getbetweenrows
diff --git a/‎.claude/CLAUDE.md‎
Lines changed: 41 additions & 0 deletions b/‎.claude/CLAUDE.md‎
Lines changed: 41 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 66 additions & 33 deletions b/‎README.md‎
Lines changed: 66 additions & 33 deletions
diff --git a/‎admin-ui/CLAUDE.md‎
Lines changed: 15 additions & 0 deletions b/‎admin-ui/CLAUDE.md‎
Lines changed: 15 additions & 0 deletions
@@ -32,6 +32,47 @@ git config core.hooksPath .githooks
 
 Use `/release` to prepare the changelog, bump versions, commit, and tag. Use `/commit` for day-to-day commits.
 
+## Planning & Feature Design
+
+### Design-First, Discuss Before Building
+For any non-trivial feature, enter plan mode and work through the design iteratively with the user before writing code. Don't jump to implementation — discuss trade-offs, edge cases, and security implications first. The goal is alignment on approach before any code is written.
+
+**Planning workflow:**
+1. **Explore** — read the relevant code paths end-to-end. Understand what exists before proposing what to build.
+2. **Design** — propose the approach with concrete trade-offs. Present options with pros/cons, not just one solution.
+3. **Discuss** — ask the user targeted questions about design decisions. Don't make assumptions on ambiguous points. Use AskUserQuestion for specific choices, not open-ended "what do you think?" questions.
+4. **Harden** — after the core design is agreed, proactively ask: "What else can we improve?" Look for security gaps, edge cases, performance concerns, and missing test coverage. Iterate until the user says "enough."
+5. **Finalize** — write the plan with all decisions documented, then exit plan mode.
+
+### Test Vector Design During Planning (Non-Optional)
+Every feature plan MUST include a comprehensive test case inventory before implementation begins. Tests are designed during planning, not added as an afterthought. The test cases serve as the specification — if you can't write the test case, you don't understand the feature well enough.
+
+**Systematic test categories to cover for every feature:**
+
+| Category | What to ask | Examples |
+|----------|------------|---------|
+| **Happy path** | Does the basic flow work? | CRUD operations, expected inputs, normal usage |
+| **Attack vectors** | Can it be exploited? | SQL injection, parameter tampering, scope mismatches, privilege escalation |
+| **Deny-wins / security invariants** | Do security guarantees hold? | Deny overrides allow, deactivation blocks access, audit can't be tampered |
+| **State interactions** | How does it interact with existing features? | is_active flags, is_enabled flags, access_mode, template variables |
+| **FK cascades / data integrity** | What happens when related entities are deleted? | Delete parent → child cleanup, unique constraint violations |
+| **Cache consistency** | Do changes take effect immediately? | Mutation → cache invalidation → next query reflects change |
+| **Timing / concurrency** | What about race conditions? | Mid-session changes, concurrent mutations, rapid successive operations |
+| **Edge cases** | What about boundary conditions? | Empty sets, max lengths, zero members, duplicate entries |
+| **API validation** | Are invalid inputs rejected? | Missing fields, wrong types, out-of-range values, conflicting parameters |
+| **Audit integrity** | Are all mutations tracked? | Every CRUD op logged, correct actor, accurate before/after snapshots |
+| **Multi-entity interaction** | How do multiple instances interact? | Multiple roles, multiple datasources, overlapping policies, priority conflicts |
+| **Backward compatibility** | Does existing functionality still work? | Old API formats, migration of existing data, default values |
+
+**Test naming convention:** Group tests by category with descriptive names. Map security-relevant tests to vector numbers in `docs/permission-security-tests.md`.
+
+### Security-First Thinking
+This is a data security product. Every feature that touches access control, policy resolution, or data visibility must be evaluated through a security lens:
+- **What can an attacker do?** — enumerate bypass vectors before building defenses
+- **What breaks when state changes?** — deactivation, deletion, membership changes, policy mutations
+- **What's the blast radius?** — how many users/connections are affected by a change?
+- **Is the audit trail complete?** — can every mutation be traced back to who did it and when?
+
 ## Migrations (`migration/`)
 
