Merge all changes

.gitea/workflows/advisory-ai-release.yml

@@ -15,7 +15,7 @@ on:
 
 jobs:
   package-feeds:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     env:
       COSIGN_PRIVATE_KEY_B64: ${{ secrets.COSIGN_PRIVATE_KEY_B64 }}
       COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
@@ -68,3 +68,4 @@ jobs:
             out/advisory-ai/feeds/provenance.json
           if-no-files-found: warn
           retention-days: 30
+

.gitea/workflows/airgap-sealed-ci.yml

@@ -14,7 +14,7 @@ on:
 
 jobs:
   sealed-smoke:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     permissions:
       contents: read
     steps:
@@ -26,3 +26,4 @@ jobs:
         run: pip install dnslib
       - name: Run sealed-mode smoke
         run: sudo devops/airgap/sealed-ci-smoke.sh
+

.gitea/workflows/aoc-backfill-release.yml

@@ -14,7 +14,7 @@ on:
 
 jobs:
   package-backfill:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     env:
       COSIGN_PRIVATE_KEY_B64: ${{ secrets.COSIGN_PRIVATE_KEY_B64 }}
       COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
@@ -81,3 +81,4 @@ jobs:
             out/aoc/SHA256SUMS
           if-no-files-found: warn
           retention-days: 30
+

.gitea/workflows/aoc-guard.yml

@@ -22,7 +22,7 @@ on:
 
 jobs:
   aoc-guard:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     env:
       DOTNET_VERSION: '10.0.100'
       ARTIFACT_DIR: ${{ github.workspace }}/.artifacts
@@ -100,7 +100,7 @@ jobs:
 
   aoc-verify:
     needs: aoc-guard
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     if: github.event_name != 'schedule'
     env:
       DOTNET_VERSION: '10.0.100'
@@ -168,3 +168,4 @@ jobs:
         with:
           name: aoc-verify-artifacts
           path: ${{ env.ARTIFACT_DIR }}
+

.gitea/workflows/authority-key-rotation.yml

@@ -50,7 +50,7 @@ on:
 
 jobs:
   rotate:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     environment: ${{ inputs.environment }}
     steps:
       - name: Checkout repository
@@ -164,3 +164,4 @@ jobs:
           echo "Key Path: ${{ inputs.key_path }}"
           echo "Source: ${{ inputs.source }}"
           echo "Algorithm: ${{ inputs.algorithm }}"
+

.gitea/workflows/build-test-deploy.yml

@@ -55,7 +55,7 @@ env:
 
 jobs:
   profile-validation:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -82,7 +82,7 @@ jobs:
         run: ./devops/tools/validate-profiles.sh
 
   build-test:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     environment: ${{ github.event_name == 'pull_request' && 'preview' || 'staging' }}
     env:
       PUBLISH_DIR: ${{ github.workspace }}/artifacts/publish/webservice
@@ -590,7 +590,7 @@ PY
   # Quality Gates Foundation (Sprint 0350)
   # ============================================================================
   quality-gates:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     needs: build-test
     permissions:
       contents: read
@@ -674,7 +674,7 @@ PY
           retention-days: 14
 
   security-testing:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     needs: build-test
     if: github.event_name == 'pull_request' || github.event_name == 'schedule'
     permissions:
@@ -717,7 +717,7 @@ PY
           retention-days: 30
 
   mutation-testing:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     needs: build-test
     if: github.event_name == 'schedule' || (github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'mutation-test'))
     permissions:
@@ -790,7 +790,7 @@ PY
           fi
 
   sealed-mode-ci:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     needs: build-test
     permissions:
       contents: read
@@ -828,7 +828,7 @@ PY
           retention-days: 14
 
   authority-container:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     needs: build-test
     steps:
       - name: Checkout repository
@@ -843,7 +843,7 @@ PY
   excititor-batch-validation:
     needs: build-test
     if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.event.inputs.excititor_batch == 'true')
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     env:
       BATCH_RESULTS_DIR: ${{ github.workspace }}/artifacts/test-results/excititor-batch
     steps:
@@ -876,7 +876,7 @@ PY
           path: ${{ env.BATCH_RESULTS_DIR }}
 
   docs:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     env:
       DOCS_OUTPUT_DIR: ${{ github.workspace }}/artifacts/docs-site
     steps:
@@ -906,7 +906,7 @@ PY
           retention-days: 7
 
   scanner-perf:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     needs: build-test
     env:
       BENCH_DIR: src/Bench/StellaOps.Bench/Scanner.Analyzers
@@ -987,7 +987,7 @@ PY
           retention-days: 7
 
   deploy:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     needs: [build-test, docs, scanner-perf]
     if: >-
       needs.build-test.result == 'success' &&
@@ -1160,7 +1160,7 @@ PY
           echo "   Ref: ${{ github.ref }}"
 
   notify-smoke:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     needs: deploy
     if: needs.deploy.result == 'success'
     env:
@@ -1202,3 +1202,4 @@ PY
 
       - name: Run Notify smoke validation
         run: dotnet run --project tools/NotifySmokeCheck/NotifySmokeCheck.csproj --configuration Release
+

.gitea/workflows/concelier-store-aoc-19-005.yml

@@ -5,7 +5,7 @@ on:
 
 jobs:
   build-dataset:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     env:
       ARTIFACT_DIR: ${{ github.workspace }}/out/linksets
     steps:
@@ -30,3 +30,4 @@ jobs:
           path: |
             ${ARTIFACT_DIR}/linksets-stage-backfill.tar.zst
             ${ARTIFACT_DIR}/linksets-stage-backfill.tar.zst.sha256
+

.gitea/workflows/connector-fixture-drift.yml

@@ -32,7 +32,7 @@ env:
 
 jobs:
   detect-drift:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     permissions:
       contents: write
       pull-requests: write
@@ -124,7 +124,7 @@ jobs:
   create-pr:
     needs: detect-drift
     if: needs.detect-drift.outputs.has_drift == 'true' && (github.event.inputs.create_pr == 'true' || github.event_name == 'schedule')
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     permissions:
       contents: write
       pull-requests: write
@@ -245,3 +245,4 @@ This commit was auto-generated by the connector-fixture-drift workflow.
               issue_number: pr.number,
               labels: ['automated', 'fixtures', 'schema-drift']
             });
+

.gitea/workflows/crypto-compliance.yml

@@ -17,7 +17,7 @@ on:
 
 jobs:
   crypto-audit:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     env:
       DOTNET_NOLOGO: 1
       DOTNET_CLI_TELEMETRY_OPTOUT: 1
@@ -42,3 +42,4 @@ jobs:
           path: |
             scripts/audit-crypto-usage.ps1
           retention-days: 30
+

.gitea/workflows/dead-path-detection.yml

@@ -49,7 +49,7 @@ jobs:
 
   detect:
     name: Detect Dead Paths
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     outputs:
       has-new-dead-paths: ${{ steps.check.outputs.has_new_dead_paths }}
       new-dead-path-count: ${{ steps.check.outputs.new_count }}
@@ -354,7 +354,7 @@ jobs:
     name: Post Report
     needs: detect
     if: github.event_name == 'pull_request' && always()
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     permissions:
       pull-requests: write
     steps:
@@ -436,3 +436,4 @@ jobs:
                 body: body
               });
             }
+

.gitea/workflows/deploy-keyless-verify.yml

@@ -38,7 +38,7 @@ env:
 
 jobs:
   pre-flight:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     outputs:
       identity-pattern: ${{ steps.config.outputs.identity-pattern }}
 
@@ -61,7 +61,7 @@ jobs:
 
   verify-attestations:
     needs: pre-flight
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     permissions:
       contents: read
 
@@ -123,7 +123,7 @@ jobs:
 
   verify-provenance:
     needs: pre-flight
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     permissions:
       contents: read
 
@@ -160,7 +160,7 @@ jobs:
 
   create-audit-entry:
     needs: [verify-attestations, verify-provenance]
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
 
     steps:
       - name: Install StellaOps CLI
@@ -183,7 +183,7 @@ jobs:
 
   approve-deployment:
     needs: [verify-attestations, verify-provenance, create-audit-entry]
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     environment: ${{ github.event.inputs.environment }}
 
     steps:
@@ -202,3 +202,4 @@ jobs:
 
           Deployment can now proceed.
           EOF
+

.gitea/workflows/determinism-gate.yml

@@ -48,7 +48,7 @@ jobs:
   # ===========================================================================
   schema-validation:
     name: Schema Validation
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     if: github.event.inputs.skip_schema_validation != 'true'
     timeout-minutes: 10
 
@@ -128,7 +128,7 @@ jobs:
     needs: [schema-validation]
     if: always() && (needs.schema-validation.result == 'success' || needs.schema-validation.result == 'skipped')
     name: Determinism Validation
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     timeout-minutes: 30
 
     outputs:
@@ -243,7 +243,7 @@ jobs:
   # ===========================================================================
   update-baselines:
     name: Update Baselines
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     needs: [schema-validation, determinism-gate]
     if: github.event_name == 'workflow_dispatch' && github.event.inputs.update_baselines == 'true'
 
@@ -293,7 +293,7 @@ jobs:
   # ===========================================================================
   drift-check:
     name: Drift Detection Gate
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     needs: [schema-validation, determinism-gate]
     if: always()
 
@@ -328,3 +328,4 @@ jobs:
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "Schema Validation: ${{ needs.schema-validation.result || 'skipped' }}" >> $GITHUB_STEP_SUMMARY
           echo "Determinism Status: ${{ needs.determinism-gate.outputs.status || 'pass' }}" >> $GITHUB_STEP_SUMMARY
+

.gitea/workflows/docs.yml

@@ -22,7 +22,7 @@ env:
 
 jobs:
   lint-and-preview:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     env:
       DOCS_OUTPUT_DIR: ${{ github.workspace }}/artifacts/docs-preview
     steps:
@@ -99,3 +99,4 @@ jobs:
           name: feedser-docs-preview
           path: ${{ env.DOCS_OUTPUT_DIR }}
           retention-days: 7
+

.gitea/workflows/epss-ingest-perf.yml

@@ -40,7 +40,7 @@ on:
 
 jobs:
   perf:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     env:
       DOTNET_NOLOGO: 1
       DOTNET_CLI_TELEMETRY_OPTOUT: 1
@@ -96,3 +96,4 @@ jobs:
           path: |
             bench/results/epss-ingest-perf-${{ github.sha }}.json
           retention-days: 90
+

.gitea/workflows/export-ci.yml

@@ -18,7 +18,7 @@ on:
 
 jobs:
   export-ci:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     env:
       DOTNET_VERSION: '10.0.100'
       MINIO_ACCESS_KEY: exportci
@@ -83,3 +83,4 @@ jobs:
       - name: Teardown MinIO
         if: always()
         run: docker compose -f devops/export/minio-compose.yml down -v
+

.gitea/workflows/findings-ledger-ci.yml

@@ -26,7 +26,7 @@ env:
 
 jobs:
   build-test:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     env:
       TEST_RESULTS_DIR: ${{ github.workspace }}/artifacts/test-results
     steps:
@@ -68,7 +68,7 @@ jobs:
           path: ${{ env.TEST_RESULTS_DIR }}
 
   migration-validation:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     services:
       postgres:
         image: postgres:16-alpine
@@ -228,7 +228,7 @@ jobs:
           echo "✓ Migration is idempotent"
 
   generate-manifest:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     needs: [build-test, migration-validation]
     steps:
       - name: Checkout repository
@@ -323,3 +323,4 @@ jobs:
           name: findings-ledger-migrations
           path: out/findings-ledger/
           if-no-files-found: error
+

