From 715c6054a9e0b2f3e2bf59a9fe49b2323d7724b3 Mon Sep 17 00:00:00 2001
From: Charlie Park <charlie@oxidecomputer.com>
Date: Fri, 31 Oct 2025 05:37:46 -0700
Subject: [PATCH 01/25] Bump Omicron version and add limited_collaborator role

---
 OMICRON_VERSION                       | 2 +-
 app/api/__generated__/Api.ts          | 6 +++---
 app/api/__generated__/OMICRON_VERSION | 2 +-
 app/api/__generated__/validate.ts     | 4 ++--
 app/api/roles.spec.ts                 | 2 +-
 app/api/roles.ts                      | 3 ++-
 app/forms/access-util.tsx             | 5 ++++-
 app/util/access.ts                    | 1 +
 mock-api/msw/handlers.ts              | 9 ++++++++-
 mock-api/msw/util.ts                  | 3 ++-
 10 files changed, 25 insertions(+), 12 deletions(-)

diff --git a/OMICRON_VERSION b/OMICRON_VERSION
index 542956ae1b..65554c7f10 100644
--- a/OMICRON_VERSION
+++ b/OMICRON_VERSION
@@ -1 +1 @@
-9617f40aa6f35b58ffd6b4e92c02ba8e7dd95033
+ceaeadcdcd83c3bfa2e22736c0c4803280bef59f
diff --git a/app/api/__generated__/Api.ts b/app/api/__generated__/Api.ts
index 1697a6c0a7..72bbed88ff 100644
--- a/app/api/__generated__/Api.ts
+++ b/app/api/__generated__/Api.ts
@@ -3297,7 +3297,7 @@ export type ProjectResultsPage = {
   nextPage?: string | null
 }
 
-export type ProjectRole = 'admin' | 'collaborator' | 'viewer'
+export type ProjectRole = 'admin' | 'collaborator' | 'limited_collaborator' | 'viewer'
 
 /**
  * Describes the assignment of a particular role on a particular resource to a particular identity (user, group, etc.)
@@ -3738,7 +3738,7 @@ export type SiloResultsPage = {
   nextPage?: string | null
 }
 
-export type SiloRole = 'admin' | 'collaborator' | 'viewer'
+export type SiloRole = 'admin' | 'collaborator' | 'limited_collaborator' | 'viewer'
 
 /**
  * Describes the assignment of a particular role on a particular resource to a particular identity (user, group, etc.)
@@ -10110,7 +10110,7 @@ export class Api extends HttpClient {
       })
     },
     /**
-     * Fetch system release repository description by version
+     * Fetch system release repository by version
      */
     systemUpdateRepositoryView: (
       { path }: { path: SystemUpdateRepositoryViewPathParams },
diff --git a/app/api/__generated__/OMICRON_VERSION b/app/api/__generated__/OMICRON_VERSION
index c5a25f06b0..dedfb3ec7e 100644
--- a/app/api/__generated__/OMICRON_VERSION
+++ b/app/api/__generated__/OMICRON_VERSION
@@ -1,2 +1,2 @@
 # generated file. do not update manually. see docs/update-pinned-api.md
-9617f40aa6f35b58ffd6b4e92c02ba8e7dd95033
+ceaeadcdcd83c3bfa2e22736c0c4803280bef59f
diff --git a/app/api/__generated__/validate.ts b/app/api/__generated__/validate.ts
index f7a6949eaa..a1af9104e7 100644
--- a/app/api/__generated__/validate.ts
+++ b/app/api/__generated__/validate.ts
@@ -3056,7 +3056,7 @@ export const ProjectResultsPage = z.preprocess(
 
 export const ProjectRole = z.preprocess(
   processResponseBody,
-  z.enum(['admin', 'collaborator', 'viewer'])
+  z.enum(['admin', 'collaborator', 'limited_collaborator', 'viewer'])
 )
 
 /**
@@ -3438,7 +3438,7 @@ export const SiloResultsPage = z.preprocess(
 
 export const SiloRole = z.preprocess(
   processResponseBody,
-  z.enum(['admin', 'collaborator', 'viewer'])
+  z.enum(['admin', 'collaborator', 'limited_collaborator', 'viewer'])
 )
 
 /**
diff --git a/app/api/roles.spec.ts b/app/api/roles.spec.ts
index 81b6418f4f..e8b44c6381 100644
--- a/app/api/roles.spec.ts
+++ b/app/api/roles.spec.ts
@@ -157,5 +157,5 @@ test('byGroupThenName sorts as expected', () => {
 })
 
 test('allRoles', () => {
-  expect(allRoles).toEqual(['admin', 'collaborator', 'viewer'])
+  expect(allRoles).toEqual(['admin', 'collaborator', 'limited_collaborator', 'viewer'])
 })
diff --git a/app/api/roles.ts b/app/api/roles.ts
index e5c9125382..8c7467dcd1 100644
--- a/app/api/roles.ts
+++ b/app/api/roles.ts
@@ -33,7 +33,8 @@ const flatRoles = (roleOrder: Record<RoleKey, number>): RoleKey[] =>
 export const roleOrder: Record<RoleKey, number> = {
   collaborator: 1,
   admin: 0,
-  viewer: 2,
+  viewer: 3,
+  limited_collaborator: 2,
 }
 
 /** `roleOrder` record converted to a sorted array of roles. */
diff --git a/app/forms/access-util.tsx b/app/forms/access-util.tsx
index cff6f0ee33..26d30fcee1 100644
--- a/app/forms/access-util.tsx
+++ b/app/forms/access-util.tsx
@@ -27,7 +27,10 @@ export const defaultValues: AddUserValues = {
   roleName: '',
 }
 
-export const roleItems = allRoles.map((role) => ({ value: role, label: capitalize(role) }))
+export const roleItems = allRoles.map((role) => ({
+  value: role,
+  label: role.split('_').map(capitalize).join(' '),
+}))
 
 export const actorToItem = (actor: Actor): ListboxItem => ({
   value: actor.id,
diff --git a/app/util/access.ts b/app/util/access.ts
index e70ec007c0..0e7b374cde 100644
--- a/app/util/access.ts
+++ b/app/util/access.ts
@@ -18,5 +18,6 @@ export const identityTypeLabel: Record<IdentityType, string> = {
 export const roleColor: Record<RoleKey, BadgeColor> = {
   admin: 'default',
   collaborator: 'purple',
+  limited_collaborator: 'purple',
   viewer: 'blue',
 }
diff --git a/mock-api/msw/handlers.ts b/mock-api/msw/handlers.ts
index 0a2c996ec9..f496ac207b 100644
--- a/mock-api/msw/handlers.ts
+++ b/mock-api/msw/handlers.ts
@@ -22,6 +22,7 @@ import {
   type AffinityGroupMember,
   type AntiAffinityGroupMember,
   type ApiTypes as Api,
+  type FleetRole,
   type InstanceDiskAttachment,
   type SamlIdentityProvider,
 } from '@oxide/api'
@@ -1626,9 +1627,15 @@ export const handlers = makeHandlers({
   systemPolicyView({ cookies }) {
     requireFleetViewer(cookies)
 
+    const fleetRoles: FleetRole[] = ['admin', 'collaborator', 'viewer']
     const role_assignments = db.roleAssignments
       .filter((r) => r.resource_type === 'fleet' && r.resource_id === FLEET_ID)
-      .map((r) => R.pick(r, ['identity_id', 'identity_type', 'role_name']))
+      .filter((r) => fleetRoles.includes(r.role_name as FleetRole))
+      .map((r) => ({
+        identity_id: r.identity_id,
+        identity_type: r.identity_type,
+        role_name: r.role_name as FleetRole,
+      }))
 
     return { role_assignments }
   },
diff --git a/mock-api/msw/util.ts b/mock-api/msw/util.ts
index 741d99733a..1ce6acdc18 100644
--- a/mock-api/msw/util.ts
+++ b/mock-api/msw/util.ts
@@ -304,7 +304,8 @@ export function currentUser(cookies: Record<string, string>): Json<User> {
 // could implement with `takeUntil(allRoles, r => r === role)`, but that is so
 // much harder to understand
 const roleOrStronger: Record<RoleKey, RoleKey[]> = {
-  viewer: ['viewer', 'collaborator', 'admin'],
+  viewer: ['viewer', 'limited_collaborator', 'collaborator', 'admin'],
+  limited_collaborator: ['limited_collaborator', 'collaborator', 'admin'],
   collaborator: ['collaborator', 'admin'],
   admin: ['admin'],
 }

From 2a6079ff6eaec5afb90de81da4a43bf4e88f2781 Mon Sep 17 00:00:00 2001
From: Charlie Park <charlie@oxidecomputer.com>
Date: Fri, 31 Oct 2025 07:12:14 -0700
Subject: [PATCH 02/25] Add restriction in MSW around VPC creation and add
 tests

---
 mock-api/msw/handlers.ts    |  3 ++-
 mock-api/role-assignment.ts |  9 ++++++-
 test/e2e/vpcs.e2e.ts        | 50 ++++++++++++++++++++++++++++++++++++-
 3 files changed, 59 insertions(+), 3 deletions(-)

diff --git a/mock-api/msw/handlers.ts b/mock-api/msw/handlers.ts
index f496ac207b..b6995b6f22 100644
--- a/mock-api/msw/handlers.ts
+++ b/mock-api/msw/handlers.ts
@@ -1155,8 +1155,9 @@ export const handlers = makeHandlers({
     const vpcs = db.vpcs.filter((v) => v.project_id === project.id)
     return paginated(query, vpcs)
   },
-  vpcCreate({ body, query }) {
+  vpcCreate({ body, query, cookies }) {
     const project = lookup.project(query)
+    requireRole(cookies, 'project', project.id, 'collaborator')
     errIfExists(db.vpcs, { name: body.name, project_id: project.id })
 
     const newVpc: Json<Api.Vpc> = {
diff --git a/mock-api/role-assignment.ts b/mock-api/role-assignment.ts
index 3fcf4c4e79..bc28a950b7 100644
--- a/mock-api/role-assignment.ts
+++ b/mock-api/role-assignment.ts
@@ -9,7 +9,7 @@ import { FLEET_ID, type IdentityType, type RoleKey } from '@oxide/api'
 
 import { project } from './project'
 import { defaultSilo } from './silo'
-import { user1, user3, user5 } from './user'
+import { user1, user2, user3, user5 } from './user'
 import { userGroup2, userGroup3 } from './user-group'
 
 // For most other resources, we can store the API types directly in the DB. But
@@ -72,4 +72,11 @@ export const roleAssignments: DbRoleAssignment[] = [
     identity_type: 'silo_group',
     role_name: 'viewer',
   },
+  {
+    resource_type: 'project',
+    resource_id: project.id,
+    identity_id: user2.id, // Hans Jonas
+    identity_type: 'silo_user',
+    role_name: 'limited_collaborator',
+  },
 ]
diff --git a/test/e2e/vpcs.e2e.ts b/test/e2e/vpcs.e2e.ts
index fc8aff4c6d..85ab10877c 100644
--- a/test/e2e/vpcs.e2e.ts
+++ b/test/e2e/vpcs.e2e.ts
@@ -7,7 +7,7 @@
  */
 import { expect, test } from '@playwright/test'
 
