authzed · ivanauth · Feb 9, 2026
diff --git a/internal/thumperrunner/exec.go b/internal/thumperrunner/exec.go
@@ -6,14 +6,28 @@ import (
 	"time"
 
 	v1 "github.com/authzed/authzed-go/proto/authzed/api/v1"
-	"github.com/authzed/authzed-go/v1"
 	"github.com/rs/zerolog/log"
+	"google.golang.org/grpc"
 )
 
+// Client is an interface that abstracts the SpiceDB API calls used by thumper.
+// *authzed.Client satisfies this interface.
+type Client interface {
+	CheckPermission(ctx context.Context, in *v1.CheckPermissionRequest, opts ...grpc.CallOption) (*v1.CheckPermissionResponse, error)
+	ReadRelationships(ctx context.Context, in *v1.ReadRelationshipsRequest, opts ...grpc.CallOption) (v1.PermissionsService_ReadRelationshipsClient, error)
+	DeleteRelationships(ctx context.Context, in *v1.DeleteRelationshipsRequest, opts ...grpc.CallOption) (*v1.DeleteRelationshipsResponse, error)
+	ExpandPermissionTree(ctx context.Context, in *v1.ExpandPermissionTreeRequest, opts ...grpc.CallOption) (*v1.ExpandPermissionTreeResponse, error)
+	LookupResources(ctx context.Context, in *v1.LookupResourcesRequest, opts ...grpc.CallOption) (v1.PermissionsService_LookupResourcesClient, error)
+	LookupSubjects(ctx context.Context, in *v1.LookupSubjectsRequest, opts ...grpc.CallOption) (v1.PermissionsService_LookupSubjectsClient, error)
+	WriteRelationships(ctx context.Context, in *v1.WriteRelationshipsRequest, opts ...grpc.CallOption) (*v1.WriteRelationshipsResponse, error)
+	WriteSchema(ctx context.Context, in *v1.WriteSchemaRequest, opts ...grpc.CallOption) (*v1.WriteSchemaResponse, error)
+	CheckBulkPermissions(ctx context.Context, in *v1.CheckBulkPermissionsRequest, opts ...grpc.CallOption) (*v1.CheckBulkPermissionsResponse, error)
+}
+
 type executableStep struct {
 	op          string
 	consistency string
-	body        func(context.Context, *authzed.Client, *v1.ZedToken) (*v1.ZedToken, error)
+	body        func(context.Context, Client, *v1.ZedToken) (*v1.ZedToken, error)
 }
 
 // ExecutableScript is a thumper yaml script that has been post-processed for
@@ -26,7 +40,7 @@ type ExecutableScript struct {
 
 type ExecutableContext struct {
 	script *ExecutableScript
-	client *authzed.Client
+	client Client
 
 	numExecuted int
 	zedToken    *v1.ZedToken
@@ -65,7 +79,7 @@ func (s *ExecutableContext) StepForward(workerIndex int, stepTimeout time.Durati
 }
 
 // RunOnce runs all steps in a script and then stops.
-func (s *ExecutableScript) RunOnce(client *authzed.Client) error {
+func (s *ExecutableScript) RunOnce(client Client) error {
 	log.Info().Str("script", s.name).Msg("running migration script")
 
 	ctx, cancel := context.WithTimeout(context.Background(), 3600*time.Second)

diff --git a/internal/thumperrunner/prepare.go b/internal/thumperrunner/prepare.go
@@ -10,7 +10,6 @@ import (
 	"github.com/authzed/internal/thumper/internal/config"
 
 	v1 "github.com/authzed/authzed-go/proto/authzed/api/v1"
-	"github.com/authzed/authzed-go/v1"
 	"github.com/rs/zerolog/log"
 	"google.golang.org/grpc"
 	"google.golang.org/protobuf/proto"
@@ -85,7 +84,7 @@ func prepareStep(step config.ScriptStep) (executableStep, error) {
 			expected = v1.CheckPermissionResponse_PERMISSIONSHIP_CONDITIONAL_PERMISSION
 		}
 
-		execStep.body = func(ctx context.Context, client *authzed.Client, zt *v1.ZedToken) (*v1.ZedToken, error) {
+		execStep.body = func(ctx context.Context, client Client, zt *v1.ZedToken) (*v1.ZedToken, error) {
 			req.Consistency = consistencyForZedToken(zt)
 
 			resp, err := client.CheckPermission(ctx, req)
@@ -115,7 +114,7 @@ func prepareStep(step config.ScriptStep) (executableStep, error) {
 			RelationshipFilter: filter,
 		}
 
