test(02-01): scaffold export service test stubs for PERM-05 and PERM-06

- CsvExportServiceTests.cs: 3 real [Fact] tests (header row, empty list, merge rows) — PERM-05
- HtmlExportServiceTests.cs: 3 real [Fact] tests (user names, empty HTML, external user marker) — PERM-06
- Both files reference CsvExportService/HtmlExportService from Plan 03 — compile errors expected until Plan 03 creates the services

SharepointToolbox.Tests/Services/Export/CsvExportServiceTests.cs

@@ -0,0 +1,71 @@
+using SharepointToolbox.Core.Models;
+using SharepointToolbox.Services.Export;
+
+namespace SharepointToolbox.Tests.Services.Export;
+
+/// <summary>
+/// Tests for PERM-05: CSV export output.
+/// These tests reference CsvExportService which will be implemented in Plan 03.
+/// Until Plan 03 runs they will fail to compile — that is expected.
+/// </summary>
+public class CsvExportServiceTests
+{
+    private static PermissionEntry MakeEntry(
+        string objectType, string title, string url,
+        bool hasUnique, string users, string userLogins,
+        string permissionLevels, string grantedThrough, string principalType) =>
+        new(objectType, title, url, hasUnique, users, userLogins, permissionLevels, grantedThrough, principalType);
+
+    [Fact]
+    public void BuildCsv_WithKnownEntries_ProducesHeaderRow()
+    {
+        var entry = MakeEntry("Web", "Site A", "https://contoso.sharepoint.com/sites/A",
+            true, "alice@contoso.com", "i:0#.f|membership|alice@contoso.com",
+            "Contribute", "Direct Permissions", "User");
+
+        var svc = new CsvExportService();
+        var csv = svc.BuildCsv(new[] { entry });
+
+        Assert.Contains("Object", csv);
+        Assert.Contains("Title", csv);
+        Assert.Contains("URL", csv);
+        Assert.Contains("HasUniquePermissions", csv);
+        Assert.Contains("Users", csv);
+        Assert.Contains("UserLogins", csv);
+        Assert.Contains("Type", csv);
+        Assert.Contains("Permissions", csv);
+        Assert.Contains("GrantedThrough", csv);
+    }
+
+    [Fact]
+    public void BuildCsv_WithEmptyList_ReturnsHeaderOnly()
+    {
+        var svc = new CsvExportService();
+        var csv = svc.BuildCsv(Array.Empty<PermissionEntry>());
+
+        // Should have exactly one line (header) or header + empty body
+        Assert.NotEmpty(csv);
+        Assert.Contains("Object", csv);
+    }
+
+    [Fact]
+    public void BuildCsv_WithDuplicateUserPermissionGrantedThrough_MergesLocations()
+    {
+        // PERM-05 Merge-PermissionRows: two entries with same Users+PermissionLevels+GrantedThrough
+        // but different URLs must be merged into one row with URLs pipe-joined.
+        var entryA = MakeEntry("Web", "Site A", "https://contoso.sharepoint.com/sites/A",
+            true, "alice@contoso.com", "i:0#.f|membership|alice@contoso.com",
+            "Contribute", "Direct Permissions", "User");
+        var entryB = MakeEntry("Web", "Site B", "https://contoso.sharepoint.com/sites/B",
+            true, "alice@contoso.com", "i:0#.f|membership|alice@contoso.com",
+            "Contribute", "Direct Permissions", "User");
+
+        var svc = new CsvExportService();
+        var csv = svc.BuildCsv(new[] { entryA, entryB });
+
+        // Merged row must contain both URLs separated by " | "
+        Assert.Contains("sites/A", csv);
+        Assert.Contains("sites/B", csv);
+        Assert.Contains("|", csv);
+    }
+}

SharepointToolbox.Tests/Services/Export/HtmlExportServiceTests.cs

@@ -0,0 +1,53 @@
+using SharepointToolbox.Core.Models;
+using SharepointToolbox.Services.Export;
+
+namespace SharepointToolbox.Tests.Services.Export;
+
+/// <summary>
+/// Tests for PERM-06: HTML export output.
+/// These tests reference HtmlExportService which will be implemented in Plan 03.
+/// Until Plan 03 runs they will fail to compile — that is expected.
+/// </summary>
+public class HtmlExportServiceTests
+{
+    private static PermissionEntry MakeEntry(
+        string users, string userLogins,
+        string url = "https://contoso.sharepoint.com/sites/A") =>
+        new("Web", "Site A", url, true, users, userLogins, "Read", "Direct Permissions", "User");
+
+    [Fact]
+    public void BuildHtml_WithKnownEntries_ContainsUserNames()
+    {
+        var entry = MakeEntry("Bob Smith", "bob@contoso.com");
+        var svc = new HtmlExportService();
+        var html = svc.BuildHtml(new[] { entry });
+
+        Assert.Contains("Bob Smith", html);
+    }
+
+    [Fact]
+    public void BuildHtml_WithEmptyList_ReturnsValidHtml()
+    {
+        var svc = new HtmlExportService();
+        var html = svc.BuildHtml(Array.Empty<PermissionEntry>());
+
+        // Must be non-empty well-formed HTML even with no data rows
+        Assert.NotEmpty(html);
+        Assert.Contains("<html", html, StringComparison.OrdinalIgnoreCase);
+    }
+
+    [Fact]
+    public void BuildHtml_WithExternalUser_ContainsExtHashMarker()
+    {
+        // External users have #EXT# in their login — HTML output should make them distinguishable
+        var entry = MakeEntry(
+            users: "Ext User",
+            userLogins: "ext_user_domain.com#EXT#@contoso.onmicrosoft.com");
+
+        var svc = new HtmlExportService();
+        var html = svc.BuildHtml(new[] { entry });
+
+        // The HTML should surface the external marker so admins can identify guests
+        Assert.Contains("EXT", html, StringComparison.OrdinalIgnoreCase);
+    }
+}