-import { clickRowAction, expectRowVisible, selectOption } from './utils'
+import { clickRowAction, expectRowVisible, getPageAsUser, selectOption } from './utils'
 
 test('can nav to VpcPage from /', async ({ page }) => {
   await page.goto('/')
@@ -414,3 +414,51 @@ test('internet gateway shows proper list of routes targeting it', async ({ page
     '/projects/mock-project/vpcs/mock-vpc/routers/mock-custom-router'
   )
 })
+
+test('collaborator can create VPC', async ({ browser }) => {
+  const page = await getPageAsUser(browser, 'Jacob Klein')
+  await page.goto('/projects/mock-project/vpcs')
+
+  const table = page.getByRole('table')
+
+  // Create a new VPC
+  await page.getByRole('link', { name: 'New Vpc' }).click()
+  await page.getByRole('textbox', { name: 'Name', exact: true }).fill('collab-test-vpc')
+  await page.getByRole('textbox', { name: 'DNS name' }).fill('collab-test-vpc')
+  await page.getByRole('button', { name: 'Create VPC' }).click()
+
+  // Should succeed and navigate to the VPC detail page
+  await expect(page.getByRole('heading', { name: 'collab-test-vpc' })).toBeVisible()
+  await expect(page.getByRole('tab', { name: 'Firewall Rules' })).toBeVisible()
+
+  // Navigate back to VPCs list to verify it was created
+  const breadcrumbs = page.getByRole('navigation', { name: 'Breadcrumbs' })
+  await breadcrumbs.getByRole('link', { name: 'VPCs' }).click()
+
+  await expectRowVisible(table, {
+    name: 'collab-test-vpc',
+    'DNS name': 'collab-test-vpc',
+  })
+})
+
+test('limited collaborator cannot create VPC', async ({ browser }) => {
+  const page = await getPageAsUser(browser, 'Hans Jonas')
+  await page.goto('/projects/mock-project/vpcs')
+
+  // Try to create a new VPC
+  await page.getByRole('link', { name: 'New Vpc' }).click()
+  await page.getByRole('textbox', { name: 'Name', exact: true }).fill('limited-test-vpc')
+  await page.getByRole('textbox', { name: 'DNS name' }).fill('limited-test-vpc')
+  await page.getByRole('button', { name: 'Create VPC' }).click()
+
+  // Expect the action to fail; Limited Collaborator role does not allow VPC creation
+  await expect(page.getByText('Action not authorized')).toBeVisible()
+
+  // Close the modal
+  await page.getByRole('button', { name: 'Close' }).click()
+  await page.getByRole('button', { name: 'Leave form' }).click()
+
+  // Verify we're still on the VPCs list page and the VPC was not created
+  await expect(page.getByRole('heading', { name: 'VPCs' })).toBeVisible()
+  await expect(page.getByRole('cell', { name: 'limited-test-vpc' })).toBeHidden()
+})

From 1a3d6dc75d4fb6a4540c2d8a44f4931b5d43a7dd Mon Sep 17 00:00:00 2001
From: Charlie Park <charlie@oxidecomputer.com>
Date: Fri, 31 Oct 2025 09:28:53 -0700
Subject: [PATCH 03/25] Use radio buttons for forms; refactor

---
 app/forms/access-util.tsx    | 51 ++++++++++++++++++++++++++++++++++++
 app/forms/project-access.tsx | 18 +++----------
 app/forms/silo-access.tsx    | 19 +++-----------
 app/ui/lib/Radio.tsx         |  9 ++++---
 4 files changed, 63 insertions(+), 34 deletions(-)

diff --git a/app/forms/access-util.tsx b/app/forms/access-util.tsx
index 26d30fcee1..143571d9e4 100644
--- a/app/forms/access-util.tsx
+++ b/app/forms/access-util.tsx
@@ -5,6 +5,8 @@
  *
  * Copyright Oxide Computer Company
  */
+import type { Control } from 'react-hook-form'
+
 import {
   allRoles,
   type Actor,
@@ -14,7 +16,9 @@ import {
 } from '@oxide/api'
 import { Badge } from '@oxide/design-system/ui'
 
+import { RadioFieldDyn } from '~/components/form/fields/RadioField'
 import { type ListboxItem } from '~/ui/lib/Listbox'
+import { Radio } from '~/ui/lib/Radio'
 import { capitalize } from '~/util/str'
 
 type AddUserValues = {
@@ -32,6 +36,23 @@ export const roleItems = allRoles.map((role) => ({
   label: role.split('_').map(capitalize).join(' '),
 }))
 
+// Role descriptions for project-level roles
+const projectRoleDescriptions: Record<RoleKey, string> = {
+  admin: 'Complete control over the project',
+  collaborator: 'Can manage all resources, including networking',
+  limited_collaborator: 'Can manage compute resources, can not manage networking',
+  viewer: 'Can read most resources within the project',
+}
+
+// Role descriptions for silo-level roles
+const siloRoleDescriptions: Record<RoleKey, string> = {
+  admin: 'Superuser for the silo',
+  collaborator: 'Can create and own projects; grants project admin role on all projects',
+  limited_collaborator:
+    'Can read most resources within the silo; grants limited collaborator role on all projects',
+  viewer: 'Can read most resources within the silo; grants project viewer role',
+}
+
 export const actorToItem = (actor: Actor): ListboxItem => ({
   value: actor.id,
   label: (
@@ -58,3 +79,33 @@ export type EditRoleModalProps = AddRoleModalProps & {
   identityType: IdentityType
   defaultValues: { roleName: RoleKey }
 }
+
+type RoleRadioFieldProps = {
+  control: Control<AddUserValues> | Control<{ roleName: RoleKey }>
+  scope: 'Silo' | 'Project'
+}
+
+export function RoleRadioField({ control, scope }: RoleRadioFieldProps) {
+  const roleDescriptions = scope === 'Silo' ? siloRoleDescriptions : projectRoleDescriptions
+  return (
+    <RadioFieldDyn
+      name="roleName"
+      label={`${scope} role`}
+      required
+      control={control as Control<AddUserValues>}
+      column
+      className="mt-2"
+    >
+      {allRoles.map((role) => (
+        <Radio key={role} value={role} alignTop className="pt-1">
+          <div className="-mt-0.5 ml-1">
+            <div className="text-sans-md text-raise">
+              {capitalize(role).replace('_', ' ')}
+            </div>
+            <div className="text-sans-sm text-secondary my-1">{roleDescriptions[role]}</div>
+          </div>
+        </Radio>
+      ))}
+    </RadioFieldDyn>
+  )
+}
diff --git a/app/forms/project-access.tsx b/app/forms/project-access.tsx
index ae9551cd37..10b720750d 100644
--- a/app/forms/project-access.tsx
+++ b/app/forms/project-access.tsx
@@ -22,7 +22,7 @@ import { addToast } from '~/stores/toast'
 import {
   actorToItem,
   defaultValues,
-  roleItems,
+  RoleRadioField,
   type AddRoleModalProps,
   type EditRoleModalProps,
 } from './access-util'
@@ -75,13 +75,7 @@ export function ProjectAccessAddUserSideModal({ onDismiss, policy }: AddRoleModa
         required
         control={form.control}
       />
-      <ListboxField
-        name="roleName"
-        label="Role"
-        items={roleItems}
-        required
-        control={form.control}
-      />
+      <RoleRadioField control={form.control} scope="Project" />
     </SideModalForm>
   )
 }
@@ -124,13 +118,7 @@ export function ProjectAccessEditUserSideModal({
       submitError={updatePolicy.error}
       onDismiss={onDismiss}
     >
-      <ListboxField
-        name="roleName"
-        label="Role"
-        items={roleItems}
-        required
-        control={form.control}
-      />
+      <RoleRadioField control={form.control} scope="Project" />
     </SideModalForm>
   )
 }
diff --git a/app/forms/silo-access.tsx b/app/forms/silo-access.tsx
index 6eb2e2f701..7fb253b6c4 100644
--- a/app/forms/silo-access.tsx
+++ b/app/forms/silo-access.tsx
@@ -20,7 +20,7 @@ import { SideModalForm } from '~/components/form/SideModalForm'
 import {
   actorToItem,
   defaultValues,
-  roleItems,
+  RoleRadioField,
   type AddRoleModalProps,
   type EditRoleModalProps,
 } from './access-util'
@@ -69,13 +69,7 @@ export function SiloAccessAddUserSideModal({ onDismiss, policy }: AddRoleModalPr
         required
         control={form.control}
       />
-      <ListboxField
-        name="roleName"
-        label="Role"
-        items={roleItems}
-        required
-        control={form.control}
-      />
+      <RoleRadioField control={form.control} scope="Silo" />
     </SideModalForm>
   )
 }
@@ -99,7 +93,6 @@ export function SiloAccessEditUserSideModal({
 
   return (
     <SideModalForm
-      // TODO: show user name in header or SOMEWHERE
       form={form}
       formType="edit"
       resourceName="role"
@@ -113,13 +106,7 @@ export function SiloAccessEditUserSideModal({
       submitError={updatePolicy.error}
       onDismiss={onDismiss}
     >
-      <ListboxField
-        name="roleName"
-        label="Role"
-        items={roleItems}
-        required
-        control={form.control}
-      />
+      <RoleRadioField control={form.control} scope="Silo" />
     </SideModalForm>
   )
 }
diff --git a/app/ui/lib/Radio.tsx b/app/ui/lib/Radio.tsx
index 646c8a364c..dc3523567d 100644
--- a/app/ui/lib/Radio.tsx
+++ b/app/ui/lib/Radio.tsx
@@ -17,7 +17,10 @@ import cn from 'classnames'
 import type { ComponentProps } from 'react'
 
 // input type is fixed to "radio"
-export type RadioProps = Omit<React.ComponentProps<'input'>, 'type'>
+export type RadioProps = Omit<React.ComponentProps<'input'>, 'type'> & {
+  /** Align radio button with top of content instead of center (useful for multi-line content) */
+  alignTop?: boolean
+}
 
 const fieldStyles = `
   peer appearance-none absolute outline-hidden
@@ -26,8 +29,8 @@ const fieldStyles = `
   disabled:hover:bg-transparent
 `
 
-export const Radio = ({ children, className, ...inputProps }: RadioProps) => (
-  <label className="inline-flex items-center">
+export const Radio = ({ children, className, alignTop, ...inputProps }: RadioProps) => (
+  <label className={cn('inline-flex', alignTop ? 'items-start' : 'items-center')}>
     <span className="relative h-4 w-4">
       <input className={cn(fieldStyles, className)} type="radio" {...inputProps} />
       {/* the dot in the middle. hide by default, use peer-checked to show if checked */}

From eb5d2a454dbf847dd6c20f5f0d1475472068ed97 Mon Sep 17 00:00:00 2001
From: Charlie Park <charlie@oxidecomputer.com>
Date: Fri, 31 Oct 2025 10:38:29 -0700
Subject: [PATCH 04/25] Better spacing, copy

---
 app/forms/access-util.tsx | 27 ++++++++++++++++-----------
 1 file changed, 16 insertions(+), 11 deletions(-)

diff --git a/app/forms/access-util.tsx b/app/forms/access-util.tsx
index 143571d9e4..54dffb6969 100644
--- a/app/forms/access-util.tsx
+++ b/app/forms/access-util.tsx
@@ -38,15 +38,15 @@ export const roleItems = allRoles.map((role) => ({
 
 // Role descriptions for project-level roles
 const projectRoleDescriptions: Record<RoleKey, string> = {
-  admin: 'Complete control over the project',
+  admin: 'Can control all aspects of the project',
   collaborator: 'Can manage all resources, including networking',
-  limited_collaborator: 'Can manage compute resources, can not manage networking',
+  limited_collaborator: 'Can manage compute resources; can not manage networking',
   viewer: 'Can read most resources within the project',
 }
 
 // Role descriptions for silo-level roles
 const siloRoleDescriptions: Record<RoleKey, string> = {
-  admin: 'Superuser for the silo',
+  admin: 'Can control all aspects of the silo',
   collaborator: 'Can create and own projects; grants project admin role on all projects',
   limited_collaborator:
     'Can read most resources within the silo; grants limited collaborator role on all projects',
@@ -96,15 +96,20 @@ export function RoleRadioField({ control, scope }: RoleRadioFieldProps) {
       column
       className="mt-2"
     >
-      {allRoles.map((role) => (
-        <Radio key={role} value={role} alignTop className="pt-1">
-          <div className="-mt-0.5 ml-1">
-            <div className="text-sans-md text-raise">
-              {capitalize(role).replace('_', ' ')}
+      {allRoles.map((role, index) => (
+        <div className={index === 0 ? 'mt-2' : 'mt-1'} key={role}>
+          <Radio key={role} value={role} alignTop>
+            {/* negative top margin to control spacing with radio button and label */}
+            <div className="-mt-0.5 ml-1">
+              <div className="text-sans-md text-raise">
+                {capitalize(role).replace('_', ' ')}
+              </div>
+              <div className="text-sans-sm text-secondary mt-0.5">
+                {roleDescriptions[role]}
+              </div>
             </div>
-            <div className="text-sans-sm text-secondary my-1">{roleDescriptions[role]}</div>
-          </div>
-        </Radio>
+          </Radio>
+        </div>
       ))}
     </RadioFieldDyn>
   )

From 6650f4a721d6d29bdb7487f382884a2db62555e8 Mon Sep 17 00:00:00 2001
From: Charlie Park <charlie@oxidecomputer.com>
Date: Fri, 31 Oct 2025 10:55:35 -0700
Subject: [PATCH 05/25] More spacing tweaks; message about stacked role rules

