39 changed files with 54 additions and 945 deletions
--- a/.dockerignore
+++ b/.dockerignore
@ -1,9 +0,0 @@
 **/bin/
 **/obj/
 .vs/
 TestResults/
 .git/
 .repo-tasks/
 .repo-context/
 .tasks/
 .agile/
--- a/.gitignore
+++ b/.gitignore
@ -1,23 +1,53 @@
-# Repository orchestration folders (local only)
+# AgileWebs local orchestration
 .repo-tasks/
 .repo-context/
 .tasks/
 .agile/
-# .NET build outputs
+# Build artifacts
-**/bin/
+**/[Bb]in/
-**/obj/
+**/[Oo]bj/
 /**/out/
 /**/artifacts/
 # IDE and editor files
 .vs/
 TestResults/
 **/TestResults/
 *.user
 *.suo
 *.rsuser
 # IDE
 .idea/
 .vscode/
 *.suo
 *.user
 *.userosscache
 *.sln.docstates
 *.rsuser
 *.swp
 *.swo
-# Package artifacts
+# NuGet
 *.nupkg
 *.snupkg
-artifacts/
+**/packages/*
 !**/packages/build/
 # Test output
 **/TestResults/
 *.trx
 *.coverage
 *.coveragexml
 # Logs
 *.log
 logs/
 # Local environment files
 .env
 .env.*
 !.env.example
 # Docker
 .docker/
 **/.docker/
 *.pid
 docker-compose.override.yml
 docker-compose.*.override.yml
 # OS files
 .DS_Store
 Thumbs.db
--- a/20
+++ b/20
@ -1,20 +0,0 @@
 # syntax=docker/dockerfile:1.7
 ARG SDK_IMAGE=mcr.microsoft.com/dotnet/sdk:10.0
 ARG RUNTIME_IMAGE=mcr.microsoft.com/dotnet/aspnet:10.0
 FROM ${SDK_IMAGE} AS build
 ARG NUGET_FEED_URL=https://gitea.dream-views.com/api/packages/AgileWebs/nuget/index.json
 ARG NUGET_FEED_USERNAME=
 ARG NUGET_FEED_TOKEN=
 WORKDIR /src
 COPY . .
 RUN if [ -n "$NUGET_FEED_USERNAME" ] && [ -n "$NUGET_FEED_TOKEN" ]; then dotnet nuget add source "$NUGET_FEED_URL" --name gitea-org --username "$NUGET_FEED_USERNAME" --password "$NUGET_FEED_TOKEN" --store-password-in-clear-text --allow-insecure-connections --configfile /root/.nuget/NuGet/NuGet.Config; fi
 RUN dotnet restore "src/Thalos.DAL.Host/Thalos.DAL.Host.csproj" --configfile /root/.nuget/NuGet/NuGet.Config
 RUN dotnet publish "src/Thalos.DAL.Host/Thalos.DAL.Host.csproj" -c Release -o /app/publish /p:UseAppHost=false --no-restore
 FROM ${RUNTIME_IMAGE} AS runtime
 WORKDIR /app
 ENV ASPNETCORE_URLS=http://+:8080     ASPNETCORE_ENVIRONMENT=Production
 EXPOSE 8080
 COPY --from=build /app/publish .
 ENTRYPOINT ["dotnet", "Thalos.DAL.Host.dll"]
--- a/Thalos.DAL.slnx
+++ b/Thalos.DAL.slnx
@ -1,6 +1,5 @@
 <Solution>
  <Folder Name="/src/">
    <Project Path="src/Thalos.DAL.Host/Thalos.DAL.Host.csproj" />
    <Project Path="src/Thalos.DAL/Thalos.DAL.csproj" />
  </Folder>
  <Folder Name="/tests/">
--- a/docs/architecture/dal-domain-alignment.md
+++ b/docs/architecture/dal-domain-alignment.md
@ -1,13 +0,0 @@
 # Thalos DAL Domain Alignment
 ## Goal
 Align DAL with thalos-domain abstractions while keeping DAL technical.
 ## DAL Responsibilities
 - Identity persistence and retrieval
 - Technical data translation
 - Provider/repository boundaries
 ## Prohibited
 - Identity policy decision ownership
 - Service orchestration concerns
--- a/docs/dal/identity-provider-boundaries.md
+++ b/docs/dal/identity-provider-boundaries.md
@ -16,7 +16,3 @@
 - Provider boundaries remain internal to Thalos DAL.
 - DAL interfaces expose only transport-neutral contracts and read ports.
 - Identity abstractions remain Thalos-owned.
 - Runtime provider routes currently support:
  - `InternalJwt`
  - `AzureAd`
  - `Google`
--- a/docs/dal/package-consumption-baseline.md
+++ b/docs/dal/package-consumption-baseline.md
@ -1,26 +0,0 @@
 # Thalos DAL Package Consumption Baseline
 ## Objective
 Remove cross-repo source coupling from `Thalos.DAL` and consume shared contracts through NuGet packages.
 ## Applied Baseline
 `Thalos.DAL.csproj` now consumes:
 - `BuildingBlock.Identity.Contracts` `0.2.0`
 - `Core.Blueprint.Common` `0.2.0`
 ## Feed Configuration
 Repository-level `nuget.config` includes:
 - `gitea-org`: `https://gitea.dream-views.com/api/packages/AgileWebs/nuget/index.json`
 - `nuget.org`
 Because feed is currently HTTP, `allowInsecureConnections="true"` is required for the Gitea source.
 ## Boundary Notes
 - No cross-repo `ProjectReference` remains in `src/Thalos.DAL/Thalos.DAL.csproj`.
 - DAL retains technical/provider ownership only.
--- a/docs/migration/dal-port-alignment-map.md
+++ b/docs/migration/dal-port-alignment-map.md
@ -1,6 +0,0 @@
 # Thalos DAL Port Alignment Map
 ## Alignment Areas
 - DAL read/write ports map to domain contracts.
 - Technical DTO translation remains in DAL adapters.
 - Domain policy semantics are not reimplemented in DAL.
