@checkstack/backend 0.2.0 → 0.3.0

package/CHANGELOG.md

@@ -1,5 +1,87 @@
 # @checkstack/backend
 
+## 0.3.0
+
+### Minor Changes
+
+- 9faec1f: # Unified AccessRule Terminology Refactoring
+
+  This release completes a comprehensive terminology refactoring from "permission" to "accessRule" across the entire codebase, establishing a consistent and modern access control vocabulary.
+
+  ## Changes
+
+  ### Core Infrastructure (`@checkstack/common`)
+
+  - Introduced `AccessRule` interface as the primary access control type
+  - Added `accessPair()` helper for creating read/manage access rule pairs
+  - Added `access()` builder for individual access rules
+  - Replaced `Permission` type with `AccessRule` throughout
+
+  ### API Changes
+
+  - `env.registerPermissions()` → `env.registerAccessRules()`
+  - `meta.permissions` → `meta.access` in RPC contracts
+  - `usePermission()` → `useAccess()` in frontend hooks
+  - Route `permission:` field → `accessRule:` field
+
+  ### UI Changes
+
+  - "Roles & Permissions" tab → "Roles & Access Rules"
+  - "You don't have permission..." → "You don't have access..."
+  - All permission-related UI text updated
+
+  ### Documentation & Templates
+
+  - Updated 18 documentation files with AccessRule terminology
+  - Updated 7 scaffolding templates with `accessPair()` pattern
+  - All code examples use new AccessRule API
+
+  ## Migration Guide
+
+  ### Backend Plugins
+
+  ```diff
+  - import { permissionList } from "./permissions";
+  - env.registerPermissions(permissionList);
+  + import { accessRules } from "./access";
+  + env.registerAccessRules(accessRules);
+  ```
+
+  ### RPC Contracts
+
+  ```diff
+  - .meta({ userType: "user", permissions: [permissions.read.id] })
+  + .meta({ userType: "user", access: [access.read] })
+  ```
+
+  ### Frontend Hooks
+
+  ```diff
+  - const canRead = accessApi.usePermission(permissions.read.id);
+  + const canRead = accessApi.useAccess(access.read);
+  ```
+
+  ### Routes
+
+  ```diff
+  - permission: permissions.entityRead.id,
+  + accessRule: access.read,
+  ```
+
+### Patch Changes
+
+- Updated dependencies [9faec1f]
+- Updated dependencies [827b286]
+- Updated dependencies [f533141]
+- Updated dependencies [aa4a8ab]
+  - @checkstack/api-docs-common@0.1.0
+  - @checkstack/auth-common@0.2.0
+  - @checkstack/backend-api@0.3.0
+  - @checkstack/common@0.2.0
+  - @checkstack/signal-backend@0.1.0
+  - @checkstack/signal-common@0.1.0
+  - @checkstack/queue-api@0.0.5
+
 ## 0.2.0
 
 ### Minor Changes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@checkstack/backend",
-  "version": "0.2.0",
+  "version": "0.3.0",
   "type": "module",
   "scripts": {
     "dev": "bun --env-file=../../.env --watch src/index.ts",

package/src/index.ts

@@ -25,9 +25,8 @@ import {
 import { createPluginAdminRouter } from "./plugin-manager/plugin-admin-router";
 import {
   pluginMetadata as apiDocsMetadata,
-  permissions as apiDocsPermissions,
+  apiDocsAccess,
 } from "@checkstack/api-docs-common";
-import { qualifyPermissionId } from "@checkstack/common";
 
 import { cors } from "hono/cors";
 
@@ -241,10 +240,7 @@ const init = async () => {
       pluginManager,
       authService,
       baseUrl,
-      requiredPermission: qualifyPermissionId(
-        apiDocsMetadata,
-        apiDocsPermissions.apiDocsView
-      ),
+      requiredAccessRule: `${apiDocsMetadata.pluginId}.${apiDocsAccess.view.id}`,
     });
     app.get("/api/openapi.json", async (c) => {
       const response = await openApiHandler(c.req.raw);
@@ -260,7 +256,7 @@ const init = async () => {
   // 3. Load Plugins
   await pluginManager.loadPlugins(app);
 
