# Thalos BFF Identity Boundary

## Purpose

Keep thalos-bff as an edge adapter layer that consumes thalos-service and adopted identity capability contracts.

## BFF Responsibilities

- Edge contract handling
- Service client adaptation
- Correlation/tracing propagation
- Single active edge protocol policy enforcement (`rest`)
- Provider metadata propagation (`InternalJwt`, `AzureAd`, `Google`)

## Prohibited

- Direct DAL access
- Identity policy decision ownership
- Identity persistence concerns