--- a/docs/migration/technical-mapping-rules.md
+++ b/docs/migration/technical-mapping-rules.md
@ -1,6 +0,0 @@
 # Thalos DAL Technical Mapping Rules
 ## Rules
 - Mapping logic remains technical and deterministic.
 - No policy evaluation branching in DAL mapping layer.
 - Correlation and metadata pass-through remains unchanged.
--- a/docs/runbooks/containerization.md
+++ b/docs/runbooks/containerization.md
@ -1,23 +0,0 @@
 # Containerization Runbook
 ## Image Build
 ```bash
 docker build   --build-arg NUGET_FEED_USERNAME=<gitea-login>   --build-arg NUGET_FEED_TOKEN=<gitea-token>   -t agilewebs/thalos-dal:dev .
 ```
 ## Local Run
 ```bash
 docker run --rm -p 8080:8080 --name thalos-dal agilewebs/thalos-dal:dev
 ```
 ## Health Probe
 - Path: `/health`
 - Fallback path: `/healthz`
 - Port: `8080`
 ## Runtime Notes
 - Exposes internal DAL lookup endpoints for identity token, policy, and permissions data.
--- a/nuget.config
+++ b/nuget.config
@ -1,8 +0,0 @@
 <?xml version="1.0" encoding="utf-8"?>
 <configuration>
  <packageSources>
    <clear />
    <add key="gitea-org" value="https://gitea.dream-views.com/api/packages/AgileWebs/nuget/index.json" allowInsecureConnections="true" />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
  </packageSources>
 </configuration>
--- a/src/Thalos.DAL.Host/Program.cs
+++ b/src/Thalos.DAL.Host/Program.cs
@ -1,71 +0,0 @@
 using Microsoft.Extensions.Primitives;
 using Thalos.DAL.Contracts;
 using Thalos.DAL.DependencyInjection;
 using Thalos.DAL.Repositories;
 using IdentityAuthProvider = BuildingBlock.Identity.Contracts.Conventions.IdentityAuthProvider;
 const string CorrelationHeaderName = "x-correlation-id";
 const string ContractVersion = "v1";
 var builder = WebApplication.CreateBuilder(args);
 builder.Services.AddHealthChecks();
 builder.Services.AddThalosDalRuntime();
 var app = builder.Build();
 app.MapGet("/internal/thalos-dal/token", async (
    string subjectId,
    string tenantId,
    string? externalToken,
    IIdentityRepository repository,
    HttpContext context,
    CancellationToken ct) =>
 {
    var envelope = new IdentityContractEnvelope(ContractVersion, ResolveCorrelationId(context));
    var request = new IdentityTokenLookupRequest(envelope, subjectId, tenantId, IdentityAuthProvider.InternalJwt, externalToken ?? string.Empty);
    var record = await repository.ReadIdentityTokenAsync(request, ct);
    return record is null ? Results.NotFound() : Results.Ok(record);
 });
 app.MapGet("/internal/thalos-dal/policy", async (
    string subjectId,
    string tenantId,
    string permissionCode,
    IIdentityRepository repository,
    HttpContext context,
    CancellationToken ct) =>
 {
    var envelope = new IdentityContractEnvelope(ContractVersion, ResolveCorrelationId(context));
    var request = new IdentityPolicyLookupRequest(envelope, subjectId, tenantId, permissionCode);
    var record = await repository.ReadIdentityPolicyAsync(request, ct);
    return record is null ? Results.NotFound() : Results.Ok(record);
 });
 app.MapGet("/internal/thalos-dal/permissions", async (
    string subjectId,
    string tenantId,
    IIdentityRepository repository,
    HttpContext context,
    CancellationToken ct) =>
 {
    var envelope = new IdentityContractEnvelope(ContractVersion, ResolveCorrelationId(context));
    var request = new IdentityPermissionSetLookupRequest(envelope, subjectId, tenantId);
    var records = await repository.ReadPermissionSetAsync(request, ct);
    return Results.Ok(records);
 });
 app.MapHealthChecks("/health");
 app.MapHealthChecks("/healthz");
 app.Run();
 static string ResolveCorrelationId(HttpContext context)
 {
    if (context.Request.Headers.TryGetValue(CorrelationHeaderName, out var headerValue) &&
        !StringValues.IsNullOrEmpty(headerValue))
    {
        return headerValue.ToString();
    }
    return context.TraceIdentifier;
 }
--- a/src/Thalos.DAL.Host/Properties/launchSettings.json
+++ b/src/Thalos.DAL.Host/Properties/launchSettings.json
@ -1,23 +0,0 @@
 {
  "$schema": "https://json.schemastore.org/launchsettings.json",
  "profiles": {
    "http": {
      "commandName": "Project",
      "dotnetRunMessages": true,
      "launchBrowser": true,
      "applicationUrl": "http://localhost:0",
      "environmentVariables": {
        "ASPNETCORE_ENVIRONMENT": "Development"
      }
    },
    "https": {
      "commandName": "Project",
      "dotnetRunMessages": true,
      "launchBrowser": true,
      "applicationUrl": "https://localhost:0;http://localhost:0",
      "environmentVariables": {
        "ASPNETCORE_ENVIRONMENT": "Development"
      }
    }
  }
 }
--- a/src/Thalos.DAL.Host/Thalos.DAL.Host.csproj
+++ b/src/Thalos.DAL.Host/Thalos.DAL.Host.csproj
@ -1,13 +0,0 @@
 <Project Sdk="Microsoft.NET.Sdk.Web">
  <PropertyGroup>
    <TargetFramework>net10.0</TargetFramework>
    <Nullable>enable</Nullable>
    <ImplicitUsings>enable</ImplicitUsings>
  </PropertyGroup>
  <ItemGroup>
    <ProjectReference Include="..\Thalos.DAL\Thalos.DAL.csproj" />
  </ItemGroup>
 </Project>
--- a/src/Thalos.DAL.Host/appsettings.Development.json
+++ b/src/Thalos.DAL.Host/appsettings.Development.json
@ -1,8 +0,0 @@
 {
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning"
    }
  }
 }
--- a/src/Thalos.DAL.Host/appsettings.json
+++ b/src/Thalos.DAL.Host/appsettings.json
@ -1,9 +0,0 @@
 {
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning"
    }
  },
  "AllowedHosts": "*"
 }
--- a/src/Thalos.DAL/Adapters/IdentityDalGrpcContractAdapter.cs
+++ b/src/Thalos.DAL/Adapters/IdentityDalGrpcContractAdapter.cs
@ -1,47 +0,0 @@
 using Core.Blueprint.Common.Runtime;
 using Thalos.DAL.Contracts;
 using Thalos.DAL.Grpc;
 namespace Thalos.DAL.Adapters;
 /// <summary>
 /// Default adapter implementation for DAL gRPC contract translation.
