docs/identity/session-runtime-contract.md

@@ -26,8 +26,6 @@ Session refresh token signing is bound to `IIdentitySecretMaterialProvider`.
 - Runtime binding is configuration-based by default.
 - Vault/cloud/env adapters can be swapped at DI boundaries without changing use-case code.
 - OIDC provider material uses the same boundary (no provider SDK coupling in use-case logic).
-- Missing secrets fail explicitly at runtime; the service no longer falls back to a baked-in signing secret.
-- `AddThalosServiceRuntime()` only provides a local in-memory session-signing default when no host configuration is present, so isolated tests and developer runs stay deterministic without changing production behavior.
 
 ## Configuration Keys
 
@@ -35,9 +33,3 @@ Session refresh token signing is bound to `IIdentitySecretMaterialProvider`.
 - `ThalosIdentity:Secrets:Oidc:Google:ClientId`
 - `ThalosIdentity:Secrets:Oidc:Google:Issuer` (optional, defaults to `https://accounts.google.com`)
 - `ThalosIdentity:Secrets:Default` (fallback)
-
-## Production Expectation
-
-- Production hosts must provide `ThalosIdentity:Secrets:SessionSigning`.
-- Google OIDC validation must provide `ThalosIdentity:Secrets:Oidc:Google:ClientId`.
-- The optional `Default` key is intended for non-sensitive shared local/test values, not as a production substitute for explicit signing material.

docs/runbooks/containerization.md

@@ -28,5 +28,3 @@ docker run --rm -p 8080:8080 \
 
 - Exposes internal identity runtime endpoint set and gRPC service.
 - Google OIDC claim validation requires `ThalosIdentity:Secrets:Oidc:Google:ClientId`.
-- Session refresh signing requires `ThalosIdentity:Secrets:SessionSigning`; there is no baked-in production fallback secret.
-- If the host does not provide configuration, `AddThalosServiceRuntime()` supplies a local in-memory session-signing default strictly for isolated tests and developer-only runtime wiring.

src/Thalos.Service.Application/DependencyInjection/ThalosServiceRuntimeServiceCollectionExtensions.cs

@@ -18,12 +18,6 @@ namespace Thalos.Service.Application.DependencyInjection;
 /// </summary>
 public static class ThalosServiceRuntimeServiceCollectionExtensions
 {
-    private static readonly IReadOnlyDictionary<string, string?> LocalRuntimeDefaults =
-        new Dictionary<string, string?>(StringComparer.Ordinal)
-        {
-            ["ThalosIdentity:Secrets:SessionSigning"] = "thalos-local-session-signing-secret"
-        };
-
     /// <summary>
     /// Adds thalos-service runtime wiring aligned with blueprint runtime and thalos-dal runtime.
     /// </summary>
@@ -34,8 +28,7 @@ public static class ThalosServiceRuntimeServiceCollectionExtensions
         services.AddBlueprintRuntimeCore();
         services.AddThalosDalRuntime();
         services.TryAddSingleton<IConfiguration>(_ =>
-            // Local-only defaults keep isolated tests and developer runs deterministic.
+            new ConfigurationBuilder().AddInMemoryCollection().Build());
-            new ConfigurationBuilder().AddInMemoryCollection(LocalRuntimeDefaults).Build());
         services.TryAddSingleton<IIdentityPolicyDecisionService, IdentityPolicyDecisionService>();
         services.TryAddSingleton<IIdentityTokenDecisionService, IdentityTokenDecisionService>();
 

src/Thalos.Service.Application/Secrets/ConfigurationIdentitySecretMaterialProvider.cs

@@ -8,6 +8,8 @@ namespace Thalos.Service.Application.Secrets;
 public sealed class ConfigurationIdentitySecretMaterialProvider(IConfiguration configuration)
     : IIdentitySecretMaterialProvider
 {
+    private const string FallbackSecret = "thalos-dev-secret";
+
     /// <inheritdoc />
     public bool TryGetSecret(string secretKey, out string secretValue)
     {
@@ -37,8 +39,7 @@ public sealed class ConfigurationIdentitySecretMaterialProvider(IConfiguration c
         {
             return secretValue;
         }
-
+        
-        throw new InvalidOperationException(
+        return FallbackSecret;
-            $"Identity secret '{secretKey}' is not configured for the current runtime.");
     }
 }

src/Thalos.Service.Application/Secrets/IIdentitySecretMaterialProvider.cs

@@ -18,6 +18,5 @@ public interface IIdentitySecretMaterialProvider
     /// </summary>
     /// <param name="secretKey">Logical secret key.</param>
     /// <returns>Secret material value.</returns>
-    /// <exception cref="InvalidOperationException">Thrown when the secret is not available in the active runtime.</exception>
     string GetSecret(string secretKey);
 }

tests/Thalos.Service.Application.UnitTests/ConfigurationIdentitySecretMaterialProviderTests.cs