-  // 4. Wire up auth client for permission-based signal filtering
+  // 4. Wire up auth client for access-based signal filtering
   // This must happen AFTER plugins load so auth-backend is available
   const rpcClient = await pluginManager.getService(coreServices.rpcClient);
   if (rpcClient) {
@@ -268,7 +264,7 @@ const init = async () => {
     const authClient = rpcClient.forPlugin(AuthApi);
     signalService.setAuthClient(authClient);
     rootLogger.debug(
-      "SignalService: Auth client configured for permission filtering"
+      "SignalService: Auth client configured for access filtering"
     );
   } else {
     rootLogger.warn(

package/src/integration/event-bus.integration.test.ts

@@ -19,43 +19,43 @@ describe("EventBus Integration Tests", () => {
     eventBus = new EventBus(mockQueueManager, mockLogger);
   });
 
-  describe("Permission Sync Scenario", () => {
-    it("should sync permissions across plugins using work-queue mode", async () => {
-      // Simulate the permissionsRegistered hook
-      const permissionsRegistered = createHook<{
+  describe("Access Rule Sync Scenario", () => {
+    it("should sync access rules across plugins using work-queue mode", async () => {
+      // Simulate the accessRulesRegistered hook
+      const accessRulesRegistered = createHook<{
         pluginId: string;
-        permissions: Array<{ id: string; description?: string }>;
-      }>("core.permissionsRegistered");
+        accessRules: Array<{ id: string; description?: string }>;
+      }>("core.accessRulesRegistered");
 
-      const syncedPermissions: Array<{ id: string; description?: string }> = [];
+      const syncedAccessRules: Array<{ id: string; description?: string }> = [];
 
-      // Auth-backend subscribes to sync permissions (work-queue mode)
+      // Auth-backend subscribes to sync access rules (work-queue mode)
       await eventBus.subscribe(
         "auth-backend",
-        permissionsRegistered,
-        async ({ permissions }) => {
+        accessRulesRegistered,
+        async ({ accessRules }) => {
           // Simulate DB sync
-          syncedPermissions.push(...permissions);
+          syncedAccessRules.push(...accessRules);
         },
         {
           mode: "work-queue",
-          workerGroup: "permission-db-sync",
+          workerGroup: "access-rule-db-sync",
           maxRetries: 3,
         }
       );
 
-      // Emit permission registration events from different plugins
-      await eventBus.emit(permissionsRegistered, {
+      // Emit access rule registration events from different plugins
+      await eventBus.emit(accessRulesRegistered, {
         pluginId: "catalog",
-        permissions: [
+        accessRules: [
           { id: "catalog-backend.read", description: "Read catalog" },
           { id: "catalog-backend.manage", description: "Manage catalog" },
         ],
       });
 
-      await eventBus.emit(permissionsRegistered, {
+      await eventBus.emit(accessRulesRegistered, {
         pluginId: "queue",
-        permissions: [
+        accessRules: [
           { id: "queue-backend.read", description: "Read queue" },
           { id: "queue-backend.manage", description: "Manage queue" },
         ],
@@ -64,18 +64,18 @@ describe("EventBus Integration Tests", () => {
       // Wait for async processing
       await new Promise((resolve) => setTimeout(resolve, 100));
 
-      // All permissions should be synced
-      expect(syncedPermissions.length).toBe(4);
-      expect(syncedPermissions.map((p) => p.id)).toContain(
+      // All access rules should be synced
+      expect(syncedAccessRules.length).toBe(4);
+      expect(syncedAccessRules.map((p) => p.id)).toContain(
         "catalog-backend.read"
       );
-      expect(syncedPermissions.map((p) => p.id)).toContain(
+      expect(syncedAccessRules.map((p) => p.id)).toContain(
         "catalog-backend.manage"
       );
-      expect(syncedPermissions.map((p) => p.id)).toContain(
+      expect(syncedAccessRules.map((p) => p.id)).toContain(
         "queue-backend.read"
       );
-      expect(syncedPermissions.map((p) => p.id)).toContain(
+      expect(syncedAccessRules.map((p) => p.id)).toContain(
         "queue-backend.manage"
       );
     });

package/src/openapi-router.ts

@@ -12,16 +12,16 @@ import type { PluginManager } from "./plugin-manager";
 import type { AuthService } from "@checkstack/backend-api";
 
