looking at the documentation for caveats:

definition user {}

caveat has_valid_ip(user_ip ipaddress, allowed_range string) {
  user_ip.in_cidr(allowed_range)
}

definition resource {
    relation viewer: user | user with has_valid_ip
    permission view = viewer
}

does

relation viewer: user | user with has_valid_ip

mean "a user who has the relation or all users with a valid IP" or does that mean "a user who has the relation or (a user who has the relation and also has a valid IP)"?