chore(repo): initialize project's repository structure

- Adds src/tests/docs scaffolding
- Preserves Stage 1 planning tasks
- Adds local AI orchestration folders (.agile, tasks)
- Applies GitFlow development base branch

.gitignore

@@ -0,0 +1,2 @@
+.tasks/
+.agile/

docs/architecture/module-map.puml

@@ -0,0 +1,33 @@
+@startuml
+skinparam shadowing false
+skinparam packageStyle rectangle
+
+title thalos-domain module map
+
+package "thalos-domain" {
+  package "Policies" {
+    class IdentityPolicyEvaluator
+    class PolicyContextDecision
+  }
+  package "TokenRules" {
+    class TokenIssuancePolicy
+    class TokenFallbackPolicy
+  }
+  package "Abstractions" {
+    interface IIdentityDomainDecision
+  }
+}
+
+package "building-block-identity" {
+  class EvaluateIdentityPolicyRequest
+  class IssueIdentityTokenRequest
+}
+
+EvaluateIdentityPolicyRequest ..> IdentityPolicyEvaluator
+IssueIdentityTokenRequest ..> TokenIssuancePolicy
+
+note bottom
+Domain logic only.
+No transport or persistence implementation.
+end note
+@enduml

docs/architecture/repository-charter.md

@@ -0,0 +1,26 @@
+# Thalos Domain Repository Charter
+
+## Purpose
+`thalos-domain` owns identity domain decisions and policies that are currently mixed into service application components.
+
+## Ownership
+- Identity domain ownership remains strictly inside Thalos.
+- Thalos domain defines policy and token decision semantics.
+
+## Scope
+- Identity policy decision rules
+- Token issuance decision policies
+- Domain-level identity context evaluation
+
+## Out of Scope
+- Transport wiring (gRPC/REST)
+- Persistence providers/repositories
+- BFF edge concerns
+
+## Dependency Boundary
+Allowed direction:
+- `blueprint-platform` -> `building-block-identity` -> `thalos-domain`
+
+Forbidden:
+- Domain references to DAL, Service, or BFF
+- Dependencies on `legacy/`

docs/domain/identity-domain-boundaries.md

@@ -0,0 +1,22 @@
+# Identity Domain Boundary Rules
+
+## Domain Owns
+- Identity policy decision rules
+- Token issuance decision policies
+- Identity decision invariants
+
+## Service Owns
+- Use-case orchestration
+- Transport adaptation
+
+## DAL Owns
+- Persistence/retrieval
+- Technical translation
+
+## BFF Owns
+- Edge contract handling
+- Service client adaptation
+
+## Forbidden
+- Domain references to DAL/Service/BFF
+- Domain transport or persistence implementation

docs/migration/policy-behavior-invariants.md

@@ -0,0 +1,10 @@
+# Policy Behavior Invariants
+
+## Invariants
+- Equivalent policy inputs produce equivalent policy decisions.
+- Token decision fallback behavior remains stable until explicitly revised.
+- Service transport contracts remain stable during domain extraction.
+
+## Validation Approach
+- Capture pre/post decision examples for policy and token flows.
+- Validate delegation path: service orchestrates, domain decides.

docs/migration/service-to-domain-migration-map.md

@@ -0,0 +1,14 @@
+# Thalos Service to Domain Migration Map
+
+## Candidate Migrations
+
+| Current Location | Target Domain Area | Ownership Outcome |
+|---|---|---|
+| service policy evaluation decision branches | Domain/PolicyDecisions | Domain owns policy decision semantics |
+| service token issuance decision branches | Domain/TokenPolicies | Domain owns token policy semantics |
+| service-level identity context decision mapping | Domain/ContextRules | Service remains orchestration-only |
+
+## Service After Extraction
+- Orchestration-only use cases
+- Delegation to domain decision abstractions
+- No direct identity decision ownership

docs/provisioning/checklist.md

@@ -0,0 +1,19 @@
+# Stage 7 Provisioning Checklist - thalos-domain
+
+## Preconditions
+- [ ] Identity ownership rule verified (Thalos-only).
+- [ ] Dependency direction verified against rules/15-workspace-dependency-graph.md.
+
+## Provisioning Scope
+- [ ] Create domain-only module structure.
+- [ ] Define domain contracts and policy abstractions.
+- [ ] Publish domain ownership boundaries and non-goals.
+
+## Guardrails
+- [ ] No runtime wiring changes.
+- [ ] No DAL/provider implementation.
+- [ ] No BFF transport concerns.
+
+## Handoff
+- [ ] Service delegation plan documented.
+- [ ] DAL alignment plan documented.