---
 app/forms/access-util.tsx | 62 ++++++++++++++++++++++++---------------
 1 file changed, 39 insertions(+), 23 deletions(-)

diff --git a/app/forms/access-util.tsx b/app/forms/access-util.tsx
index 54dffb6969..27bc56a490 100644
--- a/app/forms/access-util.tsx
+++ b/app/forms/access-util.tsx
@@ -17,7 +17,9 @@ import {
 import { Badge } from '@oxide/design-system/ui'
 
 import { RadioFieldDyn } from '~/components/form/fields/RadioField'
+import { HL } from '~/components/HL'
 import { type ListboxItem } from '~/ui/lib/Listbox'
+import { Message } from '~/ui/lib/Message'
 import { Radio } from '~/ui/lib/Radio'
 import { capitalize } from '~/util/str'
 
@@ -88,29 +90,43 @@ type RoleRadioFieldProps = {
 export function RoleRadioField({ control, scope }: RoleRadioFieldProps) {
   const roleDescriptions = scope === 'Silo' ? siloRoleDescriptions : projectRoleDescriptions
   return (
-    <RadioFieldDyn
-      name="roleName"
-      label={`${scope} role`}
-      required
-      control={control as Control<AddUserValues>}
-      column
-      className="mt-2"
-    >
-      {allRoles.map((role, index) => (
-        <div className={index === 0 ? 'mt-2' : 'mt-1'} key={role}>
-          <Radio key={role} value={role} alignTop>
-            {/* negative top margin to control spacing with radio button and label */}
-            <div className="-mt-0.5 ml-1">
-              <div className="text-sans-md text-raise">
-                {capitalize(role).replace('_', ' ')}
-              </div>
-              <div className="text-sans-sm text-secondary mt-0.5">
-                {roleDescriptions[role]}
+    <>
+      <RadioFieldDyn
+        name="roleName"
+        label={`${scope} role`}
+        required
+        control={control as Control<AddUserValues>}
+        column
+        className="mt-2"
+      >
+        {allRoles.map((role, index) => (
+          <div className={index === 0 ? 'mt-2' : 'mt-1'} key={role}>
+            <Radio key={role} value={role} alignTop>
+              {/* negative top margin to control spacing with radio button and label */}
+              <div className="-mt-0.5 ml-1">
+                <div className="text-sans-md text-raise">
+                  {capitalize(role).replace('_', ' ')}
+                </div>
+                <div className="text-sans-sm text-secondary mt-0.5">
+                  {roleDescriptions[role]}
+                </div>
               </div>
-            </div>
-          </Radio>
-        </div>
-      ))}
-    </RadioFieldDyn>
+            </Radio>
+          </div>
+        ))}
+      </RadioFieldDyn>
+      {scope === 'Project' && (
+        <Message
+          variant="info"
+          content={
+            <>
+              A user’s highest role determines their actual permissions. For example, a silo{' '}
+              <HL>admin</HL> assigned a <HL>viewer</HL> role on a project will still have{' '}
+              <HL>admin</HL> permissions on that project.
+            </>
+          }
+        />
+      )}
+    </>
   )
 }

From 3cc46c8b50a99686b54122fe614d50aae93af07c Mon Sep 17 00:00:00 2001
From: Charlie Park <charlie@oxidecomputer.com>
Date: Fri, 31 Oct 2025 11:08:17 -0700
Subject: [PATCH 06/25] copy

---
 app/forms/access-util.tsx | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/app/forms/access-util.tsx b/app/forms/access-util.tsx
index 27bc56a490..58271e9178 100644
--- a/app/forms/access-util.tsx
+++ b/app/forms/access-util.tsx
@@ -120,9 +120,9 @@ export function RoleRadioField({ control, scope }: RoleRadioFieldProps) {
           variant="info"
           content={
             <>
-              A user’s highest role determines their actual permissions. For example, a silo{' '}
-              <HL>admin</HL> assigned a <HL>viewer</HL> role on a project will still have{' '}
-              <HL>admin</HL> permissions on that project.
+              A user’s strongest role determines their actual permissions. For example, a
+              silo <HL>admin</HL> assigned a <HL>viewer</HL> role on a project will still
+              have <HL>admin</HL> permissions on that project.
             </>
           }
         />

From 955df891859d45cb969b5edd3516150456886de5 Mon Sep 17 00:00:00 2001
From: Charlie Park <charlie@oxidecomputer.com>
Date: Fri, 31 Oct 2025 13:04:18 -0700
Subject: [PATCH 07/25] Show current state in form

---
 app/forms/access-util.tsx    | 12 +++++++++---
 app/forms/project-access.tsx |  1 -
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/app/forms/access-util.tsx b/app/forms/access-util.tsx
index 58271e9178..d8fe2df0ce 100644
--- a/app/forms/access-util.tsx
+++ b/app/forms/access-util.tsx
@@ -89,6 +89,7 @@ type RoleRadioFieldProps = {
 
 export function RoleRadioField({ control, scope }: RoleRadioFieldProps) {
   const roleDescriptions = scope === 'Silo' ? siloRoleDescriptions : projectRoleDescriptions
+  const currentRole = control._formValues.roleName || ''
   return (
     <>
       <RadioFieldDyn
@@ -99,9 +100,14 @@ export function RoleRadioField({ control, scope }: RoleRadioFieldProps) {
         column
         className="mt-2"
       >
-        {allRoles.map((role, index) => (
-          <div className={index === 0 ? 'mt-2' : 'mt-1'} key={role}>
-            <Radio key={role} value={role} alignTop>
+        {allRoles.map((role) => (
+          <div className="mt-1" key={role}>
+            <Radio
+              name="roleName"
+              value={role}
+              defaultChecked={currentRole === role}
+              alignTop
+            >
               {/* negative top margin to control spacing with radio button and label */}
               <div className="-mt-0.5 ml-1">
                 <div className="text-sans-md text-raise">
diff --git a/app/forms/project-access.tsx b/app/forms/project-access.tsx
index 10b720750d..b8665ca3dc 100644
--- a/app/forms/project-access.tsx
+++ b/app/forms/project-access.tsx
@@ -103,7 +103,6 @@ export function ProjectAccessEditUserSideModal({
 
   return (
     <SideModalForm
-      // TODO: show user name in header or SOMEWHERE
       form={form}
       formType="edit"
       resourceName="role"

From c1dd1b2f5c36d0db544ccbafef5669842faf9b4f Mon Sep 17 00:00:00 2001
From: Charlie Park <charlie@oxidecomputer.com>
Date: Fri, 31 Oct 2025 13:11:04 -0700
Subject: [PATCH 08/25] Cleanup unused variable

---
 app/forms/access-util.tsx | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/app/forms/access-util.tsx b/app/forms/access-util.tsx
index d8fe2df0ce..e44c687aa2 100644
--- a/app/forms/access-util.tsx
+++ b/app/forms/access-util.tsx
@@ -33,11 +33,6 @@ export const defaultValues: AddUserValues = {
   roleName: '',
 }
 
-export const roleItems = allRoles.map((role) => ({
-  value: role,
-  label: role.split('_').map(capitalize).join(' '),
-}))
-
 // Role descriptions for project-level roles
 const projectRoleDescriptions: Record<RoleKey, string> = {
   admin: 'Can control all aspects of the project',

From 4b3731df2fdca87c9bb9eb284ca901b35698b55f Mon Sep 17 00:00:00 2001
From: David Crespo <david.crespo@oxidecomputer.com>
Date: Sun, 2 Nov 2025 15:27:26 -0600
Subject: [PATCH 09/25] let RadioFieldDyn handle its own radio state

the div wrapping the radios was messing up the way RadioFieldDyn passes
checked state to its child radios because they're expected to be direct
children
---
 app/components/form/fields/RadioField.tsx |  6 ++++
 app/forms/access-util.tsx                 | 34 +++++++++--------------
 app/forms/project-access.tsx              |  4 ---
 app/forms/silo-access.tsx                 |  4 ---
 4 files changed, 19 insertions(+), 29 deletions(-)

diff --git a/app/components/form/fields/RadioField.tsx b/app/components/form/fields/RadioField.tsx
index 2d0813950a..0c8430c2f3 100644
--- a/app/components/form/fields/RadioField.tsx
+++ b/app/components/form/fields/RadioField.tsx
@@ -19,6 +19,8 @@ import { FieldLabel } from '~/ui/lib/FieldLabel'
 import { Radio, type RadioProps } from '~/ui/lib/Radio'
 import { RadioGroup, type RadioGroupProps } from '~/ui/lib/RadioGroup'
 import { TextInputHint } from '~/ui/lib/TextInput'
+import { isOneOf } from '~/util/children'
+import { invariant } from '~/util/invariant'
 import { capitalize } from '~/util/str'
 
 export type RadioFieldProps<
@@ -126,6 +128,10 @@ export function RadioFieldDyn<
 }: RadioFieldDynProps<TFieldValues, TName>) {
   const id = useId()
   const { field } = useController({ name, control })
+  invariant(
+    isOneOf(children, [Radio, RadioCard]),
+    'Children of RadioFieldDyn must be Radio or RadioCard'
+  )
   return (
     <div>
       <div className="mb-2">
diff --git a/app/forms/access-util.tsx b/app/forms/access-util.tsx
index e44c687aa2..c00f3eb24d 100644
--- a/app/forms/access-util.tsx
+++ b/app/forms/access-util.tsx
@@ -6,6 +6,7 @@
  * Copyright Oxide Computer Company
  */
 import type { Control } from 'react-hook-form'
+import * as R from 'remeda'
 
 import {
   allRoles,
@@ -25,12 +26,12 @@ import { capitalize } from '~/util/str'
 
 type AddUserValues = {
   identityId: string
-  roleName: RoleKey | ''
+  roleName: RoleKey
 }
 
 export const defaultValues: AddUserValues = {
   identityId: '',
-  roleName: '',
+  roleName: 'viewer',
 }
 
 // Role descriptions for project-level roles
@@ -84,7 +85,6 @@ type RoleRadioFieldProps = {
 
 export function RoleRadioField({ control, scope }: RoleRadioFieldProps) {
   const roleDescriptions = scope === 'Silo' ? siloRoleDescriptions : projectRoleDescriptions
-  const currentRole = control._formValues.roleName || ''
   return (
     <>
       <RadioFieldDyn
@@ -95,25 +95,17 @@ export function RoleRadioField({ control, scope }: RoleRadioFieldProps) {
         column
         className="mt-2"
       >
-        {allRoles.map((role) => (
-          <div className="mt-1" key={role}>
-            <Radio
-              name="roleName"
-              value={role}
-              defaultChecked={currentRole === role}
-              alignTop
-            >
-              {/* negative top margin to control spacing with radio button and label */}
-              <div className="-mt-0.5 ml-1">
-                <div className="text-sans-md text-raise">
-                  {capitalize(role).replace('_', ' ')}
-                </div>
-                <div className="text-sans-sm text-secondary mt-0.5">
-                  {roleDescriptions[role]}
-                </div>
+        {R.reverse(allRoles).map((role) => (
+          <Radio name="roleName" key={role} value={role} alignTop>
+            <div className="ml-1">
+              <div className="text-sans-md text-raise">
+                {capitalize(role).replace('_', ' ')}
               </div>
-            </Radio>
-          </div>
+              <div className="text-sans-sm text-secondary mt-0.5">
+                {roleDescriptions[role]}
+              </div>
+            </div>
+          </Radio>
         ))}
       </RadioFieldDyn>
       {scope === 'Project' && (
diff --git a/app/forms/project-access.tsx b/app/forms/project-access.tsx
index b8665ca3dc..359987bb8a 100644
--- a/app/forms/project-access.tsx
+++ b/app/forms/project-access.tsx
@@ -51,10 +51,6 @@ export function ProjectAccessAddUserSideModal({ onDismiss, policy }: AddRoleModa
       form={form}
       formType="create"
       onSubmit={({ identityId, roleName }) => {
-        // can't happen because roleName is validated not to be '', but TS
-        // wants to be sure
-        if (roleName === '') return
-
         // actor is guaranteed to be in the list because it came from there
         const identityType = actors.find((a) => a.id === identityId)!.identityType
 
diff --git a/app/forms/silo-access.tsx b/app/forms/silo-access.tsx
index 7fb253b6c4..b4f334bb84 100644
--- a/app/forms/silo-access.tsx
+++ b/app/forms/silo-access.tsx
@@ -46,10 +46,6 @@ export function SiloAccessAddUserSideModal({ onDismiss, policy }: AddRoleModalPr
       title="Add user or group"
       onDismiss={onDismiss}
       onSubmit={({ identityId, roleName }) => {
-        // can't happen because roleName is validated not to be '', but TS
-        // wants to be sure
-        if (roleName === '') return
-
         // TODO: DRY logic
         // actor is guaranteed to be in the list because it came from there
         const identityType = actors.find((a) => a.id === identityId)!.identityType

