feat: new page (querying data)

app/authzed/guides/setting-up-private-networking/page.mdx

@@ -114,30 +114,30 @@ Most users of AuthZed Dedicated on GCP privately connect to SpiceDB with GCP [Pr
 1. Navigate to “Private Service Connect” and make sure you are on the “Connected Endpoints” tab.
 1. Click “Connect Endpoint”
 
-    | Option                 | Selection                                      |
-    |------------------------|------------------------------------------------|
-    | Target                 | “Published service”                            |
-    | Target service         | This will be provided to you by Authzed        |
-    | Endpoint name          | Name this whatever you want                    |
-    | Network and subnetwork | Select the networks you need connectivity from |
-    | IP address             | Choose whatever IP you'd like                  |
+   | Option                 | Selection                                      |
+   | ---------------------- | ---------------------------------------------- |
+   | Target                 | “Published service”                            |
+   | Target service         | This will be provided to you by Authzed        |
+   | Endpoint name          | Name this whatever you want                    |
+   | Network and subnetwork | Select the networks you need connectivity from |
+   | IP address             | Choose whatever IP you'd like                  |
 
 ### Enable DNS
 
 1. Navigate to Cloud DNS and create a zone
 
-    | Option    | Selection                                                                 |
-    |-----------|---------------------------------------------------------------------------|
-    | Zone type | private                                                                   |
-    | DNS Name  | This will be provided to you by Authzed                                   |
-    | Networks  | Select the network where the Private Service Connect endpoint is deployed |
+   | Option    | Selection                                                                 |
+   | --------- | ------------------------------------------------------------------------- |
+   | Zone type | private                                                                   |
+   | DNS Name  | This will be provided to you by Authzed                                   |
+   | Networks  | Select the network where the Private Service Connect endpoint is deployed |
 
 1. Add record set
 
-    | Option     | Selection                                      |
-    |------------|------------------------------------------------|
-    | DNS name   | This will be provided to you by Authzed        |
-    | IP address | Enter your Private Service Connect endpoint IP |
+   | Option     | Selection                                      |
+   | ---------- | ---------------------------------------------- |
+   | DNS name   | This will be provided to you by Authzed        |
+   | IP address | Enter your Private Service Connect endpoint IP |
 
 ### Add Permission System
 
@@ -150,15 +150,15 @@ Most users of AuthZed Dedicated on GCP privately connect to SpiceDB with GCP [Pr
 
 Verify connectivity from client machine with the [Zed CLI tool](https://github.com/authzed/zed)
 
-``` zed
+```zed
 zed context set permission_system_name example.com:443 sdbst_h256_123
 ```
 
-``` zed
+```zed
 zed schema write example.yaml
 ```
 
-``` zed
+```zed
 zed schema read
 ```
 

app/spicedb/concepts/_meta.ts

@@ -4,6 +4,7 @@ export default {
   relationships: "Writing Relationships",
   caveats: "Writing Relationships with Caveats",
   "expiring-relationships": "Writing Relationships that Expire",
+  "querying-data": "Querying Data",
   commands: "SpiceDB Commands & Parameters",
   consistency: "Consistency",
   datastores: "Datastores",

app/spicedb/concepts/commands/page.mdx

@@ -27,13 +27,12 @@ A database that stores and computes permissions
 
 ### Children commands
 
-- [spicedb datastore](#reference-spicedb-datastore)	 - datastore operations
-- [spicedb lsp](#reference-spicedb-lsp)	 - serve language server protocol
-- [spicedb man](#reference-spicedb-man)	 - Generate man page
-- [spicedb serve](#reference-spicedb-serve)	 - serve the permissions database
-- [spicedb serve-testing](#reference-spicedb-serve-testing)	 - test server with an in-memory datastore
-- [spicedb version](#reference-spicedb-version)	 - displays the version of SpiceDB
-
+- [spicedb datastore](#reference-spicedb-datastore) - datastore operations
+- [spicedb lsp](#reference-spicedb-lsp) - serve language server protocol
+- [spicedb man](#reference-spicedb-man) - Generate man page
+- [spicedb serve](#reference-spicedb-serve) - serve the permissions database
+- [spicedb serve-testing](#reference-spicedb-serve-testing) - test server with an in-memory datastore
+- [spicedb version](#reference-spicedb-version) - displays the version of SpiceDB
 
 ## Reference: `spicedb datastore`
 
@@ -49,11 +48,10 @@ Operations against the configured datastore
 
 ### Children commands
 
-- [spicedb datastore gc](#reference-spicedb-datastore-gc)	 - executes garbage collection
-- [spicedb datastore head](#reference-spicedb-datastore-head)	 - compute the head (latest) database migration revision available
-- [spicedb datastore migrate](#reference-spicedb-datastore-migrate)	 - execute datastore schema migrations
-- [spicedb datastore repair](#reference-spicedb-datastore-repair)	 - executes datastore repair
-
+- [spicedb datastore gc](#reference-spicedb-datastore-gc) - executes garbage collection
+- [spicedb datastore head](#reference-spicedb-datastore-head) - compute the head (latest) database migration revision available
+- [spicedb datastore migrate](#reference-spicedb-datastore-migrate) - execute datastore schema migrations
+- [spicedb datastore repair](#reference-spicedb-datastore-repair) - executes datastore repair
 
 ## Reference: `spicedb datastore gc`
 
@@ -148,8 +146,6 @@ spicedb datastore gc [flags]
       --skip-release-check   if true, skips checking for new SpiceDB releases
 ```
 
