feat(thalos-bff): wire rest runtime and grpc service adapter

src/Thalos.Bff.Application/Adapters/IdentityEdgeContractAdapter.cs

@@ -0,0 +1,41 @@
+using Thalos.Bff.Application.Contracts;
+using Thalos.Bff.Contracts.Api;
+using Thalos.Service.Identity.Abstractions.Contracts;
+
+namespace Thalos.Bff.Application.Adapters;
+
+/// <summary>
+/// Default adapter implementation for identity edge API and service contracts.
+/// </summary>
+public sealed class IdentityEdgeContractAdapter : IIdentityEdgeContractAdapter
+{
+    /// <inheritdoc />
+    public EvaluateIdentityPolicyRequest ToPolicyRequest(IssueTokenApiRequest request, string permissionCode)
+    {
+        return new EvaluateIdentityPolicyRequest(request.SubjectId, request.TenantId, permissionCode);
+    }
+
+    /// <inheritdoc />
+    public IssueIdentityTokenRequest ToIssueTokenRequest(IssueTokenApiRequest request)
+    {
+        return new IssueIdentityTokenRequest(request.SubjectId, request.TenantId);
+    }
+
+    /// <inheritdoc />
+    public IssueTokenApiResponse ToIssueTokenApiResponse(IssueIdentityTokenResponse response)
+    {
+        return new IssueTokenApiResponse(response.Token, response.ExpiresInSeconds);
+    }
+
+    /// <inheritdoc />
+    public RefreshIdentitySessionRequest ToRefreshSessionRequest(RefreshSessionApiRequest request)
+    {
+        return new RefreshIdentitySessionRequest(request.RefreshToken, request.CorrelationId);
+    }
+
+    /// <inheritdoc />
+    public RefreshSessionApiResponse ToRefreshSessionApiResponse(RefreshIdentitySessionResponse response)
+    {
+        return new RefreshSessionApiResponse(response.Token, response.ExpiresInSeconds);
+    }
+}

src/Thalos.Bff.Application/Adapters/IdentityEdgeGrpcContractAdapter.cs

@@ -0,0 +1,22 @@
+using Thalos.Bff.Application.Grpc;
+using Thalos.Bff.Contracts.Api;
+
+namespace Thalos.Bff.Application.Adapters;
+
+/// <summary>
+/// Default adapter implementation for identity edge gRPC contract translation.
+/// </summary>
+public sealed class IdentityEdgeGrpcContractAdapter : IIdentityEdgeGrpcContractAdapter
+{
+    /// <inheritdoc />
+    public IssueIdentityTokenGrpcContract ToGrpc(IssueTokenApiRequest request)
+    {
+        return new IssueIdentityTokenGrpcContract(request.SubjectId, request.TenantId, request.CorrelationId);
+    }
+
+    /// <inheritdoc />
+    public IssueTokenApiRequest FromGrpc(IssueIdentityTokenGrpcContract contract)
+    {
+        return new IssueTokenApiRequest(contract.SubjectId, contract.TenantId, contract.CorrelationId);
+    }
+}

src/Thalos.Bff.Application/DependencyInjection/ThalosBffApplicationServiceCollectionExtensions.cs

@@ -0,0 +1,30 @@
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.DependencyInjection.Extensions;
+using Thalos.Bff.Application.Adapters;
+using Thalos.Bff.Application.Handlers;
+using Thalos.Bff.Application.Security;
+
+namespace Thalos.Bff.Application.DependencyInjection;
+
+/// <summary>
+/// Registers application-layer runtime wiring for thalos-bff.
+/// </summary>
+public static class ThalosBffApplicationServiceCollectionExtensions
+{
+    /// <summary>
+    /// Adds thalos-bff application handlers and adapter implementations.
+    /// </summary>
+    /// <param name="services">Service collection.</param>
+    /// <returns>Service collection for fluent chaining.</returns>
+    public static IServiceCollection AddThalosBffApplicationRuntime(this IServiceCollection services)
+    {
+        services.TryAddSingleton<IIdentityEdgeContractAdapter, IdentityEdgeContractAdapter>();
+        services.TryAddSingleton<IIdentityEdgeGrpcContractAdapter, IdentityEdgeGrpcContractAdapter>();
+        services.TryAddSingleton<IPermissionGuard, IdentityPermissionGuard>();
+
+        services.TryAddScoped<IIssueTokenHandler, IssueTokenHandler>();
+        services.TryAddScoped<IRefreshSessionHandler, RefreshSessionHandler>();
+
+        return services;
+    }
+}

