merge(thalos-dal): integrate provider adapters baseline

2026-02-25 14:31:53 -06:00 · 2026-02-25 14:31:53 -06:00 · db497944a7
commit db497944a7
parent 3f83efec42 2d3f939e8f
27 changed files with 718 additions and 8 deletions
--- a/docs/architecture/dal-domain-alignment.md
+++ b/docs/architecture/dal-domain-alignment.md
@ -0,0 +1,13 @@
 # Thalos DAL Domain Alignment
 ## Goal
 Align DAL with thalos-domain abstractions while keeping DAL technical.
 ## DAL Responsibilities
 - Identity persistence and retrieval
 - Technical data translation
 - Provider/repository boundaries
 ## Prohibited
 - Identity policy decision ownership
 - Service orchestration concerns
--- a/docs/dal/identity-provider-boundaries.md
+++ b/docs/dal/identity-provider-boundaries.md
@ -16,3 +16,7 @@
 - Provider boundaries remain internal to Thalos DAL.
 - DAL interfaces expose only transport-neutral contracts and read ports.
 - Identity abstractions remain Thalos-owned.
 - Runtime provider routes currently support:
  - `InternalJwt`
  - `AzureAd`
  - `Google`
--- a/docs/migration/dal-port-alignment-map.md
+++ b/docs/migration/dal-port-alignment-map.md
@ -0,0 +1,6 @@
 # Thalos DAL Port Alignment Map
 ## Alignment Areas
 - DAL read/write ports map to domain contracts.
 - Technical DTO translation remains in DAL adapters.
 - Domain policy semantics are not reimplemented in DAL.
--- a/docs/migration/technical-mapping-rules.md
+++ b/docs/migration/technical-mapping-rules.md
@ -0,0 +1,6 @@
 # Thalos DAL Technical Mapping Rules
 ## Rules
 - Mapping logic remains technical and deterministic.
 - No policy evaluation branching in DAL mapping layer.
 - Correlation and metadata pass-through remains unchanged.
--- a/src/Thalos.DAL/Adapters/IdentityDalGrpcContractAdapter.cs
+++ b/src/Thalos.DAL/Adapters/IdentityDalGrpcContractAdapter.cs
@ -0,0 +1,47 @@
 using Core.Blueprint.Common.Runtime;
 using Thalos.DAL.Contracts;
 using Thalos.DAL.Grpc;
 namespace Thalos.DAL.Adapters;
 /// <summary>
 /// Default adapter implementation for DAL gRPC contract translation.
 /// </summary>
 public sealed class IdentityDalGrpcContractAdapter(IBlueprintSystemClock clock) : IIdentityDalGrpcContractAdapter
 {
    /// <inheritdoc />
    public IdentityPolicyDalGrpcContract ToGrpcPolicyRequest(IdentityPolicyLookupRequest request)
    {
        return new IdentityPolicyDalGrpcContract(request.SubjectId, request.TenantId, request.PermissionCode);
    }
    /// <inheritdoc />
    public IdentityPolicyLookupRequest FromGrpcPolicyRequest(IdentityPolicyDalGrpcContract contract)
    {
        return new IdentityPolicyLookupRequest(
            CreateEnvelope(),
            contract.SubjectId,
            contract.TenantId,
            contract.PermissionCode);
    }
    /// <inheritdoc />
    public IdentityTokenDalGrpcContract ToGrpcTokenRequest(IdentityTokenLookupRequest request)
    {
        return new IdentityTokenDalGrpcContract(request.SubjectId, request.TenantId);
    }
    /// <inheritdoc />
    public IdentityTokenLookupRequest FromGrpcTokenRequest(IdentityTokenDalGrpcContract contract)
    {
        return new IdentityTokenLookupRequest(
            CreateEnvelope(),
            contract.SubjectId,
            contract.TenantId);
    }
    private IdentityContractEnvelope CreateEnvelope()
    {
        return new IdentityContractEnvelope("1.0.0", $"corr-{clock.UtcNow:yyyyMMddHHmmssfff}");
    }
 }
--- a/src/Thalos.DAL/Contracts/IdentityPermissionRecord.cs
+++ b/src/Thalos.DAL/Contracts/IdentityPermissionRecord.cs
@ -1,3 +1,5 @@
 using BuildingBlock.Identity.Contracts.Conventions;
 namespace Thalos.DAL.Contracts;
 /// <summary>
@ -6,7 +8,9 @@ namespace Thalos.DAL.Contracts;
 /// <param name="Envelope">Contract envelope metadata.</param>
 /// <param name="PermissionCode">Permission code identifier.</param>
 /// <param name="SourceRoleCode">Role code that grants the permission.</param>
 /// <param name="Provider">Auth provider for the permission grant.</param>
 public sealed record IdentityPermissionRecord(
    IdentityContractEnvelope Envelope,
    string PermissionCode,
-    string SourceRoleCode);
+    string SourceRoleCode,
    IdentityAuthProvider Provider = IdentityAuthProvider.InternalJwt);
--- a/src/Thalos.DAL/Contracts/IdentityPermissionSetLookupRequest.cs
