chore(thalos-dal): checkpoint pending development updates

.dockerignore

@@ -0,0 +1,9 @@
+**/bin/
+**/obj/
+.vs/
+TestResults/
+.git/
+.repo-tasks/
+.repo-context/
+.tasks/
+.agile/

.gitignore

@@ -1,53 +1,23 @@
-# AgileWebs local orchestration
+# Repository orchestration folders (local only)
+.repo-tasks/
+.repo-context/
 .tasks/
 .agile/
 
-# Build artifacts
+# .NET build outputs
-**/[Bb]in/
+**/bin/
-**/[Oo]bj/
+**/obj/
-/**/out/
-/**/artifacts/
-
-# IDE and editor files
 .vs/
-.idea/
+TestResults/
-.vscode/
+**/TestResults/
-*.suo
 *.user
-*.userosscache
+*.suo
-*.sln.docstates
 *.rsuser
-*.swp
-*.swo
 
-# NuGet
+# IDE
+.idea/
+
+# Package artifacts
 *.nupkg
 *.snupkg
-**/packages/*
+artifacts/
-!**/packages/build/
-
-# Test output
-**/TestResults/
-*.trx
-*.coverage
-*.coveragexml
-
-# Logs
-*.log
-logs/
-
-# Local environment files
-.env
-.env.*
-!.env.example
-
-# Docker
-.docker/
-**/.docker/
-*.pid
-docker-compose.override.yml
-docker-compose.*.override.yml
-
-# OS files
-.DS_Store
-Thumbs.db

Dockerfile

@@ -0,0 +1,20 @@
+# syntax=docker/dockerfile:1.7
+ARG SDK_IMAGE=mcr.microsoft.com/dotnet/sdk:10.0
+ARG RUNTIME_IMAGE=mcr.microsoft.com/dotnet/aspnet:10.0
+
+FROM ${SDK_IMAGE} AS build
+ARG NUGET_FEED_URL=https://gitea.dream-views.com/api/packages/AgileWebs/nuget/index.json
+ARG NUGET_FEED_USERNAME=
+ARG NUGET_FEED_TOKEN=
+WORKDIR /src
+COPY . .
+RUN if [ -n "$NUGET_FEED_USERNAME" ] && [ -n "$NUGET_FEED_TOKEN" ]; then dotnet nuget add source "$NUGET_FEED_URL" --name gitea-org --username "$NUGET_FEED_USERNAME" --password "$NUGET_FEED_TOKEN" --store-password-in-clear-text --allow-insecure-connections --configfile /root/.nuget/NuGet/NuGet.Config; fi
+RUN dotnet restore "src/Thalos.DAL.Host/Thalos.DAL.Host.csproj" --configfile /root/.nuget/NuGet/NuGet.Config
+RUN dotnet publish "src/Thalos.DAL.Host/Thalos.DAL.Host.csproj" -c Release -o /app/publish /p:UseAppHost=false --no-restore
+
+FROM ${RUNTIME_IMAGE} AS runtime
+WORKDIR /app
+ENV ASPNETCORE_URLS=http://+:8080     ASPNETCORE_ENVIRONMENT=Production
+EXPOSE 8080
+COPY --from=build /app/publish .
+ENTRYPOINT ["dotnet", "Thalos.DAL.Host.dll"]

Thalos.DAL.slnx

@@ -1,5 +1,6 @@
 <Solution>
   <Folder Name="/src/">
+    <Project Path="src/Thalos.DAL.Host/Thalos.DAL.Host.csproj" />
     <Project Path="src/Thalos.DAL/Thalos.DAL.csproj" />
   </Folder>
   <Folder Name="/tests/">

docs/architecture/dal-domain-alignment.md

@@ -0,0 +1,13 @@
+# Thalos DAL Domain Alignment
+
+## Goal
+Align DAL with thalos-domain abstractions while keeping DAL technical.
+
+## DAL Responsibilities
+- Identity persistence and retrieval
+- Technical data translation
+- Provider/repository boundaries
+
+## Prohibited
+- Identity policy decision ownership
+- Service orchestration concerns

docs/dal/identity-provider-boundaries.md

@@ -16,3 +16,7 @@
 - Provider boundaries remain internal to Thalos DAL.
 - DAL interfaces expose only transport-neutral contracts and read ports.
 - Identity abstractions remain Thalos-owned.
+- Runtime provider routes currently support:
+  - `InternalJwt`
+  - `AzureAd`
+  - `Google`

docs/dal/package-consumption-baseline.md

@@ -0,0 +1,26 @@
+# Thalos DAL Package Consumption Baseline
+
+## Objective
+
+Remove cross-repo source coupling from `Thalos.DAL` and consume shared contracts through NuGet packages.
+
+## Applied Baseline
+
+`Thalos.DAL.csproj` now consumes:
+
+- `BuildingBlock.Identity.Contracts` `0.2.0`
+- `Core.Blueprint.Common` `0.2.0`
+
+## Feed Configuration
+
+Repository-level `nuget.config` includes:
+
+- `gitea-org`: `https://gitea.dream-views.com/api/packages/AgileWebs/nuget/index.json`
+- `nuget.org`
+
+Because feed is currently HTTP, `allowInsecureConnections="true"` is required for the Gitea source.
+
+## Boundary Notes
+
+- No cross-repo `ProjectReference` remains in `src/Thalos.DAL/Thalos.DAL.csproj`.
+- DAL retains technical/provider ownership only.

docs/migration/dal-port-alignment-map.md

@@ -0,0 +1,6 @@
+# Thalos DAL Port Alignment Map
+
+## Alignment Areas
+- DAL read/write ports map to domain contracts.
+- Technical DTO translation remains in DAL adapters.
+- Domain policy semantics are not reimplemented in DAL.

