feat: show effective permissions + roles per location in the browse hovercard

Hovering a folder/file now shows "Your permissions" (the rwcda verbs you
hold there) and "Your roles" (the cascade roles you're a member of at that
location — e.g. document_controller, project_team). Roles are cascade-
scoped, so they can differ by location; this answers "does the system think
I'm a document_controller here?".

- server: RolesForPrincipalInChain(chain, email) resolves the caller's role
  memberships at a path (honouring fences/resets, incl. embedded standard
  roles); /.profile/access?path= now returns path_roles alongside path_verbs.
- browse hovercard: "Your permissions" from node.verbs (sync); "Your roles"
  async-filled from /.profile/access?path= via zddc.cap.at (memoised).
  Offline mode shows "local folder (filesystem)" and no roles row.

Tests: RolesForPrincipalInChain unit tests (member union, wildcard members,
non-member, fence-hides-ancestor-role, empty email).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

browse/js/hovercard.js

@@ -89,6 +89,24 @@
         return 'File';
     }
 
+    var VERB_NAMES = { r: 'read', w: 'write', c: 'create', d: 'delete', a: 'admin' };
+    function verbsLabel(verbs) {
+        return ['r', 'w', 'c', 'd', 'a']
+            .filter(function (v) { return verbs.indexOf(v) !== -1; })
+            .map(function (v) { return VERB_NAMES[v]; })
+            .join(', ');
+    }
+    // permsValue renders the per-entry verb set the principal holds here.
+    // Server mode: node.verbs ("rwcda" subset). Offline (FS-API) mode has
+    // no ACL — access is whatever the filesystem grants.
+    function permsValue(verbs) {
+        if (typeof verbs !== 'string') {
+            return state.source === 'fs' ? 'local folder (filesystem)' : 'unknown';
+        }
+        if (!verbs) return 'none (read-only)';
+        return verbsLabel(verbs) + ' (' + verbs + ')';
+    }
+
     function buildRowsHtml(node) {
         var tree = window.app.modules.tree;
         var z = window.zddc;
@@ -147,6 +165,18 @@
         if (node.modTime) html += kv('Modified', fmtDate(node.modTime));
         if (node.virtual) html += kv('Virtual', 'Not yet created on disk');
 
+        // ── Effective access for the current principal at this location ──
+        // "Your permissions" is the per-entry verb set (sync, from the
+        // listing). "Your roles" is cascade-scoped — it can differ by
+        // location — so it needs a path-scoped fetch; render a placeholder
+        // that fillRoles() updates once /.profile/access?path= resolves.
+        html += '<div class="tree-hovercard__sep"></div>';
+        html += kv('Your permissions', permsValue(node.verbs));
+        if (state.source === 'server') {
+            html += '<span class="tree-hovercard__key">Your roles</span>'
+                + '<span class="tree-hovercard__val" id="hc-roles">…</span>';
+        }
+
         // Path comes last (longest, most likely to wrap).
         var path = tree ? tree.pathFor(node) : '';
         if (path) html += kv('Path', path, true);
@@ -239,6 +269,25 @@
         render(node);
         position(row);
         card.classList.add('is-visible');
+        fillRoles(row, node);
+    }
+
+    // Async-fill the "Your roles" row from the path-scoped access view
+    // (zddc.cap.at memoises per path, so repeat hovers are instant).
+    // Bails if the card has moved to another row before the fetch lands.
+    async function fillRoles(row, node) {
+        if (state.source !== 'server') return;
+        if (!window.zddc || !window.zddc.cap) return;
+        var tree = window.app.modules.tree;
+        var path = tree ? tree.pathFor(node) : '';
+        if (!path) return;
+        var view;
+        try { view = await window.zddc.cap.at(path); } catch (_e) { return; }
+        if (currentRow !== row) return;
+        var el = card && card.querySelector('#hc-roles');
+        if (!el) return;
+        var roles = (view && Array.isArray(view.path_roles)) ? view.path_roles : [];
+        el.textContent = roles.length ? roles.join(', ') : 'none';
     }
 
     function init() {

zddc/internal/handler/profilehandler.go

@@ -175,6 +175,12 @@ type AccessView struct {
 	PathVerbs           string `json:"path_verbs,omitempty"`
 	PathIsAdmin         bool   `json:"path_is_admin,omitempty"`
 	PathCanElevateGrant string `json:"path_can_elevate_grant,omitempty"`
+	// PathRoles is the set of cascade roles the caller belongs to AT
+	// THIS PATH (e.g. ["document_controller", "project_team"]). Roles
+	// are cascade-scoped, so this can differ between locations — it's
+	// the "which roles do I hold here?" answer the browse hovercard
+	// surfaces. Elevation-independent (role membership, not admin).
+	PathRoles []string `json:"path_roles,omitempty"`
 }
 
