hm so you were writing all the permissions to the prodDB first and then to SpiceDB but for actual permission checks, file access, etc did you use SpiceDB first? and prodDB only for JOINs and/or m2m endpoints?