snipe-auth-rbac 0.3.0 → 0.4.0

package/dist/admin/index.d.cts

@@ -1,4 +1,4 @@
-import { R as ResourceScope, F as FrontendConfig, a as ResourceDescriptor, A as Action } from '../types-DxvFudPF.cjs';
+import { A as Action, R as ResourceScope, F as FrontendConfig, a as ResourceDescriptor } from '../types-Oj9yfWvz.cjs';
 import * as react_jsx_runtime from 'react/jsx-runtime';
 
 /**
@@ -27,6 +27,32 @@ interface AdminRolePermission {
     can_write: boolean;
     can_update: boolean;
     can_delete: boolean;
+    /**
+     * `<action>_granted_via` columns from `rbac.role_permissions`.
+     * `null` = direct admin grant. Non-null = name of the parent
+     * resource whose `dependsOn` edge implied this cell. Used to
+     * render the "Implied by …" badge in the matrix UI.
+     *
+     * Available since 0.4.0. Pre-0.4.0 SQL omits these columns; the
+     * transport tolerates absent fields by treating them as null.
+     */
+    read_granted_via?: string | null;
+    write_granted_via?: string | null;
+    update_granted_via?: string | null;
+    delete_granted_via?: string | null;
+}
+/**
+ * One materialised cascade edge. Returned by
+ * `AdminTransport.listResourceDependencies()` and consumed by the
+ * matrix UI when an admin toggles a cell on — used to decide which
+ * implied rows to write alongside.
+ *
+ * Available since 0.4.0.
+ */
+interface AdminResourceDependency {
+    parent_resource: string;
+    child_resource: string;
+    action: Action;
 }
 interface AdminCompany {
     id: string;
@@ -81,7 +107,43 @@ interface AdminTransport {
         resource: string;
         action: Action;
         value: boolean;
+        /**
+         * 0.4.0+. When this write is the result of a dependsOn cascade,
+         * pass the parent resource name so the row's
+         * `<action>_granted_via` column is recorded. Direct admin
+         * clicks should pass `null` (or omit) to set the column to NULL
+         * — which is how `canAccessSection` distinguishes direct grants
+         * from implied ones.
+         */
+        grantedVia?: string | null;
     }): Promise<void>;
+    /**
+     * 0.4.0+. Batch variant for the dependsOn cascade — apply the
+     * parent's toggle AND every implied child in a single round-trip.
+     * Default implementation falls back to calling
+     * `setRolePermissionCell` once per write; transports that can
+     * batch (e.g. via a single `UPSERT … VALUES (…), (…), (…)`) should
+     * override.
+     */
+    batchSetRolePermissionCells(writes: ReadonlyArray<{
+        role_id: string;
+        resource: string;
+        action: Action;
+        value: boolean;
+        grantedVia?: string | null;
+    }>): Promise<void>;
+    /**
+     * 0.4.0+. Push the `dependsOn` edges from the host's registry
+     * into `rbac.resource_dependencies`. Normally chained off
+     * `syncResources()` on app boot.
+     */
+    syncResourceDependencies(edges: ReadonlyArray<AdminResourceDependency>): Promise<number>;
+    /**
+     * 0.4.0+. Read the materialised dependency graph back. The matrix
+     * UI hook calls this once at mount to know which children to
+     * cascade on a parent toggle.
+     */
+    listResourceDependencies(): Promise<AdminResourceDependency[]>;
     /**
      * Materialise `rbac.role_permissions` rows from a template role's
      * `default_permissions` JSONB pattern. Calls the SQL function
@@ -187,6 +249,13 @@ interface SupabaseAdminClientOptions {
     /** Where the invitee should land after setting their password. */
     inviteRedirectUrl?: string;
 }
+/**
+ * Pull `dependsOn` edges out of a registry array and flatten them
+ * into one row per (parent, child, action). Shared helper used by
+ * `syncResources` and by adopters who want to sync dependencies
+ * manually.
+ */
+declare function extractResourceDependencies(resources: ReadonlyArray<ResourceDescriptor>): AdminResourceDependency[];
 declare function createSupabaseAdminClient(opts: SupabaseAdminClientOptions): AdminTransport;
 
