# Token Policy and Use Cases

## Use-Case Boundaries

- `IIssueIdentityTokenUseCase`: orchestrates token issuance behavior.
- `IEvaluateIdentityPolicyUseCase`: orchestrates policy evaluation behavior.
- `IIdentityTokenReadPort`: DAL-facing identity token boundary.
- `IIdentityPolicyContextReadPort`: DAL/integration-facing identity policy context boundary.

## Contract Integration

- Policy orchestration uses Thalos-owned transport-neutral identity contracts.
- gRPC translation boundaries are isolated behind `IIdentityPolicyGrpcContractAdapter`.
- Service contracts remain transport-neutral at the application boundary.

## Policy Baseline

- Token issuance and policy evaluation are orchestrated in service use cases.
- Data retrieval and persistence details remain in thalos-dal and identity adapters.
- Protocol adaptation remains outside use-case logic.

## Session Extension

- `IStartIdentitySessionUseCase`: orchestrates canonical session login/start behavior.
- `IRefreshIdentitySessionUseCase`: orchestrates canonical session refresh behavior.
- Refresh token security is implemented via provider-agnostic `IIdentitySecretMaterialProvider`.
- Runtime gRPC session contract details are documented in `docs/identity/session-runtime-contract.md`.