feat(thalos-service): wire grpc runtime and dal adapters

src/Thalos.Service.Application/Adapters/IdentityCapabilityContractAdapter.cs

@@ -0,0 +1,29 @@
+using Thalos.Service.Identity.Abstractions.Contracts;
+
+namespace Thalos.Service.Application.Adapters;
+
+/// <summary>
+/// Default adapter implementation for identity policy contract composition.
+/// </summary>
+public sealed class IdentityCapabilityContractAdapter : IIdentityCapabilityContractAdapter
+{
+    /// <inheritdoc />
+    public IdentityPolicyContextRequest CreatePolicyContext(EvaluateIdentityPolicyRequest identityRequest)
+    {
+        return new IdentityPolicyContextRequest(
+            identityRequest.SubjectId,
+            identityRequest.TenantId,
+            identityRequest.PermissionCode);
+    }
+
+    /// <inheritdoc />
+    public EvaluateIdentityPolicyResponse MapPolicyResponse(
+        EvaluateIdentityPolicyRequest identityRequest,
+        IdentityPolicyContextResponse contextResponse)
+    {
+        return new EvaluateIdentityPolicyResponse(
+            identityRequest.SubjectId,
+            identityRequest.PermissionCode,
+            contextResponse.ContextSatisfied);
+    }
+}

src/Thalos.Service.Application/Adapters/IdentityPolicyGrpcContractAdapter.cs

@@ -0,0 +1,22 @@
+using Thalos.Service.Application.Grpc;
+using Thalos.Service.Identity.Abstractions.Contracts;
+
+namespace Thalos.Service.Application.Adapters;
+
+/// <summary>
+/// Default adapter implementation for identity policy gRPC contract translation.
+/// </summary>
+public sealed class IdentityPolicyGrpcContractAdapter : IIdentityPolicyGrpcContractAdapter
+{
+    /// <inheritdoc />
+    public EvaluateIdentityPolicyGrpcContract ToGrpc(EvaluateIdentityPolicyRequest request)
+    {
+        return new EvaluateIdentityPolicyGrpcContract(request.SubjectId, request.TenantId, request.PermissionCode);
+    }
+
+    /// <inheritdoc />
+    public EvaluateIdentityPolicyRequest FromGrpc(EvaluateIdentityPolicyGrpcContract contract)
+    {
+        return new EvaluateIdentityPolicyRequest(contract.SubjectId, contract.TenantId, contract.PermissionCode);
+    }
+}

src/Thalos.Service.Application/DependencyInjection/ThalosServiceRuntimeServiceCollectionExtensions.cs

@@ -0,0 +1,37 @@
+using Core.Blueprint.Common.DependencyInjection;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.DependencyInjection.Extensions;
+using Thalos.DAL.DependencyInjection;
+using Thalos.Service.Application.Adapters;
+using Thalos.Service.Application.Ports;
+using Thalos.Service.Application.UseCases;
+
+namespace Thalos.Service.Application.DependencyInjection;
+
+/// <summary>
+/// Registers thalos-service runtime orchestration and DAL adapters.
+/// </summary>
+public static class ThalosServiceRuntimeServiceCollectionExtensions
+{
+    /// <summary>
+    /// Adds thalos-service runtime wiring aligned with blueprint runtime and thalos-dal runtime.
+    /// </summary>
+    /// <param name="services">Service collection.</param>
+    /// <returns>Service collection for fluent chaining.</returns>
+    public static IServiceCollection AddThalosServiceRuntime(this IServiceCollection services)
+    {
+        services.AddBlueprintRuntimeCore();
+        services.AddThalosDalRuntime();
+
+        services.TryAddSingleton<IIdentityCapabilityContractAdapter, IdentityCapabilityContractAdapter>();
+        services.TryAddSingleton<IIdentityPolicyGrpcContractAdapter, IdentityPolicyGrpcContractAdapter>();
+
+        services.TryAddSingleton<IIdentityTokenReadPort, IdentityTokenReadPortDalAdapter>();
+        services.TryAddSingleton<IIdentityPolicyContextReadPort, IdentityPolicyContextReadPortDalAdapter>();
+
+        services.TryAddSingleton<IIssueIdentityTokenUseCase, IssueIdentityTokenUseCase>();
+        services.TryAddSingleton<IEvaluateIdentityPolicyUseCase, EvaluateIdentityPolicyUseCase>();
+
+        return services;
+    }
+}

