ivanauth · 2025-12-19T22:39:16Z

When writing permission expressions like viewer - blocked & editor, it's easy to assume arithmetic-style precedence. But SpiceDB's actual precedence (exclusion binds loosest, then intersection, then union) can lead to unexpected behavior.

This adds a lint warning that flags mixed operators at the same scope, nudging users to add parentheses and make their intent explicit.

Example:

permission view = viewer - blocked & editor  // warns
permission view = (viewer - blocked) & editor  // ok
permission view = viewer + editor + blocked  // ok (same operator)

The warning can be suppressed with:

// spicedb-ignore-warning: mixed-operators-without-parentheses
permission view = viewer - blocked & editor

Fixes authzed/zed#598

codecov · 2025-12-19T22:44:24Z

Codecov Report

❌ Patch coverage is 58.22785% with 66 lines in your changes missing coverage. Please review.
✅ Project coverage is 73.58%. Comparing base (9b516fc) to head (9d55095).
⚠️ Report is 19 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/namespace/metadata.go	28.08%	36 Missing and 5 partials ⚠️
pkg/development/warningdefs.go	29.42%	11 Missing and 1 partial ⚠️
pkg/schemadsl/compiler/translator.go	81.97%	7 Missing and 4 partials ⚠️
pkg/namespace/builder.go	75.00%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2786      +/-   ##
==========================================
+ Coverage   73.49%   73.58%   +0.10%     
==========================================
  Files         497      499       +2     
  Lines       59685    60325     +640     
==========================================
+ Hits        43860    44387     +527     
- Misses      12651    12734      +83     
- Partials     3174     3204      +30

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

josephschorr · 2026-01-06T22:50:22Z

@ivanauth this won't actually work in all cases, because expressions can cross multiple lines. Instead, this should likely be done by marking the expression during compilation with a piece of metadata, and having the warnings generator read that metadata

ivanauth · 2026-01-07T20:54:04Z

Switched from source-scanning to compile-time metadata detection per review feedback. Added NodeTypeParenthesizedExpression wrapper in parser to track explicit grouping, then detect mixed operators during AST translation. Also fixed edge case where top-level parentheses like (a + b - c) would skip the warning.

Add a lint warning when permission expressions mix operators (union, intersection, exclusion) at the same scope level without explicit parentheses (e.g., `viewer - blocked & editor`). The warning is suppressible via `// spicedb-ignore-warning: mixed-operators-without-parentheses`. Introduces NodeTypeParenthesizedExpression in the parser to track explicit parentheses in the AST, enabling accurate detection of mixed operators at the same scope level. Fixes authzed/zed#598

…meter

…perators-warning # Conflicts: # CHANGELOG.md

ivanauth requested a review from a team as a code owner December 19, 2025 22:39

github-actions bot added the area/tooling Affects the dev or user toolchain (e.g. tests, ci, build tools) label Dec 19, 2025

ivanauth force-pushed the fix/issue-598-mixed-operators-warning branch from aa2be07 to 6a03a3d Compare December 19, 2025 22:40

ivanauth changed the title ~~Warn when permission expressions mix operators without parentheses~~ feat: add warning for mixed operators without parentheses Dec 19, 2025

github-actions bot added area/schema Affects the Schema Language area/dependencies Affects dependencies labels Jan 7, 2026

ivanauth force-pushed the fix/issue-598-mixed-operators-warning branch from 88ff553 to 6952dbd Compare January 8, 2026 21:59

ivanauth force-pushed the fix/issue-598-mixed-operators-warning branch from e292e69 to 5c2b616 Compare January 23, 2026 21:48

ivanauth force-pushed the fix/issue-598-mixed-operators-warning branch from ebb6aa6 to 23d2a00 Compare March 30, 2026 19:05

github-actions bot removed the area/dependencies Affects dependencies label Mar 30, 2026

ivanauth force-pushed the fix/issue-598-mixed-operators-warning branch from f5d430a to 87f6a1e Compare April 3, 2026 14:58

ivanauth added 3 commits April 7, 2026 11:25

fix: update AddDefinitionWarnings call sites for new schemaLines para…

18f5471

…meter

chore: add CHANGELOG entry for mixed operators warning

1742057

ivanauth force-pushed the fix/issue-598-mixed-operators-warning branch from 87f6a1e to 1742057 Compare April 7, 2026 15:25

ivanauth added 3 commits April 10, 2026 11:20

Merge remote-tracking branch 'origin/main' into fix/issue-598-mixed-o…

7e0a9de

…perators-warning # Conflicts: # CHANGELOG.md

ci: retrigger CI checks

0ec72ac

ci: retrigger CI (transient Go proxy error)

9d55095

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: add warning for mixed operators without parentheses#2786

feat: add warning for mixed operators without parentheses#2786
ivanauth wants to merge 6 commits intoauthzed:mainfrom
ivanauth:fix/issue-598-mixed-operators-warning

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

Uh oh!

Uh oh!

Codecov Report

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants