merge(thalos-dal): integrate provider adapters baseline

2026-02-25 14:31:53 -06:00 · 2026-02-25 14:31:53 -06:00 · db497944a7
commit db497944a7
parent 3f83efec42 2d3f939e8f
27 changed files with 718 additions and 8 deletions
--- a/docs/architecture/dal-domain-alignment.md
+++ b/docs/architecture/dal-domain-alignment.md
@ -0,0 +1,13 @@
+# Thalos DAL Domain Alignment
+
+## Goal
+Align DAL with thalos-domain abstractions while keeping DAL technical.
+
+## DAL Responsibilities
+- Identity persistence and retrieval
+- Technical data translation
+- Provider/repository boundaries
+
+## Prohibited
+- Identity policy decision ownership
+- Service orchestration concerns
--- a/docs/dal/identity-provider-boundaries.md
+++ b/docs/dal/identity-provider-boundaries.md
@ -16,3 +16,7 @@
 - Provider boundaries remain internal to Thalos DAL.
 - DAL interfaces expose only transport-neutral contracts and read ports.
 - Identity abstractions remain Thalos-owned.
+- Runtime provider routes currently support:
+  - `InternalJwt`
+  - `AzureAd`
+  - `Google`
--- a/docs/migration/dal-port-alignment-map.md
+++ b/docs/migration/dal-port-alignment-map.md
@ -0,0 +1,6 @@
+# Thalos DAL Port Alignment Map
+
+## Alignment Areas
+- DAL read/write ports map to domain contracts.
+- Technical DTO translation remains in DAL adapters.
+- Domain policy semantics are not reimplemented in DAL.
--- a/docs/migration/technical-mapping-rules.md
+++ b/docs/migration/technical-mapping-rules.md
@ -0,0 +1,6 @@
+# Thalos DAL Technical Mapping Rules
+
+## Rules
+- Mapping logic remains technical and deterministic.
+- No policy evaluation branching in DAL mapping layer.
+- Correlation and metadata pass-through remains unchanged.
--- a/src/Thalos.DAL/Adapters/IdentityDalGrpcContractAdapter.cs
+++ b/src/Thalos.DAL/Adapters/IdentityDalGrpcContractAdapter.cs
@ -0,0 +1,47 @@
+using Core.Blueprint.Common.Runtime;
+using Thalos.DAL.Contracts;
+using Thalos.DAL.Grpc;
+
+namespace Thalos.DAL.Adapters;
+
+/// <summary>
+/// Default adapter implementation for DAL gRPC contract translation.
+/// </summary>
+public sealed class IdentityDalGrpcContractAdapter(IBlueprintSystemClock clock) : IIdentityDalGrpcContractAdapter
+{
+    /// <inheritdoc />
+    public IdentityPolicyDalGrpcContract ToGrpcPolicyRequest(IdentityPolicyLookupRequest request)
+    {
+        return new IdentityPolicyDalGrpcContract(request.SubjectId, request.TenantId, request.PermissionCode);
+    }
+
+    /// <inheritdoc />
+    public IdentityPolicyLookupRequest FromGrpcPolicyRequest(IdentityPolicyDalGrpcContract contract)
+    {
+        return new IdentityPolicyLookupRequest(
+            CreateEnvelope(),
+            contract.SubjectId,
+            contract.TenantId,
+            contract.PermissionCode);
+    }
+
+    /// <inheritdoc />
+    public IdentityTokenDalGrpcContract ToGrpcTokenRequest(IdentityTokenLookupRequest request)
+    {
+        return new IdentityTokenDalGrpcContract(request.SubjectId, request.TenantId);
+    }
+
+    /// <inheritdoc />
+    public IdentityTokenLookupRequest FromGrpcTokenRequest(IdentityTokenDalGrpcContract contract)
+    {
+        return new IdentityTokenLookupRequest(
+            CreateEnvelope(),
+            contract.SubjectId,
+            contract.TenantId);
+    }
+
+    private IdentityContractEnvelope CreateEnvelope()
+    {
+        return new IdentityContractEnvelope("1.0.0", $"corr-{clock.UtcNow:yyyyMMddHHmmssfff}");
+    }
+}
--- a/src/Thalos.DAL/Contracts/IdentityPermissionRecord.cs
+++ b/src/Thalos.DAL/Contracts/IdentityPermissionRecord.cs
@ -1,3 +1,5 @@
+using BuildingBlock.Identity.Contracts.Conventions;
+
 namespace Thalos.DAL.Contracts;

 /// <summary>
@ -6,7 +8,9 @@ namespace Thalos.DAL.Contracts;
 /// <param name="Envelope">Contract envelope metadata.</param>
 /// <param name="PermissionCode">Permission code identifier.</param>
 /// <param name="SourceRoleCode">Role code that grants the permission.</param>
+/// <param name="Provider">Auth provider for the permission grant.</param>
 public sealed record IdentityPermissionRecord(
    IdentityContractEnvelope Envelope,
    string PermissionCode,
-    string SourceRoleCode);
+    string SourceRoleCode,
+    IdentityAuthProvider Provider = IdentityAuthProvider.InternalJwt);