+++ b/src/Thalos.DAL/Contracts/IdentityPermissionSetLookupRequest.cs
@ -1,3 +1,5 @@
 using BuildingBlock.Identity.Contracts.Conventions;
 namespace Thalos.DAL.Contracts;
 /// <summary>
@ -6,7 +8,9 @@ namespace Thalos.DAL.Contracts;
 /// <param name="Envelope">Contract envelope metadata.</param>
 /// <param name="SubjectId">Identity subject identifier.</param>
 /// <param name="TenantId">Tenant scope identifier.</param>
 /// <param name="Provider">Auth provider for the lookup flow.</param>
 public sealed record IdentityPermissionSetLookupRequest(
    IdentityContractEnvelope Envelope,
    string SubjectId,
-    string TenantId);
+    string TenantId,
    IdentityAuthProvider Provider = IdentityAuthProvider.InternalJwt);
--- a/src/Thalos.DAL/Contracts/IdentityPolicyLookupRequest.cs
+++ b/src/Thalos.DAL/Contracts/IdentityPolicyLookupRequest.cs
@ -1,3 +1,5 @@
 using BuildingBlock.Identity.Contracts.Conventions;
 namespace Thalos.DAL.Contracts;
 /// <summary>
@ -7,8 +9,10 @@ namespace Thalos.DAL.Contracts;
 /// <param name="SubjectId">Identity subject identifier.</param>
 /// <param name="TenantId">Tenant scope identifier.</param>
 /// <param name="PermissionCode">Permission code to evaluate.</param>
 /// <param name="Provider">Auth provider for the lookup flow.</param>
 public sealed record IdentityPolicyLookupRequest(
    IdentityContractEnvelope Envelope,
    string SubjectId,
    string TenantId,
-    string PermissionCode);
+    string PermissionCode,
    IdentityAuthProvider Provider = IdentityAuthProvider.InternalJwt);
--- a/src/Thalos.DAL/Contracts/IdentityPolicyRecord.cs
+++ b/src/Thalos.DAL/Contracts/IdentityPolicyRecord.cs
@ -1,3 +1,5 @@
 using BuildingBlock.Identity.Contracts.Conventions;
 namespace Thalos.DAL.Contracts;
 /// <summary>
@ -7,8 +9,10 @@ namespace Thalos.DAL.Contracts;
 /// <param name="SubjectId">Identity subject identifier.</param>
 /// <param name="PermissionCode">Permission code evaluated.</param>
 /// <param name="ContextSatisfied">Indicates whether policy context is satisfied.</param>
 /// <param name="Provider">Auth provider used for policy evaluation.</param>
 public sealed record IdentityPolicyRecord(
    IdentityContractEnvelope Envelope,
    string SubjectId,
    string PermissionCode,
-    bool ContextSatisfied);
+    bool ContextSatisfied,
    IdentityAuthProvider Provider = IdentityAuthProvider.InternalJwt);
--- a/src/Thalos.DAL/Contracts/IdentityTokenLookupRequest.cs
+++ b/src/Thalos.DAL/Contracts/IdentityTokenLookupRequest.cs
@ -1,3 +1,5 @@
 using BuildingBlock.Identity.Contracts.Conventions;
 namespace Thalos.DAL.Contracts;
 /// <summary>
@ -6,4 +8,11 @@ namespace Thalos.DAL.Contracts;
 /// <param name="Envelope">Contract envelope metadata.</param>
 /// <param name="SubjectId">Identity subject identifier.</param>
 /// <param name="TenantId">Tenant scope identifier.</param>
-public sealed record IdentityTokenLookupRequest(IdentityContractEnvelope Envelope, string SubjectId, string TenantId);
+/// <param name="Provider">Auth provider for the lookup flow.</param>
 /// <param name="ExternalToken">External provider token when applicable.</param>
 public sealed record IdentityTokenLookupRequest(
    IdentityContractEnvelope Envelope,
    string SubjectId,
    string TenantId,
    IdentityAuthProvider Provider = IdentityAuthProvider.InternalJwt,
    string ExternalToken = "");
--- a/src/Thalos.DAL/Contracts/IdentityTokenRecord.cs
+++ b/src/Thalos.DAL/Contracts/IdentityTokenRecord.cs
@ -1,3 +1,5 @@
 using BuildingBlock.Identity.Contracts.Conventions;
 namespace Thalos.DAL.Contracts;
 /// <summary>
@ -8,9 +10,11 @@ namespace Thalos.DAL.Contracts;
 /// <param name="TenantId">Tenant scope identifier.</param>
 /// <param name="Token">Issued access token value.</param>
 /// <param name="ExpiresInSeconds">Token expiration in seconds.</param>
 /// <param name="Provider">Auth provider used for token issuance.</param>
 public sealed record IdentityTokenRecord(
    IdentityContractEnvelope Envelope,
    string SubjectId,
    string TenantId,
    string Token,
-    int ExpiresInSeconds);
+    int ExpiresInSeconds,
    IdentityAuthProvider Provider = IdentityAuthProvider.InternalJwt);
--- a/src/Thalos.DAL/Contracts/IdentityUserLookupRequest.cs