 interface AdminTransportProviderProps {
@@ -251,6 +320,7 @@ declare function useSetRolePermissionCell(): {
         resource: string;
         action: Action;
         value: boolean;
+        grantedVia?: string | null;
     }) => Promise<void>;
 };
 declare function useApplyTemplateDefaults(): {
@@ -261,6 +331,17 @@ declare function useApplyTemplateDefaults(): {
         only_missing?: boolean;
     }) => Promise<number>;
 };
+/**
+ * 0.4.0+. Materialised dependency edges. Loaded once per admin
+ * session — the underlying table mutates only on app boot (via
+ * `syncResources` → `syncResourceDependencies`).
+ */
+declare function useAdminResourceDependencies(): {
+    refresh: () => Promise<void>;
+    data: AdminResourceDependency[] | null;
+    isLoading: boolean;
+    error: Error | null;
+};
 declare function useCreateCompany(): {
     isPending: boolean;
     error: Error | null;
@@ -286,8 +367,20 @@ interface RolePermissionGrid {
         [A in Action]: boolean;
     };
 }
+/**
+ * 0.4.0+. Per-cell origin tracking — `null` means a direct admin
+ * grant, a string is the name of the parent resource whose
+ * `dependsOn` edge implied the row. Used by the matrix UI to render
+ * the "Implied by …" badge.
+ */
+interface RolePermissionOriginGrid {
+    [resource: string]: {
+        [A in Action]: string | null;
+    };
+}
 declare function useRolePermissionGrid(roleId: string | null): {
     grid: RolePermissionGrid;
+    originGrid: RolePermissionOriginGrid;
     isLoading: boolean;
     error: Error | null;
     refresh: () => Promise<void>;
@@ -305,7 +398,23 @@ interface MatrixRenderArgs {
     groups: MatrixGroup[];
     /** Read a single cell from the current grid. */
     isCellEnabled: (resource: string, action: Action) => boolean;
-    /** Write a single cell. Optimistic in the local cache + writes through. */
+    /**
+     * Origin of a single cell — `'direct'` for a direct admin grant
+     * (or off), or the name of the parent resource whose `dependsOn`
+     * edge implied the row. The consumer renders an "Implied by …"
+     * badge whenever this returns a non-`'direct'` value.
+     *
+     * Available since 0.4.0. With pre-0.4.0 SQL (no granted_via
+     * columns) this always returns `'direct'`.
+     */
+    cellOrigin: (resource: string, action: Action) => "direct" | string;
+    /**
+     * Write a single cell. Optimistic in the local cache + writes
+     * through. On toggle-on, also writes implied rows for every
+     * `dependsOn` edge whose `actions` include the toggled action —
+     * those rows carry the parent's name in
+     * `<action>_granted_via`. Toggle-off never cascades.
+     */
     setCell: (resource: string, action: Action, value: boolean) => Promise<void>;
     isLoading: boolean;
     isUpdating: boolean;
@@ -374,4 +483,4 @@ interface InviteMemberFormProps {
 }
 declare function InviteMemberForm(props: InviteMemberFormProps): react_jsx_runtime.JSX.Element;
 
-export { type AdminCompany, type AdminMember, type AdminRole, type AdminRolePermission, type AdminTransport, AdminTransportProvider, type AdminTransportProviderProps, InviteMemberForm, type InviteMemberFormProps, type InviteMemberFormRenderArgs, type MatrixGroup, type MatrixRenderArgs, PermissionsMatrix, type PermissionsMatrixProps, type RolePermissionGrid, RolesList, type RolesListProps, type RolesListRenderArgs, type SupabaseAdminClientOptions, createSupabaseAdminClient, useAdminCompanies, useAdminCompanyMembers, useAdminRolePermissions, useAdminRoles, useApplyTemplateDefaults, useCreateCompany, useCreateRole, useDeleteRole, useInviteCompanyMember, useRolePermissionGrid, useSetRolePermissionCell, useUpdateRole };
+export { type AdminCompany, type AdminMember, type AdminResourceDependency, type AdminRole, type AdminRolePermission, type AdminTransport, AdminTransportProvider, type AdminTransportProviderProps, InviteMemberForm, type InviteMemberFormProps, type InviteMemberFormRenderArgs, type MatrixGroup, type MatrixRenderArgs, PermissionsMatrix, type PermissionsMatrixProps, type RolePermissionGrid, type RolePermissionOriginGrid, RolesList, type RolesListProps, type RolesListRenderArgs, type SupabaseAdminClientOptions, createSupabaseAdminClient, extractResourceDependencies, useAdminCompanies, useAdminCompanyMembers, useAdminResourceDependencies, useAdminRolePermissions, useAdminRoles, useApplyTemplateDefaults, useCreateCompany, useCreateRole, useDeleteRole, useInviteCompanyMember, useRolePermissionGrid, useSetRolePermissionCell, useUpdateRole };