 ### Rules (violations here cause hard-to-fix production incidents)
 
@@ -117,7 +117,7 @@ psql / app
     ↓  PostgreSQL wire protocol (port 5434)
 QueryProxy (Rust)
     ├─ Authenticates user (Argon2id)
-    ├─ Checks data source access (user_data_source table)
+    ├─ Checks data source access (data_source_access table — direct, role-based, or all)
     ├─ Runs query hook pipeline:
     │      ReadOnlyHook  — blocks writes (SQLSTATE 25006)
     │      PolicyHook    — row filters, column masks, column access control
@@ -147,7 +147,7 @@ Upstream PostgreSQL
 ```
 betweenrows/
 ├── Cargo.toml                        workspace root (proxy, migration crates)
-├── migration/src/                    SeaORM migrations (7 total)
+├── migration/src/                    SeaORM migrations (41 total)
 ├── docs/                             User-facing documentation
 │   ├── permission-system.md          Policy system user guide
 │   ├── permission-security-tests.md  Security test plan
@@ -159,9 +159,10 @@ betweenrows/
 │       ├── api/                      axios + fetch-event-source clients
 │       ├── auth/                     AuthContext, ProtectedRoute, LoginPage
 │       ├── components/               Layout, DataSourceForm, CatalogDiscoveryWizard,
-│       │                             PolicyForm, PolicyAssignmentPanel, …
+│       │                             PolicyForm, PolicyAssignmentPanel, RoleForm,
+│       │                             RoleMemberPanel, RoleInheritancePanel, AuditTimeline, …
 │       ├── pages/                    Users*, DataSources*, DataSourceCatalogPage,
-│       │                             Policies*, QueryAuditPage
+│       │                             Policies*, Roles*, QueryAuditPage
 │       └── types/                    TypeScript interfaces
 └── proxy/src/
     ├── main.rs                       entry point: CLI, DB init, EngineCache, servers
@@ -170,11 +171,14 @@ betweenrows/
     ├── auth.rs                       Argon2 auth, user creation
     ├── crypto.rs                     AES-256-GCM encrypt/decrypt
     ├── admin/                        REST API: mod, dto, jwt, handlers, discovery_job,
-    │                                 policy_handlers, audit_handlers, policy_yaml
+    │                                 policy_handlers, role_handlers, audit_handlers,
+    │                                 admin_audit
     ├── discovery/                    DiscoveryProvider trait + Postgres impl
-    ├── entity/                       SeaORM entities (proxy_user, data_source, policy,
-    │                                 policy_assignment, policy_version,
-    │                                 query_audit_log, …)
+    ├── entity/                       SeaORM entities (proxy_user, data_source, role,
+    │                                 role_member, role_inheritance, data_source_access,
+    │                                 policy, policy_assignment, policy_version,
+    │                                 admin_audit_log, query_audit_log, …)
+    ├── role_resolver.rs              BFS role resolution, cycle detection, effective assignments
     ├── engine/mod.rs                 EngineCache, VirtualCatalogProvider, build_arrow_schema()
     └── hooks/                        QueryHook trait, ReadOnlyHook, PolicyHook
 ```
@@ -301,16 +305,16 @@ After authentication succeeds in `handler.rs`, a background task pre-builds the
 Access control is enforced **before** any query reaches the engine:
 
 1. `validate_data_source()` — datasource must exist and be active
-2. `check_access(user_id, datasource_name)` — user must have an explicit `user_data_source` row
+2. `check_access(user_id, datasource_name)` — user must have access via `data_source_access` (direct, role-based, or all-scoped)
 3. If either check fails → `FATAL` PG error, connection rejected before `get_ctx()` is ever called
 
 ### Why the Shared Pool Is Safe
 
 The upstream connection pool carries **no user identity** — it is pure TCP connectivity to the upstream Postgres server. All identity and access decisions are made at the pgwire auth layer (steps 1–2 above), not at the pool layer.
 