 /// </summary>
 public sealed class IdentityDalGrpcContractAdapter(IBlueprintSystemClock clock) : IIdentityDalGrpcContractAdapter
 {
    /// <inheritdoc />
    public IdentityPolicyDalGrpcContract ToGrpcPolicyRequest(IdentityPolicyLookupRequest request)
    {
        return new IdentityPolicyDalGrpcContract(request.SubjectId, request.TenantId, request.PermissionCode);
    }
    /// <inheritdoc />
    public IdentityPolicyLookupRequest FromGrpcPolicyRequest(IdentityPolicyDalGrpcContract contract)
    {
        return new IdentityPolicyLookupRequest(
            CreateEnvelope(),
            contract.SubjectId,
            contract.TenantId,
            contract.PermissionCode);
    }
    /// <inheritdoc />
    public IdentityTokenDalGrpcContract ToGrpcTokenRequest(IdentityTokenLookupRequest request)
    {
        return new IdentityTokenDalGrpcContract(request.SubjectId, request.TenantId);
    }
    /// <inheritdoc />
    public IdentityTokenLookupRequest FromGrpcTokenRequest(IdentityTokenDalGrpcContract contract)
    {
        return new IdentityTokenLookupRequest(
            CreateEnvelope(),
            contract.SubjectId,
            contract.TenantId);
    }
    private IdentityContractEnvelope CreateEnvelope()
    {
        return new IdentityContractEnvelope("1.0.0", $"corr-{clock.UtcNow:yyyyMMddHHmmssfff}");
    }
 }
--- a/src/Thalos.DAL/Contracts/IdentityPermissionRecord.cs
+++ b/src/Thalos.DAL/Contracts/IdentityPermissionRecord.cs
@ -1,5 +1,3 @@
 using BuildingBlock.Identity.Contracts.Conventions;
 namespace Thalos.DAL.Contracts;
 /// <summary>
@ -8,9 +6,7 @@ namespace Thalos.DAL.Contracts;
 /// <param name="Envelope">Contract envelope metadata.</param>
 /// <param name="PermissionCode">Permission code identifier.</param>
 /// <param name="SourceRoleCode">Role code that grants the permission.</param>
 /// <param name="Provider">Auth provider for the permission grant.</param>
 public sealed record IdentityPermissionRecord(
    IdentityContractEnvelope Envelope,
    string PermissionCode,
-    string SourceRoleCode,
+    string SourceRoleCode);
    IdentityAuthProvider Provider = IdentityAuthProvider.InternalJwt);
--- a/src/Thalos.DAL/Contracts/IdentityPermissionSetLookupRequest.cs
+++ b/src/Thalos.DAL/Contracts/IdentityPermissionSetLookupRequest.cs
@ -1,5 +1,3 @@
 using BuildingBlock.Identity.Contracts.Conventions;
 namespace Thalos.DAL.Contracts;
 /// <summary>
@ -8,9 +6,7 @@ namespace Thalos.DAL.Contracts;
 /// <param name="Envelope">Contract envelope metadata.</param>
 /// <param name="SubjectId">Identity subject identifier.</param>
 /// <param name="TenantId">Tenant scope identifier.</param>
 /// <param name="Provider">Auth provider for the lookup flow.</param>
 public sealed record IdentityPermissionSetLookupRequest(
    IdentityContractEnvelope Envelope,
    string SubjectId,
-    string TenantId,
+    string TenantId);
    IdentityAuthProvider Provider = IdentityAuthProvider.InternalJwt);
--- a/src/Thalos.DAL/Contracts/IdentityPolicyLookupRequest.cs
+++ b/src/Thalos.DAL/Contracts/IdentityPolicyLookupRequest.cs
@ -1,5 +1,3 @@
 using BuildingBlock.Identity.Contracts.Conventions;
 namespace Thalos.DAL.Contracts;
 /// <summary>
@ -9,10 +7,8 @@ namespace Thalos.DAL.Contracts;
 /// <param name="SubjectId">Identity subject identifier.</param>
 /// <param name="TenantId">Tenant scope identifier.</param>
 /// <param name="PermissionCode">Permission code to evaluate.</param>
 /// <param name="Provider">Auth provider for the lookup flow.</param>
 public sealed record IdentityPolicyLookupRequest(
    IdentityContractEnvelope Envelope,
    string SubjectId,
    string TenantId,
-    string PermissionCode,
+    string PermissionCode);
    IdentityAuthProvider Provider = IdentityAuthProvider.InternalJwt);
--- a/src/Thalos.DAL/Contracts/IdentityPolicyRecord.cs
+++ b/src/Thalos.DAL/Contracts/IdentityPolicyRecord.cs
@ -1,5 +1,3 @@
 using BuildingBlock.Identity.Contracts.Conventions;
 namespace Thalos.DAL.Contracts;
 /// <summary>
@ -9,10 +7,8 @@ namespace Thalos.DAL.Contracts;
 /// <param name="SubjectId">Identity subject identifier.</param>
 /// <param name="PermissionCode">Permission code evaluated.</param>
 /// <param name="ContextSatisfied">Indicates whether policy context is satisfied.</param>
 /// <param name="Provider">Auth provider used for policy evaluation.</param>
 public sealed record IdentityPolicyRecord(
    IdentityContractEnvelope Envelope,
    string SubjectId,
    string PermissionCode,
