SpiceDB is an open source, Google Zanzibar-inspired, database system for creating and managing security-critical application permissions.

SpiceDB

the only thing I see that may be an issue is this:

```
    relation disclosed_team: team
    relation disclosed_user: user
    permission read_document_group = disclosed_user + disclosed_team
```

the `disclosed_team` is a team, not its members, so that will return if a user or a team can read the group, but not the members *of* the team. If you want the members of the team, you need to either use an arrow ala `disclosed_team->team_member` or `#` reference the members in the relation itself