--- a/src/Thalos.DAL/Contracts/IdentityPermissionSetLookupRequest.cs
+++ b/src/Thalos.DAL/Contracts/IdentityPermissionSetLookupRequest.cs
@ -1,3 +1,5 @@
+using BuildingBlock.Identity.Contracts.Conventions;
+
 namespace Thalos.DAL.Contracts;

 /// <summary>
@ -6,7 +8,9 @@ namespace Thalos.DAL.Contracts;
 /// <param name="Envelope">Contract envelope metadata.</param>
 /// <param name="SubjectId">Identity subject identifier.</param>
 /// <param name="TenantId">Tenant scope identifier.</param>
+/// <param name="Provider">Auth provider for the lookup flow.</param>
 public sealed record IdentityPermissionSetLookupRequest(
    IdentityContractEnvelope Envelope,
    string SubjectId,
-    string TenantId);
+    string TenantId,
+    IdentityAuthProvider Provider = IdentityAuthProvider.InternalJwt);
--- a/src/Thalos.DAL/Contracts/IdentityPolicyLookupRequest.cs
+++ b/src/Thalos.DAL/Contracts/IdentityPolicyLookupRequest.cs
@ -1,3 +1,5 @@
+using BuildingBlock.Identity.Contracts.Conventions;
+
 namespace Thalos.DAL.Contracts;

 /// <summary>
@ -7,8 +9,10 @@ namespace Thalos.DAL.Contracts;
 /// <param name="SubjectId">Identity subject identifier.</param>
 /// <param name="TenantId">Tenant scope identifier.</param>
 /// <param name="PermissionCode">Permission code to evaluate.</param>
+/// <param name="Provider">Auth provider for the lookup flow.</param>
 public sealed record IdentityPolicyLookupRequest(
    IdentityContractEnvelope Envelope,
    string SubjectId,
    string TenantId,
-    string PermissionCode);
+    string PermissionCode,
+    IdentityAuthProvider Provider = IdentityAuthProvider.InternalJwt);
--- a/src/Thalos.DAL/Contracts/IdentityPolicyRecord.cs
+++ b/src/Thalos.DAL/Contracts/IdentityPolicyRecord.cs
@ -1,3 +1,5 @@
+using BuildingBlock.Identity.Contracts.Conventions;
+
 namespace Thalos.DAL.Contracts;

 /// <summary>
@ -7,8 +9,10 @@ namespace Thalos.DAL.Contracts;
 /// <param name="SubjectId">Identity subject identifier.</param>
 /// <param name="PermissionCode">Permission code evaluated.</param>
 /// <param name="ContextSatisfied">Indicates whether policy context is satisfied.</param>
+/// <param name="Provider">Auth provider used for policy evaluation.</param>
 public sealed record IdentityPolicyRecord(
    IdentityContractEnvelope Envelope,
    string SubjectId,
    string PermissionCode,
-    bool ContextSatisfied);
+    bool ContextSatisfied,
+    IdentityAuthProvider Provider = IdentityAuthProvider.InternalJwt);
--- a/src/Thalos.DAL/Contracts/IdentityTokenLookupRequest.cs
+++ b/src/Thalos.DAL/Contracts/IdentityTokenLookupRequest.cs
@ -1,3 +1,5 @@
+using BuildingBlock.Identity.Contracts.Conventions;
+
 namespace Thalos.DAL.Contracts;

 /// <summary>
@ -6,4 +8,11 @@ namespace Thalos.DAL.Contracts;
 /// <param name="Envelope">Contract envelope metadata.</param>
 /// <param name="SubjectId">Identity subject identifier.</param>
 /// <param name="TenantId">Tenant scope identifier.</param>
-public sealed record IdentityTokenLookupRequest(IdentityContractEnvelope Envelope, string SubjectId, string TenantId);
+/// <param name="Provider">Auth provider for the lookup flow.</param>
+/// <param name="ExternalToken">External provider token when applicable.</param>
+public sealed record IdentityTokenLookupRequest(
+    IdentityContractEnvelope Envelope,
+    string SubjectId,
+    string TenantId,
+    IdentityAuthProvider Provider = IdentityAuthProvider.InternalJwt,
+    string ExternalToken = "");
--- a/src/Thalos.DAL/Contracts/IdentityTokenRecord.cs
+++ b/src/Thalos.DAL/Contracts/IdentityTokenRecord.cs
@ -1,3 +1,5 @@
+using BuildingBlock.Identity.Contracts.Conventions;
+
 namespace Thalos.DAL.Contracts;

 /// <summary>
@ -8,9 +10,11 @@ namespace Thalos.DAL.Contracts;
 /// <param name="TenantId">Tenant scope identifier.</param>
 /// <param name="Token">Issued access token value.</param>
 /// <param name="ExpiresInSeconds">Token expiration in seconds.</param>
+/// <param name="Provider">Auth provider used for token issuance.</param>
 public sealed record IdentityTokenRecord(
    IdentityContractEnvelope Envelope,
    string SubjectId,
    string TenantId,
    string Token,
-    int ExpiresInSeconds);
+    int ExpiresInSeconds,
+    IdentityAuthProvider Provider = IdentityAuthProvider.InternalJwt);
--- a/src/Thalos.DAL/Contracts/IdentityUserLookupRequest.cs