.gitea/workflows/icscisa-kisa-refresh.yml

@@ -18,7 +18,7 @@ on:
 
 jobs:
   refresh:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     permissions:
       contents: read
     env:
@@ -66,3 +66,4 @@ jobs:
           path: out/feeds/icscisa-kisa/${{ steps.meta.outputs.run_date }}
           if-no-files-found: error
           retention-days: 21
+

.gitea/workflows/interop-e2e.yml

@@ -15,7 +15,7 @@ env:
 
 jobs:
   interop-tests:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     strategy:
       fail-fast: false
       matrix:
@@ -96,7 +96,7 @@ jobs:
           fi
 
   summary:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     needs: interop-tests
     if: always()
 
@@ -126,3 +126,4 @@ jobs:
             fi
             echo "| ${format} | ${STATUS} |" >> $GITHUB_STEP_SUMMARY
           done
+

.gitea/workflows/ledger-oas-ci.yml

@@ -13,7 +13,7 @@ on:
 
 jobs:
   validate-oas:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -44,7 +44,7 @@ jobs:
           if-no-files-found: warn
 
   check-wellknown:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     needs: validate-oas
     steps:
       - name: Checkout
@@ -64,7 +64,7 @@ jobs:
           fi
 
   deprecation-check:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     needs: validate-oas
     steps:
       - name: Checkout
@@ -79,3 +79,4 @@ jobs:
           else
             echo "[info] No deprecation policy yet (OK for initial setup)"
           fi
+

.gitea/workflows/ledger-packs-ci.yml

@@ -18,7 +18,7 @@ on:
 
 jobs:
   build-pack:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     env:
       COSIGN_PRIVATE_KEY_B64: ${{ secrets.COSIGN_PRIVATE_KEY_B64 }}
     steps:
@@ -71,7 +71,7 @@ jobs:
           retention-days: 30
 
   verify-pack:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     needs: build-pack
     steps:
       - name: Checkout
@@ -99,3 +99,4 @@ jobs:
               fi
             fi
           done
+

.gitea/workflows/license-audit.yml

@@ -35,7 +35,7 @@ on:
 jobs:
   nuget-license-audit:
     name: NuGet License Audit
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     env:
       DOTNET_NOLOGO: 1
       DOTNET_CLI_TELEMETRY_OPTOUT: 1
@@ -94,7 +94,7 @@ jobs:
 
   npm-license-audit:
     name: npm License Audit
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -142,7 +142,7 @@ jobs:
 
   vendored-license-check:
     name: Vendored Components Check
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -207,7 +207,7 @@ jobs:
 
   license-compatibility-check:
     name: License Compatibility Check
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     needs: [nuget-license-audit, npm-license-audit]
     steps:
       - name: Checkout
@@ -297,3 +297,4 @@ jobs:
           name: license-audit-summary
           path: out/combined
           retention-days: 90
+

.gitea/workflows/lighthouse-ci.yml

@@ -26,7 +26,7 @@ env:
 jobs:
   lighthouse:
     name: Lighthouse Audit
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     defaults:
       run:
         working-directory: src/Web/StellaOps.Web
@@ -145,7 +145,7 @@ jobs:
 
   axe-accessibility:
     name: Axe Accessibility Audit
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     defaults:
       run:
         working-directory: src/Web/StellaOps.Web
@@ -186,3 +186,4 @@ jobs:
           name: axe-accessibility-results
           path: src/Web/StellaOps.Web/test-results/
           retention-days: 30
+

.gitea/workflows/lnm-backfill.yml

@@ -19,7 +19,7 @@ on:
 
 jobs:
   lnm-backfill:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     env:
       DOTNET_VERSION: '10.0.100'
       ARTIFACT_DIR: ${{ github.workspace }}/.artifacts
@@ -62,3 +62,4 @@ jobs:
         with:
           name: lnm-backfill-artifacts
           path: ${{ env.ARTIFACT_DIR }}
+

.gitea/workflows/lnm-migration-ci.yml

@@ -15,7 +15,7 @@ on:
 
 jobs:
   build-runner:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -60,7 +60,7 @@ jobs:
           if-no-files-found: warn
 
   validate-metrics:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     needs: build-runner
     steps:
       - name: Checkout
@@ -81,3 +81,4 @@ jobs:
           fi
 
           echo "Monitoring config validation complete"
+

.gitea/workflows/lnm-vex-backfill.yml

@@ -23,7 +23,7 @@ on:
 
 jobs:
   vex-backfill:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     env:
       DOTNET_VERSION: '10.0.100'
       ARTIFACT_DIR: ${{ github.workspace }}/.artifacts
@@ -61,3 +61,4 @@ jobs:
         with:
           name: lnm-vex-backfill-artifacts
           path: ${{ env.ARTIFACT_DIR }}
+

.gitea/workflows/migration-test.yml

@@ -69,7 +69,7 @@ jobs:
 
   discover:
     name: Discover Migrations
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     outputs:
       modules: ${{ steps.find.outputs.modules }}
       module_count: ${{ steps.find.outputs.count }}
@@ -119,7 +119,7 @@ jobs:
 
   forward-migrations:
     name: Forward Migration
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     timeout-minutes: 30
     needs: discover
     if: needs.discover.outputs.module_count != '0'
@@ -246,7 +246,7 @@ jobs:
 
   rollback-migrations:
     name: Rollback Migration
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     timeout-minutes: 30
     needs: [discover, forward-migrations]
     if: |
@@ -371,7 +371,7 @@ jobs:
 
   idempotency:
     name: Idempotency Test
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     timeout-minutes: 20
     needs: [discover, forward-migrations]
     if: |
@@ -490,7 +490,7 @@ jobs:
 
   summary:
     name: Migration Summary
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     needs: [discover, forward-migrations, rollback-migrations, idempotency]
     if: always()
     steps:
@@ -510,3 +510,4 @@ jobs:
       - name: Check for failures
         if: contains(needs.*.result, 'failure')
         run: exit 1
+

.gitea/workflows/mirror-sign.yml

@@ -7,7 +7,7 @@ on:
 
 jobs:
   mirror-sign:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     env:
       MIRROR_SIGN_KEY_B64: ${{ secrets.MIRROR_SIGN_KEY_B64 }}
       REQUIRE_PROD_SIGNING: 1
@@ -72,3 +72,4 @@ jobs:
             out/mirror/thin/export-center/schedule-response.json
           if-no-files-found: error
           retention-days: 14
+

.gitea/workflows/module-publish.yml

@@ -59,7 +59,7 @@ jobs:
 
   parse-tag:
     name: Parse Tag
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     if: github.event_name == 'push'
     outputs:
       module: ${{ steps.parse.outputs.module }}
@@ -90,7 +90,7 @@ jobs:
 
   validate:
     name: Validate Inputs
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     needs: [parse-tag]
     if: always() && (needs.parse-tag.result == 'success' || needs.parse-tag.result == 'skipped')
     outputs:
@@ -139,7 +139,7 @@ jobs:
 
   publish-nuget:
     name: Publish NuGet
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     needs: [validate]
     if: needs.validate.outputs.publish_nuget == 'true'
     steps:
@@ -251,7 +251,7 @@ jobs:
 
   publish-container:
     name: Publish Container
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     needs: [validate]
     if: needs.validate.outputs.publish_container == 'true' && needs.validate.outputs.module != 'CLI'
     steps:
@@ -310,7 +310,7 @@ jobs:
 
   publish-cli:
     name: Publish CLI (${{ matrix.runtime }})
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     needs: [validate]
     if: needs.validate.outputs.module == 'CLI'
     strategy:
@@ -378,7 +378,7 @@ jobs:
 
   summary:
     name: Publish Summary
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     needs: [validate, publish-nuget, publish-container, publish-cli]
     if: always()
     steps:
@@ -403,3 +403,4 @@ jobs:
         run: |
           echo "::error::One or more publish jobs failed"
           exit 1
+

.gitea/workflows/nightly-regression.yml

@@ -47,7 +47,7 @@ jobs:
 
   prepare:
     name: Prepare Nightly Run
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     outputs:
       run_id: ${{ steps.metadata.outputs.run_id }}
       run_date: ${{ steps.metadata.outputs.run_date }}
@@ -88,7 +88,7 @@ jobs:
 
   build:
     name: Full Build
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     timeout-minutes: 30
     needs: prepare
     steps:
@@ -126,7 +126,7 @@ jobs:
 
   test-pr-gating:
     name: PR-Gating Tests
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     timeout-minutes: 45
     needs: build
     services:
@@ -184,7 +184,7 @@ jobs:
 
   test-extended:
     name: Extended Tests
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     timeout-minutes: 60
     needs: build
     if: github.event.inputs.skip_performance != 'true'
@@ -227,7 +227,7 @@ jobs:
 
   determinism:
     name: Determinism Verification
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     timeout-minutes: 45
     needs: build
     if: github.event.inputs.skip_determinism != 'true'
@@ -289,7 +289,7 @@ jobs:
 
   cross-module:
     name: Cross-Module Validation
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     timeout-minutes: 30
     needs: build
     steps:
@@ -341,7 +341,7 @@ jobs:
 
   coverage:
     name: Code Coverage
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     timeout-minutes: 45
     needs: build
     services:
@@ -415,7 +415,7 @@ jobs:
 
   summary:
     name: Nightly Summary
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     needs:
       - prepare
       - build
@@ -483,3 +483,4 @@ jobs:
       - name: Exit with appropriate code
         if: steps.status.outputs.status == 'failure'
         run: exit 1
+

.gitea/workflows/offline-e2e.yml

@@ -16,7 +16,7 @@ env:
 
 jobs:
   offline-e2e:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
 
     steps:
       - name: Checkout
@@ -82,7 +82,7 @@ jobs:
           path: ./results/
 
   verify-isolation:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     needs: offline-e2e
     if: always()
 
@@ -119,3 +119,4 @@ jobs:
           else
             echo "⚠️ No test results found" >> $GITHUB_STEP_SUMMARY
           fi
+

.gitea/workflows/policy-lint.yml

@@ -17,7 +17,7 @@ on:
 
 jobs:
   policy-lint:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     env:
       DOTNET_NOLOGO: 1
       DOTNET_CLI_TELEMETRY_OPTOUT: 1
@@ -68,3 +68,4 @@ jobs:
           name: policy-lint
           path: out/policy-lint
           retention-days: 7
+

.gitea/workflows/policy-simulate.yml

@@ -17,7 +17,7 @@ on:
 
 jobs:
   policy-simulate:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     env:
       DOTNET_NOLOGO: 1
       DOTNET_CLI_TELEMETRY_OPTOUT: 1
@@ -87,3 +87,4 @@ jobs:
           name: policy-signing
           path: out/policy-sign
           retention-days: 7
+

.gitea/workflows/promote.yml

@@ -19,7 +19,7 @@ on:
 
 jobs:
   promote:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     environment: production
     steps:
       - name: Checkout repository
@@ -207,3 +207,4 @@ jobs:
           else
             echo "   Docs: skipped"
           fi
+

