authzed · barakmich · Oct 29, 2025 · Oct 29, 2025 · Oct 29, 2025 · Oct 29, 2025
@@ -4,9 +4,7 @@
 package integrationtesting_test
 
 import (
-	"fmt"
 	"path/filepath"
-	"strings"
 	"testing"
 
 	"github.com/stretchr/testify/require"
@@ -108,50 +106,68 @@ func runQueryPlanAssertions(t *testing.T, handle *queryPlanConsistencyHandle) {
 					for _, assertion := range entry.assertions {
 						assertion := assertion
 						t.Run(assertion.RelationshipWithContextString, func(t *testing.T) {
-							require := require.New(t)
-
-							rel := assertion.Relationship
-							it, err := query.BuildIteratorFromSchema(handle.schema, rel.Resource.ObjectType, rel.Resource.Relation)
-							require.NoError(err)
-
-							qctx := handle.buildContext(t)
+							// Run both unoptimized and optimized versions
+							for _, optimizationMode := range []struct {
+								name     string
+								optimize bool
+							}{
+								{"unoptimized", false},
+								{"optimized", true},
+							} {
+								optimizationMode := optimizationMode
+								t.Run(optimizationMode.name, func(t *testing.T) {
+									require := require.New(t)
+
+									rel := assertion.Relationship
+									it, err := query.BuildIteratorFromSchema(handle.schema, rel.Resource.ObjectType, rel.Resource.Relation)
+									require.NoError(err)
+
+									// Apply static optimizations if requested
+									if optimizationMode.optimize {
+										it, _, err = query.ApplyOptimizations(it, query.StaticOptimizations)
+										require.NoError(err)
+									}
 
-							// Add caveat context from assertion if available
-							if len(assertion.CaveatContext) > 0 {
-								qctx.CaveatContext = assertion.CaveatContext
-							}
+									qctx := handle.buildContext(t)
 
-							seq, err := qctx.Check(it, []query.Object{query.GetObject(rel.Resource)}, rel.Subject)
-							require.NoError(err)
+									// Add caveat context from assertion if available
+									if len(assertion.CaveatContext) > 0 {
+										qctx.CaveatContext = assertion.CaveatContext
+									}
 
-							rels, err := query.CollectAll(seq)
-							require.NoError(err)
+									seq, err := qctx.Check(it, []query.Object{query.GetObject(rel.Resource)}, rel.Subject)
+									require.NoError(err)
+
+									rels, err := query.CollectAll(seq)
+									require.NoError(err)
+
+									// Print trace if test fails
+									if qctx.TraceLogger != nil {
+										defer func() {
+											if t.Failed() {
+												t.Logf("Trace for %s:\n%s", entry.name, qctx.TraceLogger.DumpTrace())
+												// Also print the tree structure for debugging
+												if it != nil {
+													t.Logf("Tree structure:\n%s", it.Explain().String())
+												}
+											}
+										}()
+									}
 
-							// Print trace if test fails
-							if qctx.TraceLogger != nil {
-								defer func() {
-									if t.Failed() {
-										t.Logf("Trace for %s:\n%s", entry.name, qctx.TraceLogger.DumpTrace())
-										// Also print the tree structure for debugging
-										if it != nil {
-											t.Logf("Tree structure:\n%s", explainTree(it, 0))
+									switch entry.expectedPermissionship {
+									case v1.CheckPermissionResponse_PERMISSIONSHIP_CONDITIONAL_PERMISSION:
+										require.Len(rels, 1)
+										require.NotNil(rels[0].Caveat)
+									case v1.CheckPermissionResponse_PERMISSIONSHIP_HAS_PERMISSION:
+										require.Len(rels, 1)
+										require.Nil(rels[0].Caveat)
+									case v1.CheckPermissionResponse_PERMISSIONSHIP_NO_PERMISSION:
+										if len(rels) != 0 && qctx.TraceLogger != nil {
+											t.Logf("Expected 0 relations but got %d. Trace:\n%s", len(rels), qctx.TraceLogger.DumpTrace())
 										}
+										require.Len(rels, 0)
 									}
-								}()
-							}
-
-							switch entry.expectedPermissionship {
-							case v1.CheckPermissionResponse_PERMISSIONSHIP_CONDITIONAL_PERMISSION:
-								require.Len(rels, 1)
-								require.NotNil(rels[0].Caveat)
-							case v1.CheckPermissionResponse_PERMISSIONSHIP_HAS_PERMISSION:
-								require.Len(rels, 1)
-								require.Nil(rels[0].Caveat)
-							case v1.CheckPermissionResponse_PERMISSIONSHIP_NO_PERMISSION:
-								if len(rels) != 0 && qctx.TraceLogger != nil {
-									t.Logf("Expected 0 relations but got %d. Trace:\n%s", len(rels), qctx.TraceLogger.DumpTrace())
-								}
-								require.Len(rels, 0)
+								})
 							}
 						})
 					}
@@ -160,21 +176,3 @@ func runQueryPlanAssertions(t *testing.T, handle *queryPlanConsistencyHandle) {
 		}
 	})
 }
-
-// explainTree recursively explains the tree structure for debugging
-func explainTree(iter query.Iterator, depth int) string {
-	indent := strings.Repeat("  ", depth)
-	explain := iter.Explain()
-	result := fmt.Sprintf("%s%s: %s\n", indent, explain.Name, explain.Info)
-
-	for _, subExplain := range explain.SubExplain {
-		// For SubExplain, we need to create a dummy iterator to get the tree structure
-		// This is a simplified approach - in practice we'd need access to the actual sub-iterators
-		subResult := fmt.Sprintf("%s  %s: %s\n", indent, subExplain.Name, subExplain.Info)
-		result += subResult
-		// Note: We can't recursively call explainTree on SubExplain because it's not an Iterator
-		// This gives us one level of detail which should be sufficient for debugging
-	}
-
-	return result
-}
@@ -39,7 +39,8 @@ func (a *Alias) CheckImpl(ctx *Context, resources []Object, subject ObjectAndRel
 				return nil, err
 			}
 