+++ b/src/Thalos.DAL/Contracts/IdentityUserLookupRequest.cs
@ -1,3 +1,5 @@
+using BuildingBlock.Identity.Contracts.Conventions;
+
 namespace Thalos.DAL.Contracts;

 /// <summary>
@ -5,4 +7,12 @@ namespace Thalos.DAL.Contracts;
 /// </summary>
 /// <param name="Envelope">Contract envelope metadata.</param>
 /// <param name="SubjectId">Identity subject identifier.</param>
-public sealed record IdentityUserLookupRequest(IdentityContractEnvelope Envelope, string SubjectId);
+/// <param name="TenantId">Tenant identifier.</param>
+/// <param name="Provider">Auth provider for the lookup flow.</param>
+/// <param name="ExternalToken">External provider token when applicable.</param>
+public sealed record IdentityUserLookupRequest(
+    IdentityContractEnvelope Envelope,
+    string SubjectId,
+    string TenantId,
+    IdentityAuthProvider Provider = IdentityAuthProvider.InternalJwt,
+    string ExternalToken = "");
--- a/src/Thalos.DAL/Contracts/IdentityUserRecord.cs
+++ b/src/Thalos.DAL/Contracts/IdentityUserRecord.cs
@ -7,8 +7,14 @@ namespace Thalos.DAL.Contracts;
 /// <param name="SubjectId">Identity subject identifier.</param>
 /// <param name="TenantId">Tenant scope identifier.</param>
 /// <param name="Status">Current user status.</param>
+/// <param name="Token">Persisted token projection for subject/tenant.</param>
+/// <param name="ExpiresInSeconds">Persisted token expiration in seconds.</param>
+/// <param name="ContextSatisfied">Persisted policy context projection.</param>
 public sealed record IdentityUserRecord(
    IdentityContractEnvelope Envelope,
    string SubjectId,
    string TenantId,
-    string Status);
+    string Status,
+    string Token,
+    int ExpiresInSeconds,
+    bool ContextSatisfied);
--- a/src/Thalos.DAL/DependencyInjection/ThalosDalServiceCollectionExtensions.cs
+++ b/src/Thalos.DAL/DependencyInjection/ThalosDalServiceCollectionExtensions.cs
@ -0,0 +1,46 @@
+using Core.Blueprint.Common.DependencyInjection;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.DependencyInjection.Extensions;
+using Thalos.DAL.Adapters;
+using Thalos.DAL.Health;
+using Thalos.DAL.Providers;
+using Thalos.DAL.Providers.InMemory;
+using Thalos.DAL.Repositories;
+
+namespace Thalos.DAL.DependencyInjection;
+
+/// <summary>
+/// Registers thalos dal runtime provider, repository, and adapter implementations.
+/// </summary>
+public static class ThalosDalServiceCollectionExtensions
+{
+    /// <summary>
+    /// Adds thalos dal runtime implementations aligned with blueprint runtime core.
+    /// </summary>
+    /// <param name="services">Service collection.</param>
+    /// <returns>Service collection for fluent chaining.</returns>
+    public static IServiceCollection AddThalosDalRuntime(this IServiceCollection services)
+    {
+        services.AddBlueprintRuntimeCore();
+
+        services.TryAddSingleton<InternalJwtUserDataProvider>();
+        services.TryAddSingleton<AzureAdUserDataProvider>();
+        services.TryAddSingleton<GoogleUserDataProvider>();
+        services.TryAddSingleton<IUserDataProvider, RoutedUserDataProvider>();
+
+        services.TryAddSingleton<InternalJwtPermissionDataProvider>();
+        services.TryAddSingleton<AzureAdPermissionDataProvider>();
+        services.TryAddSingleton<GooglePermissionDataProvider>();
+        services.TryAddSingleton<IPermissionDataProvider, RoutedPermissionDataProvider>();
+
+        services.TryAddSingleton<IRoleDataProvider, InMemoryRoleDataProvider>();
+        services.TryAddSingleton<IModuleDataProvider, InMemoryModuleDataProvider>();
+        services.TryAddSingleton<ITenantDataProvider, InMemoryTenantDataProvider>();
+
+        services.TryAddSingleton<IIdentityRepository, IdentityRepository>();
+        services.TryAddSingleton<IIdentityDalGrpcContractAdapter, IdentityDalGrpcContractAdapter>();
+        services.TryAddSingleton<IDalDependencyHealthCheck, DalDependencyHealthCheck>();
+
+        return services;
+    }
+}
--- a/src/Thalos.DAL/Health/DalDependencyHealthCheck.cs
+++ b/src/Thalos.DAL/Health/DalDependencyHealthCheck.cs
@ -0,0 +1,27 @@
+using Core.Blueprint.Common.Runtime;
+using Thalos.DAL.Contracts;
+
+namespace Thalos.DAL.Health;
+
+/// <summary>
+/// Default DAL dependency health check implementation.