 /**
- * Check if a user has a specific permission.
+ * Check if a user has a specific access rule.
  * Supports wildcard (*) for admin access.
  */
-function hasPermission(
-  user: { permissions?: string[] },
-  permission: string
+function hasAccess(
+  user: { accessRules?: string[] },
+  accessRule: string
 ): boolean {
-  if (!user.permissions) return false;
+  if (!user.accessRules) return false;
   return (
-    user.permissions.includes("*") || user.permissions.includes(permission)
+    user.accessRules.includes("*") || user.accessRules.includes(accessRule)
   );
 }
 
@@ -30,9 +30,9 @@ function hasPermission(
  */
 function extractProcedureMetadata(
   contract: unknown
-): { userType?: string; permissions?: string[] } | undefined {
+): { userType?: string; accessRules?: string[] } | undefined {
   const orpcData = (contract as Record<string, unknown>)?.["~orpc"] as
-    | { meta?: { userType?: string; permissions?: string[] } }
+    | { meta?: { userType?: string; accessRules?: string[] } }
     | undefined;
   return orpcData?.meta;
 }
@@ -43,10 +43,10 @@ function extractProcedureMetadata(
  */
 function buildMetadataLookup(
   contracts: Map<string, AnyContractRouter>
-): Map<string, { userType?: string; permissions?: string[] }> {
+): Map<string, { userType?: string; accessRules?: string[] }> {
   const lookup = new Map<
     string,
-    { userType?: string; permissions?: string[] }
+    { userType?: string; accessRules?: string[] }
   >();
 
   for (const [pluginId, contract] of contracts) {
@@ -141,12 +141,12 @@ export function createOpenApiHandler({
   pluginManager,
   authService,
   baseUrl,
-  requiredPermission,
+  requiredAccessRule,
 }: {
   pluginManager: PluginManager;
   authService: AuthService;
   baseUrl: string;
-  requiredPermission: string;
+  requiredAccessRule: string;
 }): (req: Request) => Promise<Response> {
   return async (req: Request) => {
     // Authenticate request
@@ -156,9 +156,9 @@ export function createOpenApiHandler({
       return Response.json({ error: "Unauthorized" }, { status: 401 });
     }
 
-    // Check permission (applications.manage from auth plugin)
-    // Services don't have permissions, so deny them access to docs
-    if (user.type === "service" || !hasPermission(user, requiredPermission)) {
+    // Check access rule (applications.manage from auth plugin)
+    // Services don't have accesss, so deny them access to docs
+    if (user.type === "service" || !hasAccess(user, requiredAccessRule)) {
       return Response.json({ error: "Forbidden" }, { status: 403 });
     }
 

package/src/plugin-lifecycle.test.ts

@@ -233,18 +233,18 @@ describe("Plugin Lifecycle", () => {
       expect(pluginRpcRouters.has("test-plugin")).toBe(false);
     });
 
-    it("should clear permissions for plugin", async () => {
-      const registeredPermissions = (pluginManager as never)[
-        "registeredPermissions"
+    it("should clear access rules for plugin", async () => {
+      const registeredAccessRules = (pluginManager as never)[
+        "registeredAccessRules"
       ] as { pluginId: string; id: string }[];
 
-      // Clear existing permissions first
-      while (registeredPermissions.length > 0) {
-        registeredPermissions.pop();
+      // Clear existing access rules first
+      while (registeredAccessRules.length > 0) {
+        registeredAccessRules.pop();
       }
 
-      // Add test permissions
-      registeredPermissions.push(
+      // Add test access rules
+      registeredAccessRules.push(
         { pluginId: "test-plugin", id: "test-plugin.perm1" },
         { pluginId: "test-plugin", id: "test-plugin.perm2" },
         { pluginId: "other-plugin", id: "other-plugin.perm1" }
@@ -254,8 +254,8 @@ describe("Plugin Lifecycle", () => {
         deleteSchema: false,
       });
 
-      // Use getAllPermissions() which returns the current array
-      const remaining = pluginManager.getAllPermissions();
+      // Use getAllAccessRules() which returns the current array
+      const remaining = pluginManager.getAllAccessRules();
       expect(remaining).toHaveLength(1);
       expect(remaining[0].id).toBe("other-plugin.perm1");
     });

package/src/plugin-manager/core-services.ts

@@ -100,8 +100,8 @@ export function registerCoreServices({
   });
 