package/dist/admin/index.d.ts

@@ -1,4 +1,4 @@
-import { R as ResourceScope, F as FrontendConfig, a as ResourceDescriptor, A as Action } from '../types-DxvFudPF.js';
+import { A as Action, R as ResourceScope, F as FrontendConfig, a as ResourceDescriptor } from '../types-Oj9yfWvz.js';
 import * as react_jsx_runtime from 'react/jsx-runtime';
 
 /**
@@ -27,6 +27,32 @@ interface AdminRolePermission {
     can_write: boolean;
     can_update: boolean;
     can_delete: boolean;
+    /**
+     * `<action>_granted_via` columns from `rbac.role_permissions`.
+     * `null` = direct admin grant. Non-null = name of the parent
+     * resource whose `dependsOn` edge implied this cell. Used to
+     * render the "Implied by …" badge in the matrix UI.
+     *
+     * Available since 0.4.0. Pre-0.4.0 SQL omits these columns; the
+     * transport tolerates absent fields by treating them as null.
+     */
+    read_granted_via?: string | null;
+    write_granted_via?: string | null;
+    update_granted_via?: string | null;
+    delete_granted_via?: string | null;
+}
+/**
+ * One materialised cascade edge. Returned by
+ * `AdminTransport.listResourceDependencies()` and consumed by the
+ * matrix UI when an admin toggles a cell on — used to decide which
+ * implied rows to write alongside.
+ *
+ * Available since 0.4.0.
+ */
+interface AdminResourceDependency {
+    parent_resource: string;
+    child_resource: string;
+    action: Action;
 }
 interface AdminCompany {
     id: string;
@@ -81,7 +107,43 @@ interface AdminTransport {
         resource: string;
         action: Action;
         value: boolean;
+        /**
+         * 0.4.0+. When this write is the result of a dependsOn cascade,
+         * pass the parent resource name so the row's
+         * `<action>_granted_via` column is recorded. Direct admin
+         * clicks should pass `null` (or omit) to set the column to NULL
+         * — which is how `canAccessSection` distinguishes direct grants
+         * from implied ones.
+         */
+        grantedVia?: string | null;
     }): Promise<void>;
+    /**
+     * 0.4.0+. Batch variant for the dependsOn cascade — apply the
+     * parent's toggle AND every implied child in a single round-trip.
+     * Default implementation falls back to calling
+     * `setRolePermissionCell` once per write; transports that can
+     * batch (e.g. via a single `UPSERT … VALUES (…), (…), (…)`) should
+     * override.
+     */
+    batchSetRolePermissionCells(writes: ReadonlyArray<{
+        role_id: string;
+        resource: string;
+        action: Action;
+        value: boolean;
+        grantedVia?: string | null;
+    }>): Promise<void>;
+    /**
+     * 0.4.0+. Push the `dependsOn` edges from the host's registry
+     * into `rbac.resource_dependencies`. Normally chained off
+     * `syncResources()` on app boot.
+     */
+    syncResourceDependencies(edges: ReadonlyArray<AdminResourceDependency>): Promise<number>;
+    /**
+     * 0.4.0+. Read the materialised dependency graph back. The matrix
+     * UI hook calls this once at mount to know which children to
+     * cascade on a parent toggle.
+     */
+    listResourceDependencies(): Promise<AdminResourceDependency[]>;
     /**
      * Materialise `rbac.role_permissions` rows from a template role's
      * `default_permissions` JSONB pattern. Calls the SQL function
@@ -187,6 +249,13 @@ interface SupabaseAdminClientOptions {
     /** Where the invitee should land after setting their password. */
     inviteRedirectUrl?: string;
 }
+/**
+ * Pull `dependsOn` edges out of a registry array and flatten them
+ * into one row per (parent, child, action). Shared helper used by
+ * `syncResources` and by adopters who want to sync dependencies
+ * manually.
+ */
+declare function extractResourceDependencies(resources: ReadonlyArray<ResourceDescriptor>): AdminResourceDependency[];
 declare function createSupabaseAdminClient(opts: SupabaseAdminClientOptions): AdminTransport;
 