-
-
 ## Reference: `spicedb datastore head`
 
 compute the head (latest) database migration revision available
@@ -181,8 +177,6 @@ spicedb datastore head [flags]
       --skip-release-check   if true, skips checking for new SpiceDB releases
 ```
 
-
-
 ## Reference: `spicedb datastore migrate`
 
 Executes datastore schema migrations for the datastore.
@@ -222,8 +216,6 @@ spicedb datastore migrate [revision] [flags]
       --skip-release-check   if true, skips checking for new SpiceDB releases
 ```
 
-
-
 ## Reference: `spicedb datastore repair`
 
 Executes a repair operation for the datastore
@@ -317,8 +309,6 @@ spicedb datastore repair [flags]
       --skip-release-check   if true, skips checking for new SpiceDB releases
 ```
 
-
-
 ## Reference: `spicedb lsp`
 
 serve language server protocol
@@ -342,20 +332,17 @@ spicedb lsp [flags]
       --skip-release-check   if true, skips checking for new SpiceDB releases
 ```
 
-
-
 ## Reference: `spicedb man`
 
 Generate a man page for SpiceDB.
- The output can be redirected to a file and installed to the system:
+The output can be redirected to a file and installed to the system:
 
 ```
   spicedb man > spicedb.1
   sudo mv spicedb.1 /usr/share/man/man1/
   sudo mandb  # Update man page database
 ```
 
-
 ```
 spicedb man
 ```
@@ -368,8 +355,6 @@ spicedb man
       --skip-release-check   if true, skips checking for new SpiceDB releases
 ```
 
-
-
 ## Reference: `spicedb serve`
 
 start a SpiceDB server
@@ -558,8 +543,6 @@ spicedb serve [flags]
       --skip-release-check   if true, skips checking for new SpiceDB releases
 ```
 
-
-
 ## Reference: `spicedb serve-testing`
 
 An in-memory spicedb server which serves completely isolated datastores per client-supplied auth token used.
@@ -621,8 +604,6 @@ spicedb serve-testing [flags]
       --skip-release-check   if true, skips checking for new SpiceDB releases
 ```
 
-
-
 ## Reference: `spicedb version`
 
 displays the version of SpiceDB
@@ -644,6 +625,3 @@ spicedb version [flags]
       --log-level string     verbosity of logging ("trace", "debug", "info", "warn", "error") (default "info")
       --skip-release-check   if true, skips checking for new SpiceDB releases
 ```
-
-
-