   // 3. Auth Factory (Scoped)
-  // Cache for anonymous permissions to avoid repeated DB queries
-  let anonymousPermissionsCache: string[] | undefined;
+  // Cache for anonymous access rules to avoid repeated DB queries
+  let anonymousAccessRulesCache: string[] | undefined;
   let anonymousCacheTime = 0;
   const CACHE_TTL_MS = 60_000; // 1 minute cache
 
@@ -146,33 +146,33 @@ export function registerCoreServices({
         return { headers: { Authorization: `Bearer ${token}` } };
       },
 
-      getAnonymousPermissions: async (): Promise<string[]> => {
+      getAnonymousAccessRules: async (): Promise<string[]> => {
         const now = Date.now();
         // Return cached value if still valid
         if (
-          anonymousPermissionsCache !== undefined &&
+          anonymousAccessRulesCache !== undefined &&
           now - anonymousCacheTime < CACHE_TTL_MS
         ) {
-          return anonymousPermissionsCache;
+          return anonymousAccessRulesCache;
         }
 
-        // Use RPC client to call auth-backend's getAnonymousPermissions endpoint
+        // Use RPC client to call auth-backend's getAnonymousAccessRules endpoint
         try {
           const rpcClient = await registry.get(coreServices.rpcClient, {
             pluginId: "core",
           });
           const authClient = rpcClient.forPlugin(AuthApi);
-          const permissions = await authClient.getAnonymousPermissions();
+          const accessRulesResult = await authClient.getAnonymousAccessRules();
 
           // Update cache
-          anonymousPermissionsCache = permissions;
+          anonymousAccessRulesCache = accessRulesResult;
           anonymousCacheTime = now;
 
-          return permissions;
+          return accessRulesResult;
         } catch (error) {
           // RPC client not available yet (during startup), return empty
           rootLogger.warn(
-            `[auth] getAnonymousPermissions: RPC failed, returning empty array. Error: ${error}`
+            `[auth] getAnonymousAccessRules: RPC failed, returning empty array. Error: ${error}`
           );
           return [];
         }
@@ -186,8 +186,8 @@ export function registerCoreServices({
           const authClient = rpcClient.forPlugin(AuthApi);
           return await authClient.checkResourceTeamAccess(params);
         } catch {
-          // Fall back to global permission on error
-          return { hasAccess: params.hasGlobalPermission };
+          // Fall back to global access on error
+          return { hasAccess: params.hasGlobalAccess };
         }
       },
 
@@ -199,8 +199,8 @@ export function registerCoreServices({
           const authClient = rpcClient.forPlugin(AuthApi);
           return await authClient.getAccessibleResourceIds(params);
         } catch {
-          // Fall back to global permission on error
-          return params.hasGlobalPermission ? params.resourceIds : [];
+          // Fall back to global access on error
+          return params.hasGlobalAccess ? params.resourceIds : [];
         }
       },
     };

package/src/plugin-manager/plugin-loader.ts

@@ -18,7 +18,7 @@ import {
   HookSubscribeOptions,
   RpcContext,
 } from "@checkstack/backend-api";
-import type { Permission } from "@checkstack/common";
+import type { AccessRule } from "@checkstack/common";
 import { getPluginSchemaName } from "@checkstack/drizzle-helper";
 import { rootLogger } from "../logger";
 import type { ServiceRegistry } from "../services/service-registry";
@@ -41,8 +41,8 @@ export interface PluginLoaderDeps {
   pluginRpcRouters: Map<string, unknown>;
   pluginHttpHandlers: Map<string, (req: Request) => Promise<Response>>;
   extensionPointManager: ExtensionPointManager;
-  registeredPermissions: (Permission & { pluginId: string })[];
-  getAllPermissions: () => Permission[];
+  registeredAccessRules: (AccessRule & { pluginId: string })[];
+  getAllAccessRules: () => AccessRule[];
   db: NodePgDatabase<Record<string, unknown>>;
   /**
    * Map of pluginId -> PluginMetadata for request-time context injection.
@@ -121,18 +121,16 @@ export function registerPlugin({
     getExtensionPoint: (ref) => {
       return deps.extensionPointManager.getExtensionPoint(ref);
     },
-    registerPermissions: (permissions: Permission[]) => {
-      // Store permissions with pluginId prefix to namespace them
-      const prefixed = permissions.map((p) => ({
+    registerAccessRules: (accessRules: AccessRule[]) => {
+      // Store access rules with pluginId prefix to namespace them
+      const prefixed = accessRules.map((rule) => ({
+        ...rule,
         pluginId: pluginId,
-        id: `${pluginId}.${p.id}`,
-        description: p.description,
-        isAuthenticatedDefault: p.isAuthenticatedDefault,
-        isPublicDefault: p.isPublicDefault,
+        id: `${pluginId}.${rule.id}`,
       }));
-      deps.registeredPermissions.push(...prefixed);
+      deps.registeredAccessRules.push(...prefixed);
       rootLogger.debug(
-        `   -> Registered ${prefixed.length} permissions for ${pluginId}`
+        `   -> Registered ${prefixed.length} access rules for ${pluginId}`
       );
     },
     registerRouter: (
@@ -150,7 +148,7 @@ export function registerPlugin({
       rootLogger.debug(`   -> Registered cleanup handler for ${pluginId}`);
     },
     pluginManager: {
-      getAllPermissions: () => deps.getAllPermissions(),
+      getAllAccessRules: () => deps.getAllAccessRules(),
     },
   });
 }
@@ -374,29 +372,24 @@ export async function loadPlugins({
   // Phase 3: Run afterPluginsReady callbacks
   rootLogger.debug("🔄 Running afterPluginsReady callbacks...");
 
