Undocumented account provisioning means departing employees retain access indefinitely and new joiners receive inconsistent permissions — two direct violations of NIST 800-53 rev5 AC-2 (Account Management), which requires formal procedures for account creation, modification, review, and termination. CMMC 2.0 AC.L1-3.1.1 makes this a baseline requirement for any contractor handling federal information. FedRAMP rev5 AC-2 adds an auditable trail requirement. Without documented deprovisioning steps, a disgruntled ex-employee's credentials may remain valid long after their last day, and an auditor will flag the absence of written procedures as a control gap regardless of what the code does.
Low because undocumented provisioning does not directly enable an attack, but its absence means deprovisioning failures go undetected and auditors will cite it as a control deficiency.
Create docs/account-management.md covering all four lifecycle stages. Write steps specifically enough that an on-call engineer with no prior context can execute them without asking questions.
# Account Management
## Provisioning (new user)
1. Admin navigates to Settings > Users > Invite
2. Enters email and selects role (viewer / auditor / admin)
3. System sends time-limited invite link (24 h expiry)
4. User completes registration and sets a password meeting policy
## Role Assignment
- Roles follow least-privilege: default is viewer
- Elevation to auditor or admin requires written approval in the team ticket tracker
- Role changes logged automatically in audit_logs table
## Deprovisioning (user departure)
1. Admin deactivates account in Settings > Users > [User] > Deactivate
2. All active sessions invalidated immediately (Supabase: `auth.admin.deleteUser`)
3. API keys and personal tokens revoked
4. Access confirmed revoked within 1 business day of departure notice
ID: gov-fisma-fedramp.documentation-readiness.account-provisioning-documented
Severity: low
What to look for: Look for documentation files (README, docs/, SECURITY.md, etc.) that describe how user accounts are created, assigned roles, and deprovisioned. Count the number of lifecycle stages documented (creation, role assignment, suspension, deletion, access revocation). Check for runbooks, wiki pages, or inline comments describing account management procedures.
Pass criteria: Documentation clearly describes at least 4 stages of the account lifecycle: how new users are created, how permissions are assigned, how accounts are suspended/deleted, and how access is revoked when users leave. Each stage has at least 2 steps described.
Fail criteria: No documentation found for account management, or documentation covers fewer than 4 lifecycle stages. Must not pass when only a partial lifecycle is documented (e.g., creation only without deprovisioning).
Skip (N/A) when: The site has no user authentication.
Detail on fail: "No documentation found for account provisioning/deprovisioning. Onboarding procedures are unclear."
Remediation: Create account management documentation:
# Account Management
## Creating a User Account
1. Admin logs into the system
2. Navigates to Settings > Users > Add User
3. Enters user email, selects role (admin/auditor/user)
4. System sends invitation email with secure registration link
5. User completes registration and sets password
## Assigning Permissions
- Roles are assigned at account creation or via Settings > Users > Edit
- Available roles: Admin (full access), Auditor (read+write), User (read-only)
- Permissions are enforced server-side via RBAC
## Deprovisioning
1. Admin navigates to Settings > Users > [User] > Deactivate
2. User's account is immediately deactivated
3. All active sessions are invalidated
4. User cannot log in
5. Historical data remains for audit purposes
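A worked check for the pass/fail criteria above, added here as an example and not the scanner's own logic: it parses a docs/account-management.md-style file into headings and list steps, maps each section to the four lifecycle stages by keyword (the keyword lists are an assumption), and passes only when every stage is covered by at least two steps, so a creation-only document fails as the fail criteria require. FULL_DOC is a constructed, trimmed copy of the remediation template.

```python
from __future__ import annotations
import re
# Keyword heuristics for the four stages in the pass criteria (assumed for illustration; the real scanner's matching is not on the page).
STAGES = {
    "creation": ("creat", "invite", "new user", "add user", "registration"),
    "role_assignment": ("role", "permission", "rbac", "privilege"),
    "suspension_deletion": ("deactivat", "suspend", "delet", "disabl"),
    "access_revocation": ("revok", "session", "token", "api key", "invalidat", "cannot log in"),
}
STEP_RE = re.compile(r"^(\d+\.|[-*])\s+")  # numbered or bulleted list item

def parse_sections(markdown: str) -> list[tuple[str, list[str]]]:
    """Split markdown into (heading, steps) pairs, one per heading."""
    sections: list[tuple[str, list[str]]] = []
    for raw in markdown.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            sections.append((line.lstrip("#").strip(), []))
        elif STEP_RE.match(line) and sections:
            sections[-1][1].append(STEP_RE.sub("", line))
    return sections

def documented_stages(markdown: str) -> dict[str, int]:
    """Map each stage to the largest step count of any section that mentions it."""
    found = {stage: 0 for stage in STAGES}
    for heading, steps in parse_sections(markdown):
        text = (heading + " " + " ".join(steps)).lower()
        for stage, keywords in STAGES.items():
            if any(k in text for k in keywords):
                found[stage] = max(found[stage], len(steps))
    return found

def check(markdown: str, required_stages: int = 4, min_steps: int = 2) -> tuple[bool, list[str]]:
    """Return (passed, stages lacking min_steps); a partial lifecycle must fail."""
    found = documented_stages(markdown)
    missing = [stage for stage, steps in found.items() if steps < min_steps]
    return len(found) - len(missing) >= required_stages, missing

# Constructed sample: a trimmed copy of the remediation template (two steps per section).
FULL_DOC = """# Account Management
## Creating a User Account
1. Admin navigates to Settings > Users > Add User
2. System sends invitation email with secure registration link
## Assigning Permissions
- Roles are assigned at account creation or via Settings > Users > Edit
- Permissions are enforced server-side via RBAC
## Deprovisioning
1. Admin navigates to Settings > Users > [User] > Deactivate
2. All active sessions are invalidated
"""
```

Run `check(open("docs/account-management.md").read())` against a real file; the returned list names the stages an auditor would cite as missing.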