src/Thalos.Service.Application/Ports/IdentityPolicyContextReadPortDalAdapter.cs

@@ -0,0 +1,49 @@
+using Core.Blueprint.Common.Runtime;
+using Thalos.DAL.Contracts;
+using Thalos.DAL.Repositories;
+using Thalos.Service.Identity.Abstractions.Contracts;
+
+namespace Thalos.Service.Application.Ports;
+
+/// <summary>
+/// Default DAL adapter for identity policy context read port.
+/// </summary>
+public sealed class IdentityPolicyContextReadPortDalAdapter(
+    IIdentityRepository identityRepository,
+    IBlueprintSystemClock clock) : IIdentityPolicyContextReadPort
+{
+    /// <inheritdoc />
+    public async Task<IdentityPolicyContextResponse> ReadPolicyContextAsync(IdentityPolicyContextRequest request)
+    {
+        var policyLookupRequest = new IdentityPolicyLookupRequest(
+            CreateEnvelope(),
+            request.SubjectId,
+            request.TenantId,
+            request.PermissionCode);
+
+        var policyRecord = await identityRepository.ReadIdentityPolicyAsync(policyLookupRequest);
+        if (policyRecord is null)
+        {
+            return new IdentityPolicyContextResponse(request.SubjectId, request.PermissionCode, false);
+        }
+
+        var permissionSetRequest = new IdentityPermissionSetLookupRequest(
+            policyLookupRequest.Envelope,
+            request.SubjectId,
+            request.TenantId);
+
+        var permissions = await identityRepository.ReadPermissionSetAsync(permissionSetRequest);
+        var permissionMatched = permissions.Any(permission =>
+            string.Equals(permission.PermissionCode, request.PermissionCode, StringComparison.OrdinalIgnoreCase));
+
+        return new IdentityPolicyContextResponse(
+            request.SubjectId,
+            request.PermissionCode,
+            policyRecord.ContextSatisfied && permissionMatched);
+    }
+
+    private IdentityContractEnvelope CreateEnvelope()
+    {
+        return new IdentityContractEnvelope("1.0.0", $"corr-{clock.UtcNow:yyyyMMddHHmmssfff}");
+    }
+}

src/Thalos.Service.Application/Ports/IdentityTokenReadPortDalAdapter.cs

@@ -0,0 +1,36 @@
+using Core.Blueprint.Common.Runtime;
+using Thalos.DAL.Contracts;
+using Thalos.DAL.Repositories;
+using Thalos.Service.Identity.Abstractions.Contracts;
+
+namespace Thalos.Service.Application.Ports;
+
+/// <summary>
+/// Default DAL adapter for identity token read port.
+/// </summary>
+public sealed class IdentityTokenReadPortDalAdapter(
+    IIdentityRepository identityRepository,
+    IBlueprintSystemClock clock) : IIdentityTokenReadPort
+{
+    /// <inheritdoc />
+    public async Task<IssueIdentityTokenResponse> IssueTokenAsync(IssueIdentityTokenRequest request)
+    {
+        var lookupRequest = new IdentityTokenLookupRequest(
+            CreateEnvelope(),
+            request.SubjectId,
+            request.TenantId);
+
+        var tokenRecord = await identityRepository.ReadIdentityTokenAsync(lookupRequest);
+        if (tokenRecord is null)
+        {
+            return new IssueIdentityTokenResponse(string.Empty, 0);
+        }
+
+        return new IssueIdentityTokenResponse(tokenRecord.Token, tokenRecord.ExpiresInSeconds);
+    }
+
+    private IdentityContractEnvelope CreateEnvelope()
+    {
+        return new IdentityContractEnvelope("1.0.0", $"corr-{clock.UtcNow:yyyyMMddHHmmssfff}");
+    }
+}

src/Thalos.Service.Application/Thalos.Service.Application.csproj

@@ -5,6 +5,8 @@
     <Nullable>enable</Nullable>
   </PropertyGroup>
   <ItemGroup>
+    <PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="10.0.0" />
+    <ProjectReference Include="..\..\..\thalos-dal\src\Thalos.DAL\Thalos.DAL.csproj" />
     <ProjectReference Include="..\Thalos.Service.Identity.Abstractions\Thalos.Service.Identity.Abstractions.csproj" />
   </ItemGroup>
 </Project>

src/Thalos.Service.Grpc/Program.cs

@@ -1,6 +1,15 @@
+using Thalos.Service.Application.DependencyInjection;
+using Thalos.Service.Grpc.Services;
+
 var builder = WebApplication.CreateBuilder(args);
 
-// Stage 3 skeleton: single active internal protocol policy is gRPC-first.
+builder.Services.AddGrpc();
+builder.Services.AddHealthChecks();
+builder.Services.AddThalosServiceRuntime();
+
 var app = builder.Build();
 