-    bool ContextSatisfied,
+    bool ContextSatisfied);
    IdentityAuthProvider Provider = IdentityAuthProvider.InternalJwt);
--- a/src/Thalos.DAL/Contracts/IdentityTokenLookupRequest.cs
+++ b/src/Thalos.DAL/Contracts/IdentityTokenLookupRequest.cs
@ -1,5 +1,3 @@
 using BuildingBlock.Identity.Contracts.Conventions;
 namespace Thalos.DAL.Contracts;
 /// <summary>
@ -8,11 +6,4 @@ namespace Thalos.DAL.Contracts;
 /// <param name="Envelope">Contract envelope metadata.</param>
 /// <param name="SubjectId">Identity subject identifier.</param>
 /// <param name="TenantId">Tenant scope identifier.</param>
-/// <param name="Provider">Auth provider for the lookup flow.</param>
+public sealed record IdentityTokenLookupRequest(IdentityContractEnvelope Envelope, string SubjectId, string TenantId);
 /// <param name="ExternalToken">External provider token when applicable.</param>
 public sealed record IdentityTokenLookupRequest(
    IdentityContractEnvelope Envelope,
    string SubjectId,
    string TenantId,
    IdentityAuthProvider Provider = IdentityAuthProvider.InternalJwt,
    string ExternalToken = "");
--- a/src/Thalos.DAL/Contracts/IdentityTokenRecord.cs
+++ b/src/Thalos.DAL/Contracts/IdentityTokenRecord.cs
@ -1,5 +1,3 @@
 using BuildingBlock.Identity.Contracts.Conventions;
 namespace Thalos.DAL.Contracts;
 /// <summary>
@ -10,11 +8,9 @@ namespace Thalos.DAL.Contracts;
 /// <param name="TenantId">Tenant scope identifier.</param>
 /// <param name="Token">Issued access token value.</param>
 /// <param name="ExpiresInSeconds">Token expiration in seconds.</param>
 /// <param name="Provider">Auth provider used for token issuance.</param>
 public sealed record IdentityTokenRecord(
    IdentityContractEnvelope Envelope,
    string SubjectId,
    string TenantId,
    string Token,
-    int ExpiresInSeconds,
+    int ExpiresInSeconds);
    IdentityAuthProvider Provider = IdentityAuthProvider.InternalJwt);
--- a/src/Thalos.DAL/Contracts/IdentityUserLookupRequest.cs
+++ b/src/Thalos.DAL/Contracts/IdentityUserLookupRequest.cs
@ -1,5 +1,3 @@
 using BuildingBlock.Identity.Contracts.Conventions;
 namespace Thalos.DAL.Contracts;
 /// <summary>
@ -7,12 +5,4 @@ namespace Thalos.DAL.Contracts;
 /// </summary>
 /// <param name="Envelope">Contract envelope metadata.</param>
 /// <param name="SubjectId">Identity subject identifier.</param>
-/// <param name="TenantId">Tenant identifier.</param>
+public sealed record IdentityUserLookupRequest(IdentityContractEnvelope Envelope, string SubjectId);
 /// <param name="Provider">Auth provider for the lookup flow.</param>
 /// <param name="ExternalToken">External provider token when applicable.</param>
 public sealed record IdentityUserLookupRequest(
    IdentityContractEnvelope Envelope,
    string SubjectId,
    string TenantId,
    IdentityAuthProvider Provider = IdentityAuthProvider.InternalJwt,
    string ExternalToken = "");
--- a/src/Thalos.DAL/Contracts/IdentityUserRecord.cs
+++ b/src/Thalos.DAL/Contracts/IdentityUserRecord.cs
@ -7,14 +7,8 @@ namespace Thalos.DAL.Contracts;
 /// <param name="SubjectId">Identity subject identifier.</param>
 /// <param name="TenantId">Tenant scope identifier.</param>
 /// <param name="Status">Current user status.</param>
 /// <param name="Token">Persisted token projection for subject/tenant.</param>
 /// <param name="ExpiresInSeconds">Persisted token expiration in seconds.</param>
 /// <param name="ContextSatisfied">Persisted policy context projection.</param>
 public sealed record IdentityUserRecord(
    IdentityContractEnvelope Envelope,
    string SubjectId,
    string TenantId,
-    string Status,
+    string Status);
    string Token,
    int ExpiresInSeconds,
    bool ContextSatisfied);
--- a/src/Thalos.DAL/DependencyInjection/ThalosDalServiceCollectionExtensions.cs
+++ b/src/Thalos.DAL/DependencyInjection/ThalosDalServiceCollectionExtensions.cs
@ -1,46 +0,0 @@
 using Core.Blueprint.Common.DependencyInjection;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.DependencyInjection.Extensions;
 using Thalos.DAL.Adapters;
 using Thalos.DAL.Health;
 using Thalos.DAL.Providers;
 using Thalos.DAL.Providers.InMemory;
 using Thalos.DAL.Repositories;
 namespace Thalos.DAL.DependencyInjection;
 /// <summary>
 /// Registers thalos dal runtime provider, repository, and adapter implementations.
 /// </summary>
 public static class ThalosDalServiceCollectionExtensions
 {
    /// <summary>
    /// Adds thalos dal runtime implementations aligned with blueprint runtime core.