 Per-user isolation is enforced by:
-- **Data plane** — `user_data_source` allowlist (no row → connection rejected)
-- **RLS hook** — per-query `WHERE tenant = '<value>'` filter injected via DataFusion's logical plan tree, based on the authenticated user's tenant metadata
+- **Data plane** — `data_source_access` allowlist (no matching row → connection rejected). Access can be granted directly to a user, via role membership (including inherited roles), or to all users.
+- **Policy hook** — per-query row filters, column masks, and access controls injected via DataFusion's logical plan tree, based on the authenticated user's policy assignments (direct, role-based, or wildcard)
 - **Virtual catalog** — the stored catalog is an allowlist; tables/columns not explicitly saved are invisible to the engine
 
 The shared pool is safe for all authorized users of a datasource: Pool = "how to talk to upstream". Auth + RLS = "what this user can see". These are orthogonal.
@@ -328,16 +332,16 @@ QueryProxy enforces a two-layer access control model:
 **Management plane** — controlled by `is_admin` flag. Admins manage users, data sources, policies, and catalogs via the Admin API. Non-admins have no Admin API access.
 
 **Data plane** — controlled by two independent mechanisms:
-1. *Connection access* — explicit `user_data_source` assignment. A user can only connect to a datasource with an explicit row. Being an admin does **not** automatically grant data plane access.
-2. *Query policy* — `PolicyHook` applies row filters, column masks, and column access controls per-query based on assigned policies. If the datasource `access_mode` is `"policy_required"`, tables with no matching permit policy return empty results.
+1. *Connection access* — `data_source_access` entries. A user can connect to a datasource via direct assignment, role membership (including inherited roles), or all-user scope. Being an admin does **not** automatically grant data plane access.
+2. *Query policy* — `PolicyHook` applies row filters, column masks, and column access controls per-query based on assigned policies (direct, role-based, or all-scoped). If the datasource `access_mode` is `"policy_required"`, tables with no matching permit policy return empty results.
 
 See `docs/permission-system.md` for the full policy system user guide.
 
 Connection flow:
 1. Client connects: `psql -d <datasource_name> -U <username>`
 2. Proxy authenticates (Argon2id)
 3. Proxy validates data source exists and is active
-4. Proxy checks `user_data_source` — denied if no row
+4. Proxy checks `data_source_access` — denied if no matching row (direct, role, or all scope)
 5. Background task pre-warms `SessionContext` + pool
 6. First query: fast path — context and pool already ready
 
@@ -377,7 +381,24 @@ All endpoints require `Authorization: Bearer <token>` (obtained from `/auth/logi
 | DELETE | `/datasources/{id}` | Delete data source |
 | POST | `/datasources/{id}/test` | Test upstream connection |
 | GET | `/datasources/{id}/users` | List assigned users |
-| PUT | `/datasources/{id}/users` | Replace user assignments |
+| PUT | `/datasources/{id}/users` | Replace user assignments (user-scoped access) |
+| PUT | `/datasources/{id}/access/roles` | Set role-based access `{ role_ids: [uuid] }` |
+
+### Roles
+
+| Method | Path | Description |
+|--------|------|-------------|
+| GET | `/roles` | List roles (paginated, searchable) |
+| POST | `/roles` | Create role `{ name, description? }` |
+| GET | `/roles/{id}` | Get role + members + inheritance + policy assignments |
+| PUT | `/roles/{id}` | Update name/description/is_active |
+| DELETE | `/roles/{id}` | Delete role → returns impact `{ affected_users, affected_assignments }` |
+| GET | `/roles/{id}/effective-members` | All users inheriting policies (direct + inherited), with source |
+| GET | `/roles/{id}/impact` | Preview impact of deleting this role |
+| POST | `/roles/{id}/members` | Add members `{ user_ids: [uuid] }` |
+| DELETE | `/roles/{id}/members/{user_id}` | Remove member |
+| POST | `/roles/{id}/parents` | Add parent `{ parent_role_id }` (cycle detection + depth check) |
+| DELETE | `/roles/{id}/parents/{parent_id}` | Remove parent |
 