+app.MapGrpcService<IdentityRuntimeGrpcService>();
+app.MapHealthChecks("/healthz");
+
 app.Run();

src/Thalos.Service.Grpc/Protos/identity_runtime.proto

@@ -0,0 +1,32 @@
+syntax = "proto3";
+
+option csharp_namespace = "Thalos.Service.Grpc";
+
+package thalos.service.grpc;
+
+service IdentityRuntime {
+  rpc IssueIdentityToken (IssueIdentityTokenGrpcRequest) returns (IssueIdentityTokenGrpcResponse);
+  rpc EvaluateIdentityPolicy (EvaluateIdentityPolicyGrpcRequest) returns (EvaluateIdentityPolicyGrpcResponse);
+}
+
+message IssueIdentityTokenGrpcRequest {
+  string subject_id = 1;
+  string tenant_id = 2;
+}
+
+message IssueIdentityTokenGrpcResponse {
+  string token = 1;
+  int32 expires_in_seconds = 2;
+}
+
+message EvaluateIdentityPolicyGrpcRequest {
+  string subject_id = 1;
+  string tenant_id = 2;
+  string permission_code = 3;
+}
+
+message EvaluateIdentityPolicyGrpcResponse {
+  string subject_id = 1;
+  string permission_code = 2;
+  bool is_allowed = 3;
+}

src/Thalos.Service.Grpc/Services/IdentityRuntimeGrpcService.cs

@@ -0,0 +1,62 @@
+using Grpc.Core;
+using Thalos.Service.Application.Adapters;
+using Thalos.Service.Application.Grpc;
+using Thalos.Service.Application.UseCases;
+using Thalos.Service.Identity.Abstractions.Contracts;
+
+namespace Thalos.Service.Grpc.Services;
+
+/// <summary>
+/// Internal gRPC endpoint implementation for identity runtime operations.
+/// </summary>
+public sealed class IdentityRuntimeGrpcService(
+    IIssueIdentityTokenUseCase issueIdentityTokenUseCase,
+    IEvaluateIdentityPolicyUseCase evaluateIdentityPolicyUseCase,
+    IIdentityPolicyGrpcContractAdapter grpcContractAdapter) : IdentityRuntime.IdentityRuntimeBase
+{
+    /// <summary>
+    /// Issues identity token through service use-case orchestration.
+    /// </summary>
+    /// <param name="request">gRPC token issuance request.</param>
+    /// <param name="context">gRPC server call context.</param>
+    /// <returns>gRPC token issuance response.</returns>
+    public override async Task<IssueIdentityTokenGrpcResponse> IssueIdentityToken(
+        IssueIdentityTokenGrpcRequest request,
+        ServerCallContext context)
+    {
+        var useCaseRequest = new IssueIdentityTokenRequest(request.SubjectId, request.TenantId);
+        var useCaseResponse = await issueIdentityTokenUseCase.HandleAsync(useCaseRequest);
+
+        return new IssueIdentityTokenGrpcResponse
+        {
+            Token = useCaseResponse.Token,
+            ExpiresInSeconds = useCaseResponse.ExpiresInSeconds
+        };
+    }
+
+    /// <summary>
+    /// Evaluates identity policy through service use-case orchestration.
+    /// </summary>
+    /// <param name="request">gRPC policy evaluation request.</param>
+    /// <param name="context">gRPC server call context.</param>
+    /// <returns>gRPC policy evaluation response.</returns>
+    public override async Task<EvaluateIdentityPolicyGrpcResponse> EvaluateIdentityPolicy(
+        EvaluateIdentityPolicyGrpcRequest request,
+        ServerCallContext context)
+    {
+        var grpcContract = new EvaluateIdentityPolicyGrpcContract(
+            request.SubjectId,
+            request.TenantId,
+            request.PermissionCode);
+
+        var useCaseRequest = grpcContractAdapter.FromGrpc(grpcContract);
+        var useCaseResponse = await evaluateIdentityPolicyUseCase.HandleAsync(useCaseRequest);
+
+        return new EvaluateIdentityPolicyGrpcResponse
+        {
+            SubjectId = useCaseResponse.SubjectId,
+            PermissionCode = useCaseResponse.PermissionCode,
+            IsAllowed = useCaseResponse.IsAllowed
+        };
+    }
+}

