refactor: decompose rule decoders, and refactor permission decoding

[jeffsmale90]

Explanation

Refactor of permission decoding logic in order to:

• clarify terminology (decoders rather than rules - rule is a highly overloaded term)
• make rule (as in 7155 rules) more composable, rather than inherently part of the decoding process
• prepare the permission decoders for potential decomposition into a separate package
  no functional change, therefore no changelog required

References

Checklist

• I've updated the test suite for new or updated code as appropriate
• I've updated documentation (JSDoc, Markdown, etc.) for new or updated code as appropriate
• I've communicated my changes to consumers by updating changelogs for packages I've changed
• I've introduced breaking changes in this PR and have prepared draft pull requests for clients and consumer packages to resolve them

---

Note

Medium Risk
Refactors core permission-type identification/decoding logic to a new decoder architecture; while intended to be behavior-preserving, mistakes could change how caveats are matched/validated or which rules/expiry values are surfaced to consumers.

Overview
Refactors permission decoding to use PermissionDecoders (and composable per-rule RuleDecoders) instead of monolithic PermissionRules, updating GatorPermissionsController and the decodePermission selection flow accordingly.

Adds new composable rule decoders for expiry, redeemer, and payee (native and ERC-20), introduces a new expiry rule type constant, and rewires all native/ERC-20 permission decoders to assemble these rule decoders while preserving existing validation of caveat terms.

Removes the legacy rules/ implementation (makePermissionRule, createPermissionRulesForContracts) and updates/extends tests to cover the new decoder and rule-decoder behavior (including stricter payee caveat error cases and ensuring ERC20 revocation now returns an explicit expiry rule in rules).

^{Reviewed by Cursor Bugbot for commit 240c8cd. Bugbot is set up for automated code reviews on this repo. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit f94844b. Configure here.}

[cursor]

Expiry now added to rules array, changing API output

Medium Severity

The expiryRule decoder now appends { type: 'expiry', data: { timestamp } } to the rules array of the decoded permission output. Previously, expiry was extracted internally and never surfaced in rules. This changes the shape of DecodedPermission returned to consumers — permissions with a TimestampEnforcer caveat now have a non-empty rules array where they previously had undefined. The PR description states "no functional change" and omits a changelog, but this is an observable API-level change that could affect downstream consumers checking rules.

Additional Locations (1)

• packages/gator-permissions-controller/src/decodePermission/decoders/erc20TokenRevocation.test.ts#L224-L230

 

^{Reviewed by Cursor Bugbot for commit f94844b. Configure here.}