+++ b/src/Thalos.DAL/Contracts/IdentityUserLookupRequest.cs
@ -1,3 +1,5 @@
 using BuildingBlock.Identity.Contracts.Conventions;
 namespace Thalos.DAL.Contracts;
 /// <summary>
@ -5,4 +7,12 @@ namespace Thalos.DAL.Contracts;
 /// </summary>
 /// <param name="Envelope">Contract envelope metadata.</param>
 /// <param name="SubjectId">Identity subject identifier.</param>
-public sealed record IdentityUserLookupRequest(IdentityContractEnvelope Envelope, string SubjectId);
+/// <param name="TenantId">Tenant identifier.</param>
 /// <param name="Provider">Auth provider for the lookup flow.</param>
 /// <param name="ExternalToken">External provider token when applicable.</param>
 public sealed record IdentityUserLookupRequest(
    IdentityContractEnvelope Envelope,
    string SubjectId,
    string TenantId,
    IdentityAuthProvider Provider = IdentityAuthProvider.InternalJwt,
    string ExternalToken = "");
--- a/src/Thalos.DAL/Contracts/IdentityUserRecord.cs
+++ b/src/Thalos.DAL/Contracts/IdentityUserRecord.cs
@ -7,8 +7,14 @@ namespace Thalos.DAL.Contracts;
 /// <param name="SubjectId">Identity subject identifier.</param>
 /// <param name="TenantId">Tenant scope identifier.</param>
 /// <param name="Status">Current user status.</param>
 /// <param name="Token">Persisted token projection for subject/tenant.</param>
 /// <param name="ExpiresInSeconds">Persisted token expiration in seconds.</param>
 /// <param name="ContextSatisfied">Persisted policy context projection.</param>
 public sealed record IdentityUserRecord(
    IdentityContractEnvelope Envelope,
    string SubjectId,
    string TenantId,
-    string Status);
+    string Status,
    string Token,
    int ExpiresInSeconds,
    bool ContextSatisfied);
--- a/src/Thalos.DAL/DependencyInjection/ThalosDalServiceCollectionExtensions.cs
+++ b/src/Thalos.DAL/DependencyInjection/ThalosDalServiceCollectionExtensions.cs
@ -0,0 +1,46 @@
 using Core.Blueprint.Common.DependencyInjection;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.DependencyInjection.Extensions;
 using Thalos.DAL.Adapters;
 using Thalos.DAL.Health;
 using Thalos.DAL.Providers;
 using Thalos.DAL.Providers.InMemory;
 using Thalos.DAL.Repositories;
 namespace Thalos.DAL.DependencyInjection;
 /// <summary>
 /// Registers thalos dal runtime provider, repository, and adapter implementations.
 /// </summary>
 public static class ThalosDalServiceCollectionExtensions
 {
    /// <summary>
    /// Adds thalos dal runtime implementations aligned with blueprint runtime core.
    /// </summary>
    /// <param name="services">Service collection.</param>
    /// <returns>Service collection for fluent chaining.</returns>
    public static IServiceCollection AddThalosDalRuntime(this IServiceCollection services)
    {
        services.AddBlueprintRuntimeCore();
        services.TryAddSingleton<InternalJwtUserDataProvider>();
        services.TryAddSingleton<AzureAdUserDataProvider>();
        services.TryAddSingleton<GoogleUserDataProvider>();
        services.TryAddSingleton<IUserDataProvider, RoutedUserDataProvider>();
        services.TryAddSingleton<InternalJwtPermissionDataProvider>();
        services.TryAddSingleton<AzureAdPermissionDataProvider>();
        services.TryAddSingleton<GooglePermissionDataProvider>();
        services.TryAddSingleton<IPermissionDataProvider, RoutedPermissionDataProvider>();
        services.TryAddSingleton<IRoleDataProvider, InMemoryRoleDataProvider>();
        services.TryAddSingleton<IModuleDataProvider, InMemoryModuleDataProvider>();
        services.TryAddSingleton<ITenantDataProvider, InMemoryTenantDataProvider>();
        services.TryAddSingleton<IIdentityRepository, IdentityRepository>();
        services.TryAddSingleton<IIdentityDalGrpcContractAdapter, IdentityDalGrpcContractAdapter>();
        services.TryAddSingleton<IDalDependencyHealthCheck, DalDependencyHealthCheck>();
        return services;
    }
 }
--- a/src/Thalos.DAL/Health/DalDependencyHealthCheck.cs
+++ b/src/Thalos.DAL/Health/DalDependencyHealthCheck.cs
@ -0,0 +1,27 @@
 using Core.Blueprint.Common.Runtime;
 using Thalos.DAL.Contracts;
 namespace Thalos.DAL.Health;
 /// <summary>
 /// Default DAL dependency health check implementation.