 // enumerateAccess builds an AccessView for the given caller. Used by the
@@ -241,6 +247,9 @@ func populatePathScopedAccess(ctx context.Context, decider policy.Decider, cfg c
 	verbs := policy.EffectiveVerbsFromChainP(ctx, decider, chain, p, pathQuery)
 	view.PathVerbs = verbs.String()
 	view.PathIsAdmin = p.Elevated && p.Email != "" && zddc.IsAdminForChain(chain, p.Email)
+	// Which cascade roles the caller holds at this path — the answer to
+	// "the system thinks I'm a document_controller here, right?".
+	view.PathRoles = zddc.RolesForPrincipalInChain(chain, p.Email)
 	// would_elevate_grant: only meaningful when (a) the caller isn't
 	// already elevated and (b) elevation would actually change the
 	// verb set. Avoid noise — an empty value tells the client there

zddc/internal/zddc/roles.go

@@ -215,3 +215,43 @@ func MatchingPrincipals(chain PolicyChain, levelIdx int, email string) []string
 	sort.Strings(out)
 	return out
 }
+
+// RolesForPrincipalInChain returns the sorted, de-duplicated role names
+// that email is a member of, as roles resolve at the chain's leaf level —
+// honouring inherit:false fences and role resets via MatchesPrincipal.
+// Role names declared anywhere in the visible chain OR in the embedded
+// defaults are considered (so a standard role like document_controller
+// that ships empty but gains members from an on-disk .zddc is reported).
+// Returns nil for an empty email or empty chain.
+//
+// This is "which roles do I hold HERE" — roles are cascade-scoped, so the
+// answer can differ between locations. The file handler surfaces it via
+// /.profile/access?path=… (AccessView.PathRoles).
+func RolesForPrincipalInChain(chain PolicyChain, email string) []string {
+	if email == "" || len(chain.Levels) == 0 {
+		return nil
+	}
+	leaf := len(chain.Levels) - 1
+	seen := make(map[string]struct{})
+	var out []string
+	consider := func(name string) {
+		if _, dup := seen[name]; dup {
+			return
+		}
+		seen[name] = struct{}{}
+		if MatchesPrincipal(name, email, chain, leaf) {
+			out = append(out, name)
+		}
+	}
+	floor := chain.VisibleStart(leaf)
+	for i := leaf; i >= floor; i-- {
+		for name := range chain.Levels[i].Roles {
+			consider(name)
+		}
+	}
+	for name := range chain.Embedded.Roles {
+		consider(name)
+	}
+	sort.Strings(out)
+	return out
+}

zddc/internal/zddc/roles_test.go

@@ -163,3 +163,61 @@ func TestMatchesPrincipalRoleNamePrefersRole(t *testing.T) {
 		t.Errorf("rep@other.com should NOT match role vendor_acme — fallback to pattern would wrongly succeed")
 	}
 }
+
+func sameStrs(a, b []string) bool {
+	if len(a) != len(b) {
+		return false
+	}
+	for i := range a {
+		if a[i] != b[i] {
+			return false
+		}
+	}
+	return true
+}
+
+// TestRolesForPrincipalInChain — "which roles do I hold here?" honours
+// member unions across the visible chain, wildcard members, and reports
+// nothing for non-members / empty email. Output is sorted.
+func TestRolesForPrincipalInChain(t *testing.T) {
+	chain := buildChain(
+		ZddcFile{
+			Roles: map[string]Role{
+				"document_controller": {Members: []string{"dc@example.com"}},
+				"project_team":        {Members: []string{"*@example.com"}},
+			},
+			ACL: aclOpen(map[string]string{"*@example.com": "r"}),
+		},
+		// A deeper level adds another DC; the root members still union in.
+		ZddcFile{
+			Roles: map[string]Role{
+				"document_controller": {Members: []string{"vendor-dc@example.com"}},
+			},
+		},
+	)
+
+	if got := RolesForPrincipalInChain(chain, "dc@example.com"); !sameStrs(got, []string{"document_controller", "project_team"}) {
+		t.Errorf("dc: got %v, want [document_controller project_team]", got)
+	}
+	if got := RolesForPrincipalInChain(chain, "alice@example.com"); !sameStrs(got, []string{"project_team"}) {
+		t.Errorf("alice: got %v, want [project_team]", got)
+	}
+	if got := RolesForPrincipalInChain(chain, "x@other.com"); len(got) != 0 {
+		t.Errorf("outsider: got %v, want none", got)
+	}
+	if got := RolesForPrincipalInChain(chain, ""); got != nil {
+		t.Errorf("empty email: got %v, want nil", got)
+	}
+}
+
+// A role defined above an inherit:false fence is invisible below it, so
+// membership there reports no such role.
+func TestRolesForPrincipalInChain_FenceHidesAncestorRole(t *testing.T) {
+	chain := buildChain(
+		ZddcFile{Roles: map[string]Role{"document_controller": {Members: []string{"dc@example.com"}}}},
+		ZddcFile{ACL: aclFenced(map[string]string{"*@vendor.com": "rwcd"}, false)},
+	)
+	if got := RolesForPrincipalInChain(chain, "dc@example.com"); len(got) != 0 {
+		t.Errorf("role above fence must be invisible below it; got %v", got)
+	}
+}