snipe-auth-rbac 0.5.0 → 0.6.0

package/dist/admin/index.d.cts

@@ -54,6 +54,21 @@ interface AdminResourceDependency {
     child_resource: string;
     action: Action;
 }
+/**
+ * One row of `rbac.role_permission_overrides` — an explicit
+ * per-role suppression that takes a cell OFF even when the
+ * dependency graph would otherwise imply it (or when a direct
+ * grant row exists). Used to express "Anwalt has tenants:read
+ * but should NOT see payments, even though tenants.dependsOn
+ * includes payments".
+ *
+ * Available since 0.6.0.
+ */
+interface AdminRolePermissionOverride {
+    role_id: string;
+    resource: string;
+    action: Action;
+}
 interface AdminCompany {
     id: string;
     name: string;
@@ -144,6 +159,26 @@ interface AdminTransport {
      * cascade on a parent toggle.
      */
     listResourceDependencies(): Promise<AdminResourceDependency[]>;
+    /**
+     * 0.6.0+. Read every per-role override for the given role.
+     * Returns the (resource, action) cells that the admin has
+     * explicitly suppressed, even though dependency-graph expansion
+     * would otherwise grant them.
+     */
+    listRolePermissionOverrides(roleId: string): Promise<AdminRolePermissionOverride[]>;
+    /**
+     * 0.6.0+. Set or clear a per-role override:
+     *   * suppress=true  → INSERT (idempotent via ON CONFLICT)
+     *   * suppress=false → DELETE
+     * Resolver functions subtract the row from the user's expanded
+     * grant set as soon as it's written.
+     */
+    setRolePermissionOverride(args: {
+        role_id: string;
+        resource: string;
+        action: Action;
+        suppress: boolean;
+    }): Promise<void>;
     /**
      * Materialise `rbac.role_permissions` rows from a template role's
      * `default_permissions` JSONB pattern. Calls the SQL function
@@ -342,6 +377,25 @@ declare function useAdminResourceDependencies(): {
     isLoading: boolean;
     error: Error | null;
 };
+/**
+ * 0.6.0+. Per-role override map. Returns a Set of
+ * `"<resource>:<action>"` keys for the given role plus a
+ * `setOverride(resource, action, suppress)` mutator. Optimistic —
+ * the local set flips immediately, then a re-fetch reconciles.
+ *
+ * Use this in tandem with `useRolePermissionGrid` to render a
+ * matrix UI that distinguishes:
+ *   * direct grants (the row is on rbac.role_permissions)
+ *   * implied grants (resource_dependencies expansion)
+ *   * overrides (this hook's set — admin clicked an implied cell
+ *     off to carve it out for this specific role)
+ */
+declare function useRolePermissionOverrides(roleId: string | null): {
+    overrides: Set<string>;
+    setOverride: (resource: string, action: Action, suppress: boolean) => Promise<void>;
+    error: Error | null;
+    refresh: () => Promise<void>;
+};
 declare function useCreateCompany(): {
     isPending: boolean;
     error: Error | null;
@@ -368,15 +422,19 @@ interface RolePermissionGrid {
     };
 }
 /**
- * 0.4.0+ shape (0.5.0 semantics): per-cell origin marker. `'direct'`
- * for an explicit admin grant, the name of the parent resource for
- * an implied grant (from rbac.resource_dependencies), or `null` /
- * absent when neither.
+ * Per-cell origin marker:
+ *   * `'direct'`     — explicit admin grant on rbac.role_permissions
+ *   * `'override'`   — admin set an override on rbac.role_permission_overrides
+ *                      (0.6.0+; cell is OFF even if a direct or
+ *                      implied grant would otherwise apply)
+ *   * `<string>`     — name of the parent resource that implies this
+ *                      cell via rbac.resource_dependencies
+ *   * `null`         — neither granted nor implied
  *
  * In 0.4.x this was driven by the `<action>_granted_via` columns on
- * rbac.role_permissions. In 0.5.0 implied rows are no longer
+ * rbac.role_permissions. In 0.5.0+ implied rows are no longer
  * materialised — origin is computed client-side from the dependency
- * graph + the role's direct grants.
+ * graph + the role's direct grants + (0.6.0+) any overrides.