 /// </summary>
 public sealed class DalDependencyHealthCheck(IBlueprintSystemClock clock) : IDalDependencyHealthCheck
 {
    /// <inheritdoc />
    public Task<DalDependencyHealthStatus> CheckAsync(CancellationToken cancellationToken = default)
    {
        var envelope = new IdentityContractEnvelope("1.0.0", $"corr-{clock.UtcNow:yyyyMMddHHmmssfff}");
        IReadOnlyList<string> dependencyNames =
        [
            "IUserDataProvider",
            "IRoleDataProvider",
            "IPermissionDataProvider",
            "IModuleDataProvider",
            "ITenantDataProvider"
        ];
        var status = new DalDependencyHealthStatus(envelope, true, dependencyNames);
        return Task.FromResult(status);
    }
 }
--- a/src/Thalos.DAL/Providers/InMemory/InMemoryModuleDataProvider.cs
+++ b/src/Thalos.DAL/Providers/InMemory/InMemoryModuleDataProvider.cs
@ -0,0 +1,22 @@
 using Thalos.DAL.Contracts;
 namespace Thalos.DAL.Providers.InMemory;
 /// <summary>
 /// In-memory provider for identity module lookup contracts.
 /// </summary>
 public sealed class InMemoryModuleDataProvider : IModuleDataProvider
 {
    /// <inheritdoc />
    public Task<IReadOnlyList<IdentityModuleRecord>> ReadModulesAsync(
        IdentityModuleLookupRequest request,
        CancellationToken cancellationToken = default)
    {
        IReadOnlyList<IdentityModuleRecord> records =
        [
            new IdentityModuleRecord(request.Envelope, "identity", true)
        ];
        return Task.FromResult(records);
    }
 }
--- a/src/Thalos.DAL/Providers/InMemory/InMemoryPermissionDataProvider.cs
+++ b/src/Thalos.DAL/Providers/InMemory/InMemoryPermissionDataProvider.cs
@ -0,0 +1,23 @@
 using Thalos.DAL.Contracts;
 namespace Thalos.DAL.Providers.InMemory;
 /// <summary>
 /// In-memory provider for identity permission lookup contracts.
 /// </summary>
 public sealed class InMemoryPermissionDataProvider : IPermissionDataProvider
 {
    /// <inheritdoc />
    public Task<IReadOnlyList<IdentityPermissionRecord>> ReadPermissionsAsync(
        IdentityPermissionSetLookupRequest request,
        CancellationToken cancellationToken = default)
    {
        IReadOnlyList<IdentityPermissionRecord> records =
        [
            new IdentityPermissionRecord(request.Envelope, "identity.token.issue", "identity.admin"),
            new IdentityPermissionRecord(request.Envelope, "identity.policy.evaluate", "identity.admin")
        ];
        return Task.FromResult(records);
    }
 }
--- a/src/Thalos.DAL/Providers/InMemory/InMemoryRoleDataProvider.cs
+++ b/src/Thalos.DAL/Providers/InMemory/InMemoryRoleDataProvider.cs
@ -0,0 +1,22 @@
 using Thalos.DAL.Contracts;
 namespace Thalos.DAL.Providers.InMemory;
 /// <summary>
 /// In-memory provider for identity role lookup contracts.
 /// </summary>
 public sealed class InMemoryRoleDataProvider : IRoleDataProvider
 {
    /// <inheritdoc />
    public Task<IReadOnlyList<IdentityRoleRecord>> ReadRolesAsync(
        IdentityRoleLookupRequest request,
        CancellationToken cancellationToken = default)
    {
        IReadOnlyList<IdentityRoleRecord> records =
        [
            new IdentityRoleRecord(request.Envelope, "identity.admin", request.TenantId)
        ];
        return Task.FromResult(records);
    }
 }
--- a/src/Thalos.DAL/Providers/InMemory/InMemoryTenantDataProvider.cs
+++ b/src/Thalos.DAL/Providers/InMemory/InMemoryTenantDataProvider.cs
@ -0,0 +1,23 @@
 using Thalos.DAL.Contracts;
 namespace Thalos.DAL.Providers.InMemory;
 /// <summary>
 /// In-memory provider for identity tenant lookup contracts.