+/// </summary>
+public sealed class DalDependencyHealthCheck(IBlueprintSystemClock clock) : IDalDependencyHealthCheck
+{
+    /// <inheritdoc />
+    public Task<DalDependencyHealthStatus> CheckAsync(CancellationToken cancellationToken = default)
+    {
+        var envelope = new IdentityContractEnvelope("1.0.0", $"corr-{clock.UtcNow:yyyyMMddHHmmssfff}");
+        IReadOnlyList<string> dependencyNames =
+        [
+            "IUserDataProvider",
+            "IRoleDataProvider",
+            "IPermissionDataProvider",
+            "IModuleDataProvider",
+            "ITenantDataProvider"
+        ];
+
+        var status = new DalDependencyHealthStatus(envelope, true, dependencyNames);
+        return Task.FromResult(status);
+    }
+}
--- a/src/Thalos.DAL/Providers/InMemory/InMemoryModuleDataProvider.cs
+++ b/src/Thalos.DAL/Providers/InMemory/InMemoryModuleDataProvider.cs
@ -0,0 +1,22 @@
+using Thalos.DAL.Contracts;
+
+namespace Thalos.DAL.Providers.InMemory;
+
+/// <summary>
+/// In-memory provider for identity module lookup contracts.
+/// </summary>
+public sealed class InMemoryModuleDataProvider : IModuleDataProvider
+{
+    /// <inheritdoc />
+    public Task<IReadOnlyList<IdentityModuleRecord>> ReadModulesAsync(
+        IdentityModuleLookupRequest request,
+        CancellationToken cancellationToken = default)
+    {
+        IReadOnlyList<IdentityModuleRecord> records =
+        [
+            new IdentityModuleRecord(request.Envelope, "identity", true)
+        ];
+
+        return Task.FromResult(records);
+    }
+}
--- a/src/Thalos.DAL/Providers/InMemory/InMemoryPermissionDataProvider.cs
+++ b/src/Thalos.DAL/Providers/InMemory/InMemoryPermissionDataProvider.cs
@ -0,0 +1,23 @@
+using Thalos.DAL.Contracts;
+
+namespace Thalos.DAL.Providers.InMemory;
+
+/// <summary>
+/// In-memory provider for identity permission lookup contracts.
+/// </summary>
+public sealed class InMemoryPermissionDataProvider : IPermissionDataProvider
+{
+    /// <inheritdoc />
+    public Task<IReadOnlyList<IdentityPermissionRecord>> ReadPermissionsAsync(
+        IdentityPermissionSetLookupRequest request,
+        CancellationToken cancellationToken = default)
+    {
+        IReadOnlyList<IdentityPermissionRecord> records =
+        [
+            new IdentityPermissionRecord(request.Envelope, "identity.token.issue", "identity.admin"),
+            new IdentityPermissionRecord(request.Envelope, "identity.policy.evaluate", "identity.admin")
+        ];
+
+        return Task.FromResult(records);
+    }
+}
--- a/src/Thalos.DAL/Providers/InMemory/InMemoryRoleDataProvider.cs
+++ b/src/Thalos.DAL/Providers/InMemory/InMemoryRoleDataProvider.cs
@ -0,0 +1,22 @@
+using Thalos.DAL.Contracts;
+
+namespace Thalos.DAL.Providers.InMemory;
+
+/// <summary>
+/// In-memory provider for identity role lookup contracts.
+/// </summary>
+public sealed class InMemoryRoleDataProvider : IRoleDataProvider
+{
+    /// <inheritdoc />
+    public Task<IReadOnlyList<IdentityRoleRecord>> ReadRolesAsync(
+        IdentityRoleLookupRequest request,
+        CancellationToken cancellationToken = default)
+    {
+        IReadOnlyList<IdentityRoleRecord> records =
+        [
+            new IdentityRoleRecord(request.Envelope, "identity.admin", request.TenantId)
+        ];
+
+        return Task.FromResult(records);
+    }
+}
--- a/src/Thalos.DAL/Providers/InMemory/InMemoryTenantDataProvider.cs
+++ b/src/Thalos.DAL/Providers/InMemory/InMemoryTenantDataProvider.cs
@ -0,0 +1,23 @@
+using Thalos.DAL.Contracts;
+
+namespace Thalos.DAL.Providers.InMemory;
+
+/// <summary>
+/// In-memory provider for identity tenant lookup contracts.
