fix(rbac): read KB tuples with valid OpenFGA query

The data_source backfill attempted to use `knowledge_base:` as an
OpenFGA tuple-key prefix filter. OpenFGA rejects that shape because the
object id is empty, which blocked migration preview/status loading. Read
valid pages and filter knowledge_base objects client-side instead.

Assisted-by: Cursor:GPT-5.5
Signed-off-by: Sri Aradhyula <sraradhy@cisco.com>
Co-authored-by: Cursor <cursoragent@cursor.com>

Author: sriaradhyula

ui/src/lib/rbac/migrations/__tests__/agent-organization-inheritance.test.ts

@@ -2,7 +2,16 @@ jest.mock("@/lib/mongodb", () => ({
   getCollection: jest.fn(),
 }));
 
+const mockReadOpenFgaTuples = jest.fn();
+const mockWriteOpenFgaTuples = jest.fn();
+
+jest.mock("@/lib/rbac/openfga", () => ({
+  readOpenFgaTuples: (...args: unknown[]) => mockReadOpenFgaTuples(...args),
+  writeOpenFgaTuples: (...args: unknown[]) => mockWriteOpenFgaTuples(...args),
+}));
+
 import {
+  DATA_SOURCE_GRANTS_BACKFILL_MIGRATION_ID,
   deriveAdminSurfaceRagDatasourcesAdminGrantPlan,
   deriveAgentOrganizationInheritancePlan,
   deriveAgentSharedTeamGrantsPlan,
@@ -11,8 +20,13 @@ import {
   deriveMcpToolGrantsBackfillPlan,
   deriveOrganizationMembershipPlan,
   deriveSkillHubTeamGrantPlan,
+  planMigration,
 } from "../registry";
 
+beforeEach(() => {
+  jest.clearAllMocks();
+});
+
 describe("agent organization inheritance migration", () => {
   it("plans organization-admin manager tuples for existing dynamic agents", () => {
     const plan = deriveAgentOrganizationInheritancePlan([
@@ -380,6 +394,35 @@ describe("knowledge_base shared-team grants migration", () => {
 });
 
 describe("data_source grants backfill migration", () => {
+  it("plans from paginated OpenFGA reads without sending an invalid knowledge_base prefix filter", async () => {
+    mockReadOpenFgaTuples.mockResolvedValueOnce({
+      tuples: [
+        {
+          key: {
+            user: "team:platform#member",
+            relation: "reader",
+            object: "knowledge_base:kb-alpha",
+          },
+        },
+        {
+          key: {
+            user: "team:platform#member",
+            relation: "reader",
+            object: "agent:agent-1",
+          },
+        },
+      ],
+      continuationToken: undefined,
+    });
+
+    const plan = await planMigration(DATA_SOURCE_GRANTS_BACKFILL_MIGRATION_ID);
+
+    expect(mockReadOpenFgaTuples).toHaveBeenCalledWith({ pageSize: 100 });
+    expect(plan.tuples).toEqual([
+      { user: "team:platform#member", relation: "reader", object: "data_source:kb-alpha" },
+    ]);
+  });
+
   it("mirrors every knowledge_base tuple as a data_source tuple", () => {
     const plan = deriveDataSourceGrantsBackfillPlan([
       { user: "team:platform#member", relation: "reader", object: "knowledge_base:kb-alpha" },

ui/src/lib/rbac/migrations/registry.ts

@@ -1888,11 +1888,11 @@ async function loadKnowledgeBaseSharedTeamGrantsInputs(): Promise<{
 }
 
 /**
- * Read every existing `knowledge_base:*` tuple from OpenFGA. Used by
- * `deriveDataSourceGrantsBackfillPlan` so the data_source mirror set
- * is computed from the source of truth instead of Mongo. Iterates
- * the OpenFGA `read` API in pages until `continuationToken` is empty
- * so we don't blow up memory on large stores.
+ * Read existing `knowledge_base:*` tuples from OpenFGA. Used by
+ * `deriveDataSourceGrantsBackfillPlan` so the data_source mirror set is
+ * computed from the source of truth instead of Mongo. OpenFGA does not
+ * accept `knowledge_base:` as a tuple-key prefix filter, so this iterates
+ * the valid paginated read API and filters object type client-side.
  *
  * Failures (OpenFGA unreachable, model not loaded) bubble up so the
  * migration runner can surface the underlying error rather than
@@ -1903,11 +1903,13 @@ async function loadKnowledgeBaseTuples(): Promise<OpenFgaTupleKey[]> {
   let continuationToken: string | undefined;
   do {
     const page = await readOpenFgaTuples({
-      tuple: { user: "", relation: "", object: "knowledge_base:" },
       continuationToken,
+      pageSize: 100,
     });
     for (const entry of page.tuples) {
-      collected.push(entry.key);
+      if (entry.key.object.startsWith("knowledge_base:")) {
+        collected.push(entry.key);
+      }
     }
     continuationToken = page.continuationToken;
   } while (continuationToken);