 /// </summary>
 public sealed class InMemoryTenantDataProvider : ITenantDataProvider
 {
    /// <inheritdoc />
    public Task<IdentityTenantRecord?> ReadTenantAsync(
        IdentityTenantLookupRequest request,
        CancellationToken cancellationToken = default)
    {
        var record = new IdentityTenantRecord(
            request.Envelope,
            request.TenantId,
            $"tenant-{request.TenantId}",
            true);
        return Task.FromResult<IdentityTenantRecord?>(record);
    }
 }
--- a/src/Thalos.DAL/Providers/InMemory/InMemoryUserDataProvider.cs
+++ b/src/Thalos.DAL/Providers/InMemory/InMemoryUserDataProvider.cs
@ -0,0 +1,31 @@
 using Thalos.DAL.Contracts;
 namespace Thalos.DAL.Providers.InMemory;
 /// <summary>
 /// In-memory provider for identity user lookup contracts.
 /// </summary>
 public sealed class InMemoryUserDataProvider : IUserDataProvider
 {
    /// <inheritdoc />
    public Task<IdentityUserRecord?> ReadUserAsync(
        IdentityUserLookupRequest request,
        CancellationToken cancellationToken = default)
    {
        if (request.SubjectId.StartsWith("missing-", StringComparison.OrdinalIgnoreCase))
        {
            return Task.FromResult<IdentityUserRecord?>(null);
        }
        var record = new IdentityUserRecord(
            request.Envelope,
            request.SubjectId,
            request.TenantId,
            "active",
            $"{request.SubjectId}:{request.TenantId}:token",
            1800,
            true);
        return Task.FromResult<IdentityUserRecord?>(record);
    }
 }
--- a/src/Thalos.DAL/Providers/ProviderPermissionDataProviders.cs
+++ b/src/Thalos.DAL/Providers/ProviderPermissionDataProviders.cs
@ -0,0 +1,89 @@
 using BuildingBlock.Identity.Contracts.Conventions;
 using Thalos.DAL.Contracts;
 namespace Thalos.DAL.Providers;
 /// <summary>
 /// Internal JWT permission provider implementation.
 /// </summary>
 public sealed class InternalJwtPermissionDataProvider : IPermissionDataProvider
 {
    /// <inheritdoc />
    public Task<IReadOnlyList<IdentityPermissionRecord>> ReadPermissionsAsync(
        IdentityPermissionSetLookupRequest request,
        CancellationToken cancellationToken = default)
    {
        IReadOnlyList<IdentityPermissionRecord> records =
        [
            new IdentityPermissionRecord(request.Envelope, "identity.token.issue", "identity.admin", IdentityAuthProvider.InternalJwt),
            new IdentityPermissionRecord(request.Envelope, "identity.policy.evaluate", "identity.admin", IdentityAuthProvider.InternalJwt)
        ];
        return Task.FromResult(records);
    }
 }
 /// <summary>
 /// Azure AD permission provider implementation.
 /// </summary>
 public sealed class AzureAdPermissionDataProvider : IPermissionDataProvider
 {
    /// <inheritdoc />
    public Task<IReadOnlyList<IdentityPermissionRecord>> ReadPermissionsAsync(
        IdentityPermissionSetLookupRequest request,
        CancellationToken cancellationToken = default)
    {
        IReadOnlyList<IdentityPermissionRecord> records =
        [
            new IdentityPermissionRecord(request.Envelope, "identity.token.issue", "identity.azure.user", IdentityAuthProvider.AzureAd),
            new IdentityPermissionRecord(request.Envelope, "identity.policy.evaluate", "identity.azure.user", IdentityAuthProvider.AzureAd),
            new IdentityPermissionRecord(request.Envelope, "identity.oauth.exchange", "identity.azure.user", IdentityAuthProvider.AzureAd)
        ];
        return Task.FromResult(records);
    }
 }
 /// <summary>
 /// Google permission provider implementation.
 /// </summary>
 public sealed class GooglePermissionDataProvider : IPermissionDataProvider
 {
    /// <inheritdoc />
    public Task<IReadOnlyList<IdentityPermissionRecord>> ReadPermissionsAsync(
        IdentityPermissionSetLookupRequest request,
        CancellationToken cancellationToken = default)
    {
        IReadOnlyList<IdentityPermissionRecord> records =
        [
            new IdentityPermissionRecord(request.Envelope, "identity.token.issue", "identity.google.user", IdentityAuthProvider.Google),
            new IdentityPermissionRecord(request.Envelope, "identity.policy.evaluate", "identity.google.user", IdentityAuthProvider.Google),
            new IdentityPermissionRecord(request.Envelope, "identity.oauth.exchange", "identity.google.user", IdentityAuthProvider.Google)
        ];
        return Task.FromResult(records);
    }
 }
 /// <summary>
 /// Routes permission lookups to the matching provider implementation.
