Built-in Roles & permissions admin screen (todo §5); /admin/roles list (search/sort/paginate) + create/delete + assign-to-users/groups + "effective access" (Keto expand → transitive members), writing only to Keto — gated admin-only + CSRF-guarded like Users/Groups (Kratos read only to label members). A role = Keto subject set Role:<name>#members; reuses the Groups membership helpers (now-exported pagedTuples/memberCandidates/safeDecode); added a Roles nav entry (i-shield) + a .plain-list CSS rule. Stability-reviewer run as a local PR: APPROVE, no Critical/High; addressed its explicit-expand-depth nit. Live boot-verify caught a real bug the tests missed — Keto v26.2.0 nests the expand subject under tuple (not node top-level as the §4 ExpandTree type guessed), so expandToEffectiveUsers returned []; fixed type+walker+fixtures, re-verified a group-only member surfaces in effective access. 237→243 units + typecheck green; expand chain boot-verified live then torn down.

src/keto-client.ts

@@ -30,12 +30,12 @@ export interface RelationList {
   tuples: RelationTuple[];
 }
 
-// Keto's expand tree: a node is a set operation (union/…) or a leaf, with the resolved
-// subject(s). Shape kept loose — callers walk it as needed (§5 "effective access" view).
+// Keto's expand tree: a node is a set operation (union/…) or a leaf. The resolved subject
+// (subject_id xor subject_set) rides on `tuple`, not the node itself — verified against Keto
+// v26.2.0. A `subject_set` node carries its members as `children` (§5 "effective access" view).
 export interface ExpandTree {
   children?: ExpandTree[];
-  subject_id?: string;
-  subject_set?: SubjectSet;
+  tuple?: RelationTuple;
   type: string;
 }