docs/migration/technical-mapping-rules.md

@@ -0,0 +1,6 @@
+# Thalos DAL Technical Mapping Rules
+
+## Rules
+- Mapping logic remains technical and deterministic.
+- No policy evaluation branching in DAL mapping layer.
+- Correlation and metadata pass-through remains unchanged.

docs/runbooks/containerization.md

@@ -0,0 +1,23 @@
+# Containerization Runbook
+
+## Image Build
+
+```bash
+docker build   --build-arg NUGET_FEED_USERNAME=<gitea-login>   --build-arg NUGET_FEED_TOKEN=<gitea-token>   -t agilewebs/thalos-dal:dev .
+```
+
+## Local Run
+
+```bash
+docker run --rm -p 8080:8080 --name thalos-dal agilewebs/thalos-dal:dev
+```
+
+## Health Probe
+
+- Path: `/health`
+- Fallback path: `/healthz`
+- Port: `8080`
+
+## Runtime Notes
+
+- Exposes internal DAL lookup endpoints for identity token, policy, and permissions data.

nuget.config

@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="utf-8"?>
+<configuration>
+  <packageSources>
+    <clear />
+    <add key="gitea-org" value="https://gitea.dream-views.com/api/packages/AgileWebs/nuget/index.json" allowInsecureConnections="true" />
+    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
+  </packageSources>
+</configuration>

src/Thalos.DAL.Host/Program.cs

@@ -0,0 +1,71 @@
+using Microsoft.Extensions.Primitives;
+using Thalos.DAL.Contracts;
+using Thalos.DAL.DependencyInjection;
+using Thalos.DAL.Repositories;
+using IdentityAuthProvider = BuildingBlock.Identity.Contracts.Conventions.IdentityAuthProvider;
+
+const string CorrelationHeaderName = "x-correlation-id";
+const string ContractVersion = "v1";
+
+var builder = WebApplication.CreateBuilder(args);
+builder.Services.AddHealthChecks();
+builder.Services.AddThalosDalRuntime();
+
+var app = builder.Build();
+
+app.MapGet("/internal/thalos-dal/token", async (
+    string subjectId,
+    string tenantId,
+    string? externalToken,
+    IIdentityRepository repository,
+    HttpContext context,
+    CancellationToken ct) =>
+{
+    var envelope = new IdentityContractEnvelope(ContractVersion, ResolveCorrelationId(context));
+    var request = new IdentityTokenLookupRequest(envelope, subjectId, tenantId, IdentityAuthProvider.InternalJwt, externalToken ?? string.Empty);
+    var record = await repository.ReadIdentityTokenAsync(request, ct);
+    return record is null ? Results.NotFound() : Results.Ok(record);
+});
+
+app.MapGet("/internal/thalos-dal/policy", async (
+    string subjectId,
+    string tenantId,
+    string permissionCode,
+    IIdentityRepository repository,
+    HttpContext context,
+    CancellationToken ct) =>
+{
+    var envelope = new IdentityContractEnvelope(ContractVersion, ResolveCorrelationId(context));
+    var request = new IdentityPolicyLookupRequest(envelope, subjectId, tenantId, permissionCode);
+    var record = await repository.ReadIdentityPolicyAsync(request, ct);
+    return record is null ? Results.NotFound() : Results.Ok(record);
+});
+
+app.MapGet("/internal/thalos-dal/permissions", async (
+    string subjectId,
+    string tenantId,
+    IIdentityRepository repository,
+    HttpContext context,
+    CancellationToken ct) =>
+{
+    var envelope = new IdentityContractEnvelope(ContractVersion, ResolveCorrelationId(context));
+    var request = new IdentityPermissionSetLookupRequest(envelope, subjectId, tenantId);
+    var records = await repository.ReadPermissionSetAsync(request, ct);
+    return Results.Ok(records);
+});
+
+app.MapHealthChecks("/health");
+app.MapHealthChecks("/healthz");
+
+app.Run();
+
+static string ResolveCorrelationId(HttpContext context)
+{
+    if (context.Request.Headers.TryGetValue(CorrelationHeaderName, out var headerValue) &&
+        !StringValues.IsNullOrEmpty(headerValue))
+    {
+        return headerValue.ToString();
+    }
+
+    return context.TraceIdentifier;
+}

src/Thalos.DAL.Host/Properties/launchSettings.json

@@ -0,0 +1,23 @@
+{
+  "$schema": "https://json.schemastore.org/launchsettings.json",
+  "profiles": {
+    "http": {
+      "commandName": "Project",
+      "dotnetRunMessages": true,
+      "launchBrowser": true,
+      "applicationUrl": "http://localhost:0",
+      "environmentVariables": {
+        "ASPNETCORE_ENVIRONMENT": "Development"
+      }
+    },
+    "https": {
+      "commandName": "Project",
+      "dotnetRunMessages": true,
+      "launchBrowser": true,
+      "applicationUrl": "https://localhost:0;http://localhost:0",
+      "environmentVariables": {
+        "ASPNETCORE_ENVIRONMENT": "Development"
+      }
+    }
+  }
+}

src/Thalos.DAL.Host/Thalos.DAL.Host.csproj

@@ -0,0 +1,13 @@
+<Project Sdk="Microsoft.NET.Sdk.Web">
+
+  <PropertyGroup>
+    <TargetFramework>net10.0</TargetFramework>
+    <Nullable>enable</Nullable>
+    <ImplicitUsings>enable</ImplicitUsings>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="..\Thalos.DAL\Thalos.DAL.csproj" />
+  </ItemGroup>
+
+</Project>

src/Thalos.DAL.Host/appsettings.Development.json

@@ -0,0 +1,8 @@
+{
+  "Logging": {
+    "LogLevel": {
+      "Default": "Information",
+      "Microsoft.AspNetCore": "Warning"
+    }
+  }
+}

src/Thalos.DAL.Host/appsettings.json

@@ -0,0 +1,9 @@
+{
+  "Logging": {
+    "LogLevel": {
+      "Default": "Information",
+      "Microsoft.AspNetCore": "Warning"
+    }
+  },
+  "AllowedHosts": "*"
+}

