diff --git a/descriptions/edges/GH_CanEditProtection.md b/descriptions/edges/GH_CanEditProtection.md index 455e7eb..d36e4bf 100644 --- a/descriptions/edges/GH_CanEditProtection.md +++ b/descriptions/edges/GH_CanEditProtection.md @@ -1,6 +1,6 @@ ## General Information -The traversable GH_CanEditProtection edge is a computed edge indicating that a role can modify or remove the branch protection rules governing a specific branch. This edge is emitted when the role has GH_EditRepoProtections or GH_AdminTo permissions and the branch is covered by at least one branch protection rule. The edge targets the protected branch (not the BPR itself) because the security impact is evaluated per-branch — a role that can weaken or remove protections on a branch can subsequently push code to it, representing a privilege escalation path. +The traversable GH_CanEditProtection edge is a computed edge indicating that a role can modify or remove branch protection rules in a repository. This edge is emitted when the role has GH_EditRepoProtections or GH_AdminTo permissions and the repository contains at least one protected branch. Repo-targeted edges model the repo-wide security impact for attack path traversal; branch-targeted edges are also emitted as supporting evidence for each protected branch governed by those rules. ## Scenarios @@ -13,6 +13,7 @@ graph LR role("GH_RepoRole admin") -->|GH_AdminTo| repo("GH_Repository") repo -->|GH_HasBranch| branch("GH_Branch main") bpr("GH_BranchProtectionRule") -->|GH_ProtectedBy| branch + role ==>|GH_CanEditProtection| repo role ==>|GH_CanEditProtection| branch ``` @@ -25,5 +26,6 @@ graph LR role("GH_RepoRole custom") -->|GH_EditRepoProtections| repo("GH_Repository") repo -->|GH_HasBranch| branch("GH_Branch main") bpr("GH_BranchProtectionRule") -->|GH_ProtectedBy| branch + role ==>|GH_CanEditProtection| repo role ==>|GH_CanEditProtection| branch ``` 
diff --git a/extension/privilege_zone_rules/t0-all-repo-admin-role.json b/extension/privilege_zone_rules/t0-all-repo-admin-role.json
index eff2bed..4b61324 100644
--- a/extension/privilege_zone_rules/t0-all-repo-admin-role.json
+++ b/extension/privilege_zone_rules/t0-all-repo-admin-role.json
@@ -1,7 +1,7 @@
 {
 "name": "GitHub: Tier Zero All-Repo Admin Role",
 "description": "The synthetic all_repo_admin role grants admin access to every repository in the organization. This role is inherited by the owners role via GH_HasBaseRole and cascades admin permissions including branch protection editing, secret access, and deploy key management to all repositories.",
- "cypher": "MATCH (n:GH_OrgRole)\nWHERE n.name ENDS\nWITH '/all_repo_admin'\nRETURN n",
+ "cypher": "MATCH (n:GH_OrgRole)\nWHERE n.name CONTAINS 'ALL_REPO_ADMIN'\nRETURN n",
 "enabled": true,
 "zone": "Tier Zero",
 "allow_disable": true
diff --git a/extension/schema.json b/extension/schema.json
index b0d2b87..026e5b3 100644
--- a/extension/schema.json
+++ b/extension/schema.json
@@ -2,7 +2,7 @@
 "schema": {
 "name": "SOGitHub",
 "display_name": "GitHub Extension (by SpecterOps)",
- "version": "v1.2.2",
+ "version": "v1.2.3",
 "namespace": "GH"
 },
 "node_kinds": [
@@ -648,7 +648,7 @@
 },
 {
 "name": "GH_CanEditProtection",
- "description": "[Repository - Computed] Repo role can modify or remove the branch protection rules governing this branch (computed from GH_EditRepoProtections + GH_ProtectedBy)",
+ "description": "[Repository - Computed] Repo role can modify or remove branch protection rules for the repository/branch (computed from GH_EditRepoProtections + GH_ProtectedBy)",
 "is_traversable": true
 },
 {
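Review bot: The new predicate `n.name CONTAINS 'ALL_REPO_ADMIN'` on the `+ "cypher"` line tags any GH_OrgRole whose name merely contains that substring as Tier Zero, whereas the removed suffix match was bounded to a name ending in `/all_repo_admin`; GitHub custom org role names are chosen by org admins, so an unrelated role whose label happens to contain that string would be pulled into the privilege zone, and the rule now keys a Tier Zero classification on a user-influenced string rather than on the synthetic role's fixed identity. If the change was only about casing, keep the anchor and update the case, `WHERE n.name ENDS WITH '/ALL_REPO_ADMIN'`, or compare against the exact synthetic name if the collector emits a fixed form; the collector is not visible here, so confirm how the synthetic role is actually named before settling on either. The description two lines above still spells the role `all_repo_admin` in lowercase, so align it with whatever casing the query ends up matching to avoid a misleading rule description.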
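Review bot: The rewritten `+ "description"` line for GH_CanEditProtection still says the edge is computed from `GH_EditRepoProtections + GH_ProtectedBy`, but the edge description updated in this same commit says it is also emitted for roles holding GH_AdminTo and that repo-targeted edges carry the attack-path semantics while branch-targeted edges are supporting evidence; a schema description that understates who receives the edge will mislead anyone triaging a path. Suggested wording: `"description": "[Repository - Computed] Repo role can modify or remove branch protection rules; emitted to the repository (attack-path edge) and to each protected branch (supporting evidence). Computed from GH_EditRepoProtections or GH_AdminTo + GH_ProtectedBy"`. That derivation comes from the markdown in this commit rather than from the schema file itself, so confirm it against the edge-computation code before changing the text.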