# Thalos Service Orchestration Boundary

## Purpose

Constrain thalos-service to orchestration responsibilities after thalos-domain extraction.

## Service Responsibilities

- Coordinate identity use-case flow
- Delegate policy/token decisions to thalos-domain abstractions
- Adapt transport contracts
- Route provider metadata (`InternalJwt`, `AzureAd`, `Google`) between edge/service/dal boundaries
- Orchestrate Google external-token claim validation through provider-agnostic secret/material boundaries

## Prohibited Responsibilities

- Owning identity decision policies
- Owning persistence decision concerns
- Coupling use-cases directly to Vault/cloud provider SDKs