.gitea/workflows/reachability-bench.yaml

@@ -34,7 +34,7 @@ on:
 
 jobs:
   benchmark:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     env:
       DOTNET_NOLOGO: 1
       DOTNET_CLI_TELEMETRY_OPTOUT: 1
@@ -242,7 +242,7 @@ jobs:
   update-baseline:
     needs: benchmark
     if: github.event_name == 'push' && github.ref == 'refs/heads/main' && needs.benchmark.outputs.regression != 'true'
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -263,7 +263,7 @@ jobs:
   notify-pr:
     needs: benchmark
     if: github.event_name == 'pull_request'
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     permissions:
       pull-requests: write
     steps:
@@ -304,3 +304,4 @@ jobs:
               repo: context.repo.repo,
               body: body
             });
+

.gitea/workflows/reachability-corpus-ci.yml

@@ -20,7 +20,7 @@ on:
 
 jobs:
   validate-corpus:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     env:
       DOTNET_NOLOGO: 1
       DOTNET_CLI_TELEMETRY_OPTOUT: 1
@@ -136,7 +136,7 @@ jobs:
           retention-days: 14
 
   validate-ground-truths:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     env:
       TZ: UTC
     steps:
@@ -205,7 +205,7 @@ jobs:
           EOF
 
   determinism-check:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     env:
       TZ: UTC
     needs: validate-corpus
@@ -265,3 +265,4 @@ jobs:
 
           print(f"Checked {len(json_files)} JSON files")
           EOF
+

.gitea/workflows/release-keyless-sign.yml

@@ -37,7 +37,7 @@ env:
 
 jobs:
   sign-images:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     permissions:
       id-token: write
       contents: read
@@ -170,7 +170,7 @@ jobs:
             --registry "stellaops/gateway"
 
   sign-binaries:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     permissions:
       id-token: write
       contents: read
@@ -329,7 +329,7 @@ jobs:
 
   verify-signatures:
     needs: [sign-images, sign-binaries]
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     permissions:
       contents: read
       packages: read
@@ -397,3 +397,4 @@ jobs:
             --certificate-oidc-issuer "https://git.stella-ops.org"
           \`\`\`
           EOF
+

.gitea/workflows/release-suite.yml

@@ -50,7 +50,7 @@ jobs:
 
   parse-tag:
     name: Parse Tag
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     if: github.event_name == 'push'
     outputs:
       version: ${{ steps.parse.outputs.version }}
@@ -89,7 +89,7 @@ jobs:
 
   validate:
     name: Validate Release
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     needs: [parse-tag]
     if: always() && (needs.parse-tag.result == 'success' || needs.parse-tag.result == 'skipped')
     outputs:
@@ -150,7 +150,7 @@ jobs:
 
   test-gate:
     name: Test Gate
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     needs: [validate]
     if: github.event.inputs.skip_tests != 'true'
     steps:
@@ -192,7 +192,7 @@ jobs:
 
   build-modules:
     name: Build ${{ matrix.module }}
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     needs: [validate, test-gate]
     if: always() && needs.validate.result == 'success' && (needs.test-gate.result == 'success' || needs.test-gate.result == 'skipped')
     strategy:
@@ -293,7 +293,7 @@ jobs:
 
   build-containers:
     name: Container ${{ matrix.module }}
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     needs: [validate, build-modules]
     if: needs.validate.outputs.dry_run != 'true'
     strategy:
@@ -351,7 +351,7 @@ jobs:
 
   build-cli:
     name: CLI (${{ matrix.runtime }})
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     needs: [validate, test-gate]
     if: always() && needs.validate.result == 'success' && (needs.test-gate.result == 'success' || needs.test-gate.result == 'skipped')
     strategy:
@@ -421,7 +421,7 @@ jobs:
 
   build-helm:
     name: Helm Chart
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     needs: [validate]
     steps:
       - name: Checkout
@@ -459,7 +459,7 @@ jobs:
 
   release-manifest:
     name: Release Manifest
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     needs: [validate, build-modules, build-cli, build-helm]
     if: always() && needs.validate.result == 'success'
     steps:
@@ -538,7 +538,7 @@ jobs:
 
   generate-changelog:
     name: Generate Changelog
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     needs: [validate, build-modules]
     if: always() && needs.validate.result == 'success'
     steps:
@@ -595,7 +595,7 @@ jobs:
 
   generate-suite-docs:
     name: Generate Suite Docs
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     needs: [validate, generate-changelog, release-manifest]
     if: always() && needs.validate.result == 'success'
     steps:
@@ -658,7 +658,7 @@ jobs:
 
   generate-compose:
     name: Generate Docker Compose
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     needs: [validate, release-manifest]
     if: always() && needs.validate.result == 'success'
     steps:
@@ -704,7 +704,7 @@ jobs:
 
   commit-docs:
     name: Commit Documentation
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     needs: [validate, generate-suite-docs, generate-compose, create-release]
     if: needs.validate.outputs.dry_run != 'true' && needs.create-release.result == 'success'
     steps:
@@ -765,7 +765,7 @@ jobs:
 
   create-release:
     name: Create Gitea Release
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     needs: [validate, build-modules, build-containers, build-cli, build-helm, release-manifest]
     if: needs.validate.outputs.dry_run != 'true'
     steps:
@@ -877,7 +877,7 @@ jobs:
 
   summary:
     name: Release Summary
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     needs: [validate, build-modules, build-containers, build-cli, build-helm, release-manifest, generate-changelog, generate-suite-docs, generate-compose, create-release, commit-docs]
     if: always()
     steps:
@@ -912,3 +912,4 @@ jobs:
         run: |
           echo "::error::One or more release jobs failed"
           exit 1
+

.gitea/workflows/release.yml

@@ -34,7 +34,7 @@ on:
 
 jobs:
   build-release:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     env:
       DOTNET_VERSION: '10.0.100'
       REGISTRY: registry.stella-ops.org
@@ -249,3 +249,4 @@ jobs:
           name: stellaops-debug-${{ steps.meta.outputs.version }}
           path: out/release/debug
           if-no-files-found: error
+

.gitea/workflows/replay-verification.yml

@@ -1,4 +1,4 @@
-name: Replay Verification
+name: Replay Verification
 
 on:
   pull_request:
@@ -11,7 +11,7 @@ on:
 
 jobs:
   replay-verification:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     steps:
       - uses: actions/checkout@v4
 
@@ -37,3 +37,4 @@ jobs:
         with:
           name: replay-diff-report
           path: results/diff-report.json
+

.gitea/workflows/risk-bundle-ci.yml

@@ -30,7 +30,7 @@ on:
 
 jobs:
   risk-bundle-build:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     env:
       DOTNET_VERSION: '10.0.100'
       ARTIFACT_DIR: ${{ github.workspace }}/.artifacts
@@ -101,7 +101,7 @@ jobs:
           path: ${{ env.ARTIFACT_DIR }}/*.trx
 
   risk-bundle-offline-kit:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     needs: risk-bundle-build
     env:
       ARTIFACT_DIR: ${{ github.workspace }}/.artifacts
@@ -156,7 +156,7 @@ jobs:
           path: ${{ env.OFFLINE_KIT_DIR }}
 
   publish-checksums:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     needs: risk-bundle-build
     if: github.ref == 'refs/heads/main' && (github.event_name == 'push' || github.event.inputs.publish_checksums == 'true')
     env:
@@ -196,3 +196,4 @@ jobs:
         with:
           name: risk-bundle-published-checksums
           path: out/checksums/risk-bundle/
+

.gitea/workflows/rollback-lag.yml

@@ -60,7 +60,7 @@ jobs:
 
   preflight:
     name: Pre-Flight Checks
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     environment: ${{ inputs.environment || 'staging' }}
     outputs:
       current-version: ${{ steps.current.outputs.version }}
@@ -173,7 +173,7 @@ jobs:
     name: Measure Rollback Lag
     needs: preflight
     if: needs.preflight.outputs.can-rollback == 'true'
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     environment: ${{ inputs.environment || 'staging' }}
     outputs:
       rollback-time: ${{ steps.timing.outputs.rollback_time }}
@@ -328,7 +328,7 @@ jobs:
     name: Generate Report
     needs: [preflight, measure]
     if: always() && needs.preflight.result == 'success'
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     steps:
       - name: Generate Report
         run: |
@@ -401,3 +401,4 @@ jobs:
           SLO_SECONDS="${{ inputs.rollback_slo_seconds || 300 }}"
           echo "::error::Rollback took ${TOTAL_LAG}s, exceeds SLO of ${SLO_SECONDS}s"
           exit 1
+

.gitea/workflows/router-chaos.yml

@@ -33,7 +33,7 @@ env:
 
 jobs:
   load-tests:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     timeout-minutes: 30
 
     services:
@@ -139,7 +139,7 @@ jobs:
           fi
 
   chaos-unit-tests:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     timeout-minutes: 20
     needs: load-tests
     if: always()
@@ -198,7 +198,7 @@ jobs:
           retention-days: 30
 
   valkey-failure-tests:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     timeout-minutes: 20
     needs: load-tests
     if: ${{ github.event.inputs.run_valkey_tests != 'false' }}
@@ -235,7 +235,7 @@ jobs:
           path: results/
 
   analyze-results:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     needs: [load-tests, chaos-unit-tests]
     if: always()
 
@@ -304,3 +304,4 @@ jobs:
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "### Thresholds" >> $GITHUB_STEP_SUMMARY
           echo "- Status: ${{ steps.analysis.outputs.thresholds_passed == 'true' && 'PASSED' || 'FAILED' }}" >> $GITHUB_STEP_SUMMARY
+

.gitea/workflows/sast-scan.yml

@@ -74,7 +74,7 @@ jobs:
 
   sast-scan:
     name: SAST Analysis
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     timeout-minutes: 30
     permissions:
       security-events: write
@@ -197,7 +197,7 @@ jobs:
 
   dotnet-security:
     name: .NET Security Analysis
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     timeout-minutes: 20
     steps:
       - name: Checkout
@@ -257,7 +257,7 @@ jobs:
 
   dependency-check:
     name: Dependency Vulnerabilities
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     timeout-minutes: 15
     steps:
       - name: Checkout
@@ -308,7 +308,7 @@ jobs:
 
   dockerfile-lint:
     name: Dockerfile Security
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     timeout-minutes: 10
     steps:
       - name: Checkout
@@ -362,7 +362,7 @@ jobs:
 
   summary:
     name: SAST Summary
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     needs: [sast-scan, dotnet-security, dependency-check, dockerfile-lint]
     if: always()
     steps:
@@ -384,3 +384,4 @@ jobs:
            needs.dotnet-security.result == 'failure' ||
            needs.dependency-check.result == 'failure')
         run: exit 1
+

.gitea/workflows/schema-evolution.yml

@@ -53,7 +53,7 @@ jobs:
 
   discover:
     name: Discover Changed Modules
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     outputs:
       modules: ${{ steps.detect.outputs.modules }}
       has-schema-changes: ${{ steps.detect.outputs.has_changes }}
@@ -126,7 +126,7 @@ jobs:
     name: Test ${{ matrix.module }} (Schema ${{ matrix.schema-version }})
     needs: discover
     if: needs.discover.outputs.has-schema-changes == 'true' || github.event_name == 'workflow_dispatch'
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     strategy:
       fail-fast: false
       matrix:
@@ -275,7 +275,7 @@ jobs:
     name: Generate Compatibility Report
     needs: [discover, test]
     if: always() && needs.discover.outputs.has-schema-changes == 'true'
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     steps:
       - name: Download All Results
         uses: actions/download-artifact@v4
@@ -337,7 +337,7 @@ jobs:
     name: Post Report to PR
     needs: [discover, test, report]
     if: github.event_name == 'pull_request' && always()
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     permissions:
       pull-requests: write
     steps:
@@ -416,3 +416,4 @@ jobs:
                 body: body
               });
             }
+

