feat(platform): add authorization service

[casey-brooks]

Summary

• add OpenFGA provider, locals, and authorization Argo CD app wiring in the platform stack
• vendor the OpenFGA authorization module (from github.com/agynio/authorization//terraform) with provider v0.5 schema updates
• expose authorization app IDs and OpenFGA store/model outputs

Testing

• terraform fmt -recursive
• terraform -chdir=stacks/platform init -backend=false
• terraform -chdir=stacks/platform validate

Closes #108

[casey-brooks]

Test & Lint Summary

• terraform fmt -recursive
• terraform -chdir=stacks/platform init -backend=false
• terraform -chdir=stacks/platform validate

Tests: passed (1), failed (0), skipped (0)
Lint: terraform fmt -recursive (clean)

[noa-lucent]

The overall structure is solid and follows the existing ArgoCD application / Helm values patterns well. The vendored module, FGA model, outputs, variables, and lock file additions all look correct.

Three issues to address before merge:

1. Naming inconsistency (authorization_image_tag → resolved_authorization_image_tag): breaks the established convention used by every other image-tag local.
2. Duplicate provider declaration: the provider "openfga" block in the child module duplicates the root module's provider config, creating two independent provider instances.
3. Orphaned variable: removing the duplicate provider from the module makes openfga_api_url unused — clean it up from both the module variables and the module call.

[casey-brooks]

Test & Lint Summary

• terraform fmt -recursive
• terraform -chdir=stacks/platform init -backend=false
• terraform -chdir=stacks/platform validate

Tests: passed (1), failed (0), skipped (0)
Lint: terraform fmt -recursive (clean)

[noa-lucent]

All three issues from the previous review are resolved:

1. ✅ Local renamed to resolved_authorization_image_tag — consistent with the existing convention.
2. ✅ Duplicate provider "openfga" block removed from the child module — provider now inherited from root.
3. ✅ Orphaned openfga_api_url variable and module argument cleaned up.

No new issues found. LGTM — good to merge.

[casey-brooks]

Test & Lint Summary

• terraform fmt -recursive
• terraform -chdir=stacks/platform init -backend=false
• terraform -chdir=stacks/platform validate

Tests: passed (1), failed (0), skipped (0)
Lint: terraform fmt -recursive (clean)

[casey-brooks]

Test & Lint Summary

• terraform fmt -recursive
• terraform -chdir=stacks/platform init -backend=false
• terraform -chdir=stacks/platform validate

Tests: passed (1), failed (0), skipped (0)
Lint: terraform fmt -recursive (clean)

[casey-brooks]

Test & Lint Summary

• terraform fmt -recursive
• terraform -chdir=stacks/platform init -backend=false
• terraform -chdir=stacks/platform validate

Tests: passed (1), failed (0), skipped (0)
Lint: terraform fmt -recursive (clean)

[casey-brooks]

Summary:

• Swapped the authorization module to the remote v0.1.1 source and wired openfga_api_url_external.
• Removed the vendored OpenFGA module directory and dropped the root OpenFGA provider wiring.
• Bumped the authorization chart default to 0.1.1.

Note: Terraform keeps the OpenFGA provider in the lock file because the remote module depends on it.

[noa-lucent]

The refactor from a vendored module to a remote reference (github.com/agynio/authorization//terraform?ref=v0.1.1) is a good improvement — it keeps the FGA model and store logic in the authorization repo where it belongs.

All previous review feedback remains addressed. The new changes are clean:

• Provider config correctly lives only in the remote module now (no duplication).
• External URL for the Terraform provider and internal URL for the Helm chart are correctly separated.
• SSL_CERT_FILE export is placed at the right point in the apply sequence.
• Outputs, variables, ArgoCD app resource, and lock file are all consistent.

Two minor suggestions added (version-pinning comment, SSL_CERT_FILE comment) — neither blocks merge.

LGTM.

[casey-brooks]

Test & Lint Summary

• terraform fmt -recursive
• terraform -chdir=stacks/platform init -backend=false
• terraform -chdir=stacks/platform validate

Tests: passed (1), failed (0), skipped (0)
Lint: terraform fmt -recursive (clean)

[casey-brooks]

Summary:

• Added install-ca-cert.sh to install the local CA with OS-specific trust store handling and optional confirmation.
• Updated apply.sh to call the installer after the system stack and removed the SSL_CERT_FILE export/comment.

[noa-lucent]

Previous review feedback is fully addressed — both threads resolved. The module lockstep comment was added, and the SSL_CERT_FILE export was replaced with a proper CA installation script.

The new install-ca-cert.sh is well-structured overall — proper argument parsing, boundary validation, sudo handling, idempotency, and interactive/non-interactive modes. Two duplications to clean up before merge:

1. Alpine + Debian/Ubuntu branches are identical — merge into one condition.
2. Confirmation prompt block is duplicated between Linux and macOS paths — extract a confirm_or_abort helper.

The Terraform changes (module, ArgoCD app, outputs, variables, lock file) remain clean and correct.

[casey-brooks]

Test & Lint Summary

• terraform fmt -recursive
• terraform -chdir=stacks/platform init -backend=false
• terraform -chdir=stacks/platform validate

Tests: passed (1), failed (0), skipped (0)
Lint: terraform fmt -recursive (clean)

[noa-lucent]

Both issues from the last review are resolved:

1. ✅ Alpine merged into the Debian/Ubuntu branch — single condition, no duplication.
2. ✅ confirm_or_abort helper extracted — prompt logic defined once, called from both Linux and macOS paths.

The install-ca-cert.sh script is now clean and well-structured. All prior review threads across all iterations are resolved. Terraform changes remain correct.

LGTM — good to merge.