From a5646b8ead3f5878405af5e18f47b8c1af3ba5ca Mon Sep 17 00:00:00 2001
From: Charlie Park <charlie@oxidecomputer.com>
Date: Sun, 2 Nov 2025 22:15:48 -0800
Subject: [PATCH 10/25] update import

---
 app/components/form/fields/RadioField.tsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/components/form/fields/RadioField.tsx b/app/components/form/fields/RadioField.tsx
index 0c8430c2f3..4e376decc9 100644
--- a/app/components/form/fields/RadioField.tsx
+++ b/app/components/form/fields/RadioField.tsx
@@ -16,7 +16,7 @@ import {
 } from 'react-hook-form'
 
 import { FieldLabel } from '~/ui/lib/FieldLabel'
-import { Radio, type RadioProps } from '~/ui/lib/Radio'
+import { Radio, RadioCard, type RadioProps } from '~/ui/lib/Radio'
 import { RadioGroup, type RadioGroupProps } from '~/ui/lib/RadioGroup'
 import { TextInputHint } from '~/ui/lib/TextInput'
 import { isOneOf } from '~/util/children'

From 38881d4a6bc8368f8edb59da50d0e8429dd0730b Mon Sep 17 00:00:00 2001
From: Charlie Park <charlie@oxidecomputer.com>
Date: Mon, 3 Nov 2025 01:01:57 -0800
Subject: [PATCH 11/25] improve tests; add silo-to-project authz conferral
 mechanism to msw

---
 mock-api/msw/util.ts           | 52 ++++++++++++++++++++++++++++++----
 mock-api/role-assignment.ts    |  4 +--
 mock-api/user.ts               |  8 +++++-
 test/e2e/project-access.e2e.ts | 34 +++++++++++-----------
 test/e2e/silo-access.e2e.ts    | 20 +++++--------
 test/e2e/utils.ts              |  7 ++++-
 test/e2e/vpcs.e2e.ts           | 30 +++++++++++++++++++-
 7 files changed, 115 insertions(+), 40 deletions(-)

diff --git a/mock-api/msw/util.ts b/mock-api/msw/util.ts
index 1ce6acdc18..bd3aad2eca 100644
--- a/mock-api/msw/util.ts
+++ b/mock-api/msw/util.ts
@@ -312,10 +312,9 @@ const roleOrStronger: Record<RoleKey, RoleKey[]> = {
 
 /**
  * Determine whether a user has a role at least as strong as `role` on the
- * specified resource. Note that this does not yet do parent-child inheritance
- * like Nexus does, i.e., if a user has collaborator on a silo, then it inherits
- * collaborator on all projects in the silo even if it has no explicit role on
- * those projects. This does NOT do that.
+ * specified resource. Implements parent-child inheritance like Nexus does:
+ * if a user has a role on a silo, they inherit that role on all projects
+ * in the silo.
  */
 export function userHasRole(
   user: Json<User>,
@@ -329,6 +328,8 @@ export function userHasRole(
     .filter((g) => !!g)
     .map((g) => g.id)
 
+  const actorIds = [user.id, ...userGroupIds]
+
   /** All actors with *at least* the specified role on the resource */
   const actorsWithRole = db.roleAssignments
     .filter(
@@ -339,8 +340,47 @@ export function userHasRole(
     )
     .map((ra) => ra.identity_id)
 
-  // user has role if their own ID or any of their groups is associated with the role
-  return [user.id, ...userGroupIds].some((id) => actorsWithRole.includes(id))
+  // Direct role on the resource
+  if (actorIds.some((id) => actorsWithRole.includes(id))) {
+    return true
+  }
+
+  // Check for inherited roles: if checking project role, also check parent silo roles
+  // Silo role inheritance to project roles:
+  // - silo admin → project admin
+  // - silo collaborator → project admin (note collaborator → admin)
+  // - silo limited_collaborator → project limited_collaborator
+  // - silo viewer → project viewer
+  if (resourceType === 'project') {
+    const project = db.projects.find((p) => p.id === resourceId)
+    if (!project) return false
+
+    // Map requested project role to silo roles that confer authority
+    const siloRolesForProjectRole: Record<RoleKey, RoleKey[]> = {
+      admin: ['admin', 'collaborator'], // silo collaborator grants project admin
+      collaborator: ['admin', 'collaborator'],
+      limited_collaborator: ['admin', 'collaborator', 'limited_collaborator'],
+      viewer: ['admin', 'collaborator', 'limited_collaborator', 'viewer'],
+    }
+
+    const requiredSiloRoles = siloRolesForProjectRole[role] || []
+
+    // Check if user has any silo role that grants the requested project role
+    const siloActorsWithRole = db.roleAssignments
+      .filter(
+        (ra) =>
+          ra.resource_type === 'silo' &&
+          ra.resource_id === user.silo_id &&
+          requiredSiloRoles.includes(ra.role_name)
+      )
+      .map((ra) => ra.identity_id)
+
+    if (actorIds.some((id) => siloActorsWithRole.includes(id))) {
+      return true
+    }
+  }
+
+  return false
 }
 
 /**
diff --git a/mock-api/role-assignment.ts b/mock-api/role-assignment.ts
index bc28a950b7..a19fc2c7e2 100644
--- a/mock-api/role-assignment.ts
+++ b/mock-api/role-assignment.ts
@@ -9,7 +9,7 @@ import { FLEET_ID, type IdentityType, type RoleKey } from '@oxide/api'
 
 import { project } from './project'
 import { defaultSilo } from './silo'
-import { user1, user2, user3, user5 } from './user'
+import { user1, user3, user5, user6 } from './user'
 import { userGroup2, userGroup3 } from './user-group'
 
 // For most other resources, we can store the API types directly in the DB. But
@@ -75,7 +75,7 @@ export const roleAssignments: DbRoleAssignment[] = [
   {
     resource_type: 'project',
     resource_id: project.id,
-    identity_id: user2.id, // Hans Jonas
+    identity_id: user6.id, // Herbert Marcuse
     identity_type: 'silo_user',
     role_name: 'limited_collaborator',
   },
diff --git a/mock-api/user.ts b/mock-api/user.ts
index 56ec885f6c..04433a596f 100644
--- a/mock-api/user.ts
+++ b/mock-api/user.ts
@@ -40,4 +40,10 @@ export const user5: Json<User> = {
   silo_id: defaultSilo.id,
 }
 
-export const users = [user1, user2, user3, user4, user5]
+export const user6: Json<User> = {
+  id: 'f8c2b4d3-6e7a-4b9c-8d1e-3a4f5b6c7d8e',
+  display_name: 'Herbert Marcuse',
+  silo_id: defaultSilo.id,
+}
+
+export const users = [user1, user2, user3, user4, user5, user6]
diff --git a/test/e2e/project-access.e2e.ts b/test/e2e/project-access.e2e.ts
index 474cea46d4..43fcbc2eff 100644
--- a/test/e2e/project-access.e2e.ts
+++ b/test/e2e/project-access.e2e.ts
@@ -13,7 +13,7 @@ test('Click through project access page', async ({ page }) => {
   await page.goto('/projects/mock-project')
   await page.click('role=link[name*="Access"]')
 
-  // page is there, we see user 1 and 3 but not 2 or 4
+  // we see groups and users 1, 3, 6 but not users 2, 4, 5
   await expectVisible(page, ['role=heading[name*="Access"]'])
   const table = page.locator('table')
   await expectRowVisible(table, {
@@ -26,6 +26,11 @@ test('Click through project access page', async ({ page }) => {
     Type: 'User',
     Role: 'project.collaborator',
   })
+  await expectRowVisible(table, {
+    Name: 'Herbert Marcuse',
+    Type: 'User',
+    Role: 'project.limited_collaborator',
+  })
   await expectRowVisible(table, {
     Name: 'real-estate-devs',
     Type: 'Group',
@@ -48,7 +53,10 @@ test('Click through project access page', async ({ page }) => {
 
   await page.click('role=button[name*="User or group"]')
   // only users not already on the project should be visible
-  await expectNotVisible(page, ['role=option[name="Jacob Klein"]'])
+  await expectNotVisible(page, [
+    'role=option[name="Jacob Klein"]',
+    'role=option[name="Herbert Marcuse"]',
+  ])
 
   await expectVisible(page, [
     'role=option[name="Hannah Arendt"]',
@@ -57,15 +65,7 @@ test('Click through project access page', async ({ page }) => {
   ])
 
   await page.click('role=option[name="Simone de Beauvoir"]')
-
-  await page.click('role=button[name*="Role"]')
-  await expectVisible(page, [
-    'role=option[name="Admin"]',
-    'role=option[name="Collaborator"]',
-    'role=option[name="Viewer"]',
-  ])
-
-  await page.click('role=option[name="Collaborator"]')
+  await page.getByRole('radio', { name: /^Collaborator / }).click()
   await page.click('role=button[name="Assign role"]')
 
   // User 4 shows up in the table
@@ -85,10 +85,12 @@ test('Click through project access page', async ({ page }) => {
   await expectVisible(page, [
     'role=heading[name*="Change project role for Simone de Beauvoir"]',
   ])
-  await expectVisible(page, ['button:has-text("Collaborator")'])
 
-  await page.click('role=button[name*="Role"]')
-  await page.click('role=option[name="Viewer"]')
+  // Verify Collaborator is currently selected
+  await expect(page.getByRole('radio', { name: /^Collaborator / })).toBeChecked()
+
+  // Select Viewer role
+  await page.getByRole('radio', { name: /^Viewer / }).click()
   await page.click('role=button[name="Update role"]')
 
   await expectRowVisible(table, { Name: user4.display_name, Role: 'project.viewer' })
@@ -106,8 +108,8 @@ test('Click through project access page', async ({ page }) => {
   await page.click('role=button[name="Add user or group"]')
   await page.click('role=button[name*="User or group"]')
   await page.click('role=option[name="Hannah Arendt"]')
-  await page.click('role=button[name*="Role"]')
-  await page.click('role=option[name="Viewer"]')
+  // Select Viewer role
+  await page.getByRole('radio', { name: /^Viewer / }).click()
   await page.click('role=button[name="Assign role"]')
   // because we only show the "effective" role, we should still see the silo admin role, but should now have an additional count value
   await expectRowVisible(table, {
diff --git a/test/e2e/silo-access.e2e.ts b/test/e2e/silo-access.e2e.ts
index 515bb5acf0..9c6bbcceb4 100644
--- a/test/e2e/silo-access.e2e.ts
+++ b/test/e2e/silo-access.e2e.ts
@@ -14,7 +14,7 @@ test('Click through silo access page', async ({ page }) => {
 
   const table = page.locator('role=table')
 
-  // page is there, we see user 1 and 2 but not 3
+  // page is there; we see user 1 and 2 but not 3
   await page.click('role=link[name*="Access"]')
 
   await expectVisible(page, ['role=heading[name*="Access"]'])
@@ -44,15 +44,7 @@ test('Click through silo access page', async ({ page }) => {
   ])
 
   await page.click('role=option[name="Jacob Klein"]')
-
-  await page.click('role=button[name*="Role"]')
-  await expectVisible(page, [
-    'role=option[name="Admin"]',
-    'role=option[name="Collaborator"]',
-    'role=option[name="Viewer"]',
-  ])
-
-  await page.click('role=option[name="Collaborator"]')
+  await page.getByRole('radio', { name: /^Collaborator / }).click()
   await page.click('role=button[name="Assign role"]')
 
   // User 3 shows up in the table
@@ -70,10 +62,12 @@ test('Click through silo access page', async ({ page }) => {
   await page.click('role=menuitem[name="Change role"]')
 
   await expectVisible(page, ['role=heading[name*="Change silo role for Jacob Klein"]'])
-  await expectVisible(page, ['button:has-text("Collaborator")'])
 
