The foundational authentication kernel.
Auth is not Identity. Auth is the kernel: an IAuthConnector chain at the top of the request pipeline, an ActorContext as the canonical runtime identity, an AuthRuntimeCompiler producing a per-project AuthPolicySnapshot, and a scope-chain merge that walks from the target scope up through its ancestors to the tenant. Identity providers (OIDC, SAML, passkeys, refresh-token families, MFA) build on top of it; they are not the foundation.
Connectors. ActorContext. Policy compilation.
IAuthConnector chain
Self-selecting connectors registered as DI services and tried in order. ApiKeyAuthConnector validates platform credentials against PBKDF2-derived hashes; IdentityBearerAuthConnector validates session tokens; IdentitySessionAuthConnector validates browser cookies. Each returns null when the request is not a shape it handles, so the next connector is tried, and an ActorContext on success.
AuthConnectorPrefillMiddleware
Top-of-pipeline canonical authentication boundary. It runs before any downstream middleware, so every endpoint shape sees a fully populated HttpContext.User and HttpContext.Items[ActorContextKey]: controllers, GraphQL, gRPC, Minimal API, all alike.
ActorContext
The canonical runtime identity: SubjectId, SubjectType, TenantId, Roles, Claims, ContextSets, AuthStrength, ConnectorType, AuthTime. Carried on IRequestScope. The single source of truth for auth-aware predicates.
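An added example, not the platform's own code, of the connector chain, the prefill middleware and the ActorContext described above, in C# against ASP.NET Core. The IAuthConnector signature, the ActorContext field subset, the StoredApiKey record, the X-Api-Key header layout and the lookup delegate are all assumptions. One design choice the page does not state is also the example's own: a credential that is present but invalid is treated as a hard 401 rather than being allowed to fall through to the next connector, so a bad API key can never be downgraded to an anonymous request.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;

// Assumed shape of the canonical runtime identity (a subset of the fields listed on the page).
public sealed record ActorContext(
    string SubjectId, string SubjectType, string TenantId, IReadOnlyList<string> Roles,
    int AuthStrength, string ConnectorType, DateTimeOffset AuthTime);

public interface IAuthConnector
{
    // null: this request is not a shape I handle; the chain tries the next connector.
    // Throws UnauthorizedAccessException: the credential is mine but invalid (fail closed).
    Task<ActorContext?> AuthenticateAsync(HttpContext context);
}

// Assumed credential record: the PBKDF2 parameters live next to the derived key so they can be rotated.
public sealed record StoredApiKey(string SubjectId, string TenantId, string[] Roles,
                                  byte[] Salt, int Iterations, byte[] DerivedKey);

public sealed class ApiKeyAuthConnector : IAuthConnector
{
    private readonly Func<string, StoredApiKey?> _lookupByKeyId;   // assumed store access, keyId -> record
    public ApiKeyAuthConnector(Func<string, StoredApiKey?> lookupByKeyId) => _lookupByKeyId = lookupByKeyId;

    public Task<ActorContext?> AuthenticateAsync(HttpContext context)
    {
        // Header layout assumed: X-Api-Key: <keyId>.<secret>
        if (!context.Request.Headers.TryGetValue("X-Api-Key", out var header))
            return Task.FromResult<ActorContext?>(null);             // not our shape: fall through

        var parts = header.ToString().Split('.', 2);
        var stored = parts.Length == 2 ? _lookupByKeyId(parts[0]) : null;
        if (stored is null || !Verify(parts[1], stored))
            throw new UnauthorizedAccessException("invalid API key"); // present but wrong: never fall through

        var actor = new ActorContext(stored.SubjectId, "ApiKey", stored.TenantId, stored.Roles,
                                     1, nameof(ApiKeyAuthConnector), DateTimeOffset.UtcNow);
        return Task.FromResult<ActorContext?>(actor);
    }

    private static bool Verify(string secret, StoredApiKey stored)
    {
        // Re-derive with the stored parameters and compare in constant time.
        var derived = Rfc2898DeriveBytes.Pbkdf2(Encoding.UTF8.GetBytes(secret), stored.Salt,
                                                stored.Iterations, HashAlgorithmName.SHA256,
                                                stored.DerivedKey.Length);
        return CryptographicOperations.FixedTimeEquals(derived, stored.DerivedKey);
    }
}

public sealed class AuthConnectorPrefillMiddleware
{
    public const string ActorContextKey = "ActorContext";
    private readonly RequestDelegate _next;
    private readonly IAuthConnector[] _connectors;   // every DI-registered connector, in registration order

    public AuthConnectorPrefillMiddleware(RequestDelegate next, IEnumerable<IAuthConnector> connectors)
    {
        _next = next;
        _connectors = connectors.ToArray();
    }

    public async Task InvokeAsync(HttpContext context)
    {
        ActorContext? actor = null;
        try
        {
            foreach (var connector in _connectors)
            {
                actor = await connector.AuthenticateAsync(context);
                if (actor is not null) break;                        // first connector that claims the request wins
            }
        }
        catch (UnauthorizedAccessException)
        {
            context.Response.StatusCode = StatusCodes.Status401Unauthorized;
            return;                                                  // nothing downstream runs
        }

        // No connector claimed the request: populate an anonymous actor at AuthStrength 0 rather than
        // leaving the slot empty, so every endpoint shape still sees a fully populated context and
        // the policy's MinimumAuthStrength is what rejects it.
        actor ??= new ActorContext("anonymous", "Anonymous", "", Array.Empty<string>(),
                                   0, "None", DateTimeOffset.UtcNow);

        // A null authenticationType keeps IsAuthenticated false for the anonymous case.
        var identity = new ClaimsIdentity(actor.AuthStrength > 0 ? actor.ConnectorType : null);
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, actor.SubjectId));
        foreach (var role in actor.Roles) identity.AddClaim(new Claim(ClaimTypes.Role, role));

        context.User = new ClaimsPrincipal(identity);
        context.Items[ActorContextKey] = actor;
        await _next(context);
    }
}
```

Wire it with app.UseMiddleware<AuthConnectorPrefillMiddleware>() as the first call on the pipeline and register each connector as an IAuthConnector service; ASP.NET Core resolves IEnumerable<IAuthConnector> to all of them. Anything registered before the middleware runs without an ActorContext, which is exactly the second auth path the kernel is meant to rule out.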
AuthRuntimeCompiler
Singleton service. Compiles persisted AuthPolicyBinding rows into an AuthRuntimeDescriptor per project. The scope chain walks the rooted hierarchy: target → ancestors → seeded root → tenant. Numeric settings merge by min/max, so the strictest scope in the chain wins wherever it sits.
AuthPolicySnapshot
Compiled effective policy. Carries MinimumAuthStrength, which the middleware enforces on every request. Tightening a parent policy tightens every descendant automatically; no per-project edit is needed.
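An added example, not the platform's own code, of the scope-chain walk and min/max merge behind AuthRuntimeCompiler and AuthPolicySnapshot. The AuthPolicyBinding row shape, the parent map and the MaxSessionAgeSeconds field (included only to show the min side of the merge) are assumptions. It compiles a leaf scope, then adds a stricter binding on the seeded root and compiles again: the leaf row is untouched, yet its effective floor rises from 1 to 3, which is the "tightening a parent tightens the descendants" property in code.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Assumed persisted row: one binding per scope; null means "this scope does not set the value".
public sealed record AuthPolicyBinding(string ScopeId, int? MinimumAuthStrength, int? MaxSessionAgeSeconds);

// Compiled effective policy for one scope.
public sealed record AuthPolicySnapshot(string ScopeId, int MinimumAuthStrength, int MaxSessionAgeSeconds);

public sealed class AuthRuntimeCompiler
{
    private readonly IReadOnlyDictionary<string, AuthPolicyBinding> _bindings;
    private readonly IReadOnlyDictionary<string, string?> _parent;   // scope -> parent scope; null at the tenant

    public AuthRuntimeCompiler(IEnumerable<AuthPolicyBinding> bindings, IReadOnlyDictionary<string, string?> parent)
    {
        _bindings = bindings.ToDictionary(b => b.ScopeId);
        _parent = parent;
    }

    // Walk target -> ancestors -> seeded root -> tenant, yielding the bindings found on the way.
    public IEnumerable<AuthPolicyBinding> ScopeChain(string target)
    {
        for (string? scope = target; scope is not null; scope = _parent.GetValueOrDefault(scope))
            if (_bindings.TryGetValue(scope, out var binding)) yield return binding;
    }

    public AuthPolicySnapshot Compile(string target)
    {
        int minStrength = 0;          // default floor: no requirement
        int maxAge = int.MaxValue;    // default ceiling: no session cap
        foreach (var b in ScopeChain(target))
        {
            // Numeric merge: a floor takes the max, a ceiling takes the min. Either way the strictest
            // scope wins, so order in the chain does not matter and a descendant can never loosen a parent.
            if (b.MinimumAuthStrength is int s) minStrength = Math.Max(minStrength, s);
            if (b.MaxSessionAgeSeconds is int a) maxAge = Math.Min(maxAge, a);
        }
        return new AuthPolicySnapshot(target, minStrength, maxAge);
    }
}

// What the middleware does with the snapshot on each request.
public static class AuthPolicyEnforcer
{
    public static bool Admit(AuthPolicySnapshot policy, int actorAuthStrength,
                             DateTimeOffset authTime, DateTimeOffset now)
        => actorAuthStrength >= policy.MinimumAuthStrength
        && (now - authTime).TotalSeconds <= policy.MaxSessionAgeSeconds;
}

public static class Demo
{
    public static AuthPolicySnapshot Run()
    {
        // Constructed hierarchy: tenant -> root (seeded) -> projA -> projA/sub
        var parent = new Dictionary<string, string?>
        {
            ["tenant"] = null, ["root"] = "tenant", ["projA"] = "root", ["projA/sub"] = "projA",
        };
        var bindings = new List<AuthPolicyBinding>
        {
            new("tenant", 1, null),        // tenant floor: any authenticated caller
            new("projA", null, 3600),      // projA caps session age at one hour
            new("projA/sub", 1, null),     // the leaf itself only asks for strength 1
        };

        var before = new AuthRuntimeCompiler(bindings, parent).Compile("projA/sub");
        Console.WriteLine(before);         // effective floor 1, session cap 3600 inherited from projA

        // Tighten only the seeded root. Each compiler instance snapshots the rows it is given, so a
        // fresh compile is what picks up the change, and the leaf's floor becomes 3 without any edit to its row.
        bindings.Add(new("root", 3, null));
        var after = new AuthRuntimeCompiler(bindings, parent).Compile("projA/sub");
        Console.WriteLine(after);

        // A caller at strength 2 who authenticated five minutes ago is now refused at the leaf.
        var now = DateTimeOffset.UtcNow;
        Console.WriteLine(AuthPolicyEnforcer.Admit(after, 2, now.AddMinutes(-5), now));
        return after;
    }
}
```

Because the compiler is a singleton over persisted rows, the only way to loosen a child is to edit the ancestor that set the floor; the merge has no "override" escape hatch, and that is deliberate.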
Auth-aware AST predicates
HasRole, HasClaim, InContextSet, ContextValue, AuthStrengthAtLeast, AuthenticatedVia, SubjectTypeIs, SessionAgeLt are first-class BoolExpr nodes. SecurityPredicateResolver resolves them against the ActorContext before a query reaches a document provider, so every provider gets the same semantics without reimplementing them.
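An added example, not the platform's own code, of auth-aware BoolExpr nodes and a resolver that replaces them upstream of the document provider. The node records, the FieldEquals leaf, the folding rules, the ActorContext field subset and the toy provider are assumptions; ContextValue is left out because the page does not describe its shape. The point it shows is that after resolution the provider receives an expression containing only field comparisons and connectives, and it throws if any auth-aware node ever reaches it, so no provider can quietly implement "role" differently.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Assumed subset of the canonical runtime identity.
public sealed record ActorContext(string SubjectId, string SubjectType, IReadOnlyList<string> Roles,
    IReadOnlyDictionary<string, string> Claims, IReadOnlySet<string> ContextSets, int AuthStrength,
    string ConnectorType, DateTimeOffset AuthTime);

// The predicate AST. Auth-aware nodes sit alongside the ordinary connectives and the one
// document-level comparison the provider understands.
public abstract record BoolExpr;
public sealed record And(BoolExpr Left, BoolExpr Right) : BoolExpr;
public sealed record Or(BoolExpr Left, BoolExpr Right) : BoolExpr;
public sealed record Not(BoolExpr Inner) : BoolExpr;
public sealed record Const(bool Value) : BoolExpr;
public sealed record FieldEquals(string Field, string Value) : BoolExpr;   // resolved by the provider
public sealed record HasRole(string Role) : BoolExpr;
public sealed record HasClaim(string Type, string Value) : BoolExpr;
public sealed record InContextSet(string Set) : BoolExpr;
public sealed record AuthStrengthAtLeast(int Level) : BoolExpr;
public sealed record AuthenticatedVia(string ConnectorType) : BoolExpr;
public sealed record SubjectTypeIs(string SubjectType) : BoolExpr;
public sealed record SessionAgeLt(TimeSpan MaxAge) : BoolExpr;

public sealed class SecurityPredicateResolver
{
    private readonly ActorContext _actor;
    private readonly DateTimeOffset _now;
    public SecurityPredicateResolver(ActorContext actor, DateTimeOffset now) { _actor = actor; _now = now; }

    // Rewrite every auth-aware node into a Const against the actor, then fold the connectives, so the
    // expression handed downstream contains only FieldEquals / And / Or / Not / Const.
    public BoolExpr Resolve(BoolExpr e) => e switch
    {
        HasRole r             => new Const(_actor.Roles.Contains(r.Role)),
        HasClaim c            => new Const(_actor.Claims.TryGetValue(c.Type, out var v) && v == c.Value),
        InContextSet s        => new Const(_actor.ContextSets.Contains(s.Set)),
        AuthStrengthAtLeast a => new Const(_actor.AuthStrength >= a.Level),
        AuthenticatedVia via  => new Const(_actor.ConnectorType == via.ConnectorType),
        SubjectTypeIs t       => new Const(_actor.SubjectType == t.SubjectType),
        SessionAgeLt age      => new Const(_now - _actor.AuthTime < age.MaxAge),
        And(var l, var r)     => Fold(new And(Resolve(l), Resolve(r))),
        Or(var l, var r)      => Fold(new Or(Resolve(l), Resolve(r))),
        Not(var inner)        => Fold(new Not(Resolve(inner))),
        _                     => e,   // Const and FieldEquals pass through untouched
    };

    // Constant folding so a decided auth node disappears instead of travelling to the provider.
    private static BoolExpr Fold(BoolExpr e) => e switch
    {
        And(Const(false), _) or And(_, Const(false)) => new Const(false),
        And(Const(true), var x) => x,
        And(var x, Const(true)) => x,
        Or(Const(true), _) or Or(_, Const(true)) => new Const(true),
        Or(Const(false), var x) => x,
        Or(var x, Const(false)) => x,
        Not(Const(var b)) => new Const(!b),
        _ => e,
    };
}

public static class DocumentProvider
{
    // A provider that knows field comparisons and connectives only; it has no notion of the actor.
    public static bool Matches(IReadOnlyDictionary<string, string> doc, BoolExpr e) => e switch
    {
        Const c           => c.Value,
        FieldEquals f     => doc.TryGetValue(f.Field, out var v) && v == f.Value,
        And(var l, var r) => Matches(doc, l) && Matches(doc, r),
        Or(var l, var r)  => Matches(doc, l) || Matches(doc, r),
        Not(var inner)    => !Matches(doc, inner),
        _ => throw new InvalidOperationException($"unresolved auth predicate reached the provider: {e}"),
    };
}

public static class Demo
{
    public static bool Run()
    {
        var now = DateTimeOffset.UtcNow;
        // Constructed actor: an editor authenticated ten minutes ago at strength 2.
        var actor = new ActorContext("u-42", "User", new[] { "editor" },
            new Dictionary<string, string> { ["dept"] = "docs" }, new HashSet<string> { "beta" },
            2, "IdentityBearerAuthConnector", now.AddMinutes(-10));

        // Policy: editors may read published documents; anyone at strength 3 may read everything.
        BoolExpr policy = new Or(
            new And(new HasRole("editor"), new FieldEquals("status", "published")),
            new AuthStrengthAtLeast(3));

        // For this actor the residue is just FieldEquals("status", "published"): HasRole folded to true
        // and AuthStrengthAtLeast(3) folded to false before the provider ever saw them.
        var resolved = new SecurityPredicateResolver(actor, now).Resolve(policy);
        var doc = new Dictionary<string, string> { ["status"] = "published" };
        return DocumentProvider.Matches(doc, resolved);
    }
}
```

Resolving once per request against the ActorContext is also what makes the predicates cheap: every provider query for the same caller sees the same already-folded expression rather than re-checking roles and claims on each document.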
Auth handles "is this caller authenticated?". Identity handles "who and how."
The Auth kernel runs every request. It produces an ActorContext. It enforces minimum auth strength. It populates IRequestScope. The Identity subsystem provides the providers (OIDC / SAML / OAuth2 / Passkey / Password / JWT / Custom / ServiceAccount / Anonymous), the entities (sessions, refresh tokens, challenges), the flows (federation, JIT provisioning, MFA). Two distinct modules. One canonical runtime identity.
Before every downstream middleware
Project → ancestors → tenant
Resolved before render
EnsureInitialized at every site
The kernel holds the line.
One canonical authentication boundary. One runtime identity object. One compiled policy per project. No second auth model, no privileged dashboard path.