src/Thalos.Bff.Application/Security/IdentityPermissionGuard.cs

@@ -0,0 +1,15 @@
+using Thalos.Service.Identity.Abstractions.Contracts;
+
+namespace Thalos.Bff.Application.Security;
+
+/// <summary>
+/// Default permission guard backed by thalos-service policy evaluation responses.
+/// </summary>
+public sealed class IdentityPermissionGuard : IPermissionGuard
+{
+    /// <inheritdoc />
+    public bool CanAccess(EvaluateIdentityPolicyResponse policyResponse)
+    {
+        return policyResponse.IsAllowed;
+    }
+}

src/Thalos.Bff.Application/Thalos.Bff.Application.csproj

@@ -5,6 +5,7 @@
     <Nullable>enable</Nullable>
   </PropertyGroup>
   <ItemGroup>
+    <PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="10.0.0" />
     <ProjectReference Include="..\Thalos.Bff.Contracts\Thalos.Bff.Contracts.csproj" />
     <ProjectReference Include="..\..\..\thalos-service\src\Thalos.Service.Identity.Abstractions\Thalos.Service.Identity.Abstractions.csproj" />
   </ItemGroup>

src/Thalos.Bff.Rest/Adapters/ThalosServiceGrpcClientAdapter.cs

@@ -0,0 +1,107 @@
+using Grpc.Core;
+using Microsoft.Extensions.Primitives;
+using Thalos.Bff.Application.Adapters;
+using Thalos.Bff.Application.Contracts;
+using Thalos.Service.Grpc;
+using Thalos.Service.Identity.Abstractions.Contracts;
+
+namespace Thalos.Bff.Rest.Adapters;
+
+/// <summary>
+/// gRPC-backed adapter for downstream thalos-service calls.
+/// </summary>
+public sealed class ThalosServiceGrpcClientAdapter(
+    IdentityRuntime.IdentityRuntimeClient grpcClient,
+    IHttpContextAccessor httpContextAccessor,
+    IConfiguration configuration) : IThalosServiceClient
+{
+    private const string CorrelationHeaderName = "x-correlation-id";
+    private readonly string refreshTenantId = configuration["ThalosService:RefreshTenantId"] ?? "refresh";
+
+    /// <inheritdoc />
+    public async Task<IssueIdentityTokenResponse> IssueTokenAsync(IssueIdentityTokenRequest request)
+    {
+        var correlationId = ResolveCorrelationId();
+        var grpcRequest = new IssueIdentityTokenGrpcRequest
+        {
+            SubjectId = request.SubjectId,
+            TenantId = request.TenantId
+        };
+
+        var grpcResponse = await grpcClient.IssueIdentityTokenAsync(
+            grpcRequest,
+            headers: CreateHeaders(correlationId));
+
+        return new IssueIdentityTokenResponse(grpcResponse.Token, grpcResponse.ExpiresInSeconds);
+    }
+
+    /// <inheritdoc />
+    public async Task<EvaluateIdentityPolicyResponse> EvaluatePolicyAsync(EvaluateIdentityPolicyRequest request)
+    {
+        var correlationId = ResolveCorrelationId();
+        var grpcRequest = new EvaluateIdentityPolicyGrpcRequest
+        {
+            SubjectId = request.SubjectId,
+            TenantId = request.TenantId,
+            PermissionCode = request.PermissionCode
+        };
+
+        var grpcResponse = await grpcClient.EvaluateIdentityPolicyAsync(
+            grpcRequest,
+            headers: CreateHeaders(correlationId));
+
+        return new EvaluateIdentityPolicyResponse(
+            grpcResponse.SubjectId,
+            grpcResponse.PermissionCode,
+            grpcResponse.IsAllowed);
+    }
+
+    /// <inheritdoc />
