Groups and one-level expansion

When the subject of a tuple is a group, granting a relation to that group authorizes every member of the group as that relation.

(user:alice, member, team:engineering)
(team:engineering, editor, document:42)

Given these two tuples, is_authorized(user:alice, editor, document:42) returns true. Alice inherits editor through her membership in team:engineering.

Group expansion is one level deep. Groups-of-groups are not resolved transitively:

(user:alice, member, team:platform)
(team:platform, member, team:engineering)
(team:engineering, editor, document:42)

This does NOT authorize user:alice as editor of document:42. The check expands team:engineering to its direct members and finds team:platform there, but the second membership tuple (team:platform's own members) is not traversed.

This is a deliberate restriction. Bounded expansion keeps check cost predictable at edge latency and the mental model tractable. A configurable depth limit is a candidate for later versions but is blocked on use-case evidence.
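The following is an added illustration of the one-level rule described above, written for this page and not the project's own implementation. It indexes a constructed tuple set that contains both cases (alice's direct membership in team:engineering, and bob whose membership is only reachable through team:platform) and runs the check with the expansion depth as an explicit parameter. `max_depth=1` reproduces the page's semantics; passing a larger value shows what the configurable limit mentioned above would change. The `user:` prefix convention for distinguishing users from groups is an assumption of this example.

```python
from collections import defaultdict

# Constructed tuple set (subject, relation, object) covering both cases from the page:
# alice is a direct member of team:engineering; bob is only a member of team:platform,
# which is itself a member of team:engineering.
TUPLES = [
    ("user:alice", "member", "team:engineering"),
    ("team:engineering", "editor", "document:42"),
    ("user:bob", "member", "team:platform"),
    ("team:platform", "member", "team:engineering"),
]


def index_tuples(tuples):
    """Index tuples as object -> relation -> set of subjects for constant-time lookups."""
    idx = defaultdict(lambda: defaultdict(set))
    for subject, relation, obj in tuples:
        idx[obj][relation].add(subject)
    return idx


def is_group(subject):
    # Assumed convention for this example: any subject that is not a user:* is a group
    # whose "member" tuples may be expanded.
    return not subject.startswith("user:")


def is_authorized(idx, user, relation, obj, max_depth=1):
    """Return True if `user` holds `relation` on `obj`.

    max_depth=1 is the page's one-level expansion: group subjects granted the relation
    are expanded to their direct members, but membership tuples of those members
    (groups-of-groups) are not followed. max_depth=0 checks direct subjects only.
    """
    direct = idx[obj][relation]
    if user in direct:
        return True
    # Breadth-first expansion of group subjects, bounded by max_depth levels.
    frontier = [s for s in direct if is_group(s)]
    for _ in range(max_depth):
        next_frontier = []
        for group in frontier:
            members = idx[group]["member"]
            if user in members:
                return True
            next_frontier.extend(m for m in members if is_group(m))
        frontier = next_frontier
        if not frontier:
            break
    return False


if __name__ == "__main__":
    idx = index_tuples(TUPLES)
    print(is_authorized(idx, "user:alice", "editor", "document:42"))               # True
    print(is_authorized(idx, "user:bob", "editor", "document:42"))                 # False
    print(is_authorized(idx, "user:bob", "editor", "document:42", max_depth=2))    # True
```

Because the frontier is rebuilt per level and the loop runs at most `max_depth` times, the number of tuples read per check is bounded by the fan-out of the groups at each level, which is the cost predictability the restriction is meant to preserve.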