Existing /.profile/access stays unchanged when called without ?path=;
the path-scoped fields are populated only when the caller passes a
URL path, so each tool can fetch its root capabilities in one round
trip and gate top-of-page affordances (transmittal Publish, tables
+Add row, browse +New folder) accordingly.
Three new fields (all omitempty so the global shape doesn't change):
- path_verbs: rwcda subset granted at the requested path under the
caller's CURRENT elevation state.
- path_is_admin: subtree-admin authority at the requested path,
again under current elevation. Distinct from "verbs include 'a'":
admin authority is WORM-bypass capability, not just .zddc edits.
- path_can_elevate_grant: verb set the caller would hold AT THIS
PATH if they elevated — empty when elevation wouldn't change
anything (already elevated, or no admin grant on chain). Drives
toast offers like "Elevate to delete this file".
Path resolution mirrors serveProfileEffectivePolicy: must start with
"/", must not escape ZDDC_ROOT. Validation failures leave the fields
empty rather than 400ing — the global view is still useful, and the
client can detect absence.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
ZDDC
477c8826a7