// Package permission is the permission subsystem: the consumer-implementable
// Handler for Allow/Deny/Ask decisions, the Checker that orchestrates it
// with rules / classifiers / denial tracking, and the AI-based
// SecurityClassifier for automatic classification of tool calls.
//
// Consumer integration surfaces fall into three shapes. For the full
// taxonomy see `docs/api-reference.md` section "API 消费形态 / API
// Consumption Patterns".
//
// Synchronous callback — form 3:
//   - Handler (func type): consumer-supplied callback for permission
//     decisions; injected via engine.Config.PermissionHandler
//   - SecurityClassifier.Classify: consumers can plug an alternate
//     classifier backend; engine or a Handler calls Classify synchronously
//
// Pull — form 2:
//   - DenialTracker.Stats() DenialStats: cumulative denial snapshot for
//     UI / audit / circuit-breaker decisions
//   - Classifier.Classify returns *ClassifyResult as a pull-side payload
//     (consumer reads Decision / Reason / Thinking / Stage / Usage /
//     DurationMs to drive UX)
package permission