-			return func(yield func(Path, error) bool) {
+			// Create combined sequence with self-edge and rewritten paths
+			combined := func(yield func(Path, error) bool) {
 				// Yield the self-edge first
 				if !yield(selfPath, nil) {
 					return
@@ -57,7 +58,10 @@ func (a *Alias) CheckImpl(ctx *Context, resources []Object, subject ObjectAndRel
 						return
 					}
 				}
-			}, nil
+			}
+
+			// Wrap with deduplication to handle duplicate paths after rewriting
+			return DeduplicatePathSeq(combined), nil
 		}
 	}
 
@@ -67,7 +71,7 @@ func (a *Alias) CheckImpl(ctx *Context, resources []Object, subject ObjectAndRel
 		return nil, err
 	}
 
-	return func(yield func(Path, error) bool) {
+	rewritten := func(yield func(Path, error) bool) {
 		for path, err := range subSeq {
 			if err != nil {
 				yield(Path{}, err)
@@ -79,7 +83,10 @@ func (a *Alias) CheckImpl(ctx *Context, resources []Object, subject ObjectAndRel
 				return
 			}
 		}
-	}, nil
+	}
+
+	// Wrap with deduplication to handle duplicate paths after rewriting
+	return DeduplicatePathSeq(rewritten), nil
 }
 
 func (a *Alias) IterSubjectsImpl(ctx *Context, resource Object) (PathSeq, error) {