 /// </summary>
 public sealed class RoutedPermissionDataProvider(
    InternalJwtPermissionDataProvider internalJwtProvider,
    AzureAdPermissionDataProvider azureProvider,
    GooglePermissionDataProvider googleProvider) : IPermissionDataProvider
 {
    /// <inheritdoc />
    public Task<IReadOnlyList<IdentityPermissionRecord>> ReadPermissionsAsync(
        IdentityPermissionSetLookupRequest request,
        CancellationToken cancellationToken = default)
    {
        return request.Provider switch
        {
            IdentityAuthProvider.InternalJwt => internalJwtProvider.ReadPermissionsAsync(request, cancellationToken),
            IdentityAuthProvider.AzureAd => azureProvider.ReadPermissionsAsync(request, cancellationToken),
            IdentityAuthProvider.Google => googleProvider.ReadPermissionsAsync(request, cancellationToken),
            _ => Task.FromResult<IReadOnlyList<IdentityPermissionRecord>>([])
        };
    }
 }
--- a/src/Thalos.DAL/Providers/ProviderUserDataProviders.cs
+++ b/src/Thalos.DAL/Providers/ProviderUserDataProviders.cs
@ -0,0 +1,143 @@
 using BuildingBlock.Identity.Contracts.Conventions;
 using Thalos.DAL.Contracts;
 namespace Thalos.DAL.Providers;
 /// <summary>
 /// Internal JWT provider implementation for identity user reads.
 /// </summary>
 public sealed class InternalJwtUserDataProvider : IUserDataProvider
 {
    /// <inheritdoc />
    public Task<IdentityUserRecord?> ReadUserAsync(
        IdentityUserLookupRequest request,
        CancellationToken cancellationToken = default)
    {
        if (request.SubjectId.StartsWith("missing-", StringComparison.OrdinalIgnoreCase))
        {
            return Task.FromResult<IdentityUserRecord?>(null);
        }
        var record = new IdentityUserRecord(
            request.Envelope,
            request.SubjectId,
            request.TenantId,
            "active",
            $"{request.SubjectId}:{request.TenantId}:token",
            1800,
            true);
        return Task.FromResult<IdentityUserRecord?>(record);
    }
 }
 /// <summary>
 /// Azure AD provider implementation for identity user reads.
 /// </summary>
 public sealed class AzureAdUserDataProvider : IUserDataProvider
 {
    /// <inheritdoc />
    public Task<IdentityUserRecord?> ReadUserAsync(
        IdentityUserLookupRequest request,
        CancellationToken cancellationToken = default)
    {
        var subjectId = ResolveSubjectId(request, "azure-sub");
        if (string.IsNullOrWhiteSpace(subjectId))
        {
            return Task.FromResult<IdentityUserRecord?>(null);
        }
        var record = new IdentityUserRecord(
            request.Envelope,
            subjectId,
            request.TenantId,
            "active",
            $"azure:{subjectId}:{request.TenantId}:token",
            3600,
            true);
        return Task.FromResult<IdentityUserRecord?>(record);
    }
    private static string ResolveSubjectId(IdentityUserLookupRequest request, string prefix)
    {
        if (!string.IsNullOrWhiteSpace(request.SubjectId))
        {
            return request.SubjectId;
        }
        if (string.IsNullOrWhiteSpace(request.ExternalToken))
        {
            return string.Empty;
        }
        return $"{prefix}-{Math.Abs(request.ExternalToken.GetHashCode(StringComparison.Ordinal))}";
    }
 }
 /// <summary>
 /// Google provider implementation for identity user reads.
 /// </summary>
 public sealed class GoogleUserDataProvider : IUserDataProvider
 {
    /// <inheritdoc />
    public Task<IdentityUserRecord?> ReadUserAsync(
        IdentityUserLookupRequest request,
        CancellationToken cancellationToken = default)
    {
        var subjectId = ResolveSubjectId(request, "google-sub");
        if (string.IsNullOrWhiteSpace(subjectId))
        {
            return Task.FromResult<IdentityUserRecord?>(null);
        }
        var record = new IdentityUserRecord(
            request.Envelope,
            subjectId,
            request.TenantId,
            "active",
            $"google:{subjectId}:{request.TenantId}:token",
            3000,
            true);
        return Task.FromResult<IdentityUserRecord?>(record);
    }
    private static string ResolveSubjectId(IdentityUserLookupRequest request, string prefix)
    {
        if (!string.IsNullOrWhiteSpace(request.SubjectId))
        {
            return request.SubjectId;
        }
        if (string.IsNullOrWhiteSpace(request.ExternalToken))
        {
            return string.Empty;
        }
        return $"{prefix}-{Math.Abs(request.ExternalToken.GetHashCode(StringComparison.Ordinal))}";
    }
 }
 /// <summary>
 /// Routes user lookups to the matching provider implementation.