src/Thalos.DAL/Adapters/IdentityDalGrpcContractAdapter.cs

@@ -0,0 +1,47 @@
+using Core.Blueprint.Common.Runtime;
+using Thalos.DAL.Contracts;
+using Thalos.DAL.Grpc;
+
+namespace Thalos.DAL.Adapters;
+
+/// <summary>
+/// Default adapter implementation for DAL gRPC contract translation.
+/// </summary>
+public sealed class IdentityDalGrpcContractAdapter(IBlueprintSystemClock clock) : IIdentityDalGrpcContractAdapter
+{
+    /// <inheritdoc />
+    public IdentityPolicyDalGrpcContract ToGrpcPolicyRequest(IdentityPolicyLookupRequest request)
+    {
+        return new IdentityPolicyDalGrpcContract(request.SubjectId, request.TenantId, request.PermissionCode);
+    }
+
+    /// <inheritdoc />
+    public IdentityPolicyLookupRequest FromGrpcPolicyRequest(IdentityPolicyDalGrpcContract contract)
+    {
+        return new IdentityPolicyLookupRequest(
+            CreateEnvelope(),
+            contract.SubjectId,
+            contract.TenantId,
+            contract.PermissionCode);
+    }
+
+    /// <inheritdoc />
+    public IdentityTokenDalGrpcContract ToGrpcTokenRequest(IdentityTokenLookupRequest request)
+    {
+        return new IdentityTokenDalGrpcContract(request.SubjectId, request.TenantId);
+    }
+
+    /// <inheritdoc />
+    public IdentityTokenLookupRequest FromGrpcTokenRequest(IdentityTokenDalGrpcContract contract)
+    {
+        return new IdentityTokenLookupRequest(
+            CreateEnvelope(),
+            contract.SubjectId,
+            contract.TenantId);
+    }
+
+    private IdentityContractEnvelope CreateEnvelope()
+    {
+        return new IdentityContractEnvelope("1.0.0", $"corr-{clock.UtcNow:yyyyMMddHHmmssfff}");
+    }
+}

src/Thalos.DAL/Contracts/IdentityPermissionRecord.cs

@@ -1,3 +1,5 @@
+using BuildingBlock.Identity.Contracts.Conventions;
+
 namespace Thalos.DAL.Contracts;
 
 /// <summary>
@@ -6,7 +8,9 @@ namespace Thalos.DAL.Contracts;
 /// <param name="Envelope">Contract envelope metadata.</param>
 /// <param name="PermissionCode">Permission code identifier.</param>
 /// <param name="SourceRoleCode">Role code that grants the permission.</param>
+/// <param name="Provider">Auth provider for the permission grant.</param>
 public sealed record IdentityPermissionRecord(
     IdentityContractEnvelope Envelope,
     string PermissionCode,
-    string SourceRoleCode);
+    string SourceRoleCode,
+    IdentityAuthProvider Provider = IdentityAuthProvider.InternalJwt);

src/Thalos.DAL/Contracts/IdentityPermissionSetLookupRequest.cs

@@ -1,3 +1,5 @@
+using BuildingBlock.Identity.Contracts.Conventions;
+
 namespace Thalos.DAL.Contracts;
 
 /// <summary>
@@ -6,7 +8,9 @@ namespace Thalos.DAL.Contracts;
 /// <param name="Envelope">Contract envelope metadata.</param>
 /// <param name="SubjectId">Identity subject identifier.</param>
 /// <param name="TenantId">Tenant scope identifier.</param>
+/// <param name="Provider">Auth provider for the lookup flow.</param>
 public sealed record IdentityPermissionSetLookupRequest(
     IdentityContractEnvelope Envelope,
     string SubjectId,
-    string TenantId);
+    string TenantId,
+    IdentityAuthProvider Provider = IdentityAuthProvider.InternalJwt);

src/Thalos.DAL/Contracts/IdentityPolicyLookupRequest.cs

@@ -1,3 +1,5 @@
+using BuildingBlock.Identity.Contracts.Conventions;
+
 namespace Thalos.DAL.Contracts;
 
 /// <summary>
@@ -7,8 +9,10 @@ namespace Thalos.DAL.Contracts;
 /// <param name="SubjectId">Identity subject identifier.</param>
 /// <param name="TenantId">Tenant scope identifier.</param>
 /// <param name="PermissionCode">Permission code to evaluate.</param>
+/// <param name="Provider">Auth provider for the lookup flow.</param>
 public sealed record IdentityPolicyLookupRequest(
     IdentityContractEnvelope Envelope,
     string SubjectId,
     string TenantId,
-    string PermissionCode);
+    string PermissionCode,
+    IdentityAuthProvider Provider = IdentityAuthProvider.InternalJwt);

src/Thalos.DAL/Contracts/IdentityPolicyRecord.cs

@@ -1,3 +1,5 @@
+using BuildingBlock.Identity.Contracts.Conventions;
+
 namespace Thalos.DAL.Contracts;
 
 /// <summary>
@@ -7,8 +9,10 @@ namespace Thalos.DAL.Contracts;
 /// <param name="SubjectId">Identity subject identifier.</param>
 /// <param name="PermissionCode">Permission code evaluated.</param>
 /// <param name="ContextSatisfied">Indicates whether policy context is satisfied.</param>
+/// <param name="Provider">Auth provider used for policy evaluation.</param>
 public sealed record IdentityPolicyRecord(
     IdentityContractEnvelope Envelope,
     string SubjectId,
     string PermissionCode,
-    bool ContextSatisfied);
+    bool ContextSatisfied,
+    IdentityAuthProvider Provider = IdentityAuthProvider.InternalJwt);

src/Thalos.DAL/Contracts/IdentityTokenLookupRequest.cs

@@ -1,3 +1,5 @@
+using BuildingBlock.Identity.Contracts.Conventions;
+
 namespace Thalos.DAL.Contracts;
 