@@ -1,56 +0,0 @@
-using Microsoft.Extensions.Configuration;
-using Thalos.Service.Application.Secrets;
-
-namespace Thalos.Service.Application.UnitTests;
-
-public class ConfigurationIdentitySecretMaterialProviderTests
-{
-    [Fact]
-    public void TryGetSecret_WhenScopedSecretConfigured_ReturnsScopedValue()
-    {
-        var provider = CreateProvider(new Dictionary<string, string?>
-        {
-            ["ThalosIdentity:Secrets:SessionSigning"] = "scoped-secret",
-            ["ThalosIdentity:Secrets:Default"] = "default-secret"
-        });
-
-        var ok = provider.TryGetSecret("SessionSigning", out var secretValue);
-
-        Assert.True(ok);
-        Assert.Equal("scoped-secret", secretValue);
-    }
-
-    [Fact]
-    public void TryGetSecret_WhenScopedSecretMissing_UsesDefaultSecret()
-    {
-        var provider = CreateProvider(new Dictionary<string, string?>
-        {
-            ["ThalosIdentity:Secrets:Default"] = "default-secret"
-        });
-
-        var ok = provider.TryGetSecret("MissingSecret", out var secretValue);
-
-        Assert.True(ok);
-        Assert.Equal("default-secret", secretValue);
-    }
-
-    [Fact]
-    public void GetSecret_WhenSecretMissing_ThrowsExplicitRuntimeError()
-    {
-        var provider = CreateProvider(new Dictionary<string, string?>());
-
-        var error = Assert.Throws<InvalidOperationException>(() => provider.GetSecret("SessionSigning"));
-
-        Assert.Contains("SessionSigning", error.Message, StringComparison.Ordinal);
-    }
-
-    private static ConfigurationIdentitySecretMaterialProvider CreateProvider(
-        IReadOnlyDictionary<string, string?> configurationValues)
-    {
-        var configuration = new ConfigurationBuilder()
-            .AddInMemoryCollection(configurationValues)
-            .Build();
-
-        return new ConfigurationIdentitySecretMaterialProvider(configuration);
-    }
-}

tests/Thalos.Service.Application.UnitTests/HmacIdentitySessionTokenCodecTests.cs

@@ -42,21 +42,6 @@ public class HmacIdentitySessionTokenCodecTests
         Assert.False(ok);
     }
 
-    [Fact]
-    public void Encode_WhenSigningSecretUnavailable_ThrowsExplicitRuntimeError()
-    {
-        var codec = new HmacIdentitySessionTokenCodec(new MissingSecretMaterialProvider());
-        var descriptor = new IdentitySessionDescriptor(
-            "user-9",
-            "tenant-9",
-            IdentityAuthProvider.InternalJwt,
-            DateTimeOffset.UtcNow.AddMinutes(5));
-
-        var error = Assert.Throws<InvalidOperationException>(() => codec.Encode(descriptor));
-
-        Assert.Contains("SessionSigning", error.Message, StringComparison.Ordinal);
-    }
-
     private sealed class FakeSecretMaterialProvider : IIdentitySecretMaterialProvider
     {
         public bool TryGetSecret(string secretKey, out string secretValue)
@@ -67,19 +52,4 @@ public class HmacIdentitySessionTokenCodecTests
 
         public string GetSecret(string secretKey) => "unit-test-secret";
     }
-
-    private sealed class MissingSecretMaterialProvider : IIdentitySecretMaterialProvider
-    {
-        public bool TryGetSecret(string secretKey, out string secretValue)
-        {
-            secretValue = string.Empty;
-            return false;
-        }
-
-        public string GetSecret(string secretKey)
-        {
-            throw new InvalidOperationException(
-                $"Identity secret '{secretKey}' is not configured for the current runtime.");
-        }
-    }
 }