Add debug trace support to bulk check API

authzed/api/v1/debug.proto

@@ -23,6 +23,9 @@ message DebugInformation {
 
   // schema_used holds the schema used for the request.
   string schema_used = 2;
+
+  // checks holds debug information about the individual checks made in a bulk check request.
+  repeated CheckDebugTrace checks = 3;
 }
 
 // CheckDebugTrace is a recursive trace of the requests made for resolving a CheckPermission
@@ -82,6 +85,10 @@ message CheckDebugTrace {
   // optional_expires_at is the time at which at least one of the relationships used to
   // compute this result, expires (if any). This is *not* related to the caching window.
   google.protobuf.Timestamp optional_expires_at = 10;
+
+  // trace_id is a unique identifier for this trace. This identifier is only guanranteed
+  // to be unique within the same overall Check or CheckBulk operation.
+  string trace_id = 11;
 }
 
 // CaveatEvalInfo holds information about a caveat expression that was evaluated.

authzed/api/v1/permission_service.proto

@@ -421,6 +421,11 @@ message CheckBulkPermissionsRequest {
   Consistency consistency = 1;
 
   repeated CheckBulkPermissionsRequestItem items = 2 [ (validate.rules).repeated .items.message.required = true ];
+
+  // with_tracing, if true, indicates that each response should include a debug trace.
+  // This can be useful for debugging and performance analysis, but adds a small amount
+  // of compute overhead to the request.
+  bool with_tracing = 3;
 }
 
 message CheckBulkPermissionsRequestItem {
@@ -454,6 +459,9 @@ message CheckBulkPermissionsResponseItem {
   CheckPermissionResponse.Permissionship permissionship = 1 [ (validate.rules).enum = {defined_only: true, not_in: [0]} ];
 
   PartialCaveatInfo partial_caveat_info = 2 [ (validate.rules).message.required = false ];
+
+  // debug_trace is the debugging trace of this check, if requested.
+  DebugInformation debug_trace = 3;
 }
 
 // ExpandPermissionTreeRequest returns a tree representing the expansion of all