docs: design oidc jwt claims

server-rs/crates/module-auth/README.md

@@ -31,6 +31,7 @@
 5. [../../../docs/technical/SPACETIMEDB_AUTH_RISK_BLOCK_TABLE_DESIGN_2026-04-21.md](../../../docs/technical/SPACETIMEDB_AUTH_RISK_BLOCK_TABLE_DESIGN_2026-04-21.md)
 6. [../../../docs/technical/SPACETIMEDB_SMS_AUTH_EVENT_TABLE_DESIGN_2026-04-21.md](../../../docs/technical/SPACETIMEDB_SMS_AUTH_EVENT_TABLE_DESIGN_2026-04-21.md)
 7. [../../../docs/technical/SPACETIMEDB_WECHAT_AUTH_STATE_TABLE_DESIGN_2026-04-21.md](../../../docs/technical/SPACETIMEDB_WECHAT_AUTH_STATE_TABLE_DESIGN_2026-04-21.md)
+8. [../../../docs/technical/OIDC_JWT_CLAIMS_DESIGN_2026-04-21.md](../../../docs/technical/OIDC_JWT_CLAIMS_DESIGN_2026-04-21.md)
 
 ## 3. 边界约束
 

server-rs/crates/platform-auth/README.md

@@ -23,6 +23,10 @@
 3. 落地短信发送、校验与风控适配
 4. 落地微信 OAuth start / callback 适配
 
+当前优先冻结依据：
+
+1. [../../../docs/technical/OIDC_JWT_CLAIMS_DESIGN_2026-04-21.md](../../../docs/technical/OIDC_JWT_CLAIMS_DESIGN_2026-04-21.md)
+
 ## 3. 边界约束
 
 1. `platform-auth` 只承接平台适配，不承接 `module-auth` 的业务规则和状态真相。

server-rs/crates/spacetime-module/README.md

@@ -23,6 +23,10 @@
 3. 接入身份 claims 透传
 4. 在实体 module scaffold 落地后接入 publish / dev 循环
 
+当前身份透传设计依据：
+
+1. [../../../docs/technical/OIDC_JWT_CLAIMS_DESIGN_2026-04-21.md](../../../docs/technical/OIDC_JWT_CLAIMS_DESIGN_2026-04-21.md)
+
 当前本地开发脚本约定：
 
 1. `../../scripts/spacetime-dev.ps1` 与 `../../scripts/spacetime-dev.sh` 当前固定执行 `spacetime start` 的 standalone 模式。