@auth rule with (inner) OR condition fails if an empty list is given as variable

Have you tried running the GraphQL query outside of auth? Meaning remove the auth rules and just try running that query by itself.

I don’t think it is a problem with the auth rule, but a possible bug in the query itself to look in a list that is potentially nil itself.