.gitea/workflows/sdk-publish.yml

@@ -17,7 +17,7 @@ on:
 
 jobs:
   sdk-publish:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     env:
       DOTNET_NOLOGO: 1
       DOTNET_CLI_TELEMETRY_OPTOUT: 1
@@ -89,3 +89,4 @@ jobs:
             .nuget/packages/*.nupkg
           if-no-files-found: warn
           retention-days: 7
+

.gitea/workflows/secrets-bundle-release.yml

@@ -47,7 +47,7 @@ jobs:
 
   validate:
     name: Validate Inputs
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     outputs:
       version: ${{ steps.resolve.outputs.version }}
       sign_bundle: ${{ steps.resolve.outputs.sign_bundle }}
@@ -95,7 +95,7 @@ jobs:
 
   build-bundle:
     name: Build Secrets Bundle
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     needs: [validate]
     steps:
       - name: Checkout
@@ -201,7 +201,7 @@ jobs:
 
   sign-bundle:
     name: Sign Secrets Bundle
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     needs: [validate, build-bundle]
     if: needs.validate.outputs.sign_bundle == 'true'
     steps:
@@ -305,7 +305,7 @@ jobs:
 
   package-offline-kit:
     name: Package for Offline Kit
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     needs: [validate, build-bundle, sign-bundle]
     if: always() && needs.build-bundle.result == 'success' && needs.validate.outputs.include_in_kit == 'true'
     steps:
@@ -357,7 +357,7 @@ jobs:
 
   publish:
     name: Publish Bundle
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     needs: [validate, sign-bundle, package-offline-kit]
     if: needs.validate.outputs.dry_run != 'true' && needs.sign-bundle.result == 'success'
     steps:
@@ -478,7 +478,7 @@ jobs:
 
   summary:
     name: Build Summary
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     needs: [validate, build-bundle, sign-bundle, package-offline-kit, publish]
     if: always()
     steps:
@@ -501,3 +501,4 @@ jobs:
           echo "| Sign Bundle | ${{ needs.sign-bundle.result || 'skipped' }} |" >> $GITHUB_STEP_SUMMARY
           echo "| Package Offline Kit | ${{ needs.package-offline-kit.result || 'skipped' }} |" >> $GITHUB_STEP_SUMMARY
           echo "| Publish | ${{ needs.publish.result || 'skipped' }} |" >> $GITHUB_STEP_SUMMARY
+

.gitea/workflows/signals-ci.yml

@@ -19,7 +19,7 @@ on:
 
 jobs:
   signals-ci:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     env:
       DOTNET_NOLOGO: 1
       DOTNET_CLI_TELEMETRY_OPTOUT: 1
@@ -73,3 +73,4 @@ jobs:
             out/signals
             out/signals/signals-image.tar
           retention-days: 7
+

.gitea/workflows/signals-dsse-sign.yml

@@ -22,7 +22,7 @@ on:
 
 jobs:
   sign-signals-artifacts:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     env:
       COSIGN_PRIVATE_KEY_B64: ${{ secrets.COSIGN_PRIVATE_KEY_B64 }}
       COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
@@ -120,7 +120,7 @@ jobs:
           echo "Artifacts available as workflow artifact for manual ingestion"
 
   verify-signatures:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     needs: sign-signals-artifacts
     steps:
       - name: Checkout
@@ -181,3 +181,4 @@ jobs:
           done
           echo "" >> "$GITHUB_STEP_SUMMARY"
           echo "Run ID: ${{ github.run_number }}" >> "$GITHUB_STEP_SUMMARY"
+

.gitea/workflows/signals-reachability.yml

@@ -21,7 +21,7 @@ on:
 
 jobs:
   reachability-smoke:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     env:
       DOTNET_NOLOGO: 1
       DOTNET_CLI_TELEMETRY_OPTOUT: 1
@@ -54,7 +54,7 @@ jobs:
           scripts/signals/reachability-smoke.sh
 
   sign-and-upload:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     needs: reachability-smoke
     env:
       COSIGN_PRIVATE_KEY_B64: ${{ secrets.COSIGN_PRIVATE_KEY_B64 }}
@@ -125,3 +125,4 @@ jobs:
         if: ${{ env.CI_EVIDENCE_LOCKER_TOKEN == '' || env.EVIDENCE_LOCKER_URL == '' }}
         run: |
           echo "::notice::Evidence Locker upload skipped (CI_EVIDENCE_LOCKER_TOKEN or EVIDENCE_LOCKER_URL not set)"
+

.gitea/workflows/symbols-ci.yml

@@ -17,7 +17,7 @@ on:
 
 jobs:
   symbols-smoke:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     env:
       ARTIFACT_DIR: ${{ github.workspace }}/artifacts/symbols-ci
     steps:
@@ -45,3 +45,4 @@ jobs:
           name: symbols-ci
           path: ${{ env.ARTIFACT_DIR }}
           retention-days: 7
+

.gitea/workflows/symbols-release.yml

@@ -8,7 +8,7 @@ on:
 
 jobs:
   symbols-release-smoke:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     env:
       ARTIFACT_DIR: ${{ github.workspace }}/artifacts/symbols-release
     steps:
@@ -39,3 +39,4 @@ jobs:
           name: symbols-release
           path: ${{ env.ARTIFACT_DIR }}
           retention-days: 14
+

.gitea/workflows/test-blast-radius.yml

@@ -39,7 +39,7 @@ jobs:
 
   validate:
     name: Validate Annotations
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     outputs:
       has-violations: ${{ steps.validate.outputs.has_violations }}
       violation-count: ${{ steps.validate.outputs.violation_count }}
@@ -205,7 +205,7 @@ jobs:
     name: Post Report
     needs: validate
     if: github.event_name == 'pull_request' && needs.validate.outputs.has-violations == 'true'
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     permissions:
       pull-requests: write
     steps:
@@ -253,3 +253,4 @@ jobs:
               issue_number: context.issue.number,
               body: body
             });
+

.gitea/workflows/test-infrastructure.yml

@@ -45,7 +45,7 @@ jobs:
 
   detect-changes:
     name: Detect Changes
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     outputs:
       has-test-changes: ${{ steps.changes.outputs.tests }}
       has-schema-changes: ${{ steps.changes.outputs.schema }}
@@ -109,7 +109,7 @@ jobs:
     name: Blast-Radius Validation
     needs: detect-changes
     if: needs.detect-changes.outputs.has-test-changes == 'true' || inputs.run_all == true || github.event_name == 'schedule'
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     outputs:
       status: ${{ steps.validate.outputs.status }}
       violations: ${{ steps.validate.outputs.violation_count }}
@@ -156,7 +156,7 @@ jobs:
     name: Dead-Path Detection
     needs: detect-changes
     if: needs.detect-changes.outputs.has-code-changes == 'true' || inputs.run_all == true || github.event_name == 'schedule'
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     outputs:
       status: ${{ steps.detect.outputs.status }}
       new-paths: ${{ steps.detect.outputs.new_paths }}
@@ -213,7 +213,7 @@ jobs:
     name: Schema Evolution Check
     needs: detect-changes
     if: needs.detect-changes.outputs.has-schema-changes == 'true' || inputs.run_all == true
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     services:
       postgres:
         image: postgres:16-alpine
@@ -274,7 +274,7 @@ jobs:
     name: Config-Diff Check
     needs: detect-changes
     if: needs.detect-changes.outputs.has-config-changes == 'true' || inputs.run_all == true
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     outputs:
       status: ${{ steps.test.outputs.status }}
       tested-configs: ${{ steps.test.outputs.tested }}
@@ -319,7 +319,7 @@ jobs:
     name: Generate Report
     needs: [detect-changes, blast-radius, dead-paths, schema-evolution, config-diff]
     if: always()
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     steps:
       - name: Generate Infrastructure Report
         run: |
@@ -417,7 +417,7 @@ jobs:
     name: Post PR Comment
     needs: [report, blast-radius, dead-paths, schema-evolution, config-diff]
     if: github.event_name == 'pull_request' && always()
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     permissions:
       pull-requests: write
     steps:
@@ -504,3 +504,4 @@ jobs:
                 body: body
               });
             }
+

.gitea/workflows/test-lanes.yml

@@ -38,7 +38,7 @@ jobs:
   # ===========================================================================
   unit-tests:
     name: Unit Tests
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     timeout-minutes: 15
     steps:
       - name: Checkout repository
@@ -79,7 +79,7 @@ jobs:
   # ===========================================================================
   architecture-tests:
     name: Architecture Tests
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     timeout-minutes: 10
     steps:
       - name: Checkout repository
@@ -121,7 +121,7 @@ jobs:
   # ===========================================================================
   contract-tests:
     name: Contract Tests
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     timeout-minutes: 10
     steps:
       - name: Checkout repository
@@ -162,7 +162,7 @@ jobs:
   # ===========================================================================
   integration-tests:
     name: Integration Tests
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     timeout-minutes: 30
     steps:
       - name: Checkout repository
@@ -205,7 +205,7 @@ jobs:
   # ===========================================================================
   security-tests:
     name: Security Tests
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     timeout-minutes: 20
     steps:
       - name: Checkout repository
@@ -246,7 +246,7 @@ jobs:
   # ===========================================================================
   performance-tests:
     name: Performance Tests
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.event.inputs.run_performance == 'true')
     timeout-minutes: 30
     steps:
@@ -288,7 +288,7 @@ jobs:
   # ===========================================================================
   live-tests:
     name: Live Tests (External Dependencies)
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     if: github.event_name == 'workflow_dispatch' && github.event.inputs.run_live == 'true'
     timeout-minutes: 20
     steps:
@@ -331,7 +331,7 @@ jobs:
   # ===========================================================================
   test-summary:
     name: Test Results Summary
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     needs: [unit-tests, architecture-tests, contract-tests, integration-tests, security-tests]
     if: always()
     steps:
@@ -356,3 +356,4 @@ jobs:
 
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "See individual job logs for detailed test output." >> $GITHUB_STEP_SUMMARY
+

.gitea/workflows/test-matrix.yml

@@ -73,7 +73,7 @@ jobs:
 
   discover:
     name: Discover Tests
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     outputs:
       test-projects: ${{ steps.find.outputs.projects }}
       test-count: ${{ steps.find.outputs.count }}
@@ -120,7 +120,7 @@ jobs:
 
   pr-gating-tests:
     name: ${{ matrix.category }} Tests
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     timeout-minutes: ${{ matrix.timeout }}
     needs: discover
     strategy:
@@ -178,7 +178,7 @@ jobs:
 
   integration:
     name: Integration Tests
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     timeout-minutes: 45
     needs: discover
     services:
@@ -229,7 +229,7 @@ jobs:
 
   extended-tests:
     name: ${{ matrix.category }} Tests
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     timeout-minutes: ${{ matrix.timeout }}
     needs: discover
     if: >-
@@ -321,7 +321,7 @@ jobs:
 
   summary:
     name: Test Summary
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     needs: [discover, pr-gating-tests, integration]
     if: always()
     steps:
@@ -372,3 +372,4 @@ jobs:
       - name: Check for failures
         if: contains(needs.*.result, 'failure')
         run: exit 1
+