-  // Emit permission registration hooks at start of Phase 3
+  // Emit access rule registration hooks at start of Phase 3
   // (EventBus already retrieved above, all plugins can receive notifications)
-  const permissionsByPlugin = new Map<string, Permission[]>();
-  for (const perm of deps.registeredPermissions) {
-    if (!permissionsByPlugin.has(perm.pluginId)) {
-      permissionsByPlugin.set(perm.pluginId, []);
+  const accessRulesByPlugin = new Map<string, AccessRule[]>();
+  for (const { pluginId, ...rule } of deps.registeredAccessRules) {
+    if (!accessRulesByPlugin.has(pluginId)) {
+      accessRulesByPlugin.set(pluginId, []);
     }
-    permissionsByPlugin.get(perm.pluginId)!.push({
-      id: perm.id,
-      description: perm.description,
-      isAuthenticatedDefault: perm.isAuthenticatedDefault,
-      isPublicDefault: perm.isPublicDefault,
-    });
+    accessRulesByPlugin.get(pluginId)!.push(rule);
   }
-  for (const [pluginId, permissions] of permissionsByPlugin) {
+  for (const [pluginId, accessRules] of accessRulesByPlugin) {
     try {
-      await eventBus.emit(coreHooks.permissionsRegistered, {
+      await eventBus.emit(coreHooks.accessRulesRegistered, {
         pluginId,
-        permissions,
+        accessRules,
       });
     } catch (error) {
       rootLogger.error(
-        `Failed to emit permissionsRegistered hook for ${pluginId}:`,
+        `Failed to emit accessRulesRegistered hook for ${pluginId}:`,
         error
       );
     }

package/src/plugin-manager.test.ts

@@ -375,54 +375,76 @@ describe("PluginManager", () => {
     });
   });
 
-  describe("Permission Registration", () => {
-    it("should store permissions in the registry", () => {
-      // Permissions are now stored directly via the registeredPermissions array
+  describe("Access Rule Registration", () => {
+    it("should store access rules in the registry", () => {
+      // Access rules are now stored directly via the registeredAccessRules array
       // and hooks are emitted in Phase 3 (afterPluginsReady)
       const perms = (
         pluginManager as unknown as {
-          registeredPermissions: {
+          registeredAccessRules: {
             pluginId: string;
             id: string;
-            description?: string;
+            resource: string;
+            level: string;
+            description: string;
           }[];
         }
-      ).registeredPermissions;
+      ).registeredAccessRules;
 
-      // Add permissions directly (simulating what plugin-loader does)
+      // Add access rules directly (simulating what plugin-loader does)
       perms.push({
         pluginId: "test-plugin",
-        id: "test-plugin.test.permission",
-        description: "Test permission",
+        id: "test-plugin.test.accessRule",
+        resource: "test",
+        level: "read",
+        description: "Test access rule",
       });
 