-  await page.click('role=button[name*="Role"]')
-  await page.click('role=option[name="Viewer"]')
+  // Verify Collaborator is currently selected
+  await expect(page.getByRole('radio', { name: /^Collaborator / })).toBeChecked()
+
+  // Select Viewer role
+  await page.getByRole('radio', { name: /^Viewer / }).click()
   await page.click('role=button[name="Update role"]')
 
   await expectRowVisible(table, { Name: user3.display_name, Role: 'silo.viewer' })
diff --git a/test/e2e/utils.ts b/test/e2e/utils.ts
index b9a27bb2ee..f549562bcc 100644
--- a/test/e2e/utils.ts
+++ b/test/e2e/utils.ts
@@ -191,7 +191,12 @@ export async function selectOption(
 
 export async function getPageAsUser(
   browser: Browser,
-  user: 'Hans Jonas' | 'Simone de Beauvoir' | 'Jacob Klein' | 'Jane Austen'
+  user:
+    | 'Hans Jonas'
+    | 'Simone de Beauvoir'
+    | 'Jacob Klein'
+    | 'Jane Austen'
+    | 'Herbert Marcuse'
 ): Promise<Page> {
   const browserContext = await browser.newContext()
   await browserContext.addCookies([
diff --git a/test/e2e/vpcs.e2e.ts b/test/e2e/vpcs.e2e.ts
index 85ab10877c..6efb700cb1 100644
--- a/test/e2e/vpcs.e2e.ts
+++ b/test/e2e/vpcs.e2e.ts
@@ -441,10 +441,38 @@ test('collaborator can create VPC', async ({ browser }) => {
   })
 })
 
-test('limited collaborator cannot create VPC', async ({ browser }) => {
+test('user in group with silo collaborator role can create VPC', async ({ browser }) => {
+  // Hans Jonas is in real-estate-devs group, which has silo.collaborator role
+  // Silo collaborator grants project admin, so he should be able to create VPCs
   const page = await getPageAsUser(browser, 'Hans Jonas')
   await page.goto('/projects/mock-project/vpcs')
 
+  const table = page.getByRole('table')
+
+  // Create a new VPC
+  await page.getByRole('link', { name: 'New Vpc' }).click()
+  await page.getByRole('textbox', { name: 'Name', exact: true }).fill('group-test-vpc')
+  await page.getByRole('textbox', { name: 'DNS name' }).fill('group-test-vpc')
+  await page.getByRole('button', { name: 'Create VPC' }).click()
+
+  // Should succeed and navigate to the VPC detail page
+  await expect(page.getByRole('heading', { name: 'group-test-vpc' })).toBeVisible()
+  await expect(page.getByRole('tab', { name: 'Firewall Rules' })).toBeVisible()
+
+  // Navigate back to VPCs list to verify it was created
+  const breadcrumbs = page.getByRole('navigation', { name: 'Breadcrumbs' })
+  await breadcrumbs.getByRole('link', { name: 'VPCs' }).click()
+
+  await expectRowVisible(table, {
+    name: 'group-test-vpc',
+    'DNS name': 'group-test-vpc',
+  })
+})
+
+test('limited collaborator cannot create VPC', async ({ browser }) => {
+  const page = await getPageAsUser(browser, 'Herbert Marcuse')
+  await page.goto('/projects/mock-project/vpcs')
+
   // Try to create a new VPC
   await page.getByRole('link', { name: 'New Vpc' }).click()
   await page.getByRole('textbox', { name: 'Name', exact: true }).fill('limited-test-vpc')

From 59167e51f4c2fc82d5592e3ec087f3449e1f04fb Mon Sep 17 00:00:00 2001
From: Charlie Park <charlie@oxidecomputer.com>
Date: Mon, 3 Nov 2025 04:56:53 -0800
Subject: [PATCH 12/25] Add new unit test for silo limited-collaborator

---
 mock-api/msw/util.spec.ts | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/mock-api/msw/util.spec.ts b/mock-api/msw/util.spec.ts
index 022f1279cf..a9c05d2022 100644
--- a/mock-api/msw/util.spec.ts
+++ b/mock-api/msw/util.spec.ts
@@ -81,6 +81,7 @@ describe('userHasRole', () => {
       ['Jacob Klein', false],
       ['Simone de Beauvoir', false],
       ['Jane Austen', true],
+      ['Herbert Marcuse', false],
     ])
   })
 
@@ -93,6 +94,7 @@ describe('userHasRole', () => {
       ['Jacob Klein', false],
       ['Simone de Beauvoir', false],
       ['Jane Austen', false],
+      ['Herbert Marcuse', false],
     ])
   })
 
@@ -105,6 +107,23 @@ describe('userHasRole', () => {
       ['Jacob Klein', false],
       ['Simone de Beauvoir', false],
       ['Jane Austen', true],
+      ['Herbert Marcuse', false],
+    ])
+  })
+
+  it('silo limited_collaborator', () => {
+    expect(
+      users.map((u) => [
+        u.display_name,
+        userHasRole(u, 'silo', defaultSilo.id, 'limited_collaborator'),
+      ])
+    ).toEqual([
+      ['Hannah Arendt', true],
+      ['Hans Jonas', true],
+      ['Jacob Klein', false],
+      ['Simone de Beauvoir', false],
+      ['Jane Austen', true],
+      ['Herbert Marcuse', false],
     ])
   })
 
@@ -120,6 +139,7 @@ describe('userHasRole', () => {
       ['Jacob Klein', false],
       ['Simone de Beauvoir', false],
       ['Jane Austen', true],
+      ['Herbert Marcuse', false],
     ])
   })
 
@@ -132,6 +152,7 @@ describe('userHasRole', () => {
       ['Jacob Klein', false],
       ['Simone de Beauvoir', false],
       ['Jane Austen', false],
+      ['Herbert Marcuse', false],
     ])
   })
 })

From f63e66ca6715f17dcaa46c33dfc2dffaaf834bb7 Mon Sep 17 00:00:00 2001
From: Charlie Park <charlie@oxidecomputer.com>
Date: Mon, 3 Nov 2025 05:01:43 -0800
Subject: [PATCH 13/25] Microcopy tweaks

---
 app/forms/access-util.tsx | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/app/forms/access-util.tsx b/app/forms/access-util.tsx
index c00f3eb24d..61b4bce063 100644
--- a/app/forms/access-util.tsx
+++ b/app/forms/access-util.tsx
@@ -36,19 +36,19 @@ export const defaultValues: AddUserValues = {
 
 // Role descriptions for project-level roles
 const projectRoleDescriptions: Record<RoleKey, string> = {
-  admin: 'Can control all aspects of the project',
-  collaborator: 'Can manage all resources, including networking',
-  limited_collaborator: 'Can manage compute resources; can not manage networking',
-  viewer: 'Can read most resources within the project',
+  admin: 'Can control all aspects of the project.',
+  collaborator: 'Can manage all resources, including networking.',
+  limited_collaborator: 'Can manage compute resources. Cannot manage networking.',
+  viewer: 'Can read most resources within the project.',
 }
 
 // Role descriptions for silo-level roles
 const siloRoleDescriptions: Record<RoleKey, string> = {
-  admin: 'Can control all aspects of the silo',
-  collaborator: 'Can create and own projects; grants project admin role on all projects',
+  admin: 'Can control all aspects of the silo.',
+  collaborator: 'Can create and own projects. Grants project admin role on all projects.',
   limited_collaborator:
-    'Can read most resources within the silo; grants limited collaborator role on all projects',
-  viewer: 'Can read most resources within the silo; grants project viewer role',
+    'Can read most resources within the silo. Grants limited collaborator role on all projects.',
+  viewer: 'Can read most resources within the silo. Grants project viewer role.',
 }
 
 export const actorToItem = (actor: Actor): ListboxItem => ({

From 7e40272de77a3af5ab0da960cbc4bb6caafeb9df Mon Sep 17 00:00:00 2001
From: Charlie Park <charlie@oxidecomputer.com>
Date: Mon, 3 Nov 2025 06:08:16 -0800
Subject: [PATCH 14/25] Move silo and project access forms into regular modal

---
 app/forms/access-util.tsx                     | 10 +++-------
 app/forms/project-access.tsx                  | 19 ++++++++-----------
 app/forms/silo-access.tsx                     | 19 ++++++++-----------
 app/pages/SiloAccessPage.tsx                  |  9 +++------
 .../project/access/ProjectAccessPage.tsx      |  8 ++++----
 app/ui/lib/Radio.tsx                          |  2 +-
 6 files changed, 27 insertions(+), 40 deletions(-)

diff --git a/app/forms/access-util.tsx b/app/forms/access-util.tsx
index 61b4bce063..5a53e6aec3 100644
--- a/app/forms/access-util.tsx
+++ b/app/forms/access-util.tsx
@@ -97,14 +97,10 @@ export function RoleRadioField({ control, scope }: RoleRadioFieldProps) {
       >
         {R.reverse(allRoles).map((role) => (
           <Radio name="roleName" key={role} value={role} alignTop>
-            <div className="ml-1">
-              <div className="text-sans-md text-raise">
-                {capitalize(role).replace('_', ' ')}
-              </div>
-              <div className="text-sans-sm text-secondary mt-0.5">
-                {roleDescriptions[role]}
-              </div>
+            <div className="text-sans-md text-raise">
+              {capitalize(role).replace('_', ' ')}
             </div>
+            <div className="text-sans-sm text-secondary">{roleDescriptions[role]}</div>
           </Radio>
         ))}
       </RadioFieldDyn>
diff --git a/app/forms/project-access.tsx b/app/forms/project-access.tsx
index 359987bb8a..023dfaafd7 100644
--- a/app/forms/project-access.tsx
+++ b/app/forms/project-access.tsx
@@ -15,7 +15,7 @@ import {
 } from '@oxide/api'
 
 import { ListboxField } from '~/components/form/fields/ListboxField'
-import { SideModalForm } from '~/components/form/SideModalForm'
+import { ModalForm } from '~/components/form/ModalForm'
 import { useProjectSelector } from '~/hooks/use-params'
 import { addToast } from '~/stores/toast'
 
@@ -27,7 +27,7 @@ import {
   type EditRoleModalProps,
 } from './access-util'
 
-export function ProjectAccessAddUserSideModal({ onDismiss, policy }: AddRoleModalProps) {
+export function ProjectAccessAddUserModal({ onDismiss, policy }: AddRoleModalProps) {
   const { project } = useProjectSelector()
 
   const actors = useActorsNotInPolicy(policy)
@@ -45,11 +45,9 @@ export function ProjectAccessAddUserSideModal({ onDismiss, policy }: AddRoleModa
   const form = useForm({ defaultValues })
 
   return (
-    <SideModalForm
+    <ModalForm
       title="Add user or group"
-      resourceName="role"
       form={form}
-      formType="create"
       onSubmit={({ identityId, roleName }) => {
         // actor is guaranteed to be in the list because it came from there
         const identityType = actors.find((a) => a.id === identityId)!.identityType
@@ -72,11 +70,11 @@ export function ProjectAccessAddUserSideModal({ onDismiss, policy }: AddRoleModa
         control={form.control}
       />
       <RoleRadioField control={form.control} scope="Project" />
-    </SideModalForm>
+    </ModalForm>
   )
 }
 
-export function ProjectAccessEditUserSideModal({
+export function ProjectAccessEditUserModal({
   onDismiss,
   name,
   identityId,
@@ -98,10 +96,8 @@ export function ProjectAccessEditUserSideModal({
   const form = useForm({ defaultValues })
 
   return (
-    <SideModalForm
+    <ModalForm
       form={form}
-      formType="edit"
-      resourceName="role"
       title={`Change project role for ${name}`}
       onSubmit={({ roleName }) => {
         updatePolicy.mutate({
@@ -111,9 +107,10 @@ export function ProjectAccessEditUserSideModal({
       }}
       loading={updatePolicy.isPending}
       submitError={updatePolicy.error}
+      submitLabel="Update role"
       onDismiss={onDismiss}
     >
       <RoleRadioField control={form.control} scope="Project" />
-    </SideModalForm>
+    </ModalForm>
   )
 }
diff --git a/app/forms/silo-access.tsx b/app/forms/silo-access.tsx
index b4f334bb84..78a11920c5 100644
--- a/app/forms/silo-access.tsx
+++ b/app/forms/silo-access.tsx
@@ -15,7 +15,7 @@ import {
 } from '@oxide/api'
 
 import { ListboxField } from '~/components/form/fields/ListboxField'
-import { SideModalForm } from '~/components/form/SideModalForm'
+import { ModalForm } from '~/components/form/ModalForm'
 
 import {
   actorToItem,
@@ -25,7 +25,7 @@ import {
   type EditRoleModalProps,
 } from './access-util'
 