.gitea/workflows/unknowns-budget-gate.yml

@@ -29,7 +29,7 @@ env:
 
 jobs:
   scan-and-check-budget:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
     permissions:
       contents: read
       pull-requests: write
@@ -197,3 +197,4 @@ jobs:
         if: steps.env.outputs.environment != 'prod' && steps.budget.outputs.exit_code == '2'
         run: |
           echo "::warning::Unknowns budget exceeded for ${{ steps.env.outputs.environment }}"
+

docs/implplan/permament/SPRINT_20251229_006_CICD_full_pipeline_validation.md

@@ -48,15 +48,16 @@
 | 14 | CICD-VAL-021 | TODO | CICD-VAL-020 | DevOps | Run test-matrix.yml with act (PR trigger). |
 | 15 | CICD-VAL-022 | TODO | CICD-VAL-021 | DevOps | Run build-test-deploy.yml with act (PR trigger). |
 | 16 | CICD-VAL-023 | TODO | CICD-VAL-022 | DevOps | Document act simulation results and gaps. |
+| 17 | CICD-VAL-024 | DONE | Runner labels available | DevOps | Align workflow runner labels with available Gitea runner pool (configurable Linux label). |
 
 ### Phase 4: Test Failure Remediation
 | # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
 | --- | --- | --- | --- | --- | --- |
-| 17 | CICD-VAL-030 | TODO | CICD-VAL-016 | DevOps | Fix test categorization (move integration tests from Unit). |
+| 18 | CICD-VAL-030 | TODO | CICD-VAL-016 | DevOps | Fix test categorization (move integration tests from Unit). |
-| 18 | CICD-VAL-031 | TODO | CICD-VAL-030 | DevOps | Fix PostgreSQL connection/fixture issues in tests. |
+| 19 | CICD-VAL-031 | TODO | CICD-VAL-030 | DevOps | Fix PostgreSQL connection/fixture issues in tests. |
-| 19 | CICD-VAL-032 | TODO | CICD-VAL-031 | DevOps | Fix golden fixture mismatches. |
+| 20 | CICD-VAL-032 | TODO | CICD-VAL-031 | DevOps | Fix golden fixture mismatches. |
-| 20 | CICD-VAL-033 | TODO | CICD-VAL-032 | DevOps | Fix remaining test failures (actual bugs). |
+| 21 | CICD-VAL-033 | TODO | CICD-VAL-032 | DevOps | Fix remaining test failures (actual bugs). |
-| 21 | CICD-VAL-034 | TODO | CICD-VAL-033 | DevOps | Re-run full test suite to verify all green. |
+| 22 | CICD-VAL-034 | TODO | CICD-VAL-033 | DevOps | Re-run full test suite to verify all green. |
 
 ## Execution Log
 | Date (UTC) | Update | Owner |
@@ -72,6 +73,10 @@
 | 2026-01-06 | BLOCKED: Act workflow simulation not yet run. Requires CI image build and further investigation of test categorization issues. | DevOps |
 | 2026-01-06 | SCOPE EXPANDED: Sprint amended to include Phase 2 (local test execution), Phase 3 (act simulation), Phase 4 (test remediation). | Planning |
 | 2026-01-06 | CICD-VAL-010 analysis: 137 passed, 85 failed, 10 aborted. Root cause: 133 PostgreSQL connection exhaustion errors. Many tests tagged "Unit" require DB. | DevOps |
+| 2026-01-07 | Updated workflows to use a configurable Linux runner label defaulting to ubuntu-latest to avoid runner label mismatches. | DevOps |
+| 2026-01-07 | Act dry-run for test-matrix (pr-gating-tests job only) progresses through discover and matrix setup; integration job still pending due to act service container handling. | DevOps |
+| 2026-01-07 | Local smoke build step exceeded 10 minutes and was stopped; unit-split 1-5 failed in AdvisoryAI due to stale build outputs, re-run `dotnet test` for AdvisoryAI passed (207 tests). | DevOps |
+| 2026-01-07 | Unit-split runs (projects 1-20) completed after AdvisoryAI rebuild; all 20 projects passed. | DevOps |
 
 ## Decisions & Risks
 - Risk: local CI steps drift from pipeline definitions; mitigate with scheduled doc sync.

docs/technical/testing/ci-quality-gates.md

@@ -93,7 +93,7 @@ Quality gates are integrated into the main CI workflow:
 # .gitea/workflows/build-test-deploy.yml
 
 quality-gates:
-  runs-on: ubuntu-22.04
+  runs-on: ${{ vars.LINUX_RUNNER_LABEL || 'ubuntu-latest' }}
   needs: build-test
   steps:
     - name: Reachability quality gate

src/Attestor/StellaOps.Attestor.Verify/AttestorVerificationEngine.cs

@@ -44,7 +44,7 @@ public sealed class AttestorVerificationEngine : IAttestorVerificationEngine
     {
         ArgumentNullException.ThrowIfNull(entry);
 
-        var signatureIssuer = await EvaluateSignatureAndIssuerAsync(entry, bundle, cancellationToken).ConfigureAwait(false);
+        var signatureIssuer = await EvaluateSignatureAndIssuerAsync(entry, bundle, evaluationTime, cancellationToken).ConfigureAwait(false);
         var freshness = EvaluateFreshness(entry, evaluationTime);
         var transparency = EvaluateTransparency(entry);
         var policy = EvaluatePolicy(entry, signatureIssuer.Signatures, signatureIssuer.Issuer, freshness, transparency, bundle is not null);
@@ -55,6 +55,7 @@ public sealed class AttestorVerificationEngine : IAttestorVerificationEngine
     private async Task<(SignatureEvaluationResult Signatures, IssuerEvaluationResult Issuer)> EvaluateSignatureAndIssuerAsync(
         AttestorEntry entry,
         AttestorSubmissionRequest.SubmissionBundle? bundle,
+        DateTimeOffset evaluationTime,
         CancellationToken cancellationToken)
     {
         var signatureIssues = new List<string>();
@@ -178,7 +179,7 @@ public sealed class AttestorVerificationEngine : IAttestorVerificationEngine
                 break;
 
             case "keyless":
-                var keylessResult = EvaluateKeylessSignature(entry, bundle, preAuth, signatureIssues, issuerIssues);
+                var keylessResult = EvaluateKeylessSignature(entry, bundle, preAuth, signatureIssues, issuerIssues, evaluationTime);
                 verifiedSignatures = keylessResult.VerifiedSignatures;
                 subjectAlternativeName = keylessResult.SubjectAlternativeName;
                 break;
@@ -270,7 +271,8 @@ public sealed class AttestorVerificationEngine : IAttestorVerificationEngine
         AttestorSubmissionRequest.SubmissionBundle bundle,
         byte[] preAuthEncoding,
         List<string> signatureIssues,
-        List<string> issuerIssues)
+        List<string> issuerIssues,
+        DateTimeOffset evaluationTime)
     {
         if (bundle.CertificateChain.Count == 0)
         {
@@ -296,46 +298,47 @@ public sealed class AttestorVerificationEngine : IAttestorVerificationEngine
         var leafCertificate = certificates[0];
         var subjectAltName = GetSubjectAlternativeNames(leafCertificate).FirstOrDefault();
 
-            if (_options.Security.SignerIdentity.FulcioRoots.Count > 0)
+        if (_options.Security.SignerIdentity.FulcioRoots.Count > 0)
+        {
+            using var chain = new X509Chain
             {
-                using var chain = new X509Chain
+                ChainPolicy =
-                {
-                    ChainPolicy =
                 {
                     RevocationMode = X509RevocationMode.NoCheck,
                     VerificationFlags = X509VerificationFlags.NoFlag,
-                    TrustMode = X509ChainTrustMode.CustomRootTrust
+                    TrustMode = X509ChainTrustMode.CustomRootTrust,
+                    VerificationTime = evaluationTime.UtcDateTime
                 }
             };
 
-                foreach (var rootPath in _options.Security.SignerIdentity.FulcioRoots)
+            foreach (var rootPath in _options.Security.SignerIdentity.FulcioRoots)
+            {
+                try
                 {
-                    try
+                    if (File.Exists(rootPath))
                     {
-                        if (File.Exists(rootPath))
+                        var rootCertificate = X509CertificateLoader.LoadCertificateFromFile(rootPath);
-                        {
+                        chain.ChainPolicy.CustomTrustStore.Add(rootCertificate);
-                            var rootCertificate = X509CertificateLoader.LoadCertificateFromFile(rootPath);
-                            chain.ChainPolicy.CustomTrustStore.Add(rootCertificate);
-                        }
-                    }
-                    catch (Exception ex)
-                    {
-                        _logger.LogWarning(ex, "Failed to load Fulcio root {Root}", rootPath);
                     }
                 }
-
+                catch (Exception ex)
-                for (var i = 1; i < certificates.Count; i++)
                 {
-                    chain.ChainPolicy.ExtraStore.Add(certificates[i]);
+                    _logger.LogWarning(ex, "Failed to load Fulcio root {Root}", rootPath);
-                }
-
-                if (!chain.Build(leafCertificate))
-                {
-                    var status = string.Join(";", chain.ChainStatus.Select(s => s.StatusInformation.Trim())).Trim(';');
-                    issuerIssues.Add(string.IsNullOrEmpty(status) ? "certificate_chain_untrusted" : $"certificate_chain_untrusted:{status}");
                 }
             }
 
+            for (var i = 1; i < certificates.Count; i++)
+            {
+                chain.ChainPolicy.ExtraStore.Add(certificates[i]);
+            }
+
+            if (!chain.Build(leafCertificate))
+            {
+                var status = string.Join(";", chain.ChainStatus.Select(s => s.StatusInformation.Trim())).Trim(';');
+                issuerIssues.Add(string.IsNullOrEmpty(status) ? "certificate_chain_untrusted" : $"certificate_chain_untrusted:{status}");
+            }
+        }
+
         if (_options.Security.SignerIdentity.AllowedSans.Count > 0)
         {
             var sans = GetSubjectAlternativeNames(leafCertificate);

src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core.Tests/Chain/AttestationChainBuilderTests.cs

@@ -223,9 +223,12 @@ public class AttestationChainBuilderTests
         result.IsSuccess.Should().BeTrue();
         result.LinksCreated.Should().HaveCount(3);
         // Links should be created in layer order
-        result.LinksCreated[0].Metadata!.Annotations["layerIndex"].Should().Be("0");
+        Assert.NotNull(result.LinksCreated[0].Metadata?.Annotations);
-        result.LinksCreated[1].Metadata!.Annotations["layerIndex"].Should().Be("1");
+        Assert.NotNull(result.LinksCreated[1].Metadata?.Annotations);
-        result.LinksCreated[2].Metadata!.Annotations["layerIndex"].Should().Be("2");
+        Assert.NotNull(result.LinksCreated[2].Metadata?.Annotations);
+        result.LinksCreated[0].Metadata!.Annotations!["layerIndex"].Should().Be("0");
+        result.LinksCreated[1].Metadata!.Annotations!["layerIndex"].Should().Be("1");
+        result.LinksCreated[2].Metadata!.Annotations!["layerIndex"].Should().Be("2");
     }
 