  */
 interface RolePermissionOriginGrid {
     [resource: string]: {
@@ -390,6 +448,15 @@ declare function useRolePermissionGrid(roleId: string | null): {
         parent: string;
         action: Action;
     }[]>;
+    /** 0.6.0+. Set of `"<resource>:<action>"` for this role's overrides. */
+    overrides: Set<string>;
+    /**
+     * 0.6.0+. Suppress (`suppress=true`) or restore (`suppress=false`)
+     * an implied permission for this role. The grid + originGrid
+     * re-render with `'override'` state on the cell as soon as the
+     * optimistic flip lands.
+     */
+    setOverride: (resource: string, action: Action, suppress: boolean) => Promise<void>;
     isLoading: boolean;
     error: Error | null;
     refresh: () => Promise<void>;
@@ -405,26 +472,38 @@ interface MatrixGroup {
 interface MatrixRenderArgs {
     /** Resources grouped by their `group` label, original insertion order. */
     groups: MatrixGroup[];
-    /** Read a single cell from the current grid. */
+    /**
+     * Effective state of a cell after applying direct grants, the
+     * resource-dependency expansion, and any per-role overrides.
+     * What the resolver would answer for a user holding this role.
+     */
     isCellEnabled: (resource: string, action: Action) => boolean;
     /**
-     * Origin of a single cell — `'direct'` for a direct admin grant
-     * (or off), or the name of the parent resource whose `dependsOn`
-     * edge implied the row. The consumer renders an "Implied by …"
-     * badge whenever this returns a non-`'direct'` value.
+     * Origin of a single cell:
+     *   * `'direct'`     — explicit admin grant on rbac.role_permissions
+     *   * `'override'`   — admin suppressed it via rbac.role_permission_overrides
+     *                       (0.6.0+; cell is off even if a parent would imply)
+     *   * `<string>`     — the name of the parent resource whose
+     *                      `dependsOn` edge implies this cell
      *
-     * Available since 0.4.0. With pre-0.4.0 SQL (no granted_via
-     * columns) this always returns `'direct'`.
+     * Available since 0.4.0; the `'override'` value is 0.6.0+.
      */
-    cellOrigin: (resource: string, action: Action) => "direct" | string;
+    cellOrigin: (resource: string, action: Action) => "direct" | "override" | string;
     /**
-     * Write a single cell. Optimistic in the local cache + writes
-     * through. On toggle-on, also writes implied rows for every
-     * `dependsOn` edge whose `actions` include the toggled action —
-     * those rows carry the parent's name in
-     * `<action>_granted_via`. Toggle-off never cascades.
+     * Toggle a DIRECT grant on rbac.role_permissions. Use for cells
+     * that the matrix UI shows as "direct" (no implied parent). For
+     * cells that are implied, use `setOverride` instead — that's what
+     * lets the admin opt a single role out of a cascade without
+     * touching the parent grant or the registry.
      */
     setCell: (resource: string, action: Action, value: boolean) => Promise<void>;
+    /**
+     * 0.6.0+. Suppress (`suppress=true`) or restore (`suppress=false`)
+     * an implied permission for this role via
+     * rbac.role_permission_overrides. Writes are optimistic; the
+     * `cellOrigin` reflects the new state immediately.
+     */
+    setOverride: (resource: string, action: Action, suppress: boolean) => Promise<void>;
     isLoading: boolean;
     isUpdating: boolean;
     error: Error | null;
@@ -492,4 +571,4 @@ interface InviteMemberFormProps {
 }
 declare function InviteMemberForm(props: InviteMemberFormProps): react_jsx_runtime.JSX.Element;
 
-export { type AdminCompany, type AdminMember, type AdminResourceDependency, type AdminRole, type AdminRolePermission, type AdminTransport, AdminTransportProvider, type AdminTransportProviderProps, InviteMemberForm, type InviteMemberFormProps, type InviteMemberFormRenderArgs, type MatrixGroup, type MatrixRenderArgs, PermissionsMatrix, type PermissionsMatrixProps, type RolePermissionGrid, type RolePermissionOriginGrid, RolesList, type RolesListProps, type RolesListRenderArgs, type SupabaseAdminClientOptions, createSupabaseAdminClient, extractResourceDependencies, useAdminCompanies, useAdminCompanyMembers, useAdminResourceDependencies, useAdminRolePermissions, useAdminRoles, useApplyTemplateDefaults, useCreateCompany, useCreateRole, useDeleteRole, useInviteCompanyMember, useRolePermissionGrid, useSetRolePermissionCell, useUpdateRole };
+export { type AdminCompany, type AdminMember, type AdminResourceDependency, type AdminRole, type AdminRolePermission, type AdminRolePermissionOverride, type AdminTransport, AdminTransportProvider, type AdminTransportProviderProps, InviteMemberForm, type InviteMemberFormProps, type InviteMemberFormRenderArgs, type MatrixGroup, type MatrixRenderArgs, PermissionsMatrix, type PermissionsMatrixProps, type RolePermissionGrid, type RolePermissionOriginGrid, RolesList, type RolesListProps, type RolesListRenderArgs, type SupabaseAdminClientOptions, createSupabaseAdminClient, extractResourceDependencies, useAdminCompanies, useAdminCompanyMembers, useAdminResourceDependencies, useAdminRolePermissions, useAdminRoles, useApplyTemplateDefaults, useCreateCompany, useCreateRole, useDeleteRole, useInviteCompanyMember, useRolePermissionGrid, useRolePermissionOverrides, useSetRolePermissionCell, useUpdateRole };

package/dist/admin/index.d.ts

@@ -54,6 +54,21 @@ interface AdminResourceDependency {
     child_resource: string;
     action: Action;
 }
+/**
+ * One row of `rbac.role_permission_overrides` — an explicit
+ * per-role suppression that takes a cell OFF even when the
+ * dependency graph would otherwise imply it (or when a direct
+ * grant row exists). Used to express "Anwalt has tenants:read
+ * but should NOT see payments, even though tenants.dependsOn
+ * includes payments".