-export function SiloAccessAddUserSideModal({ onDismiss, policy }: AddRoleModalProps) {
+export function SiloAccessAddUserModal({ onDismiss, policy }: AddRoleModalProps) {
   const actors = useActorsNotInPolicy(policy)
 
   const queryClient = useApiQueryClient()
@@ -39,10 +39,8 @@ export function SiloAccessAddUserSideModal({ onDismiss, policy }: AddRoleModalPr
   const form = useForm({ defaultValues })
 
   return (
-    <SideModalForm
+    <ModalForm
       form={form}
-      formType="create"
-      resourceName="role"
       title="Add user or group"
       onDismiss={onDismiss}
       onSubmit={({ identityId, roleName }) => {
@@ -66,11 +64,11 @@ export function SiloAccessAddUserSideModal({ onDismiss, policy }: AddRoleModalPr
         control={form.control}
       />
       <RoleRadioField control={form.control} scope="Silo" />
-    </SideModalForm>
+    </ModalForm>
   )
 }
 
-export function SiloAccessEditUserSideModal({
+export function SiloAccessEditUserModal({
   onDismiss,
   name,
   identityId,
@@ -88,10 +86,8 @@ export function SiloAccessEditUserSideModal({
   const form = useForm({ defaultValues })
 
   return (
-    <SideModalForm
+    <ModalForm
       form={form}
-      formType="edit"
-      resourceName="role"
       title={`Change silo role for ${name}`}
       onSubmit={({ roleName }) => {
         updatePolicy.mutate({
@@ -100,9 +96,10 @@ export function SiloAccessEditUserSideModal({
       }}
       loading={updatePolicy.isPending}
       submitError={updatePolicy.error}
+      submitLabel="Update role"
       onDismiss={onDismiss}
     >
       <RoleRadioField control={form.control} scope="Silo" />
-    </SideModalForm>
+    </ModalForm>
   )
 }
diff --git a/app/pages/SiloAccessPage.tsx b/app/pages/SiloAccessPage.tsx
index bcb84c8a37..ad2759d5ef 100644
--- a/app/pages/SiloAccessPage.tsx
+++ b/app/pages/SiloAccessPage.tsx
@@ -25,10 +25,7 @@ import { Badge } from '@oxide/design-system/ui'
 
 import { DocsPopover } from '~/components/DocsPopover'
 import { HL } from '~/components/HL'
-import {
-  SiloAccessAddUserSideModal,
-  SiloAccessEditUserSideModal,
-} from '~/forms/silo-access'
+import { SiloAccessAddUserModal, SiloAccessEditUserModal } from '~/forms/silo-access'
 import { confirmDelete } from '~/stores/confirm-delete'
 import { getActionsCol } from '~/table/columns/action-col'
 import { Table } from '~/table/Table'
@@ -178,13 +175,13 @@ export default function SiloAccessPage() {
         <CreateButton onClick={() => setAddModalOpen(true)}>Add user or group</CreateButton>
       </TableActions>
       {siloPolicy && addModalOpen && (
-        <SiloAccessAddUserSideModal
+        <SiloAccessAddUserModal
           onDismiss={() => setAddModalOpen(false)}
           policy={siloPolicy}
         />
       )}
       {siloPolicy && editingUserRow?.siloRole && (
-        <SiloAccessEditUserSideModal
+        <SiloAccessEditUserModal
           onDismiss={() => setEditingUserRow(null)}
           policy={siloPolicy}
           name={editingUserRow.name}
diff --git a/app/pages/project/access/ProjectAccessPage.tsx b/app/pages/project/access/ProjectAccessPage.tsx
index f3b6f4e8bc..ae3f633359 100644
--- a/app/pages/project/access/ProjectAccessPage.tsx
+++ b/app/pages/project/access/ProjectAccessPage.tsx
@@ -30,8 +30,8 @@ import { DocsPopover } from '~/components/DocsPopover'
 import { HL } from '~/components/HL'
 import { ListPlusCell } from '~/components/ListPlusCell'
 import {
-  ProjectAccessAddUserSideModal,
-  ProjectAccessEditUserSideModal,
+  ProjectAccessAddUserModal,
+  ProjectAccessEditUserModal,
 } from '~/forms/project-access'
 import { getProjectSelector, useProjectSelector } from '~/hooks/use-params'
 import { confirmDelete } from '~/stores/confirm-delete'
@@ -217,13 +217,13 @@ export default function ProjectAccessPage() {
         <CreateButton onClick={() => setAddModalOpen(true)}>Add user or group</CreateButton>
       </TableActions>
       {projectPolicy && addModalOpen && (
-        <ProjectAccessAddUserSideModal
+        <ProjectAccessAddUserModal
           onDismiss={() => setAddModalOpen(false)}
           policy={projectPolicy}
         />
       )}
       {projectPolicy && editingUserRow?.projectRole && (
-        <ProjectAccessEditUserSideModal
+        <ProjectAccessEditUserModal
           onDismiss={() => setEditingUserRow(null)}
           policy={projectPolicy}
           name={editingUserRow.name}
diff --git a/app/ui/lib/Radio.tsx b/app/ui/lib/Radio.tsx
index dc3523567d..c674eec145 100644
--- a/app/ui/lib/Radio.tsx
+++ b/app/ui/lib/Radio.tsx
@@ -31,7 +31,7 @@ const fieldStyles = `
 
 export const Radio = ({ children, className, alignTop, ...inputProps }: RadioProps) => (
   <label className={cn('inline-flex', alignTop ? 'items-start' : 'items-center')}>
-    <span className="relative h-4 w-4">
+    <span className="relative h-4 w-4 shrink-0">
       <input className={cn(fieldStyles, className)} type="radio" {...inputProps} />
       {/* the dot in the middle. hide by default, use peer-checked to show if checked */}
       <div className="bg-accent pointer-events-none absolute top-1 left-1 hidden h-2 w-2 rounded-full peer-checked:block" />

From a5ce69bcb1a33f7f3d2662be6a98458105d90b9b Mon Sep 17 00:00:00 2001
From: Charlie Park <charlie@oxidecomputer.com>
Date: Mon, 3 Nov 2025 08:29:41 -0800
Subject: [PATCH 15/25] Move back to side modal

---
 app/forms/project-access.tsx                  | 20 ++++++++++---------
 app/forms/silo-access.tsx                     | 20 ++++++++++---------
 app/pages/SiloAccessPage.tsx                  |  9 ++++++---
 .../project/access/ProjectAccessPage.tsx      |  8 ++++----
 4 files changed, 32 insertions(+), 25 deletions(-)

diff --git a/app/forms/project-access.tsx b/app/forms/project-access.tsx
index 023dfaafd7..b457b78599 100644
--- a/app/forms/project-access.tsx
+++ b/app/forms/project-access.tsx
@@ -15,7 +15,7 @@ import {
 } from '@oxide/api'
 
 import { ListboxField } from '~/components/form/fields/ListboxField'
-import { ModalForm } from '~/components/form/ModalForm'
+import { SideModalForm } from '~/components/form/SideModalForm'
 import { useProjectSelector } from '~/hooks/use-params'
 import { addToast } from '~/stores/toast'
 
@@ -27,7 +27,7 @@ import {
   type EditRoleModalProps,
 } from './access-util'
 
-export function ProjectAccessAddUserModal({ onDismiss, policy }: AddRoleModalProps) {
+export function ProjectAccessAddUserSideModal({ onDismiss, policy }: AddRoleModalProps) {
   const { project } = useProjectSelector()
 
   const actors = useActorsNotInPolicy(policy)
@@ -45,9 +45,11 @@ export function ProjectAccessAddUserModal({ onDismiss, policy }: AddRoleModalPro
   const form = useForm({ defaultValues })
 
   return (
-    <ModalForm
+    <SideModalForm
       title="Add user or group"
+      resourceName="role"
       form={form}
+      formType="create"
       onSubmit={({ identityId, roleName }) => {
         // actor is guaranteed to be in the list because it came from there
         const identityType = actors.find((a) => a.id === identityId)!.identityType
@@ -59,7 +61,6 @@ export function ProjectAccessAddUserModal({ onDismiss, policy }: AddRoleModalPro
       }}
       loading={updatePolicy.isPending}
       submitError={updatePolicy.error}
-      submitLabel="Assign role"
       onDismiss={onDismiss}
     >
       <ListboxField
@@ -70,11 +71,11 @@ export function ProjectAccessAddUserModal({ onDismiss, policy }: AddRoleModalPro
         control={form.control}
       />
       <RoleRadioField control={form.control} scope="Project" />
-    </ModalForm>
+    </SideModalForm>
   )
 }
 
-export function ProjectAccessEditUserModal({
+export function ProjectAccessEditUserSideModal({
   onDismiss,
   name,
   identityId,
@@ -96,8 +97,10 @@ export function ProjectAccessEditUserModal({
   const form = useForm({ defaultValues })
 
   return (
-    <ModalForm
+    <SideModalForm
       form={form}
+      formType="edit"
+      resourceName="role"
       title={`Change project role for ${name}`}
       onSubmit={({ roleName }) => {
         updatePolicy.mutate({
@@ -107,10 +110,9 @@ export function ProjectAccessEditUserModal({
       }}
       loading={updatePolicy.isPending}
       submitError={updatePolicy.error}
-      submitLabel="Update role"
       onDismiss={onDismiss}
     >
       <RoleRadioField control={form.control} scope="Project" />
-    </ModalForm>
+    </SideModalForm>
   )
 }
diff --git a/app/forms/silo-access.tsx b/app/forms/silo-access.tsx
index 78a11920c5..63c4fbdecb 100644
--- a/app/forms/silo-access.tsx
+++ b/app/forms/silo-access.tsx
@@ -15,7 +15,7 @@ import {
 } from '@oxide/api'
 
 import { ListboxField } from '~/components/form/fields/ListboxField'
-import { ModalForm } from '~/components/form/ModalForm'
+import { SideModalForm } from '~/components/form/SideModalForm'
 
 import {
   actorToItem,
@@ -25,7 +25,7 @@ import {
   type EditRoleModalProps,
 } from './access-util'
 
-export function SiloAccessAddUserModal({ onDismiss, policy }: AddRoleModalProps) {
+export function SiloAccessAddUserSideModal({ onDismiss, policy }: AddRoleModalProps) {
   const actors = useActorsNotInPolicy(policy)
 
   const queryClient = useApiQueryClient()
@@ -39,8 +39,10 @@ export function SiloAccessAddUserModal({ onDismiss, policy }: AddRoleModalProps)
   const form = useForm({ defaultValues })
 
   return (
-    <ModalForm
+    <SideModalForm
       form={form}
+      formType="create"
+      resourceName="role"
       title="Add user or group"
       onDismiss={onDismiss}
       onSubmit={({ identityId, roleName }) => {
@@ -54,7 +56,6 @@ export function SiloAccessAddUserModal({ onDismiss, policy }: AddRoleModalProps)
       }}
       loading={updatePolicy.isPending}
       submitError={updatePolicy.error}
-      submitLabel="Assign role"
     >
       <ListboxField
         name="identityId"
@@ -64,11 +65,11 @@ export function SiloAccessAddUserModal({ onDismiss, policy }: AddRoleModalProps)
         control={form.control}
       />
       <RoleRadioField control={form.control} scope="Silo" />
-    </ModalForm>
+    </SideModalForm>
   )
 }
 