 ### Catalog Discovery
 
@@ -431,14 +452,21 @@ All policy endpoints require admin (`is_admin = true`).
 | GET | `/policies/export` | Export all policies as YAML |
 | POST | `/policies/import` | Import YAML (`?dry_run=true` to preview) |
 | GET | `/datasources/{id}/policies` | List policy assignments for datasource |
-| POST | `/datasources/{id}/policies` | Assign policy to datasource (optionally scoped to a user) |
+| POST | `/datasources/{id}/policies` | Assign policy to datasource (scope: user/role/all) |
 | DELETE | `/datasources/{id}/policies/{assignment_id}` | Remove assignment |
 
 ### Audit Log
 
 | Method | Path | Description |
 |--------|------|-------------|
-| GET | `/audit/queries` | Paginated query audit log (filter by user, datasource, date range) |
+| GET | `/audit/queries` | Paginated query audit log (filter by user, datasource, date range, status) |
+| GET | `/audit/admin` | Paginated admin audit log (filter by resource_type, resource_id, actor_id, date range) |
+
+### Effective Policies
+
+| Method | Path | Description |
+|--------|------|-------------|
+| GET | `/users/{id}/effective-policies?datasource_id=X` | All policies applying to user (with source annotation) |
 
 ## Catalog Workflow
 
@@ -458,21 +486,26 @@ The catalog is an **allowlist** — the proxy can never expose tables or columns
 All primary keys are UUIDs. The admin store uses SQLite by default (configurable via `DATABASE_URL`).
 
 ```
-proxy_user        (id UUID, username, password_hash, tenant, is_admin, is_active, …)
-data_source       (id UUID, name, ds_type, config JSON, secure_config encrypted,
-                   is_active, access_mode, last_sync_at, last_sync_result, …)
-user_data_source  (id UUID, user_id → proxy_user, data_source_id → data_source)
-discovered_schema (id UUID v5, data_source_id, schema_name, is_selected)
-discovered_table  (id UUID v5, discovered_schema_id, table_name, table_type, is_selected)
-discovered_column (id UUID v5, discovered_table_id, column_name, ordinal_position,
-                   data_type, is_nullable, column_default, arrow_type)
-
-policy            (id UUID v7, name, description, policy_type, is_enabled, version, targets JSON, definition JSON, …)
-policy_version    (id UUID v7, policy_id, version, snapshot JSON, change_type, changed_by)
-policy_assignment (id UUID v7, policy_id, data_source_id, user_id?, priority)
-query_audit_log   (id UUID v7, user_id, username, data_source_id, datasource_name,
-                   original_query, rewritten_query, policies_applied JSON,
-                   execution_time_ms, client_ip, client_info, created_at)
+proxy_user         (id UUID, username, password_hash, tenant, is_admin, is_active, …)
+data_source        (id UUID, name, ds_type, config JSON, secure_config encrypted,
+                    is_active, access_mode, last_sync_at, last_sync_result, …)
+data_source_access (id UUID, user_id?, role_id?, data_source_id, assignment_scope, …)
+role               (id UUID, name UNIQUE, description, is_active, …)
+role_member        (id UUID, role_id → role, user_id → proxy_user)
+role_inheritance   (id UUID, parent_role_id → role, child_role_id → role)
+discovered_schema  (id UUID v5, data_source_id, schema_name, is_selected)
+discovered_table   (id UUID v5, discovered_schema_id, table_name, table_type, is_selected)
+discovered_column  (id UUID v5, discovered_table_id, column_name, ordinal_position,
+                    data_type, is_nullable, column_default, arrow_type)
+
+policy             (id UUID v7, name, description, policy_type, is_enabled, version, targets JSON, definition JSON, …)
+policy_version     (id UUID v7, policy_id, version, snapshot JSON, change_type, changed_by)
+policy_assignment  (id UUID v7, policy_id, data_source_id, user_id?, role_id?,
+                    assignment_scope, priority)
+admin_audit_log    (id UUID v7, resource_type, resource_id, action, actor_id, changes JSON, created_at)
+query_audit_log    (id UUID v7, user_id, username, data_source_id, datasource_name,
+                    original_query, rewritten_query, policies_applied JSON,
+                    execution_time_ms, client_ip, client_info, created_at)
 ```
 
