I've been looking for exactly this functionality and have been amazed that it’s not been around. For me it would reduce multi-site administration of capabilities across all sub-sites, where the sites are really just an extension of the main site.
In trialling for a multi-site install I've been looking at the code and can see that if the SHARED_USER_TABLE_ROLES_PREFIX constant is based on a sub-site (e.g. default “wp_6_” prefix say) then the plugin shouldn't be enabled on the primary site (e.g. default “wp_” prefix).
If the SHARED_USER_TABLE_ROLES_PREFIX constant is the base site itself (e.g. default “wp_” prefix) then it could be enabled over the whole network.
So doing this and Network activating what I’ve found is that the main role of a user gets propagated fine, but I’m not seeing other roles or capabilities propagating.
I don't see the roles propagated down from physically in the wp_options, so for example table wp_17_options and option_name = ‘wp_17_user_roles’ is not the same as table wp_options and option_name = ‘wp_user_roles’… however I would expect them not to be the same from the code hooking on the filter and replacing the capabilities.
What I don’t see is all the roles or capabilities showing up in each site on the admin side. Using the plugin “User Role Editor” the roles/capabilities can't be seen would you expect to visually see all roles/capabilities there?
or is this an issue with the time the hook/filtering occurs?
Really glad your sharing your code :-).