diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml index 3097fd2a..5bfec3da 100644 --- a/.github/workflows/claude-code-review.yml +++ b/.github/workflows/claude-code-review.yml @@ -2,15 +2,7 @@ name: "Claude Code Review" "on": pull_request: - types: - [ - "opened", - "synchronize", - "ready_for_review", - "reopened", - "labeled", - "edited", - ] + types: ["opened", "synchronize", "ready_for_review", "reopened", "labeled", "edited"] # Optional: Only run on specific file changes # paths: # - "src/**/*.ts" diff --git a/.oxfmtrc.jsonc b/.oxfmtrc.jsonc new file mode 100644 index 00000000..5184924e --- /dev/null +++ b/.oxfmtrc.jsonc @@ -0,0 +1,4 @@ +{ + "$schema": "./node_modules/oxfmt/configuration_schema.json", + "ignorePatterns": ["pnpm-lock.yaml", "app/spicedb/concepts/commands/page.mdx"], +} diff --git a/.prettierignore b/.prettierignore deleted file mode 100644 index 00e57a42..00000000 --- a/.prettierignore +++ /dev/null @@ -1,2 +0,0 @@ -pnpm-lock.yaml -app/spicedb/concepts/commands/page.mdx diff --git a/app/authzed/concepts/authzed-materialize/page.mdx b/app/authzed/concepts/authzed-materialize/page.mdx index 4155a44a..0c8a51af 100644 --- a/app/authzed/concepts/authzed-materialize/page.mdx +++ b/app/authzed/concepts/authzed-materialize/page.mdx @@ -3,9 +3,9 @@ import { Callout } from "nextra/components"; # AuthZed Materialize - AuthZed Materialize is available to users of AuthZed [Dedicated] as part of an - early access program. Don't hesitate to get in touch with your AuthZed account - team if you would like to participate. + AuthZed Materialize is available to users of AuthZed [Dedicated] as part of an early access + program. Don't hesitate to get in touch with your AuthZed account team if you would like to + participate. AuthZed Materialize takes inspiration from the Leopard index component described in the [Zanzibar paper](https://zanzibar.tech/2IoYDUFMAE:0:T). 
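Review bot: The new `.oxfmtrc.jsonc` pins no line width, yet every mdx hunk in this commit is a re-wrap from roughly 80 to 100 columns, so the repository's wrap width now rests on oxfmt's built-in default rather than on checked-in configuration. If oxfmt's schema exposes it (the tool is Prettier-compatible, so `printWidth` is the likely key), add `"printWidth": 100,` next to `ignorePatterns` so a future change of the default cannot re-churn every page. The `ignorePatterns` list mirrors the deleted `.prettierignore` exactly, which looks intentional; anything else that consumed `.prettierignore` (editor integrations, other hooks) is outside this diff and would need checking separately.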
@@ -74,8 +74,8 @@ In situations like these, one may want to store the events in batches, and in su If a failure happened in between those batches, the consumer will be able to restart processing from the start of the revision and idempotently overwrite whatever events were already in place. - Change events are stored up to 24h to make sure Materialize storage does not - grow unbounded and affect its performance. + Change events are stored up to 24h to make sure Materialize storage does not grow unbounded and + affect its performance. ## Configuration @@ -90,9 +90,8 @@ resource#edit@user ``` - During early access provisioning, Materialize instances are not self-service, - so you’ll need to provide the permissions to be computed by Materialize - directly to your AuthZed account team. + During early access provisioning, Materialize instances are not self-service, so you’ll need to + provide the permissions to be computed by Materialize directly to your AuthZed account team. ### Relational Database @@ -427,8 +426,8 @@ The AuthZed team has optimized Materialize to reduce the number of instances whe To determine if a schema change is breaking, we provide the `materialize-cli` tool. - `materialize-cli` is still in early development, please reach out to us if you - want to try it as part of AuthZed Materialize early access. + `materialize-cli` is still in early development, please reach out to us if you want to try it as + part of AuthZed Materialize early access. #### Errors 
@@ -458,10 +457,9 @@ This is useful when the client has been notified a [breaking schema change] occu If both `optional_at_revision` and `optional_starting_after` are provided, the latter always takes precedence. - Client **must** provide the revision token after a [breaking schema change] - through `optional_starting_after`, otherwise Materialize will start streaming - permission sets for whatever snapshot revision is available at the moment, and - won't reflect the schema changes. + Client **must** provide the revision token after a [breaking schema change] through + `optional_starting_after`, otherwise Materialize will start streaming permission sets for whatever + snapshot revision is available at the moment, and won't reflect the schema changes. The current cursor is provided with each event in the stream, so if the consumer client crashes it knows where to restart from, alongside the revision at which the data is computed. @@ -478,10 +476,10 @@ In the event of the customer consumer being restarted, it should: - Resume ingestion as usual - While AuthZed treats correctness very seriously, bugs may be identified that - affect the correctness of the denormalized permissions computed by - Materialize. Those incidents should be rare, but consumers must have all the - machinery in place to re-index via [LookupPermissionSets] at any given time. + While AuthZed treats correctness very seriously, bugs may be identified that affect the + correctness of the denormalized permissions computed by Materialize. Those incidents should be + rare, but consumers must have all the machinery in place to re-index via [LookupPermissionSets] at + any given time. #### Reindexing After A Breaking Schema Change 
@@ -519,8 +517,8 @@ Once your index is ingested and is updated with [WatchPermissionSets], your appl This strategy requires more steps and careful planning, but in exchange completely avoids any lag. - For the time being, Materialize instances are not self-serve, so you'll need - to work with your Account Team to execute the off-band ingestion strategy. + For the time being, Materialize instances are not self-serve, so you'll need to work with your + Account Team to execute the off-band ingestion strategy. #### Request diff --git a/app/authzed/concepts/private-networking/page.mdx b/app/authzed/concepts/private-networking/page.mdx index fb525a1a..f8d0b3ac 100644 --- a/app/authzed/concepts/private-networking/page.mdx +++ b/app/authzed/concepts/private-networking/page.mdx @@ -10,8 +10,8 @@ By adding this additional layer of security, entire classes of security risk are In the scenario you choose not to use Private Networking, AuthZed Dedicated can alternatively be configured for access over the open internet. - Private networking is recommended, but optional. Authzed Dedicated can be - configured to allow for connecting from the public internet. + Private networking is recommended, but optional. Authzed Dedicated can be configured to allow for + connecting from the public internet. ## Architecture diff --git a/app/authzed/concepts/restricted-api-access/page.mdx b/app/authzed/concepts/restricted-api-access/page.mdx index 56429dff..3a55da9c 100644 --- a/app/authzed/concepts/restricted-api-access/page.mdx +++ b/app/authzed/concepts/restricted-api-access/page.mdx 
@@ -31,15 +31,12 @@ SpiceDB clients must provide a Token in the Authorization header of an API reque Service Accounts can have an arbitrary number of Tokens. - We recommend deploying new Tokens before deprovisioning any old Tokens to - avoid downtime. + We recommend deploying new Tokens before deprovisioning any old Tokens to avoid downtime. #### Token Format - - The entire contents of a Token is considered secret. - +The entire contents of a Token is considered secret. Tokens come in the form of `{prefix}_{key}`. @@ -100,11 +97,10 @@ Policies are what bind Roles to a Service Account. Each policy is composed of a unique identifier for the policy itself, the principal (the target of the role assignment), and any roles being assigned. - **Policies are additive.** When multiple policies apply to the same Service - Account, the resulting permissions are the union of all permissions granted by - those policies. This means a Service Account with multiple policies will have - access to any API method allowed by any of its policies. For example, if one - policy grants read access and another grants write access, the Service Account + **Policies are additive.** When multiple policies apply to the same Service Account, the resulting + permissions are the union of all permissions granted by those policies. This means a Service + Account with multiple policies will have access to any API method allowed by any of its policies. + For example, if one policy grants read access and another grants write access, the Service Account will have both read and write access. @@ -221,8 +217,7 @@ Use the following command-line flags: If you set `--extender-authzed-fgam-endpoint` to a file, it must be a YAML configuration file. - This configuration file should be treated like a secret because it contains - token hashes. + This configuration file should be treated like a secret because it contains token hashes. Here's an example showcasing the structure of static configuration: 
diff --git a/app/authzed/guides/setting-up-private-networking/page.mdx b/app/authzed/guides/setting-up-private-networking/page.mdx index 9a429399..8c209256 100644 --- a/app/authzed/guides/setting-up-private-networking/page.mdx +++ b/app/authzed/guides/setting-up-private-networking/page.mdx @@ -8,8 +8,8 @@ This guide walks through setting up AuthZed Dedicated [Private Networking]. [Private Networking]: ../concepts/private-networking - Private networking is recommended, but optional. Authzed Dedicated can be - configured to allow for connecting from the public internet. + Private networking is recommended, but optional. Authzed Dedicated can be configured to allow for + connecting from the public internet. ## AWS Steps diff --git a/app/layout.tsx b/app/layout.tsx index 22034822..78de1e2b 100644 --- a/app/layout.tsx +++ b/app/layout.tsx @@ -44,8 +44,7 @@ export const generateMetadata = async ( export default async function RootLayout({ children }) { const pageMap = await getPageMap(); - const enableSearch = - process.env.NEXT_PUBLIC_ENABLE_SEARCH_BLOG_INTEGRATION === "true"; + const enableSearch = process.env.NEXT_PUBLIC_ENABLE_SEARCH_BLOG_INTEGRATION === "true"; const navbar = ( - +

SpiceDB Documentation

diff --git a/app/spicedb/concepts/caveats/page.mdx b/app/spicedb/concepts/caveats/page.mdx index 7129ee21..3b4eaf08 100644 --- a/app/spicedb/concepts/caveats/page.mdx +++ b/app/spicedb/concepts/caveats/page.mdx @@ -207,9 +207,9 @@ zed check -r resource:specificresource#view -p view -s user:specificuser --cavea ``` - Please note the use of single quotes to escape the characters in the JSON - representation of the context. You don't need character escaping when - providing context using zed in the Authzed Playground. + Please note the use of single quotes to escape the characters in the JSON representation of the + context. You don't need character escaping when providing context using zed in the Authzed + Playground. ## Full Example diff --git a/app/spicedb/concepts/consistency/page.mdx b/app/spicedb/concepts/consistency/page.mdx index 82dbb906..ab86dc1e 100644 --- a/app/spicedb/concepts/consistency/page.mdx +++ b/app/spicedb/concepts/consistency/page.mdx @@ -52,8 +52,7 @@ Consistency is provided via the [Consistency message][msg] on supported API call `minimize_latency` will attempt to minimize the latency of the API call by selecting data that is most likely to exist in the cache. - If used exclusively, this can lead to a window of time where the [New Enemy - Problem] can occur. + If used exclusively, this can lead to a window of time where the [New Enemy Problem] can occur. [New Enemy Problem]: ./zanzibar#new-enemy-problem diff --git a/app/spicedb/concepts/datastore-migrations/page.mdx b/app/spicedb/concepts/datastore-migrations/page.mdx index 8ff88191..c53e0e8a 100644 --- a/app/spicedb/concepts/datastore-migrations/page.mdx +++ b/app/spicedb/concepts/datastore-migrations/page.mdx 
@@ -9,10 +9,9 @@ Transitioning between versions is often as simple as executing a new binary or c Releases that include changes to datastore (for example, adding a new index) can require that users run a command to update the datastore version. - This page explains migrating the schema of a datastore underlying SpiceDB. If - you need information about migrating between SpiceDB instances, go - [here](/spicedb/ops/data/migrations). If you need information about making - changes to a SpiceDB schema that result in a migration, go + This page explains migrating the schema of a datastore underlying SpiceDB. If you need information + about migrating between SpiceDB instances, go [here](/spicedb/ops/data/migrations). If you need + information about making changes to a SpiceDB schema that result in a migration, go [here](/spicedb/modeling/migrating-schema). @@ -26,9 +25,8 @@ Releases that include changes to datastore (for example, adding a new index) can Before a datastore can be used by SpiceDB or before running a new version of SpiceDB, you must execute all available migrations. - All datastores supported by SpiceDB (CockroachDB, MySQL, etc) support - migrations. The only exception is the [memdb datastore](datastores#memdb) - because it does not persist any data. + All datastores supported by SpiceDB (CockroachDB, MySQL, etc) support migrations. The only + exception is the [memdb datastore](datastores#memdb) because it does not persist any data. For this purpose, the SpiceDB binary contains a migration command, `spicedb datastore migrate`. To migrate your datastore to the latest revision, run the following command with your desired values: diff --git a/app/spicedb/concepts/datastores/page.mdx b/app/spicedb/concepts/datastores/page.mdx index b1f7a4b3..2d5d97f0 100644 --- a/app/spicedb/concepts/datastores/page.mdx +++ b/app/spicedb/concepts/datastores/page.mdx 
@@ -325,8 +325,8 @@ If you run into this issue, the fix is [documented here](https://authzed.com/doc ### Read Replicas - Do not use a load balancer between SpiceDB and MySQL replicas because SpiceDB - will not be able to maintain consistency guarantees. + Do not use a load balancer between SpiceDB and MySQL replicas because SpiceDB will not be able to + maintain consistency guarantees. SpiceDB supports MySQL read replicas and does it while retaining consistency guarantees. @@ -360,8 +360,7 @@ Read replicas are configured with the `--datastore-read-replica-*` family of fla | `datastore-conn-uri` | connection string used to connect to MySQL | `--datastore-conn-uri="user:password@(localhost:3306)/spicedb?parseTime=True"` | - SpiceDB requires `--datastore-conn-uri` to contain the query parameter - `parseTime=True`. + SpiceDB requires `--datastore-conn-uri` to contain the query parameter `parseTime=True`. #### Optional Parameters @@ -402,8 +401,8 @@ Read replicas are configured with the `--datastore-read-replica-*` family of fla - Cannot be ran highly-available as multiple instances will not share the same in-memory data - If you need an ephemeral datastore designed for validation or testing, see the - test server system in [Validating and Testing] + If you need an ephemeral datastore designed for validation or testing, see the test server system + in [Validating and Testing] [validating and testing]: /spicedb/modeling/validation-testing-debugging diff --git a/app/spicedb/concepts/expiring-relationships/page.mdx b/app/spicedb/concepts/expiring-relationships/page.mdx index 36832ced..f477c225 100644 --- a/app/spicedb/concepts/expiring-relationships/page.mdx +++ b/app/spicedb/concepts/expiring-relationships/page.mdx 
@@ -21,13 +21,12 @@ The time must be specified in [RFC 3339 format]. [RFC 3339 format]: https://datatracker.ietf.org/doc/html/rfc3339#section-5.8 - The clock used to determine if a relationship is expired is that of the - underlying SpiceDB datastore. This gets trickier when using distributed - databases like CockroachDB or Spanner, where clocks have an uncertainty range. - When operating your own database, it's key to keep node clocks in sync - we - recommend services like [Amazon Time Sync - Service](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-time.html). - You should evaluate the impact of clock drift in your application. + The clock used to determine if a relationship is expired is that of the underlying SpiceDB + datastore. This gets trickier when using distributed databases like CockroachDB or Spanner, where + clocks have an uncertainty range. When operating your own database, it's key to keep node clocks + in sync - we recommend services like [Amazon Time Sync + Service](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-time.html). You should evaluate + the impact of clock drift in your application. ## Schema @@ -72,10 +71,9 @@ WriteRelationshipsRequest { ``` - When using the WriteRelationships API, it is recommended to always use the - TOUCH operation to create and update expiring relationships. If a relationship - has expired but has not yet been garbage collected, using the CREATE operation - will return an error for that relationship. + When using the WriteRelationships API, it is recommended to always use the TOUCH operation to + create and update expiring relationships. If a relationship has expired but has not yet been + garbage collected, using the CREATE operation will return an error for that relationship. ## Playground 
@@ -115,11 +113,11 @@ the datastore chosen. Relationships will be reclaimed after 24 hours by default. - The GC Window should be adjusted according to the application's needs. How far - back in time does your application need to go? If this is a common use case, - we recommend drastically reducing the GC window (e.g., 1 hour or 30 minutes). - This means SpiceDB will have to evaluate less data when serving authorization - checks, which can improve performance drastically in large-scale deployments. + The GC Window should be adjusted according to the application's needs. How far back in time does + your application need to go? If this is a common use case, we recommend drastically reducing the + GC window (e.g., 1 hour or 30 minutes). This means SpiceDB will have to evaluate less data when + serving authorization checks, which can improve performance drastically in large-scale + deployments. ## Migrating Off Of Expiration With Caveats diff --git a/app/spicedb/concepts/querying-data/page.mdx b/app/spicedb/concepts/querying-data/page.mdx index 395135d8..8df40614 100644 --- a/app/spicedb/concepts/querying-data/page.mdx +++ b/app/spicedb/concepts/querying-data/page.mdx 
@@ -5,16 +5,14 @@ import { Callout } from "nextra/components"; This page walks through the main ways to query data in SpiceDB. The options are listed roughly in the order of how often you should be calling them, and roughly in order of their expected performance. Choose the one that makes sense for your use case, but consider whether your use case actually requires the call you're looking at. - In most of the APIs below, if you want to be able to read your write, you can - pass a `consistency` parameter to the queries. Use either `fully_consistent` - or `at_least_as_fresh(revision)` depending on how strict you need to be. See - [Consistency](consistency) for more details. + In most of the APIs below, if you want to be able to read your write, you can pass a `consistency` + parameter to the queries. Use either `fully_consistent` or `at_least_as_fresh(revision)` depending + on how strict you need to be. See [Consistency](consistency) for more details. - When invoking any of our APIs, you can send a header `X-Request-ID=somevalue` - and it will be echoed back in the response, which makes correlating logs or - tracing requests easy. + When invoking any of our APIs, you can send a header `X-Request-ID=somevalue` and it will be + echoed back in the response, which makes correlating logs or tracing requests easy. ## Check Permission diff --git a/app/spicedb/concepts/schema/page.mdx b/app/spicedb/concepts/schema/page.mdx index 8c207be1..5661da16 100644 --- a/app/spicedb/concepts/schema/page.mdx +++ b/app/spicedb/concepts/schema/page.mdx 
@@ -145,8 +145,8 @@ document:public#viewer@user:* Now _any_ user (present or future) that exists in SpiceDB is a `viewer` of object `document:public`. - Be **very careful** with wildcard support in your schema! **Only** grant it to - read permissions, unless you intend to allow for universal writing. + Be **very careful** with wildcard support in your schema! **Only** grant it to read permissions, + unless you intend to allow for universal writing. ### Naming Relations @@ -189,9 +189,9 @@ definition document { ``` - When writing relationships in SpiceDB, you cannot write a relationship that - references a *permission*, only a relationship that references a *relation*. - This means that it's easy to change a permission, but not a relation. + When writing relationships in SpiceDB, you cannot write a relationship that references a + *permission*, only a relationship that references a *relation*. This means that it's easy to + change a permission, but not a relation. ### Operations @@ -323,9 +323,8 @@ definition document { ``` - It is _recommended_ that the right side of all arrows refer to - **permissions**, instead of relations, as this allows for easy nested - computation, and is more readable. + It is _recommended_ that the right side of all arrows refer to **permissions**, instead of + relations, as this allows for easy nested computation, and is more readable. ##### Subject relations and Arrows 
@@ -344,12 +343,10 @@ definition resource { The arrow `parent->something` refers to the `something` permission on the **group**, and `#member` will be ignored. - It is recommended to not use arrows over relations that allow for subject - relations without noting that fact via a comment. Why? In one word: - performance. If arrows operated over the subject's relation or permission, a - full LookupSubjects call would be necessary for the arrow to correctly "walk", - which would make these CheckPermission requests potentially *incredibly* - expensive. + It is recommended to not use arrows over relations that allow for subject relations without noting + that fact via a comment. Why? In one word: performance. If arrows operated over the subject's + relation or permission, a full LookupSubjects call would be necessary for the arrow to correctly + "walk", which would make these CheckPermission requests potentially *incredibly* expensive. #### .any (Arrow) @@ -413,8 +410,8 @@ definition document { In the above example, the user must be in the `member` relation for _all_ groups defined on the `group` relation of a document in order to have the `view` permission. - Intersection arrows can impact performance since they require loading **all** - results for the arrow. + Intersection arrows can impact performance since they require loading **all** results for the + arrow. ### The `self` Keyword 
@@ -461,10 +458,9 @@ Examples: | `member` | is member of the object | - You'll note that we also used `member` above in the relation example. Defining - `member` as a **permission** might be found when you have multiple "ways" a - subject can be a member of a resource, thus changing it from a simple relation - to a _computed_ set of subjects. + You'll note that we also used `member` above in the relation example. Defining `member` as a + **permission** might be found when you have multiple "ways" a subject can be a member of a + resource, thus changing it from a simple relation to a _computed_ set of subjects. ### Private/Internal Identifiers @@ -501,8 +497,7 @@ This convention is useful for: ### Documentation Comments - It is **highly** recommended to put doc comments on all definitions, relations - and permissions. + It is **highly** recommended to put doc comments on all definitions, relations and permissions. ```zed diff --git a/app/spicedb/concepts/watch/page.mdx b/app/spicedb/concepts/watch/page.mdx index 24d0f608..7f814457 100644 --- a/app/spicedb/concepts/watch/page.mdx +++ b/app/spicedb/concepts/watch/page.mdx @@ -60,9 +60,8 @@ for resp in watcher: ``` - Historical changes can only be requested until the configured garbage - collection window on the underlying datastore. This is typically 24 hours, but - may differ based on the datastore used. + Historical changes can only be requested until the configured garbage collection window on the + underlying datastore. This is typically 24 hours, but may differ based on the datastore used. ### Ensuring continuous processing diff --git a/app/spicedb/getting-started/client-libraries/page.mdx b/app/spicedb/getting-started/client-libraries/page.mdx index b90fc4a2..650a0668 100644 --- a/app/spicedb/getting-started/client-libraries/page.mdx +++ b/app/spicedb/getting-started/client-libraries/page.mdx 
@@ -36,9 +36,8 @@ If SpiceDB is started without TLS, use insecure plaintext credentials: `credentials: :this_channel_is_insecure` `.usePlaintext()` - `ChannelCredentials.Insecure` with `UnsafeUseInsecureChannelCallCredentials - = true` (also requires - `AppContext.SetSwitch("System.Net.Http.SocketsHttpHandler.Http2UnencryptedSupport", + `ChannelCredentials.Insecure` with `UnsafeUseInsecureChannelCallCredentials = true` (also + requires `AppContext.SetSwitch("System.Net.Http.SocketsHttpHandler.Http2UnencryptedSupport", true)`) diff --git a/app/spicedb/getting-started/coming-from/cancancan/page.mdx b/app/spicedb/getting-started/coming-from/cancancan/page.mdx index 5a8834c5..2bffbe9b 100644 --- a/app/spicedb/getting-started/coming-from/cancancan/page.mdx +++ b/app/spicedb/getting-started/coming-from/cancancan/page.mdx @@ -11,8 +11,8 @@ import SpiceDBDark from "@/public/images/ps-spicedb-dark.svg"; This document is designed to cover the conceptual differences between SpiceDB and the popular Ruby on Rails gem CanCanCan. - The focus of the content below is not intended to be a competitive analysis, - but rather a bridge to understand SpiceDB for existing Rails users. + The focus of the content below is not intended to be a competitive analysis, but rather a bridge + to understand SpiceDB for existing Rails users. ## SpiceDB vs CanCanCan diff --git a/app/spicedb/getting-started/coming-from/opa/page.mdx b/app/spicedb/getting-started/coming-from/opa/page.mdx index 70fe2fda..bc946b68 100644 --- a/app/spicedb/getting-started/coming-from/opa/page.mdx +++ b/app/spicedb/getting-started/coming-from/opa/page.mdx 
@@ -11,8 +11,8 @@ import SpiceDBDark from "@/public/images/ps-spicedb-dark.svg"; This document is designed to cover the conceptual differences between SpiceDB and Open Policy Agent (OPA). - The focus of the content below is not intended to be a competitive analysis, - but rather a bridge to understand SpiceDB for existing OPA users. + The focus of the content below is not intended to be a competitive analysis, but rather a bridge + to understand SpiceDB for existing OPA users. ## SpiceDB vs OPA diff --git a/app/spicedb/getting-started/discovering-spicedb/page.mdx b/app/spicedb/getting-started/discovering-spicedb/page.mdx index feead7ad..bd9eb976 100644 --- a/app/spicedb/getting-started/discovering-spicedb/page.mdx +++ b/app/spicedb/getting-started/discovering-spicedb/page.mdx @@ -1,9 +1,5 @@ import { Cards } from "nextra/components"; -import { - faQuestion, - faHand, - faDollarSign, -} from "@fortawesome/free-solid-svg-icons"; +import { faQuestion, faHand, faDollarSign } from "@fortawesome/free-solid-svg-icons"; import { FontAwesomeIcon } from "@fortawesome/react-fontawesome"; # SpiceDB Documentation diff --git a/app/spicedb/getting-started/install/kubernetes/page.mdx b/app/spicedb/getting-started/install/kubernetes/page.mdx index 3955d768..08c57891 100644 --- a/app/spicedb/getting-started/install/kubernetes/page.mdx +++ b/app/spicedb/getting-started/install/kubernetes/page.mdx @@ -73,8 +73,7 @@ If you're looking for something production-ready, install the [SpiceDB Operator] ## Installing SpiceDB using Helm - **Warning:** There is no officially supported Helm Chart for SpiceDB; use this - at your own risk. + **Warning:** There is no officially supported Helm Chart for SpiceDB; use this at your own risk. There is a [community maintained Chart][chart] by the folks over at [Bushel]. diff --git a/app/spicedb/getting-started/protecting-a-blog/page.mdx b/app/spicedb/getting-started/protecting-a-blog/page.mdx index 14ccc5c4..1bbd1398 100644 
--- a/app/spicedb/getting-started/protecting-a-blog/page.mdx +++ b/app/spicedb/getting-started/protecting-a-blog/page.mdx @@ -141,8 +141,7 @@ EOF ``` - If, later on, you wish to make updates to this schema, please read the - [migration guide]. + If, later on, you wish to make updates to this schema, please read the [migration guide]. @@ -322,8 +321,8 @@ Because the relationships stored in the system can change at runtime, this is a When applications modify or create rows in their database, they will also typically create or update relationships. - Writing relationships returns a [ZedToken] which is critical to ensuring - performance and [consistency]. + Writing relationships returns a [ZedToken] which is critical to ensuring performance and + [consistency]. [ZedToken]: /spicedb/concepts/consistency#zedtokens @@ -648,9 +647,8 @@ For example, in our example schema, writers have both write and read permissions Let's perform some permission checks: - If developing locally against SpiceDB, see - [this](./client-libraries#local-development) for full details on how to setup - credentials. Always switch to secure credentials before launching to + If developing locally against SpiceDB, see [this](./client-libraries#local-development) for full + details on how to setup credentials. Always switch to secure credentials before launching to production. @@ -702,8 +700,7 @@ const emiliaCanRead = await client.checkPermission( }), ); console.log( - emiliaCanRead.permissionship === - v1.CheckPermissionResponse_Permissionship.HAS_PERMISSION, + emiliaCanRead.permissionship === v1.CheckPermissionResponse_Permissionship.HAS_PERMISSION, ); const emiliaCanWrite = await client.checkPermission( 
@@ -716,8 +713,7 @@ const emiliaCanWrite = await client.checkPermission( }), ); console.log( - emiliaCanWrite.permissionship === - v1.CheckPermissionResponse_Permissionship.HAS_PERMISSION, + emiliaCanWrite.permissionship === v1.CheckPermissionResponse_Permissionship.HAS_PERMISSION, ); const beatriceCanRead = await client.checkPermission( @@ -730,8 +726,7 @@ const beatriceCanRead = await client.checkPermission( }), ); console.log( - beatriceCanRead.permissionship === - v1.CheckPermissionResponse_Permissionship.HAS_PERMISSION, + beatriceCanRead.permissionship === v1.CheckPermissionResponse_Permissionship.HAS_PERMISSION, ); const beatriceCanWrite = await client.checkPermission( @@ -744,8 +739,7 @@ const beatriceCanWrite = await client.checkPermission( }), ); console.log( - beatriceCanWrite.permissionship === - v1.CheckPermissionResponse_Permissionship.HAS_PERMISSION, + beatriceCanWrite.permissionship === v1.CheckPermissionResponse_Permissionship.HAS_PERMISSION, ); ``` diff --git a/app/spicedb/modeling/access-control-audit/page.mdx b/app/spicedb/modeling/access-control-audit/page.mdx index ada635b7..40ab8af5 100644 --- a/app/spicedb/modeling/access-control-audit/page.mdx +++ b/app/spicedb/modeling/access-control-audit/page.mdx 
@@ -59,18 +59,17 @@ If you wanted to understand how the access grants to the `kubernetes` repository ## Auditing Permissions: How Have Permissions Changed? - Auditing permission changes is a very complex problem to solve at scale: - that's why we built [Authzed Materialize]. + Auditing permission changes is a very complex problem to solve at scale: that's why we built + [Authzed Materialize]. SpiceDB does not offer an API to stream permission changes, but you could use a combination of APIs to compute a limited audit trail of permission changes. This strategy could also be used to build a materialized index of permissions to [Protect a List Endpoint] in your application's database. - Please note this strategy is **very computationally intensive**, and it would - very likely require scaling out a SpiceDB cluster. It's only likely to work - under very narrow use cases that can exploit domain awareness to reduce how - many computations need to be run. + Please note this strategy is **very computationally intensive**, and it would very likely require + scaling out a SpiceDB cluster. It's only likely to work under very narrow use cases that can + exploit domain awareness to reduce how many computations need to be run. 1. Use the [Watch] API to stream all relationship changes in the system diff --git a/app/spicedb/modeling/attributes/page.mdx b/app/spicedb/modeling/attributes/page.mdx index d832116e..c17cd66b 100644 --- a/app/spicedb/modeling/attributes/page.mdx +++ b/app/spicedb/modeling/attributes/page.mdx 
@@ -36,11 +36,10 @@ and that document is related to itself with `edit_enabled`. - There is no mechanism in the SpiceDB schema language that enforces that a - relation be used as a loop relation. In order to avoid accidentally misusing a - loop relation (e.g. relating an object to a different instance of the same - type) it is recommended to implement client side logic that enforces only - using the loop relation for its intended purpose. + There is no mechanism in the SpiceDB schema language that enforces that a relation be used as a + loop relation. In order to avoid accidentally misusing a loop relation (e.g. relating an object to + a different instance of the same type) it is recommended to implement client side logic that + enforces only using the loop relation for its intended purpose. ### Wildcards @@ -55,9 +54,8 @@ To enable document editing, you need to establish a relationship that connects a - Wildcards are adequate for most binary attribute scenarios; however, wildcards - are not currently supported by [Authzed - Materialize](/authzed/concepts/authzed-materialize). Those who plan to use + Wildcards are adequate for most binary attribute scenarios; however, wildcards are not currently + supported by [Authzed Materialize](/authzed/concepts/authzed-materialize). Those who plan to use Materialize should use loop relationships for binary attributes. diff --git a/app/spicedb/modeling/developing-a-schema/page.mdx b/app/spicedb/modeling/developing-a-schema/page.mdx index 35b13e38..aba366ab 100644 --- a/app/spicedb/modeling/developing-a-schema/page.mdx +++ b/app/spicedb/modeling/developing-a-schema/page.mdx @@ -322,8 +322,7 @@ document:specificdocument#docorg@organization:someorg ``` - **Info:** Note the use of the organization as the **subject** in this - relationship + **Info:** Note the use of the organization as the **subject** in this relationship ### Inheriting permissions 
@@ -366,9 +365,8 @@ The expression `docorg->view_all_documents` indicates to SpiceDB or Authzed to f By use of this expression, any user defined as an administrator of the organization that owns the document will also be able to view the document! - **Info:** It is _recommended_ that the right side of all arrows refer to - **permissions**, instead of relations. This allows for easy nested - computation, and is more readable. + **Info:** It is _recommended_ that the right side of all arrows refer to **permissions**, instead + of relations. This allows for easy nested computation, and is more readable. ### Adding an administrator user diff --git a/app/spicedb/modeling/migrating-schema/page.mdx b/app/spicedb/modeling/migrating-schema/page.mdx index 3e8711f5..2cb8261c 100644 --- a/app/spicedb/modeling/migrating-schema/page.mdx +++ b/app/spicedb/modeling/migrating-schema/page.mdx @@ -3,11 +3,10 @@ import { Callout } from "nextra/components"; # Migrating a Schema in SpiceDB - This page explains how to migrate a SpiceDB schema. If you need information - about migrating the schema of a datastore underlying SpiceDB, like Postgres or - CockroachDB, go [here](/spicedb/concepts/datastore-migrations). If you need - information about migrating between SpiceDB instances, go - [here](/spicedb/ops/data/migrations). + This page explains how to migrate a SpiceDB schema. If you need information about migrating the + schema of a datastore underlying SpiceDB, like Postgres or CockroachDB, go + [here](/spicedb/concepts/datastore-migrations). If you need information about migrating between + SpiceDB instances, go [here](/spicedb/ops/data/migrations). A [Schema] in SpiceDB is the file that represents the structural definitions of which relationships are allowed 
@@ -67,10 +66,9 @@ Removing a permission is always allowed, so long as it is not referenced by anot permission or relation. - While this cannot break the schema, it *can* break API callers if they are - making checks or other API requests against the permission. It is up to your - own CI system to verify that removed permissions are no longer referenced - externally. + While this cannot break the schema, it *can* break API callers if they are making checks or other + API requests against the permission. It is up to your own CI system to verify that removed + permissions are no longer referenced externally. ## Contingent Migrations diff --git a/app/spicedb/modeling/protecting-a-list-endpoint/page.mdx b/app/spicedb/modeling/protecting-a-list-endpoint/page.mdx index f66bdceb..432a9ac0 100644 --- a/app/spicedb/modeling/protecting-a-list-endpoint/page.mdx +++ b/app/spicedb/modeling/protecting-a-list-endpoint/page.mdx 
@@ -80,17 +80,16 @@ This approach is handy for search interfaces since the filters on a search can r to the point where checking them via bulk check is relatively easy. - It's recommended to run the various [`CheckBulkPermissions`] API calls at the - same revision to get a consistent view of the permissions. (i.e. take the - ZedToken from the first call, and use it in all subsequent calls). + It's recommended to run the various [`CheckBulkPermissions`] API calls at the same revision to get + a consistent view of the permissions. (i.e. take the ZedToken from the first call, and use it in + all subsequent calls). ## Using Materialize - Materialize is currently in Early Access. Additional documentation and product - information will be coming soon. In the meantime, if you're interested, - [schedule a call!][Schedule Call] + Materialize is currently in Early Access. Additional documentation and product information will be + coming soon. In the meantime, if you're interested, [schedule a call!][Schedule Call] [Authzed Materialize] is Authzed's version of the [Leopard cache] referenced in the Zanzibar paper, which provides a denormalized view diff --git a/app/spicedb/modeling/validation-testing-debugging/page.mdx b/app/spicedb/modeling/validation-testing-debugging/page.mdx index 04973c1b..854dfacd 100644 --- a/app/spicedb/modeling/validation-testing-debugging/page.mdx +++ b/app/spicedb/modeling/validation-testing-debugging/page.mdx @@ -60,8 +60,8 @@ assertFalse: [] #### Caveat Context In Assertions - In order to escape JSON representation of the caveat context in an assertion - you should use single-quotes. + In order to escape JSON representation of the caveat context in an assertion you should use + single-quotes. You can provide caveat context as part of an assertion: 
@@ -155,8 +155,8 @@ SpiceDB supports tracing of check requests to view the path(s) taken to compute Request tracing information by setting `with_tracing: true` in the request message and the information will be found in the response message. - **Warning:** In versions older than v1.31.0, request tracing information via a - header and the information will be found in the response footer as JSON. + **Warning:** In versions older than v1.31.0, request tracing information via a header and the + information will be found in the response footer as JSON. ## Zed @@ -173,9 +173,8 @@ It will load and validate the schema using the same parsing logic that the Spice ensuring that a schema that passes validation will be considered a valid schema by your SpiceDB instance. - Note that a schema write can still fail if a relation is removed and there are - still instances of that relation in your database. `zed` doesn't know about - your data. + Note that a schema write can still fail if a relation is removed and there are still instances of + that relation in your database. `zed` doesn't know about your data. You can validate the functionality of your schema using validation yaml files, such as those exported @@ -267,8 +266,8 @@ steps: ### [authzed/action-spicedb-validate](https://github.com/marketplace/actions/validate-spicedb-schema) - **Info:** This tool is highly recommended because it can prevent deployments - of unverified changes. + **Info:** This tool is highly recommended because it can prevent deployments of unverified + changes. The Playground offers a variety of tools that are useful for validating a design, but running the playground isn't designed for operating within a typical CI/CD environment. diff --git a/app/spicedb/ops/_meta.ts b/app/spicedb/ops/_meta.ts index 05bbdada..029121c5 100644 --- a/app/spicedb/ops/_meta.ts +++ b/app/spicedb/ops/_meta.ts 
@@ -7,9 +7,7 @@ export default {
 resilience: "Improving Resilience",
 observability: "Observability Tooling",
 "load-testing": "Load Testing",
- "spicedb-langchain-langgraph-rag":
- "Secure your RAG Pipelines using LangChain & LangGraph",
- "ai-agent-authorization":
- "Tutorial: Authorization for AI Agents using SpiceDB",
+ "spicedb-langchain-langgraph-rag": "Secure your RAG Pipelines using LangChain & LangGraph",
+ "ai-agent-authorization": "Tutorial: Authorization for AI Agents using SpiceDB",
 "secure-rag-pipelines": "Tutorial: Securing RAG Pipelines with SpiceDB",
 };
diff --git a/app/spicedb/ops/data/migrations/page.mdx b/app/spicedb/ops/data/migrations/page.mdx
index 3a446050..56ef77b6 100644
--- a/app/spicedb/ops/data/migrations/page.mdx
+++ b/app/spicedb/ops/data/migrations/page.mdx
@@ -7,11 +7,10 @@ This section covers migrating data from one SpiceDB instance to another with min [Authzed Cloud]: https://authzed.com/cloud/signup - If you need information about migrating the schema of a datastore underlying - SpiceDB, like Postgres or CockroachDB, go - [here](/spicedb/concepts/datastore-migrations#migrations). If you need - information about making changes to a SpiceDB schema that result in a - migration, go [here](/spicedb/modeling/migrating-schema). + If you need information about migrating the schema of a datastore underlying SpiceDB, like + Postgres or CockroachDB, go [here](/spicedb/concepts/datastore-migrations#migrations). If you need + information about making changes to a SpiceDB schema that result in a migration, go + [here](/spicedb/modeling/migrating-schema).
diff --git a/app/spicedb/ops/eks/page.mdx b/app/spicedb/ops/eks/page.mdx
index e975b32c..401c4166 100644
--- a/app/spicedb/ops/eks/page.mdx
+++ b/app/spicedb/ops/eks/page.mdx
@@ -37,10 +37,7 @@ In order for the cluster to dynamically configure DNS, the first step is grant a
 },
 {
 "Effect": "Allow",
- "Action": [
- "route53:ChangeResourceRecordSets",
- "route53:ListResourceRecordSets"
- ],
+ "Action": ["route53:ChangeResourceRecordSets", "route53:ListResourceRecordSets"],
 "Resource": "arn:aws:route53:::hostedzone/*"
 },
 {
diff --git a/app/spicedb/ops/load-testing/page.mdx b/app/spicedb/ops/load-testing/page.mdx
index e3fb07a2..560a304f 100644
--- a/app/spicedb/ops/load-testing/page.mdx
+++ b/app/spicedb/ops/load-testing/page.mdx
@@ -79,8 +79,8 @@ Here are some helpful tips (these tips assume you already have a schema finalize Now that you’ve completed the thought exercise, you’ll need to codify this information in relationship generating code. - **Info:** If you're struggling or want help, [reach out to the Authzed - team][reach out] or [the community in Discord][discord]. + **Info:** If you're struggling or want help, [reach out to the Authzed team][reach out] or [the + community in Discord][discord]. We highly recommend that you pre-seed your relationships data before a load test.
@@ -283,6 +283,7 @@ steps: subject: "{{ .Prefix }}user:tom" permission: "view" + # Triple-dash means this is a separate yaml document within the same file --- name: "read"
diff --git a/app/spicedb/ops/performance/page.mdx b/app/spicedb/ops/performance/page.mdx
index 2681c9e9..3c488864 100644
--- a/app/spicedb/ops/performance/page.mdx
+++ b/app/spicedb/ops/performance/page.mdx
@@ -36,9 +36,8 @@ where `spicedb.default` is the Kubernetes `Service` in which SpiceDB is accessib ### Configuration in non-Kubernetes environments - Non-Kubernetes based dispatching relies upon DNS updates, which means it can - become stale if DNS is changing. This is not recommended unless DNS updates - are rare. + Non-Kubernetes based dispatching relies upon DNS updates, which means it can become stale if DNS + is changing. This is not recommended unless DNS updates are rare. To enable dispatch, the following flags must be specified: diff --git a/components/JupyterNotebookViewer.tsx b/components/JupyterNotebookViewer.tsx index 414bb6f1..ace914d6 100644 --- a/components/JupyterNotebookViewer.tsx +++ b/components/JupyterNotebookViewer.tsx @@ -4,19 +4,12 @@ interface JupyterNotebookViewerProps { fileUrl: string; } -const JupyterNotebookViewer: React.FC = ({ - fileUrl, -}) => { +const JupyterNotebookViewer: React.FC = ({ fileUrl }) => { const nbviewerUrl = `https://nbviewer.org/github/${encodeURIComponent(fileUrl)}`; return (
-