Merge pull request #30 from linuxfoundation/tbramwell/LFXV2-1555-fix-vote-response-fga-tuples

[LFXV2-1555] fix: align vote_response FGA tuples with model

Author: bramwelt

docs/api-contracts.md

@@ -1157,7 +1157,7 @@ x-scope: manage:voting
 
 **Endpoint**: `POST /vote_responses/{vote_response_uid}/resend`
 
-**Required permission**: `writer` on `vote:{vote_response_uid}`
+**Required permission**: `owner` on `vote_response:{vote_response_uid}`
 
 **Headers**:
 

docs/event-processing.md

@@ -148,7 +148,7 @@ The voting service implements NATS KV bucket event processing to automatically s
 - `poll_id` → `vote_uid` (parent reference)
 - Integer ranked choice ranks
 - Mapped project UIDs
-- User-specific permissions (writer/viewer)
+- User-specific permissions (owner)
 
 **Example Ranked Choice Transformation**:
 

docs/fga-contract.md

@@ -77,17 +77,15 @@ On delete, only `uid` is sent — all FGA tuples for `vote:{uid}` are removed by
 
 | Relation | Value | Condition |
 |---|---|---|
-| `writer` | `Username` (Auth0 username) | Only when `Username` is non-empty |
-| `viewer` | `Username` (Auth0 username) | Only when `Username` is non-empty |
+| `owner` | `Username` (Auth0 username) | Only when `Username` is non-empty |
 
 ### References
 
 | Reference | Value | Condition |
 |---|---|---|
-| `project` | `ProjectUID` | Only when `ProjectUID` is non-empty |
 | `vote` | `VoteUID` | Only when `VoteUID` is non-empty |
 
-> The update message is skipped entirely if `Username`, `ProjectUID`, and `VoteUID` are all empty.
+> The update message is skipped entirely if `Username` and `VoteUID` are both empty.
 
 ### Delete
 
@@ -102,6 +100,6 @@ On delete, only `uid` is sent — all FGA tuples for `vote_response:{uid}` are r
 | Create vote | `vote` | `lfx.fga-sync.update_access` | Skipped if both `ProjectUID` and `CommitteeUID` are empty |
 | Update vote | `vote` | `lfx.fga-sync.update_access` | Skipped if both `ProjectUID` and `CommitteeUID` are empty |
 | Delete vote | `vote` | `lfx.fga-sync.delete_access` | Always sent |
-| Create vote response | `vote_response` | `lfx.fga-sync.update_access` | Skipped if `Username`, `ProjectUID`, and `VoteUID` are all empty |
-| Update vote response | `vote_response` | `lfx.fga-sync.update_access` | Skipped if `Username`, `ProjectUID`, and `VoteUID` are all empty |
+| Create vote response | `vote_response` | `lfx.fga-sync.update_access` | Skipped if `Username` and `VoteUID` are both empty |
+| Update vote response | `vote_response` | `lfx.fga-sync.update_access` | Skipped if `Username` and `VoteUID` are both empty |
 | Delete vote response | `vote_response` | `lfx.fga-sync.delete_access` | Always sent |

internal/infrastructure/eventing/nats_publisher.go

@@ -220,14 +220,10 @@ func (p *NATSPublisher) sendVoteResponseIndexerMessage(ctx context.Context, subj
 func (p *NATSPublisher) sendVoteResponseAccessMessage(data *domain.VoteResponseData) error {
 	relations := map[string][]string{}
 	if data.Username != "" {
-		relations["writer"] = []string{data.Username}
-		relations["viewer"] = []string{data.Username}
+		relations["owner"] = []string{data.Username}
 	}
 
 	references := map[string][]string{}
-	if data.ProjectUID != "" {
-		references["project"] = []string{data.ProjectUID}
-	}
 	if data.VoteUID != "" {
 		references["vote"] = []string{data.VoteUID}
 	}