+/// </summary>
+public sealed class InMemoryTenantDataProvider : ITenantDataProvider
+{
+    /// <inheritdoc />
+    public Task<IdentityTenantRecord?> ReadTenantAsync(
+        IdentityTenantLookupRequest request,
+        CancellationToken cancellationToken = default)
+    {
+        var record = new IdentityTenantRecord(
+            request.Envelope,
+            request.TenantId,
+            $"tenant-{request.TenantId}",
+            true);
+
+        return Task.FromResult<IdentityTenantRecord?>(record);
+    }
+}
--- a/src/Thalos.DAL/Providers/InMemory/InMemoryUserDataProvider.cs
+++ b/src/Thalos.DAL/Providers/InMemory/InMemoryUserDataProvider.cs
@ -0,0 +1,31 @@
+using Thalos.DAL.Contracts;
+
+namespace Thalos.DAL.Providers.InMemory;
+
+/// <summary>
+/// In-memory provider for identity user lookup contracts.
+/// </summary>
+public sealed class InMemoryUserDataProvider : IUserDataProvider
+{
+    /// <inheritdoc />
+    public Task<IdentityUserRecord?> ReadUserAsync(
+        IdentityUserLookupRequest request,
+        CancellationToken cancellationToken = default)
+    {
+        if (request.SubjectId.StartsWith("missing-", StringComparison.OrdinalIgnoreCase))
+        {
+            return Task.FromResult<IdentityUserRecord?>(null);
+        }
+
+        var record = new IdentityUserRecord(
+            request.Envelope,
+            request.SubjectId,
+            request.TenantId,
+            "active",
+            $"{request.SubjectId}:{request.TenantId}:token",
+            1800,
+            true);
+
+        return Task.FromResult<IdentityUserRecord?>(record);
+    }
+}
--- a/src/Thalos.DAL/Providers/ProviderPermissionDataProviders.cs
+++ b/src/Thalos.DAL/Providers/ProviderPermissionDataProviders.cs
@ -0,0 +1,89 @@
+using BuildingBlock.Identity.Contracts.Conventions;
+using Thalos.DAL.Contracts;
+
+namespace Thalos.DAL.Providers;
+
+/// <summary>
+/// Internal JWT permission provider implementation.
+/// </summary>
+public sealed class InternalJwtPermissionDataProvider : IPermissionDataProvider
+{
+    /// <inheritdoc />
+    public Task<IReadOnlyList<IdentityPermissionRecord>> ReadPermissionsAsync(
+        IdentityPermissionSetLookupRequest request,
+        CancellationToken cancellationToken = default)
+    {
+        IReadOnlyList<IdentityPermissionRecord> records =
+        [
+            new IdentityPermissionRecord(request.Envelope, "identity.token.issue", "identity.admin", IdentityAuthProvider.InternalJwt),
+            new IdentityPermissionRecord(request.Envelope, "identity.policy.evaluate", "identity.admin", IdentityAuthProvider.InternalJwt)
+        ];
+
+        return Task.FromResult(records);
+    }
+}
+
+/// <summary>
+/// Azure AD permission provider implementation.
+/// </summary>
+public sealed class AzureAdPermissionDataProvider : IPermissionDataProvider
+{
+    /// <inheritdoc />
+    public Task<IReadOnlyList<IdentityPermissionRecord>> ReadPermissionsAsync(
+        IdentityPermissionSetLookupRequest request,
+        CancellationToken cancellationToken = default)
+    {
+        IReadOnlyList<IdentityPermissionRecord> records =
+        [
+            new IdentityPermissionRecord(request.Envelope, "identity.token.issue", "identity.azure.user", IdentityAuthProvider.AzureAd),
+            new IdentityPermissionRecord(request.Envelope, "identity.policy.evaluate", "identity.azure.user", IdentityAuthProvider.AzureAd),
+            new IdentityPermissionRecord(request.Envelope, "identity.oauth.exchange", "identity.azure.user", IdentityAuthProvider.AzureAd)
+        ];
+
+        return Task.FromResult(records);
+    }
+}
+
+/// <summary>
+/// Google permission provider implementation.
+/// </summary>
+public sealed class GooglePermissionDataProvider : IPermissionDataProvider
+{
+    /// <inheritdoc />
+    public Task<IReadOnlyList<IdentityPermissionRecord>> ReadPermissionsAsync(
+        IdentityPermissionSetLookupRequest request,
+        CancellationToken cancellationToken = default)
+    {
+        IReadOnlyList<IdentityPermissionRecord> records =
+        [
+            new IdentityPermissionRecord(request.Envelope, "identity.token.issue", "identity.google.user", IdentityAuthProvider.Google),
+            new IdentityPermissionRecord(request.Envelope, "identity.policy.evaluate", "identity.google.user", IdentityAuthProvider.Google),
+            new IdentityPermissionRecord(request.Envelope, "identity.oauth.exchange", "identity.google.user", IdentityAuthProvider.Google)
+        ];
+
+        return Task.FromResult(records);
+    }
+}
+
+/// <summary>
+/// Routes permission lookups to the matching provider implementation.
