chore(thalos-bff): add container run assets

Why: align BFF runtime packaging and remove cross-repo proto coupling in container builds.

What: add Docker assets and runbook, map /health, and vendor grpc proto locally.

Rule: keep technical intent only and avoid orchestration references.

.dockerignore

@@ -0,0 +1,9 @@
+**/bin/
+**/obj/
+.vs/
+TestResults/
+.git/
+.repo-tasks/
+.repo-context/
+.tasks/
+.agile/

Dockerfile

@@ -0,0 +1,22 @@
+# syntax=docker/dockerfile:1.7
+ARG SDK_IMAGE=mcr.microsoft.com/dotnet/sdk:10.0
+ARG RUNTIME_IMAGE=mcr.microsoft.com/dotnet/aspnet:10.0
+
+FROM ${SDK_IMAGE} AS build
+ARG NUGET_FEED_URL=http://192.168.10.100:3000/api/packages/AgileWebs/nuget/index.json
+ARG NUGET_FEED_USERNAME=
+ARG NUGET_FEED_TOKEN=
+WORKDIR /src
+COPY . .
+
+RUN if [ -n "$NUGET_FEED_USERNAME" ] && [ -n "$NUGET_FEED_TOKEN" ]; then       dotnet nuget add source "$NUGET_FEED_URL"         --name gitea-org         --username "$NUGET_FEED_USERNAME"         --password "$NUGET_FEED_TOKEN"         --store-password-in-clear-text         --allow-insecure-connections         --configfile /root/.nuget/NuGet/NuGet.Config;     fi
+
+RUN dotnet restore "src/Thalos.Bff.Rest/Thalos.Bff.Rest.csproj" --configfile /root/.nuget/NuGet/NuGet.Config
+RUN dotnet publish "src/Thalos.Bff.Rest/Thalos.Bff.Rest.csproj" -c Release -o /app/publish /p:UseAppHost=false --no-restore
+
+FROM ${RUNTIME_IMAGE} AS runtime
+WORKDIR /app
+ENV ASPNETCORE_URLS=http://+:8080     ASPNETCORE_ENVIRONMENT=Production
+EXPOSE 8080
+COPY --from=build /app/publish .
+ENTRYPOINT ["dotnet", "Thalos.Bff.Rest.dll"]

docs/runbooks/containerization.md

@@ -0,0 +1,26 @@
+# Containerization Runbook
+
+## Image Build
+
+If the repo consumes internal packages from Gitea, pass feed credentials as build args.
+
+```bash
+docker build   --build-arg NUGET_FEED_USERNAME=<gitea-login>   --build-arg NUGET_FEED_TOKEN=<gitea-token>   -t agilewebs/thalos-bff:dev .
+```
+
+## Local Run
+
+```bash
+docker run --rm -p 8080:8080 --name thalos-bff agilewebs/thalos-bff:dev
+```
+
+## Health Probe
+
+- Path: `/health`
+- Fallback path: `/healthz`
+- Port: `8080`
+
+## Runtime Notes
+
+- Requires `ThalosService__GrpcAddress` to target thalos-service in distributed runs.
+- gRPC client contract protobuf is vendored at `src/Thalos.Bff.Rest/Protos/identity_runtime.proto` to keep image builds repo-local.

src/Thalos.Bff.Rest/Program.cs

@@ -69,6 +69,7 @@ app.MapPost($"{EndpointConventions.ApiPrefix}/session/refresh", async (
 });
 
 app.MapHealthChecks("/healthz");
+app.MapHealthChecks("/health");
 
 app.Run();
 

src/Thalos.Bff.Rest/Protos/identity_runtime.proto

@@ -0,0 +1,35 @@
+syntax = "proto3";
+
+option csharp_namespace = "Thalos.Service.Grpc";
+
+package thalos.service.grpc;
+
+service IdentityRuntime {
+  rpc IssueIdentityToken (IssueIdentityTokenGrpcRequest) returns (IssueIdentityTokenGrpcResponse);
+  rpc EvaluateIdentityPolicy (EvaluateIdentityPolicyGrpcRequest) returns (EvaluateIdentityPolicyGrpcResponse);
+}
+
+message IssueIdentityTokenGrpcRequest {
+  string subject_id = 1;
+  string tenant_id = 2;
+  string provider = 3;
+  string external_token = 4;
+}
+
+message IssueIdentityTokenGrpcResponse {
+  string token = 1;
+  int32 expires_in_seconds = 2;
+}
+
+message EvaluateIdentityPolicyGrpcRequest {
+  string subject_id = 1;
+  string tenant_id = 2;
+  string permission_code = 3;
+  string provider = 4;
+}
+
+message EvaluateIdentityPolicyGrpcResponse {
+  string subject_id = 1;
+  string permission_code = 2;
+  bool is_allowed = 3;
+}

src/Thalos.Bff.Rest/Thalos.Bff.Rest.csproj

@@ -15,7 +15,7 @@
     </PackageReference>
   </ItemGroup>
   <ItemGroup>
-    <Protobuf Include="..\..\..\thalos-service\src\Thalos.Service.Grpc\Protos\identity_runtime.proto" GrpcServices="Client" Link="Protos\identity_runtime.proto" />
+    <Protobuf Include="Protos\identity_runtime.proto" GrpcServices="Client" />
   </ItemGroup>
   <ItemGroup>
     <ProjectReference Include="..\Thalos.Bff.Application\Thalos.Bff.Application.csproj" />