linuxfoundation
diff --git a/‎README.md‎
Lines changed: 2 additions & 0 deletions b/‎README.md‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎docs/fga-contract.md‎
Lines changed: 133 additions & 0 deletions b/‎docs/fga-contract.md‎
Lines changed: 133 additions & 0 deletions
diff --git a/‎docs/indexer-contract.md‎
Lines changed: 33 additions & 1 deletion b/‎docs/indexer-contract.md‎
Lines changed: 33 additions & 1 deletion
diff --git a/‎internal/domain/model/committee_member.go‎
Lines changed: 12 additions & 0 deletions b/‎internal/domain/model/committee_member.go‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎internal/domain/model/committee_member_test.go‎
Lines changed: 39 additions & 0 deletions b/‎internal/domain/model/committee_member_test.go‎
Lines changed: 39 additions & 0 deletions
diff --git a/‎internal/domain/model/committee_message.go‎
Lines changed: 31 additions & 14 deletions b/‎internal/domain/model/committee_message.go‎
Lines changed: 31 additions & 14 deletions
@@ -52,6 +52,8 @@ The LFX v2 Committee Service is a RESTful API service that manages committees an
 ## Documentation
 
 - [Invite & Application Flows](docs/invite-application-flows.md) — membership modes, invite/application lifecycle, state transitions, and edge cases
+- [Indexer Contract](docs/indexer-contract.md) — authoritative reference for all messages sent to the indexer service
+- [FGA Contract](docs/fga-contract.md) — authoritative reference for all messages sent to the fga-sync service
 
