Add executive_director relation to project FGA type

[bramwelt]

Summary

Adds executive_director as a named user relation on the project OpenFGA type and includes it in auditor, granting executive directors auditor → viewer access transitively.

Problem

The project-service assigns executive_director tuples to project objects, but this relation didn't exist in the model:

Invalid tuple 'project:UUID#executive_director@user:auth0|ajoshipura'.
Reason: relation 'project#executive_director' not found

This caused 51 failed batch writes per reconciliation cycle, leaving affected projects with no FGA tuples (no viewer, no parent).

Change

 type project
   relations
     define parent: [project]
     define owner: [team#member] or owner from parent
     define writer: [user] or owner or writer from parent
-    define auditor: [user, team#member] or writer or auditor from parent
+    define auditor: [user, team#member] or executive_director or writer or auditor from parent
     # The meeting_coordinator relation identifies a user who can manage any meeting
     # for a given project.
     define meeting_coordinator: [user]
+    # executive_director identifies a user with the executive director role for a project,
+    # as assigned by the project-service. executive_directors are auditors of the project.
+    define executive_director: [user]
     define viewer: [user:*] or auditor or auditor from parent

Related

• LFXV2-1556 — this issue
• LFXV2-1554 — fga-sync batch write retry fix
• LFXV2-1555 / PR Add missing relations to vote_response FGA type #131 — vote_response missing relations (same class of bug)

Closes LFXV2-1556

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: fd911ad3-f0db-49bc-a6cd-a9053fedb6dc

📥 Commits

Reviewing files that changed from the base of the PR and between c1b500a and 6117aa2.

📒 Files selected for processing (1)

• charts/lfx-platform/templates/openfga/model.yaml

---

Walkthrough

Bumped OpenFGA model minor version from 1→2; added define executive_director: [user]; added/ documented define meeting_coordinator; and included executive_director in the project type's auditor relation.

Changes

Cohort / File(s)	Summary
OpenFGA Authorization Model charts/lfx-platform/templates/openfga/model.yaml	Incremented model minor version from 1 to 2; added define executive_director: [user]; added/documented define meeting_coordinator; updated project's auditor relation to include executive_director alongside existing relations.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and concisely describes the primary change: adding the executive_director relation to the project FGA type.
Description check	✅ Passed	The description clearly explains the problem, the solution, related issues, and impact in detail, all directly related to the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch tbramwell/LFXV2-1556-executive-director

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

Updates the OpenFGA authorization model used by the lfx-platform Helm chart to align the model with relations being written by backend services (notably project#executive_director).

Changes:

• Add project#executive_director relation and grant it transitive access by including it in project#auditor.
• Update the vote_response type relations (adds project, writer, viewer) as part of the same model change.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

charts/lfx-platform/templates/openfga/model.yaml (1)

21-24: ⚠️ Potential issue | 🟠 Major

Bump the authorization model version.

This PR adds new relations, but the model version stays 10.0.0. The note in this file says relation additions require a minor bump; without that, existing environments can keep the old model and never pick up the new executive_director and vote_response relations.

🔧 Proposed change

     - version:
         major: 10
-        minor: 0
+        minor: 1
         patch: 0

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@charts/lfx-platform/templates/openfga/model.yaml` around lines 21 - 24, The
model version block currently lists major: 10, minor: 0, patch: 0 but new
relations (executive_director and vote_response) require a minor version bump;
update the version mapping in the model.yaml (the version / major / minor /
patch keys) to increment the minor version (e.g., set minor: 1 and patch: 0,
keeping major: 10) so environments will pick up the new relations.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@charts/lfx-platform/templates/openfga/model.yaml`:
- Around line 21-24: The model version block currently lists major: 10, minor:
0, patch: 0 but new relations (executive_director and vote_response) require a
minor version bump; update the version mapping in the model.yaml (the version /
major / minor / patch keys) to increment the minor version (e.g., set minor: 1
and patch: 0, keeping major: 10) so environments will pick up the new relations.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 61b88374-3c74-4475-8fb4-92e808c65846

📥 Commits

Reviewing files that changed from the base of the PR and between a575e9f and ae6be8e.

📒 Files selected for processing (1)

• charts/lfx-platform/templates/openfga/model.yaml

[bramwelt]

Review Feedback Addressed

Commits: 0b3e1ac (rebased executive_director onto main), c1b500a (version bump)

Changes Made

• model.yaml: Rebased branch onto main — vote_response changes no longer appear in this diff (per copilot-pull-request-reviewer, coderabbitai[bot])
• model.yaml:22: Bumped model version from 10.0.0 to 10.1.0 (per copilot-pull-request-reviewer, coderabbitai[bot])

Threads Resolved

2 of 2 unresolved threads addressed.

[Copilot]

Pull request overview

Updates the OpenFGA authorization model for the project type to support tuples written by project-service for executive directors, preventing validation failures during reconciliation and ensuring access is computed correctly.

Changes:

• Bumps the OpenFGA model version from 10.1.0 to 10.2.0 to trigger reconciliation.
• Adds a new project#executive_director relation ([user]).
• Extends project#auditor to include executive_director, granting executive directors auditor (and therefore viewer) access.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.