feat(identity): add policy contract integration

- WHY: enforce identity-only contract boundaries for policy orchestration
- WHAT: add thalos-owned policy contracts, adapters, and grpc translation surfaces
- RULE: apply workspace dependency graph and identity ownership constraints

docs/architecture/thalos-service-modules.puml

@@ -5,25 +5,32 @@ package "thalos-service" {
   package "Thalos.Service.Identity.Abstractions" {
     class IssueIdentityTokenRequest
     class IssueIdentityTokenResponse
+    class EvaluateIdentityPolicyRequest
+    class EvaluateIdentityPolicyResponse
+    class IdentityPolicyContextRequest
+    class IdentityPolicyContextResponse
+    class ThalosIdentityPackageContract
     interface IdentityAbstractionBoundary
   }
 
   package "Thalos.Service.Application" {
     interface IIssueIdentityTokenUseCase
     class IssueIdentityTokenUseCase
+    interface IEvaluateIdentityPolicyUseCase
+    class EvaluateIdentityPolicyUseCase
     interface IIdentityTokenReadPort
+    interface IIdentityPolicyContextReadPort
+    interface IIdentityCapabilityContractAdapter
+    interface IIdentityPolicyGrpcContractAdapter
   }
 
   package "Thalos.Service.Grpc" {
     class Program
   }
-
-  IssueIdentityTokenUseCase ..|> IIssueIdentityTokenUseCase
-  IssueIdentityTokenUseCase --> IIdentityTokenReadPort
-  IIssueIdentityTokenUseCase --> IssueIdentityTokenRequest
-  IIssueIdentityTokenUseCase --> IssueIdentityTokenResponse
 }
 
 package "thalos-dal" as ThalosDal
+
+IIdentityPolicyContextReadPort ..> ThalosDal
 IIdentityTokenReadPort ..> ThalosDal
 @enduml

docs/identity/token-policy-and-use-cases.md

@@ -3,10 +3,18 @@
 ## Use-Case Boundaries
 
 - `IIssueIdentityTokenUseCase`: orchestrates token issuance behavior.
+- `IEvaluateIdentityPolicyUseCase`: orchestrates policy evaluation behavior.
 - `IIdentityTokenReadPort`: DAL-facing identity token boundary.
+- `IIdentityPolicyContextReadPort`: DAL/integration-facing identity policy context boundary.
+
+## Contract Integration
+
+- Policy orchestration uses Thalos-owned transport-neutral identity contracts.
+- gRPC translation boundaries are isolated behind `IIdentityPolicyGrpcContractAdapter`.
+- Service contracts remain transport-neutral at the application boundary.
 
 ## Policy Baseline
 
-- Token issuance policy is orchestrated in service use cases.
+- Token issuance and policy evaluation are orchestrated in service use cases.
-- Data retrieval and persistence details remain in thalos-dal.
+- Data retrieval and persistence details remain in thalos-dal and identity adapters.
 - Protocol adaptation remains outside use-case logic.

src/Thalos.Service.Application/Adapters/IIdentityCapabilityContractAdapter.cs

@@ -0,0 +1,26 @@
+using Thalos.Service.Identity.Abstractions.Contracts;
+
+namespace Thalos.Service.Application.Adapters;
+
+/// <summary>
+/// Defines adapter boundary for integrating identity contracts into policy use cases.
+/// </summary>
+public interface IIdentityCapabilityContractAdapter
+{
+    /// <summary>
+    /// Creates a transport-neutral context request for policy evaluation.
+    /// </summary>
+    /// <param name="identityRequest">Identity policy request.</param>
+    /// <returns>Identity policy context request.</returns>
+    IdentityPolicyContextRequest CreatePolicyContext(EvaluateIdentityPolicyRequest identityRequest);
+
+    /// <summary>
+    /// Maps policy context response into identity policy response.
+    /// </summary>
+    /// <param name="identityRequest">Identity policy request.</param>
+    /// <param name="contextResponse">Identity policy context response.</param>
+    /// <returns>Identity policy response.</returns>
+    EvaluateIdentityPolicyResponse MapPolicyResponse(
+        EvaluateIdentityPolicyRequest identityRequest,
+        IdentityPolicyContextResponse contextResponse);
+}

src/Thalos.Service.Application/Adapters/IIdentityPolicyGrpcContractAdapter.cs

@@ -0,0 +1,24 @@
+using Thalos.Service.Application.Grpc;
+using Thalos.Service.Identity.Abstractions.Contracts;
+
+namespace Thalos.Service.Application.Adapters;
+
+/// <summary>
+/// Defines adapter boundary for gRPC contract translation of identity policy flows.
+/// </summary>
+public interface IIdentityPolicyGrpcContractAdapter
+{
+    /// <summary>
+    /// Maps transport-neutral request into gRPC contract shape.
+    /// </summary>
+    /// <param name="request">Identity policy request.</param>
+    /// <returns>gRPC policy contract.</returns>
+    EvaluateIdentityPolicyGrpcContract ToGrpc(EvaluateIdentityPolicyRequest request);
+
+    /// <summary>
+    /// Maps gRPC contract into transport-neutral request.
+    /// </summary>
+    /// <param name="contract">gRPC policy contract.</param>
+    /// <returns>Identity policy request.</returns>
+    EvaluateIdentityPolicyRequest FromGrpc(EvaluateIdentityPolicyGrpcContract contract);
+}

