Type auth rules, and resolved fields

Looking at the GraphQL Library @auth directive documentation, it isn't clear to me at what point the auth rules are evaluated, or how to combine the rules to specify the behavior I want.


Given a simple Schema

```graphql
type Author {
    id: ID! @id
    name: String!
    posts: [Post!] @relationship(type: "AUTHORED", direction: OUT)
}

type Post {
    id: ID! @id
    created: DateTime! @timestamp(operations: [CREATE])
    updated: DateTime @timestamp(operations: [UPDATE])
    published: DateTime
    title: String!
    body: String!
    published: Boolean!
    author: Author! @relationship(type: "AUTHORED", direction: IN)
}

extend type Post @auth(rules: [<...>])
```

In my database I may have many authors, each having many posts, some of which may be unpublished.

Users of the API should be able to list all Authors, to view an "Author" page. When querying the author, the caller can retrieve the posts field to list posts for that author.

The caller could also use the posts query to list all posts, for example to show a timeline of recent posts by any author.

At what point are auth rules defined on types evaluated? Do the rules run on root generated queries, as well as when the type is resolved in the field of another type, or custom/cypher query/resolver?

I would like to express the access logic that the `Post` types returned should:
- be unfiltered IFF the caller has an `Admin` role.
- include all posts, published or not, where the caller's sub matches the author id.
- include only published posts which were created by other authors.

How can this access logic be expressed as a combination of the auth directives provided by the GraphQL Library?
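
The three rules in the question, written as a plain JavaScript reference filter that can serve as a test oracle for whatever `@auth` rules end up configured, checked on both the root `posts` query and the nested `Author.posts` field. This is an added example, not part of the original post and not the GraphQL Library's API; the `jwt` and post object shapes, the function names and the Boolean reading of `published` are assumptions, and the sample data is constructed.

```javascript
// Assumed shapes (hypothetical, not from the library):
//   jwt  = { sub: string, roles: string[] } or null for an anonymous caller
//   post = { id, published: boolean, author: { id } }
function canReadPost(jwt, post) {
  // Fail closed: a missing or malformed roles claim grants nothing.
  const roles = Array.isArray(jwt?.roles) ? jwt.roles : [];
  // Rule 1: Admin sees everything, unfiltered.
  if (roles.includes("Admin")) return true;
  // Rule 2: an author sees all of their own posts, published or not.
  // The null check stops an absent sub from matching an absent author id.
  if (jwt?.sub != null && post.author?.id === jwt.sub) return true;
  // Rule 3: everyone else sees only published posts.
  return post.published === true;
}

// Root-level path: the generated `posts` query.
function visiblePosts(jwt, posts) {
  return posts.filter((p) => canReadPost(jwt, p));
}

// Nested path: `authors { posts { ... } }`. The same predicate has to hold
// here, otherwise unpublished posts leak through the relationship field.
function visibleAuthors(jwt, authors) {
  return authors.map((a) => ({ ...a, posts: visiblePosts(jwt, a.posts) }));
}

// Constructed sample data: two authors, one published and one draft post each.
const POSTS = [
  { id: "p1", published: true, author: { id: "a1" } },
  { id: "p2", published: false, author: { id: "a1" } },
  { id: "p3", published: true, author: { id: "a2" } },
  { id: "p4", published: false, author: { id: "a2" } },
];
const AUTHORS = ["a1", "a2"].map((id) => ({
  id,
  posts: POSTS.filter((p) => p.author.id === id),
}));

const ids = (posts) => posts.map((p) => p.id).join(",");

console.log("admin:    ", ids(visiblePosts({ sub: "x", roles: ["Admin"] }, POSTS)));
console.log("author a1:", ids(visiblePosts({ sub: "a1", roles: [] }, POSTS)));
console.log("anonymous:", ids(visiblePosts(null, POSTS)));
```

Comparing the ids returned by the real API for each caller against this filter's output, on both query paths, shows whether the configured rules match the intended policy.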