refactor(events): inline agent collapse-to-404 check; drop one-off helper

[dm36]

Summary

Addresses @rpatel-scale's review comment on #257:

Shouldn't this already be implemented somewhere? How do we make this check for tasks?

check_agent_or_collapse_to_404 had exactly one caller (GET /events/{id}) and structurally duplicated:

• _check_api_key_or_collapse_to_404 — already on main from feat(AGX1-263): agent_api_keys route migration to FGAC (404 collapse + two-factor) #252
• check_task_or_collapse_to_404 — in flight in feat(tasks): per-RPC task permission rewire and 404/403 wrap #249

Rather than ship a third per-resource helper, inline the 4-line try/except in events.py and delete agent_authorization.py.

Wire behavior

Unchanged:

• One authorization.check(resource=AgentexResource.agent(event.agent_id), operation=read).
• On AuthorizationError, raise ItemDoesNotExist → FastAPI returns 404.
• Cross-tenant existence still hidden (403 vs 404 indistinguishable).

Follow-up

When #249 lands, all three of (task, api_key, events) will have the same try/except shape inline or in their own one-off helper. A small cleanup PR can then fold them into a single generic check_or_collapse_to_404(authorization, resource, operation) — with full context across all three callers in one place rather than piecemeal.

Diff

 agentex/src/api/routes/events.py         | 19 +++++++++++++++----
 agentex/src/utils/agent_authorization.py | 26 ----------------------------
 2 files changed, 12 insertions(+), 31 deletions(-)
 delete mode 100644 agentex/src/utils/agent_authorization.py

Test plan

• uv run pytest agentex/tests/integration/api/events/test_events_authz_api.py — the existing 5 cases assert wire behavior (resource type, operation, 200/404 status), so they should pass unchanged.

Greptile Summary

This refactor inlines the single-caller check_agent_or_collapse_to_404 helper directly into GET /events/{id} and deletes agent_authorization.py, eliminating an unnecessary abstraction. The wire behavior is unchanged: one authorization.check call on the parent agent, with AuthorizationError collapsed to ItemDoesNotExist (→ 404) to prevent cross-tenant probing.

• events.py: Imports AgentexResource, AuthorizationError, and ItemDoesNotExist directly; the inlined try/except block is functionally identical to the helper. The error message now uses event_id rather than agent_id, which is a subtle correctness improvement — callers look up events by event_id, so the 404 message should reference that ID.
• agent_authorization.py: Deleted. The file's TODO about restoring 403/404 semantics once agents carry tenant scope is dropped without a tracking ticket.

Confidence Score: 5/5

Safe to merge — the change is a straightforward inline of a 4-line helper with no behavioral difference.

The inlined try/except block is structurally identical to the deleted helper. The only observable difference — using event_id instead of agent_id in the 404 message — is an improvement, not a regression. No auth logic has changed.

No files require special attention.

Important Files Changed

Filename	Overview
agentex/src/api/routes/events.py	Inlines the 4-line try/except from the deleted helper; wire behavior preserved. Error message now correctly uses event_id instead of agent_id (subtle improvement over the original helper).
agentex/src/utils/agent_authorization.py	Deleted — single-caller helper with no remaining usages. Contained a TODO about restoring 403/404 split once agents carry tenant scope, which is dropped without a ticket reference.

Sequence Diagram

sequenceDiagram
    participant Client
    participant EventsRoute as GET /events/{id}
    participant EventUseCase
    participant Authorization

    Client->>EventsRoute: "GET /events/{event_id}"
    EventsRoute->>EventUseCase: get(event_id)
    EventUseCase-->>EventsRoute: event_entity
    EventsRoute->>Authorization: "check(resource=agent(event_entity.agent_id), operation=read)"
    alt Authorized
        Authorization-->>EventsRoute: OK
        EventsRoute-->>Client: 200 Event
    else AuthorizationError (denied or wrong tenant)
        Authorization-->>EventsRoute: AuthorizationError
        EventsRoute-->>Client: 404 ItemDoesNotExist(event_id)
    end

Loading

Prompt To Fix All With AI

Fix the following 1 code review issue. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 1
agentex/src/utils/agent_authorization.py:18
**Dropped TODO has no ticket**

The deleted file contained `TODO: Restore the 403/404 split once agents carry tenant scope.` This deferred work item is now gone from the codebase without a Linear/Jira ticket to track it. If restoring proper 403 vs 404 semantics when agents gain full tenant scope is still planned, it should be captured in a ticket before this merges — otherwise there's no signal to revisit it.

_{Reviews (2): Last reviewed commit: "refactor(events): inline agent collapse-..." | Re-trigger Greptile}

Context used:

• Rule used - Create Linear tasks for TODO comments in code and ... (source)

Learned From
scaleapi/scaleapi#127117