-		execStep.body = func(ctx context.Context, client *authzed.Client, zt *v1.ZedToken) (*v1.ZedToken, error) {
+		execStep.body = func(ctx context.Context, client Client, zt *v1.ZedToken) (*v1.ZedToken, error) {
 			req.Consistency = consistencyForZedToken(zt)
 			resp, err := client.ReadRelationships(ctx, req)
 			if err != nil {
@@ -134,7 +133,7 @@ func prepareStep(step config.ScriptStep) (executableStep, error) {
 			RelationshipFilter: filter,
 		}
 
-		execStep.body = func(ctx context.Context, client *authzed.Client, _ *v1.ZedToken) (*v1.ZedToken, error) {
+		execStep.body = func(ctx context.Context, client Client, _ *v1.ZedToken) (*v1.ZedToken, error) {
 			resp, err := client.DeleteRelationships(ctx, req)
 			if err != nil {
 				return nil, err
@@ -152,7 +151,7 @@ func prepareStep(step config.ScriptStep) (executableStep, error) {
 			Permission: step.Permission,
 		}
 
-		execStep.body = func(ctx context.Context, client *authzed.Client, zt *v1.ZedToken) (*v1.ZedToken, error) {
+		execStep.body = func(ctx context.Context, client Client, zt *v1.ZedToken) (*v1.ZedToken, error) {
 			req.Consistency = consistencyForZedToken(zt)
 			resp, err := client.ExpandPermissionTree(ctx, req)
 			if err != nil {
@@ -174,7 +173,7 @@ func prepareStep(step config.ScriptStep) (executableStep, error) {
 			Context:            (*structpb.Struct)(step.Context),
 		}
 
-		execStep.body = func(ctx context.Context, client *authzed.Client, zt *v1.ZedToken) (*v1.ZedToken, error) {
+		execStep.body = func(ctx context.Context, client Client, zt *v1.ZedToken) (*v1.ZedToken, error) {
 			req.Consistency = consistencyForZedToken(zt)
 			resp, err := client.LookupResources(ctx, req)
 			if err != nil {
@@ -196,7 +195,7 @@ func prepareStep(step config.ScriptStep) (executableStep, error) {
 			Context:           (*structpb.Struct)(step.Context),
 		}
 
-		execStep.body = func(ctx context.Context, client *authzed.Client, zt *v1.ZedToken) (*v1.ZedToken, error) {
+		execStep.body = func(ctx context.Context, client Client, zt *v1.ZedToken) (*v1.ZedToken, error) {
 			req.Consistency = consistencyForZedToken(zt)
 			resp, err := client.LookupSubjects(ctx, req)
 			if err != nil {
@@ -214,7 +213,7 @@ func prepareStep(step config.ScriptStep) (executableStep, error) {
 			Updates: updates,
 		}
 
-		execStep.body = func(ctx context.Context, client *authzed.Client, _ *v1.ZedToken) (*v1.ZedToken, error) {
+		execStep.body = func(ctx context.Context, client Client, _ *v1.ZedToken) (*v1.ZedToken, error) {
 			resp, err := client.WriteRelationships(ctx, req)
 			if err != nil {
 				return nil, err
@@ -226,7 +225,7 @@ func prepareStep(step config.ScriptStep) (executableStep, error) {
 			Schema: step.Schema,
 		}
 
-		execStep.body = func(ctx context.Context, client *authzed.Client, zt *v1.ZedToken) (*v1.ZedToken, error) {
+		execStep.body = func(ctx context.Context, client Client, zt *v1.ZedToken) (*v1.ZedToken, error) {
 			_, err := client.WriteSchema(ctx, req)
 			if err != nil {
 				return nil, err
@@ -254,7 +253,7 @@ func prepareStep(step config.ScriptStep) (executableStep, error) {
 			})
 		}
 
-		execStep.body = func(ctx context.Context, client *authzed.Client, zt *v1.ZedToken) (*v1.ZedToken, error) {
+		execStep.body = func(ctx context.Context, client Client, zt *v1.ZedToken) (*v1.ZedToken, error) {
 			req := &v1.CheckBulkPermissionsRequest{
 				Consistency: consistencyForZedToken(zt),
 				Items:       items,