-      // getAllPermissions should return them (without pluginId in the output)
-      const all = pluginManager.getAllPermissions();
+      // getAllAccessRules should return them (without pluginId in the output)
+      const all = pluginManager.getAllAccessRules();
       expect(all.length).toBe(1);
-      expect(all[0]).toEqual({
-        id: "test-plugin.test.permission",
-        description: "Test permission",
-      });
+      expect(all[0].id).toBe("test-plugin.test.accessRule");
+      expect(all[0].description).toBe("Test access rule");
     });
 
-    it("should aggregate permissions from multiple plugins", () => {
+    it("should aggregate access rules from multiple plugins", () => {
       const perms = (
         pluginManager as unknown as {
-          registeredPermissions: {
+          registeredAccessRules: {
             pluginId: string;
             id: string;
-            description?: string;
+            resource: string;
+            level: string;
+            description: string;
           }[];
         }
-      ).registeredPermissions;
+      ).registeredAccessRules;
 
       perms.push(
-        { pluginId: "plugin-1", id: "plugin-1.perm.1", description: undefined },
-        { pluginId: "plugin-1", id: "plugin-1.perm.2", description: undefined },
-        { pluginId: "plugin-2", id: "plugin-2.perm.3", description: undefined }
+        {
+          pluginId: "plugin-1",
+          id: "plugin-1.perm.1",
+          resource: "perm",
+          level: "read",
+          description: "Access Rule 1",
+        },
+        {
+          pluginId: "plugin-1",
+          id: "plugin-1.perm.2",
+          resource: "perm",
+          level: "manage",
+          description: "Access Rule 2",
+        },
+        {
+          pluginId: "plugin-2",
+          id: "plugin-2.perm.3",
+          resource: "perm",
+          level: "read",
+          description: "Access Rule 3",
+        }
       );
 
-      const all = pluginManager.getAllPermissions();
+      const all = pluginManager.getAllAccessRules();
       expect(all.length).toBe(3);
     });
   });

package/src/plugin-manager.ts

@@ -11,7 +11,7 @@ import {
   HookUnsubscribe,
 } from "@checkstack/backend-api";
 import type { AnyContractRouter } from "@orpc/contract";
-import type { Permission, PluginMetadata } from "@checkstack/common";
+import type { AccessRule, PluginMetadata } from "@checkstack/common";
 
 // Extracted modules
 import { registerCoreServices } from "./plugin-manager/core-services";
@@ -32,8 +32,8 @@ export class PluginManager {
   >();
   private extensionPointManager = createExtensionPointManager();
 
-  // Permission registry - stores all registered permissions with pluginId for hook emission
-  private registeredPermissions: (Permission & { pluginId: string })[] = [];
+  // Access rule registry - stores all registered access rules with pluginId for hook emission
+  private registeredAccessRules: (AccessRule & { pluginId: string })[] = [];
 
   // Plugin metadata registry - stores PluginMetadata for request-time context injection
   private pluginMetadataRegistry = new Map<string, PluginMetadata>();
@@ -77,14 +77,9 @@ export class PluginManager {
     this.pluginRpcRouters.set(routerId, router);
   }
 
-  getAllPermissions(): Permission[] {
-    return this.registeredPermissions.map(
-      ({ id, description, isAuthenticatedDefault, isPublicDefault }) => ({
-        id,
-        description,
-        isAuthenticatedDefault,
-        isPublicDefault,
-      })
+  getAllAccessRules(): AccessRule[] {
+    return this.registeredAccessRules.map(
+      ({ pluginId: _pluginId, ...rule }) => rule
     );
   }
 
@@ -110,8 +105,8 @@ export class PluginManager {
         pluginRpcRouters: this.pluginRpcRouters,
         pluginHttpHandlers: this.pluginHttpHandlers,
         extensionPointManager: this.extensionPointManager,
-        registeredPermissions: this.registeredPermissions,
-        getAllPermissions: () => this.getAllPermissions(),
+        registeredAccessRules: this.registeredAccessRules,
+        getAllAccessRules: () => this.getAllAccessRules(),
         db,
         pluginMetadataRegistry: this.pluginMetadataRegistry,
         cleanupHandlers: this.cleanupHandlers,
@@ -178,15 +173,15 @@ export class PluginManager {
     );
     this.collectorRegistry.unregisterByMissingStrategies(loadedPluginIds);
 
