Does SpiceDB caveats support
# spicedb
c
Does SpiceDB caveats support relationship-defined expressions? The Netflix blog specifies that "To support runtime-provided policies, the choice was to introduce expressions as arguments to a Caveat." Did this make it into SpiceDB, or are only static expressions (defined in the schema) supported for now? I was looking at Google Cloud's support for specifying conditions on role bindings and was curious if this could be replicated using SpiceDB. (https://cloud.google.com/iam/docs/conditions-overview)
v
Dynamically defined expressions did not make it to SpiceDB. We decided in favour of static expressions because it aligns with the current model, where the authorization logic executed is centralized as a schema, it is type safe and auditable, and prevents runtime errors. That bit of the blog post seems inaccurate, and is surprising because I wrote part of it 😅. We DID evaluate having dynamic expressions, but eventually we figured out a way that wasn't dynamic and worked for their use-case, using set algebra. That does not mean we wouldn't consider it in future iterations of OSS SpiceDB, so feel free to open an issue with your use-case; we just haven't heard of anyone needing it. In fact, Authzed Dedicated's Fine-Grained Access Management feature is implemented using dynamic expressions built on top of open-source SpiceDB: you can define tokens with an associated CEL expression. It's done by extending OSS SpiceDB, so you can build that too, or you can contribute it; we'd be happy to look into it.
c
Thanks for all of this. That makes sense.
SpiceDB is very cool
4 Views
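As an added example (not from this thread or the SpiceDB project), this is what the static-caveat model discussed above looks like when replicating a GCP-style expiry condition: the CEL expression is fixed in the schema, and only its parameters (the expiration stored on the relationship, the current time supplied at check) vary at runtime. The `document`/`viewer`/`expires_at` names and the timestamp values are assumed.

```zed
// Static caveat: the CEL expression lives in the schema and cannot be
// swapped per relationship or per request; only its parameters vary.
// Both parameters are typed, so a malformed value fails at write time
// rather than silently granting or denying access.
caveat expires_at(expiration timestamp, current_time timestamp) {
    current_time < expiration
}

definition user {}

definition document {
    // A viewer relationship may carry expires_at context.
    relation viewer: user with expires_at
    permission view = viewer
}

// Relationship written with partial caveat context (assumed values):
//   document:plan#viewer@user:alice[expires_at:{"expiration":"2030-01-01T00:00:00Z"}]
// At check time the caller supplies the remaining context, e.g.
//   {"current_time": "2029-12-31T23:59:59Z"}
// CheckPermission reports HAS_PERMISSION only while current_time < expiration;
// if current_time is omitted it reports CONDITIONAL_PERMISSION and names the
// missing field, so a caller can never accidentally bypass the condition.
```

Because the expression is part of the schema, a change to the access rule is a schema write that can be reviewed and audited, which is the auditability point made in the answer above.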