+ *
+ * Available since 0.6.0.
+ */
+interface AdminRolePermissionOverride {
+    role_id: string;
+    resource: string;
+    action: Action;
+}
 interface AdminCompany {
     id: string;
     name: string;
@@ -144,6 +159,26 @@ interface AdminTransport {
      * cascade on a parent toggle.
      */
     listResourceDependencies(): Promise<AdminResourceDependency[]>;
+    /**
+     * 0.6.0+. Read every per-role override for the given role.
+     * Returns the (resource, action) cells that the admin has
+     * explicitly suppressed, even though dependency-graph expansion
+     * would otherwise grant them.
+     */
+    listRolePermissionOverrides(roleId: string): Promise<AdminRolePermissionOverride[]>;
+    /**
+     * 0.6.0+. Set or clear a per-role override:
+     *   * suppress=true  → INSERT (idempotent via ON CONFLICT)
+     *   * suppress=false → DELETE
+     * Resolver functions subtract the row from the user's expanded
+     * grant set as soon as it's written.
+     */
+    setRolePermissionOverride(args: {
+        role_id: string;
+        resource: string;
+        action: Action;
+        suppress: boolean;
+    }): Promise<void>;
     /**
      * Materialise `rbac.role_permissions` rows from a template role's
      * `default_permissions` JSONB pattern. Calls the SQL function
@@ -342,6 +377,25 @@ declare function useAdminResourceDependencies(): {
     isLoading: boolean;
     error: Error | null;
 };
+/**
+ * 0.6.0+. Per-role override map. Returns a Set of
+ * `"<resource>:<action>"` keys for the given role plus a
+ * `setOverride(resource, action, suppress)` mutator. Optimistic —
+ * the local set flips immediately, then a re-fetch reconciles.
+ *
+ * Use this in tandem with `useRolePermissionGrid` to render a
+ * matrix UI that distinguishes:
+ *   * direct grants (the row is on rbac.role_permissions)
+ *   * implied grants (resource_dependencies expansion)
+ *   * overrides (this hook's set — admin clicked an implied cell
+ *     off to carve it out for this specific role)
+ */
+declare function useRolePermissionOverrides(roleId: string | null): {
+    overrides: Set<string>;
+    setOverride: (resource: string, action: Action, suppress: boolean) => Promise<void>;
+    error: Error | null;
+    refresh: () => Promise<void>;
+};
 declare function useCreateCompany(): {
     isPending: boolean;
     error: Error | null;
@@ -368,15 +422,19 @@ interface RolePermissionGrid {
     };
 }
 /**
- * 0.4.0+ shape (0.5.0 semantics): per-cell origin marker. `'direct'`
- * for an explicit admin grant, the name of the parent resource for
- * an implied grant (from rbac.resource_dependencies), or `null` /
- * absent when neither.