-    // 5. Remove permissions from registry
-    const beforeCount = this.registeredPermissions.length;
-    this.registeredPermissions = this.registeredPermissions.filter(
+    // 5. Remove access rules from registry
+    const beforeCount = this.registeredAccessRules.length;
+    this.registeredAccessRules = this.registeredAccessRules.filter(
       (p) => p.pluginId !== pluginId
     );
     rootLogger.debug(
       `   -> Removed ${
-        beforeCount - this.registeredPermissions.length
-      } permissions`
+        beforeCount - this.registeredAccessRules.length
+      } access rules`
     );
 
     // 6. Drop schema if requested
@@ -200,7 +195,7 @@ export class PluginManager {
       }
     }
 
-    // 7. Emit pluginDeregistered hook (for permission cleanup in auth-backend)
+    // 7. Emit pluginDeregistered hook (for access rule cleanup in auth-backend)
     await eventBus.emit(coreHooks.pluginDeregistered, { pluginId });
 
     rootLogger.info(`✅ Plugin deregistered: ${pluginId}`);
@@ -390,18 +385,18 @@ export class PluginManager {
             },
           });
         },
-        registerPermissions: (permissions) => {
-          const prefixed = permissions.map((p) => ({
+        registerAccessRules: (accessRules) => {
+          const prefixed = accessRules.map((p) => ({
             ...p,
             id: `${metaPluginId}.${p.id}`,
             pluginId: metaPluginId,
           }));
-          this.registeredPermissions.push(...prefixed);
+          this.registeredAccessRules.push(...prefixed);
 
-          // Emit permission hook
-          eventBus.emit(coreHooks.permissionsRegistered, {
+          // Emit access rule hook
+          eventBus.emit(coreHooks.accessRulesRegistered, {
             pluginId: metaPluginId,
-            permissions: prefixed,
+            accessRules: prefixed,
           });
         },
         registerService: (ref, impl) => {
@@ -422,7 +417,7 @@ export class PluginManager {
           this.pluginContractRegistry.set(metaPluginId, contract);
         },
         pluginManager: {
-          getAllPermissions: () => this.getAllPermissions(),
+          getAllAccessRules: () => this.getAllAccessRules(),
         },
       });
 

package/src/rpc-rest-compat.test.ts

@@ -19,11 +19,11 @@ describe("RPC REST Compatibility", () => {
     app = new Hono();
   });
 
-  it("should handle GET /api/auth/permissions via oRPC router", async () => {
+  it("should handle GET /api/auth/accessRules via oRPC router", async () => {
     // 1. Setup a mock auth router
     const authRouter = os.router({
-      permissions: os.handler(async () => {
-        return { permissions: ["test-perm"] };
+      accessRules: os.handler(async () => {
+        return { accessRules: ["test-perm"] };
       }),
     });
 
@@ -33,11 +33,11 @@ describe("RPC REST Compatibility", () => {
     // The new API auto-prefixes based on pluginId, but for test we need to manually set the map key
     // Since we're testing the router handler directly, we use the derived name "auth"
     // Second argument is the contract (for OpenAPI generation) - using a mock object for test
-    rpcService?.registerRouter(authRouter, { permissions: {} });
+    rpcService?.registerRouter(authRouter, { accessRules: {} });
 
     // 3. Mock the auth service to skip real authentication
     const mockAuth: any = {
-      authenticate: mock(async () => ({ id: "user-1", permissions: ["*"] })),
+      authenticate: mock(async () => ({ id: "user-1", accessRules: ["*"] })),
     };
     pluginManager.registerService(coreServices.auth, mockAuth);
 
@@ -63,7 +63,7 @@ describe("RPC REST Compatibility", () => {
     await pluginManager.loadPlugins(app);
 
     // 5. Simulate the request that frontend makes (now /api/auth instead of /api/auth-backend)
-    const res = await app.request("/api/auth/permissions", {
+    const res = await app.request("/api/auth/accessRules", {
       method: "GET",
     });
 
@@ -72,7 +72,7 @@ describe("RPC REST Compatibility", () => {
     if (res.status === 200) {
       const body = await res.json();
       console.log("Response body:", JSON.stringify(body));
-      expect(body.permissions).toContain("test-perm");
+      expect(body.accessRules).toContain("test-perm");
     } else {
       console.log("Response text:", await res.text());
     }