+    public async Task<RefreshIdentitySessionResponse> RefreshSessionAsync(RefreshIdentitySessionRequest request)
+    {
+        var correlationId = ResolveCorrelationId(request.CorrelationId);
+        var grpcRequest = new IssueIdentityTokenGrpcRequest
+        {
+            SubjectId = request.RefreshToken,
+            TenantId = refreshTenantId
+        };
+
+        var grpcResponse = await grpcClient.IssueIdentityTokenAsync(
+            grpcRequest,
+            headers: CreateHeaders(correlationId));
+
+        return new RefreshIdentitySessionResponse(grpcResponse.Token, grpcResponse.ExpiresInSeconds);
+    }
+
+    private string ResolveCorrelationId(string? preferred = null)
+    {
+        if (!string.IsNullOrWhiteSpace(preferred))
+        {
+            return preferred;
+        }
+
+        var context = httpContextAccessor.HttpContext;
+        if (context?.Items.TryGetValue(CorrelationHeaderName, out var itemValue) == true &&
+            itemValue is string itemCorrelationId &&
+            !string.IsNullOrWhiteSpace(itemCorrelationId))
+        {
+            return itemCorrelationId;
+        }
+
+        if (context?.Request.Headers.TryGetValue(CorrelationHeaderName, out var headerValue) == true &&
+            !StringValues.IsNullOrEmpty(headerValue))
+        {
+            return headerValue.ToString();
+        }
+
+        return context?.TraceIdentifier ?? $"corr-{Guid.NewGuid():N}";
+    }
+
+    private static Metadata CreateHeaders(string correlationId)
+    {
+        return new Metadata
+        {
+            { CorrelationHeaderName, correlationId }
+        };
+    }
+}

src/Thalos.Bff.Rest/Program.cs

@@ -1,18 +1,93 @@
+using Core.Blueprint.Common.DependencyInjection;
+using Microsoft.Extensions.Primitives;
+using Thalos.Bff.Application.Adapters;
+using Thalos.Bff.Application.DependencyInjection;
+using Thalos.Bff.Application.Handlers;
 using Thalos.Bff.Contracts.Api;
+using Thalos.Bff.Rest.Adapters;
+using Thalos.Bff.Rest.Endpoints;
+using Thalos.Service.Grpc;
+
+const string CorrelationHeaderName = "x-correlation-id";
 
 var builder = WebApplication.CreateBuilder(args);
 
-// Stage 3 skeleton: single active external protocol for this deployment is REST.
+builder.Services.AddHttpContextAccessor();
+builder.Services.AddHealthChecks();
+builder.Services.AddBlueprintRuntimeCore();
+builder.Services.AddThalosBffApplicationRuntime();
+builder.Services.AddScoped<IThalosServiceClient, ThalosServiceGrpcClientAdapter>();
+builder.Services.AddGrpcClient<IdentityRuntime.IdentityRuntimeClient>(options =>
+{
+    var serviceAddress = builder.Configuration["ThalosService:GrpcAddress"] ?? "http://localhost:5251";
+    options.Address = new Uri(serviceAddress);
+});
+
 var app = builder.Build();
 
-app.MapPost("/api/identity/token", (IssueTokenApiRequest request) =>
+app.Use(async (context, next) =>
 {
-    return Results.Ok(new IssueTokenApiResponse("", 0));
+    var correlationId = ResolveCorrelationId(context);
+    context.Items[CorrelationHeaderName] = correlationId;
+    context.Request.Headers[CorrelationHeaderName] = correlationId;
+    context.Response.Headers[CorrelationHeaderName] = correlationId;
+    await next();
 });
 