    /// </summary>
    /// <param name="services">Service collection.</param>
    /// <returns>Service collection for fluent chaining.</returns>
    public static IServiceCollection AddThalosDalRuntime(this IServiceCollection services)
    {
        services.AddBlueprintRuntimeCore();
        services.TryAddSingleton<InternalJwtUserDataProvider>();
        services.TryAddSingleton<AzureAdUserDataProvider>();
        services.TryAddSingleton<GoogleUserDataProvider>();
        services.TryAddSingleton<IUserDataProvider, RoutedUserDataProvider>();
        services.TryAddSingleton<InternalJwtPermissionDataProvider>();
        services.TryAddSingleton<AzureAdPermissionDataProvider>();
        services.TryAddSingleton<GooglePermissionDataProvider>();
        services.TryAddSingleton<IPermissionDataProvider, RoutedPermissionDataProvider>();
        services.TryAddSingleton<IRoleDataProvider, InMemoryRoleDataProvider>();
        services.TryAddSingleton<IModuleDataProvider, InMemoryModuleDataProvider>();
        services.TryAddSingleton<ITenantDataProvider, InMemoryTenantDataProvider>();
        services.TryAddSingleton<IIdentityRepository, IdentityRepository>();
        services.TryAddSingleton<IIdentityDalGrpcContractAdapter, IdentityDalGrpcContractAdapter>();
        services.TryAddSingleton<IDalDependencyHealthCheck, DalDependencyHealthCheck>();
        return services;
    }
 }
--- a/src/Thalos.DAL/Health/DalDependencyHealthCheck.cs
+++ b/src/Thalos.DAL/Health/DalDependencyHealthCheck.cs
@ -1,27 +0,0 @@
 using Core.Blueprint.Common.Runtime;
 using Thalos.DAL.Contracts;
 namespace Thalos.DAL.Health;
 /// <summary>
 /// Default DAL dependency health check implementation.
 /// </summary>
 public sealed class DalDependencyHealthCheck(IBlueprintSystemClock clock) : IDalDependencyHealthCheck
 {
    /// <inheritdoc />
    public Task<DalDependencyHealthStatus> CheckAsync(CancellationToken cancellationToken = default)
    {
        var envelope = new IdentityContractEnvelope("1.0.0", $"corr-{clock.UtcNow:yyyyMMddHHmmssfff}");
        IReadOnlyList<string> dependencyNames =
        [
            "IUserDataProvider",
            "IRoleDataProvider",
            "IPermissionDataProvider",
            "IModuleDataProvider",
            "ITenantDataProvider"
        ];
        var status = new DalDependencyHealthStatus(envelope, true, dependencyNames);
        return Task.FromResult(status);
    }
 }
--- a/src/Thalos.DAL/Providers/InMemory/InMemoryModuleDataProvider.cs
+++ b/src/Thalos.DAL/Providers/InMemory/InMemoryModuleDataProvider.cs
@ -1,22 +0,0 @@
 using Thalos.DAL.Contracts;
 namespace Thalos.DAL.Providers.InMemory;
 /// <summary>
 /// In-memory provider for identity module lookup contracts.
 /// </summary>
 public sealed class InMemoryModuleDataProvider : IModuleDataProvider
 {
    /// <inheritdoc />
    public Task<IReadOnlyList<IdentityModuleRecord>> ReadModulesAsync(
        IdentityModuleLookupRequest request,
        CancellationToken cancellationToken = default)
    {
        IReadOnlyList<IdentityModuleRecord> records =
        [
            new IdentityModuleRecord(request.Envelope, "identity", true)
        ];
        return Task.FromResult(records);
    }
 }
--- a/src/Thalos.DAL/Providers/InMemory/InMemoryPermissionDataProvider.cs
+++ b/src/Thalos.DAL/Providers/InMemory/InMemoryPermissionDataProvider.cs
@ -1,23 +0,0 @@
 using Thalos.DAL.Contracts;
 namespace Thalos.DAL.Providers.InMemory;
 /// <summary>
 /// In-memory provider for identity permission lookup contracts.
 /// </summary>
 public sealed class InMemoryPermissionDataProvider : IPermissionDataProvider
 {
    /// <inheritdoc />
    public Task<IReadOnlyList<IdentityPermissionRecord>> ReadPermissionsAsync(
        IdentityPermissionSetLookupRequest request,
        CancellationToken cancellationToken = default)
    {
        IReadOnlyList<IdentityPermissionRecord> records =
        [
            new IdentityPermissionRecord(request.Envelope, "identity.token.issue", "identity.admin"),
            new IdentityPermissionRecord(request.Envelope, "identity.policy.evaluate", "identity.admin")
        ];
        return Task.FromResult(records);
    }
 }
--- a/src/Thalos.DAL/Providers/InMemory/InMemoryRoleDataProvider.cs
+++ b/src/Thalos.DAL/Providers/InMemory/InMemoryRoleDataProvider.cs
@ -1,22 +0,0 @@
 using Thalos.DAL.Contracts;
 namespace Thalos.DAL.Providers.InMemory;
 /// <summary>
 /// In-memory provider for identity role lookup contracts.
 /// </summary>
 public sealed class InMemoryRoleDataProvider : IRoleDataProvider
 {
    /// <inheritdoc />
    public Task<IReadOnlyList<IdentityRoleRecord>> ReadRolesAsync(
        IdentityRoleLookupRequest request,
        CancellationToken cancellationToken = default)
    {
        IReadOnlyList<IdentityRoleRecord> records =
        [
            new IdentityRoleRecord(request.Envelope, "identity.admin", request.TenantId)
        ];
        return Task.FromResult(records);
    }
 }
--- a/src/Thalos.DAL/Providers/InMemory/InMemoryTenantDataProvider.cs
+++ b/src/Thalos.DAL/Providers/InMemory/InMemoryTenantDataProvider.cs
@ -1,23 +0,0 @@
 using Thalos.DAL.Contracts;
 namespace Thalos.DAL.Providers.InMemory;
 /// <summary>
 /// In-memory provider for identity tenant lookup contracts.
 /// </summary>
 public sealed class InMemoryTenantDataProvider : ITenantDataProvider
 {
    /// <inheritdoc />
    public Task<IdentityTenantRecord?> ReadTenantAsync(
        IdentityTenantLookupRequest request,
        CancellationToken cancellationToken = default)
    {
        var record = new IdentityTenantRecord(
            request.Envelope,
            request.TenantId,
            $"tenant-{request.TenantId}",
            true);
        return Task.FromResult<IdentityTenantRecord?>(record);
    }
 }
--- a/src/Thalos.DAL/Providers/InMemory/InMemoryUserDataProvider.cs
+++ b/src/Thalos.DAL/Providers/InMemory/InMemoryUserDataProvider.cs
@ -1,31 +0,0 @@
 using Thalos.DAL.Contracts;
 namespace Thalos.DAL.Providers.InMemory;
 /// <summary>
 /// In-memory provider for identity user lookup contracts.
