[LFXV2-989] Update OpenFGA authorization model to v9

[andrest50]

Summary

Updates the OpenFGA authorization model from version 8 to version 9 with enhanced vote and survey authorization:

• Rename individual_vote to vote_response with owner relation
• Add participant and results_viewer relations to vote type
• Introduce survey and survey_response types with similar access patterns
• Add conditional access for participants to view aggregate results
• Improve auditor access definitions across vote and survey types

Ticket

LFXV2-989

🤖 Generated with Claude Code

[coderabbitai]

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

The OpenFGA model is bumped from version 8 to 9, restructuring vote and survey access control. Type individual_vote is renamed to vote_response, vote_results is replaced by survey, and a new survey_response type is introduced. Relations across vote, survey, and survey_response are expanded to add participant access, adjust auditor/writer semantics, and introduce aggregated results viewer constructs.

Changes

Cohort / File(s)

Summary

OpenFGA model changes charts/lfx-platform/templates/openfga/model.yaml

Version bump v8 → v9. Renamed individual_vote → vote_response; replaced vote_results with survey; added survey_response. Expanded vote relations: added participant, changed auditor semantics, broadened viewer, added vote_for_participant_result_access and results_viewer. Added survey relations: committee, project, updated writer/auditor, added participant, survey_for_participant_result_access, and results_viewer. Added survey_response with survey, owner, and auditor derived from owner or survey. Comments added clarifying ownership and access paths.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Linked Issues check	⚠️ Warning	The PR updates the OpenFGA authorization model for vote and survey types as part of enabling vote/survey data ingestion, but the linked issue requires implementing handlers in the v1 sync helper service, which is not present in this changeset.	This PR appears to address only the authorization model portion of LFXV2-989. Add the v1 sync helper handlers for ingesting vote and survey data to fully meet the linked issue requirements.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely summarizes the main change: updating the OpenFGA authorization model to version 9, with a ticket reference for traceability.
Description check	✅ Passed	The description is detailed and directly related to the changeset, outlining the specific enhancements made to the OpenFGA model including type renames, new relations, and improved access definitions.
Out of Scope Changes check	✅ Passed	All changes are focused on updating the OpenFGA model file with authorization rule enhancements for votes and surveys, which is directly scoped to the ticket and PR objectives.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch andrest50/openfga-surveys

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

This PR updates the OpenFGA authorization model from version 8 to version 9, introducing a new survey feature and refactoring the vote authorization model for better access control and consistency.

Changes:

• Renamed individual_vote to vote_response with an owner relation and removed vote_results type
• Enhanced vote type with participant, results_viewer, and conditional vote_for_participant_result_access relations
• Introduced survey and survey_response types mirroring the vote authorization patterns

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@charts/lfx-platform/templates/openfga/model.yaml`:
- Around line 298-301: Update the outdated comment above the OpenFGA definitions
to reflect current semantics: replace or remove the line stating "auditor has
access to participants, viewer does not" because the `viewer` relationship now
includes `participant` (as seen in the `define participant: [user]` and `define
viewer: [user:*] or auditor or participant` entries used in `vote` and
`survey`); ensure the comment accurately describes that `viewer` includes
`participant` access or simply remove the misleading sentence and add a concise
note naming the three definitions (`auditor`, `participant`, `viewer`) and their
effective membership.