diff --git a/hermes_web_cli/crud_ops.py b/hermes_web_cli/crud_ops.py
index c0eef4a..64587f7 100644
--- a/hermes_web_cli/crud_ops.py
+++ b/hermes_web_cli/crud_ops.py
@@ -7,6 +7,13 @@ from typing import Dict, List, Optional
 from datetime import datetime
 
 # Services CRUD operations
+# NOTE: The orgid field is automatically populated by the backend layer:
+#   - In .dspy files, orgid is obtained via `orgid = await get_userorgid()`
+#   - The orgid is passed from .dspy to Python functions (create_service, delete_service, etc.)
+#   - SQL templates use orgid for all WHERE clauses (data isolation by organization)
+#   - orgid is EXCLUDED from UI: hidden in both list view (browserfields.exclouded)
+#     and edit form (editexclouded), users never see or edit this field
+#   - logined_userorgid param in CRUD definition enables framework-level org filtering
 SERVICES_CRUD = {
     "module": "hermes-web-cli",
     "table": "services",
diff --git a/json/hermes_services.json b/json/hermes_services.json
index 5721118..976419d 100644
--- a/json/hermes_services.json
+++ b/json/hermes_services.json
@@ -1,4 +1,5 @@
 {
+    "_comment": "orgid字段说明: 该字段在编辑/新建时自动从登录用户orgid获取，不从表单输入；列表中也不显示，仅在后台SQL中用于数据隔离。前端通过get_userorgid()获取orgid并传给后端函数。",
     "tblname": "hermes_services",
     "title": "Hermes Services",
     "params": {
@@ -6,7 +7,7 @@
         "logined_userorgid": "orgid",
         "confidential_fields": ["apikey"],
         "browserfields": {
-            "exclouded": ["id", "service_url", "created_at", "updated_at"],
+            "exclouded": ["id", "orgid", "service_url", "created_at", "updated_at"],
             "alters": {
                 "status": {
                     "uitype": "code",
@@ -19,7 +20,7 @@
                 }
             }
         },
-        "editexclouded": ["id", "created_at", "updated_at"],
+        "editexclouded": ["id", "orgid", "created_at", "updated_at"],
         "subtables": []
     }
 }
\ No newline at end of file