+ * Per-cell origin marker:
+ *   * `'direct'`     — explicit admin grant on rbac.role_permissions
+ *   * `'override'`   — admin set an override on rbac.role_permission_overrides
+ *                      (0.6.0+; cell is OFF even if a direct or
+ *                      implied grant would otherwise apply)
+ *   * `<string>`     — name of the parent resource that implies this
+ *                      cell via rbac.resource_dependencies
+ *   * `null`         — neither granted nor implied
  *
  * In 0.4.x this was driven by the `<action>_granted_via` columns on
- * rbac.role_permissions. In 0.5.0 implied rows are no longer
+ * rbac.role_permissions. In 0.5.0+ implied rows are no longer
  * materialised — origin is computed client-side from the dependency
- * graph + the role's direct grants.
+ * graph + the role's direct grants + (0.6.0+) any overrides.
  */
 interface RolePermissionOriginGrid {
     [resource: string]: {
@@ -390,6 +448,15 @@ declare function useRolePermissionGrid(roleId: string | null): {
         parent: string;
         action: Action;
     }[]>;
+    /** 0.6.0+. Set of `"<resource>:<action>"` for this role's overrides. */
+    overrides: Set<string>;
+    /**
+     * 0.6.0+. Suppress (`suppress=true`) or restore (`suppress=false`)
+     * an implied permission for this role. The grid + originGrid
+     * re-render with `'override'` state on the cell as soon as the
+     * optimistic flip lands.
+     */
+    setOverride: (resource: string, action: Action, suppress: boolean) => Promise<void>;
     isLoading: boolean;
     error: Error | null;
     refresh: () => Promise<void>;
@@ -405,26 +472,38 @@ interface MatrixGroup {
 interface MatrixRenderArgs {
     /** Resources grouped by their `group` label, original insertion order. */
     groups: MatrixGroup[];
-    /** Read a single cell from the current grid. */
+    /**
+     * Effective state of a cell after applying direct grants, the
+     * resource-dependency expansion, and any per-role overrides.
+     * What the resolver would answer for a user holding this role.
+     */
     isCellEnabled: (resource: string, action: Action) => boolean;
     /**
-     * Origin of a single cell — `'direct'` for a direct admin grant
-     * (or off), or the name of the parent resource whose `dependsOn`
-     * edge implied the row. The consumer renders an "Implied by …"
-     * badge whenever this returns a non-`'direct'` value.
+     * Origin of a single cell:
+     *   * `'direct'`     — explicit admin grant on rbac.role_permissions
+     *   * `'override'`   — admin suppressed it via rbac.role_permission_overrides
+     *                       (0.6.0+; cell is off even if a parent would imply)
+     *   * `<string>`     — the name of the parent resource whose
+     *                      `dependsOn` edge implies this cell
      *
-     * Available since 0.4.0. With pre-0.4.0 SQL (no granted_via
-     * columns) this always returns `'direct'`.
+     * Available since 0.4.0; the `'override'` value is 0.6.0+.
      */
-    cellOrigin: (resource: string, action: Action) => "direct" | string;
+    cellOrigin: (resource: string, action: Action) => "direct" | "override" | string;
     /**
-     * Write a single cell. Optimistic in the local cache + writes
-     * through. On toggle-on, also writes implied rows for every
-     * `dependsOn` edge whose `actions` include the toggled action —
-     * those rows carry the parent's name in
-     * `<action>_granted_via`. Toggle-off never cascades.
+     * Toggle a DIRECT grant on rbac.role_permissions. Use for cells
+     * that the matrix UI shows as "direct" (no implied parent). For
+     * cells that are implied, use `setOverride` instead — that's what
+     * lets the admin opt a single role out of a cascade without
+     * touching the parent grant or the registry.
      */
     setCell: (resource: string, action: Action, value: boolean) => Promise<void>;
+    /**
+     * 0.6.0+. Suppress (`suppress=true`) or restore (`suppress=false`)
+     * an implied permission for this role via
+     * rbac.role_permission_overrides. Writes are optimistic; the
+     * `cellOrigin` reflects the new state immediately.