+/// </summary>
+public sealed class RoutedPermissionDataProvider(
+    InternalJwtPermissionDataProvider internalJwtProvider,
+    AzureAdPermissionDataProvider azureProvider,
+    GooglePermissionDataProvider googleProvider) : IPermissionDataProvider
+{
+    /// <inheritdoc />
+    public Task<IReadOnlyList<IdentityPermissionRecord>> ReadPermissionsAsync(
+        IdentityPermissionSetLookupRequest request,
+        CancellationToken cancellationToken = default)
+    {
+        return request.Provider switch
+        {
+            IdentityAuthProvider.InternalJwt => internalJwtProvider.ReadPermissionsAsync(request, cancellationToken),
+            IdentityAuthProvider.AzureAd => azureProvider.ReadPermissionsAsync(request, cancellationToken),
+            IdentityAuthProvider.Google => googleProvider.ReadPermissionsAsync(request, cancellationToken),
+            _ => Task.FromResult<IReadOnlyList<IdentityPermissionRecord>>([])
+        };
+    }
+}
--- a/src/Thalos.DAL/Providers/ProviderUserDataProviders.cs
+++ b/src/Thalos.DAL/Providers/ProviderUserDataProviders.cs
@ -0,0 +1,143 @@
+using BuildingBlock.Identity.Contracts.Conventions;
+using Thalos.DAL.Contracts;
+
+namespace Thalos.DAL.Providers;
+
+/// <summary>
+/// Internal JWT provider implementation for identity user reads.
+/// </summary>
+public sealed class InternalJwtUserDataProvider : IUserDataProvider
+{
+    /// <inheritdoc />
+    public Task<IdentityUserRecord?> ReadUserAsync(
+        IdentityUserLookupRequest request,
+        CancellationToken cancellationToken = default)
+    {
+        if (request.SubjectId.StartsWith("missing-", StringComparison.OrdinalIgnoreCase))
+        {
+            return Task.FromResult<IdentityUserRecord?>(null);
+        }
+
+        var record = new IdentityUserRecord(
+            request.Envelope,
+            request.SubjectId,
+            request.TenantId,
+            "active",
+            $"{request.SubjectId}:{request.TenantId}:token",
+            1800,
+            true);
+
+        return Task.FromResult<IdentityUserRecord?>(record);
+    }
+}
+
+/// <summary>
+/// Azure AD provider implementation for identity user reads.
+/// </summary>
+public sealed class AzureAdUserDataProvider : IUserDataProvider
+{
+    /// <inheritdoc />
+    public Task<IdentityUserRecord?> ReadUserAsync(
+        IdentityUserLookupRequest request,
+        CancellationToken cancellationToken = default)
+    {
+        var subjectId = ResolveSubjectId(request, "azure-sub");
+        if (string.IsNullOrWhiteSpace(subjectId))
+        {
+            return Task.FromResult<IdentityUserRecord?>(null);
+        }
+
+        var record = new IdentityUserRecord(
+            request.Envelope,
+            subjectId,
+            request.TenantId,
+            "active",
+            $"azure:{subjectId}:{request.TenantId}:token",
+            3600,
+            true);
+
+        return Task.FromResult<IdentityUserRecord?>(record);
+    }
+
+    private static string ResolveSubjectId(IdentityUserLookupRequest request, string prefix)
+    {
+        if (!string.IsNullOrWhiteSpace(request.SubjectId))
+        {
+            return request.SubjectId;
+        }
+
+        if (string.IsNullOrWhiteSpace(request.ExternalToken))
+        {
+            return string.Empty;
+        }
+
+        return $"{prefix}-{Math.Abs(request.ExternalToken.GetHashCode(StringComparison.Ordinal))}";
+    }
+}
+
+/// <summary>
+/// Google provider implementation for identity user reads.
+/// </summary>
+public sealed class GoogleUserDataProvider : IUserDataProvider
+{
+    /// <inheritdoc />
+    public Task<IdentityUserRecord?> ReadUserAsync(
+        IdentityUserLookupRequest request,
+        CancellationToken cancellationToken = default)
+    {
+        var subjectId = ResolveSubjectId(request, "google-sub");
+        if (string.IsNullOrWhiteSpace(subjectId))
+        {
+            return Task.FromResult<IdentityUserRecord?>(null);
+        }
+
+        var record = new IdentityUserRecord(
+            request.Envelope,
+            subjectId,
+            request.TenantId,
+            "active",
+            $"google:{subjectId}:{request.TenantId}:token",
+            3000,
+            true);
+
+        return Task.FromResult<IdentityUserRecord?>(record);
+    }
+
+    private static string ResolveSubjectId(IdentityUserLookupRequest request, string prefix)
+    {
+        if (!string.IsNullOrWhiteSpace(request.SubjectId))
+        {
+            return request.SubjectId;
+        }
+
+        if (string.IsNullOrWhiteSpace(request.ExternalToken))
+        {
+            return string.Empty;
+        }
+
+        return $"{prefix}-{Math.Abs(request.ExternalToken.GetHashCode(StringComparison.Ordinal))}";
+    }
+}
+
+/// <summary>
+/// Routes user lookups to the matching provider implementation.