 ## Releases
 
 
@@ -0,0 +1,133 @@
+# FGA Contract — Committee Service
+
+This document is the authoritative reference for all messages the committee service sends to the fga-sync service, which writes and deletes [OpenFGA](https://openfga.dev/) relationship tuples to enforce access control.
+
+The full OpenFGA type definitions (relations, schema) for all object types are defined in the [platform model](https://github.com/linuxfoundation/lfx-v2-helm/blob/main/charts/lfx-platform/templates/openfga/model.yaml).
+
+**Update this document in the same PR as any change to FGA message construction.**
+
+---
+
+## Object Types
+
+- [Committee](#committee)
+
+---
+
+## Message Format
+
+All messages use the generic FGA message format on the following NATS subjects:
+
+| Subject | Used for |
+|---|---|
+| `lfx.fga-sync.update_access` | Create and update operations |
+| `lfx.fga-sync.delete_access` | Delete operations |
+| `lfx.fga-sync.member_put` | Add or update individual committee members |
+| `lfx.fga-sync.member_remove` | Remove individual committee members |
+
+Each message carries `object_type`, `operation`, and a `data` map. The sections below describe the `data` contents for each operation.
+
+---
+
+## Committee
+
+**Source struct:** `internal/domain/model/` — `Committee` (base + settings)
+
+**Synced on:** create, update of committee base, update of committee settings, delete of a committee. Committee member changes are synced separately via `member_put`.
+
+### update_access
+
+Published to `lfx.fga-sync.update_access` on committee create or update (base or settings).
+
+#### Message Envelope
+
+| Field | Value |
+|---|---|
+| `object_type` | `committee` |
+| `operation` | `update_access` |
+
+#### Data Fields
+
+These fields are carried inside the message `data` object.
+
+| Field | Value |
+|---|---|
+| `uid` | `CommitteeBase.UID` |
+| `public` | `CommitteeBase.Public` (passed through directly) |
+
+#### Relations
+
+| Relation | Value | Condition |
+|---|---|---|
+| `writer` | Usernames from `CommitteeSettings.Writers` | Only when `Writers` is non-empty |
+| `auditor` | Usernames from `CommitteeSettings.Auditors` | Only when `Auditors` is non-empty |
+
+> Usernames are the `Username` field of each `CommitteeUser` entry (Auth0 `sub` values). Users with an empty `Username` are skipped.
+
+#### References
+
+| Reference | Value | Condition |
+|---|---|---|
+| `project` | `CommitteeBase.ProjectUID` | Always |
+
+#### Exclude Relations
+
+`exclude_relations: ["member"]` — always set. Individual committee members are managed via `member_put` and must not be overwritten by the `update_access` handler.
+
+### member_put (Committee Member Create/Update)
+
+Published to `lfx.fga-sync.member_put` when a committee member is created or updated and the member has a non-empty `Username`.
+
+The object UID is the **committee UID** (`CommitteeBase.UID`), not the member UID.
+
+#### Message Envelope
+
+| Field | Value |
+|---|---|
+| `object_type` | `committee` |
+| `operation` | `member_put` |
+
+#### Data (`FGAMemberData`)
+
+| Field | Value | Condition |
+|---|---|---|
+| `uid` | `CommitteeMember.CommitteeUID` (parent committee) | Always |
+| `username` | `CommitteeMember.Username` (Auth0 `sub`) | Always (skipped if `Username` is empty) |
+| `relations` | `["member"]` | Always |
+
+### member_remove (Committee Member Delete)
+
+Published to `lfx.fga-sync.member_remove` when a committee member is deleted and the member has a non-empty `Username`. Sends an empty `relations` array, which instructs fga-sync to remove all tuples for that user on the committee object.
+
+#### Message Envelope
+
+| Field | Value |
+|---|---|
+| `object_type` | `committee` |
+| `operation` | `member_remove` |
+
+#### Data (`FGAMemberData`)
+
+| Field | Value | Condition |
+|---|---|---|
+| `uid` | `CommitteeMember.CommitteeUID` (parent committee) | Always |
+| `username` | `CommitteeMember.Username` (Auth0 `sub`) | Always (skipped if `Username` is empty) |
+| `relations` | `[]` (empty — remove all) | Always |
+
+### Delete
+
+On delete, a `delete_access` message is sent to `lfx.fga-sync.delete_access` with only the committee `uid` — all FGA tuples for `committee:{uid}` are removed by the fga-sync service.
+
+---
+
+## Triggers
+
+| Operation | Object Type | Subject | Notes |
+|---|---|---|---|
+| Create committee | `committee` | `lfx.fga-sync.update_access` | Always sent |
+| Update committee base | `committee` | `lfx.fga-sync.update_access` | Always sent |
+| Update committee settings | `committee` | `lfx.fga-sync.update_access` | Always sent |
+| Delete committee | `committee` | `lfx.fga-sync.delete_access` | Always sent |
+| Create committee member (with username) | `committee` | `lfx.fga-sync.member_put` | Skipped if `Username` is empty |
+| Update committee member (with username) | `committee` | `lfx.fga-sync.member_put` | Skipped if `Username` is empty |
+| Delete committee member (with username) | `committee` | `lfx.fga-sync.member_remove` | Skipped if `Username` is empty; empty relations removes all tuples for the user |
@@ -20,6 +20,10 @@ This document is the authoritative reference for all data the committee service
 
 ## Committee
 
+**Object type:** `committee`
+
+**NATS subject:** `lfx.index.committee`
+
 **Source struct:** `internal/domain/model/committee_base.go` — `CommitteeBase`
 
 **Indexed on:** create, update, delete of a committee.
@@ -94,6 +98,10 @@ These fields are indexed and queryable via `filters` or `cel_filter` in the quer
 
 ## Committee Settings
 
+**Object type:** `committee_settings`
+
+**NATS subject:** `lfx.index.committee_settings`
+
 **Source struct:** `internal/domain/model/committee_settings.go` — `CommitteeSettings`
 
 **Indexed on:** create, update, delete of committee settings. Settings share the same UID as their parent committee.
@@ -143,6 +151,10 @@ _(none)_
 
 ## Committee Member
 
+**Object type:** `committee_member`
+
+**NATS subject:** `lfx.index.committee_member`
+
 **Source struct:** `internal/domain/model/committee_member.go` — `CommitteeMember`
 
