Access kit
The least-privilege answer. Pick a feature and Skemia derives the exact permission set a user needs to run it, from source, with a reason for every grant.
Pick a feature
An app, a Lightning component, a flow, or an Apex controller. Skemia walks its entire dependency closure and turns what it touches into a permission set.
Every grant explained
Class access, object access, and the specific fields touched, each with a confidence level (certain, likely, uncertain) and a plain reason. Minimal mode keeps the confident grants; Safe mode also includes the uncertain ones, the access touched in system mode or dynamic code.
Deployable, and honest
A ready permission set to copy or download. It flags blind spots where dynamic code could hide a requirement, and does not guess at record-level sharing. There is also a CLI audit (ske access-audit) that scores a derived set against a real one, for CI gates.