Merged
30 changes: 30 additions & 0 deletions .github/workflows/spellcheck.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
---
name: "Spellcheck"
on:
push:
branches:
- "main"
paths:
- "**/*.md"
- "**/*.mdx"
- "spellcheck.yaml"
- "wordlist.txt"
- ".github/workflows/spellcheck.yaml"
pull_request:
paths:
- "**/*.md"
- "**/*.mdx"
- "spellcheck.yaml"
- "wordlist.txt"
- ".github/workflows/spellcheck.yaml"

jobs:
spellcheck:
name: "Spellcheck"
runs-on: "ubuntu-latest"
steps:
- uses: "actions/checkout@v4"
- uses: "rojopolis/spellcheck-github-actions@dbd2f1da869c05ad874fffeb6fe1ed50cd1a6e98" # v0.36.0
name: "Spellcheck"
with:
config_path: "spellcheck.yaml"
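Review bot: the `spellcheck` job declares no `permissions:` block, so its `GITHUB_TOKEN` runs with whatever the repository default grants, on both `push` and `pull_request`. A job that only checks out the repository and reads Markdown needs nothing beyond `permissions: contents: read`; set that at the workflow level. In `steps`, `actions/checkout@v4` is referenced by a mutable tag while the spellcheck action on the next line is pinned to a full commit SHA with the version in a trailing comment; pin checkout the same way so both steps are held to the same standard.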
4 changes: 2 additions & 2 deletions pages/authzed/concepts/authzed-materialize.mdx
Expand Up @@ -17,7 +17,7 @@ In summary, AuthZed Materialize allows you to:
- Speed up `CheckPermission` and `CheckBulkPermissions`.
- Speed up `LookupResources` and `LookupSubjects`, especially when there is a large number of resources.
- Build authorization-aware UIs, e.g. by providing a filtered and/or sorted list of more than several thousand authorized objects.
- Perform ACL filtering in other secondary indexes, like a search index (e.g. ElasticSearch).
- Perform ACL filtering in other secondary indexes, like a search index (e.g. Elasticsearch).

[Dedicated]: ../guides/picking-a-product#dedicated

Expand Down Expand Up @@ -273,7 +273,7 @@ SELECT d.id FROM documents d

This is an update stream of all the permissions Materialize is configured to watch.
You can use this to store all permissions tracked in the system closer to your application database to be used in database-native ACL filtering.
Permissions can also be stored in secondary indexes like ElasticSearch.
Permissions can also be stored in secondary indexes like Elasticsearch.

The API consists of various event types that capture deltas that occurred since a client started listening.
It will also notify of events like a [breaking schema change] that necessitate rebuilding of the index.
4 changes: 2 additions & 2 deletions pages/authzed/concepts/restricted-api-access.mdx
Expand Up @@ -92,7 +92,7 @@ The following variables are provided the CEL expression varying based on the req

Policies are what bind Roles to a Service Account.

Each policy is composed of a unique identifer for the policy itself, the principal (the target of the role assignment), and any roles being assigned.
Each policy is composed of a unique identifier for the policy itself, the principal (the target of the role assignment), and any roles being assigned.

## Task-Specific Configuration

Expand Down Expand Up @@ -272,7 +272,7 @@ If you want to apply a configuration to an existing SpiceDB cluster without down
1. You may want to start with FGAM tokens bound to a admin-like Role, since that's what the original PSKs effectively were.
This is probably lower risk, and then from there you can move to start trimming down permissions.
2. Or you may want to move directly to downscoped tokens for your individual services, creating the tokens you need.
This may be simple if you have few clients, but more complex as the number of clients grow, and with a bigger blast radious of impact on rollout.
This may be simple if you have few clients, but more complex as the number of clients grow, and with a bigger blast radius of impact on rollout.
A minimal configuration would look something like:

```yaml
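Review bot: the line that fixes "radious" still has a subject-verb mismatch, "as the number of clients grow"; make it "grows". Item 1 just above also reads "bound to a admin-like Role", which should be "an admin-like Role". Neither is something a dictionary-based spellcheck will flag, so fix them in this pass.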
2 changes: 1 addition & 1 deletion pages/spicedb/concepts/consistency.mdx
Expand Up @@ -112,7 +112,7 @@ Consistency { fully_consistent: true }
A ZedToken is an opaque token representing a point-in-time of the SpiceDB datastore, encoded for easy storage and transmission.
ZedTokens are used for data consistency guarantees when using the SpiceDB API.

ZedToken is the SpiceDB equivalant of Google Zanzibar's [Zookie] concept which protects users from the [New Enemy Problem].
ZedToken is the SpiceDB equivalent of Google Zanzibar's [Zookie] concept which protects users from the [New Enemy Problem].

SpiceDB returns ZedTokens from the APIs that perform permission checks or modify data:

6 changes: 3 additions & 3 deletions pages/spicedb/concepts/datastores.mdx
Expand Up @@ -6,7 +6,7 @@ In order to reduce operational complexity, SpiceDB leverages existing, popular s

AuthZed has standardized our managed services on CockroachDB, but we give self-hosted customers the option to pick the datastore that best suits their operational requirements.

- [CockroachDB](#cockroachdb) - Recomended for self hosted deployments with high throughput and/or multi-region requirements
- [CockroachDB](#cockroachdb) - Recommended for self hosted deployments with high throughput and/or multi-region requirements
- [Cloud Spanner](#cloud-spanner) - Recommended for self-hosted Google Cloud deployments
- [PostgreSQL](#postgresql) - Recommended for self-hosted single-region deployments
- [MySQL](#mysql) - Not recommended; only use if you cannot use PostgreSQL
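Review bot: the corrected CockroachDB bullet still reads "self hosted deployments" while the Cloud Spanner and PostgreSQL bullets below it use "self-hosted". Hyphenate it on the same line while it is being touched.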
Expand Down Expand Up @@ -93,7 +93,7 @@ The available strategies are:
| --- | --- |
| `static` (default) | All writes overlap to guarantee safety at the cost of write throughput |
| `prefix` | Only writes that contain objects with same prefix overlap (e.g. `tenant1/user` and `tenant2/user` can be written in concurrently) |
| `request` | Only writes with the same `io.spicedb.requestoverlapkey` header overlap enabling applications to decide on-the-fly which writes have causual dependencies. Writes without any header act the same as `insecure`. |
| `request` | Only writes with the same `io.spicedb.requestoverlapkey` header overlap enabling applications to decide on-the-fly which writes have causal dependencies. Writes without any header act the same as `insecure`. |
| `insecure` | No writes overlap, providing the best write throughput, but possibly leaving you vulnerable to the [New Enemy Problem] |

For more information, refer to the [CockroachDB datastore README][crdb-readme] or our blog post "[The One Crucial Difference Between Spanner and CockroachDB][crdb-blog]".
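Review bot: in the `request` row, the fallback "Writes without any header act the same as `insecure`" is easy to miss, and only the `insecure` row spells out the exposure to the [New Enemy Problem]. A client that omits the `io.spicedb.requestoverlapkey` header silently loses the overlap guarantee, so state that consequence in the `request` row itself, for example by repeating the New Enemy Problem link there. Separately, "can be written in concurrently" in the `prefix` row should read "can be written concurrently".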
Expand Down Expand Up @@ -257,7 +257,7 @@ Because this counter is instance-specific, there are ways in which the data in t
Two concrete examples are the use of `pg_dump` and `pg_restore` to transfer data between an old instance and a new instance and setting up
logical replication between a previously-existing instance and a newly-created instance.

If you encounter this, SpiceDB can behave as though there is no schema written, because the data (including the schema) is associated with a future transaction ID and therefore isn't "visible" to Spicedb.
If you encounter this, SpiceDB can behave as though there is no schema written, because the data (including the schema) is associated with a future transaction ID and therefore isn't "visible" to SpiceDB.
If you run into this issue, the fix is [documented here](https://authzed.com/docs/spicedb/concepts/commands#reference-spicedb-datastore-repair)

### Configuration
2 changes: 1 addition & 1 deletion pages/spicedb/getting-started/faq.mdx
Expand Up @@ -25,7 +25,7 @@ SpiceDB is a database designed to be integrated into applications.
There are some organizations with homegrown IT use-cases that use SpiceDB.
However, for most IT use cases, this is probably more low-level than what you need.

We recommend looking into tools designed around specific IT workflows such as auditing ([Orca], [PrismaCloud]), goverance, access management ([Indent], [ConductorOne]).
We recommend looking into tools designed around specific IT workflows such as auditing ([Orca], [PrismaCloud]), governance, access management ([Indent], [ConductorOne]).

[Orca]: https://orca.security/platform/cloud-security-posture-management-cspm/
[PrismaCloud]: https://www.paloaltonetworks.com/prisma/cloud
2 changes: 1 addition & 1 deletion pages/spicedb/getting-started/install/debian.mdx
Expand Up @@ -7,7 +7,7 @@ This document outlines how to install SpiceDB for systems running [Debian-like L
Every release of SpiceDB publishes `.deb` packages, [snap] packages, and tarballs for AMD64 and ARM64 Linux.

Looking for `.rpm` packages?
Visit the doc on [Installing SpiceDB on RHEL/Centos][rhel]
Visit the doc on [Installing SpiceDB on RHEL/CentOS][rhel]

[debianlike]: https://en.wikipedia.org/wiki/List_of_Linux_distributions#Debian-based
[rhel]: ./rhel
2 changes: 1 addition & 1 deletion pages/spicedb/modeling/developing-a-schema.mdx
Expand Up @@ -371,7 +371,7 @@ of relations.

### Adding an administrator user

Now that we've declared that all users in `administrator` on the organization are also granted the `view` permission, let's define at least one user in our test data to be an adminstrator:
Now that we've declared that all users in `administrator` on the organization are also granted the `view` permission, let's define at least one user in our test data to be an administrator:

```relationship filename="Test Relationships"
organization:someorg#administrator@user:someadminuser
2 changes: 1 addition & 1 deletion pages/spicedb/modeling/representing-users.mdx
Expand Up @@ -38,7 +38,7 @@ If you have *multiple* authentication providers, then the recommendation is to d
/** githubuser represents a user from GitHub */
definition githubuser {}

/** gitlabuser represents a user from Gitlab */
/** gitlabuser represents a user from GitLab */
definition gitlabuser {}
```

2 changes: 1 addition & 1 deletion pages/spicedb/ops/ai-agent-authorization.mdx
Expand Up @@ -6,7 +6,7 @@ This guide shows how to build a secure Retrieval-Augmented Generation (RAG) pipe
Authorization decisions are enforced by SpiceDB.
You can also get summary of only the documents the AI Agent is authorized to view.

This guide uses OpenAI, Pinecone, Langchain, Jupyter Notebook and SpiceDB
This guide uses OpenAI, Pinecone, LangChain, Jupyter Notebook and SpiceDB

## Setup and Prerequisites

2 changes: 1 addition & 1 deletion pages/spicedb/ops/data/migrations.mdx
Expand Up @@ -10,7 +10,7 @@ import { Callout } from 'nextra/components'

The options provided below enable you to consistently migrate between datastores with minimal downtime.

All options utilize the [Zed CLI tool](https://github.com/authzed/zed?tab=readme-ov-file#zed).
All options utilize the [Zed CLI tool](https://github.com/authzed/zed#readme).

### Write Downtime Migration

2 changes: 1 addition & 1 deletion pages/spicedb/ops/eks.mdx
Expand Up @@ -175,7 +175,7 @@ metadata:
namespace: spicedb
spec:
isCA: true
commonName: dev.spicedb # Change optional: in this example, "dev" is the name of the SpiceDBCluster object (defined at the "Configure SpiceDB settings" step below). If you don't wan't use "dev", change "dev" to what you will use.
commonName: dev.spicedb # Change optional: in this example, "dev" is the name of the SpiceDBCluster object (defined at the "Configure SpiceDB settings" step below). If you don't want to use "dev", change "dev" to what you will use.
dnsNames:
- dev.spicedb # Change optional: (see above)
secretName: dispatch-root-secret
2 changes: 1 addition & 1 deletion pages/spicedb/ops/load-testing.mdx
Expand Up @@ -275,7 +275,7 @@ steps:
- op: "CheckPermission"
# This is Golang template syntax and various values from the runtime can be
# inserted. Documentation of the available values is available in the readme:
# https://github.com/authzed/thumper?tab=readme-ov-file#go-template-properties
# https://github.com/authzed/thumper#go-template-properties
resource: "{{ .Prefix }}resource:firstdoc"
subject: "{{ .Prefix }}user:tom"
permission: "view"
2 changes: 1 addition & 1 deletion pages/spicedb/ops/secure-rag-pipelines.mdx
Expand Up @@ -5,7 +5,7 @@ import JupyterNotebookViewer from "@/components/JupyterNotebookViewer";
Here's how you can use SpiceDB to safeguard sensitive data in RAG pipelines.
You will learn how to pre-filter and post-filter vector database queries with a list of authorized object IDs to improve security and efficiency.

This guide uses OpenAI, Pinecone, Langchain, Jupyter Notebook and SpiceDB
This guide uses OpenAI, Pinecone, LangChain, Jupyter Notebook and SpiceDB

## Why is this important?

21 changes: 21 additions & 0 deletions spellcheck.yaml
@@ -0,0 +1,21 @@
---
matrix:
- name: "Markdown"
sources:
- "pages/**/*.md"
- "pages/**/*.mdx"
- "*.md"
default_encoding: "utf-8"
aspell:
lang: "en"
dictionary:
wordlists:
- "wordlist.txt"
encoding: "utf-8"
pipeline:
- "pyspelling.filters.markdown":
- "pyspelling.filters.html":
comments: false
ignores:
- "code"
- "pre"
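Review bot: `sources` only matches `pages/**/*.md`, `pages/**/*.mdx` and top-level `*.md`, while the workflow's `paths` filter triggers on `**/*.md` and `**/*.mdx`. A Markdown file in any other directory, or a top-level `.mdx` file, will start the job and then pass unchecked. Either widen `sources` to match the trigger globs or narrow the workflow `paths` to `pages/**` plus the root files, so that a green run means the changed file was actually checked.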