feat: Add pre-filter authorization via LookupResources + remove fail_open #4

Merged: sohanmaheshwar merged 25 commits into main from feat/pre-filter-authorization on May 19, 2026

@sohanmaheshwar (Collaborator) commented Apr 17, 2026

Summary

  • New: `SpiceDBPreFilterRetriever` — LangChain `BaseRetriever` that calls SpiceDB's `LookupResources` first, then runs a filtered vector store search. Use when users have access to a small fraction of a large corpus.
  • New: `create_lookup_resources_node` — LangGraph node that combines LookupResources + filtered vector search in one step. Reads `subject_id` + `question` from state, writes `authorized_documents`.
  • New: `SpiceDBAuthorizer.lookup_resources()` — underlying method wrapping SpiceDB's `LookupResources` gRPC streaming API.
  • Breaking: `create_auth_node` renamed to `create_check_permissions_node` — aligns with SpiceDB API naming.
  • Breaking: `fail_open` removed from all components — errors now always propagate.
  • Breaking: `SpiceDBRetriever` removed — superseded by `SpiceDBAuthFilter`.
  • Breaking: `SpiceDBAuthLambda` removed — superseded by `SpiceDBAuthFilter`.

Breaking Changes

This release bumps to v0.2.0. See CHANGELOG.md for full details.

| Symbol | Change | Migration |
|---|---|---|
| `SpiceDBRetriever` | Removed | Use `base_retriever \| SpiceDBAuthFilter` and pass `subject_id` via `config={"configurable": {"subject_id": "alice"}}` |
| `SpiceDBAuthLambda` | Removed | Use `SpiceDBAuthFilter` directly: `RunnableLambda(retriever) \| auth_filter` |
| `create_auth_node` | Renamed to `create_check_permissions_node` | Update imports and call sites |
| `fail_open` parameter | Removed | Remove the argument — errors now surface instead of silently granting access |

Component Lineup After This PR

| Component | Pattern | Interface |
|---|---|---|
| `SpiceDBAuthFilter` | Post-filter | `Runnable` (pipe operator) |
| `SpiceDBPreFilterRetriever` | Pre-filter | `BaseRetriever` |
| `SpiceDBPermissionTool` / `SpiceDBBulkPermissionTool` | Check | LangChain Tool |
| `create_check_permissions_node` | Post-filter | LangGraph node |
| `create_lookup_resources_node` | Pre-filter | LangGraph node |

Test Plan

  • 41/41 unit tests pass (`pytest tests/unit_tests/`)
  • Manually test `SpiceDBPreFilterRetriever` with a live SpiceDB instance
  • Manually test `create_lookup_resources_node` in a LangGraph workflow
  • Verify SpiceDB errors raise instead of silently passing (fail_open removed)
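
The pre-filter pattern and the `fail_open` removal described in the summary above, as an added example that is not part of the pull request or the library's code. `lookup_resources`, `search`, `CORPUS` and `GRANTS` are hypothetical in-memory stand-ins for SpiceDB's `LookupResources` and a vector store with an ID filter.

```python
# Added illustration: all names and data are hypothetical stand-ins, not the library's API.
CORPUS = {  # constructed sample documents: id -> text
    "doc1": "quarterly revenue forecast for finance",
    "doc2": "revenue recognition policy",
    "doc3": "onboarding guide for engineers",
    "doc4": "revenue dashboard access runbook",
}
GRANTS = {"alice": {"doc2", "doc3"}, "bob": set()}  # constructed: subject -> viewable ids


class AuthzUnavailable(RuntimeError):
    """The permission backend could not answer."""


def lookup_resources(subject_id, healthy=True):
    """Stand-in for LookupResources: every document id the subject may view."""
    if not healthy:
        raise AuthzUnavailable("permission backend unreachable")
    return set(GRANTS.get(subject_id, set()))


def search(question, k, allowed_ids=None):
    """Toy keyword-overlap ranking standing in for a vector search with an id filter."""
    terms = set(question.lower().split())
    pool = CORPUS if allowed_ids is None else {i: CORPUS[i] for i in allowed_ids if i in CORPUS}
    scored = [(len(terms & set(text.split())), doc_id) for doc_id, text in pool.items()]
    top = sorted(scored, key=lambda s: (-s[0], s[1]))[:k]
    return [doc_id for score, doc_id in top if score > 0]


def pre_filter_retrieve(subject_id, question, k=2, healthy=True):
    """Authorize first, then search only inside the authorized set."""
    allowed = lookup_resources(subject_id, healthy)  # an error propagates: no fail-open path
    if not allowed:
        return []  # nothing authorized, so the search is skipped entirely
    return search(question, k, allowed_ids=allowed)


def post_filter_retrieve(subject_id, question, k=2, healthy=True):
    """Search first, then drop hits the subject may not view."""
    allowed = lookup_resources(subject_id, healthy)  # an error propagates here as well
    return [doc_id for doc_id in search(question, k) if doc_id in allowed]


if __name__ == "__main__":
    q = "revenue forecast dashboard"
    print("post-filter:", post_filter_retrieve("alice", q))  # top-k spent on denied docs
    print("pre-filter: ", pre_filter_retrieve("alice", q))
```

With the constructed data, the unfiltered top-2 hits are both documents alice cannot view, so the post-filter path returns nothing while the pre-filter path still returns her authorized match.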

Removes the fail_open parameter from SpiceDBRetriever, SpiceDBAuthFilter,
SpiceDBAuthLambda, SpiceDBAuthTool, create_auth_node, and AuthorizationNode.
Also removes fail_open-related tests from unit and integration test suites.

Implements LookupResources streaming API on SpiceDBAuthorizer, enabling
pre-filter authorization by returning all resource IDs a subject can access.

…te_pre_filter_auth_node→create_lookup_resources_node

@sohanmaheshwar sohanmaheshwar merged commit ba8fd90 into main May 19, 2026
3 of 10 checks passed
@github-actions github-actions Bot locked and limited conversation to collaborators May 19, 2026