@@ -0,0 +1,97 @@
+package query
+
+// TypedOptimizerFunc is a function that transforms an iterator of a specific type T
+// into a potentially optimized iterator. It returns the optimized iterator, a boolean
+// indicating whether any optimization was performed, and an error if the optimization failed.
+//
+// The type parameter T constrains the function to operate only on specific iterator types,
+// providing compile-time type safety when creating typed optimizers.
+type TypedOptimizerFunc[T Iterator] func(it T) (Iterator, bool, error)
+
+// OptimizerFunc is a type-erased wrapper around TypedOptimizerFunc[T] that can be
+// stored in a homogeneous list while maintaining type safety at runtime.
+type OptimizerFunc func(it Iterator) (Iterator, bool, error)
+
+// WrapOptimizer wraps a typed TypedOptimizerFunc[T] into a type-erased OptimizerFunc.
+// This allows optimizer functions for different concrete iterator types to be stored
+// together in a heterogeneous list.
+func WrapOptimizer[T Iterator](fn TypedOptimizerFunc[T]) OptimizerFunc {
+	return func(it Iterator) (Iterator, bool, error) {
+		if v, ok := it.(T); ok {
+			return fn(v)
+		}
+		return it, false, nil
+	}
+}
+
+// StaticOptimizations is a list of optimization functions that can be safely applied
+// to any iterator tree without needing runtime information or context.
+var StaticOptimizations = []OptimizerFunc{
+	RemoveNullIterators,
+	ElideSingletonUnionAndIntersection,
+	WrapOptimizer(PushdownCaveatEvaluation),
+}
+
+// ApplyOptimizations recursively applies a list of optimizer functions to an iterator
+// tree, transforming it into an optimized form.
+//
+// The function operates bottom-up, optimizing leafs and subiterators first, and replacing the
+// subtrees up to the top, which it then returns.
+//
+// Parameters:
+//   - it: The iterator tree to optimize
+//   - fns: A list of optimizer functions to apply
+//
+// Returns:
+//   - The optimized iterator (which may be the same as the input if no optimizations applied)
+//   - A boolean indicating whether any changes were made
+//   - An error if any optimization failed
+func ApplyOptimizations(it Iterator, fns []OptimizerFunc) (Iterator, bool, error) {
+	var err error
+	origSubs := it.Subiterators()
+	changed := false
+	if len(origSubs) != 0 {
+		// Make a copy of the subiterators slice to avoid mutating the original iterator
+		subs := make([]Iterator, len(origSubs))
+		copy(subs, origSubs)
+
+		subChanged := false
+		for i, subit := range subs {
+			newit, ok, err := ApplyOptimizations(subit, fns)
+			if err != nil {
+				return nil, false, err
+			}
+			if ok {
+				subs[i] = newit
+				subChanged = true
+			}
+		}
+		if subChanged {
+			changed = true
+			it, err = it.ReplaceSubiterators(subs)
+			if err != nil {
+				return nil, false, err
+			}
+		}
+	}
+
+	// Apply each optimizer to the current iterator
+	// If any optimizer transforms the iterator, recursively optimize the new tree
+	for _, fn := range fns {
+		newit, fnChanged, err := fn(it)
+		if err != nil {
+			return nil, false, err
+		}
+		if fnChanged {
+			// The iterator was transformed - recursively optimize the new tree
+			// to ensure all optimizations are fully applied
+			optimizedIt, _, err := ApplyOptimizations(newit, fns)
+			if err != nil {
+				return nil, false, err
+			}
+			// Return true for changed since we did transform the iterator
+			return optimizedIt, true, nil
+		}
+	}
+	return it, changed, nil
+}
@@ -0,0 +1,93 @@
+package query
+
+import (
+	core "github.com/authzed/spicedb/pkg/proto/core/v1"
+	"github.com/authzed/spicedb/pkg/spiceerrors"
+)
+
+// PushdownCaveatEvaluation pushes caveat evaluation down through certain composite iterators
+// to allow earlier filtering and better performance.
+//
+// This optimization transforms:
+//
+//	Caveat(Union[A, B]) -> Union[Caveat(A), B] (if only A contains the caveat)
+//	Caveat(Union[A, B]) -> Union[Caveat(A), Caveat(B)] (if both contain the caveat)
+//
+// The pushdown does NOT occur through IntersectionArrow iterators, as they have special
+// semantics that require caveat evaluation to happen after the intersection.
+func PushdownCaveatEvaluation(c *CaveatIterator) (Iterator, bool, error) {
+	// Don't push through IntersectionArrow
+	if _, ok := c.subiterator.(*IntersectionArrow); ok {
+		return c, false, nil
+	}
+
+	// Don't push down if the subiterator is already a CaveatIterator
+	// This prevents infinite recursion
+	if _, ok := c.subiterator.(*CaveatIterator); ok {
+		return c, false, nil
+	}
+
+	// Get the subiterators of the child
+	subs := c.subiterator.Subiterators()
+	if len(subs) == 0 {
+		// No subiterators to push down into (e.g., leaf iterator)
+		return c, false, nil
+	}
+
+	// Find which subiterators contain relations with this caveat
+	newSubs := make([]Iterator, len(subs))
+	changed := false
+	for i, sub := range subs {
+		if containsCaveat(sub, c.caveat) {
+			// Wrap this subiterator with the caveat
+			newSubs[i] = NewCaveatIterator(sub, c.caveat)
+			changed = true
+		} else {
+			// Leave unchanged
+			newSubs[i] = sub
+		}
+	}
+
+	if !changed {
+		return c, false, nil
+	}
+
+	// Replace the subiterators in the child iterator
+	newChild, err := c.subiterator.ReplaceSubiterators(newSubs)
+	if err != nil {
+		return nil, false, err
+	}
+
+	// Return the child without the caveat wrapper
+	return newChild, true, nil
+}
+
+// containsCaveat checks if an iterator tree contains a RelationIterator
+// that references the given caveat.
+func containsCaveat(it Iterator, caveat *core.ContextualizedCaveat) bool {
+	found := false
+	_, err := Walk(it, func(node Iterator) (Iterator, error) {
+		if rel, ok := node.(*RelationIterator); ok {
+			if relationContainsCaveat(rel, caveat) {
+				found = true
+			}
+		}
+		return node, nil
+	})
+	if err != nil {
+		spiceerrors.MustPanicf("should never error -- callback contains no errors, but linters must always check")
+	}
+
+	return found
+}
+
+// relationContainsCaveat checks if a RelationIterator's base relation
+// has a caveat that matches the given caveat name.
+func relationContainsCaveat(rel *RelationIterator, caveat *core.ContextualizedCaveat) bool {
+	if rel.base == nil || caveat == nil {
+		return false
+	}
+
+	// Check if the relation has this caveat
+	return rel.base.Caveat() == caveat.CaveatName
+}