 **Indexed on:** create, update, delete of a committee member.
@@ -155,6 +167,8 @@ _(none)_
 | `committee_uid` | string | UID of the committee this member belongs to |
 | `committee_name` | string | Name of the committee |
 | `committee_category` | string | Category of the committee |
+| `project_uid` | string (optional) | UID of the owning project |
+| `project_slug` | string (optional) | Slug of the owning project |
 | `username` | string | Member's username |
 | `email` | string | Member's email address |
 | `first_name` | string | Member's first name |
@@ -189,8 +203,10 @@ _(none)_
 | `organization_id:{value}` | `organization_id:org-789` | Find members by organization ID |
 | `organization_name:{value}` | `organization_name:The Linux Foundation` | Find members by organization name |
 | `organization_website:{value}` | `organization_website:linuxfoundation.org` | Find members by organization website |
+| `project_uid:{value}` | `project_uid:cbef1ed5-17dc-4a50-84e2-6cddd70f6878` | Find members by project UID |
+| `project_slug:{value}` | `project_slug:test-project` | Find members by project slug |
 
-> Tags for `username`, `email`, `voting_status`, `organization_id`, `organization_name`, and `organization_website` are only emitted when the value is non-empty.
+> Tags for `username`, `email`, `voting_status`, `organization_id`, `organization_name`, `organization_website`, `project_uid`, and `project_slug` are only emitted when the value is non-empty.
 
 ### Access Control (IndexingConfig)
 
@@ -220,6 +236,10 @@ _(none)_
 
 ## Committee Invite
 
+**Object type:** `committee_invite`
+
+**NATS subject:** `lfx.index.committee_invite`
+
 **Source struct:** `internal/domain/model/committee_invite.go` — `CommitteeInvite`
 
 **Indexed on:** create, update, delete of a committee invite.
@@ -275,6 +295,10 @@ _(none)_
 
 ## Committee Application
 
+**Object type:** `committee_application`
+
+**NATS subject:** `lfx.index.committee_application`
+
 **Source struct:** `internal/domain/model/committee_application.go` — `CommitteeApplication`
 
 **Indexed on:** create, update, delete of a committee application.
@@ -331,6 +355,10 @@ _(none)_
 
 ## Committee Link
 
+**Object type:** `committee_link`
+
+**NATS subject:** `lfx.index.committee_link`
+
 **Source struct:** `internal/domain/model/committee_link.go` — `CommitteeLink`
 
 **Indexed on:** create, update, delete of a committee link.
@@ -390,6 +418,10 @@ _(none)_
 
 ## Committee Link Folder
 
+**Object type:** `committee_link_folder`
+
+**NATS subject:** `lfx.index.committee_link_folder`
+
 **Source struct:** `internal/domain/model/committee_link.go` — `CommitteeLinkFolder`
 
 **Indexed on:** create, update, delete of a committee link folder.
 
@@ -38,6 +38,8 @@ type CommitteeMemberBase struct {
 	CommitteeUID      string                      `json:"committee_uid"`
 	CommitteeName     string                      `json:"committee_name"`
 	CommitteeCategory string                      `json:"committee_category"`
+	ProjectUID        string                      `json:"project_uid,omitempty"`
+	ProjectSlug       string                      `json:"project_slug,omitempty"`
 	CreatedAt         time.Time                   `json:"created_at"`
 	UpdatedAt         time.Time                   `json:"updated_at"`
 }
@@ -117,6 +119,16 @@ func (cm *CommitteeMember) Tags() []string {
 		tags = append(tags, tag)
 	}
 
+	if cm.ProjectUID != "" {
+		tag := fmt.Sprintf("project_uid:%s", cm.ProjectUID)
+		tags = append(tags, tag)
+	}
+
+	if cm.ProjectSlug != "" {
+		tag := fmt.Sprintf("project_slug:%s", cm.ProjectSlug)
+		tags = append(tags, tag)
+	}
+
 	if cm.Username != "" {
 		tag := fmt.Sprintf("username:%s", cm.Username)
 		tags = append(tags, tag)
 
