Per-category access overrides

The role system shipped this morning gives you forum-wide permission knobs. Sometimes that's not granular enough.

You want #announcements to be staff-only even though your Member role can otherwise post threads. You want #beta to require a Trusted role even though Member otherwise has access. You want guests to be able to read #lounge but not the rest of the forum.

That's what category access overrides are for. Open any category in admin mode and you'll see a new chip — Category access. Click it.

You get a grid: one column per role, one row per permission, grouped by capability area. Each cell has three states:

• Allow — lift the role's grant for this category specifically
• Deny — block it for this category, even if the role normally allows
• Inherit — fall back to whatever the role grants forum-wide (the default)

Deny still wins. A member who holds two roles where one allows and one denies in the same category gets denied. Same precedence rule as the global system — overrides just stack on top.

Each cell also shows the inherited state inline (↑ allow / ↑ deny / ↑ none) so you can see what you're overriding without bouncing back to the role editor.

By default the grid hides Administration, Member-management, and Ownership permissions — those are forum-wide concerns where "but only in this category" doesn't quite make sense. Hit "Show all areas" if you have a use case for them.

Saves are per-click. No save bar to remember, no batch commit — flip a cell, it's saved, done.

The schema for this has been live since the role system shipped. We deferred the editor by a day to ship the simpler forum-wide editor first. Now both are in your hands.