 /// <summary>
@@ -6,4 +8,11 @@ namespace Thalos.DAL.Contracts;
 /// <param name="Envelope">Contract envelope metadata.</param>
 /// <param name="SubjectId">Identity subject identifier.</param>
 /// <param name="TenantId">Tenant scope identifier.</param>
-public sealed record IdentityTokenLookupRequest(IdentityContractEnvelope Envelope, string SubjectId, string TenantId);
+/// <param name="Provider">Auth provider for the lookup flow.</param>
+/// <param name="ExternalToken">External provider token when applicable.</param>
+public sealed record IdentityTokenLookupRequest(
+    IdentityContractEnvelope Envelope,
+    string SubjectId,
+    string TenantId,
+    IdentityAuthProvider Provider = IdentityAuthProvider.InternalJwt,
+    string ExternalToken = "");

src/Thalos.DAL/Contracts/IdentityTokenRecord.cs

@@ -1,3 +1,5 @@
+using BuildingBlock.Identity.Contracts.Conventions;
+
 namespace Thalos.DAL.Contracts;
 
 /// <summary>
@@ -8,9 +10,11 @@ namespace Thalos.DAL.Contracts;
 /// <param name="TenantId">Tenant scope identifier.</param>
 /// <param name="Token">Issued access token value.</param>
 /// <param name="ExpiresInSeconds">Token expiration in seconds.</param>
+/// <param name="Provider">Auth provider used for token issuance.</param>
 public sealed record IdentityTokenRecord(
     IdentityContractEnvelope Envelope,
     string SubjectId,
     string TenantId,
     string Token,
-    int ExpiresInSeconds);
+    int ExpiresInSeconds,
+    IdentityAuthProvider Provider = IdentityAuthProvider.InternalJwt);

src/Thalos.DAL/Contracts/IdentityUserLookupRequest.cs

@@ -1,3 +1,5 @@
+using BuildingBlock.Identity.Contracts.Conventions;
+
 namespace Thalos.DAL.Contracts;
 
 /// <summary>
@@ -5,4 +7,12 @@ namespace Thalos.DAL.Contracts;
 /// </summary>
 /// <param name="Envelope">Contract envelope metadata.</param>
 /// <param name="SubjectId">Identity subject identifier.</param>
-public sealed record IdentityUserLookupRequest(IdentityContractEnvelope Envelope, string SubjectId);
+/// <param name="TenantId">Tenant identifier.</param>
+/// <param name="Provider">Auth provider for the lookup flow.</param>
+/// <param name="ExternalToken">External provider token when applicable.</param>
+public sealed record IdentityUserLookupRequest(
+    IdentityContractEnvelope Envelope,
+    string SubjectId,
+    string TenantId,
+    IdentityAuthProvider Provider = IdentityAuthProvider.InternalJwt,
+    string ExternalToken = "");

src/Thalos.DAL/Contracts/IdentityUserRecord.cs

@@ -7,8 +7,14 @@ namespace Thalos.DAL.Contracts;
 /// <param name="SubjectId">Identity subject identifier.</param>
 /// <param name="TenantId">Tenant scope identifier.</param>
 /// <param name="Status">Current user status.</param>
+/// <param name="Token">Persisted token projection for subject/tenant.</param>
+/// <param name="ExpiresInSeconds">Persisted token expiration in seconds.</param>
+/// <param name="ContextSatisfied">Persisted policy context projection.</param>
 public sealed record IdentityUserRecord(
     IdentityContractEnvelope Envelope,
     string SubjectId,
     string TenantId,
-    string Status);
+    string Status,
+    string Token,
+    int ExpiresInSeconds,
+    bool ContextSatisfied);

src/Thalos.DAL/DependencyInjection/ThalosDalServiceCollectionExtensions.cs

@@ -0,0 +1,46 @@
+using Core.Blueprint.Common.DependencyInjection;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.DependencyInjection.Extensions;
+using Thalos.DAL.Adapters;
+using Thalos.DAL.Health;
+using Thalos.DAL.Providers;
+using Thalos.DAL.Providers.InMemory;
+using Thalos.DAL.Repositories;
+
+namespace Thalos.DAL.DependencyInjection;
+
+/// <summary>
+/// Registers thalos dal runtime provider, repository, and adapter implementations.
+/// </summary>
+public static class ThalosDalServiceCollectionExtensions
+{
+    /// <summary>
+    /// Adds thalos dal runtime implementations aligned with blueprint runtime core.
+    /// </summary>
+    /// <param name="services">Service collection.</param>
+    /// <returns>Service collection for fluent chaining.</returns>
+    public static IServiceCollection AddThalosDalRuntime(this IServiceCollection services)
+    {
+        services.AddBlueprintRuntimeCore();
+
+        services.TryAddSingleton<InternalJwtUserDataProvider>();
+        services.TryAddSingleton<AzureAdUserDataProvider>();
+        services.TryAddSingleton<GoogleUserDataProvider>();
+        services.TryAddSingleton<IUserDataProvider, RoutedUserDataProvider>();
+
+        services.TryAddSingleton<InternalJwtPermissionDataProvider>();
+        services.TryAddSingleton<AzureAdPermissionDataProvider>();
+        services.TryAddSingleton<GooglePermissionDataProvider>();
+        services.TryAddSingleton<IPermissionDataProvider, RoutedPermissionDataProvider>();
+
+        services.TryAddSingleton<IRoleDataProvider, InMemoryRoleDataProvider>();
+        services.TryAddSingleton<IModuleDataProvider, InMemoryModuleDataProvider>();
+        services.TryAddSingleton<ITenantDataProvider, InMemoryTenantDataProvider>();
+
+        services.TryAddSingleton<IIdentityRepository, IdentityRepository>();
+        services.TryAddSingleton<IIdentityDalGrpcContractAdapter, IdentityDalGrpcContractAdapter>();
+        services.TryAddSingleton<IDalDependencyHealthCheck, DalDependencyHealthCheck>();
+
+        return services;
+    }
+}

