From bd067ba801d8989146b475f0b65a9a630ad87f18 Mon Sep 17 00:00:00 2001
From: jester <admin@zerolaghub.com>
Date: Sun, 28 Dec 2025 22:28:12 +0000
Subject: [PATCH] Add Authentication Ownership section - Portal/APIv2
 responsibilities and explicit non-responsibilities

---
 UPSTREAMS.md | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/UPSTREAMS.md b/UPSTREAMS.md
index 7744c3c..6a9d0c2 100644
--- a/UPSTREAMS.md
+++ b/UPSTREAMS.md
@@ -1,4 +1,4 @@
-# Upstreams – zlh-grind
+# Upstreams — zlh-grind
 
 This repository tracks GPT execution work across upstream projects.
 
@@ -24,3 +24,22 @@ This repository tracks GPT execution work across upstream projects.
 - Repo: `https://git.zerolaghub.com/jester/zlh-agent`
 - Role: Agent runtime for provisioning/install/verify/start workflows
 - Notes: Tagged `v0.1.0-dev` as the first dev snapshot.
+
+---
+
+## Authentication Ownership
+
+### Portal
+- Owns identity UX (login, logout, session handling)
+- Stores JWT token
+- Attaches Authorization header to API calls
+
+### APIv2
+- Validates credentials
+- Issues JWT tokens
+- Verifies tokens for protected routes
+- Persists user records
+
+### Explicit Non-Responsibilities
+- API does not manage frontend sessions
+- Portal does not validate credentials directly