 interface AdminTransportProviderProps {
@@ -251,6 +320,7 @@ declare function useSetRolePermissionCell(): {
         resource: string;
         action: Action;
         value: boolean;
+        grantedVia?: string | null;
     }) => Promise<void>;
 };
 declare function useApplyTemplateDefaults(): {
@@ -261,6 +331,17 @@ declare function useApplyTemplateDefaults(): {
         only_missing?: boolean;
     }) => Promise<number>;
 };
+/**
+ * 0.4.0+. Materialised dependency edges. Loaded once per admin
+ * session — the underlying table mutates only on app boot (via
+ * `syncResources` → `syncResourceDependencies`).
+ */
+declare function useAdminResourceDependencies(): {
+    refresh: () => Promise<void>;
+    data: AdminResourceDependency[] | null;
+    isLoading: boolean;
+    error: Error | null;
+};
 declare function useCreateCompany(): {
     isPending: boolean;
     error: Error | null;
@@ -286,8 +367,20 @@ interface RolePermissionGrid {
         [A in Action]: boolean;
     };
 }
+/**
+ * 0.4.0+. Per-cell origin tracking — `null` means a direct admin
+ * grant, a string is the name of the parent resource whose
+ * `dependsOn` edge implied the row. Used by the matrix UI to render
+ * the "Implied by …" badge.
+ */
+interface RolePermissionOriginGrid {
+    [resource: string]: {
+        [A in Action]: string | null;
+    };
+}
 declare function useRolePermissionGrid(roleId: string | null): {
     grid: RolePermissionGrid;
+    originGrid: RolePermissionOriginGrid;
     isLoading: boolean;
     error: Error | null;
     refresh: () => Promise<void>;
@@ -305,7 +398,23 @@ interface MatrixRenderArgs {
     groups: MatrixGroup[];
     /** Read a single cell from the current grid. */
     isCellEnabled: (resource: string, action: Action) => boolean;
-    /** Write a single cell. Optimistic in the local cache + writes through. */
+    /**
+     * Origin of a single cell — `'direct'` for a direct admin grant
+     * (or off), or the name of the parent resource whose `dependsOn`
+     * edge implied the row. The consumer renders an "Implied by …"
+     * badge whenever this returns a non-`'direct'` value.
+     *
+     * Available since 0.4.0. With pre-0.4.0 SQL (no granted_via
+     * columns) this always returns `'direct'`.
+     */
+    cellOrigin: (resource: string, action: Action) => "direct" | string;
+    /**
+     * Write a single cell. Optimistic in the local cache + writes
+     * through. On toggle-on, also writes implied rows for every
+     * `dependsOn` edge whose `actions` include the toggled action —
+     * those rows carry the parent's name in
+     * `<action>_granted_via`. Toggle-off never cascades.
+     */
     setCell: (resource: string, action: Action, value: boolean) => Promise<void>;
     isLoading: boolean;
     isUpdating: boolean;
@@ -374,4 +483,4 @@ interface InviteMemberFormProps {
 }
 declare function InviteMemberForm(props: InviteMemberFormProps): react_jsx_runtime.JSX.Element;
 
