This repository contains a minimal end-to-end demo showing how to test a permission-aware RAG (Retrieval-Augmented Generation) using SpiceDB running inside a Testcontainer.
The goal of the project is to demonstrate how a real authorization system — SpiceDB — can be embedded into automated tests to validate that your RAG pipeline only returns documents a user is allowed to see.
Each test run creates a fresh, isolated in-memory SpiceDB instance using the community testcontainers-spicedb-go module.
The test writes a small SpiceDB schema with:
- `user` and `document` definitions
- `owner` and `viewer` relations on `document`
- a `read` permission defined as `owner + viewer`
It also seeds sample relationships:
- Emilia owns doc1
- Beatrice can view doc2
- Everyone can view doc3
The RAG pipeline does:
- Trivial retrieval (string match)
- Post-filtering via SpiceDB using CheckPermission
Even though retrieval is simple, the post-filter pattern mirrors how real RAG systems use SpiceDB alongside a vector database: retrieve candidates first, then check each candidate against the authorizer before it reaches the model.
The test checks that:
- Emilia sees doc1 and doc3, but not doc2
- Beatrice sees doc2 and doc3, but not doc1
- Charlie only sees doc3
This shows that the permission check is exercised against a real SpiceDB instance inside the automated test, not against a mock.
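The post-filter loop and the three assertions above, written out as an added example. This is not the repository's rag.go; it is stand-alone illustration code. To run offline it replaces the containerised SpiceDB with an in-memory fake that evaluates the same schema (owner + viewer = read, with `user:*` as the "everyone" wildcard). The `PermissionChecker` interface, the lowercased user ids (`emilia`, `beatrice`, `charlie`), the document texts and the query are all assumptions; in the real test the interface would be satisfied by a wrapper around the SpiceDB client's CheckPermission call.

```go
package main

import (
	"context"
	"fmt"
	"sort"
	"strings"
)

// Document is what the retriever returns and what the post-filter authorizes.
type Document struct {
	ID   string // SpiceDB object id of resource type "document", e.g. "doc1"
	Text string
}

// PermissionChecker is the seam between the pipeline and the authorizer.
// Assumption: the repo's own code calls the SpiceDB client directly; this
// interface exists so the fake below can stand in for the container.
type PermissionChecker interface {
	CheckPermission(ctx context.Context, userID, docID, permission string) (bool, error)
}

// retrieve is the trivial retrieval step: case-insensitive substring match.
func retrieve(docs []Document, query string) []Document {
	q := strings.ToLower(query)
	var hits []Document
	for _, d := range docs {
		if strings.Contains(strings.ToLower(d.Text), q) {
			hits = append(hits, d)
		}
	}
	return hits
}

// PermissionAwareRetrieve is the post-filter pattern: retrieve first, then ask
// the authorizer about every candidate and drop what the user may not read.
// A failed check is returned as an error rather than treated as allow, so the
// filter fails closed. Returned ids are sorted for deterministic assertions.
func PermissionAwareRetrieve(ctx context.Context, checker PermissionChecker, docs []Document, userID, query string) ([]string, error) {
	var allowed []string
	for _, d := range retrieve(docs, query) {
		ok, err := checker.CheckPermission(ctx, userID, d.ID, "read")
		if err != nil {
			return nil, fmt.Errorf("checking read on document:%s for user:%s: %w", d.ID, userID, err)
		}
		if ok {
			allowed = append(allowed, d.ID)
		}
	}
	sort.Strings(allowed)
	return allowed, nil
}

// fakeSpiceDB evaluates the demo schema in memory (assumed schema text):
//
//	definition user {}
//	definition document {
//	    relation owner: user
//	    relation viewer: user | user:*
//	    permission read = owner + viewer
//	}
type fakeSpiceDB struct {
	owner  map[string]string          // document id -> owning user id
	viewer map[string]map[string]bool // document id -> viewer ids; "*" models user:*
}

func (f *fakeSpiceDB) CheckPermission(_ context.Context, userID, docID, permission string) (bool, error) {
	if permission != "read" {
		return false, fmt.Errorf("permission %q is not defined on document", permission)
	}
	if userID == "" || userID == "*" {
		return false, fmt.Errorf("invalid subject id %q", userID)
	}
	if f.owner[docID] == userID {
		return true, nil // owner branch of: read = owner + viewer
	}
	v := f.viewer[docID]
	return v[userID] || v["*"], nil // viewer branch, including the wildcard
}

// seedDemo writes the README's relationships: emilia owns doc1, beatrice views
// doc2, everyone (user:*) views doc3.
func seedDemo() *fakeSpiceDB {
	return &fakeSpiceDB{
		owner: map[string]string{"doc1": "emilia"},
		viewer: map[string]map[string]bool{
			"doc2": {"beatrice": true},
			"doc3": {"*": true},
		},
	}
}

// demoDocs is a constructed corpus; every text contains "roadmap" so a single
// query retrieves all three and only the post-filter decides what each user sees.
var demoDocs = []Document{
	{ID: "doc1", Text: "Q3 roadmap draft, owner-only"},
	{ID: "doc2", Text: "Roadmap review notes shared with Beatrice"},
	{ID: "doc3", Text: "Public roadmap summary for the whole company"},
}

func main() {
	ctx := context.Background()
	checker := seedDemo()
	for _, user := range []string{"emilia", "beatrice", "charlie"} {
		ids, err := PermissionAwareRetrieve(ctx, checker, demoDocs, user, "roadmap")
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-9s sees %v\n", user, ids)
	}
}
```

Swapping `seedDemo()` for a checker backed by the Testcontainers SpiceDB instance is the only change needed to turn this into the real test; the assertions stay the same, which is the point of keeping the authorizer behind a narrow interface.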
```text
.
├── rag.go               # Minimal RAG pipeline with SpiceDB post-filtering
├── rag_spicedb_test.go  # Main test using Testcontainers + SpiceDB
└── go.mod               # Dependencies
```
No external vector DBs or LLMs are used here — the goal is to keep the demo lightweight and focused on authorization testing.
- For a self-guided workshop on fine-grained authorization using pre-filter and post-filter visit this repo
- To build a production-grade multi-tenant RAG pipeline, follow this guide
- Go 1.21+
- Docker Desktop
```sh
# First, tidy dependencies
go mod tidy
# Then run tests
go test -v
```
You should see:
- Testcontainers starting a SpiceDB container
- Schema being written
- Relationships being inserted
- Permission-aware RAG results being asserted
- Test passing 🎉