src/Thalos.Service.Application/Grpc/EvaluateIdentityPolicyGrpcContract.cs

@@ -0,0 +1,9 @@
+namespace Thalos.Service.Application.Grpc;
+
+/// <summary>
+/// Defines minimal gRPC contract shape for identity policy adapter translation.
+/// </summary>
+/// <param name="SubjectId">Identity subject identifier.</param>
+/// <param name="TenantId">Tenant scope identifier.</param>
+/// <param name="PermissionCode">Permission code to evaluate.</param>
+public sealed record EvaluateIdentityPolicyGrpcContract(string SubjectId, string TenantId, string PermissionCode);

src/Thalos.Service.Application/Ports/IIdentityPolicyContextReadPort.cs

@@ -0,0 +1,16 @@
+using Thalos.Service.Identity.Abstractions.Contracts;
+
+namespace Thalos.Service.Application.Ports;
+
+/// <summary>
+/// Defines DAL/integration read boundary for identity policy context contracts.
+/// </summary>
+public interface IIdentityPolicyContextReadPort
+{
+    /// <summary>
+    /// Reads identity policy context for policy evaluation.
+    /// </summary>
+    /// <param name="request">Identity policy context request.</param>
+    /// <returns>Identity policy context response.</returns>
+    Task<IdentityPolicyContextResponse> ReadPolicyContextAsync(IdentityPolicyContextRequest request);
+}

src/Thalos.Service.Application/UseCases/EvaluateIdentityPolicyUseCase.cs

@@ -0,0 +1,23 @@
+using Thalos.Service.Application.Adapters;
+using Thalos.Service.Application.Ports;
+using Thalos.Service.Identity.Abstractions.Contracts;
+
+namespace Thalos.Service.Application.UseCases;
+
+/// <summary>
+/// Default orchestration implementation for identity policy evaluation.
+/// </summary>
+public sealed class EvaluateIdentityPolicyUseCase(
+    IIdentityCapabilityContractAdapter contractAdapter,
+    IIdentityPolicyContextReadPort policyContextReadPort)
+    : IEvaluateIdentityPolicyUseCase
+{
+    /// <inheritdoc />
+    public async Task<EvaluateIdentityPolicyResponse> HandleAsync(EvaluateIdentityPolicyRequest request)
+    {
+        var policyContextRequest = contractAdapter.CreatePolicyContext(request);
+        var policyContextResponse = await policyContextReadPort.ReadPolicyContextAsync(policyContextRequest);
+
+        return contractAdapter.MapPolicyResponse(request, policyContextResponse);
+    }
+}

src/Thalos.Service.Application/UseCases/IEvaluateIdentityPolicyUseCase.cs

@@ -0,0 +1,16 @@
+using Thalos.Service.Identity.Abstractions.Contracts;
+
+namespace Thalos.Service.Application.UseCases;
+
+/// <summary>
+/// Defines orchestration boundary for identity policy evaluation.
+/// </summary>
+public interface IEvaluateIdentityPolicyUseCase
+{
+    /// <summary>
+    /// Handles identity policy evaluation.
+    /// </summary>
+    /// <param name="request">Identity policy request contract.</param>
+    /// <returns>Identity policy response contract.</returns>
+    Task<EvaluateIdentityPolicyResponse> HandleAsync(EvaluateIdentityPolicyRequest request);
+}

src/Thalos.Service.Identity.Abstractions/Contracts/EvaluateIdentityPolicyRequest.cs

@@ -0,0 +1,9 @@
+namespace Thalos.Service.Identity.Abstractions.Contracts;
+
+/// <summary>
+/// Transport-neutral request contract for identity policy evaluation.
+/// </summary>
+/// <param name="SubjectId">Identity subject identifier.</param>
+/// <param name="TenantId">Tenant scope identifier.</param>
+/// <param name="PermissionCode">Permission code to evaluate.</param>
+public sealed record EvaluateIdentityPolicyRequest(string SubjectId, string TenantId, string PermissionCode);

src/Thalos.Service.Identity.Abstractions/Contracts/EvaluateIdentityPolicyResponse.cs

@@ -0,0 +1,9 @@
+namespace Thalos.Service.Identity.Abstractions.Contracts;
+
+/// <summary>
+/// Transport-neutral response contract for identity policy evaluation.
+/// </summary>
+/// <param name="SubjectId">Identity subject identifier.</param>
+/// <param name="PermissionCode">Permission code evaluated.</param>
+/// <param name="IsAllowed">Policy result.</param>
+public sealed record EvaluateIdentityPolicyResponse(string SubjectId, string PermissionCode, bool IsAllowed);

src/Thalos.Service.Identity.Abstractions/Contracts/IdentityPolicyContextRequest.cs