src/Thalos.DAL/Health/DalDependencyHealthCheck.cs

@@ -0,0 +1,27 @@
+using Core.Blueprint.Common.Runtime;
+using Thalos.DAL.Contracts;
+
+namespace Thalos.DAL.Health;
+
+/// <summary>
+/// Default DAL dependency health check implementation.
+/// </summary>
+public sealed class DalDependencyHealthCheck(IBlueprintSystemClock clock) : IDalDependencyHealthCheck
+{
+    /// <inheritdoc />
+    public Task<DalDependencyHealthStatus> CheckAsync(CancellationToken cancellationToken = default)
+    {
+        var envelope = new IdentityContractEnvelope("1.0.0", $"corr-{clock.UtcNow:yyyyMMddHHmmssfff}");
+        IReadOnlyList<string> dependencyNames =
+        [
+            "IUserDataProvider",
+            "IRoleDataProvider",
+            "IPermissionDataProvider",
+            "IModuleDataProvider",
+            "ITenantDataProvider"
+        ];
+
+        var status = new DalDependencyHealthStatus(envelope, true, dependencyNames);
+        return Task.FromResult(status);
+    }
+}

src/Thalos.DAL/Providers/InMemory/InMemoryModuleDataProvider.cs

@@ -0,0 +1,22 @@
+using Thalos.DAL.Contracts;
+
+namespace Thalos.DAL.Providers.InMemory;
+
+/// <summary>
+/// In-memory provider for identity module lookup contracts.
+/// </summary>
+public sealed class InMemoryModuleDataProvider : IModuleDataProvider
+{
+    /// <inheritdoc />
+    public Task<IReadOnlyList<IdentityModuleRecord>> ReadModulesAsync(
+        IdentityModuleLookupRequest request,
+        CancellationToken cancellationToken = default)
+    {
+        IReadOnlyList<IdentityModuleRecord> records =
+        [
+            new IdentityModuleRecord(request.Envelope, "identity", true)
+        ];
+
+        return Task.FromResult(records);
+    }
+}

src/Thalos.DAL/Providers/InMemory/InMemoryPermissionDataProvider.cs

@@ -0,0 +1,23 @@
+using Thalos.DAL.Contracts;
+
+namespace Thalos.DAL.Providers.InMemory;
+
+/// <summary>
+/// In-memory provider for identity permission lookup contracts.
+/// </summary>
+public sealed class InMemoryPermissionDataProvider : IPermissionDataProvider
+{
+    /// <inheritdoc />
+    public Task<IReadOnlyList<IdentityPermissionRecord>> ReadPermissionsAsync(
+        IdentityPermissionSetLookupRequest request,
+        CancellationToken cancellationToken = default)
+    {
+        IReadOnlyList<IdentityPermissionRecord> records =
+        [
+            new IdentityPermissionRecord(request.Envelope, "identity.token.issue", "identity.admin"),
+            new IdentityPermissionRecord(request.Envelope, "identity.policy.evaluate", "identity.admin")
+        ];
+
+        return Task.FromResult(records);
+    }
+}

src/Thalos.DAL/Providers/InMemory/InMemoryRoleDataProvider.cs

@@ -0,0 +1,22 @@
+using Thalos.DAL.Contracts;
+
+namespace Thalos.DAL.Providers.InMemory;
+
+/// <summary>
+/// In-memory provider for identity role lookup contracts.
+/// </summary>
+public sealed class InMemoryRoleDataProvider : IRoleDataProvider
+{
+    /// <inheritdoc />
+    public Task<IReadOnlyList<IdentityRoleRecord>> ReadRolesAsync(
+        IdentityRoleLookupRequest request,
+        CancellationToken cancellationToken = default)
+    {
+        IReadOnlyList<IdentityRoleRecord> records =
+        [
+            new IdentityRoleRecord(request.Envelope, "identity.admin", request.TenantId)
+        ];
+
+        return Task.FromResult(records);
+    }
+}

src/Thalos.DAL/Providers/InMemory/InMemoryTenantDataProvider.cs

@@ -0,0 +1,23 @@
+using Thalos.DAL.Contracts;
+
+namespace Thalos.DAL.Providers.InMemory;
+
+/// <summary>
+/// In-memory provider for identity tenant lookup contracts.
+/// </summary>
+public sealed class InMemoryTenantDataProvider : ITenantDataProvider
+{
+    /// <inheritdoc />
+    public Task<IdentityTenantRecord?> ReadTenantAsync(
+        IdentityTenantLookupRequest request,
+        CancellationToken cancellationToken = default)
+    {
+        var record = new IdentityTenantRecord(
+            request.Envelope,
+            request.TenantId,
+            $"tenant-{request.TenantId}",
+            true);
+
+        return Task.FromResult<IdentityTenantRecord?>(record);
+    }
+}

src/Thalos.DAL/Providers/InMemory/InMemoryUserDataProvider.cs

@@ -0,0 +1,31 @@
+using Thalos.DAL.Contracts;
+
+namespace Thalos.DAL.Providers.InMemory;
+
+/// <summary>
+/// In-memory provider for identity user lookup contracts.
+/// </summary>
+public sealed class InMemoryUserDataProvider : IUserDataProvider
+{
+    /// <inheritdoc />
+    public Task<IdentityUserRecord?> ReadUserAsync(
+        IdentityUserLookupRequest request,
+        CancellationToken cancellationToken = default)
+    {
+        if (request.SubjectId.StartsWith("missing-", StringComparison.OrdinalIgnoreCase))
+        {
+            return Task.FromResult<IdentityUserRecord?>(null);
+        }
+
+        var record = new IdentityUserRecord(
+            request.Envelope,
+            request.SubjectId,
+            request.TenantId,
+            "active",
+            $"{request.SubjectId}:{request.TenantId}:token",
+            1800,
+            true);
+
+        return Task.FromResult<IdentityUserRecord?>(record);
+    }
+}