src/Thalos.Service.Grpc/Thalos.Service.Grpc.csproj

@@ -5,6 +5,14 @@
     <ImplicitUsings>enable</ImplicitUsings>
   </PropertyGroup>
   <ItemGroup>
+    <PackageReference Include="Grpc.AspNetCore" Version="2.71.0" />
+    <PackageReference Include="Grpc.Tools" Version="2.71.0">
+      <PrivateAssets>all</PrivateAssets>
+      <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
+    </PackageReference>
+  </ItemGroup>
+  <ItemGroup>
+    <Protobuf Include="Protos\identity_runtime.proto" GrpcServices="Server" />
     <ProjectReference Include="..\Thalos.Service.Application\Thalos.Service.Application.csproj" />
     <ProjectReference Include="..\Thalos.Service.Identity.Abstractions\Thalos.Service.Identity.Abstractions.csproj" />
   </ItemGroup>

tests/Thalos.Service.Application.UnitTests/RuntimeWiringTests.cs

@@ -0,0 +1,73 @@
+using Microsoft.Extensions.DependencyInjection;
+using Thalos.Service.Application.Adapters;
+using Thalos.Service.Application.DependencyInjection;
+using Thalos.Service.Application.Grpc;
+using Thalos.Service.Application.UseCases;
+using Thalos.Service.Identity.Abstractions.Contracts;
+
+namespace Thalos.Service.Application.UnitTests;
+
+public class RuntimeWiringTests
+{
+    [Fact]
+    public async Task AddThalosServiceRuntime_WhenInvoked_ResolvesUseCases()
+    {
+        var services = new ServiceCollection();
+        services.AddThalosServiceRuntime();
+
+        using var provider = services.BuildServiceProvider();
+        var issueTokenUseCase = provider.GetRequiredService<IIssueIdentityTokenUseCase>();
+        var evaluatePolicyUseCase = provider.GetRequiredService<IEvaluateIdentityPolicyUseCase>();
+
+        var tokenResponse = await issueTokenUseCase.HandleAsync(new IssueIdentityTokenRequest("user-1", "tenant-1"));
+        var policyResponse = await evaluatePolicyUseCase.HandleAsync(
+            new EvaluateIdentityPolicyRequest("user-1", "tenant-1", "identity.token.issue"));
+
+        Assert.Equal("user-1:tenant-1:token", tokenResponse.Token);
+        Assert.Equal(1800, tokenResponse.ExpiresInSeconds);
+        Assert.True(policyResponse.IsAllowed);
+    }
+
+    [Fact]
+    public async Task AddThalosServiceRuntime_WhenSubjectMissing_ReturnsEmptyToken()
+    {
+        var services = new ServiceCollection();
+        services.AddThalosServiceRuntime();
+
+        using var provider = services.BuildServiceProvider();
+        var issueTokenUseCase = provider.GetRequiredService<IIssueIdentityTokenUseCase>();
+
+        var tokenResponse = await issueTokenUseCase.HandleAsync(
+            new IssueIdentityTokenRequest("missing-user", "tenant-1"));
+
+        Assert.Equal(string.Empty, tokenResponse.Token);
+        Assert.Equal(0, tokenResponse.ExpiresInSeconds);
+    }
+
+    [Fact]
+    public void IdentityPolicyGrpcContractAdapter_WhenMapped_PreservesValues()
+    {
+        var adapter = new IdentityPolicyGrpcContractAdapter();
+        var useCaseRequest = new EvaluateIdentityPolicyRequest("user-2", "tenant-2", "identity.policy.evaluate");
+
+        var grpcContract = adapter.ToGrpc(useCaseRequest);
+        var roundtrip = adapter.FromGrpc(grpcContract);
+
+        Assert.Equal("user-2", roundtrip.SubjectId);
+        Assert.Equal("tenant-2", roundtrip.TenantId);
+        Assert.Equal("identity.policy.evaluate", roundtrip.PermissionCode);
+    }
+
+    [Fact]
+    public void IdentityPolicyGrpcContractAdapter_WhenFromGrpc_UsesExpectedContractShape()
+    {
+        var adapter = new IdentityPolicyGrpcContractAdapter();
+        var contract = new EvaluateIdentityPolicyGrpcContract("subject-9", "tenant-9", "identity.token.issue");
+
+        var request = adapter.FromGrpc(contract);
+
+        Assert.Equal("subject-9", request.SubjectId);
+        Assert.Equal("tenant-9", request.TenantId);
+        Assert.Equal("identity.token.issue", request.PermissionCode);
+    }
+}

tests/Thalos.Service.Application.UnitTests/Thalos.Service.Application.UnitTests.csproj

@@ -7,6 +7,7 @@
   </PropertyGroup>
   <ItemGroup>
     <PackageReference Include="coverlet.collector" Version="6.0.4" />
+    <PackageReference Include="Microsoft.Extensions.DependencyInjection" Version="10.0.0" />
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.14.1" />
     <PackageReference Include="xunit" Version="2.9.3" />
     <PackageReference Include="xunit.runner.visualstudio" Version="3.1.4" />