refactor(reorg): extract notes/note_type/file_uploads/reports/risk_acceptance [9/10]

[valentijnscholten]

Stacked PRs

This is one of a stacked series that reorganizes dojo/ into self-contained dojo/{module}/ packages (matching the dojo/url/ reference). They are stacked — each PR is based on the previous one — so review and merge bottom-up in this order:

1. refactor(product_type): Extra ProductType models into dojo/product_type/ module [1/10] #14970 — product_type
2. refactor(test): Extract Test models into dojo/test/ module [2/10] #14971 — test
3. refactor(engagement): Extract Test models into dojo/test/ module [3/10] #14972 — engagement
4. refactor(product): Extract Product module into dojo/product/ [4/10] #14973 — product
5. refactor(finding): Reorganize finding into self-contained dojo/finding/ package [5/10] #14974 — finding (+ CWE & BurpRawRequestResponse fold-in)
6. refactor(reorg): extract user + system_settings modules [6/10] #14981 — peripheral: user + system_settings
7. refactor(reorg): extract endpoint + tool_type/tool_config/tool_product modules [7/10] #14982 — peripheral: endpoint + tool_type/tool_config/tool_product
8. refactor(reorg): extract survey + benchmark modules [8/10] #14983 — peripheral: survey + benchmark
9. refactor(reorg): extract notes/note_type/file_uploads/reports/risk_acceptance [9/10] #14986 — peripheral: notes/note_type + file_uploads + reports + risk_acceptance ◀ this PR
10. refactor(reorg): extract regulations/banner/announcement/development_environment/object [10/10] #14987 — peripheral: regulations + banner + announcement + development_environment + object

Merge #14970 first; each following branch is rebased onto the updated base and merged in turn. This PR continues the stack on top of #14983 — full implementation brief is the Phase 10 section in AGENTS.md.

Summary

Reorganizes the note_type, notes, file_uploads, reports, and risk_acceptance domains into self-contained dojo/{module}/ packages with ui/ and api/ sub-packages, matching the dojo/url/ reference layout. Pure code-movement: no behaviour or migration changes; backward-compat re-exports keep external consumers working.

note_type / notes / file_uploads / reports

• Move Note_Type, NoteHistory, Notes, FileUpload, FileAccessToken, Report_Type into their modules' {models,admin}.py with string-ref FKs. UniqueUploadNameProvider deliberately STAYS in dojo/models.py (migrations hardcode dojo.models.UniqueUploadNameProvider as upload_to; moving it would change the serialized path) and is imported by dojo/file_uploads/models.py.
• Move the DRF serializers into each module's api/serializer.py. NoteSerializer/NoteHistorySerializer/FileSerializer/NoteTypeSerializer are re-exported from api_v2/serializers.py — they are lazy-imported by finding/test/engagement and discovered by the prefetcher. Within notes/api/serializer.py, UserStubSerializer and NoteTypeSerializer are imported directly from their modules (not via api_v2) to avoid a cycle.
• Move NoteTypeViewSet/NotesViewSet into api/views.py with add_*_urls; move forms into each module's ui/forms.py; move views.py/urls.py into ui/. The report-generation forms (ReportOptionsForm/CustomReportOptionsForm) move into reports/ui/forms.py.

risk_acceptance (dojo/risk_acceptance/)

• Move Risk_Acceptance into dojo/risk_acceptance/{models,admin}.py (string-ref FKs).
• Reconcile the existing dojo/risk_acceptance/api.py into a proper api/ package: api/serializer.py (RiskAcceptanceSerializer/RiskAcceptanceProofSerializer/RiskAcceptanceToNotesSerializer, with NoteSerializer imported from notes and EngagementSerializer lazy-imported), api/views.py (RiskAcceptanceViewSet), api/filters.py (ApiRiskAcceptanceFilter), api/urls.py (add_risk_acceptance_urls), and api/mixins.py (the AcceptedRisksMixin/AcceptedFindingsMixin/AcceptedRiskSerializer). api/__init__.py re-exports the mixins so finding/test/engagement keep consuming them as ra_api.* unchanged.
• The moved serializers are re-exported from api_v2/serializers.py for finding's schema-override lazy import and prefetcher discovery. Move the risk-acceptance forms into ui/forms.py (re-exported from dojo/forms.py for engagement's UI views).