src/Thalos.DAL/Providers/ProviderPermissionDataProviders.cs

@@ -0,0 +1,89 @@
+using BuildingBlock.Identity.Contracts.Conventions;
+using Thalos.DAL.Contracts;
+
+namespace Thalos.DAL.Providers;
+
+/// <summary>
+/// Internal JWT permission provider implementation.
+/// </summary>
+public sealed class InternalJwtPermissionDataProvider : IPermissionDataProvider
+{
+    /// <inheritdoc />
+    public Task<IReadOnlyList<IdentityPermissionRecord>> ReadPermissionsAsync(
+        IdentityPermissionSetLookupRequest request,
+        CancellationToken cancellationToken = default)
+    {
+        IReadOnlyList<IdentityPermissionRecord> records =
+        [
+            new IdentityPermissionRecord(request.Envelope, "identity.token.issue", "identity.admin", IdentityAuthProvider.InternalJwt),
+            new IdentityPermissionRecord(request.Envelope, "identity.policy.evaluate", "identity.admin", IdentityAuthProvider.InternalJwt)
+        ];
+
+        return Task.FromResult(records);
+    }
+}
+
+/// <summary>
+/// Azure AD permission provider implementation.
+/// </summary>
+public sealed class AzureAdPermissionDataProvider : IPermissionDataProvider
+{
+    /// <inheritdoc />
+    public Task<IReadOnlyList<IdentityPermissionRecord>> ReadPermissionsAsync(
+        IdentityPermissionSetLookupRequest request,
+        CancellationToken cancellationToken = default)
+    {
+        IReadOnlyList<IdentityPermissionRecord> records =
+        [
+            new IdentityPermissionRecord(request.Envelope, "identity.token.issue", "identity.azure.user", IdentityAuthProvider.AzureAd),
+            new IdentityPermissionRecord(request.Envelope, "identity.policy.evaluate", "identity.azure.user", IdentityAuthProvider.AzureAd),
+            new IdentityPermissionRecord(request.Envelope, "identity.oauth.exchange", "identity.azure.user", IdentityAuthProvider.AzureAd)
+        ];
+
+        return Task.FromResult(records);
+    }
+}
+
+/// <summary>
+/// Google permission provider implementation.
+/// </summary>
+public sealed class GooglePermissionDataProvider : IPermissionDataProvider
+{
+    /// <inheritdoc />
+    public Task<IReadOnlyList<IdentityPermissionRecord>> ReadPermissionsAsync(
+        IdentityPermissionSetLookupRequest request,
+        CancellationToken cancellationToken = default)
+    {
+        IReadOnlyList<IdentityPermissionRecord> records =
+        [
+            new IdentityPermissionRecord(request.Envelope, "identity.token.issue", "identity.google.user", IdentityAuthProvider.Google),
+            new IdentityPermissionRecord(request.Envelope, "identity.policy.evaluate", "identity.google.user", IdentityAuthProvider.Google),
+            new IdentityPermissionRecord(request.Envelope, "identity.oauth.exchange", "identity.google.user", IdentityAuthProvider.Google)
+        ];
+
+        return Task.FromResult(records);
+    }
+}
+
+/// <summary>
+/// Routes permission lookups to the matching provider implementation.
+/// </summary>
+public sealed class RoutedPermissionDataProvider(
+    InternalJwtPermissionDataProvider internalJwtProvider,
+    AzureAdPermissionDataProvider azureProvider,
+    GooglePermissionDataProvider googleProvider) : IPermissionDataProvider
+{
+    /// <inheritdoc />
+    public Task<IReadOnlyList<IdentityPermissionRecord>> ReadPermissionsAsync(
+        IdentityPermissionSetLookupRequest request,
+        CancellationToken cancellationToken = default)
+    {
+        return request.Provider switch
+        {
+            IdentityAuthProvider.InternalJwt => internalJwtProvider.ReadPermissionsAsync(request, cancellationToken),
+            IdentityAuthProvider.AzureAd => azureProvider.ReadPermissionsAsync(request, cancellationToken),
+            IdentityAuthProvider.Google => googleProvider.ReadPermissionsAsync(request, cancellationToken),
+            _ => Task.FromResult<IReadOnlyList<IdentityPermissionRecord>>([])
+        };
+    }
+}

