angee.mcp.middleware
Per-call MCP middleware: bracket each tool body in the authenticated REBAC actor.
The MCP analog of rebac's ActorMiddleware. The transport authenticates the bearer (:class:~angee.mcp.verifier.RebacTokenVerifier) and FastMCP stashes the resolved actor on the request; this reads it back off :func:~fastmcp.server.dependencies.get_access_token and enters rebac.actor_context for the duration of the tool call. Tool bodies — and any GraphQL execution they drive — then scope to that actor through rebac's ambient :func:rebac.current_actor; no per-tool actor plumbing. A call that resolved to no actor runs actor-less, and rebac denies it (fail-closed).
ActorMiddleware
class ActorMiddleware(Middleware)Enter the authenticated REBAC actor's context around every tool call.
on_call_tool
async def on_call_tool(context: MiddlewareContext, call_next)Run the tool body under actor_context so its querysets scope to the actor.