# Thalos Service Orchestration Boundary
## Purpose
Constrain thalos-service to orchestration responsibilities after thalos-domain extraction.
## Service Responsibilities
- Coordinate identity use-case flow
- Delegate policy/token decisions to thalos-domain abstractions
- Adapt transport contracts
- Route provider metadata (`InternalJwt`, `AzureAd`, `Google`) between edge/service/dal boundaries
- Orchestrate Google external-token claim validation through provider-agnostic secret/material boundaries
## Prohibited Responsibilities
- Owning identity decision policies
- Owning persistence decision concerns
- Coupling use-cases directly to Vault/cloud provider SDKs
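
An added sketch (not Thalos code) of the boundary described above, for the Google claim-validation flow: the use case routes provider metadata and delegates the accept/reject decision to a domain policy, reaching secret material only through a port. All class names, the `Google/audience` key and the sample claims are hypothetical, and the claims are assumed to be already decoded and signature-verified upstream.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Mapping, Protocol, Tuple

class Provider(Enum):  # provider metadata values listed on the page
    INTERNAL_JWT = "InternalJwt"
    AZURE_AD = "AzureAd"
    GOOGLE = "Google"

class MaterialSource(Protocol):  # hypothetical provider-agnostic secret/material port
    def get(self, name: str) -> str: ...

class ClaimPolicy(Protocol):  # hypothetical stand-in for a thalos-domain abstraction
    def decide(self, claims: Mapping, audience: str, now: int) -> Tuple[bool, str]: ...

class GoogleClaimPolicy:  # domain side: owns the accept/reject decision
    ISSUERS = ("https://accounts.google.com", "accounts.google.com")
    def decide(self, claims, audience, now):
        if claims.get("iss") not in self.ISSUERS:
            return False, "issuer"
        if claims.get("aud") != audience:
            return False, "audience"
        if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
            return False, "expired"
        return True, "ok"

class InMemoryMaterial:  # constructed adapter; a Vault or cloud adapter would implement the same port
    def __init__(self, values):
        self._values = dict(values)
    def get(self, name):
        return self._values[name]

@dataclass(frozen=True)
class ExternalTokenUseCase:  # service side: routes and delegates, decides nothing itself
    material: MaterialSource
    policies: Mapping[Provider, ClaimPolicy]
    def validate(self, provider: Provider, claims: Mapping, now: int) -> dict:
        policy = self.policies.get(provider)
        if policy is None:  # fail closed when no domain policy is registered
            return {"provider": provider.value, "accepted": False, "reason": "unsupported_provider"}
        audience = self.material.get(f"{provider.value}/audience")  # hypothetical key name
        accepted, reason = policy.decide(claims, audience, now)
        return {"provider": provider.value, "accepted": accepted, "reason": reason}

def demo():  # constructed claims and audience value
    use_case = ExternalTokenUseCase(InMemoryMaterial({"Google/audience": "example-client-id"}),
                                    {Provider.GOOGLE: GoogleClaimPolicy()})
    claims = {"iss": "https://accounts.google.com", "aud": "example-client-id", "exp": 2000}
    return use_case.validate(Provider.GOOGLE, claims, now=1000)
```

Because the use case imports no SDK and holds no decision logic, swapping `InMemoryMaterial` for a real secret-store adapter or changing the issuer rules touches only the adapter or the domain policy.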