SpiceDB is an open source, Google Zanzibar-inspired, database system for creating and managing security-critical application permissions.

SpiceDB

ah got it... thanks.
follow up question, using your example here,
say i have a 
``` 
definition sub_resource {
  relation resource: resource
  relation writer: user
  permission edit = writer + resource->writer  // or writer + resource->edit
}
``` 
you could say either resource writers can edit sub resources, or those with permission to edit resource can also edit sub resources.... both are correct, right?  is there a practical effect on the back end of using one or the other (i.e. an extra traversal walking back a computed permission vs. a relation)?  or is that so small that it's negligible?