src/Thalos.DAL/Providers/ProviderUserDataProviders.cs

@@ -0,0 +1,143 @@
+using BuildingBlock.Identity.Contracts.Conventions;
+using Thalos.DAL.Contracts;
+
+namespace Thalos.DAL.Providers;
+
+/// <summary>
+/// Internal JWT provider implementation for identity user reads.
+/// </summary>
+public sealed class InternalJwtUserDataProvider : IUserDataProvider
+{
+    /// <inheritdoc />
+    public Task<IdentityUserRecord?> ReadUserAsync(
+        IdentityUserLookupRequest request,
+        CancellationToken cancellationToken = default)
+    {
+        if (request.SubjectId.StartsWith("missing-", StringComparison.OrdinalIgnoreCase))
+        {
+            return Task.FromResult<IdentityUserRecord?>(null);
+        }
+
+        var record = new IdentityUserRecord(
+            request.Envelope,
+            request.SubjectId,
+            request.TenantId,
+            "active",
+            $"{request.SubjectId}:{request.TenantId}:token",
+            1800,
+            true);
+
+        return Task.FromResult<IdentityUserRecord?>(record);
+    }
+}
+
+/// <summary>
+/// Azure AD provider implementation for identity user reads.
+/// </summary>
+public sealed class AzureAdUserDataProvider : IUserDataProvider
+{
+    /// <inheritdoc />
+    public Task<IdentityUserRecord?> ReadUserAsync(
+        IdentityUserLookupRequest request,
+        CancellationToken cancellationToken = default)
+    {
+        var subjectId = ResolveSubjectId(request, "azure-sub");
+        if (string.IsNullOrWhiteSpace(subjectId))
+        {
+            return Task.FromResult<IdentityUserRecord?>(null);
+        }
+
+        var record = new IdentityUserRecord(
+            request.Envelope,
+            subjectId,
+            request.TenantId,
+            "active",
+            $"azure:{subjectId}:{request.TenantId}:token",
+            3600,
+            true);
+
+        return Task.FromResult<IdentityUserRecord?>(record);
+    }
+
+    private static string ResolveSubjectId(IdentityUserLookupRequest request, string prefix)
+    {
+        if (!string.IsNullOrWhiteSpace(request.SubjectId))
+        {
+            return request.SubjectId;
+        }
+
+        if (string.IsNullOrWhiteSpace(request.ExternalToken))
+        {
+            return string.Empty;
+        }
+
+        return $"{prefix}-{Math.Abs(request.ExternalToken.GetHashCode(StringComparison.Ordinal))}";
+    }
+}
+
+/// <summary>
+/// Google provider implementation for identity user reads.
+/// </summary>
+public sealed class GoogleUserDataProvider : IUserDataProvider
+{
+    /// <inheritdoc />
+    public Task<IdentityUserRecord?> ReadUserAsync(
+        IdentityUserLookupRequest request,
+        CancellationToken cancellationToken = default)
+    {
+        var subjectId = ResolveSubjectId(request, "google-sub");
+        if (string.IsNullOrWhiteSpace(subjectId))
+        {
+            return Task.FromResult<IdentityUserRecord?>(null);
+        }
+
+        var record = new IdentityUserRecord(
+            request.Envelope,
+            subjectId,
+            request.TenantId,
+            "active",
+            $"google:{subjectId}:{request.TenantId}:token",
+            3000,
+            true);
+
+        return Task.FromResult<IdentityUserRecord?>(record);
+    }
+
+    private static string ResolveSubjectId(IdentityUserLookupRequest request, string prefix)
+    {
+        if (!string.IsNullOrWhiteSpace(request.SubjectId))
+        {
+            return request.SubjectId;
+        }
+
+        if (string.IsNullOrWhiteSpace(request.ExternalToken))
+        {
+            return string.Empty;
+        }
+
+        return $"{prefix}-{Math.Abs(request.ExternalToken.GetHashCode(StringComparison.Ordinal))}";
+    }
+}
+
+/// <summary>
+/// Routes user lookups to the matching provider implementation.
+/// </summary>
+public sealed class RoutedUserDataProvider(
+    InternalJwtUserDataProvider internalJwtProvider,
+    AzureAdUserDataProvider azureProvider,
+    GoogleUserDataProvider googleProvider) : IUserDataProvider
+{
+    /// <inheritdoc />
+    public Task<IdentityUserRecord?> ReadUserAsync(
+        IdentityUserLookupRequest request,
+        CancellationToken cancellationToken = default)
+    {
+        return request.Provider switch
+        {
+            IdentityAuthProvider.InternalJwt => internalJwtProvider.ReadUserAsync(request, cancellationToken),
+            IdentityAuthProvider.AzureAd => azureProvider.ReadUserAsync(request, cancellationToken),
+            IdentityAuthProvider.Google => googleProvider.ReadUserAsync(request, cancellationToken),
+            _ => Task.FromResult<IdentityUserRecord?>(null)
+        };
+    }
+}

src/Thalos.DAL/Repositories/IdentityRepository.cs

@@ -0,0 +1,70 @@
+using Thalos.DAL.Contracts;
+using Thalos.DAL.Providers;
+
+namespace Thalos.DAL.Repositories;
+
+/// <summary>
+/// Default identity repository implementation composed from DAL providers.
+/// </summary>
+public sealed class IdentityRepository(
+    IUserDataProvider userDataProvider,
+    IPermissionDataProvider permissionDataProvider) : IIdentityRepository
+{
+    /// <inheritdoc />
+    public async Task<IdentityTokenRecord?> ReadIdentityTokenAsync(
+        IdentityTokenLookupRequest request,
+        CancellationToken cancellationToken = default)
+    {
+        var userRequest = new IdentityUserLookupRequest(
+            request.Envelope,
+            request.SubjectId,
+            request.TenantId,
+            request.Provider,
+            request.ExternalToken);
+        var userRecord = await userDataProvider.ReadUserAsync(userRequest, cancellationToken);
+        if (userRecord is null)
+        {
+            return null;
+        }
+
+        return new IdentityTokenRecord(
+            request.Envelope,
+            userRecord.SubjectId,
+            request.TenantId,
+            userRecord.Token,
+            userRecord.ExpiresInSeconds,
+            request.Provider);
+    }
+
+    /// <inheritdoc />
+    public async Task<IdentityPolicyRecord?> ReadIdentityPolicyAsync(
+        IdentityPolicyLookupRequest request,
+        CancellationToken cancellationToken = default)
+    {
+        var userRequest = new IdentityUserLookupRequest(
+            request.Envelope,
+            request.SubjectId,
+            request.TenantId,
+            request.Provider);
+        var userRecord = await userDataProvider.ReadUserAsync(userRequest, cancellationToken);
+        if (userRecord is null)
+        {
+            return null;
+        }
+
+        return new IdentityPolicyRecord(
+            request.Envelope,
+            userRecord.SubjectId,
+            request.PermissionCode,
+            userRecord.ContextSatisfied,
+            request.Provider);
+    }
+
+    /// <inheritdoc />
+    public Task<IReadOnlyList<IdentityPermissionRecord>> ReadPermissionSetAsync(
+        IdentityPermissionSetLookupRequest request,
+        CancellationToken cancellationToken = default)
+    {
+        return permissionDataProvider.ReadPermissionsAsync(request, cancellationToken);
+    }
+}