-export function SiloAccessEditUserModal({
+export function SiloAccessEditUserSideModal({
   onDismiss,
   name,
   identityId,
@@ -86,8 +87,10 @@ export function SiloAccessEditUserModal({
   const form = useForm({ defaultValues })
 
   return (
-    <ModalForm
+    <SideModalForm
       form={form}
+      formType="edit"
+      resourceName="role"
       title={`Change silo role for ${name}`}
       onSubmit={({ roleName }) => {
         updatePolicy.mutate({
@@ -96,10 +99,9 @@ export function SiloAccessEditUserModal({
       }}
       loading={updatePolicy.isPending}
       submitError={updatePolicy.error}
-      submitLabel="Update role"
       onDismiss={onDismiss}
     >
       <RoleRadioField control={form.control} scope="Silo" />
-    </ModalForm>
+    </SideModalForm>
   )
 }
diff --git a/app/pages/SiloAccessPage.tsx b/app/pages/SiloAccessPage.tsx
index ad2759d5ef..bcb84c8a37 100644
--- a/app/pages/SiloAccessPage.tsx
+++ b/app/pages/SiloAccessPage.tsx
@@ -25,7 +25,10 @@ import { Badge } from '@oxide/design-system/ui'
 
 import { DocsPopover } from '~/components/DocsPopover'
 import { HL } from '~/components/HL'
-import { SiloAccessAddUserModal, SiloAccessEditUserModal } from '~/forms/silo-access'
+import {
+  SiloAccessAddUserSideModal,
+  SiloAccessEditUserSideModal,
+} from '~/forms/silo-access'
 import { confirmDelete } from '~/stores/confirm-delete'
 import { getActionsCol } from '~/table/columns/action-col'
 import { Table } from '~/table/Table'
@@ -175,13 +178,13 @@ export default function SiloAccessPage() {
         <CreateButton onClick={() => setAddModalOpen(true)}>Add user or group</CreateButton>
       </TableActions>
       {siloPolicy && addModalOpen && (
-        <SiloAccessAddUserModal
+        <SiloAccessAddUserSideModal
           onDismiss={() => setAddModalOpen(false)}
           policy={siloPolicy}
         />
       )}
       {siloPolicy && editingUserRow?.siloRole && (
-        <SiloAccessEditUserModal
+        <SiloAccessEditUserSideModal
           onDismiss={() => setEditingUserRow(null)}
           policy={siloPolicy}
           name={editingUserRow.name}
diff --git a/app/pages/project/access/ProjectAccessPage.tsx b/app/pages/project/access/ProjectAccessPage.tsx
index ae3f633359..f3b6f4e8bc 100644
--- a/app/pages/project/access/ProjectAccessPage.tsx
+++ b/app/pages/project/access/ProjectAccessPage.tsx
@@ -30,8 +30,8 @@ import { DocsPopover } from '~/components/DocsPopover'
 import { HL } from '~/components/HL'
 import { ListPlusCell } from '~/components/ListPlusCell'
 import {
-  ProjectAccessAddUserModal,
-  ProjectAccessEditUserModal,
+  ProjectAccessAddUserSideModal,
+  ProjectAccessEditUserSideModal,
 } from '~/forms/project-access'
 import { getProjectSelector, useProjectSelector } from '~/hooks/use-params'
 import { confirmDelete } from '~/stores/confirm-delete'
@@ -217,13 +217,13 @@ export default function ProjectAccessPage() {
         <CreateButton onClick={() => setAddModalOpen(true)}>Add user or group</CreateButton>
       </TableActions>
       {projectPolicy && addModalOpen && (
-        <ProjectAccessAddUserModal
+        <ProjectAccessAddUserSideModal
           onDismiss={() => setAddModalOpen(false)}
           policy={projectPolicy}
         />
       )}
       {projectPolicy && editingUserRow?.projectRole && (
-        <ProjectAccessEditUserModal
+        <ProjectAccessEditUserSideModal
           onDismiss={() => setEditingUserRow(null)}
           policy={projectPolicy}
           name={editingUserRow.name}

From 58611cb819d771a3aec41d2cd4a461e934a70e43 Mon Sep 17 00:00:00 2001
From: Charlie Park <charlie@oxidecomputer.com>
Date: Mon, 3 Nov 2025 10:21:21 -0800
Subject: [PATCH 16/25] update button copy

---
 app/forms/project-access.tsx | 1 +
 app/forms/silo-access.tsx    | 1 +
 2 files changed, 2 insertions(+)

diff --git a/app/forms/project-access.tsx b/app/forms/project-access.tsx
index b457b78599..50f53ca485 100644
--- a/app/forms/project-access.tsx
+++ b/app/forms/project-access.tsx
@@ -50,6 +50,7 @@ export function ProjectAccessAddUserSideModal({ onDismiss, policy }: AddRoleModa
       resourceName="role"
       form={form}
       formType="create"
+      submitLabel="Assign role"
       onSubmit={({ identityId, roleName }) => {
         // actor is guaranteed to be in the list because it came from there
         const identityType = actors.find((a) => a.id === identityId)!.identityType
diff --git a/app/forms/silo-access.tsx b/app/forms/silo-access.tsx
index 63c4fbdecb..bb0fc8472d 100644
--- a/app/forms/silo-access.tsx
+++ b/app/forms/silo-access.tsx
@@ -44,6 +44,7 @@ export function SiloAccessAddUserSideModal({ onDismiss, policy }: AddRoleModalPr
       formType="create"
       resourceName="role"
       title="Add user or group"
+      submitLabel="Assign role"
       onDismiss={onDismiss}
       onSubmit={({ identityId, roleName }) => {
         // TODO: DRY logic

From f3fc0283087d49fa864ccffc9adf98286fd672e5 Mon Sep 17 00:00:00 2001
From: Charlie Park <charlie@oxidecomputer.com>
Date: Mon, 3 Nov 2025 10:35:59 -0800
Subject: [PATCH 17/25] Update header for edit modals

---
 app/forms/project-access.tsx | 9 ++++++++-
 app/forms/silo-access.tsx    | 9 ++++++++-
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/app/forms/project-access.tsx b/app/forms/project-access.tsx
index 50f53ca485..6f967ac2ac 100644
--- a/app/forms/project-access.tsx
+++ b/app/forms/project-access.tsx
@@ -13,11 +13,13 @@ import {
   useApiMutation,
   useApiQueryClient,
 } from '@oxide/api'
+import { Access16Icon } from '@oxide/design-system/icons/react'
 
 import { ListboxField } from '~/components/form/fields/ListboxField'
 import { SideModalForm } from '~/components/form/SideModalForm'
 import { useProjectSelector } from '~/hooks/use-params'
 import { addToast } from '~/stores/toast'
+import { ResourceLabel } from '~/ui/lib/SideModal'
 
 import {
   actorToItem,
@@ -102,7 +104,12 @@ export function ProjectAccessEditUserSideModal({
       form={form}
       formType="edit"
       resourceName="role"
-      title={`Change project role for ${name}`}
+      title="Edit role"
+      subtitle={
+        <ResourceLabel>
+          <Access16Icon /> {name}
+        </ResourceLabel>
+      }
       onSubmit={({ roleName }) => {
         updatePolicy.mutate({
           path: { project },
diff --git a/app/forms/silo-access.tsx b/app/forms/silo-access.tsx
index bb0fc8472d..b254d4c833 100644
--- a/app/forms/silo-access.tsx
+++ b/app/forms/silo-access.tsx
@@ -13,9 +13,11 @@ import {
   useApiMutation,
   useApiQueryClient,
 } from '@oxide/api'
+import { Access16Icon } from '@oxide/design-system/icons/react'
 
 import { ListboxField } from '~/components/form/fields/ListboxField'
 import { SideModalForm } from '~/components/form/SideModalForm'
+import { ResourceLabel } from '~/ui/lib/SideModal'
 
 import {
   actorToItem,
@@ -92,7 +94,12 @@ export function SiloAccessEditUserSideModal({
       form={form}
       formType="edit"
       resourceName="role"
-      title={`Change silo role for ${name}`}
+      title="Edit role"
+      subtitle={
+        <ResourceLabel>
+          <Access16Icon /> {name}
+        </ResourceLabel>
+      }
       onSubmit={({ roleName }) => {
         updatePolicy.mutate({
           body: updateRole({ identityId, identityType, roleName }, policy),

From c6bffdc30ca0527df91f0f7a7fd779811e587244 Mon Sep 17 00:00:00 2001
From: Charlie Park <charlie@oxidecomputer.com>
Date: Mon, 3 Nov 2025 11:10:26 -0800
Subject: [PATCH 18/25] Update string matching in tests

---
 test/e2e/project-access.e2e.ts | 4 +---
 test/e2e/silo-access.e2e.ts    | 2 +-
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/test/e2e/project-access.e2e.ts b/test/e2e/project-access.e2e.ts
index 43fcbc2eff..d4f34d8ce5 100644
--- a/test/e2e/project-access.e2e.ts
+++ b/test/e2e/project-access.e2e.ts
@@ -82,9 +82,7 @@ test('Click through project access page', async ({ page }) => {
     .click()
   await page.click('role=menuitem[name="Change role"]')
 
-  await expectVisible(page, [
-    'role=heading[name*="Change project role for Simone de Beauvoir"]',
-  ])
+  await expectVisible(page, ['role=heading[name*="Edit role"]'])
 
   // Verify Collaborator is currently selected
   await expect(page.getByRole('radio', { name: /^Collaborator / })).toBeChecked()
diff --git a/test/e2e/silo-access.e2e.ts b/test/e2e/silo-access.e2e.ts
index 9c6bbcceb4..720ef8ba19 100644
--- a/test/e2e/silo-access.e2e.ts
+++ b/test/e2e/silo-access.e2e.ts
@@ -61,7 +61,7 @@ test('Click through silo access page', async ({ page }) => {
     .click()
   await page.click('role=menuitem[name="Change role"]')
 
-  await expectVisible(page, ['role=heading[name*="Change silo role for Jacob Klein"]'])
+  await expectVisible(page, ['role=heading[name*="Edit role"]'])
 
   // Verify Collaborator is currently selected
   await expect(page.getByRole('radio', { name: /^Collaborator / })).toBeChecked()

From 0f86eaf92e6dbfd866eba0bde88ec76bd7598ff9 Mon Sep 17 00:00:00 2001
From: David Crespo <david.crespo@oxidecomputer.com>
Date: Mon, 3 Nov 2025 13:20:07 -0600
Subject: [PATCH 19/25] go to great lengths to avoid casting

---
 app/components/form/fields/RadioField.tsx | 14 +++++++++++++-
 app/forms/access-util.tsx                 | 22 ++++++++++++++--------
 app/forms/project-access.tsx              |  4 ++--
 app/forms/silo-access.tsx                 |  4 ++--
 4 files changed, 31 insertions(+), 13 deletions(-)

diff --git a/app/components/form/fields/RadioField.tsx b/app/components/form/fields/RadioField.tsx
index 4e376decc9..f21b97e1e4 100644
--- a/app/components/form/fields/RadioField.tsx
+++ b/app/components/form/fields/RadioField.tsx
@@ -101,11 +101,23 @@ export function RadioField<
 
 type RadioElt = React.ReactElement<RadioProps>
 
+// we do not extend RadioFieldProps here because it limits our ability to type
+// components like RoleRadioField. see https://tsplay.dev/ND13Om
+
 export type RadioFieldDynProps<
   TFieldValues extends FieldValues,
   TName extends FieldPath<TFieldValues>,
-> = Omit<RadioFieldProps<TFieldValues, TName>, 'parseValue' | 'items'> & {
+> = {
+  name: TName
+  label?: string
+  description?: string | React.ReactNode
+  units?: string
+  control: Control<TFieldValues>
   children: RadioElt | RadioElt[]
+  column?: boolean
+  className?: string
+  required?: boolean
+  disabled?: boolean
 }
 
 /**
diff --git a/app/forms/access-util.tsx b/app/forms/access-util.tsx
index 5a53e6aec3..5908dfef26 100644
--- a/app/forms/access-util.tsx
+++ b/app/forms/access-util.tsx
@@ -5,7 +5,7 @@
  *
  * Copyright Oxide Computer Company
  */
-import type { Control } from 'react-hook-form'
+import type { Control, FieldPath, FieldValues } from 'react-hook-form'
 import * as R from 'remeda'
 
 import {
@@ -78,20 +78,26 @@ export type EditRoleModalProps = AddRoleModalProps & {
   defaultValues: { roleName: RoleKey }
 }
 
