refactor(agents): unify permissions into one vertical-slice package

Per-file verification of the slice-3 candidates showed receipts/ and date_filters.py are shared contracts (consumed by shared/state + shared middleware + subagents), so they correctly stay put. permissions was the real misfit: the rule *model* lived at shared/permissions.py while its enforcement lived at shared/middleware/permissions/. Unify them into a single self-contained subsystem: shared/permissions.py -> shared/permissions/model.py shared/middleware/permissions/{deny,ask,middleware} -> shared/permissions/{deny,ask,middleware} The package __init__ re-exports the model API + build_permission_mw, so the 32 external model consumers keep importing `from ...shared.permissions import Rule` unchanged; only the 8 internal files redirect to `.model` (cycle-safe, model loaded before middleware).
2026-06-08 20:25:19 +02:00 · 2026-06-05 13:29:48 +02:00 · 2026-06-05 13:29:48 +02:00 · 84b775c0ac
commit 84b775c0ac
parent f2a61bc0ef
27 changed files with 75 additions and 42 deletions
--- a/surfsense_backend/tests/unit/agents/multi_agent_chat/middleware/checkpointed_subagent_middleware/test_parallel_self_and_middleware_gated.py
+++ b/surfsense_backend/tests/unit/agents/multi_agent_chat/middleware/checkpointed_subagent_middleware/test_parallel_self_and_middleware_gated.py
@ -43,10 +43,10 @@ from app.agents.chat.multi_agent_chat.main_agent.middleware.checkpointed_subagen
 from app.agents.chat.multi_agent_chat.main_agent.middleware.checkpointed_subagent_middleware.task_tool import (
    build_task_tool_with_parent_config,
 )
-from app.agents.chat.multi_agent_chat.shared.middleware.permissions.ask.request import (
+from app.agents.chat.multi_agent_chat.shared.permissions import Rule
+from app.agents.chat.multi_agent_chat.shared.permissions.ask.request import (
    request_permission_decision,
 )
-from app.agents.chat.multi_agent_chat.shared.permissions import Rule
 from app.agents.chat.multi_agent_chat.subagents.shared.hitl.approvals.self_gated import (
    request_approval,
 )
--- a/surfsense_backend/tests/unit/agents/multi_agent_chat/middleware/shared/permissions/test_lc_hitl_wire.py
+++ b/surfsense_backend/tests/unit/agents/multi_agent_chat/middleware/shared/permissions/test_lc_hitl_wire.py
@ -16,10 +16,10 @@ from langgraph.graph import END, START, StateGraph
 from langgraph.types import Command
 from typing_extensions import TypedDict

-from app.agents.chat.multi_agent_chat.shared.middleware.permissions.ask.request import (
+from app.agents.chat.multi_agent_chat.shared.permissions import Rule
+from app.agents.chat.multi_agent_chat.shared.permissions.ask.request import (
    request_permission_decision,
 )
-from app.agents.chat.multi_agent_chat.shared.permissions import Rule


 class _State(TypedDict, total=False):
--- a/surfsense_backend/tests/unit/agents/multi_agent_chat/middleware/shared/permissions/test_permission_ask_mcp_context.py
+++ b/surfsense_backend/tests/unit/agents/multi_agent_chat/middleware/shared/permissions/test_permission_ask_mcp_context.py
@ -14,13 +14,14 @@ from pydantic import BaseModel
 from typing_extensions import TypedDict

 from app.agents.chat.multi_agent_chat.shared.feature_flags import AgentFeatureFlags
-from app.agents.chat.multi_agent_chat.shared.middleware.permissions import (
+from app.agents.chat.multi_agent_chat.shared.permissions import (
+    Rule,
+    Ruleset,
    build_permission_mw,
 )
-from app.agents.chat.multi_agent_chat.shared.middleware.permissions.ask.payload import (
+from app.agents.chat.multi_agent_chat.shared.permissions.ask.payload import (
    build_permission_ask_payload,
 )
-from app.agents.chat.multi_agent_chat.shared.permissions import Rule, Ruleset


 class _NoArgs(BaseModel):
--- a/surfsense_backend/tests/unit/agents/multi_agent_chat/middleware/shared/permissions/test_subagent_owned_ruleset.py
+++ b/surfsense_backend/tests/unit/agents/multi_agent_chat/middleware/shared/permissions/test_subagent_owned_ruleset.py
@ -24,10 +24,11 @@ from langgraph.types import Command
 from typing_extensions import TypedDict

 from app.agents.chat.multi_agent_chat.shared.feature_flags import AgentFeatureFlags
-from app.agents.chat.multi_agent_chat.shared.middleware.permissions import (
+from app.agents.chat.multi_agent_chat.shared.permissions import (
+    Rule,
+    Ruleset,
    build_permission_mw,
 )
-from app.agents.chat.multi_agent_chat.shared.permissions import Rule, Ruleset


 def _kb_style_ruleset() -> Ruleset:
--- a/surfsense_backend/tests/unit/agents/multi_agent_chat/middleware/shared/permissions/test_trusted_tool_save_on_always.py
+++ b/surfsense_backend/tests/unit/agents/multi_agent_chat/middleware/shared/permissions/test_trusted_tool_save_on_always.py
@ -15,10 +15,11 @@ from pydantic import BaseModel
 from typing_extensions import TypedDict

 from app.agents.chat.multi_agent_chat.shared.feature_flags import AgentFeatureFlags
-from app.agents.chat.multi_agent_chat.shared.middleware.permissions import (
+from app.agents.chat.multi_agent_chat.shared.permissions import (
+    Rule,
+    Ruleset,
    build_permission_mw,
 )
-from app.agents.chat.multi_agent_chat.shared.permissions import Rule, Ruleset


 class _NoArgs(BaseModel):
--- a/surfsense_backend/tests/unit/agents/multi_agent_chat/subagents/shared/test_subagent_builder.py
+++ b/surfsense_backend/tests/unit/agents/multi_agent_chat/subagents/shared/test_subagent_builder.py
@ -20,10 +20,10 @@ from langchain_core.messages import AIMessage, BaseMessage, HumanMessage
 from langchain_core.outputs import ChatGeneration, ChatResult

 from app.agents.chat.multi_agent_chat.shared.feature_flags import AgentFeatureFlags
-from app.agents.chat.multi_agent_chat.shared.middleware.permissions.middleware.core import (
+from app.agents.chat.multi_agent_chat.shared.permissions import Rule, Ruleset, evaluate
+from app.agents.chat.multi_agent_chat.shared.permissions.middleware.core import (
    PermissionMiddleware,
 )
-from app.agents.chat.multi_agent_chat.shared.permissions import Rule, Ruleset, evaluate
 from app.agents.chat.multi_agent_chat.subagents.shared.subagent_builder import (
    pack_subagent,
 )