refactor: consolidate authentication and authorization services in documentation

hotlong · hotlong · commit c58400a389fa · 2026-02-09T22:36:22.000+08:00
diff --git a/content/docs/concepts/implementation-status.mdx b/content/docs/concepts/implementation-status.mdx
@@ -250,31 +250,28 @@ This matrix is generated from actual codebase analysis and represents the curren
 **Plugin-Provided Service** — The kernel does NOT handle authentication or authorization. Security services must be provided by plugins (e.g., `@objectstack/plugin-auth`). The Discovery API reports auth as `unavailable` until a plugin is registered.
 </Callout>
 
-### Authentication
-
-| Protocol | @objectstack/spec | Kernel | Plugin Required | Status |
-|:---------|:-----------------:|:------:|:---------------:|:------:|
-| **Identity** | ✅ | ❌ | ✅ | 📋 Plugin |
-| **Auth Config** | ✅ | ❌ | ✅ | 📋 Plugin |
-| **Role** | ✅ | ❌ | ✅ | 📋 Plugin |
-| **Organization** | ✅ | ❌ | ✅ | 📋 Plugin |
-| **Policy** | ✅ | ❌ | ✅ | 📋 Plugin |
-| **SCIM** | ✅ | ❌ | ✅ | 📋 Plugin |
-
-### Authorization
-
-| Protocol | @objectstack/spec | Kernel | Plugin Required | Status |
-|:---------|:-----------------:|:------:|:---------------:|:------:|
-| **Permission** | ✅ | ❌ | ✅ | 📋 Plugin |
-| **Sharing** | ✅ | ❌ | ✅ | 📋 Plugin |
-| **RLS** | ✅ | ❌ | ✅ | 📋 Plugin |
-| **Territory** | ✅ | ❌ | ✅ | 📋 Plugin |
+### Auth Service (`plugin-auth`)
+
+The `auth` service in `CoreServiceName` covers both **authentication** (identity) and **authorization** (permissions). There is no separate `permission` service — it is part of `auth`.
+
+| Protocol | Area | @objectstack/spec | Kernel | Plugin Required | Status |
+|:---------|:-----|:-----------------:|:------:|:---------------:|:------:|
+| **Identity** | Authentication | ✅ | ❌ | ✅ | 📋 Plugin |
+| **Auth Config** | Authentication | ✅ | ❌ | ✅ | 📋 Plugin |
+| **Role** | Authentication | ✅ | ❌ | ✅ | 📋 Plugin |
+| **Organization** | Authentication | ✅ | ❌ | ✅ | 📋 Plugin |
+| **Policy** | Authentication | ✅ | ❌ | ✅ | 📋 Plugin |
+| **SCIM** | Authentication | ✅ | ❌ | ✅ | 📋 Plugin |
+| **Permission** | Authorization | ✅ | ❌ | ✅ | 📋 Plugin |
+| **Sharing** | Authorization | ✅ | ❌ | ✅ | 📋 Plugin |
+| **RLS** | Authorization | ✅ | ❌ | ✅ | 📋 Plugin |
+| **Territory** | Authorization | ✅ | ❌ | ✅ | 📋 Plugin |
 
 **Notes:**
-- Complete security protocols defined in spec — ready for plugin implementation
-- Client SDK supports bearer token header — but token validation requires an auth plugin
-- Auth route (`/auth/*`) only appears in Discovery when an auth plugin is registered
-- Fine-grained authorization (RLS, sharing, territory) requires dedicated plugins
+- All security protocols (identity + permission) are delivered by a single `auth` plugin — matching `CoreServiceName`
+- Client SDK supports bearer token header — but token validation requires the auth plugin
+- Auth route (`/auth/*`) only appears in Discovery when the auth plugin is registered
+- Fine-grained authorization (RLS, sharing, territory) is internal to the auth plugin
 
 ---
 
@@ -412,19 +409,18 @@ This matrix is generated from actual codebase analysis and represents the curren
 | **UI** | 10 | 0 | 0 | 10 |
 | **API** | 14 | 11 | 1 | 2 |
 | **System** | 39 | 8 | 1 | 30 |
-| **Auth** (plugin) | 6 | 0 | 0 | 6 |
-| **Permission** (plugin) | 4 | 0 | 0 | 4 |
+| **Auth** (plugin) | 10 | 0 | 0 | 10 |
 | **Automation** (plugin) | 7 | 1 | 0 | 6 |
 | **AI** | 12 | 0 | 0 | 12 |
 | **Integration** | 7 | 0 | 0 | 7 |
 | **QA** | 1 | 1 | 0 | 0 |
-| **TOTAL** | **116** | **28** | **5** | **83** |
+| **TOTAL** | **112** | **28** | **5** | **79** |
 
 ### Implementation Coverage
 
-- **Fully Implemented**: 24.1% (28/116)
-- **Partially Implemented**: 4.3% (5/116)
-- **Not Implemented**: 71.6% (83/116)
+- **Fully Implemented**: 25.0% (28/112)
+- **Partially Implemented**: 4.5% (5/112)
+- **Not Implemented**: 70.5% (79/112)
 
 ### Core Functionality Status
 
diff --git a/content/docs/guides/kernel-services.mdx b/content/docs/guides/kernel-services.mdx
@@ -196,14 +196,20 @@ The discovery endpoint returns a `services` map so clients know what is availabl
 
 ### Plugin Requirements
 
-| Module | Description | Priority |
-|:-------|:------------|:--------:|
-| **Identity Provider** | JWT issuance/verification, session management | P0 |
-| **User CRUD** | Create / read / update / delete users | P0 |
-| **Role Management** | Role definitions, role-user associations | P0 |
-| **OAuth2 / OIDC** | Third-party login (Google, GitHub, etc.) | P1 |
-| **Multi-tenancy** | Space / Tenant isolation | P1 |
-| **SCIM** | Enterprise user provisioning protocol | P2 |
+The `auth` service covers both **authentication** (identity) and **authorization** (permissions). There is no separate `permission` service in `CoreServiceName`.
+
+| Module | Area | Description | Priority |
+|:-------|:-----|:------------|:--------:|
+| **Identity Provider** | Authentication | JWT issuance/verification, session management | P0 |
+| **User CRUD** | Authentication | Create / read / update / delete users | P0 |
+| **Role Management** | Authentication | Role definitions, role-user associations | P0 |
+| **Permission Engine** | Authorization | Object-level and field-level permissions | P0 |
+| **OAuth2 / OIDC** | Authentication | Third-party login (Google, GitHub, etc.) | P1 |
+| **Sharing Rules** | Authorization | Record-level sharing and visibility | P1 |
+| **Row-Level Security** | Authorization | Automatic query filtering by user context | P1 |
+| **Multi-tenancy** | Authentication | Space / Tenant isolation | P1 |
+| **Territory Management** | Authorization | Data territory assignment and access | P2 |
+| **SCIM** | Authentication | Enterprise user provisioning protocol | P2 |
 
 ### Spec Files: `identity.zod.ts`, `role.zod.ts`, `organization.zod.ts`, `auth-config.zod.ts`, `tenant.zod.ts`
 