     [Fact]

src/Attestor/__Tests/StellaOps.Attestor.Verify.Tests/AttestorVerificationEngineTests.cs

@@ -319,7 +319,21 @@ public sealed class AttestorVerificationEngineTests
     }
 
     private static X509Certificate2 EnsurePrivateKey(X509Certificate2 certificate, ECDsa key)
-        => certificate.HasPrivateKey ? certificate : certificate.CopyWithPrivateKey(key);
+    {
+        if (certificate.HasPrivateKey)
+        {
+            return certificate;
+        }
+
+        try
+        {
+            return certificate.CopyWithPrivateKey(key);
+        }
+        catch (InvalidOperationException)
+        {
+            return certificate;
+        }
+    }
 
     private static string ToPem(X509Certificate2 certificate)
     {

src/Authority/StellaOps.Authority/StellaOps.Auth.Abstractions.Tests/AuthAbstractionsConstantsTests.cs

@@ -65,35 +65,35 @@ public class AuthAbstractionsConstantsTests
             [nameof(StellaOpsClaimTypes.SessionId)] = "sid"
         };
 
-        Assert.Equal(expected[nameof(StellaOpsClaimTypes.Subject)], StellaOpsClaimTypes.Subject);
+        Assert.Equal(StellaOpsClaimTypes.Subject, expected[nameof(StellaOpsClaimTypes.Subject)]);
-        Assert.Equal(expected[nameof(StellaOpsClaimTypes.Tenant)], StellaOpsClaimTypes.Tenant);
+        Assert.Equal(StellaOpsClaimTypes.Tenant, expected[nameof(StellaOpsClaimTypes.Tenant)]);
-        Assert.Equal(expected[nameof(StellaOpsClaimTypes.Project)], StellaOpsClaimTypes.Project);
+        Assert.Equal(StellaOpsClaimTypes.Project, expected[nameof(StellaOpsClaimTypes.Project)]);
-        Assert.Equal(expected[nameof(StellaOpsClaimTypes.ClientId)], StellaOpsClaimTypes.ClientId);
+        Assert.Equal(StellaOpsClaimTypes.ClientId, expected[nameof(StellaOpsClaimTypes.ClientId)]);
-        Assert.Equal(expected[nameof(StellaOpsClaimTypes.ServiceAccount)], StellaOpsClaimTypes.ServiceAccount);
+        Assert.Equal(StellaOpsClaimTypes.ServiceAccount, expected[nameof(StellaOpsClaimTypes.ServiceAccount)]);
-        Assert.Equal(expected[nameof(StellaOpsClaimTypes.TokenId)], StellaOpsClaimTypes.TokenId);
+        Assert.Equal(StellaOpsClaimTypes.TokenId, expected[nameof(StellaOpsClaimTypes.TokenId)]);
-        Assert.Equal(expected[nameof(StellaOpsClaimTypes.AuthenticationMethod)], StellaOpsClaimTypes.AuthenticationMethod);
+        Assert.Equal(StellaOpsClaimTypes.AuthenticationMethod, expected[nameof(StellaOpsClaimTypes.AuthenticationMethod)]);
-        Assert.Equal(expected[nameof(StellaOpsClaimTypes.Scope)], StellaOpsClaimTypes.Scope);
+        Assert.Equal(StellaOpsClaimTypes.Scope, expected[nameof(StellaOpsClaimTypes.Scope)]);
-        Assert.Equal(expected[nameof(StellaOpsClaimTypes.ScopeItem)], StellaOpsClaimTypes.ScopeItem);
+        Assert.Equal(StellaOpsClaimTypes.ScopeItem, expected[nameof(StellaOpsClaimTypes.ScopeItem)]);
-        Assert.Equal(expected[nameof(StellaOpsClaimTypes.Audience)], StellaOpsClaimTypes.Audience);
+        Assert.Equal(StellaOpsClaimTypes.Audience, expected[nameof(StellaOpsClaimTypes.Audience)]);
-        Assert.Equal(expected[nameof(StellaOpsClaimTypes.IdentityProvider)], StellaOpsClaimTypes.IdentityProvider);
+        Assert.Equal(StellaOpsClaimTypes.IdentityProvider, expected[nameof(StellaOpsClaimTypes.IdentityProvider)]);
-        Assert.Equal(expected[nameof(StellaOpsClaimTypes.OperatorReason)], StellaOpsClaimTypes.OperatorReason);
+        Assert.Equal(StellaOpsClaimTypes.OperatorReason, expected[nameof(StellaOpsClaimTypes.OperatorReason)]);
-        Assert.Equal(expected[nameof(StellaOpsClaimTypes.OperatorTicket)], StellaOpsClaimTypes.OperatorTicket);
+        Assert.Equal(StellaOpsClaimTypes.OperatorTicket, expected[nameof(StellaOpsClaimTypes.OperatorTicket)]);
-        Assert.Equal(expected[nameof(StellaOpsClaimTypes.QuotaReason)], StellaOpsClaimTypes.QuotaReason);
+        Assert.Equal(StellaOpsClaimTypes.QuotaReason, expected[nameof(StellaOpsClaimTypes.QuotaReason)]);
-        Assert.Equal(expected[nameof(StellaOpsClaimTypes.QuotaTicket)], StellaOpsClaimTypes.QuotaTicket);
+        Assert.Equal(StellaOpsClaimTypes.QuotaTicket, expected[nameof(StellaOpsClaimTypes.QuotaTicket)]);
-        Assert.Equal(expected[nameof(StellaOpsClaimTypes.BackfillReason)], StellaOpsClaimTypes.BackfillReason);
+        Assert.Equal(StellaOpsClaimTypes.BackfillReason, expected[nameof(StellaOpsClaimTypes.BackfillReason)]);
-        Assert.Equal(expected[nameof(StellaOpsClaimTypes.BackfillTicket)], StellaOpsClaimTypes.BackfillTicket);
+        Assert.Equal(StellaOpsClaimTypes.BackfillTicket, expected[nameof(StellaOpsClaimTypes.BackfillTicket)]);
-        Assert.Equal(expected[nameof(StellaOpsClaimTypes.PolicyDigest)], StellaOpsClaimTypes.PolicyDigest);
+        Assert.Equal(StellaOpsClaimTypes.PolicyDigest, expected[nameof(StellaOpsClaimTypes.PolicyDigest)]);
-        Assert.Equal(expected[nameof(StellaOpsClaimTypes.PolicyTicket)], StellaOpsClaimTypes.PolicyTicket);
+        Assert.Equal(StellaOpsClaimTypes.PolicyTicket, expected[nameof(StellaOpsClaimTypes.PolicyTicket)]);
-        Assert.Equal(expected[nameof(StellaOpsClaimTypes.PolicyReason)], StellaOpsClaimTypes.PolicyReason);
+        Assert.Equal(StellaOpsClaimTypes.PolicyReason, expected[nameof(StellaOpsClaimTypes.PolicyReason)]);
-        Assert.Equal(expected[nameof(StellaOpsClaimTypes.PackRunId)], StellaOpsClaimTypes.PackRunId);
+        Assert.Equal(StellaOpsClaimTypes.PackRunId, expected[nameof(StellaOpsClaimTypes.PackRunId)]);
-        Assert.Equal(expected[nameof(StellaOpsClaimTypes.PackGateId)], StellaOpsClaimTypes.PackGateId);
+        Assert.Equal(StellaOpsClaimTypes.PackGateId, expected[nameof(StellaOpsClaimTypes.PackGateId)]);
-        Assert.Equal(expected[nameof(StellaOpsClaimTypes.PackPlanHash)], StellaOpsClaimTypes.PackPlanHash);
+        Assert.Equal(StellaOpsClaimTypes.PackPlanHash, expected[nameof(StellaOpsClaimTypes.PackPlanHash)]);
-        Assert.Equal(expected[nameof(StellaOpsClaimTypes.PolicyOperation)], StellaOpsClaimTypes.PolicyOperation);
+        Assert.Equal(StellaOpsClaimTypes.PolicyOperation, expected[nameof(StellaOpsClaimTypes.PolicyOperation)]);
-        Assert.Equal(expected[nameof(StellaOpsClaimTypes.IncidentReason)], StellaOpsClaimTypes.IncidentReason);
+        Assert.Equal(StellaOpsClaimTypes.IncidentReason, expected[nameof(StellaOpsClaimTypes.IncidentReason)]);
-        Assert.Equal(expected[nameof(StellaOpsClaimTypes.VulnerabilityEnvironment)], StellaOpsClaimTypes.VulnerabilityEnvironment);
+        Assert.Equal(StellaOpsClaimTypes.VulnerabilityEnvironment, expected[nameof(StellaOpsClaimTypes.VulnerabilityEnvironment)]);
-        Assert.Equal(expected[nameof(StellaOpsClaimTypes.VulnerabilityOwner)], StellaOpsClaimTypes.VulnerabilityOwner);
+        Assert.Equal(StellaOpsClaimTypes.VulnerabilityOwner, expected[nameof(StellaOpsClaimTypes.VulnerabilityOwner)]);
-        Assert.Equal(expected[nameof(StellaOpsClaimTypes.VulnerabilityBusinessTier)], StellaOpsClaimTypes.VulnerabilityBusinessTier);
+        Assert.Equal(StellaOpsClaimTypes.VulnerabilityBusinessTier, expected[nameof(StellaOpsClaimTypes.VulnerabilityBusinessTier)]);
-        Assert.Equal(expected[nameof(StellaOpsClaimTypes.SessionId)], StellaOpsClaimTypes.SessionId);
+        Assert.Equal(StellaOpsClaimTypes.SessionId, expected[nameof(StellaOpsClaimTypes.SessionId)]);
     }
 
     [Trait("Category", TestCategories.Unit)]

src/Authority/StellaOps.Authority/StellaOps.Auth.Client.Tests/ServiceCollectionExtensionsTests.cs

@@ -72,7 +72,7 @@ public class ServiceCollectionExtensionsTests
         using var provider = services.BuildServiceProvider();
 
         var cache = provider.GetRequiredService<StellaOpsDiscoveryCache>();
-        var configuration = await cache.GetAsync(CancellationToken.None);
+        var configuration = await cache.GetAsync(TestContext.Current.CancellationToken);
 
         Assert.Equal(new Uri("https://authority.test/connect/token"), configuration.TokenEndpoint);
         Assert.Equal(2, attemptCount);

src/Authority/StellaOps.Authority/StellaOps.Auth.Client.Tests/StellaOpsDiscoveryCacheTests.cs

@@ -47,12 +47,12 @@ public class StellaOpsDiscoveryCacheTests
         var monitor = new TestOptionsMonitor<StellaOpsAuthClientOptions>(options);
         var cache = new StellaOpsDiscoveryCache(httpClient, monitor, timeProvider, NullLogger<StellaOpsDiscoveryCache>.Instance);
 
-        var configuration = await cache.GetAsync(CancellationToken.None);
+        var configuration = await cache.GetAsync(TestContext.Current.CancellationToken);
         Assert.Equal(new Uri("https://authority.test/connect/token"), configuration.TokenEndpoint);
 
         timeProvider.Advance(TimeSpan.FromMinutes(1) + TimeSpan.FromSeconds(5));
 
