Incremental rebuilding of the transitive closure for `Entities`

[nakedible-p]

Describe the improvement you'd like to request

Currently whenever any entities are added to an Entities instance, the transitive closure is rebuilt from scratch. If a schema is used, this also means that all the action entities are part of the set and also are included in the rebuild. Implementing incremental rebuilding of the transitive closure that only traverses the new objects to be added should be possible, which would reduce the performance penalty of adding a few entities to an already existing large set of entities. This is especially useful in cases where a principal is shared for many requests (the entities for the principal can be cached) while the resource is often absent but sometimes present (the entities for the resource should be added to the existing set of entities).

Describe alternatives you've considered

An alternative would be to be able to specify two (or more) sets of entities for a single authorization check. In that case, there wouldn't be a need to copy all the Entities to form a union of the entities for the principal and the resource, but instead both could be cached independently. However, there would likely be a performance penalty in entity traversal to do this, and the code may end up complex. Also, adding just two sets of entities doesn't solve the general issue of possibly needing entities referenced by the Context into the entity set as well.

Additional context

May require formal verification of the incremental algorithm.

Is this something that you'd be interested in working on?

• 👋 I may be able to implement this internal improvement
• ⚠️ This feature might incur a breaking change