
chore(openfga): replace member-type bootstrap script with cleanup#24

Merged
emsearcy merged 1 commit into
mainfrom
feat/LFXV2-1356-cleanup-member-type
Apr 1, 2026

Conversation

@emsearcy
Contributor

@emsearcy emsearcy commented Mar 31, 2026

Summary

Removes scripts/create-membership-auditors-team.sh and replaces it with scripts/cleanup-openfga-member-type.sh, a one-time data migration script to accompany the removal of the stub member OpenFGA type in lfx-v2-helm#120.

Jira

LFXV2-1356

What the cleanup script does

  1. Deletes all member:* object tuples: team:membership-auditors#member -> auditor -> member:<uuid> (7,451 tuples in prod, 0 in dev)
  2. Deletes all team:membership-auditors user membership tuples: user:* -> member -> team:membership-auditors (5 users in prod)

The member type is being replaced by the new b2b_org, project_membership, and key_contact types.

Usage

# Dry run first (recommended)
./scripts/cleanup-openfga-member-type.sh --dry-run

# Then for real (requires port-forward to target OpenFGA on localhost:8080)
./scripts/cleanup-openfga-member-type.sh

Environment variables OPENFGA_URL and OPENFGA_STORE_ID can be overridden if needed.

@emsearcy emsearcy requested a review from a team as a code owner March 31, 2026 22:44
Copilot AI review requested due to automatic review settings March 31, 2026 22:44
Remove scripts/create-membership-auditors-team.sh and replace with
scripts/cleanup-openfga-member-type.sh, which deletes:
  - All team:membership-auditors#member -> auditor -> member:<uuid> tuples
    (7,451 in prod)
  - All user -> member -> team:membership-auditors tuples (5 in prod)

This is a one-time data migration to accompany the removal of the stub
`member` OpenFGA type in lfx-v2-helm (LFXV2-1356), which is replaced
by the new b2b_org, project_membership, and key_contact types.

The script supports --dry-run for safe pre-flight verification.

🤖 Generated with [GitHub Copilot](https://github.com/features/copilot) (via Zed)

Signed-off-by: Eric Searcy <eric@linuxfoundation.org>
@emsearcy emsearcy force-pushed the feat/LFXV2-1356-cleanup-member-type branch from 11fab8c to 568f911 Compare March 31, 2026 22:46

Copilot AI left a comment


Pull request overview

Replaces the prior OpenFGA bootstrap script for the membership-auditors team with a one-time cleanup/migration script intended to remove tuples associated with the deprecated member OpenFGA type.

Changes:

  • Remove scripts/create-membership-auditors-team.sh (NATS/fga-sync bootstrap helper).
  • Add scripts/cleanup-openfga-member-type.sh to enumerate and delete member-type tuples (with optional --dry-run) via the OpenFGA HTTP API.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.

File Description
scripts/create-membership-auditors-team.sh Deleted legacy bootstrap script that published membership updates via NATS/fga-sync.
scripts/cleanup-openfga-member-type.sh Added one-time cleanup script to collect and delete tuples tied to the removed member type.


Comment thread scripts/cleanup-openfga-member-type.sh
Comment on lines +56 to +63
local resp
resp=$(curl -s -X POST "${BASE_URL}/stores/${STORE_ID}/write" \
-H 'Content-Type: application/json' \
-d "$payload")

# OpenFGA returns an empty body on success, or a JSON error object on failure
if echo "$resp" | jq -e '.code' >/dev/null 2>&1; then
echo "ERROR deleting batch: $(echo "$resp" | jq -r '.message')"

Copilot AI Mar 31, 2026


Both /write and /read calls use curl -s without failing on non-2xx HTTP responses. If OpenFGA returns an HTTP error with an empty/non-JSON body (or a proxy returns HTML), the .code check can be bypassed and the script may incorrectly treat the operation as successful. Use curl --fail-with-body (or -f plus capturing the status code) and validate that the response is valid JSON before parsing error fields.

Suggested change
local resp
resp=$(curl -s -X POST "${BASE_URL}/stores/${STORE_ID}/write" \
-H 'Content-Type: application/json' \
-d "$payload")
# OpenFGA returns an empty body on success, or a JSON error object on failure
if echo "$resp" | jq -e '.code' >/dev/null 2>&1; then
echo "ERROR deleting batch: $(echo "$resp" | jq -r '.message')"
local http_status
local resp
local http_output
http_output=$(curl -sS -w '%{http_code}' -X POST "${BASE_URL}/stores/${STORE_ID}/write" \
-H 'Content-Type: application/json' \
-d "$payload") || {
echo "ERROR deleting batch: HTTP request to OpenFGA failed"
echo "Raw response:"
echo "$http_output"
exit 1
}
http_status=${http_output: -3}
resp=${http_output::-3}
# Treat any non-2xx HTTP status as an error
if [[ "$http_status" != 2?? ]]; then
echo "ERROR deleting batch: OpenFGA returned HTTP status $http_status"
if [[ -n "$resp" ]] && echo "$resp" | jq -e . >/dev/null 2>&1; then
# Try to surface a JSON error message if present
if echo "$resp" | jq -e '.message' >/dev/null 2>&1; then
echo "Message: $(echo "$resp" | jq -r '.message')"
else
echo "Response body (JSON):"
echo "$resp" | jq .
fi
elif [[ -n "$resp" ]]; then
echo "Response body (non-JSON):"
echo "$resp"
fi
exit 1
fi
# OpenFGA returns an empty body on success, or a JSON error object on failure.
# If a JSON body with a .code field is present, treat it as an error.
if [[ -n "$resp" ]] && echo "$resp" | jq -e . >/dev/null 2>&1 && \
echo "$resp" | jq -e '.code' >/dev/null 2>&1; then
echo "ERROR deleting batch: $(echo "$resp" | jq -r '.message // "Unknown error"')"

@emsearcy emsearcy requested a review from jordane March 31, 2026 22:47
@emsearcy
Contributor Author

This has now been run successfully against production. PR just for reference.

@emsearcy emsearcy merged commit 36b131a into main Apr 1, 2026
9 checks passed
@emsearcy emsearcy deleted the feat/LFXV2-1356-cleanup-member-type branch April 1, 2026 22:55
