# Identity Provider Boundaries

## Ownership

- `IUserDataProvider`: user aggregate persistence provider boundary.
- `IRoleDataProvider`: role aggregate persistence provider boundary.
- `IPermissionDataProvider`: permission aggregate provider boundary.
- `IModuleDataProvider`: module aggregate provider boundary.
- `ITenantDataProvider`: tenant aggregate provider boundary.
- `IIdentityRepository`: DAL composition boundary for policy, token, and permission-set reads.
- `IIdentityDalGrpcContractAdapter`: gRPC translation boundary for DAL contracts.

## Rules

- Providers isolate datastore-specific behavior.
- Provider boundaries remain internal to Thalos DAL.
- DAL interfaces expose only transport-neutral contracts and read ports.
- Identity abstractions remain Thalos-owned.