app/spicedb/concepts/querying-data/page.mdx

@@ -0,0 +1,167 @@
+import { Callout } from "nextra/components";
+
+# Querying Data
+
+This page walks through the main ways to query data in SpiceDB. The options are listed roughly in the order of how often you should be calling them, and roughly in order of their expected performance. Choose the one that makes sense for your use case, but consider whether your use case actually requires the call you're looking at.
+
+<Callout type="info">
+  In most of the APIs below, if you want to be able to read your write, you can
+  pass a `consistency` parameter to the queries. Use either `fully_consistent`
+  or `at_least_as_fresh(revision)` depending on how strict you need to be. See
+  [Consistency](consistency) for more details.
+</Callout>
+
+<Callout type="important">
+  When invoking any of our APIs, you can send a header `X-Request-ID=somevalue`
+  and it will be echoed back in the response, which makes correlating logs or
+  tracing requests easy.
+</Callout>
+
+## Check Permission
+
+Send:
+
+- Subject Type
+- Subject ID
+- Permission (or relation)
+- Object Type
+- Object ID
+
+Receive:
+
+- Yes/no (or a provisional response if missing caveat data)
+
+[`CheckPermission`](https://buf.build/authzed/api/docs/main:authzed.api.v1#authzed.api.v1.PermissionsService.CheckPermission) is the go-to for most access checks. It’s designed for high-traffic workloads.
+
+You can debug a check locally with `zed permission check resource:someresource somepermission user:someuser --explain` to understand how the decision was made.
+
+When your schema uses [caveats](caveats) and you don't provide all the required context in the request parameters, the API will tell you that in the response that the result is "conditional" instead of simply denying or allowing, and it's up to you to inspect that result.
+
+The `subject` of the query can be a single user (e.g. `user:someuser`) or a set of users (e.g. `group:engineering#member`).
+
+### CheckBulkPermissions
+
+Send Many:
+
+- Subject Type
+- Subject ID
+- Permission (or relation)
+- Object Type
+- Object ID
+
+Receive Many:
+
+- Yes/no (or a provisional response if missing caveat data)
+
+If your app needs to do multiple checks (for example, for various subjects), use the [`CheckBulkPermissions`](https://buf.build/authzed/api/docs/main:authzed.api.v1#authzed.api.v1.PermissionsService.CheckBulkPermissions) API. It's great for UI workloads where you need to check multiple permissions at once: think tables, lists, and dashboards.
+
+It's also the recommended way to ask "what permissions does a given subject have on a resource?"
+Make a check for each permission in your schema. This will require you to update calling code when you add permissions,
+but the consuming code will need to be changed to include the logic associated with the new permission in any case.
+
+It's always preferable to perform one call to `CheckBulkPermissions` with N checks than N calls to `CheckPermission`, unless you don't want to wait for the N checks to finish.
+
+## LookupResources
+
+Send Many:
+
+- Subject Type
+- Subject ID
+- Permission (or relation)
+- Object Type
+
+Receive many:
+
+- Object ID
+
+[`LookupResources`](https://buf.build/authzed/api/docs/main:authzed.api.v1#authzed.api.v1.PermissionsService.LookupResources) is a good choice when you need to find all resources of a given type that a specific subject can access. It supports cursoring and works well for moderate result sizes.
+
+It's a good way to do [prefiltering of results](/spicedb/modeling/protecting-a-list-endpoint#filtering-with-lookupresources) in
+a List endpoint, but it's a heavy request that can cause performance problems when more than 10k results are involved.
+In that case we recommend postfiltering with [CheckBulk](#checkbulkpermissions), and if that still doesn't work,
+we recommend evaluating [Materialize](/authzed/concepts/authzed-materialize).
+
+## LookupSubjects
+
+Send Many:
+
+- Subject Type
+- Permission (or relation)
+- Object Type
+- Object ID
+
+Receive many:
+
+- Subject ID
+
+[`LookupSubjects`](https://buf.build/authzed/api/docs/main:authzed.api.v1#authzed.api.v1.PermissionsService.LookupSubjects) returns
+all subjects that have access to a specific resource. It does not support cursoring.
+
+It's commonly used to drive UIs and APIs that list users with given permission or set of permissions, such as a table of Admins
+on a particular Organization.
+
+Note that LookupSubjects will do a full path walk between an object and a subject, and will consider all valid paths between object and subject.
+If you are looking to find all the subjects that are on a specific relation, use `ReadRelationships` instead of `LookupSubjects`.
+
+If your schema includes exclusions and wildcards, the response can include a list of subjects that have been explicitly excluded.
+
+For example, if the schema is
+
+```zed
+definition user {}
+
+definition document {
+   relation blocked: user
+   relation view: user:*
+   permission viewer = view - blocked
+}
+```
+
+and the relationships are
+
+```relationship filename="Relationships"
+document:finance#view@user:*
+document:finance#blocked@user:anne
+document:finance#blocked@user:bob
+```
+
+Then `LookupSubjects` for `document:finance` will return a response of the form `{user:* - [user:anne,user:bob]}`.
+
+## ReadRelationships
+
+[`ReadRelationships`](https://buf.build/authzed/api/docs/main:authzed.api.v1#authzed.api.v1.PermissionsService.ReadRelationships) is intended a an escape hatch,
+and should only be considered if no other API matches your use case.
+
+It's considerably more flexible in that you can send any combination of:
+
+- Subject Type
+- Subject ID
+- Permission (or relation)
+- Object Type
+- Object ID
+
+And receive all relationships that match that filter, but it comes with some important caveats:
+
+- It's generally less optimized than the `Check` and `Lookup` APIs because of that flexibility
+- It does no caching. The `Check` and `Lookup` APIs gain much of their performance by caching the results of subproblem computation; `ReadRelationships` does no caching and will go directly to the database every time.
+- The indexes in the backing [datastores](/spicedb/concepts/datastores) are optimized around the `Check` and `Lookup` APIs, so it's possible to
+  craft a `ReadRelationships` request that misses indexes and requires a full table scan. This is because covering all combinations of filters
+  with an index would impact write performance too much.
+
+Some use cases where `ReadRelationships` may be warranted:
+
+- Deleting all relationships in a subtree, where a simple [RelationshipFilter](https://buf.build/authzed/api/docs/main:authzed.api.v1#authzed.api.v1.RelationshipFilter) in a [DeleteRelationships](https://buf.build/authzed/api/docs/main:authzed.api.v1#authzed.api.v1.DeleteRelationshipsRequest) would be insufficient
+- Admin UIs that show lists of roles or relationships between objects
+
+## Watch
+
+The Watch API is not meant to answer permission questions but to serve other use-cases, like auditing. See [the Watch API documentation](/spicedb/concepts/watch) for more details.
+
+## ExpandPermissionTree
+
+This [ExpandPermissionTree](https://buf.build/authzed/api/docs/main:authzed.api.v1#authzed.api.v1.PermissionsService.ExpandPermissionTree) API
+comes from the [Zanzibar Paper](https://authzed.com/zanzibar#2.4.5-expand). It allows you to examine the subtree of relationships
+around a particular point in the graph, and is useful in scenarios like your UI needing to show which users _and groups_ have access to something.
+
+In practice we don't see many uses of this API, especially because it only resolves one "hop" in the graph at a time and must be called
+repeatedly to get a full picture of a subtree.

