Improvement · Graph

Permissions on the Graph

Artifact permissions now resolve from the relationship graph, with template-instance access inherited at query time and fail-closed defaults.

A foundational rewrite of how the platform decides who can see what. Access is now derived from a single source of truth (the relationship graph) instead of a denormalized access list per artifact.

Single Source of Truth

The relationships table is now authoritative for who can read or write what. The legacy denormalized access arrays and Firestore fallback paths have been removed entirely (~1,150 lines of code retired). Every permission check resolves the same way, every time.

Inherited Template Instances

Template instances inherit access from their template at query time. Sharing a template now implicitly shares every instance. No per-instance edges, no cascade backfills. Add a teammate to a template once and they see every record produced from it.

Fail-Closed by Default

Access checks now fail closed: if the cache misses and the graph can't confirm permission, the answer is "no." This is the safer default for a permission system and rules out accidental over-sharing during cache rebuilds.

Sharing UX

The Share modal always fetches fresh permission data when opened, so what you see in the picker matches what's actually true on the server. We also fixed a long-standing bug where users with write access were silently excluded from read-access lists.
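
The resolution rules described in this entry, as an added sketch (not the platform's own code): an in-memory stand-in for the relationships table, template inheritance applied at query time, a fail-closed check, and a reader list that includes writers. All names (`RelationshipGraph`, `can_access`, `readers`, the sample users and artifact ids) are hypothetical and the data is constructed.

```python
from dataclasses import dataclass, field

LEVELS = {"read": 1, "write": 2}  # a write grant also satisfies a read check

class GraphUnavailable(Exception):
    """The relationship store could not answer (hypothetical error type)."""

@dataclass
class RelationshipGraph:
    edges: dict = field(default_factory=dict)        # (user, artifact) -> "read" | "write"
    template_of: dict = field(default_factory=dict)  # instance id -> template id
    available: bool = True

    def grant(self, user, artifact):
        if not self.available:
            raise GraphUnavailable(artifact)
        return self.edges.get((user, artifact))

def can_access(graph, cache, user, artifact, want):
    key = (user, artifact, want)
    if key in cache:
        return cache[key]
    # Inheritance happens here, at query time: no per-instance edge is stored.
    targets = [artifact]
    if artifact in graph.template_of:
        targets.append(graph.template_of[artifact])
    try:
        allowed = any(LEVELS.get(graph.grant(user, t), 0) >= LEVELS[want]
                      for t in targets)
    except GraphUnavailable:
        return False  # fail closed, and do not cache a denial caused by an outage
    cache[key] = allowed
    return allowed

def readers(graph, artifact):
    # Writers are readers too; filtering on level == "read" would drop them.
    targets = {artifact, graph.template_of.get(artifact)}
    return sorted({u for (u, a), lvl in graph.edges.items()
                   if a in targets and LEVELS[lvl] >= LEVELS["read"]})

def demo_graph():
    # Constructed sample: one template, two instances, three users.
    return RelationshipGraph(
        edges={("ana", "tpl-invoice"): "write",
               ("ben", "tpl-invoice"): "read",
               ("cy", "inv-001"): "read"},
        template_of={"inv-001": "tpl-invoice", "inv-002": "tpl-invoice"},
    )
```

Not caching the outage denial keeps a transient graph failure from turning into a lasting lockout once the graph is reachable again.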