@@ -363,6 +363,45 @@ func TestCommitteeMember_Tags(t *testing.T) {
 				"organization_name:The Linux Foundation",
 			},
 		},
+		{
+			name: "member with project uid and slug",
+			member: &CommitteeMember{
+				CommitteeMemberBase: CommitteeMemberBase{
+					UID:          "member-123",
+					CommitteeUID: "committee-456",
+					Email:        "[email protected]",
+					ProjectUID:   "cbef1ed5-17dc-4a50-84e2-6cddd70f6878",
+					ProjectSlug:  "test-project",
+				},
+			},
+			expected: []string{
+				"member-123",
+				"committee_member_uid:member-123",
+				"committee_uid:committee-456",
+				"project_uid:cbef1ed5-17dc-4a50-84e2-6cddd70f6878",
+				"project_slug:test-project",
+				"email:[email protected]",
+			},
+		},
+		{
+			name: "member with project uid only",
+			member: &CommitteeMember{
+				CommitteeMemberBase: CommitteeMemberBase{
+					UID:          "member-123",
+					CommitteeUID: "committee-456",
+					Email:        "[email protected]",
+					ProjectUID:   "cbef1ed5-17dc-4a50-84e2-6cddd70f6878",
+					// Missing ProjectSlug
+				},
+			},
+			expected: []string{
+				"member-123",
+				"committee_member_uid:member-123",
+				"committee_uid:committee-456",
+				"project_uid:cbef1ed5-17dc-4a50-84e2-6cddd70f6878",
+				"email:[email protected]",
+			},
+		},
 	}
 
 	for _, tt := range tests {
 
@@ -100,23 +100,40 @@ func (c *CommitteeIndexerMessage) Build(ctx context.Context, input any) (*Commit
 
 }
 
-// CommitteeAccessMessage is the schema for the data in the message sent to the fga-sync service.
-// These are the fields that the fga-sync service needs in order to update the OpenFGA permissions.
-type CommitteeAccessMessage struct {
+// GenericFGAMessage is the envelope for all FGA sync operations.
+// It uses the generic, resource-agnostic FGA sync handlers.
+type GenericFGAMessage struct {
+	ObjectType string `json:"object_type"` // Resource type, e.g. "committee"
+	Operation  string `json:"operation"`   // Operation name, e.g. "update_access"
+	Data       any    `json:"data"`        // Operation-specific payload
+}
+
+// FGAUpdateAccessData is the data payload for update_access operations.
+// This is a full sync — any relations not listed (and not excluded) will be removed.
+type FGAUpdateAccessData struct {
+	UID              string              `json:"uid"`
+	Public           bool                `json:"public"`
+	Relations        map[string][]string `json:"relations,omitempty"`
+	References       map[string][]string `json:"references,omitempty"`
+	ExcludeRelations []string            `json:"exclude_relations,omitempty"`
+}
+
+// FGADeleteAccessData is the data payload for delete_access operations.
+type FGADeleteAccessData struct {
 	UID string `json:"uid"`
-	// object_type is the type of the object that the message is about, e.g. "committee" or "project".
-	ObjectType string `json:"object_type"`
-	// public is the public flag for the object.
-	Public bool `json:"public"`
-	// relations are used to store the relations of the object, e.g. "writer"
-	// and it's value is a list of principals.
-	Relations map[string][]string `json:"relations"`
-	// references are used to store the references of the object,
-	// e.g. "project" and it's value is the project UID.
-	// e.g. "parent" and it's value is the parent UID.
-	References map[string]string `json:"references"`
 }
 
+// FGAMemberData is the data payload for member FGA operations (member_put and member_remove).
+type FGAMemberData struct {
+	UID                   string   `json:"uid"`
+	Username              string   `json:"username"`
+	Relations             []string `json:"relations"`
+	MutuallyExclusiveWith []string `json:"mutually_exclusive_with,omitempty"`
+}
+
+// FGAMemberPutData is a backward-compatible alias for FGAMemberData.
+type FGAMemberPutData = FGAMemberData
+
 // CommitteeMemberUpdateEventData represents the data structure for committee member update events
 type CommitteeMemberUpdateEventData struct {
 	MemberUID string           `json:"member_uid"`