-        configuration = await cache.GetAsync(CancellationToken.None);
+        configuration = await cache.GetAsync(TestContext.Current.CancellationToken);
         Assert.Equal(new Uri("https://authority.test/connect/token"), configuration.TokenEndpoint);
         Assert.Equal(2, callCount);
 
@@ -66,7 +66,7 @@ public class StellaOpsDiscoveryCacheTests
         HttpRequestException? exception = null;
         try
         {
-            await cache.GetAsync(CancellationToken.None);
+            await cache.GetAsync(TestContext.Current.CancellationToken);
         }
         catch (HttpRequestException ex)
         {

src/Authority/StellaOps.Authority/StellaOps.Auth.Client.Tests/StellaOpsJwksCacheTests.cs

@@ -52,12 +52,12 @@ public class StellaOpsJwksCacheTests
         var discoveryCache = new StellaOpsDiscoveryCache(discoveryClient, monitor, timeProvider, NullLogger<StellaOpsDiscoveryCache>.Instance);
         var jwksCache = new StellaOpsJwksCache(jwksClient, discoveryCache, monitor, timeProvider, NullLogger<StellaOpsJwksCache>.Instance);
 
-        var keys = await jwksCache.GetAsync(CancellationToken.None);
+        var keys = await jwksCache.GetAsync(TestContext.Current.CancellationToken);
         Assert.NotNull(keys);
 
         timeProvider.Advance(TimeSpan.FromMinutes(1) + TimeSpan.FromSeconds(5));
 
-        keys = await jwksCache.GetAsync(CancellationToken.None);
+        keys = await jwksCache.GetAsync(TestContext.Current.CancellationToken);
         Assert.NotNull(keys);
         Assert.Equal(2, jwksCallCount);
 
@@ -68,7 +68,7 @@ public class StellaOpsJwksCacheTests
 
         Assert.True(offlineExpiry < timeProvider.GetUtcNow());
 
-        await Assert.ThrowsAsync<HttpRequestException>(() => jwksCache.GetAsync(CancellationToken.None));
+        await Assert.ThrowsAsync<HttpRequestException>(() => jwksCache.GetAsync(TestContext.Current.CancellationToken));
     }
 
     private static HttpResponseMessage CreateJsonResponse(string json)

src/Authority/StellaOps.Authority/StellaOps.Auth.ServerIntegration.Tests/StellaOpsAuthorityConfigurationManagerTests.cs

@@ -38,7 +38,7 @@ public class StellaOpsAuthorityConfigurationManagerTests
         var initialMetadataRequests = handler.MetadataRequests;
         var initialJwksRequests = handler.JwksRequests;
 
-        var second = await manager.GetConfigurationAsync(CancellationToken.None);
+        var second = await manager.GetConfigurationAsync(TestContext.Current.CancellationToken);
 
         // Cache must return same instance
         Assert.Same(first, second);
@@ -70,11 +70,11 @@ public class StellaOpsAuthorityConfigurationManagerTests
             timeProvider,
             NullLogger<StellaOpsAuthorityConfigurationManager>.Instance);
 
-        var first = await manager.GetConfigurationAsync(CancellationToken.None);
+        var first = await manager.GetConfigurationAsync(TestContext.Current.CancellationToken);
 
         timeProvider.Advance(TimeSpan.FromMinutes(2));
 
-        var second = await manager.GetConfigurationAsync(CancellationToken.None);
+        var second = await manager.GetConfigurationAsync(TestContext.Current.CancellationToken);
 
         Assert.Same(first, second);
         Assert.Equal(2, handler.MetadataRequests);
@@ -100,12 +100,12 @@ public class StellaOpsAuthorityConfigurationManagerTests
             timeProvider,
             NullLogger<StellaOpsAuthorityConfigurationManager>.Instance);
 
-        await manager.GetConfigurationAsync(CancellationToken.None);
+        await manager.GetConfigurationAsync(TestContext.Current.CancellationToken);
 
         var updated = CreateOptions("https://authority2.test");
         optionsMonitor.Set(updated);
 
-        await manager.GetConfigurationAsync(CancellationToken.None);
+        await manager.GetConfigurationAsync(TestContext.Current.CancellationToken);
 
         Assert.Equal(2, handler.MetadataRequests);
     }

src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap.Tests/Claims/LdapClaimsCacheTests.cs

@@ -21,8 +21,8 @@ public sealed class InMemoryLdapClaimsCacheTests
                 ["displayName"] = "Alice Example"
             });
 
-        await cache.SetAsync("uid=alice,ou=people,dc=example,dc=internal", claims, CancellationToken.None);
+        await cache.SetAsync("uid=alice,ou=people,dc=example,dc=internal", claims, TestContext.Current.CancellationToken);
-        var fetched = await cache.GetAsync("uid=alice,ou=people,dc=example,dc=internal", CancellationToken.None);
+        var fetched = await cache.GetAsync("uid=alice,ou=people,dc=example,dc=internal", TestContext.Current.CancellationToken);
 
         Assert.NotNull(fetched);
         Assert.Contains("operators", fetched!.Roles);
@@ -35,10 +35,10 @@ public sealed class InMemoryLdapClaimsCacheTests
         var timeProvider = new TestTimeProvider(new DateTimeOffset(2025, 11, 9, 6, 0, 0, TimeSpan.Zero));
         var cache = CreateCache(enabled: true, ttlSeconds: 60, timeProvider: timeProvider);
 
-        await cache.SetAsync("uid=expired,ou=people,dc=example,dc=internal", new LdapCachedClaims(Array.Empty<string>(), new Dictionary<string, string>()), CancellationToken.None);
+        await cache.SetAsync("uid=expired,ou=people,dc=example,dc=internal", new LdapCachedClaims(Array.Empty<string>(), new Dictionary<string, string>()), TestContext.Current.CancellationToken);
 
         timeProvider.Advance(TimeSpan.FromMinutes(5));
-        var fetched = await cache.GetAsync("uid=expired,ou=people,dc=example,dc=internal", CancellationToken.None);
+        var fetched = await cache.GetAsync("uid=expired,ou=people,dc=example,dc=internal", TestContext.Current.CancellationToken);
 
         Assert.Null(fetched);
     }
@@ -48,11 +48,11 @@ public sealed class InMemoryLdapClaimsCacheTests
     {
         var cache = CreateCache(enabled: true, ttlSeconds: 600, maxEntries: 1);
 
-        await cache.SetAsync("uid=first,ou=people,dc=example,dc=internal", new LdapCachedClaims(Array.Empty<string>(), new Dictionary<string, string>()), CancellationToken.None);
+        await cache.SetAsync("uid=first,ou=people,dc=example,dc=internal", new LdapCachedClaims(Array.Empty<string>(), new Dictionary<string, string>()), TestContext.Current.CancellationToken);
-        await cache.SetAsync("uid=second,ou=people,dc=example,dc=internal", new LdapCachedClaims(Array.Empty<string>(), new Dictionary<string, string>()), CancellationToken.None);
+        await cache.SetAsync("uid=second,ou=people,dc=example,dc=internal", new LdapCachedClaims(Array.Empty<string>(), new Dictionary<string, string>()), TestContext.Current.CancellationToken);
 
-        var first = await cache.GetAsync("uid=first,ou=people,dc=example,dc=internal", CancellationToken.None);
+        var first = await cache.GetAsync("uid=first,ou=people,dc=example,dc=internal", TestContext.Current.CancellationToken);
-        var second = await cache.GetAsync("uid=second,ou=people,dc=example,dc=internal", CancellationToken.None);
+        var second = await cache.GetAsync("uid=second,ou=people,dc=example,dc=internal", TestContext.Current.CancellationToken);
 
         Assert.Null(first);
         Assert.NotNull(second);

src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap.Tests/Claims/LdapClaimsEnricherTests.cs

@@ -41,7 +41,7 @@ public class LdapClaimsEnricherTests
         var identity = new ClaimsIdentity();
         var context = CreateContext("uid=j.doe,ou=people,dc=example,dc=internal");
 
-        await enricher.EnrichAsync(identity, context, CancellationToken.None);
+        await enricher.EnrichAsync(identity, context, TestContext.Current.CancellationToken);
 
         Assert.Contains(identity.Claims, claim => claim.Type == ClaimTypes.Role && claim.Value == "operators");
     }
@@ -74,7 +74,7 @@ public class LdapClaimsEnricherTests
         var identity = new ClaimsIdentity();
         var context = CreateContext("uid=ops,ou=people,dc=example,dc=internal");
 
-        await enricher.EnrichAsync(identity, context, CancellationToken.None);
+        await enricher.EnrichAsync(identity, context, TestContext.Current.CancellationToken);
 
         Assert.Contains(identity.Claims, claim => claim.Type == ClaimTypes.Role && claim.Value == "incident");
     }
@@ -107,7 +107,7 @@ public class LdapClaimsEnricherTests
         var identity = new ClaimsIdentity();
         var context = CreateContext("uid=alice,ou=people,dc=example,dc=internal");
 
-        await enricher.EnrichAsync(identity, context, CancellationToken.None);
+        await enricher.EnrichAsync(identity, context, TestContext.Current.CancellationToken);
 
         Assert.Contains(identity.Claims, claim => claim.Type == "displayName" && claim.Value == "Alice Example");
         Assert.Contains(identity.Claims, claim => claim.Type == "email" && claim.Value == "alice@example.test");
@@ -134,11 +134,11 @@ public class LdapClaimsEnricherTests
         var identity = new ClaimsIdentity();
         var context = CreateContext("uid=cached,ou=people,dc=example,dc=internal");
 
-        await enricher.EnrichAsync(identity, context, CancellationToken.None);
+        await enricher.EnrichAsync(identity, context, TestContext.Current.CancellationToken);
 
         Assert.Contains(identity.Claims, claim => claim.Type == ClaimTypes.Role && claim.Value == "operators");
         Assert.Contains(identity.Claims, claim => claim.Type == "displayName" && claim.Value == "Cached User");
-        Assert.Equal(0, connection.Operations.Count);
+        Assert.Empty(connection.Operations);
         Assert.Equal(0, cache.SetCount);
     }
 

src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap.Tests/ClientProvisioning/LdapCapabilityProbeTests.cs

@@ -25,7 +25,7 @@ public class LdapCapabilityProbeTests
             checkClientProvisioning: true,
             checkBootstrap: true,
             options.CapabilityProbe.Timeout,
-            CancellationToken.None);
+            TestContext.Current.CancellationToken);
 
         Assert.True(snapshot.ClientProvisioningWritable);
         Assert.True(snapshot.BootstrapWritable);
@@ -47,7 +47,7 @@ public class LdapCapabilityProbeTests
             checkClientProvisioning: true,
             checkBootstrap: true,
             options.CapabilityProbe.Timeout,
-            CancellationToken.None);
+            TestContext.Current.CancellationToken);
 
         Assert.False(snapshot.ClientProvisioningWritable);
         Assert.False(snapshot.BootstrapWritable);

src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap.Tests/ClientProvisioning/LdapClientProvisioningStoreTests.cs

@@ -49,7 +49,7 @@ public sealed class LdapClientProvisioningStoreTests
             allowedScopes: new[] { "signer.sign" },
             allowedAudiences: new[] { "signer" });
 
-        var result = await store.CreateOrUpdateAsync(registration, CancellationToken.None);
+        var result = await store.CreateOrUpdateAsync(registration, TestContext.Current.CancellationToken);
 