-type RoleRadioFieldProps = {
-  control: Control<AddUserValues> | Control<{ roleName: RoleKey }>
+export function RoleRadioField<
+  TFieldValues extends FieldValues,
+  TName extends FieldPath<TFieldValues>,
+>({
+  name,
+  control,
+  scope,
+}: {
+  name: TName
+  control: Control<TFieldValues>
   scope: 'Silo' | 'Project'
-}
-
-export function RoleRadioField({ control, scope }: RoleRadioFieldProps) {
+}) {
   const roleDescriptions = scope === 'Silo' ? siloRoleDescriptions : projectRoleDescriptions
   return (
     <>
       <RadioFieldDyn
-        name="roleName"
+        name={name}
         label={`${scope} role`}
         required
-        control={control as Control<AddUserValues>}
+        control={control}
         column
         className="mt-2"
       >
diff --git a/app/forms/project-access.tsx b/app/forms/project-access.tsx
index 6f967ac2ac..9addcd85af 100644
--- a/app/forms/project-access.tsx
+++ b/app/forms/project-access.tsx
@@ -73,7 +73,7 @@ export function ProjectAccessAddUserSideModal({ onDismiss, policy }: AddRoleModa
         required
         control={form.control}
       />
-      <RoleRadioField control={form.control} scope="Project" />
+      <RoleRadioField name="roleName" control={form.control} scope="Project" />
     </SideModalForm>
   )
 }
@@ -120,7 +120,7 @@ export function ProjectAccessEditUserSideModal({
       submitError={updatePolicy.error}
       onDismiss={onDismiss}
     >
-      <RoleRadioField control={form.control} scope="Project" />
+      <RoleRadioField name="roleName" control={form.control} scope="Project" />
     </SideModalForm>
   )
 }
diff --git a/app/forms/silo-access.tsx b/app/forms/silo-access.tsx
index b254d4c833..e816a3095d 100644
--- a/app/forms/silo-access.tsx
+++ b/app/forms/silo-access.tsx
@@ -67,7 +67,7 @@ export function SiloAccessAddUserSideModal({ onDismiss, policy }: AddRoleModalPr
         required
         control={form.control}
       />
-      <RoleRadioField control={form.control} scope="Silo" />
+      <RoleRadioField name="roleName" control={form.control} scope="Silo" />
     </SideModalForm>
   )
 }
@@ -109,7 +109,7 @@ export function SiloAccessEditUserSideModal({
       submitError={updatePolicy.error}
       onDismiss={onDismiss}
     >
-      <RoleRadioField control={form.control} scope="Silo" />
+      <RoleRadioField name="roleName" control={form.control} scope="Silo" />
     </SideModalForm>
   )
 }

From b607d6bbc24cf9734e03190ba12bc1ab17e7b451 Mon Sep 17 00:00:00 2001
From: David Crespo <david.crespo@oxidecomputer.com>
Date: Mon, 3 Nov 2025 17:20:18 -0600
Subject: [PATCH 20/25] also show message box on silo access

---
 app/forms/access-util.tsx | 22 ++++++++++------------
 1 file changed, 10 insertions(+), 12 deletions(-)

diff --git a/app/forms/access-util.tsx b/app/forms/access-util.tsx
index 5908dfef26..b18d7600cf 100644
--- a/app/forms/access-util.tsx
+++ b/app/forms/access-util.tsx
@@ -110,18 +110,16 @@ export function RoleRadioField<
           </Radio>
         ))}
       </RadioFieldDyn>
-      {scope === 'Project' && (
-        <Message
-          variant="info"
-          content={
-            <>
-              A user’s strongest role determines their actual permissions. For example, a
-              silo <HL>admin</HL> assigned a <HL>viewer</HL> role on a project will still
-              have <HL>admin</HL> permissions on that project.
-            </>
-          }
-        />
-      )}
+      <Message
+        variant="info"
+        content={
+          <>
+            A user’s strongest role determines their actual permissions. For example, a silo{' '}
+            <HL>admin</HL> assigned a <HL>viewer</HL> role on a project will still have{' '}
+            <HL>admin</HL> permissions on that project.
+          </>
+        }
+      />
     </>
   )
 }

From c7d60a50aae94a80a394ee31ba64dd487dfc5a69 Mon Sep 17 00:00:00 2001
From: David Crespo <david.crespo@oxidecomputer.com>
Date: Mon, 3 Nov 2025 17:22:23 -0600
Subject: [PATCH 21/25] add space under role radio heading

---
 app/components/form/fields/RadioField.tsx |  4 ++--
 app/forms/instance-create.tsx             | 21 +++------------------
 2 files changed, 5 insertions(+), 20 deletions(-)

diff --git a/app/components/form/fields/RadioField.tsx b/app/components/form/fields/RadioField.tsx
index f21b97e1e4..9319b4996c 100644
--- a/app/components/form/fields/RadioField.tsx
+++ b/app/components/form/fields/RadioField.tsx
@@ -131,7 +131,7 @@ export function RadioFieldDyn<
   TName extends FieldPath<TFieldValues>,
 >({
   name,
-  label = capitalize(name),
+  label,
   description,
   units,
   control,
@@ -146,7 +146,7 @@ export function RadioFieldDyn<
   )
   return (
     <div>
-      <div className="mb-2">
+      <div className="mb-3">
         {label && (
           <FieldLabel id={`${id}-label`}>
             {label} {units && <span className="text-default ml-1">({units})</span>}
diff --git a/app/forms/instance-create.tsx b/app/forms/instance-create.tsx
index 41827bf958..28dc4552d8 100644
--- a/app/forms/instance-create.tsx
+++ b/app/forms/instance-create.tsx
@@ -394,34 +394,19 @@ export default function CreateInstanceForm() {
             </Tabs.Trigger>
           </Tabs.List>
           <Tabs.Content value="general">
-            <RadioFieldDyn
-              name="presetId"
-              label=""
-              control={control}
-              disabled={isSubmitting}
-            >
+            <RadioFieldDyn name="presetId" control={control} disabled={isSubmitting}>
               {renderLargeRadioCards('general')}
             </RadioFieldDyn>
           </Tabs.Content>
 
           <Tabs.Content value="highCPU">
-            <RadioFieldDyn
-              name="presetId"
-              label=""
-              control={control}
-              disabled={isSubmitting}
-            >
+            <RadioFieldDyn name="presetId" control={control} disabled={isSubmitting}>
               {renderLargeRadioCards('highCPU')}
             </RadioFieldDyn>
           </Tabs.Content>
 
           <Tabs.Content value="highMemory">
-            <RadioFieldDyn
-              name="presetId"
-              label=""
-              control={control}
-              disabled={isSubmitting}
-            >
+            <RadioFieldDyn name="presetId" control={control} disabled={isSubmitting}>
               {renderLargeRadioCards('highMemory')}
             </RadioFieldDyn>
           </Tabs.Content>

From 04db59b68608dd537606f86fb1a4a1ad557e8999 Mon Sep 17 00:00:00 2001
From: Charlie Park <charlie@oxidecomputer.com>
Date: Mon, 3 Nov 2025 16:02:33 -0800
Subject: [PATCH 22/25] Bump Omicron version

---
 OMICRON_VERSION                       | 2 +-
 app/api/__generated__/OMICRON_VERSION | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/OMICRON_VERSION b/OMICRON_VERSION
index 65554c7f10..ad0d5dd2e1 100644
--- a/OMICRON_VERSION
+++ b/OMICRON_VERSION
@@ -1 +1 @@
-ceaeadcdcd83c3bfa2e22736c0c4803280bef59f
+a6e111cf72ab987b2ea5acd7d26610ea2a55bf0f
diff --git a/app/api/__generated__/OMICRON_VERSION b/app/api/__generated__/OMICRON_VERSION
index dedfb3ec7e..c092490dd7 100644
--- a/app/api/__generated__/OMICRON_VERSION
+++ b/app/api/__generated__/OMICRON_VERSION
@@ -1,2 +1,2 @@
 # generated file. do not update manually. see docs/update-pinned-api.md
-ceaeadcdcd83c3bfa2e22736c0c4803280bef59f
+a6e111cf72ab987b2ea5acd7d26610ea2a55bf0f

From 580818066652758a0d6818b96182c303f3a12e7c Mon Sep 17 00:00:00 2001
From: David Crespo <david.crespo@oxidecomputer.com>
Date: Mon, 3 Nov 2025 18:03:13 -0600
Subject: [PATCH 23/25] special message text for project and silo access, link
 to docs

---
 app/forms/access-util.tsx | 24 +++++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)

diff --git a/app/forms/access-util.tsx b/app/forms/access-util.tsx
index b18d7600cf..bcf8fc3e16 100644
--- a/app/forms/access-util.tsx
+++ b/app/forms/access-util.tsx
@@ -22,6 +22,7 @@ import { HL } from '~/components/HL'
 import { type ListboxItem } from '~/ui/lib/Listbox'
 import { Message } from '~/ui/lib/Message'
 import { Radio } from '~/ui/lib/Radio'
+import { links } from '~/util/links'
 import { capitalize } from '~/util/str'
 
 type AddUserValues = {
@@ -78,6 +79,11 @@ export type EditRoleModalProps = AddRoleModalProps & {
   defaultValues: { roleName: RoleKey }
 }
 
+const AccessDocs = () => (
+  <a href={links.accessDocs} target="_blank" rel="noreferrer">
+    Access Control
+  </a>
+)
 export function RoleRadioField<
   TFieldValues extends FieldValues,
   TName extends FieldPath<TFieldValues>,
@@ -113,11 +119,19 @@ export function RoleRadioField<
       <Message
         variant="info"
         content={
-          <>
-            A user’s strongest role determines their actual permissions. For example, a silo{' '}
-            <HL>admin</HL> assigned a <HL>viewer</HL> role on a project will still have{' '}
-            <HL>admin</HL> permissions on that project.
-          </>
+          scope === 'Silo' ? (
+            <>
+              Silo roles are inherited by all projects in the silo and override weaker
+              roles. For example, a silo viewer is <em>at least</em> a viewer on all
+              projects in the silo. Learn more in the <AccessDocs /> guide.
+            </>
+          ) : (
+            <>
+              Project roles can be overridden by a stronger role on the silo. For example, a
+              silo viewer is <em>at least</em> a viewer on all projects in the silo. Learn
+              more in the <AccessDocs /> guide.
+            </>
+          )
         }
       />
     </>

From 3d2dd5a376ed721037d0a087776136ac2e490ace Mon Sep 17 00:00:00 2001
From: Charlie Park <charlie@oxidecomputer.com>
Date: Mon, 3 Nov 2025 16:22:50 -0800
Subject: [PATCH 24/25] remove unneeded import

---
 app/forms/access-util.tsx | 1 -
 1 file changed, 1 deletion(-)

diff --git a/app/forms/access-util.tsx b/app/forms/access-util.tsx
index bcf8fc3e16..601acefdea 100644
--- a/app/forms/access-util.tsx
+++ b/app/forms/access-util.tsx
@@ -18,7 +18,6 @@ import {
 import { Badge } from '@oxide/design-system/ui'
 
 import { RadioFieldDyn } from '~/components/form/fields/RadioField'
-import { HL } from '~/components/HL'
 import { type ListboxItem } from '~/ui/lib/Listbox'
 import { Message } from '~/ui/lib/Message'
 import { Radio } from '~/ui/lib/Radio'

From 18c257cee4d10867c79459e22d3c366b5f505a44 Mon Sep 17 00:00:00 2001
From: David Crespo <david.crespo@oxidecomputer.com>
Date: Mon, 3 Nov 2025 18:25:10 -0600
Subject: [PATCH 25/25] final copy

---
 app/forms/access-util.tsx | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)

diff --git a/app/forms/access-util.tsx b/app/forms/access-util.tsx
index 601acefdea..e30aa44785 100644
--- a/app/forms/access-util.tsx
+++ b/app/forms/access-util.tsx
@@ -36,19 +36,18 @@ export const defaultValues: AddUserValues = {
 
 // Role descriptions for project-level roles
 const projectRoleDescriptions: Record<RoleKey, string> = {
-  admin: 'Can control all aspects of the project.',
-  collaborator: 'Can manage all resources, including networking.',
-  limited_collaborator: 'Can manage compute resources. Cannot manage networking.',
-  viewer: 'Can read most resources within the project.',
+  admin: 'Control all aspects of the project',
+  collaborator: 'Manage all project resources, including networking',
+  limited_collaborator: 'Manage project resources except networking configuration',
+  viewer: 'View resources within the project',
 }
 
 // Role descriptions for silo-level roles
 const siloRoleDescriptions: Record<RoleKey, string> = {
-  admin: 'Can control all aspects of the silo.',
-  collaborator: 'Can create and own projects. Grants project admin role on all projects.',
-  limited_collaborator:
-    'Can read most resources within the silo. Grants limited collaborator role on all projects.',
-  viewer: 'Can read most resources within the silo. Grants project viewer role.',
+  admin: 'Control all aspects of the silo',
+  collaborator: 'Create and administer projects',
+  limited_collaborator: 'Manage project resources except networking configuration',
+  viewer: 'View resources within the silo',
 }
 
 export const actorToItem = (actor: Actor): ListboxItem => ({