@@ -0,0 +1,9 @@
+namespace Thalos.Service.Identity.Abstractions.Contracts;
+
+/// <summary>
+/// Transport-neutral request contract for identity policy context retrieval.
+/// </summary>
+/// <param name="SubjectId">Identity subject identifier.</param>
+/// <param name="TenantId">Tenant scope identifier.</param>
+/// <param name="PermissionCode">Permission code to evaluate.</param>
+public sealed record IdentityPolicyContextRequest(string SubjectId, string TenantId, string PermissionCode);

src/Thalos.Service.Identity.Abstractions/Contracts/IdentityPolicyContextResponse.cs

@@ -0,0 +1,9 @@
+namespace Thalos.Service.Identity.Abstractions.Contracts;
+
+/// <summary>
+/// Transport-neutral response contract for identity policy context retrieval.
+/// </summary>
+/// <param name="SubjectId">Identity subject identifier.</param>
+/// <param name="PermissionCode">Permission code evaluated.</param>
+/// <param name="ContextSatisfied">Indicates whether context satisfies policy preconditions.</param>
+public sealed record IdentityPolicyContextResponse(string SubjectId, string PermissionCode, bool ContextSatisfied);

src/Thalos.Service.Identity.Abstractions/Contracts/ThalosIdentityPackageContract.cs

@@ -0,0 +1,15 @@
+using Core.Blueprint.Common.Contracts;
+
+namespace Thalos.Service.Identity.Abstractions.Contracts;
+
+/// <summary>
+/// Defines package descriptor metadata for Thalos identity abstractions.
+/// </summary>
+public sealed class ThalosIdentityPackageContract : IBlueprintPackageContract
+{
+    /// <inheritdoc />
+    public BlueprintPackageDescriptor Descriptor { get; } = new(
+        "Thalos.Service.Identity.Abstractions",
+        PackageVersionPolicy.Minor,
+        ["Core.Blueprint.Common"]);
+}

src/Thalos.Service.Identity.Abstractions/Thalos.Service.Identity.Abstractions.csproj

@@ -4,4 +4,7 @@
     <ImplicitUsings>enable</ImplicitUsings>
     <Nullable>enable</Nullable>
   </PropertyGroup>
+  <ItemGroup>
+    <ProjectReference Include="..\..\..\blueprint-platform\src\Core.Blueprint.Common\Core.Blueprint.Common.csproj" />
+  </ItemGroup>
 </Project>

tests/Thalos.Service.Application.UnitTests/EvaluateIdentityPolicyUseCaseTests.cs

@@ -0,0 +1,49 @@
+using Thalos.Service.Application.Adapters;
+using Thalos.Service.Application.Ports;
+using Thalos.Service.Application.UseCases;
+using Thalos.Service.Identity.Abstractions.Contracts;
+
+namespace Thalos.Service.Application.UnitTests;
+
+public class EvaluateIdentityPolicyUseCaseTests
+{
+    [Fact]
+    public async Task HandleAsync_WhenCalled_UsesIdentityContractsAndReturnsMappedResponse()
+    {
+        var useCase = new EvaluateIdentityPolicyUseCase(
+            new FakeIdentityCapabilityContractAdapter(),
+            new FakeIdentityPolicyContextReadPort());
+
+        var response = await useCase.HandleAsync(new EvaluateIdentityPolicyRequest("subject-1", "tenant-1", "perm.read"));
+
+        Assert.Equal("subject-1", response.SubjectId);
+        Assert.Equal("perm.read", response.PermissionCode);
+        Assert.True(response.IsAllowed);
+    }
+
+    private sealed class FakeIdentityCapabilityContractAdapter : IIdentityCapabilityContractAdapter
+    {
+        public IdentityPolicyContextRequest CreatePolicyContext(EvaluateIdentityPolicyRequest identityRequest)
+        {
+            return new IdentityPolicyContextRequest(identityRequest.SubjectId, identityRequest.TenantId, identityRequest.PermissionCode);
+        }
+
+        public EvaluateIdentityPolicyResponse MapPolicyResponse(
+            EvaluateIdentityPolicyRequest identityRequest,
+            IdentityPolicyContextResponse contextResponse)
+        {
+            return new EvaluateIdentityPolicyResponse(
+                identityRequest.SubjectId,
+                identityRequest.PermissionCode,
+                contextResponse.ContextSatisfied);
+        }
+    }
+
+    private sealed class FakeIdentityPolicyContextReadPort : IIdentityPolicyContextReadPort
+    {
+        public Task<IdentityPolicyContextResponse> ReadPolicyContextAsync(IdentityPolicyContextRequest request)
+        {
+            return Task.FromResult(new IdentityPolicyContextResponse(request.SubjectId, request.PermissionCode, true));
+        }
+    }
+}