 /// </summary>
 public sealed class InMemoryUserDataProvider : IUserDataProvider
 {
    /// <inheritdoc />
    public Task<IdentityUserRecord?> ReadUserAsync(
        IdentityUserLookupRequest request,
        CancellationToken cancellationToken = default)
    {
        if (request.SubjectId.StartsWith("missing-", StringComparison.OrdinalIgnoreCase))
        {
            return Task.FromResult<IdentityUserRecord?>(null);
        }
        var record = new IdentityUserRecord(
            request.Envelope,
            request.SubjectId,
            request.TenantId,
            "active",
            $"{request.SubjectId}:{request.TenantId}:token",
            1800,
            true);
        return Task.FromResult<IdentityUserRecord?>(record);
    }
 }
--- a/src/Thalos.DAL/Providers/ProviderPermissionDataProviders.cs
+++ b/src/Thalos.DAL/Providers/ProviderPermissionDataProviders.cs
@ -1,89 +0,0 @@
 using BuildingBlock.Identity.Contracts.Conventions;
 using Thalos.DAL.Contracts;
 namespace Thalos.DAL.Providers;
 /// <summary>
 /// Internal JWT permission provider implementation.
 /// </summary>
 public sealed class InternalJwtPermissionDataProvider : IPermissionDataProvider
 {
    /// <inheritdoc />
    public Task<IReadOnlyList<IdentityPermissionRecord>> ReadPermissionsAsync(
        IdentityPermissionSetLookupRequest request,
        CancellationToken cancellationToken = default)
    {
        IReadOnlyList<IdentityPermissionRecord> records =
        [
            new IdentityPermissionRecord(request.Envelope, "identity.token.issue", "identity.admin", IdentityAuthProvider.InternalJwt),
            new IdentityPermissionRecord(request.Envelope, "identity.policy.evaluate", "identity.admin", IdentityAuthProvider.InternalJwt)
        ];
        return Task.FromResult(records);
    }
 }
 /// <summary>
 /// Azure AD permission provider implementation.
 /// </summary>
 public sealed class AzureAdPermissionDataProvider : IPermissionDataProvider
 {
    /// <inheritdoc />
    public Task<IReadOnlyList<IdentityPermissionRecord>> ReadPermissionsAsync(
        IdentityPermissionSetLookupRequest request,
        CancellationToken cancellationToken = default)
    {
        IReadOnlyList<IdentityPermissionRecord> records =
        [
            new IdentityPermissionRecord(request.Envelope, "identity.token.issue", "identity.azure.user", IdentityAuthProvider.AzureAd),
            new IdentityPermissionRecord(request.Envelope, "identity.policy.evaluate", "identity.azure.user", IdentityAuthProvider.AzureAd),
            new IdentityPermissionRecord(request.Envelope, "identity.oauth.exchange", "identity.azure.user", IdentityAuthProvider.AzureAd)
        ];
        return Task.FromResult(records);
    }
 }
 /// <summary>
 /// Google permission provider implementation.
 /// </summary>
 public sealed class GooglePermissionDataProvider : IPermissionDataProvider
 {
    /// <inheritdoc />
    public Task<IReadOnlyList<IdentityPermissionRecord>> ReadPermissionsAsync(
        IdentityPermissionSetLookupRequest request,
        CancellationToken cancellationToken = default)
    {
        IReadOnlyList<IdentityPermissionRecord> records =
        [
            new IdentityPermissionRecord(request.Envelope, "identity.token.issue", "identity.google.user", IdentityAuthProvider.Google),
            new IdentityPermissionRecord(request.Envelope, "identity.policy.evaluate", "identity.google.user", IdentityAuthProvider.Google),
            new IdentityPermissionRecord(request.Envelope, "identity.oauth.exchange", "identity.google.user", IdentityAuthProvider.Google)
        ];
        return Task.FromResult(records);
    }
 }
 /// <summary>
 /// Routes permission lookups to the matching provider implementation.
 /// </summary>
 public sealed class RoutedPermissionDataProvider(
    InternalJwtPermissionDataProvider internalJwtProvider,
    AzureAdPermissionDataProvider azureProvider,
    GooglePermissionDataProvider googleProvider) : IPermissionDataProvider
 {
    /// <inheritdoc />
    public Task<IReadOnlyList<IdentityPermissionRecord>> ReadPermissionsAsync(
        IdentityPermissionSetLookupRequest request,
        CancellationToken cancellationToken = default)
    {
        return request.Provider switch
        {
            IdentityAuthProvider.InternalJwt => internalJwtProvider.ReadPermissionsAsync(request, cancellationToken),
            IdentityAuthProvider.AzureAd => azureProvider.ReadPermissionsAsync(request, cancellationToken),
            IdentityAuthProvider.Google => googleProvider.ReadPermissionsAsync(request, cancellationToken),
            _ => Task.FromResult<IReadOnlyList<IdentityPermissionRecord>>([])
        };
    }
 }
--- a/src/Thalos.DAL/Providers/ProviderUserDataProviders.cs
+++ b/src/Thalos.DAL/Providers/ProviderUserDataProviders.cs
@ -1,143 +0,0 @@
 using BuildingBlock.Identity.Contracts.Conventions;
 using Thalos.DAL.Contracts;
 namespace Thalos.DAL.Providers;
 /// <summary>
 /// Internal JWT provider implementation for identity user reads.
 /// </summary>
 public sealed class InternalJwtUserDataProvider : IUserDataProvider
 {
    /// <inheritdoc />
    public Task<IdentityUserRecord?> ReadUserAsync(
        IdentityUserLookupRequest request,
        CancellationToken cancellationToken = default)
    {
        if (request.SubjectId.StartsWith("missing-", StringComparison.OrdinalIgnoreCase))
        {
            return Task.FromResult<IdentityUserRecord?>(null);
        }
        var record = new IdentityUserRecord(
            request.Envelope,
            request.SubjectId,
            request.TenantId,
            "active",
            $"{request.SubjectId}:{request.TenantId}:token",
            1800,
            true);
        return Task.FromResult<IdentityUserRecord?>(record);
    }
 }
 /// <summary>
 /// Azure AD provider implementation for identity user reads.