+/// </summary>
+public sealed class RoutedUserDataProvider(
+    InternalJwtUserDataProvider internalJwtProvider,
+    AzureAdUserDataProvider azureProvider,
+    GoogleUserDataProvider googleProvider) : IUserDataProvider
+{
+    /// <inheritdoc />
+    public Task<IdentityUserRecord?> ReadUserAsync(
+        IdentityUserLookupRequest request,
+        CancellationToken cancellationToken = default)
+    {
+        return request.Provider switch
+        {
+            IdentityAuthProvider.InternalJwt => internalJwtProvider.ReadUserAsync(request, cancellationToken),
+            IdentityAuthProvider.AzureAd => azureProvider.ReadUserAsync(request, cancellationToken),
+            IdentityAuthProvider.Google => googleProvider.ReadUserAsync(request, cancellationToken),
+            _ => Task.FromResult<IdentityUserRecord?>(null)
+        };
+    }
+}
--- a/src/Thalos.DAL/Repositories/IdentityRepository.cs
+++ b/src/Thalos.DAL/Repositories/IdentityRepository.cs
@ -0,0 +1,70 @@
+using Thalos.DAL.Contracts;
+using Thalos.DAL.Providers;
+
+namespace Thalos.DAL.Repositories;
+
+/// <summary>
+/// Default identity repository implementation composed from DAL providers.
+/// </summary>
+public sealed class IdentityRepository(
+    IUserDataProvider userDataProvider,
+    IPermissionDataProvider permissionDataProvider) : IIdentityRepository
+{
+    /// <inheritdoc />
+    public async Task<IdentityTokenRecord?> ReadIdentityTokenAsync(
+        IdentityTokenLookupRequest request,
+        CancellationToken cancellationToken = default)
+    {
+        var userRequest = new IdentityUserLookupRequest(
+            request.Envelope,
+            request.SubjectId,
+            request.TenantId,
+            request.Provider,
+            request.ExternalToken);
+        var userRecord = await userDataProvider.ReadUserAsync(userRequest, cancellationToken);
+        if (userRecord is null)
+        {
+            return null;
+        }
+
+        return new IdentityTokenRecord(
+            request.Envelope,
+            userRecord.SubjectId,
+            request.TenantId,
+            userRecord.Token,
+            userRecord.ExpiresInSeconds,
+            request.Provider);
+    }
+
+    /// <inheritdoc />
+    public async Task<IdentityPolicyRecord?> ReadIdentityPolicyAsync(
+        IdentityPolicyLookupRequest request,
+        CancellationToken cancellationToken = default)
+    {
+        var userRequest = new IdentityUserLookupRequest(
+            request.Envelope,
+            request.SubjectId,
+            request.TenantId,
+            request.Provider);
+        var userRecord = await userDataProvider.ReadUserAsync(userRequest, cancellationToken);
+        if (userRecord is null)
+        {
+            return null;
+        }
+
+        return new IdentityPolicyRecord(
+            request.Envelope,
+            userRecord.SubjectId,
+            request.PermissionCode,
+            userRecord.ContextSatisfied,
+            request.Provider);
+    }
+
+    /// <inheritdoc />
+    public Task<IReadOnlyList<IdentityPermissionRecord>> ReadPermissionSetAsync(
+        IdentityPermissionSetLookupRequest request,
+        CancellationToken cancellationToken = default)
+    {
+        return permissionDataProvider.ReadPermissionsAsync(request, cancellationToken);
+    }
+}
--- a/src/Thalos.DAL/Thalos.DAL.csproj
+++ b/src/Thalos.DAL/Thalos.DAL.csproj
@ -5,6 +5,8 @@
    <Nullable>enable</Nullable>
  </PropertyGroup>
  <ItemGroup>
+    <PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="10.0.0" />
+    <ProjectReference Include="..\..\..\building-block-identity\src\BuildingBlock.Identity.Contracts\BuildingBlock.Identity.Contracts.csproj" />
    <ProjectReference Include="..\..\..\blueprint-platform\src\Core.Blueprint.Common\Core.Blueprint.Common.csproj" />
  </ItemGroup>
 </Project>
--- a/tests/Thalos.DAL.UnitTests/ContractShapeTests.cs
+++ b/tests/Thalos.DAL.UnitTests/ContractShapeTests.cs
@ -16,6 +16,7 @@ public class ContractShapeTests
        Assert.Equal("user-1", request.SubjectId);
        Assert.Equal("tenant-1", request.TenantId);
        Assert.Equal("identity.token.issue", request.PermissionCode);
+        Assert.Equal(BuildingBlock.Identity.Contracts.Conventions.IdentityAuthProvider.InternalJwt, request.Provider);
    }

    [Fact]
@ -30,6 +31,7 @@ public class ContractShapeTests