+     */
+    setOverride: (resource: string, action: Action, suppress: boolean) => Promise<void>;
     isLoading: boolean;
     isUpdating: boolean;
     error: Error | null;
@@ -492,4 +571,4 @@ interface InviteMemberFormProps {
 }
 declare function InviteMemberForm(props: InviteMemberFormProps): react_jsx_runtime.JSX.Element;
 
-export { type AdminCompany, type AdminMember, type AdminResourceDependency, type AdminRole, type AdminRolePermission, type AdminTransport, AdminTransportProvider, type AdminTransportProviderProps, InviteMemberForm, type InviteMemberFormProps, type InviteMemberFormRenderArgs, type MatrixGroup, type MatrixRenderArgs, PermissionsMatrix, type PermissionsMatrixProps, type RolePermissionGrid, type RolePermissionOriginGrid, RolesList, type RolesListProps, type RolesListRenderArgs, type SupabaseAdminClientOptions, createSupabaseAdminClient, extractResourceDependencies, useAdminCompanies, useAdminCompanyMembers, useAdminResourceDependencies, useAdminRolePermissions, useAdminRoles, useApplyTemplateDefaults, useCreateCompany, useCreateRole, useDeleteRole, useInviteCompanyMember, useRolePermissionGrid, useSetRolePermissionCell, useUpdateRole };
+export { type AdminCompany, type AdminMember, type AdminResourceDependency, type AdminRole, type AdminRolePermission, type AdminRolePermissionOverride, type AdminTransport, AdminTransportProvider, type AdminTransportProviderProps, InviteMemberForm, type InviteMemberFormProps, type InviteMemberFormRenderArgs, type MatrixGroup, type MatrixRenderArgs, PermissionsMatrix, type PermissionsMatrixProps, type RolePermissionGrid, type RolePermissionOriginGrid, RolesList, type RolesListProps, type RolesListRenderArgs, type SupabaseAdminClientOptions, createSupabaseAdminClient, extractResourceDependencies, useAdminCompanies, useAdminCompanyMembers, useAdminResourceDependencies, useAdminRolePermissions, useAdminRoles, useApplyTemplateDefaults, useCreateCompany, useCreateRole, useDeleteRole, useInviteCompanyMember, useRolePermissionGrid, useRolePermissionOverrides, useSetRolePermissionCell, useUpdateRole };

package/dist/admin/index.js

@@ -185,6 +185,32 @@ function createSupabaseAdminClient(opts) {
       }
       return data ?? [];
     },
+    async listRolePermissionOverrides(roleId) {
+      const { data, error } = await rbac.from("role_permission_overrides").select("role_id, resource, action").eq("role_id", roleId);
+      if (error) {
+        if (/role_permission_overrides/i.test(error.message) && /does not exist/i.test(error.message)) {
+          return [];
+        }
+        throw new Error(`listRolePermissionOverrides: ${error.message}`);
+      }
+      return data ?? [];
+    },
+    async setRolePermissionOverride({ role_id, resource, action, suppress }) {
+      if (suppress) {
+        const { error: error2 } = await rbac.from("role_permission_overrides").upsert(
+          { role_id, resource, action },
+          { onConflict: "role_id,resource,action" }
+        );
+        if (error2) {
+          throw new Error(`setRolePermissionOverride(insert): ${error2.message}`);
+        }
+        return;
+      }
+      const { error } = await rbac.from("role_permission_overrides").delete().eq("role_id", role_id).eq("resource", resource).eq("action", action);
+      if (error) {
+        throw new Error(`setRolePermissionOverride(delete): ${error.message}`);
+      }
+    },
     async applyTemplateDefaults({ role_id, only_missing = true }) {
       const { data, error } = await rbac.rpc("apply_template_defaults", {
         p_role_id: role_id,
@@ -368,6 +394,57 @@ function useAdminResourceDependencies() {
     [transport]
   );
 }
+function useRolePermissionOverrides(roleId) {
+  const transport = useAdminTransport();
+  const [overrides, setOverrides] = useState(() => /* @__PURE__ */ new Set());
+  const [error, setError] = useState(null);
+  const fetchOverrides = useCallback(async () => {
+    if (!roleId) {
+      setOverrides(/* @__PURE__ */ new Set());
+      return;
+    }
+    try {
+      const rows = await transport.listRolePermissionOverrides(roleId);
+      setOverrides(new Set(rows.map((r) => `${r.resource}:${r.action}`)));
+      setError(null);
+    } catch (e) {
+      setError(e instanceof Error ? e : new Error(String(e)));
+    }
+  }, [transport, roleId]);
+  useEffect(() => {
+    void fetchOverrides();
+  }, [fetchOverrides]);
+  const setOverride = useCallback(
+    async (resource, action, suppress) => {
+      if (!roleId) {
+        return;
+      }
+      const key = `${resource}:${action}`;
+      setOverrides((prev) => {
