feat(api.iam): workspace authz schema alignment

[jsell-rh]

Summary by CodeRabbit

• New Features

  • API key entity for managed access and revocation
  • Workspace hierarchies to support nested workspaces
  • Tenant membership model with member and admin roles

• Updates

  • Permissions reworked: admin + member visibility, admin-managed edits and management
  • Tenant administrate capability added

• Tests

  • Removed legacy checks for deprecated workspace relation and delete permission

[coderabbitai]

Walkthrough

The pull request updates SpiceDB schema and related types/tests. It adds a new public entity api_key with owner and tenant relations and view/revoke permissions; refactors workspace to replace owner with admin, add tenant and parent: workspace relations, and change permissions (view, edit, manage); updates tenant to add member relation and administrate permission; removes WORKSPACE and DELETE enum members from authorization types and deletes corresponding unit tests.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'workspace authz schema alignment' accurately reflects the main changes, which involve restructuring the workspace authorization schema with role-based access control improvements.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch jsell/feat/AIHCM-146-workspace-authz

---

No actionable comments were generated in the recent review. 🎉

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

deploy/apps/kartograph/base/spicedb-schema-configmap.yaml (1)

1-144: ⚠️ Potential issue | 🟠 Major

Schemas are out of sync; generate ConfigMap from source schema.

The ConfigMap and source schema differ in indentation (tabs vs. spaces), character encoding (→ vs. -> in comments), and whitespace handling. Generate the ConfigMap from src/api/shared_kernel/authorization/spicedb/schema.zed to maintain consistency and prevent future drift.

🧹 Nitpick comments (2)

src/api/shared_kernel/authorization/spicedb/schema.zed (1)

124-127: Future commented code references removed owner relation.

The commented knowledge_graph definition references workspace->owner which no longer exists after the owner→admin migration. Update for consistency when this is implemented.

 *     permission view = viewer + editor + workspace->member
-*     permission edit = editor + workspace->owner
-*     permission delete = workspace->owner
+*     permission edit = editor + workspace->admin
+*     permission delete = workspace->admin

deploy/apps/kartograph/base/spicedb-schema-configmap.yaml (1)

131-134: Same inconsistency: future code references removed owner relation.

Update the commented knowledge_graph definition to reference workspace->admin instead of workspace->owner for consistency with the current schema.