Add support for relationship expiration in the API

authzed/api/v1/core.proto

@@ -24,8 +24,11 @@ message Relationship {
   // subject is the subject to which the resource is related, in some manner.
   SubjectReference subject = 3 [ (validate.rules).message.required = true ];
 
-  // optional_caveat is a reference to a the caveat that must be enforced over the relationship
+  // optional_caveat is a reference to a the caveat that must be enforced over the relationship.
   ContextualizedCaveat optional_caveat = 4 [ (validate.rules).message.required = false ];
+
+  // optional_expires_at is the time at which the relationship expires, if any.
+  google.protobuf.Timestamp optional_expires_at = 5;
 }
 
 // ContextualizedCaveat represents a reference to a caveat to be used by caveated relationships.

authzed/api/v1/debug.proto

@@ -77,6 +77,10 @@ message CheckDebugTrace {
     // and a permissionship of PERMISSIONSHIP_HAS_PERMISSION indicates the subject was found within this relation.
     SubProblems sub_problems = 7;
   }
+
+  // optional_expires_at is the time at which at least one of the relationships used to
+  // compute this result, expires (if any). This is *not* related to the caching window.
+  google.protobuf.Timestamp optional_expires_at = 10;
 }
 
 // CaveatEvalInfo holds information about a caveat expression that was evaluated.

authzed/api/v1/permission_service.proto

@@ -405,6 +405,10 @@ message CheckPermissionResponse {
 
   // debug_trace is the debugging trace of this check, if requested.
   DebugInformation debug_trace = 4;
+
+  // optional_expires_at is the time at which at least one of the relationships used to
+  // compute this result, expires (if any). This is *not* related to the caching window.
+  google.protobuf.Timestamp optional_expires_at = 5;
 }
 
 // CheckBulkPermissionsRequest issues a check on whether a subject has permission