+        const next = new Set(prev);
+        if (suppress) {
+          next.add(key);
+        } else {
+          next.delete(key);
+        }
+        return next;
+      });
+      try {
+        await transport.setRolePermissionOverride({
+          role_id: roleId,
+          resource,
+          action,
+          suppress
+        });
+      } catch (e) {
+        setError(e instanceof Error ? e : new Error(String(e)));
+      }
+      void fetchOverrides();
+    },
+    [transport, roleId, fetchOverrides]
+  );
+  return { overrides, setOverride, error, refresh: fetchOverrides };
+}
 function useCreateCompany() {
   const transport = useAdminTransport();
   return useMutation(transport.createCompany);
@@ -379,6 +456,7 @@ function useInviteCompanyMember() {
 function useRolePermissionGrid(roleId) {
   const { data, isLoading, error, refresh } = useAdminRolePermissions(roleId);
   const dependencies = useAdminResourceDependencies();
+  const overridesHook = useRolePermissionOverrides(roleId);
   const setCell = useSetRolePermissionCell();
   const transport = useAdminTransport();
   const grid = useMemo(() => {
@@ -410,6 +488,7 @@ function useRolePermissionGrid(roleId) {
     for (const child of parentsByChild.keys()) {
       resources.add(child);
     }
+    const overrides = overridesHook.overrides;
     for (const resource of resources) {
       const directs = grid[resource];
       const cellOrigins = {
@@ -419,6 +498,10 @@ function useRolePermissionGrid(roleId) {
         delete: null
       };
       for (const action of ACTIONS) {
+        if (overrides.has(`${resource}:${action}`)) {
+          cellOrigins[action] = "override";
+          continue;
+        }
         if (directs?.[action]) {
           cellOrigins[action] = "direct";
           continue;
@@ -432,7 +515,7 @@ function useRolePermissionGrid(roleId) {
       out[resource] = cellOrigins;
     }
     return out;
-  }, [grid, parentsByChild]);
+  }, [grid, parentsByChild, overridesHook.overrides]);
   const updateCell = useCallback(
     async (resource, action, value) => {
       if (!roleId) {
@@ -454,8 +537,17 @@ function useRolePermissionGrid(roleId) {
     grid,
     originGrid,
     parentsByChild,
+    /** 0.6.0+. Set of `"<resource>:<action>"` for this role's overrides. */
+    overrides: overridesHook.overrides,
+    /**
+     * 0.6.0+. Suppress (`suppress=true`) or restore (`suppress=false`)
+     * an implied permission for this role. The grid + originGrid
+     * re-render with `'override'` state on the cell as soon as the
+     * optimistic flip lands.
+     */
+    setOverride: overridesHook.setOverride,
     isLoading: isLoading || dependencies.isLoading,
-    error: error ?? dependencies.error,
+    error: error ?? dependencies.error ?? overridesHook.error,
     refresh,
     updateCell,
     isUpdating: setCell.isPending,
@@ -469,16 +561,25 @@ import { useMemo as useMemo2 } from "react";
 import { Fragment, jsx as jsx2 } from "react/jsx-runtime";
 var ACTIONS2 = ["read", "write", "update", "delete"];
 function PermissionsMatrix(props) {
-  const { grid, originGrid, isLoading, error, updateCell, isUpdating } = useRolePermissionGrid(props.roleId);
+  const {
+    grid,
+    originGrid,
+    isLoading,
+    error,
+    updateCell,
+    isUpdating,
+    setOverride: gridSetOverride
+  } = useRolePermissionGrid(props.roleId);
   const groups = useMemo2(
     () => groupResources(props.resources),
     [props.resources]
   );
   const isCellEnabled = (resource, action) => {
-    if (grid[resource]?.[action]) {
-      return true;
+    const origin = originGrid[resource]?.[action];
+    if (origin == null || origin === "override") {
+      return false;
     }
-    return originGrid[resource]?.[action] != null;
+    return true;
   };
   const cellOrigin = (resource, action) => {
     const origin = originGrid[resource]?.[action];
@@ -487,11 +588,15 @@ function PermissionsMatrix(props) {
   const setCell = async (resource, action, value) => {
     await updateCell(resource, action, value);
   };
+  const setOverride = async (resource, action, suppress) => {
+    await gridSetOverride(resource, action, suppress);
+  };
   return /* @__PURE__ */ jsx2(Fragment, { children: props.children({
     groups,
     isCellEnabled,
     cellOrigin,
     setCell,
+    setOverride,
     isLoading,
     isUpdating,
     error,
@@ -636,6 +741,7 @@ export {
   useDeleteRole,
   useInviteCompanyMember,
   useRolePermissionGrid,
+  useRolePermissionOverrides,
   useSetRolePermissionCell,
   useUpdateRole
 };