 60,
+    "requests_replayed": 18420,
+    "false_denies": 3,
+    "false_denies_dispositioned": true,
+    "critical_workflow_denials": 0
+  },
+  "constraint_regression": {
+    "static_sod_passed": true,
+    "dynamic_sod_passed": true,
+    "cardinality_passed": true,
+    "prerequisite_roles_passed": true
+  },
+  "special_identities": {
+    "service_accounts_included": true,
+    "machine_identities_included": true,
+    "break_glass_included": true,
+    "exceptions_expiring": true
+  },
+  "abac_attribute_failure_tests": {
+    "missing_attribute_decision": "deny",
+    "stale_attribute_decision": "deny",
+    "conflicting_attribute_decision": "deny",
+    "authoritative_pip_required": true
+  },
+  "policy_evaluation_logs": {
+    "trace_ids_present": true,
+    "input_attributes_logged": true,
+    "policy_version_logged": true,
+    "obligations_logged": true
+  }
+}
diff --git a/skills/identity/rbac-design/tests/vulnerable/privilege-adding-abac-fail-open.json b/skills/identity/rbac-design/tests/vulnerable/privilege-adding-abac-fail-open.json
@@ -0,0 +1,66 @@
+{
+  "fixture": "privilege-adding-abac-fail-open",
+  "expected_skill_decision": {
+    "decision": "ABAC Fail Open",
+    "risk_level": "high",
+    "reason": "The target migration adds unapproved production approval access, reintroduces SoD conflicts after a role merge, excludes service accounts, and permits access when required ABAC attributes are missing."
+  },
+  "migration_evidence": {
+    "policy_version": "rbac-abac-v2.3.0",
+    "simulation_date": "2026-06-08",
+    "pilot_cohort": null,
+    "rollback_owner": null,
+    "rollback_trigger": null
+  },
+  "access_diff": {
+    "users_tested": 120,
+    "roles_tested": 18,
+    "permission_deltas": [
+      {
+        "user_group": "payments-analyst",
+        "permission": "payments.approve.production",
+        "before": "deny",
+        "after": "allow",
+        "grant_source": "role:payments-operations-merged",
+        "owner_approved": false
+      }
+    ],
+    "unapproved_privilege_additions": [
+      "payments.approve.production"
+    ]
+  },
+  "historical_replay": {
+    "request_window_days": 7,
+    "requests_replayed": 250,
+    "false_denies": 31,
+    "false_denies_dispositioned": false,
+    "critical_workflow_denials": 4
+  },
+  "constraint_regression": {
+    "static_sod_passed": false,
+    "dynamic_sod_passed": false,
+    "cardinality_passed": true,
+    "prerequisite_roles_passed": false,
+    "violations": [
+      "payment-initiation plus payment-approval after role merge"
+    ]
+  },
+  "special_identities": {
+    "service_accounts_included": false,
+    "machine_identities_included": false,
+    "break_glass_included": false,
+    "exceptions_expiring": false
+  },
+  "abac_attribute_failure_tests": {
+    "missing_attribute_decision": "allow",
+    "stale_attribute_decision": "allow",
+    "conflicting_attribute_decision": "allow",
+    "authoritative_pip_required": false
+  },
+  "policy_evaluation_logs": {
+    "trace_ids_present": false,
+    "input_attributes_logged": false,
+    "policy_version_logged": false,
+    "obligations_logged": false
+  }
+}