src/Thalos.DAL/Thalos.DAL.csproj

@@ -5,6 +5,8 @@
     <Nullable>enable</Nullable>
   </PropertyGroup>
   <ItemGroup>
-    <ProjectReference Include="..\..\..\blueprint-platform\src\Core.Blueprint.Common\Core.Blueprint.Common.csproj" />
+    <PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="10.0.0" />
+    <PackageReference Include="BuildingBlock.Identity.Contracts" Version="0.2.0" />
+    <PackageReference Include="Core.Blueprint.Common" Version="0.2.0" />
   </ItemGroup>
 </Project>

tests/Thalos.DAL.UnitTests/ContractShapeTests.cs

@@ -16,6 +16,7 @@ public class ContractShapeTests
         Assert.Equal("user-1", request.SubjectId);
         Assert.Equal("tenant-1", request.TenantId);
         Assert.Equal("identity.token.issue", request.PermissionCode);
+        Assert.Equal(BuildingBlock.Identity.Contracts.Conventions.IdentityAuthProvider.InternalJwt, request.Provider);
     }
 
     [Fact]
@@ -30,6 +31,7 @@ public class ContractShapeTests
         Assert.Equal("tenant-1", record.TenantId);
         Assert.Equal("token-xyz", record.Token);
         Assert.Equal(1800, record.ExpiresInSeconds);
+        Assert.Equal(BuildingBlock.Identity.Contracts.Conventions.IdentityAuthProvider.InternalJwt, record.Provider);
     }
 
     [Fact]

tests/Thalos.DAL.UnitTests/RuntimeWiringTests.cs

@@ -0,0 +1,88 @@
+using Microsoft.Extensions.DependencyInjection;
+using Thalos.DAL.Adapters;
+using Thalos.DAL.Contracts;
+using Thalos.DAL.DependencyInjection;
+using Thalos.DAL.Health;
+using Thalos.DAL.Repositories;
+
+namespace Thalos.DAL.UnitTests;
+
+public class RuntimeWiringTests
+{
+    [Fact]
+    public async Task AddThalosDalRuntime_WhenResolved_WiresRepositoryAndProviders()
+    {
+        var services = new ServiceCollection();
+        services.AddThalosDalRuntime();
+
+        using var provider = services.BuildServiceProvider();
+        var repository = provider.GetRequiredService<IIdentityRepository>();
+        var request = new IdentityTokenLookupRequest(
+            new IdentityContractEnvelope("1.0.0", "corr-123"),
+            "user-1",
+            "tenant-1");
+
+        var response = await repository.ReadIdentityTokenAsync(request);
+
+        Assert.NotNull(response);
+        Assert.Equal("user-1", response.SubjectId);
+        Assert.Equal("tenant-1", response.TenantId);
+        Assert.Equal(1800, response.ExpiresInSeconds);
+        Assert.Equal(BuildingBlock.Identity.Contracts.Conventions.IdentityAuthProvider.InternalJwt, response.Provider);
+    }
+
+    [Fact]
+    public async Task AddThalosDalRuntime_WhenExternalProviderUsed_ResolvesProviderSpecificToken()
+    {
+        var services = new ServiceCollection();
+        services.AddThalosDalRuntime();
+
+        using var provider = services.BuildServiceProvider();
+        var repository = provider.GetRequiredService<IIdentityRepository>();
+        var request = new IdentityTokenLookupRequest(
+            new IdentityContractEnvelope("1.0.0", "corr-ext"),
+            string.Empty,
+            "tenant-2",
+            BuildingBlock.Identity.Contracts.Conventions.IdentityAuthProvider.AzureAd,
+            "external-azure-token");
+
+        var response = await repository.ReadIdentityTokenAsync(request);
+
+        Assert.NotNull(response);
+        Assert.Equal(BuildingBlock.Identity.Contracts.Conventions.IdentityAuthProvider.AzureAd, response.Provider);
+        Assert.StartsWith("azure:", response.Token);
+    }
+
+    [Fact]
+    public void AddThalosDalRuntime_WhenResolved_WiresGrpcContractAdapter()
+    {
+        var services = new ServiceCollection();
+        services.AddThalosDalRuntime();
+
+        using var provider = services.BuildServiceProvider();
+        var adapter = provider.GetRequiredService<IIdentityDalGrpcContractAdapter>();
+        var grpcContract = new Thalos.DAL.Grpc.IdentityTokenDalGrpcContract("user-2", "tenant-2");
+
+        var request = adapter.FromGrpcTokenRequest(grpcContract);
+
+        Assert.Equal("user-2", request.SubjectId);
+        Assert.Equal("tenant-2", request.TenantId);
+        Assert.NotEmpty(request.Envelope.CorrelationId);
+    }
+
+    [Fact]
+    public async Task AddThalosDalRuntime_WhenResolved_WiresDependencyHealthCheck()
+    {
+        var services = new ServiceCollection();
+        services.AddThalosDalRuntime();
+
+        using var provider = services.BuildServiceProvider();
+        var healthCheck = provider.GetRequiredService<IDalDependencyHealthCheck>();
+
+        var status = await healthCheck.CheckAsync();
+
+        Assert.True(status.IsHealthy);
+        Assert.Contains("IUserDataProvider", status.DependencyNames);
+        Assert.Contains("IPermissionDataProvider", status.DependencyNames);
+    }
+}

tests/Thalos.DAL.UnitTests/Thalos.DAL.UnitTests.csproj

@@ -7,6 +7,7 @@
   </PropertyGroup>
   <ItemGroup>
     <PackageReference Include="coverlet.collector" Version="6.0.4" />
+    <PackageReference Include="Microsoft.Extensions.DependencyInjection" Version="10.0.0" />
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.14.1" />
     <PackageReference Include="xunit" Version="2.9.3" />
     <PackageReference Include="xunit.runner.visualstudio" Version="3.1.4" />