# Thalos BFF Identity Boundary

## Purpose

Keep thalos-bff as an edge adapter layer that consumes thalos-service and adopted identity capability contracts.

## BFF Responsibilities

- Edge contract handling
- Service client adaptation
- Correlation/tracing propagation
- Single active edge protocol policy enforcement (`rest`)
- Provider metadata propagation (`InternalJwt`, `AzureAd`, `Google`)
- OIDC edge flow orchestration (Google start/callback with PKCE/state/nonce)
- Session-cookie issuance policy (secure/domain settings for cross-subdomain web auth)

## Prohibited

- Direct DAL access
- Identity policy decision ownership
- Identity persistence concerns
- Provider secret-manager coupling inside domain/service logic
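The two edge-flow responsibilities above (OIDC start/callback with PKCE/state/nonce, and cross-subdomain session-cookie issuance) are the parts of the boundary that are easiest to get subtly wrong. The following is an added illustration, not thalos-bff's own code: it shows what the BFF keeps per login, what it sends to the provider, what it checks on the way back, and which cookie attributes it sets. The endpoint URL, client id, redirect URI and cookie domain are placeholder assumptions; the id_token signature/issuer/audience checks are assumed to be done by a JWT library before the nonce check runs.

```python
# Added example (not thalos-bff code): OIDC authorization-code flow at the edge
# with PKCE (S256), state and nonce binding, plus session-cookie attribute policy.
# All URLs, ids and domains below are placeholders, not Thalos configuration.
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from urllib.parse import urlencode


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 and JOSE require."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_challenge(code_verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


@dataclass
class PendingLogin:
    """Per-login secrets the BFF holds between /login/start and /login/callback
    (server-side store keyed by a short-lived HttpOnly cookie, never exposed to JS)."""
    state: str
    nonce: str
    code_verifier: str


@dataclass
class LoginStart:
    pending: PendingLogin
    params: dict
    authorize_url: str


def start_login(authorize_endpoint: str, client_id: str, redirect_uri: str) -> LoginStart:
    # 32 random bytes encode to 43 base64url chars, inside RFC 7636's 43..128 range.
    verifier = b64url(secrets.token_bytes(32))
    pending = PendingLogin(
        state=b64url(secrets.token_bytes(32)),   # ties the callback to this browser session (CSRF)
        nonce=b64url(secrets.token_bytes(32)),   # ties the id_token to this request (replay)
        code_verifier=verifier,                  # ties the code exchange to this client (PKCE)
    )
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid email profile",
        "state": pending.state,
        "nonce": pending.nonce,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return LoginStart(pending, params, f"{authorize_endpoint}?{urlencode(params)}")


def check_callback(pending: PendingLogin, query: dict) -> str:
    """Validate the provider redirect; return the authorization code or raise."""
    if "error" in query:
        raise ValueError(f"provider returned error: {query['error']}")
    # Constant-time compare so a tampered state cannot be probed byte by byte.
    if not hmac.compare_digest(query.get("state", ""), pending.state):
        raise ValueError("state mismatch: callback is not bound to a login we started")
    code = query.get("code")
    if not code:
        raise ValueError("missing authorization code")
    return code


def token_request_body(pending: PendingLogin, code: str, client_id: str, redirect_uri: str) -> dict:
    """Form body for the token endpoint. Any client secret is attached by the
    transport/secret layer, keeping secret-manager coupling out of flow logic."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_verifier": pending.code_verifier,
    }


def check_id_token_nonce(pending: PendingLogin, claims: dict) -> None:
    """Run after signature, iss, aud and exp have been verified by a JWT library."""
    if not hmac.compare_digest(claims.get("nonce", ""), pending.nonce):
        raise ValueError("nonce mismatch: id_token was not issued for this login")


def session_cookie(name: str, value: str, cookie_domain: str, max_age_seconds: int) -> str:
    """Set-Cookie value for a session shared by all subdomains of cookie_domain.
    Domain= is what makes the cookie cross-subdomain; it also rules out the
    __Host- prefix (which forbids Domain), so use __Secure- for the name instead."""
    return (f"{name}={value}; Domain={cookie_domain}; Path=/; Max-Age={max_age_seconds}; "
            "Secure; HttpOnly; SameSite=Lax")
```

The cookie value is meant to be an opaque session id resolved by the BFF, not a token the browser could read; `SameSite=Lax` is chosen over `Strict` so the top-level redirect back from the provider still carries the session.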