diff --git a/app/authzed/concepts/restricted-api-access/page.mdx b/app/authzed/concepts/restricted-api-access/page.mdx
index b8ca1e6..56429df 100644
--- a/app/authzed/concepts/restricted-api-access/page.mdx
+++ b/app/authzed/concepts/restricted-api-access/page.mdx
@@ -99,6 +99,15 @@ Policies are what bind Roles to a Service Account.
Each policy is composed of a unique identifier for the policy itself, the principal (the target of the role assignment), and any roles being assigned.
+
+ **Policies are additive.** When multiple policies apply to the same Service
+ Account, the resulting permissions are the union of all permissions granted by
+ those policies. This means a Service Account with multiple policies will have
+ access to any API method allowed by any of its policies. For example, if one
+ policy grants read access and another grants write access, the Service Account
+ will have both read and write access.
+
+
## Task-Specific Configuration
### `zed backup`/`zed restore`
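Review bot: The added "Policies are additive" paragraph describes only the union case and leaves its main consequence implicit: if permissions are the union of every policy, binding a narrower policy cannot reduce what a Service Account can already do. Suggest stating that outright, for example a closing sentence saying that access is narrowed only by removing or editing the policy that grants it, so anyone auditing a Service Account knows to review every policy bound to it. The two consecutive added blank lines before "## Task-Specific Configuration" also run against the rest of this patch, which strips doubled blank lines; keep one.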
diff --git a/app/spicedb/concepts/commands/page.mdx b/app/spicedb/concepts/commands/page.mdx
index 8fd57da..e41f4eb 100644
--- a/app/spicedb/concepts/commands/page.mdx
+++ b/app/spicedb/concepts/commands/page.mdx
@@ -27,13 +27,12 @@ A database that stores and computes permissions
### Children commands
-- [spicedb datastore](#reference-spicedb-datastore) - datastore operations
-- [spicedb lsp](#reference-spicedb-lsp) - serve language server protocol
-- [spicedb man](#reference-spicedb-man) - Generate man page
-- [spicedb serve](#reference-spicedb-serve) - serve the permissions database
-- [spicedb serve-testing](#reference-spicedb-serve-testing) - test server with an in-memory datastore
-- [spicedb version](#reference-spicedb-version) - displays the version of SpiceDB
-
+- [spicedb datastore](#reference-spicedb-datastore) - datastore operations
+- [spicedb lsp](#reference-spicedb-lsp) - serve language server protocol
+- [spicedb man](#reference-spicedb-man) - Generate man page
+- [spicedb serve](#reference-spicedb-serve) - serve the permissions database
+- [spicedb serve-testing](#reference-spicedb-serve-testing) - test server with an in-memory datastore
+- [spicedb version](#reference-spicedb-version) - displays the version of SpiceDB
## Reference: `spicedb datastore`
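Review bot: The six removed and six re-added bullets under "### Children commands" read identically, so this hunk is a whitespace-only rewrite travelling in the same patch as the policy-semantics change in restricted-api-access/page.mdx. Suggest moving the formatting churn into its own commit so the one substantive documentation change is easy to find in history and can be reverted independently.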
@@ -49,11 +48,10 @@ Operations against the configured datastore
### Children commands
-- [spicedb datastore gc](#reference-spicedb-datastore-gc) - executes garbage collection
-- [spicedb datastore head](#reference-spicedb-datastore-head) - compute the head (latest) database migration revision available
-- [spicedb datastore migrate](#reference-spicedb-datastore-migrate) - execute datastore schema migrations
-- [spicedb datastore repair](#reference-spicedb-datastore-repair) - executes datastore repair
-
+- [spicedb datastore gc](#reference-spicedb-datastore-gc) - executes garbage collection
+- [spicedb datastore head](#reference-spicedb-datastore-head) - compute the head (latest) database migration revision available
+- [spicedb datastore migrate](#reference-spicedb-datastore-migrate) - execute datastore schema migrations
+- [spicedb datastore repair](#reference-spicedb-datastore-repair) - executes datastore repair
## Reference: `spicedb datastore gc`
@@ -148,8 +146,6 @@ spicedb datastore gc [flags]
--skip-release-check if true, skips checking for new SpiceDB releases
```
-
-
## Reference: `spicedb datastore head`
compute the head (latest) database migration revision available
@@ -181,8 +177,6 @@ spicedb datastore head [flags]
--skip-release-check if true, skips checking for new SpiceDB releases
```
-
-
## Reference: `spicedb datastore migrate`
Executes datastore schema migrations for the datastore.
@@ -222,8 +216,6 @@ spicedb datastore migrate [revision] [flags]
--skip-release-check if true, skips checking for new SpiceDB releases
```
-
-
## Reference: `spicedb datastore repair`
Executes a repair operation for the datastore
@@ -317,8 +309,6 @@ spicedb datastore repair [flags]
--skip-release-check if true, skips checking for new SpiceDB releases
```
-
-
## Reference: `spicedb lsp`
serve language server protocol
@@ -342,12 +332,10 @@ spicedb lsp [flags]
--skip-release-check if true, skips checking for new SpiceDB releases
```
-
-
## Reference: `spicedb man`
Generate a man page for SpiceDB.
- The output can be redirected to a file and installed to the system:
+The output can be redirected to a file and installed to the system:
```
spicedb man > spicedb.1
@@ -355,7 +343,6 @@ Generate a man page for SpiceDB.
sudo mandb # Update man page database
```
-
```
spicedb man
```
@@ -368,8 +355,6 @@ spicedb man
--skip-release-check if true, skips checking for new SpiceDB releases
```
-
-
## Reference: `spicedb serve`
start a SpiceDB server
@@ -558,8 +543,6 @@ spicedb serve [flags]
--skip-release-check if true, skips checking for new SpiceDB releases
```
-
-
## Reference: `spicedb serve-testing`
An in-memory spicedb server which serves completely isolated datastores per client-supplied auth token used.
@@ -621,8 +604,6 @@ spicedb serve-testing [flags]
--skip-release-check if true, skips checking for new SpiceDB releases
```
-
-
## Reference: `spicedb version`
displays the version of SpiceDB
@@ -644,6 +625,3 @@ spicedb version [flags]
--log-level string verbosity of logging ("trace", "debug", "info", "warn", "error") (default "info")
--skip-release-check if true, skips checking for new SpiceDB releases
```
-
-
-
diff --git a/app/spicedb/getting-started/installing-zed/page.mdx b/app/spicedb/getting-started/installing-zed/page.mdx
index df4abc9..83b0a0e 100644
--- a/app/spicedb/getting-started/installing-zed/page.mdx
+++ b/app/spicedb/getting-started/installing-zed/page.mdx
@@ -1,4 +1,4 @@
-import { Callout } from 'nextra/components'
+import { Callout } from "nextra/components";
# Installing Zed
@@ -123,7 +123,6 @@ You can find more commands for tasks such as testing, linting in the repository'
[CONTRIBUTING.md]: https://github.com/authzed/zed/blob/main/CONTRIBUTING.md
-
## Reference: `zed`
A command-line client for managing SpiceDB clusters.
@@ -161,17 +160,16 @@ zed permission check --explain document:firstdoc writer user:emilia
### Children commands
-- [zed backup](#reference-zed-backup) - Create, restore, and inspect permissions system backups
-- [zed context](#reference-zed-context) - Manage configurations for connecting to SpiceDB deployments
-- [zed import](#reference-zed-import) - Imports schema and relationships from a file or url
-- [zed mcp](#reference-zed-mcp) - MCP (Model Context Protocol) server commands
-- [zed permission](#reference-zed-permission) - Query the permissions in a permissions system
-- [zed relationship](#reference-zed-relationship) - Query and mutate the relationships in a permissions system
-- [zed schema](#reference-zed-schema) - Manage schema for a permissions system
-- [zed use](#reference-zed-use) - Alias for `zed context use`
-- [zed validate](#reference-zed-validate) - Validates the given validation file (.yaml, .zaml) or schema file (.zed)
-- [zed version](#reference-zed-version) - Display zed and SpiceDB version information
-
+- [zed backup](#reference-zed-backup) - Create, restore, and inspect permissions system backups
+- [zed context](#reference-zed-context) - Manage configurations for connecting to SpiceDB deployments
+- [zed import](#reference-zed-import) - Imports schema and relationships from a file or url
+- [zed mcp](#reference-zed-mcp) - MCP (Model Context Protocol) server commands
+- [zed permission](#reference-zed-permission) - Query the permissions in a permissions system
+- [zed relationship](#reference-zed-relationship) - Query and mutate the relationships in a permissions system
+- [zed schema](#reference-zed-schema) - Manage schema for a permissions system
+- [zed use](#reference-zed-use) - Alias for `zed context use`
+- [zed validate](#reference-zed-validate) - Validates the given validation file (.yaml, .zaml) or schema file (.zed)
+- [zed version](#reference-zed-version) - Display zed and SpiceDB version information
## Reference: `zed backup`
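Review bot: The re-added bullets carry over the wording inconsistencies of the old ones: "from a file or url" should read "URL", and the descriptions mix imperative ("Manage", "Query") with third person ("Imports", "Validates"). Since every line in the list is being rewritten anyway, this is the pass to fix them; if the text comes from the CLI help strings, the fix belongs there rather than in this page.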
@@ -210,13 +208,12 @@ zed backup [flags]
### Children commands
-- [zed backup create](#reference-zed-backup-create) - Backup a permission system to a file
-- [zed backup parse-relationships](#reference-zed-backup-parse-relationships) - Extract the relationships from a backup file
-- [zed backup parse-revision](#reference-zed-backup-parse-revision) - Extract the revision from a backup file
-- [zed backup parse-schema](#reference-zed-backup-parse-schema) - Extract the schema from a backup file
-- [zed backup redact](#reference-zed-backup-redact) - Redact a backup file to remove sensitive information
-- [zed backup restore](#reference-zed-backup-restore) - Restore a permission system from a file
-
+- [zed backup create](#reference-zed-backup-create) - Backup a permission system to a file
+- [zed backup parse-relationships](#reference-zed-backup-parse-relationships) - Extract the relationships from a backup file
+- [zed backup parse-revision](#reference-zed-backup-parse-revision) - Extract the revision from a backup file
+- [zed backup parse-schema](#reference-zed-backup-parse-schema) - Extract the schema from a backup file
+- [zed backup redact](#reference-zed-backup-redact) - Redact a backup file to remove sensitive information
+- [zed backup restore](#reference-zed-backup-restore) - Restore a permission system from a file
## Reference: `zed backup create`
@@ -253,8 +250,6 @@ zed backup create [flags]
--token string token used to authenticate to SpiceDB
```
-
-
## Reference: `zed backup parse-relationships`
Extract the relationships from a backup file
@@ -289,8 +284,6 @@ zed backup parse-relationships [flags]
--token string token used to authenticate to SpiceDB
```
-
-
## Reference: `zed backup parse-revision`
Extract the revision from a backup file
@@ -318,8 +311,6 @@ zed backup parse-revision
--token string token used to authenticate to SpiceDB
```
-
-
## Reference: `zed backup parse-schema`
Extract the schema from a backup file
@@ -354,8 +345,6 @@ zed backup parse-schema [flags]
--token string token used to authenticate to SpiceDB
```
-
-
## Reference: `zed backup redact`
Redact a backup file to remove sensitive information
@@ -392,8 +381,6 @@ zed backup redact [flags]
--token string token used to authenticate to SpiceDB
```
-
-
## Reference: `zed backup restore`
Restore a permission system from a file
@@ -433,8 +420,6 @@ zed backup restore [flags]
--token string token used to authenticate to SpiceDB
```
-
-
## Reference: `zed context`
Manage configurations for connecting to SpiceDB deployments
@@ -460,11 +445,10 @@ Manage configurations for connecting to SpiceDB deployments
### Children commands
-- [zed context list](#reference-zed-context-list) - Lists all available contexts
-- [zed context remove](#reference-zed-context-remove) - Removes a context by name
-- [zed context set](#reference-zed-context-set) - Creates or overwrite a context
-- [zed context use](#reference-zed-context-use) - Sets a context as the current context
-
+- [zed context list](#reference-zed-context-list) - Lists all available contexts
+- [zed context remove](#reference-zed-context-remove) - Removes a context by name
+- [zed context set](#reference-zed-context-set) - Creates or overwrite a context
+- [zed context use](#reference-zed-context-use) - Sets a context as the current context
## Reference: `zed context list`
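Review bot: The re-added `zed context set` bullet still reads "Creates or overwrite a context"; it should be "Creates or overwrites a context". The same phrase appears under the "## Reference: `zed context set`" heading later in this file, so both places need the correction.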
@@ -499,8 +483,6 @@ zed context list [flags]
--token string token used to authenticate to SpiceDB
```
-
-
## Reference: `zed context remove`
Removes a context by name
@@ -528,8 +510,6 @@ zed context remove
--token string token used to authenticate to SpiceDB
```
-
-
## Reference: `zed context set`
Creates or overwrite a context
@@ -557,8 +537,6 @@ zed context set
--token string token used to authenticate to SpiceDB
```
-
-
## Reference: `zed context use`
Sets a context as the current context
@@ -586,8 +564,6 @@ zed context use
--token string token used to authenticate to SpiceDB
```
-
-
## Reference: `zed import`
Imports schema and relationships from a file or url
@@ -658,8 +634,6 @@ zed import [flags]
--token string token used to authenticate to SpiceDB
```
-
-
## Reference: `zed mcp`
MCP (Model Context Protocol) server commands.
@@ -689,8 +663,7 @@ To use with Claude Code, run `zed mcp experimental-run` to start the SpiceDB Dev
### Children commands
-- [zed mcp experimental-run](#reference-zed-mcp-experimental-run) - Run the Experimental MCP server
-
+- [zed mcp experimental-run](#reference-zed-mcp-experimental-run) - Run the Experimental MCP server
## Reference: `zed mcp experimental-run`
@@ -725,8 +698,6 @@ zed mcp experimental-run [flags]
--token string token used to authenticate to SpiceDB
```
-
-
## Reference: `zed permission`
Query the permissions in a permissions system
@@ -752,12 +723,11 @@ Query the permissions in a permissions system
### Children commands
-- [zed permission bulk](#reference-zed-permission-bulk) - Check permissions in bulk exist for resource-permission-subject triplets
-- [zed permission check](#reference-zed-permission-check) - Check if a subject has permission on a resource
-- [zed permission expand](#reference-zed-permission-expand) - Expand the structure of a permission
-- [zed permission lookup-resources](#reference-zed-permission-lookup-resources) - Enumerates the resources of a given type for which a subject has permission
-- [zed permission lookup-subjects](#reference-zed-permission-lookup-subjects) - Enumerates the subjects of a given type for which the subject has permission on the resource
-
+- [zed permission bulk](#reference-zed-permission-bulk) - Check permissions in bulk exist for resource-permission-subject triplets
+- [zed permission check](#reference-zed-permission-check) - Check if a subject has permission on a resource
+- [zed permission expand](#reference-zed-permission-expand) - Expand the structure of a permission
+- [zed permission lookup-resources](#reference-zed-permission-lookup-resources) - Enumerates the resources of a given type for which a subject has permission
+- [zed permission lookup-subjects](#reference-zed-permission-lookup-subjects) - Enumerates the subjects of a given type for which the subject has permission on the resource
## Reference: `zed permission bulk`
@@ -799,8 +769,6 @@ zed permission bulk [flags]
--token string token used to authenticate to SpiceDB
```
-
-
## Reference: `zed permission expand`
Expand the structure of a permission
@@ -882,8 +848,6 @@ zed permission expand [flags]
--token string token used to authenticate to SpiceDB
```
-
-
## Reference: `zed permission lookup-resources`
Enumerates the resources of a given type for which a subject has permission
@@ -926,8 +890,6 @@ zed permission lookup-resources [flags]
--token string token used to authenticate to SpiceDB
```
-
-
## Reference: `zed permission lookup-subjects`
Enumerates the subjects of a given type for which the subject has permission on the resource
@@ -967,8 +929,6 @@ zed permission lookup-subjects [flags]
zed preview schema compile schema.zed 1> compiled.zed
Write to a file:
zed preview schema compile root.zed --out compiled.zed
-
+
```
### Options
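Review bot: The blank line directly before the closing code fence is removed and then added straight back, so the example block still ends with an empty line while the other hunks in this file strip trailing blanks. Drop the added line so the block ends on the `zed preview schema compile root.zed --out compiled.zed` example.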
@@ -1015,8 +975,6 @@ zed preview schema compile [flags]
--token string token used to authenticate to SpiceDB
```
-
-
## Reference: `zed relationship`
Query and mutate the relationships in a permissions system
@@ -1042,13 +1000,12 @@ Query and mutate the relationships in a permissions system
### Children commands
-- [zed relationship bulk-delete](#reference-zed-relationship-bulk-delete) - Deletes relationships matching the provided pattern en masse
-- [zed relationship create](#reference-zed-relationship-create) - Create a relationship for a subject
-- [zed relationship delete](#reference-zed-relationship-delete) - Deletes a relationship
-- [zed relationship read](#reference-zed-relationship-read) - Enumerates relationships matching the provided pattern
-- [zed relationship touch](#reference-zed-relationship-touch) - Idempotently updates a relationship for a subject
-- [zed relationship watch](#reference-zed-relationship-watch) - Watches the stream of relationship updates and schema updates from the server
-
+- [zed relationship bulk-delete](#reference-zed-relationship-bulk-delete) - Deletes relationships matching the provided pattern en masse
+- [zed relationship create](#reference-zed-relationship-create) - Create a relationship for a subject
+- [zed relationship delete](#reference-zed-relationship-delete) - Deletes a relationship
+- [zed relationship read](#reference-zed-relationship-read) - Enumerates relationships matching the provided pattern
+- [zed relationship touch](#reference-zed-relationship-touch) - Idempotently updates a relationship for a subject
+- [zed relationship watch](#reference-zed-relationship-watch) - Watches the stream of relationship updates and schema updates from the server
## Reference: `zed relationship bulk-delete`
@@ -1085,8 +1042,6 @@ zed relationship bulk-delete <
--token string token used to authenticate to SpiceDB
```
-
-
## Reference: `zed relationship touch`
Idempotently updates a relationship for a subject
@@ -1265,8 +1214,6 @@ zed relationship touch [flags]
--token string token used to authenticate to SpiceDB
```
-
-
## Reference: `zed schema diff`
Diff two schema files
@@ -1410,8 +1352,6 @@ zed schema diff
--token string token used to authenticate to SpiceDB
```
-
-
## Reference: `zed schema read`
Read the schema of a permissions system
@@ -1445,8 +1385,6 @@ zed schema read [flags]
--token string token used to authenticate to SpiceDB
```
-
-
## Reference: `zed schema write`
Write a schema file (.zed or stdin) to the current permissions system
@@ -1492,8 +1430,6 @@ zed schema write [flags]
--token string token used to authenticate to SpiceDB
```
-
-
## Reference: `zed use`
Alias for `zed context use`
@@ -1521,8 +1457,6 @@ zed use
--token string token used to authenticate to SpiceDB
```
-
-
## Reference: `zed validate`
Validates the given validation file (.yaml, .zaml) or schema file (.zed)
@@ -1581,8 +1515,6 @@ zed validate [flags]
--token string token used to authenticate to SpiceDB
```
-
-
## Reference: `zed version`
Display zed and SpiceDB version information
@@ -1616,6 +1548,3 @@ zed version [flags]
--skip-version-check if true, no version check is performed against the server
--token string token used to authenticate to SpiceDB
```
-
-
-