hellas-ai · georgewhewell · Sep 11, 2025
diff --git a/crates/core/src/access/mod.rs b/crates/core/src/access/mod.rs
@@ -6,5 +6,5 @@ pub use identity::{
     Authentication, AuthenticationError, IdentityContext, ObjectId, ObjectIdentity, ObjectKind,
     SubjectIdentity, TargetNamespace,
 };
-pub use permissions::{Action, PermissionDenied, PermissionManager, PermissionResult, Permissions};
+pub use permissions::{Action, PermissionDenied, PermissionResult, Permissions};
 pub use policies::{PolicyDecision, PolicyLimit};
diff --git a/crates/core/src/access/permissions.rs b/crates/core/src/access/permissions.rs
@@ -44,20 +44,27 @@ pub enum PermissionDenied {
 
 pub type PermissionResult = Result<(), PermissionDenied>;
 
-/// Checks if a subject can perform an action on an object
+/// Unified permissions interface (check + grant/revoke/store)
 #[async_trait]
 pub trait Permissions<C: IdentityContext>: Send + Sync {
+    /// Check if a subject may perform an action on an object
     async fn check(
         &self,
         subject: &SubjectIdentity<C>,
         action: Action,
         object: &ObjectIdentity,
     ) -> PermissionResult;
-}
 
-/// Manages permission grants and revocations
-#[async_trait]
-pub trait PermissionManager<C: IdentityContext>: Permissions<C> {
+    /// Convenience wrapper around `check`
+    async fn require(
+        &self,
+        subject: &SubjectIdentity<C>,
+        action: Action,
+        object: &ObjectIdentity,
+    ) -> PermissionResult {
+        self.check(subject, action, object).await
+    }
+
     /// Grant a permission to a subject
     async fn grant(
         &self,

diff --git a/crates/daemon/src/helpers/admin.rs b/crates/daemon/src/helpers/admin.rs
diff --git a/crates/daemon/src/helpers/mod.rs b/crates/daemon/src/helpers/mod.rs
@@ -1,5 +1,4 @@
 //! Helper modules to reduce code complexity and duplication
 
-pub mod admin;
 pub mod errors;
 pub mod services;
diff --git a/crates/daemon/src/permissions.rs b/crates/daemon/src/permissions.rs
@@ -1,8 +1,8 @@
 use async_trait::async_trait;
 use gate_core::StateBackend;
 use gate_core::access::{
-    Action, IdentityContext, ObjectIdentity, PermissionDenied, PermissionManager, PermissionResult,
-    Permissions, SubjectIdentity,
+    Action, IdentityContext, ObjectIdentity, PermissionDenied, PermissionResult, Permissions,
+    SubjectIdentity,
 };
 use gate_http::services::identity::HttpIdentity;
 use serde::{Deserialize, Serialize};
@@ -110,10 +110,7 @@ impl Permissions<LocalContext> for LocalPermissionManager {
             Err(e) => Err(PermissionDenied::Custom(format!("Database error: {e}"))),
         }
     }
-}
 
-#[async_trait]
-impl PermissionManager<LocalContext> for LocalPermissionManager {
     async fn grant(
         &self,
         granter: &SubjectIdentity<LocalContext>,