-export { type AdminCompany, type AdminMember, type AdminRole, type AdminRolePermission, type AdminTransport, AdminTransportProvider, type AdminTransportProviderProps, InviteMemberForm, type InviteMemberFormProps, type InviteMemberFormRenderArgs, type MatrixGroup, type MatrixRenderArgs, PermissionsMatrix, type PermissionsMatrixProps, type RolePermissionGrid, RolesList, type RolesListProps, type RolesListRenderArgs, type SupabaseAdminClientOptions, createSupabaseAdminClient, useAdminCompanies, useAdminCompanyMembers, useAdminRolePermissions, useAdminRoles, useApplyTemplateDefaults, useCreateCompany, useCreateRole, useDeleteRole, useInviteCompanyMember, useRolePermissionGrid, useSetRolePermissionCell, useUpdateRole };
+export { type AdminCompany, type AdminMember, type AdminResourceDependency, type AdminRole, type AdminRolePermission, type AdminTransport, AdminTransportProvider, type AdminTransportProviderProps, InviteMemberForm, type InviteMemberFormProps, type InviteMemberFormRenderArgs, type MatrixGroup, type MatrixRenderArgs, PermissionsMatrix, type PermissionsMatrixProps, type RolePermissionGrid, type RolePermissionOriginGrid, RolesList, type RolesListProps, type RolesListRenderArgs, type SupabaseAdminClientOptions, createSupabaseAdminClient, extractResourceDependencies, useAdminCompanies, useAdminCompanyMembers, useAdminResourceDependencies, useAdminRolePermissions, useAdminRoles, useApplyTemplateDefaults, useCreateCompany, useCreateRole, useDeleteRole, useInviteCompanyMember, useRolePermissionGrid, useSetRolePermissionCell, useUpdateRole };

package/dist/admin/index.js

@@ -1,6 +1,6 @@
 import {
   groupResources
-} from "../chunk-C76JHCKM.js";
+} from "../chunk-XHPBUCFN.js";
 