 /// </summary>
 public sealed class AzureAdUserDataProvider : IUserDataProvider
 {
    /// <inheritdoc />
    public Task<IdentityUserRecord?> ReadUserAsync(
        IdentityUserLookupRequest request,
        CancellationToken cancellationToken = default)
    {
        var subjectId = ResolveSubjectId(request, "azure-sub");
        if (string.IsNullOrWhiteSpace(subjectId))
        {
            return Task.FromResult<IdentityUserRecord?>(null);
        }
        var record = new IdentityUserRecord(
            request.Envelope,
            subjectId,
            request.TenantId,
            "active",
            $"azure:{subjectId}:{request.TenantId}:token",
            3600,
            true);
        return Task.FromResult<IdentityUserRecord?>(record);
    }
    private static string ResolveSubjectId(IdentityUserLookupRequest request, string prefix)
    {
        if (!string.IsNullOrWhiteSpace(request.SubjectId))
        {
            return request.SubjectId;
        }
        if (string.IsNullOrWhiteSpace(request.ExternalToken))
        {
            return string.Empty;
        }
        return $"{prefix}-{Math.Abs(request.ExternalToken.GetHashCode(StringComparison.Ordinal))}";
    }
 }
 /// <summary>
 /// Google provider implementation for identity user reads.
 /// </summary>
 public sealed class GoogleUserDataProvider : IUserDataProvider
 {
    /// <inheritdoc />
    public Task<IdentityUserRecord?> ReadUserAsync(
        IdentityUserLookupRequest request,
        CancellationToken cancellationToken = default)
    {
        var subjectId = ResolveSubjectId(request, "google-sub");
        if (string.IsNullOrWhiteSpace(subjectId))
        {
            return Task.FromResult<IdentityUserRecord?>(null);
        }
        var record = new IdentityUserRecord(
            request.Envelope,
            subjectId,
            request.TenantId,
            "active",
            $"google:{subjectId}:{request.TenantId}:token",
            3000,
            true);
        return Task.FromResult<IdentityUserRecord?>(record);
    }
    private static string ResolveSubjectId(IdentityUserLookupRequest request, string prefix)
    {
        if (!string.IsNullOrWhiteSpace(request.SubjectId))
        {
            return request.SubjectId;
        }
        if (string.IsNullOrWhiteSpace(request.ExternalToken))
        {
            return string.Empty;
        }
        return $"{prefix}-{Math.Abs(request.ExternalToken.GetHashCode(StringComparison.Ordinal))}";
    }
 }
 /// <summary>
 /// Routes user lookups to the matching provider implementation.
 /// </summary>
 public sealed class RoutedUserDataProvider(
    InternalJwtUserDataProvider internalJwtProvider,
    AzureAdUserDataProvider azureProvider,
    GoogleUserDataProvider googleProvider) : IUserDataProvider
 {
    /// <inheritdoc />
    public Task<IdentityUserRecord?> ReadUserAsync(
        IdentityUserLookupRequest request,
        CancellationToken cancellationToken = default)
    {
        return request.Provider switch
        {
            IdentityAuthProvider.InternalJwt => internalJwtProvider.ReadUserAsync(request, cancellationToken),
            IdentityAuthProvider.AzureAd => azureProvider.ReadUserAsync(request, cancellationToken),
            IdentityAuthProvider.Google => googleProvider.ReadUserAsync(request, cancellationToken),
            _ => Task.FromResult<IdentityUserRecord?>(null)
        };
    }
 }
--- a/src/Thalos.DAL/Repositories/IdentityRepository.cs
+++ b/src/Thalos.DAL/Repositories/IdentityRepository.cs
@ -1,70 +0,0 @@
 using Thalos.DAL.Contracts;
 using Thalos.DAL.Providers;
 namespace Thalos.DAL.Repositories;
 /// <summary>
 /// Default identity repository implementation composed from DAL providers.
 /// </summary>
 public sealed class IdentityRepository(
    IUserDataProvider userDataProvider,
    IPermissionDataProvider permissionDataProvider) : IIdentityRepository
 {
    /// <inheritdoc />
    public async Task<IdentityTokenRecord?> ReadIdentityTokenAsync(
        IdentityTokenLookupRequest request,
        CancellationToken cancellationToken = default)
    {
        var userRequest = new IdentityUserLookupRequest(
            request.Envelope,
            request.SubjectId,
            request.TenantId,
            request.Provider,
            request.ExternalToken);
        var userRecord = await userDataProvider.ReadUserAsync(userRequest, cancellationToken);
        if (userRecord is null)
        {
            return null;
        }
        return new IdentityTokenRecord(
            request.Envelope,
            userRecord.SubjectId,
            request.TenantId,
            userRecord.Token,
            userRecord.ExpiresInSeconds,
            request.Provider);
    }
    /// <inheritdoc />
    public async Task<IdentityPolicyRecord?> ReadIdentityPolicyAsync(
        IdentityPolicyLookupRequest request,
        CancellationToken cancellationToken = default)
    {
        var userRequest = new IdentityUserLookupRequest(
            request.Envelope,
            request.SubjectId,
            request.TenantId,
            request.Provider);
        var userRecord = await userDataProvider.ReadUserAsync(userRequest, cancellationToken);
        if (userRecord is null)
        {
            return null;
        }
        return new IdentityPolicyRecord(
            request.Envelope,
            userRecord.SubjectId,
            request.PermissionCode,
            userRecord.ContextSatisfied,
            request.Provider);
    }
    /// <inheritdoc />
