# Session Runtime Contract

## Canonical Internal gRPC Operations

`IdentityRuntime` now exposes the canonical session operations consumed by `thalos-bff`:

- `StartIdentitySession`
- `RefreshIdentitySession`
- `IssueIdentityToken` (compatibility)
- `EvaluateIdentityPolicy` (policy guardrail)

## Session Flow

1. BFF calls `StartIdentitySession` with subject/tenant/provider/external token.
2. Service issues an access token through the existing token orchestration.
3. Service generates a refresh token through the provider-agnostic session token codec.
4. BFF calls `RefreshIdentitySession` with the refresh token.
5. Service validates the refresh token signature and expiry, then reissues the session tokens.

## Provider-Agnostic Secret Boundary

Session refresh token signing is bound to `IIdentitySecretMaterialProvider`.

- The contract is provider-neutral.
- Runtime binding is configuration-based by default.
- Vault/cloud/env adapters can be swapped at DI boundaries without changing use-case code.

## Configuration Keys

- `ThalosIdentity:Secrets:SessionSigning`
- `ThalosIdentity:Secrets:Default` (fallback)
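The following is an added illustration of the secret boundary and the refresh-token round trip described above; it is not code from the `IdentityRuntime` service or `thalos-bff`. It assumes a single-method shape for `IIdentitySecretMaterialProvider`, an HMAC-SHA256 `payload.signature` token layout, and a plain dictionary standing in for `IConfiguration`; the adapter, codec, payload and sample values are all hypothetical. The lookup order for the signing secret follows the two configuration keys listed on the page.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Hypothetical shape of the page's IIdentitySecretMaterialProvider: the codec
// depends only on this interface, so a Vault, cloud or env adapter can be
// registered at the DI boundary without touching the codec.
public interface IIdentitySecretMaterialProvider
{
    byte[] GetSessionSigningKey();
}

// Configuration-backed adapter (the page's default binding). A dictionary stands
// in for IConfiguration; the keys and fallback order are the ones the page lists.
public sealed class ConfigurationSecretMaterialProvider : IIdentitySecretMaterialProvider
{
    private readonly IReadOnlyDictionary<string, string> _config;

    public ConfigurationSecretMaterialProvider(IReadOnlyDictionary<string, string> config) => _config = config;

    public byte[] GetSessionSigningKey()
    {
        if (!_config.TryGetValue("ThalosIdentity:Secrets:SessionSigning", out var key) &&
            !_config.TryGetValue("ThalosIdentity:Secrets:Default", out key))
        {
            throw new InvalidOperationException("No session signing secret configured.");
        }
        return Convert.FromBase64String(key);
    }
}

public sealed record RefreshTokenPayload(string Subject, string Tenant, string Provider, long ExpiresAtUnix);

// Minimal refresh-token codec: base64url(payload) '.' base64url(HMAC-SHA256(payload)).
public sealed class SessionTokenCodec
{
    private readonly IIdentitySecretMaterialProvider _secrets;

    public SessionTokenCodec(IIdentitySecretMaterialProvider secrets) => _secrets = secrets;

    public string Encode(RefreshTokenPayload p)
    {
        var body = ToB64Url(Encoding.UTF8.GetBytes($"{p.Subject}|{p.Tenant}|{p.Provider}|{p.ExpiresAtUnix}"));
        return $"{body}.{Sign(body)}";
    }

    // Checks the MAC in constant time before parsing anything, then the expiry.
    public bool TryDecode(string token, DateTimeOffset now, out RefreshTokenPayload? payload)
    {
        payload = null;
        var parts = token.Split('.');
        if (parts.Length != 2) return false;

        var expected = Encoding.ASCII.GetBytes(Sign(parts[0]));
        var actual = Encoding.ASCII.GetBytes(parts[1]);
        if (!CryptographicOperations.FixedTimeEquals(expected, actual)) return false;

        string[] fields;
        try { fields = Encoding.UTF8.GetString(FromB64Url(parts[0])).Split('|'); }
        catch (FormatException) { return false; }

        if (fields.Length != 4 || !long.TryParse(fields[3], out var exp)) return false;
        if (exp <= now.ToUnixTimeSeconds()) return false;

        payload = new RefreshTokenPayload(fields[0], fields[1], fields[2], exp);
        return true;
    }

    private string Sign(string body) =>
        ToB64Url(HMACSHA256.HashData(_secrets.GetSessionSigningKey(), Encoding.ASCII.GetBytes(body)));

    private static string ToB64Url(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    private static byte[] FromB64Url(string s)
    {
        var padded = s.Replace('-', '+').Replace('_', '/');
        padded += new string('=', (4 - padded.Length % 4) % 4);
        return Convert.FromBase64String(padded);
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample configuration: only the fallback key is set, and the
        // value is a throwaway random 32-byte key generated for this run.
        var config = new Dictionary<string, string>
        {
            ["ThalosIdentity:Secrets:Default"] = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32)),
        };
        var codec = new SessionTokenCodec(new ConfigurationSecretMaterialProvider(config));
        var now = DateTimeOffset.UtcNow;

        // StartIdentitySession: issue a refresh token for a subject/tenant/provider triple.
        var token = codec.Encode(new RefreshTokenPayload("user-123", "tenant-a", "oidc", now.AddHours(8).ToUnixTimeSeconds()));

        // RefreshIdentitySession: signature and expiry are checked before any reissue.
        Console.WriteLine(codec.TryDecode(token, now, out var p) ? $"valid for {p!.Subject}" : "invalid");
        Console.WriteLine(codec.TryDecode(token + "x", now, out _) ? "tampered accepted" : "tampered rejected");
        Console.WriteLine(codec.TryDecode(token, now.AddHours(9), out _) ? "expired accepted" : "expired rejected");
    }
}
```

The point the example makes about the boundary: `SessionTokenCodec` never sees configuration keys, Vault paths or environment variables, only the bytes returned by `GetSessionSigningKey()`, which is what lets the adapter be swapped in DI registration alone. The MAC is verified with `CryptographicOperations.FixedTimeEquals` before the payload is parsed, so malformed or forged tokens are rejected without ever being interpreted.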