 // src/admin/transport.ts
 var ACTION_COLUMN = {
@@ -9,9 +9,46 @@ var ACTION_COLUMN = {
   update: "can_update",
   delete: "can_delete"
 };
+var GRANTED_VIA_COLUMN = {
+  read: "read_granted_via",
+  write: "write_granted_via",
+  update: "update_granted_via",
+  delete: "delete_granted_via"
+};
+function extractResourceDependencies(resources) {
+  const out = [];
+  for (const r of resources) {
+    for (const edge of r.dependsOn ?? []) {
+      const child = typeof edge === "string" ? edge : edge.resource;
+      const actions = typeof edge === "string" ? ["read"] : edge.actions ?? ["read"];
+      for (const action of actions) {
+        out.push({
+          parent_resource: r.resource,
+          child_resource: child,
+          action
+        });
+      }
+    }
+  }
+  return out;
+}
 function createSupabaseAdminClient(opts) {
   const sb = opts.supabase;
   const rbac = sb.schema("rbac");
+  const syncResourceDependencies = async (edges) => {
+    const payload = edges.map((e) => ({
+      parent_resource: e.parent_resource,
+      child_resource: e.child_resource,
+      action: e.action
+    }));
+    const { error } = await rbac.rpc("replace_resource_dependencies", {
+      p_edges: payload
+    });
+    if (error) {
+      throw new Error(`syncResourceDependencies: ${error.message}`);
+    }
+    return edges.length;
+  };
   return {
     async syncResources(resources) {
       if (resources.length === 0) {
@@ -28,6 +65,15 @@ function createSupabaseAdminClient(opts) {
       if (error) {
         throw new Error(`syncResources: ${error.message}`);
       }
+      const edges = extractResourceDependencies(resources);
+      try {
+        await syncResourceDependencies(edges);
+      } catch (err) {
+        if (err instanceof Error && /resource_dependencies/i.test(err.message) && /(does not exist|relation .* does not exist)/i.test(err.message)) {
+        } else {
+          throw err;
+        }
+      }
       return resources.length;
     },
     async listRoles({ scope, companyId, templatesOnly }) {
@@ -77,18 +123,68 @@ function createSupabaseAdminClient(opts) {
         throw new Error(`deleteRole: ${error.message}`);
       }
     },
-    async setRolePermissionCell({ role_id, resource, action, value }) {
-      const column = ACTION_COLUMN[action];
+    async setRolePermissionCell({ role_id, resource, action, value, grantedVia }) {
+      const actionCol = ACTION_COLUMN[action];
+      const originCol = GRANTED_VIA_COLUMN[action];
       const row = {
         role_id,
         resource,
-        [column]: value
+        [actionCol]: value
       };
+      if (grantedVia !== void 0) {
+        row[originCol] = value ? grantedVia : null;
+      }
       const { error } = await rbac.from("role_permissions").upsert(row, { onConflict: "role_id,resource" });
       if (error) {
+        if (grantedVia !== void 0 && /column .*granted_via.* does not exist/i.test(error.message)) {
+          const fallbackRow = {
+            role_id,
+            resource,
+            [actionCol]: value
+          };
+          const { error: retryErr } = await rbac.from("role_permissions").upsert(fallbackRow, { onConflict: "role_id,resource" });
+          if (retryErr) {
+            throw new Error(`setRolePermissionCell: ${retryErr.message}`);
+          }
+          return;
+        }
         throw new Error(`setRolePermissionCell: ${error.message}`);
       }
     },
+    async batchSetRolePermissionCells(writes) {
+      if (writes.length === 0) {
+        return;
+      }
+      const byKey = /* @__PURE__ */ new Map();
+      for (const w of writes) {
+        const key = `${w.role_id}::${w.resource}`;
+        const existing = byKey.get(key) ?? {
+          role_id: w.role_id,
+          resource: w.resource
+        };
+        existing[ACTION_COLUMN[w.action]] = w.value;
+        if (w.grantedVia !== void 0) {
+          existing[GRANTED_VIA_COLUMN[w.action]] = w.value ? w.grantedVia : null;
+        }
+        byKey.set(key, existing);
+      }
+      const payload = Array.from(byKey.values());
+      const { error } = await rbac.from("role_permissions").upsert(payload, { onConflict: "role_id,resource" });
+      if (error) {
+        throw new Error(`batchSetRolePermissionCells: ${error.message}`);
+      }
+    },
+    syncResourceDependencies,
+    async listResourceDependencies() {
+      const { data, error } = await rbac.from("resource_dependencies").select("parent_resource, child_resource, action").order("parent_resource", { ascending: true });
+      if (error) {
+        if (/resource_dependencies/i.test(error.message) && /does not exist/i.test(error.message)) {
+          return [];
+        }
+        throw new Error(`listResourceDependencies: ${error.message}`);
+      }
+      return data ?? [];
+    },
     async applyTemplateDefaults({ role_id, only_missing = true }) {
       const { data, error } = await rbac.rpc("apply_template_defaults", {
         p_role_id: role_id,
@@ -265,6 +361,13 @@ function useApplyTemplateDefaults() {
   const transport = useAdminTransport();
   return useMutation(transport.applyTemplateDefaults);
 }
+function useAdminResourceDependencies() {
+  const transport = useAdminTransport();
+  return useAsync(
+    () => transport.listResourceDependencies(),
+    [transport]
+  );
+}
 function useCreateCompany() {
   const transport = useAdminTransport();
   return useMutation(transport.createCompany);
@@ -275,7 +378,11 @@ function useInviteCompanyMember() {
 }
 function useRolePermissionGrid(roleId) {
   const { data, isLoading, error, refresh } = useAdminRolePermissions(roleId);
+  const dependencies = useAdminResourceDependencies();
   const setCell = useSetRolePermissionCell();
+  const transport = useAdminTransport();
+  const [isCascading, setCascading] = useState(false);
+  const [cascadeError, setCascadeError] = useState(null);
   const grid = useMemo(() => {
     const out = {};
     for (const row of data ?? []) {
@@ -288,33 +395,107 @@ function useRolePermissionGrid(roleId) {
     }
     return out;
   }, [data]);
+  const originGrid = useMemo(() => {
+    const out = {};
+    for (const row of data ?? []) {
+      out[row.resource] = {
+        read: row.read_granted_via ?? null,
+        write: row.write_granted_via ?? null,
+        update: row.update_granted_via ?? null,
+        delete: row.delete_granted_via ?? null
+      };
+    }
+    return out;
+  }, [data]);
+  const edgesByParent = useMemo(() => {
+    const map = /* @__PURE__ */ new Map();
+    for (const edge of dependencies.data ?? []) {
+      const list = map.get(edge.parent_resource) ?? [];
+      map.set(edge.parent_resource, [
+        ...list,
+        { child: edge.child_resource, action: edge.action }
+      ]);
+    }
+    return map;
+  }, [dependencies.data]);
   const updateCell = useCallback(
     async (resource, action, value) => {
       if (!roleId) {
         return;
       }
-      await setCell.mutate({ role_id: roleId, resource, action, value });
-      void refresh();
+      const writes = [
+        { role_id: roleId, resource, action, value, grantedVia: null }
+      ];
+      if (value) {
+        const edges = edgesByParent.get(resource) ?? [];
+        for (const edge of edges) {
+          if (edge.action !== action) {
+            continue;
+          }
+          const childRow = (data ?? []).find((r) => r.resource === edge.child);
+          const childValue = childRow?.[ACTION_FIELD[action]] === true;
+          const childOrigin = childRow?.[ORIGIN_FIELD[action]] ?? null;
+          if (childValue && childOrigin == null) {
+            continue;
+          }
+          writes.push({
+            role_id: roleId,
+            resource: edge.child,
+            action,
+            value: true,
+            grantedVia: resource
+          });
+        }
+      }
+      setCascading(true);
+      setCascadeError(null);
+      try {
+        const [first, ...rest] = writes;
+        if (first && rest.length === 0) {
+          await setCell.mutate(first);
+        } else {
+          await transport.batchSetRolePermissionCells(writes);
+        }
+        void refresh();
+      } catch (e) {
+        setCascadeError(e instanceof Error ? e : new Error(String(e)));
+        throw e;
+      } finally {
+        setCascading(false);
+      }
     },
-    [roleId, setCell, refresh]
+    [roleId, setCell, refresh, edgesByParent, data, transport]
   );
   return {
     grid,
-    isLoading,
-    error,
+    originGrid,
+    isLoading: isLoading || dependencies.isLoading,
+    error: error ?? dependencies.error,
     refresh,
     updateCell,
-    isUpdating: setCell.isPending,
-    updateError: setCell.error
+    isUpdating: setCell.isPending || isCascading,
+    updateError: setCell.error ?? cascadeError
   };
 }
+var ACTION_FIELD = {
+  read: "can_read",
+  write: "can_write",
+  update: "can_update",
+  delete: "can_delete"
+};
+var ORIGIN_FIELD = {
+  read: "read_granted_via",
+  write: "write_granted_via",
+  update: "update_granted_via",
+  delete: "delete_granted_via"
+};
 
