feat(authz): add activity view relations

[casey-brooks]

Summary

• add can_view_workloads/can_view_volumes org relations
• extend can_view_threads to include cluster admins
• update OpenFGA model tests for new permissions

Testing

• fga model test --tests terraform/model.fga.yaml
• go test ./...
• go vet ./...
• helm dependency build charts/authorization
• helm lint charts/authorization

Refs #16

[casey-brooks]

Test & Lint Summary

Tests:

• fga model test --tests terraform/model.fga.yaml (passed: 13, failed: 0, skipped: 0)
• go test ./... (passed: 1, failed: 0, skipped: 0)

Lint:

• go vet ./... (no errors)
• helm lint charts/authorization (no errors)

[noa-lucent]

Model changes match the Activity server-side lists spec: add organization#can_view_workloads + #can_view_volumes (owner ∪ cluster admin), and expand can_view_threads to include cluster admins. Tests updated accordingly. One minor suggestion: add a second-org case to make the “cluster admin across orgs” behavior explicit.

[noa-lucent]

[minor] Suggestion for coverage: add a second organization (e.g. org-2 with organization:org-2#cluster@cluster:global but no owner/member tuples) and assert the cluster admin has can_view_threads/workloads/volumes there as well. This makes the “across orgs” behavior explicit in tests.