    public Task<IReadOnlyList<IdentityPermissionRecord>> ReadPermissionSetAsync(
        IdentityPermissionSetLookupRequest request,
        CancellationToken cancellationToken = default)
    {
        return permissionDataProvider.ReadPermissionsAsync(request, cancellationToken);
    }
 }
--- a/src/Thalos.DAL/Thalos.DAL.csproj
+++ b/src/Thalos.DAL/Thalos.DAL.csproj
@ -5,8 +5,6 @@
    <Nullable>enable</Nullable>
  </PropertyGroup>
  <ItemGroup>
-    <PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="10.0.0" />
+    <ProjectReference Include="..\..\..\blueprint-platform\src\Core.Blueprint.Common\Core.Blueprint.Common.csproj" />
    <PackageReference Include="BuildingBlock.Identity.Contracts" Version="0.2.0" />
    <PackageReference Include="Core.Blueprint.Common" Version="0.2.0" />
  </ItemGroup>
 </Project>
--- a/tests/Thalos.DAL.UnitTests/ContractShapeTests.cs
+++ b/tests/Thalos.DAL.UnitTests/ContractShapeTests.cs
@ -16,7 +16,6 @@ public class ContractShapeTests
        Assert.Equal("user-1", request.SubjectId);
        Assert.Equal("tenant-1", request.TenantId);
        Assert.Equal("identity.token.issue", request.PermissionCode);
        Assert.Equal(BuildingBlock.Identity.Contracts.Conventions.IdentityAuthProvider.InternalJwt, request.Provider);
    }
    [Fact]
@ -31,7 +30,6 @@ public class ContractShapeTests
        Assert.Equal("tenant-1", record.TenantId);
        Assert.Equal("token-xyz", record.Token);
        Assert.Equal(1800, record.ExpiresInSeconds);
        Assert.Equal(BuildingBlock.Identity.Contracts.Conventions.IdentityAuthProvider.InternalJwt, record.Provider);
    }
    [Fact]
--- a/tests/Thalos.DAL.UnitTests/RuntimeWiringTests.cs
+++ b/tests/Thalos.DAL.UnitTests/RuntimeWiringTests.cs
@ -1,88 +0,0 @@
 using Microsoft.Extensions.DependencyInjection;
 using Thalos.DAL.Adapters;
 using Thalos.DAL.Contracts;
 using Thalos.DAL.DependencyInjection;
 using Thalos.DAL.Health;
 using Thalos.DAL.Repositories;
 namespace Thalos.DAL.UnitTests;
 public class RuntimeWiringTests
 {
    [Fact]
    public async Task AddThalosDalRuntime_WhenResolved_WiresRepositoryAndProviders()
    {
        var services = new ServiceCollection();
        services.AddThalosDalRuntime();
        using var provider = services.BuildServiceProvider();
        var repository = provider.GetRequiredService<IIdentityRepository>();
        var request = new IdentityTokenLookupRequest(
            new IdentityContractEnvelope("1.0.0", "corr-123"),
            "user-1",
            "tenant-1");
        var response = await repository.ReadIdentityTokenAsync(request);
        Assert.NotNull(response);
        Assert.Equal("user-1", response.SubjectId);
        Assert.Equal("tenant-1", response.TenantId);
        Assert.Equal(1800, response.ExpiresInSeconds);
        Assert.Equal(BuildingBlock.Identity.Contracts.Conventions.IdentityAuthProvider.InternalJwt, response.Provider);
    }
    [Fact]
    public async Task AddThalosDalRuntime_WhenExternalProviderUsed_ResolvesProviderSpecificToken()
    {
        var services = new ServiceCollection();
        services.AddThalosDalRuntime();
        using var provider = services.BuildServiceProvider();
        var repository = provider.GetRequiredService<IIdentityRepository>();
        var request = new IdentityTokenLookupRequest(
            new IdentityContractEnvelope("1.0.0", "corr-ext"),
            string.Empty,
            "tenant-2",
            BuildingBlock.Identity.Contracts.Conventions.IdentityAuthProvider.AzureAd,
            "external-azure-token");
        var response = await repository.ReadIdentityTokenAsync(request);
        Assert.NotNull(response);
        Assert.Equal(BuildingBlock.Identity.Contracts.Conventions.IdentityAuthProvider.AzureAd, response.Provider);
        Assert.StartsWith("azure:", response.Token);
    }
    [Fact]
    public void AddThalosDalRuntime_WhenResolved_WiresGrpcContractAdapter()
    {
        var services = new ServiceCollection();
        services.AddThalosDalRuntime();
        using var provider = services.BuildServiceProvider();
        var adapter = provider.GetRequiredService<IIdentityDalGrpcContractAdapter>();
        var grpcContract = new Thalos.DAL.Grpc.IdentityTokenDalGrpcContract("user-2", "tenant-2");
        var request = adapter.FromGrpcTokenRequest(grpcContract);
        Assert.Equal("user-2", request.SubjectId);
        Assert.Equal("tenant-2", request.TenantId);
        Assert.NotEmpty(request.Envelope.CorrelationId);
    }
    [Fact]
    public async Task AddThalosDalRuntime_WhenResolved_WiresDependencyHealthCheck()
    {
        var services = new ServiceCollection();
        services.AddThalosDalRuntime();
        using var provider = services.BuildServiceProvider();
        var healthCheck = provider.GetRequiredService<IDalDependencyHealthCheck>();
        var status = await healthCheck.CheckAsync();
        Assert.True(status.IsHealthy);
        Assert.Contains("IUserDataProvider", status.DependencyNames);
        Assert.Contains("IPermissionDataProvider", status.DependencyNames);
    }
 }
--- a/tests/Thalos.DAL.UnitTests/Thalos.DAL.UnitTests.csproj
+++ b/tests/Thalos.DAL.UnitTests/Thalos.DAL.UnitTests.csproj
@ -7,7 +7,6 @@
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="coverlet.collector" Version="6.0.4" />
    <PackageReference Include="Microsoft.Extensions.DependencyInjection" Version="10.0.0" />
    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.14.1" />
    <PackageReference Include="xunit" Version="2.9.3" />
    <PackageReference Include="xunit.runner.visualstudio" Version="3.1.4" />