 // src/admin/PermissionsMatrix.tsx
 import { useMemo as useMemo2 } from "react";
 import { Fragment, jsx as jsx2 } from "react/jsx-runtime";
 var ACTIONS = ["read", "write", "update", "delete"];
 function PermissionsMatrix(props) {
-  const { grid, isLoading, error, updateCell, isUpdating } = useRolePermissionGrid(props.roleId);
+  const { grid, originGrid, isLoading, error, updateCell, isUpdating } = useRolePermissionGrid(props.roleId);
   const groups = useMemo2(
     () => groupResources(props.resources),
     [props.resources]
@@ -322,12 +503,17 @@ function PermissionsMatrix(props) {
   const isCellEnabled = (resource, action) => {
     return grid[resource]?.[action] ?? false;
   };
+  const cellOrigin = (resource, action) => {
+    const origin = originGrid[resource]?.[action];
+    return origin == null ? "direct" : origin;
+  };
   const setCell = async (resource, action, value) => {
     await updateCell(resource, action, value);
   };
   return /* @__PURE__ */ jsx2(Fragment, { children: props.children({
     groups,
     isCellEnabled,
+    cellOrigin,
     setCell,
     isLoading,
     isUpdating,
@@ -461,8 +647,10 @@ export {
   PermissionsMatrix,
   RolesList,
   createSupabaseAdminClient,
+  extractResourceDependencies,
   useAdminCompanies,
   useAdminCompanyMembers,
+  useAdminResourceDependencies,
   useAdminRolePermissions,
   useAdminRoles,
   useApplyTemplateDefaults,