Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Hi all! I'm trying out Keto.

I have this OPL

```class Project implements Namespace {
  related: {
    companies: Company[]
  }

  permits = {
    view: (ctx: Context) => this.related.companies.traverse(company => company.related.users.includes(ctx.subject))
  }
}

class User implements Namespace {}

class Company implements Namespace {
  related: {
    users: User[]
  }
}```
So User has view permit on Project if he is in Company.

I have these two relations which define a Project, User and Company:

```		{
			"namespace": "Company",
			"object": "zenmo",
			"relation": "users",
			"subject_id": "User:erik"
		},
		{
			"namespace": "Project",
			"object": "myproj",
			"relation": "companies",
			"subject_id": "Company:zenmo"
		}```
Yet when i do a permission check like so:
```POST /relation-tuples/check/openapi
{
    "namespace": "Project",
    "object": "myproj",
    "relation": "view",
	"subject_id": "User:erik"
}```
It returns allowed: false

What's going wrong? Is `includes` not implemented when inside `traverse` ?

(I know I can use SubjectSet here but it seems like a legitimate thing to do)