 Catalog entity IDs (schemas, tables, columns) are deterministic UUID v5 fingerprints derived from their natural keys. Re-discovering the same upstream object always produces the same ID, so re-syncs are safe upserts.
@@ -481,6 +514,6 @@ Catalog entity IDs (schemas, tables, columns) are deterministic UUID v5 fingerpr
 
 ```bash
 cargo build -p proxy          # compile
-cargo test -p proxy           # run tests (101 unit tests)
+cargo test -p proxy           # run tests (213 unit tests + integration tests)
 cd admin-ui && npm run build  # production UI bundle
 ```
@@ -6,8 +6,23 @@ React 19, Vite 6, Tailwind 4, TanStack Query 5, react-router-dom 7, Vitest 3, @t
 ## Key Files
 - `vite.config.ts` — proxies `/api` → `http://localhost:5435`
 - `src/api/client.ts` — axios instance with JWT interceptor and 401 redirect
+- `src/api/roles.ts` — Role CRUD, member management, inheritance, datasource role access
+- `src/api/adminAudit.ts` — Admin audit log queries
 - `src/auth/AuthContext.tsx` — `AuthProvider`, `useAuth`, localStorage-backed token/user
 - `src/components/CatalogDiscoveryWizard.tsx` — 4-step discovery wizard (schemas → tables → columns → save)
+- `src/components/RoleForm.tsx` — Reusable role name + description form
+- `src/components/RoleMemberPanel.tsx` — Effective member list (direct + inherited with source badges), add/remove for direct members
+- `src/components/RoleInheritancePanel.tsx` — Parent/child role management with cycle detection feedback
+- `src/components/RoleAccessPanel.tsx` — Checkbox-based role access panel for datasource edit page
+- `src/components/AuditTimeline.tsx` — Reusable admin audit timeline (used on role/user/policy/datasource detail pages)
+- `src/utils/auditBadge.ts` — Shared `actionBadgeClass()` for audit action badge styling (used by AuditTimeline + AdminAuditPage)
+- `src/components/PolicyAssignmentPanel.tsx` — Three components: `PolicyAssignmentsReadonly`, `PolicyAssignmentEditPanel` (with scope selector: all/user/role), `DatasourceAssignmentsReadonly`
+- `src/pages/RolesListPage.tsx` — Paginated list with search, member counts, active/inactive badges
+- `src/pages/RoleCreatePage.tsx` — Create form
+- `src/pages/RoleEditPage.tsx` — Tabbed view (Details, Members, Inheritance, Data Sources, Policies, Activity)
+- `src/pages/AdminAuditPage.tsx` — Centralized admin audit log with filters (resource type, actor, date range)
+- `src/types/policy.ts` — TypeScript interfaces for policies, assignments (`PolicyType`, `AssignmentScope`, `TargetEntry`)
+- `src/types/role.ts` — TypeScript interfaces for roles, members, audit entries
 - `src/test/test-utils.tsx` — `renderWithProviders` (QueryClient + AuthProvider + MemoryRouter)
 - `src/test/factories.ts` — `makeUser`, `makeDataSource`, `makeDataSourceType`, `makeDiscoveredSchema/Table/Column`