
feat(openfga): add b2b_org, project_membership, and key_contact types #120

Open
emsearcy wants to merge 3 commits into linuxfoundation:main from emsearcy:feat/LFXV2-1356-openfga-member-types

Conversation


@emsearcy emsearcy commented Mar 31, 2026

Summary

  • Add b2b_org, project_membership, and key_contact OpenFGA types for the v2 member service architecture
  • Replace the unused stub member type with these three first-class types
  • Bump model version to 11.0.0 (major — type additions/deletions per in-file guidelines)
  • Add @fgadoc structural annotations to all three new types
  • Extend PERMISSIONS.md via the render-permissions skill with sections for each new type

Jira

LFXV2-1356 — part of epic LFXV2-1344

Changes

b2b_org — represents a Salesforce Account (B2B company):

  • global_org_admin: [team#member] — platform-wide machine user team stamped on every instance at creation (@fgadoc:hide — not directly assignable by humans)
  • owner: [user] — human owners only; reserved for future owner-only gates (transfer, deletion)
  • writer: [user] or owner or global_org_admin — machine users get writer-level access (not owner)
  • auditor: [user, team#member] or writer

project_membership — Salesforce Asset record with parent refs to b2b_org and project:

  • writer inherits from b2b_org only (org owners + global org-admin team); project-level writers can audit but not modify memberships
  • auditor inherits from both b2b_org and project

key_contact — Salesforce Project_Role__c record, same parent refs:

  • writer inherits from both b2b_org (org owners + global org-admin) and project (LF staff managing contacts on behalf of members)
  • auditor inherits from both b2b_org and project

PERMISSIONS.md

b2b_org renders as a prose section (direct-grant roles exist but no @fgadoc:jtbd yet — API routes not yet implemented; will be populated by the populate-jtbds skill once LFXV2-1360–1362 land). project_membership and key_contact render as prose-only inheritance sections since all access is inherited.

Testing

Existing FGA checks (project auditor/writer) are unaffected. New types will be exercised when the member service write handlers are implemented (LFXV2-1360–1362).
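The inheritance rules listed in the description, worked through as an added example (this is not code from the PR or from the lfx-platform chart): a small Python evaluator that encodes the relations as described and resolves checks the way OpenFGA composes direct tuples, "or" relations and "from" (tuple-to-userset) relations. It shows the two boundaries the PR draws: a project-level writer can audit but not modify a project_membership yet can write a key_contact, and the global org-admin team lands at writer, not owner, on b2b_org. The project and team relation shapes and all object names are assumptions constructed for the example.

```python
# Model transcribed from the PR description (project.writer/auditor and
# team.member are assumed shapes, not quoted from the PR).  Rule kinds:
#   ("direct",)               directly assigned tuples, incl. usersets like team:t#member
#   ("computed", rel)         "... or rel" on the same object
#   ("ttu", parent_rel, rel)  "rel from parent_rel" (tuple-to-userset)
MODEL = {
    ("team", "member"): [("direct",)],
    ("project", "writer"): [("direct",)],
    ("project", "auditor"): [("direct",), ("computed", "writer")],
    ("b2b_org", "global_org_admin"): [("direct",)],          # [team#member] only
    ("b2b_org", "owner"): [("direct",)],                     # [user] only
    ("b2b_org", "writer"): [("direct",), ("computed", "owner"), ("computed", "global_org_admin")],
    ("b2b_org", "auditor"): [("direct",), ("computed", "writer")],
    ("project_membership", "writer"): [("ttu", "b2b_org", "writer")],
    ("project_membership", "auditor"): [("ttu", "b2b_org", "auditor"), ("ttu", "project", "auditor")],
    ("key_contact", "writer"): [("ttu", "b2b_org", "writer"), ("ttu", "project", "writer")],
    ("key_contact", "auditor"): [("ttu", "b2b_org", "auditor"), ("ttu", "project", "auditor")],
}

def check(store, user, relation, obj):
    """Resolve (user, relation, obj) against a set of (user, relation, object) tuples."""
    for rule in MODEL.get((obj.split(":")[0], relation), []):
        if rule[0] == "direct":
            if (user, relation, obj) in store or any(  # userset subject, e.g. team:t#member
                    r == relation and o == obj and "#" in u and check(store, user, u.split("#")[1], u.split("#")[0])
                    for u, r, o in store):
                return True
        elif rule[0] == "computed" and check(store, user, rule[1], obj):
            return True
        elif rule[0] == "ttu" and any(r == rule[1] and o == obj and check(store, user, rule[2], u) for u, r, o in store):
            return True
    return False

def scenario():
    """Constructed tuples: one org with a human owner, an admin team holding a service user, one project writer."""
    s = {
        ("team:org-admins#member", "global_org_admin", "b2b_org:acme"),  # stamped at org creation
        ("user:svc", "member", "team:org-admins"),
        ("user:owner", "owner", "b2b_org:acme"),
        ("user:staff", "writer", "project:k8s"),
    }
    for obj in ("project_membership:pm1", "key_contact:kc1"):  # parent refs to b2b_org and project
        s |= {("b2b_org:acme", "b2b_org", obj), ("project:k8s", "project", obj)}
    return {
        "staff_audits_membership": check(s, "user:staff", "auditor", "project_membership:pm1"),
        "staff_writes_membership": check(s, "user:staff", "writer", "project_membership:pm1"),
        "staff_writes_contact": check(s, "user:staff", "writer", "key_contact:kc1"),
        "svc_writes_membership": check(s, "user:svc", "writer", "project_membership:pm1"),
        "svc_owns_org": check(s, "user:svc", "owner", "b2b_org:acme"),
    }
```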

Copilot AI review requested due to automatic review settings March 31, 2026 20:26
@emsearcy emsearcy requested a review from a team as a code owner March 31, 2026 20:26

coderabbitai Bot commented Mar 31, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


Walkthrough

Bumped OpenFGA model major version 10 → 11. Removed the standalone type member and added b2b_org, project_membership, and key_contact types with parent pointers and revised derived relations for owner, writer, and auditor.

Changes

Cohort / File(s): OpenFGA Authorization Model (charts/lfx-platform/templates/openfga/model.yaml)
Summary: Model major version 10 → 11. Removed type member. Added type b2b_org with relations global_org_admin: [team#member], owner: [user], writer: [user] or owner or global_org_admin, auditor: [user, team#member] or writer. Added type project_membership with parent pointers to b2b_org and project, writer derived from b2b_org, auditor from b2b_org or project. Added type key_contact with parent pointers to b2b_org and project, writer and auditor derived from those parents.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)

  • Title check: ✅ Passed. The title clearly and specifically describes the main change: adding three new OpenFGA types (b2b_org, project_membership, and key_contact) to replace the unused member type.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Description check: ✅ Passed. The PR description comprehensively explains the changes: adding three new OpenFGA types (b2b_org, project_membership, key_contact), removing the unused member type, and bumping the model version. It details each type's purpose, relations, and inheritance patterns, along with testing considerations and related Jira tickets.



Copilot AI left a comment


Pull request overview

Updates the OpenFGA authorization model used by the lfx-platform Helm chart to support the v2 member service architecture by introducing first-class org/membership/contact object types and versioning the model accordingly.

Changes:

  • Bumps the authorization model version to 10.1.0.
  • Replaces the unused member type with new b2b_org, project_membership, and key_contact types.
  • Adds new parent-reference and inherited-permission relations for membership and key contact records.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
charts/lfx-platform/templates/openfga/model.yaml (1)

362-365: Minor doc inconsistency: comment says "owners" but relation grants "writers".

The comment states "Write access is granted to b2b_org owners" but the relation writer: writer from b2b_org actually grants access to anyone with writer on the parent b2b_org (which includes both direct [user] assignments and owner). Consider updating the comment to reflect the actual inheritance:

Suggested comment update
         # The key_contact type represents a Salesforce Project_Role__c record: a named
-        # contact role assigned to a b2b_org for a specific project membership. Write
-        # access is granted to b2b_org owners (and transitively the global org-admin team).
+        # contact role assigned to a b2b_org for a specific project membership. Write
+        # access is granted to b2b_org writers (including owners and the global org-admin team).
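Review bot: the replacement comment still documents only the b2b_org path, but according to the PR description ("writer inherits from both b2b_org ... and project") and the second commit ("Add writer from project to key_contact"), the key_contact writer relation also inherits from project. The doc comment should name both parents, e.g. "Write access is granted to b2b_org writers (including owners and the global org-admin team) and to project writers."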
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@charts/lfx-platform/templates/openfga/model.yaml` around lines 362 - 365, The
comment for the OpenFGA type "key_contact" is inaccurate: it says "Write access
is granted to b2b_org owners" but the relation uses "writer: writer from
b2b_org", which grants write access to any principal with the writer relation on
the parent b2b_org (including direct writers and owners via inheritance). Update
the comment above type key_contact to state that write access is granted to
b2b_org writers (including owners via inheritance) or otherwise describe the
actual inheritance model to match the relation "writer: writer from b2b_org".
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@charts/lfx-platform/templates/openfga/model.yaml`:
- Around line 21-24: The version block currently sets major: 10 minor: 1 patch:
0 but the change adds types b2b_org, project_membership, key_contact and removes
type member, which per the in-file guidelines requires a major bump; update the
version block (the version: major/minor/patch fields) to major: 11 minor: 0
patch: 0 so the model version becomes 11.0.0.



📥 Commits

Reviewing files that changed from the base of the PR and between 39225ab and e8b9c4c.

📒 Files selected for processing (1)
  • charts/lfx-platform/templates/openfga/model.yaml


@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
charts/lfx-platform/templates/openfga/model.yaml (1)

341-349: Make global_org_admin stamping part of the org-create transaction.

project_membership and key_contact inherit their service-writer path from b2b_org.writer. If a b2b_org can be created without this tuple, follow-on member-service writes will be stranded until repaired.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@charts/lfx-platform/templates/openfga/model.yaml` around lines 341 - 349, The
b2b_org model allows project_membership and key_contact to inherit writer from
b2b_org.writer, so ensure the tuple for relation "global_org_admin" on type
"b2b_org" is written as part of the same org creation transaction: update the
org creation flow (e.g., the CreateOrg or createOrgTransaction path) to include
the OpenFGA tuple write for b2b_org#global_org_admin -> team#member within the
same atomic operation (or use the OpenFGA multi-write/transaction API) so
follow-on member-service writes never see a b2b_org without that tuple; also add
idempotent/exists checks so replayed org-creates don’t duplicate the tuple.


📥 Commits

Reviewing files that changed from the base of the PR and between a23b883 and 4fcc7c9.

📒 Files selected for processing (1)
  • charts/lfx-platform/templates/openfga/model.yaml

Add three new OpenFGA types required by the v2 member service
architecture (LFXV2-1356). The stub 'member' type (unused) is replaced
by the three first-class types that reflect the actual Salesforce entity
model. Model version is bumped to 10.1.0 (minor addition of types).

The global_org_admin relation on b2b_org provides platform-wide machine
user access without a hierarchical root object; writer/auditor on
project_membership and key_contact inherit from both the owning b2b_org
and the parent project.

Note: global_org_admin team UID and provisioning method are an open
question tracked in LFXV2-1356.

🤖 Generated with [GitHub Copilot](https://github.com/features/copilot) (via OpenCode)

Signed-off-by: Eric Searcy <eric@linuxfoundation.org>

- Bump version to 11.0.0 (major: type additions/deletions per guidelines)
- Move global_org_admin from owner to writer on b2b_org, reserving
  owner for future owner-only gates (e.g. org transfer/deletion)
- Add writer from project to key_contact so project-level writers
  (LF staff) can manage key contacts without membership write access

🤖 Generated with [GitHub Copilot](https://github.com/features/copilot) (via OpenCode)

Signed-off-by: Eric Searcy <eric@linuxfoundation.org>

Add structural @fgadoc tags to the three new member service types:
- @fgadoc:alias for human-readable display names
- @fgadoc:hide on global_org_admin (machine-user relation, not directly
  assignable by humans)

Regenerate PERMISSIONS.md via the render-permissions skill to include
sections for all three new types. b2b_org renders as a prose section
(direct-grant roles present but no JTBDs yet; routes not yet implemented
in LFXV2-1360–1362). project_membership and key_contact render as
prose-only with inheritance bullets (all access is inherited, no direct
grants).

🤖 Generated with [GitHub Copilot](https://github.com/features/copilot) (via OpenCode)

Signed-off-by: Eric Searcy <eric@linuxfoundation.org>
@emsearcy emsearcy force-pushed the feat/LFXV2-1356-openfga-member-types branch from 5e2bed5 to c19b845 Compare April 13, 2026 22:38