
[LFXV2-1555] fix: align vote_response FGA tuples with model #30

Merged
bramwelt merged 2 commits into main from tbramwell/LFXV2-1555-fix-vote-response-fga-tuples
Apr 22, 2026

Conversation

@bramwelt
Contributor

Summary

  • Change writer → owner relation for vote_response (matches the owner check in the Heimdall update rule)
  • Remove viewer relation for vote_response (not defined in the FGA model)
  • Remove project reference for vote_response (not defined in the FGA model)
  • Update docs (fga-contract.md, event-processing.md, api-contracts.md) to reflect the correct tuples

Root cause: The publisher was sending three tuples (writer, viewer, project) that don't exist in the vote_response FGA type, causing all batch writes to fail with relation 'vote_response#...' not found errors (2,658/24h in production per LFXV2-1555).

Valid vote_response FGA relations: owner, auditor (computed via vote reference), vote (reference only).

Test plan

  • make build passes
  • make test passes
  • Grep confirms no remaining invalid viewer or project tuples published for vote_response
  • After deploy: FGA batch write errors for vote_response drop to zero

🤖 Generated with Claude Code

The vote_response FGA model defines only `owner`,
`auditor`, and a `vote` reference. The publisher
was sending `writer`, `viewer`, and a `project`
reference — none of which exist in the model —
causing all batch writes to fail.

- Change `writer` → `owner` (matches update rule)
- Remove `viewer` relation (not in model)
- Remove `project` reference (not in model)
- Update docs to reflect correct tuples

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Issue: LFXV2-1555
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Trevor Bramwell <tbramwell@linuxfoundation.org>
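
A pre-publish check for the failure described in this PR, as an added example that is not part of the PR or the project's code: it rejects tuples whose relation or reference is not defined for the object type before a batch write is attempted. The `Kind`, `Tuple`, `model` and `Validate` names are hypothetical, the sample tuples are constructed from the PR description, and treating `auditor` as not directly writable is an assumption based on the description calling it computed.

```go
package main

import "fmt"

// Kind says how a name defined on an FGA type may be used by a publisher.
type Kind int

const (
	Direct    Kind = iota // relation assigned by writing a tuple
	Reference             // link to a parent object
	Computed              // derived by the model, never written directly
)

// model mirrors the vote_response relations listed in the PR description.
// Its layout is an assumption of this example, not the project's own types.
var model = map[string]map[string]Kind{
	"vote_response": {"owner": Direct, "vote": Reference, "auditor": Computed},
}

// Tuple is a hypothetical stand-in for one entry of an access message.
type Tuple struct{ Name string; IsRef bool }

// Validate returns one error per tuple the model would reject, so the caller
// can fix the message instead of letting the whole batch write fail.
func Validate(objType string, tuples []Tuple) []error {
	defs, ok := model[objType]
	if !ok {
		return []error{fmt.Errorf("type %q not in model", objType)}
	}
	var errs []error
	for _, t := range tuples {
		kind, found := defs[t.Name]
		switch {
		case !found:
			errs = append(errs, fmt.Errorf("%s#%s: not defined", objType, t.Name))
		case kind == Computed:
			errs = append(errs, fmt.Errorf("%s#%s: computed, not writable", objType, t.Name))
		case (kind == Reference) != t.IsRef:
			errs = append(errs, fmt.Errorf("%s#%s: relation/reference mismatch", objType, t.Name))
		}
	}
	return errs
}

func main() {
	before := []Tuple{{"writer", false}, {"viewer", false}, {"project", true}} // constructed
	after := []Tuple{{"owner", false}, {"vote", true}}                         // constructed
	fmt.Println(len(Validate("vote_response", before)), len(Validate("vote_response", after)))
}
```
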

Copilot AI left a comment

Pull request overview

Aligns vote_response FGA tuple publishing with the OpenFGA model to stop invalid relation/reference writes that are currently failing in production.

Changes:

  • Update vote response access tuple publishing from writer/viewer to owner, and remove unsupported viewer and project tuples.
  • Update FGA and event-processing documentation to reflect the correct vote_response relations/references.
  • Fix API contracts documentation to require owner on vote_response:{vote_response_uid} where applicable.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| internal/infrastructure/eventing/nats_publisher.go | Publishes vote_response access messages using owner and removes unsupported viewer/project tuple emission. |
| docs/fga-contract.md | Updates documented vote_response relations/references and skip condition wording to match the updated publisher behavior. |
| docs/event-processing.md | Updates narrative docs to reflect owner (instead of writer/viewer) for vote response permissions. |
| docs/api-contracts.md | Updates required permission wording for the resend endpoint to owner on vote_response:{vote_response_uid}. |

Comment thread docs/fga-contract.md
Remove ProjectUID from skip condition for create/update
vote_response FGA tuples - only Username and VoteUID are
checked, matching the updated vote_response section.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Issue: LFXV2-1555
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Trevor Bramwell <tbramwell@linuxfoundation.org>
@bramwelt
Contributor Author

Review Feedback Addressed

Commit: bed73cd

Changes Made

  • docs/fga-contract.md (lines 103-104): Removed ProjectUID from the skip condition for Create vote response and Update vote response in the Triggers table — now reads "Skipped if `Username` and `VoteUID` are both empty" (per copilot-pull-request-reviewer[bot])

Threads Resolved

1 of 1 unresolved threads addressed in this iteration.

@bramwelt bramwelt merged commit c0d0e44 into main Apr 22, 2026
9 checks passed
@bramwelt bramwelt deleted the tbramwell/LFXV2-1555-fix-vote-response-fga-tuples branch April 22, 2026 18:17

3 participants