 /// </summary>
 public sealed class RoutedUserDataProvider(
    InternalJwtUserDataProvider internalJwtProvider,
    AzureAdUserDataProvider azureProvider,
    GoogleUserDataProvider googleProvider) : IUserDataProvider
 {
    /// <inheritdoc />
    public Task<IdentityUserRecord?> ReadUserAsync(
        IdentityUserLookupRequest request,
        CancellationToken cancellationToken = default)
    {
        return request.Provider switch
        {
            IdentityAuthProvider.InternalJwt => internalJwtProvider.ReadUserAsync(request, cancellationToken),
            IdentityAuthProvider.AzureAd => azureProvider.ReadUserAsync(request, cancellationToken),
            IdentityAuthProvider.Google => googleProvider.ReadUserAsync(request, cancellationToken),
            _ => Task.FromResult<IdentityUserRecord?>(null)
        };
    }
 }
--- a/src/Thalos.DAL/Repositories/IdentityRepository.cs
+++ b/src/Thalos.DAL/Repositories/IdentityRepository.cs
@ -0,0 +1,70 @@
 using Thalos.DAL.Contracts;
 using Thalos.DAL.Providers;
 namespace Thalos.DAL.Repositories;
 /// <summary>
 /// Default identity repository implementation composed from DAL providers.
 /// </summary>
 public sealed class IdentityRepository(
    IUserDataProvider userDataProvider,
    IPermissionDataProvider permissionDataProvider) : IIdentityRepository
 {
    /// <inheritdoc />
    public async Task<IdentityTokenRecord?> ReadIdentityTokenAsync(
        IdentityTokenLookupRequest request,
        CancellationToken cancellationToken = default)
    {
        var userRequest = new IdentityUserLookupRequest(
            request.Envelope,
            request.SubjectId,
            request.TenantId,
            request.Provider,
            request.ExternalToken);
        var userRecord = await userDataProvider.ReadUserAsync(userRequest, cancellationToken);
        if (userRecord is null)
        {
            return null;
        }
        return new IdentityTokenRecord(
            request.Envelope,
            userRecord.SubjectId,
            request.TenantId,
            userRecord.Token,
            userRecord.ExpiresInSeconds,
            request.Provider);
    }
    /// <inheritdoc />
    public async Task<IdentityPolicyRecord?> ReadIdentityPolicyAsync(
        IdentityPolicyLookupRequest request,
        CancellationToken cancellationToken = default)
    {
        var userRequest = new IdentityUserLookupRequest(
            request.Envelope,
            request.SubjectId,
            request.TenantId,
            request.Provider);
        var userRecord = await userDataProvider.ReadUserAsync(userRequest, cancellationToken);
        if (userRecord is null)
        {
            return null;
        }
        return new IdentityPolicyRecord(
            request.Envelope,
            userRecord.SubjectId,
            request.PermissionCode,
            userRecord.ContextSatisfied,
            request.Provider);
    }
    /// <inheritdoc />
    public Task<IReadOnlyList<IdentityPermissionRecord>> ReadPermissionSetAsync(
        IdentityPermissionSetLookupRequest request,
        CancellationToken cancellationToken = default)
    {
        return permissionDataProvider.ReadPermissionsAsync(request, cancellationToken);
    }
 }
--- a/src/Thalos.DAL/Thalos.DAL.csproj
+++ b/src/Thalos.DAL/Thalos.DAL.csproj
@ -5,6 +5,8 @@
    <Nullable>enable</Nullable>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="10.0.0" />
    <ProjectReference Include="..\..\..\building-block-identity\src\BuildingBlock.Identity.Contracts\BuildingBlock.Identity.Contracts.csproj" />
    <ProjectReference Include="..\..\..\blueprint-platform\src\Core.Blueprint.Common\Core.Blueprint.Common.csproj" />
  </ItemGroup>
 </Project>
--- a/tests/Thalos.DAL.UnitTests/ContractShapeTests.cs
+++ b/tests/Thalos.DAL.UnitTests/ContractShapeTests.cs
@ -16,6 +16,7 @@ public class ContractShapeTests
        Assert.Equal("user-1", request.SubjectId);
        Assert.Equal("tenant-1", request.TenantId);
        Assert.Equal("identity.token.issue", request.PermissionCode);
        Assert.Equal(BuildingBlock.Identity.Contracts.Conventions.IdentityAuthProvider.InternalJwt, request.Provider);
    }
    [Fact]
@ -30,6 +31,7 @@ public class ContractShapeTests
