I'm having a little trouble wrapping my head aroun...
# spicedb
I'm having a little trouble wrapping my head around ZedTokens. Let's say my schema looks something like this:
```
definition user {}

definition tenant {
    // roles etc
}

definition employee {
    relation tenant: tenant
    relation user: user
    permission view = tenant->employee_viewer + tenant->employee_editor + tenant->employee_admin
    permission update = tenant->employee_editor + tenant->employee_admin
    permission delete = tenant->employee_admin
}

definition project {
    relation tenant: tenant
    relation assigned: employee#user
    permission view = ((tenant->all_projects + assigned) & (tenant->project_viewer + tenant->project_editor + tenant->project_admin))
    permission update = ((tenant->all_projects + assigned) & (tenant->project_editor + tenant->project_admin))
    permission delete = ((tenant->all_projects + assigned) & tenant->project_admin)
}

definition project_data {
    relation project: project
    permission view = project->view
    permission update = project->update
    permission delete = project->delete
}
```
Assume I have an unlinked employee and a project that I've set up and stored ZedTokens for. If I would say check `project_data:foo#view@user:bar`, it would return no permission. If I were to write the relationship `assigned` between the `project` and `employee` that's associated with `user:bar`, I would guess that I'd write a new ZedToken to the `project` (and maybe `employee`?). However, if I were to immediately check `project_data:foo#view@user:bar` using the ZedToken stored near `project_data`, it would possibly fail (and I'm seeing it periodically fail in tests). Am I missing something here? I must be doing something wrong.
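The scenario in the question above, as an added toy model that is not part of the original post and is not SpiceDB client code. It assumes an at-least-as-fresh check may be evaluated at any snapshot no older than the supplied token; `ToyStore`, `cached_rev`, the integer tokens and the `p1`/`e1` object IDs are hypothetical names and values constructed for illustration.

```python
# Toy model of snapshot selection; NOT SpiceDB client code. All names are hypothetical.
from dataclasses import dataclass, field

# Constructed sample relationship: the `assigned` link written in the question.
ASSIGNED = "project:p1#assigned@employee:e1#user"


@dataclass
class ToyStore:
    """Append-only list of snapshots; a token is just a snapshot index."""
    snapshots: list = field(default_factory=lambda: [frozenset()])
    cached_rev: int = 0  # revision the server currently prefers to serve from

    def write(self, rel: str) -> int:
        """Commit a relationship and return the token for the new snapshot."""
        self.snapshots.append(self.snapshots[-1] | {rel})
        return len(self.snapshots) - 1

    def refresh_cache(self) -> None:
        """Model the preferred revision catching up to the latest write."""
        self.cached_rev = len(self.snapshots) - 1

    def check_at_least_as_fresh(self, rel: str, token: int) -> bool:
        """Evaluate at the preferred revision unless the token demands a newer one."""
        rev = max(token, self.cached_rev)
        return rel in self.snapshots[rev]


def scenario() -> dict:
    store = ToyStore()
    old_token = 0                      # token stored near project_data before the write
    new_token = store.write(ASSIGNED)  # token returned by the relationship write
    results = {
        # Old token permits the pre-write snapshot, so the check can miss the write.
        "old_before_refresh": store.check_at_least_as_fresh(ASSIGNED, old_token),
        # Token from the write forces a snapshot that contains it.
        "new_before_refresh": store.check_at_least_as_fresh(ASSIGNED, new_token),
    }
    store.refresh_cache()
    # Same old token now passes, which is why the failure looks intermittent.
    results["old_after_refresh"] = store.check_at_least_as_fresh(ASSIGNED, old_token)
    return results


if __name__ == "__main__":
    for name, allowed in scenario().items():
        print(f"{name}: {allowed}")
```

In this model, only the token returned by the write guarantees that the following check sees the new `assigned` relationship; a token stored earlier for `project_data` does not.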