Currently the constraints related to audit logging don't do anything – they are just stubs written pending the audit logging patch. So these need completion.
I believe this is just implementing the TODOs in AuditConstraint and NonAuditConstraint and then updating the tests to check the roles work properly. I envisioned the TODO as being a simple test of the target resource address, i.e. does it start with /host=*/core-service=management/access=audit.