        Assert.Equal("tenant-1", record.TenantId);
        Assert.Equal("token-xyz", record.Token);
        Assert.Equal(1800, record.ExpiresInSeconds);
+        Assert.Equal(BuildingBlock.Identity.Contracts.Conventions.IdentityAuthProvider.InternalJwt, record.Provider);
    }

    [Fact]
--- a/tests/Thalos.DAL.UnitTests/RuntimeWiringTests.cs
+++ b/tests/Thalos.DAL.UnitTests/RuntimeWiringTests.cs
@ -0,0 +1,88 @@
+using Microsoft.Extensions.DependencyInjection;
+using Thalos.DAL.Adapters;
+using Thalos.DAL.Contracts;
+using Thalos.DAL.DependencyInjection;
+using Thalos.DAL.Health;
+using Thalos.DAL.Repositories;
+
+namespace Thalos.DAL.UnitTests;
+
+public class RuntimeWiringTests
+{
+    [Fact]
+    public async Task AddThalosDalRuntime_WhenResolved_WiresRepositoryAndProviders()
+    {
+        var services = new ServiceCollection();
+        services.AddThalosDalRuntime();
+
+        using var provider = services.BuildServiceProvider();
+        var repository = provider.GetRequiredService<IIdentityRepository>();
+        var request = new IdentityTokenLookupRequest(
+            new IdentityContractEnvelope("1.0.0", "corr-123"),
+            "user-1",
+            "tenant-1");
+
+        var response = await repository.ReadIdentityTokenAsync(request);
+
+        Assert.NotNull(response);
+        Assert.Equal("user-1", response.SubjectId);
+        Assert.Equal("tenant-1", response.TenantId);
+        Assert.Equal(1800, response.ExpiresInSeconds);
+        Assert.Equal(BuildingBlock.Identity.Contracts.Conventions.IdentityAuthProvider.InternalJwt, response.Provider);
+    }
+
+    [Fact]
+    public async Task AddThalosDalRuntime_WhenExternalProviderUsed_ResolvesProviderSpecificToken()
+    {
+        var services = new ServiceCollection();
+        services.AddThalosDalRuntime();
+
+        using var provider = services.BuildServiceProvider();
+        var repository = provider.GetRequiredService<IIdentityRepository>();
+        var request = new IdentityTokenLookupRequest(
+            new IdentityContractEnvelope("1.0.0", "corr-ext"),
+            string.Empty,
+            "tenant-2",
+            BuildingBlock.Identity.Contracts.Conventions.IdentityAuthProvider.AzureAd,
+            "external-azure-token");
+
+        var response = await repository.ReadIdentityTokenAsync(request);
+
+        Assert.NotNull(response);
+        Assert.Equal(BuildingBlock.Identity.Contracts.Conventions.IdentityAuthProvider.AzureAd, response.Provider);
+        Assert.StartsWith("azure:", response.Token);
+    }
+
+    [Fact]
+    public void AddThalosDalRuntime_WhenResolved_WiresGrpcContractAdapter()
+    {
+        var services = new ServiceCollection();
+        services.AddThalosDalRuntime();
+
+        using var provider = services.BuildServiceProvider();
+        var adapter = provider.GetRequiredService<IIdentityDalGrpcContractAdapter>();
+        var grpcContract = new Thalos.DAL.Grpc.IdentityTokenDalGrpcContract("user-2", "tenant-2");
+
+        var request = adapter.FromGrpcTokenRequest(grpcContract);
+
+        Assert.Equal("user-2", request.SubjectId);
+        Assert.Equal("tenant-2", request.TenantId);
+        Assert.NotEmpty(request.Envelope.CorrelationId);
+    }
+
+    [Fact]
+    public async Task AddThalosDalRuntime_WhenResolved_WiresDependencyHealthCheck()
+    {
+        var services = new ServiceCollection();
+        services.AddThalosDalRuntime();
+
+        using var provider = services.BuildServiceProvider();
+        var healthCheck = provider.GetRequiredService<IDalDependencyHealthCheck>();
+
+        var status = await healthCheck.CheckAsync();
+
+        Assert.True(status.IsHealthy);
+        Assert.Contains("IUserDataProvider", status.DependencyNames);
+        Assert.Contains("IPermissionDataProvider", status.DependencyNames);
+    }
+}
--- a/tests/Thalos.DAL.UnitTests/Thalos.DAL.UnitTests.csproj
+++ b/tests/Thalos.DAL.UnitTests/Thalos.DAL.UnitTests.csproj
@ -7,6 +7,7 @@
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="coverlet.collector" Version="6.0.4" />
+    <PackageReference Include="Microsoft.Extensions.DependencyInjection" Version="10.0.0" />
    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.14.1" />
    <PackageReference Include="xunit" Version="2.9.3" />
    <PackageReference Include="xunit.runner.visualstudio" Version="3.1.4" />