From 1e22c82e403d80cf713dee19af80fac85751618c Mon Sep 17 00:00:00 2001
From: Casey Brooks
Date: Sat, 18 Apr 2026 20:59:49 +0000
Subject: [PATCH] feat(authz): add can_view_threads relation

---
 terraform/model.fga | 1 +
 terraform/model.fga.yaml | 18 ++++++++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/terraform/model.fga b/terraform/model.fga
index b8089fd..be4ad21 100644
--- a/terraform/model.fga
+++ b/terraform/model.fga
@@ -16,6 +16,7 @@ type organization
 define can_invite: owner
 define can_manage_members: owner
 define can_add_member: admin from cluster
+ define can_view_threads: owner or admin from cluster
 define can_create_thread: [identity]
 define can_write_thread: [identity]
 define can_add_participant: [identity]
diff --git a/terraform/model.fga.yaml b/terraform/model.fga.yaml
index dca16b2..315addf 100644
--- a/terraform/model.fga.yaml
+++ b/terraform/model.fga.yaml
@@ -90,6 +90,24 @@ tests:
 object: "organization:org-1"
 assertions:
 can_add_member: false
+ - name: org owner can view threads
+ check:
+ - user: "identity:org-owner-id"
+ object: "organization:org-1"
+ assertions:
+ can_view_threads: true
+ - name: org member cannot view threads
+ check:
+ - user: "identity:org-member-id"
+ object: "organization:org-1"
+ assertions:
+ can_view_threads: false
+ - name: cluster admin can view threads
+ check:
+ - user: "identity:admin-user-id"
+ object: "organization:org-1"
+ assertions:
+ can_view_threads: true
 - name: installed app has thread permissions
 check:
 - user: "identity:app-installed-id"
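Review bot: The new `can_view_threads` relation in model.fga grants `admin from cluster` read access to every organization's threads in that cluster, a broader cross-organization grant than the neighbouring thread relations that are assigned directly to `[identity]`, and the line carries no comment stating that intent; I would add `# org owners and cluster-level admins may read every thread in the org` above it. The model.fga.yaml tests cover owner, member and cluster admin, but the negative case depends on which tuples `identity:org-member-id` holds, and those tuples are defined outside this hunk. A further negative check for an identity that only holds a directly assigned relation such as `can_create_thread` would pin that creating threads does not by itself imply viewing them, assuming that separation is intended.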