        Assert.Equal("tenant-1", record.TenantId);
        Assert.Equal("token-xyz", record.Token);
        Assert.Equal(1800, record.ExpiresInSeconds);
        Assert.Equal(BuildingBlock.Identity.Contracts.Conventions.IdentityAuthProvider.InternalJwt, record.Provider);
    }
    [Fact]
--- a/tests/Thalos.DAL.UnitTests/RuntimeWiringTests.cs
+++ b/tests/Thalos.DAL.UnitTests/RuntimeWiringTests.cs
@ -0,0 +1,88 @@
 using Microsoft.Extensions.DependencyInjection;
 using Thalos.DAL.Adapters;
 using Thalos.DAL.Contracts;
 using Thalos.DAL.DependencyInjection;
 using Thalos.DAL.Health;
 using Thalos.DAL.Repositories;
 namespace Thalos.DAL.UnitTests;
 public class RuntimeWiringTests
 {
    [Fact]
    public async Task AddThalosDalRuntime_WhenResolved_WiresRepositoryAndProviders()
    {
        var services = new ServiceCollection();
        services.AddThalosDalRuntime();
        using var provider = services.BuildServiceProvider();
        var repository = provider.GetRequiredService<IIdentityRepository>();
        var request = new IdentityTokenLookupRequest(
            new IdentityContractEnvelope("1.0.0", "corr-123"),
            "user-1",
            "tenant-1");
        var response = await repository.ReadIdentityTokenAsync(request);
        Assert.NotNull(response);
        Assert.Equal("user-1", response.SubjectId);
        Assert.Equal("tenant-1", response.TenantId);
        Assert.Equal(1800, response.ExpiresInSeconds);
        Assert.Equal(BuildingBlock.Identity.Contracts.Conventions.IdentityAuthProvider.InternalJwt, response.Provider);
    }
    [Fact]
    public async Task AddThalosDalRuntime_WhenExternalProviderUsed_ResolvesProviderSpecificToken()
    {
        var services = new ServiceCollection();
        services.AddThalosDalRuntime();
        using var provider = services.BuildServiceProvider();
        var repository = provider.GetRequiredService<IIdentityRepository>();
        var request = new IdentityTokenLookupRequest(
            new IdentityContractEnvelope("1.0.0", "corr-ext"),
            string.Empty,
            "tenant-2",
            BuildingBlock.Identity.Contracts.Conventions.IdentityAuthProvider.AzureAd,
            "external-azure-token");
        var response = await repository.ReadIdentityTokenAsync(request);
        Assert.NotNull(response);
        Assert.Equal(BuildingBlock.Identity.Contracts.Conventions.IdentityAuthProvider.AzureAd, response.Provider);
        Assert.StartsWith("azure:", response.Token);
    }
    [Fact]
    public void AddThalosDalRuntime_WhenResolved_WiresGrpcContractAdapter()
    {
        var services = new ServiceCollection();
        services.AddThalosDalRuntime();
        using var provider = services.BuildServiceProvider();
        var adapter = provider.GetRequiredService<IIdentityDalGrpcContractAdapter>();
        var grpcContract = new Thalos.DAL.Grpc.IdentityTokenDalGrpcContract("user-2", "tenant-2");
        var request = adapter.FromGrpcTokenRequest(grpcContract);
        Assert.Equal("user-2", request.SubjectId);
        Assert.Equal("tenant-2", request.TenantId);
        Assert.NotEmpty(request.Envelope.CorrelationId);
    }
    [Fact]
    public async Task AddThalosDalRuntime_WhenResolved_WiresDependencyHealthCheck()
    {
        var services = new ServiceCollection();
        services.AddThalosDalRuntime();
        using var provider = services.BuildServiceProvider();
        var healthCheck = provider.GetRequiredService<IDalDependencyHealthCheck>();
        var status = await healthCheck.CheckAsync();
        Assert.True(status.IsHealthy);
        Assert.Contains("IUserDataProvider", status.DependencyNames);
        Assert.Contains("IPermissionDataProvider", status.DependencyNames);
    }
 }
--- a/tests/Thalos.DAL.UnitTests/Thalos.DAL.UnitTests.csproj
+++ b/tests/Thalos.DAL.UnitTests/Thalos.DAL.UnitTests.csproj
@ -7,6 +7,7 @@
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="coverlet.collector" Version="6.0.4" />
    <PackageReference Include="Microsoft.Extensions.DependencyInjection" Version="10.0.0" />
    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.14.1" />
    <PackageReference Include="xunit" Version="2.9.3" />
    <PackageReference Include="xunit.runner.visualstudio" Version="3.1.4" />