-app.MapPost("/api/identity/session/refresh", (RefreshSessionApiRequest request) =>
+app.MapPost($"{EndpointConventions.ApiPrefix}/token", async (
+    IssueTokenApiRequest request,
+    HttpContext context,
+    IIssueTokenHandler handler) =>
 {
-    return Results.Ok(new RefreshSessionApiResponse("", 0));
+    var normalizedRequest = request with { CorrelationId = ResolveCorrelationId(context, request.CorrelationId) };
+
+    try
+    {
+        var response = await handler.HandleAsync(normalizedRequest);
+        return Results.Ok(response);
+    }
+    catch (UnauthorizedAccessException)
+    {
+        return Results.Unauthorized();
+    }
 });
 
+app.MapPost($"{EndpointConventions.ApiPrefix}/session/refresh", async (
+    RefreshSessionApiRequest request,
+    HttpContext context,
+    IRefreshSessionHandler handler) =>
+{
+    var normalizedRequest = request with { CorrelationId = ResolveCorrelationId(context, request.CorrelationId) };
+    var response = await handler.HandleAsync(normalizedRequest);
+    return Results.Ok(response);
+});
+
+app.MapHealthChecks("/healthz");
+
 app.Run();
+
+string ResolveCorrelationId(HttpContext context, string? preferred = null)
+{
+    if (!string.IsNullOrWhiteSpace(preferred))
+    {
+        context.Items[CorrelationHeaderName] = preferred;
+        context.Request.Headers[CorrelationHeaderName] = preferred;
+        context.Response.Headers[CorrelationHeaderName] = preferred;
+        return preferred;
+    }
+
+    if (context.Items.TryGetValue(CorrelationHeaderName, out var itemValue) &&
+        itemValue is string itemCorrelationId &&
+        !string.IsNullOrWhiteSpace(itemCorrelationId))
+    {
+        return itemCorrelationId;
+    }
+
+    if (context.Request.Headers.TryGetValue(CorrelationHeaderName, out var headerValue) &&
+        !StringValues.IsNullOrEmpty(headerValue))
+    {
+        return headerValue.ToString();
+    }
+
+    return context.TraceIdentifier;
+}

src/Thalos.Bff.Rest/Thalos.Bff.Rest.csproj

@@ -4,8 +4,22 @@
     <Nullable>enable</Nullable>
     <ImplicitUsings>enable</ImplicitUsings>
   </PropertyGroup>
+  <ItemGroup>
+    <PackageReference Include="Google.Protobuf" Version="3.31.1" />
+    <PackageReference Include="Grpc.Core.Api" Version="2.71.0" />
+    <PackageReference Include="Grpc.Net.Client" Version="2.71.0" />
+    <PackageReference Include="Grpc.Net.ClientFactory" Version="2.71.0" />
+    <PackageReference Include="Grpc.Tools" Version="2.71.0">
+      <PrivateAssets>all</PrivateAssets>
+      <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
+    </PackageReference>
+  </ItemGroup>
+  <ItemGroup>
+    <Protobuf Include="..\..\..\thalos-service\src\Thalos.Service.Grpc\Protos\identity_runtime.proto" GrpcServices="Client" Link="Protos\identity_runtime.proto" />
+  </ItemGroup>
   <ItemGroup>
     <ProjectReference Include="..\Thalos.Bff.Application\Thalos.Bff.Application.csproj" />
     <ProjectReference Include="..\Thalos.Bff.Contracts\Thalos.Bff.Contracts.csproj" />
+    <ProjectReference Include="..\..\..\blueprint-platform\src\Core.Blueprint.Common\Core.Blueprint.Common.csproj" />
   </ItemGroup>
 </Project>