app/spicedb/getting-started/faq/page.mdx

@@ -60,6 +60,14 @@ Choose based on your scale: start with LookupResources, move to CheckBulkPermiss
 
 [Learn more]: ../modeling/protecting-a-list-endpoint
 
+## How do I get all of the permissions a subject has on a resource?
+
+There isn't an API that answers this question directly. Instead, you should use the
+[`CheckBulkPermissions`](https://buf.build/authzed/api/docs/main:authzed.api.v1#authzed.api.v1.PermissionsService.CheckBulkPermissions) API and send a check for each of the permissions you want to check.
+
+It means that you'll need to update your permission checks when you add a new permission, but you'd need to update the calling code
+to handle the concept that a new permission represents anyway.
+
 ## How can I get involved with SpiceDB?
 
 The best first step is to join [Discord].

app/spicedb/getting-started/first-steps/page.mdx

@@ -22,9 +22,9 @@ import { InlinePlayground } from "@/components/playground";
     We've documented the concepts SpiceDB users should understand:
 
     <Cards>
-        <Cards.Card arrow={true} title="Zanzibar" href="../concepts/zanzibar" />
         <Cards.Card arrow={true} title="Writing a Schema" href="../concepts/schema" />
         <Cards.Card arrow={true} title="Writing Relationships" href="../concepts/relationships" />
+        <Cards.Card arrow={true} title="Querying Data" href="../concepts/querying-data" />
     </Cards>
 
     After these, we recommend these concepts for running SpiceDB: