SpecterOps · d3vzer0 · Apr 21, 2026 · Apr 21, 2026 · Apr 21, 2026 · Apr 21, 2026
diff --git a/descriptions/edges/GH_CanEditProtection.md b/descriptions/edges/GH_CanEditProtection.md
@@ -1,6 +1,6 @@
 ## General Information
 
-The traversable GH_CanEditProtection edge is a computed edge indicating that a role can modify or remove the branch protection rules governing a specific branch. This edge is emitted when the role has GH_EditRepoProtections or GH_AdminTo permissions and the branch is covered by at least one branch protection rule. The edge targets the protected branch (not the BPR itself) because the security impact is evaluated per-branch — a role that can weaken or remove protections on a branch can subsequently push code to it, representing a privilege escalation path.
+The traversable GH_CanEditProtection edge is a computed edge indicating that a role can modify or remove branch protection rules in a repository. This edge is emitted when the role has GH_EditRepoProtections or GH_AdminTo permissions and the repository contains at least one protected branch. Repo-targeted edges model the repo-wide security impact for attack path traversal; branch-targeted edges are also emitted as supporting evidence for each protected branch governed by those rules.
 
 ## Scenarios
 
@@ -13,6 +13,7 @@ graph LR
     role("GH_RepoRole admin") -->|GH_AdminTo| repo("GH_Repository")
     repo -->|GH_HasBranch| branch("GH_Branch main")
     bpr("GH_BranchProtectionRule") -->|GH_ProtectedBy| branch
+    role ==>|GH_CanEditProtection| repo
     role ==>|GH_CanEditProtection| branch
 ```
 
@@ -25,5 +26,6 @@ graph LR
     role("GH_RepoRole custom") -->|GH_EditRepoProtections| repo("GH_Repository")
     repo -->|GH_HasBranch| branch("GH_Branch main")
     bpr("GH_BranchProtectionRule") -->|GH_ProtectedBy| branch
+    role ==>|GH_CanEditProtection| repo
     role ==>|GH_CanEditProtection| branch
 ```
diff --git a/extension/privilege_zone_rules/t0-all-repo-admin-role.json b/extension/privilege_zone_rules/t0-all-repo-admin-role.json
@@ -1,7 +1,7 @@
 {
   "name": "GitHub: Tier Zero All-Repo Admin Role",
   "description": "The synthetic all_repo_admin role grants admin access to every repository in the organization. This role is inherited by the owners role via GH_HasBaseRole and cascades admin permissions including branch protection editing, secret access, and deploy key management to all repositories.",
-  "cypher": "MATCH (n:GH_OrgRole)\nWHERE n.name ENDS\nWITH '/all_repo_admin'\nRETURN n",
+  "cypher": "MATCH (n:GH_OrgRole)\nWHERE n.name CONTAINS 'ALL_REPO_ADMIN'\nRETURN n",
   "enabled": true,
   "zone": "Tier Zero",
   "allow_disable": true

diff --git a/extension/schema.json b/extension/schema.json
@@ -2,7 +2,7 @@
   "schema": {
     "name": "SOGitHub",
     "display_name": "GitHub Extension (by SpecterOps)",
-    "version": "v1.2.2",
+    "version": "v1.2.3",
     "namespace": "GH"
   },
   "node_kinds": [
@@ -648,7 +648,7 @@
     },
     {
       "name": "GH_CanEditProtection",
-      "description": "[Repository - Computed] Repo role can modify or remove the branch protection rules governing this branch (computed from GH_EditRepoProtections + GH_ProtectedBy)",
+      "description": "[Repository - Computed] Repo role can modify or remove branch protection rules for the repository/branch (computed from GH_EditRepoProtections + GH_ProtectedBy)",
       "is_traversable": true
     },
     {