         Assert.True(result.Succeeded);
         Assert.True(clientStore.Documents.ContainsKey("svc-bootstrap"));
@@ -88,7 +88,7 @@ public sealed class LdapClientProvisioningStoreTests
             SecretHash = "hash"
         };
 
-        var result = await store.DeleteAsync("svc-bootstrap", CancellationToken.None);
+        var result = await store.DeleteAsync("svc-bootstrap", TestContext.Current.CancellationToken);
 
         Assert.True(result.Succeeded);
         Assert.DoesNotContain("svc-bootstrap", clientStore.Documents.Keys);
@@ -124,7 +124,7 @@ public sealed class LdapClientProvisioningStoreTests
             allowedGrantTypes: new[] { "client_credentials" },
             allowedScopes: new[] { "signer.sign" });
 
-        var result = await store.CreateOrUpdateAsync(registration, CancellationToken.None);
+        var result = await store.CreateOrUpdateAsync(registration, TestContext.Current.CancellationToken);
 
         Assert.False(result.Succeeded);
         Assert.Equal("disabled", result.ErrorCode);

src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap.Tests/Credentials/LdapCredentialStoreTests.cs

@@ -44,7 +44,7 @@ public class LdapCredentialStoreTests
             monitor,
             new FakeLdapConnectionFactory(connection));
 
-        var result = await store.VerifyPasswordAsync("J.Doe", "Password1!", CancellationToken.None);
+        var result = await store.VerifyPasswordAsync("J.Doe", "Password1!", TestContext.Current.CancellationToken);
 
         Assert.True(result.Succeeded);
         Assert.Equal(2, bindCalls.Count);
@@ -86,7 +86,7 @@ public class LdapCredentialStoreTests
             monitor,
             new FakeLdapConnectionFactory(connection));
 
-        var result = await store.VerifyPasswordAsync("J.Doe", "Password1!", CancellationToken.None);
+        var result = await store.VerifyPasswordAsync("J.Doe", "Password1!", TestContext.Current.CancellationToken);
 
         Assert.True(result.Succeeded);
         Assert.NotNull(result.User);
@@ -119,7 +119,7 @@ public class LdapCredentialStoreTests
             new FakeLdapConnectionFactory(connection),
             delayAsync: (_, _) => Task.CompletedTask);
 
-        var result = await store.VerifyPasswordAsync("jdoe", "Password1!", CancellationToken.None);
+        var result = await store.VerifyPasswordAsync("jdoe", "Password1!", TestContext.Current.CancellationToken);
 
         Assert.True(result.Succeeded);
         Assert.Equal(2, attempts);
@@ -142,7 +142,7 @@ public class LdapCredentialStoreTests
             new FakeLdapConnectionFactory(connection),
             delayAsync: (_, _) => Task.CompletedTask);
 
-        var result = await store.VerifyPasswordAsync("jdoe", "bad", CancellationToken.None);
+        var result = await store.VerifyPasswordAsync("jdoe", "bad", TestContext.Current.CancellationToken);
 
         Assert.False(result.Succeeded);
         Assert.Equal(AuthorityCredentialFailureCode.InvalidCredentials, result.FailureCode);
@@ -176,7 +176,7 @@ public class LdapCredentialStoreTests
             monitor,
             new FakeLdapConnectionFactory(connection));
 
-        var result = await store.FindBySubjectAsync("uid=j.doe,ou=people,dc=example,dc=internal", CancellationToken.None);
+        var result = await store.FindBySubjectAsync("uid=j.doe,ou=people,dc=example,dc=internal", TestContext.Current.CancellationToken);
 
         Assert.NotNull(result);
         Assert.Equal("uid=j.doe,ou=people,dc=example,dc=internal", result!.SubjectId);
@@ -201,7 +201,7 @@ public class LdapCredentialStoreTests
             email: "bootstrap@example.internal",
             requirePasswordReset: true);
 
-        var result = await store.UpsertUserAsync(registration, CancellationToken.None);
+        var result = await store.UpsertUserAsync(registration, TestContext.Current.CancellationToken);
 
         Assert.True(result.Succeeded);
         Assert.Contains(connection.Operations, op => op.StartsWith("add:uid=bootstrap.user", StringComparison.OrdinalIgnoreCase));
@@ -234,7 +234,7 @@ public class LdapCredentialStoreTests
             email: "bootstrap@example.internal",
             requirePasswordReset: false);
 
-        var result = await store.UpsertUserAsync(registration, CancellationToken.None);
+        var result = await store.UpsertUserAsync(registration, TestContext.Current.CancellationToken);
 
         Assert.True(result.Succeeded);
         Assert.Contains(connection.Operations, op => op.StartsWith("modify:uid=bootstrap.user", StringComparison.OrdinalIgnoreCase));

src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap.Tests/Resilience/LdapConnectorResilienceTests.cs

@@ -61,7 +61,7 @@ public sealed class LdapConnectorResilienceTests
         var store = CreateStore(options, connection);
 
         // Act
-        var result = await store.VerifyPasswordAsync("noname", "Password1!", CancellationToken.None);
+        var result = await store.VerifyPasswordAsync("noname", "Password1!", TestContext.Current.CancellationToken);
 
         // Assert
         result.Succeeded.Should().BeTrue("Missing displayName should not prevent authentication");
@@ -88,7 +88,7 @@ public sealed class LdapConnectorResilienceTests
         var store = CreateStore(options, connection);
 
         // Act
-        var result = await store.VerifyPasswordAsync("nomail", "Password1!", CancellationToken.None);
+        var result = await store.VerifyPasswordAsync("nomail", "Password1!", TestContext.Current.CancellationToken);
 
         // Assert
         result.Succeeded.Should().BeTrue("Missing mail should not prevent authentication");
@@ -113,7 +113,7 @@ public sealed class LdapConnectorResilienceTests
         var store = CreateStore(options, connection);
 
         // Act
-        var result = await store.VerifyPasswordAsync("nogroups", "Password1!", CancellationToken.None);
+        var result = await store.VerifyPasswordAsync("nogroups", "Password1!", TestContext.Current.CancellationToken);
 
         // Assert
         result.Succeeded.Should().BeTrue("Empty memberOf should not prevent authentication");
@@ -135,7 +135,7 @@ public sealed class LdapConnectorResilienceTests
         var store = CreateStore(options, connection);
 
         // Act
-        var result = await store.VerifyPasswordAsync("nonexistent", "Password1!", CancellationToken.None);
+        var result = await store.VerifyPasswordAsync("nonexistent", "Password1!", TestContext.Current.CancellationToken);
 
         // Assert
         result.Succeeded.Should().BeFalse("Nonexistent user should fail authentication");
@@ -177,7 +177,7 @@ public sealed class LdapConnectorResilienceTests
         var store = CreateStore(options, new FakeLdapConnectionFactory(connection));
 
         // Act
-        var result = await store.VerifyPasswordAsync("user", "WrongPassword!", CancellationToken.None);
+        var result = await store.VerifyPasswordAsync("user", "WrongPassword!", TestContext.Current.CancellationToken);
 
         // Assert
         result.Succeeded.Should().BeFalse("Wrong password should fail authentication");
@@ -200,7 +200,7 @@ public sealed class LdapConnectorResilienceTests
         var store = CreateStore(options, connection);
 
         // Act
-        var result = await store.VerifyPasswordAsync("malformed", "Password1!", CancellationToken.None);
+        var result = await store.VerifyPasswordAsync("malformed", "Password1!", TestContext.Current.CancellationToken);
 
         // Assert - should handle gracefully (either succeed with warning or fail cleanly)
         // The exact behavior depends on implementation
@@ -225,7 +225,7 @@ public sealed class LdapConnectorResilienceTests
         var store = CreateStore(options, new FakeLdapConnectionFactory(connection));
 
         // Act
-        Func<Task> act = async () => await store.VerifyPasswordAsync("user", "Password1!", CancellationToken.None);
+        Func<Task> act = async () => await store.VerifyPasswordAsync("user", "Password1!", TestContext.Current.CancellationToken);
 
         // Assert
         await act.Should().ThrowAsync<TimeoutException>();
@@ -247,7 +247,7 @@ public sealed class LdapConnectorResilienceTests
         var store = CreateStore(options, new FakeLdapConnectionFactory(connection));
 
         // Act
-        Func<Task> act = async () => await store.VerifyPasswordAsync("user", "Password1!", CancellationToken.None);
+        Func<Task> act = async () => await store.VerifyPasswordAsync("user", "Password1!", TestContext.Current.CancellationToken);
 
         // Assert
         await act.Should().ThrowAsync<InvalidOperationException>();
@@ -303,7 +303,7 @@ public sealed class LdapConnectorResilienceTests
         var store = CreateStore(options, connection);
 
         // Act
-        var result = await store.VerifyPasswordAsync("münchen-user", "Password1!", CancellationToken.None);
+        var result = await store.VerifyPasswordAsync("münchen-user", "Password1!", TestContext.Current.CancellationToken);
 
         // Assert
         result.Succeeded.Should().BeTrue("Unicode username should be handled");
@@ -329,7 +329,7 @@ public sealed class LdapConnectorResilienceTests
         var store = CreateStore(options, connection);
 
         // Act
-        var result = await store.VerifyPasswordAsync("user+test", "Password1!", CancellationToken.None);
+        var result = await store.VerifyPasswordAsync("user+test", "Password1!", TestContext.Current.CancellationToken);
 
         // Assert
         result.Succeeded.Should().BeTrue("Special characters in DN should be handled");

src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap.Tests/Security/LdapConnectorSecurityTests.cs

@@ -69,7 +69,7 @@ public sealed class LdapConnectorSecurityTests
         var store = CreateStore(options, new FakeLdapConnectionFactory(connection));
 
         // Act
-        var result = await store.VerifyPasswordAsync(maliciousUsername, "Password1!", CancellationToken.None);
+        var result = await store.VerifyPasswordAsync(maliciousUsername, "Password1!", TestContext.Current.CancellationToken);
 
         // Assert
         result.Succeeded.Should().BeFalse("Injection attempt should fail");
@@ -103,7 +103,7 @@ public sealed class LdapConnectorSecurityTests
         var store = CreateStore(options, new FakeLdapConnectionFactory(connection));
 
         // Act
-        var result = await store.VerifyPasswordAsync(emptyUsername, "Password1!", CancellationToken.None);
+        var result = await store.VerifyPasswordAsync(emptyUsername, "Password1!", TestContext.Current.CancellationToken);
 
         // Assert
         result.Succeeded.Should().BeFalse("Empty username should be rejected");
@@ -120,7 +120,7 @@ public sealed class LdapConnectorSecurityTests
         var store = CreateStore(options, new FakeLdapConnectionFactory(connection));
 
         // Act
-        var result = await store.VerifyPasswordAsync("user", null!, CancellationToken.None);
+        var result = await store.VerifyPasswordAsync("user", null!, TestContext.Current.CancellationToken);
 
         // Assert
         result.Succeeded.Should().BeFalse("Null password should be rejected");
@@ -137,7 +137,7 @@ public sealed class LdapConnectorSecurityTests
         var store = CreateStore(options, new FakeLdapConnectionFactory(connection));
 
         // Act
-        var result = await store.VerifyPasswordAsync("user", "", CancellationToken.None);
+        var result = await store.VerifyPasswordAsync("user", "", TestContext.Current.CancellationToken);
 
         // Assert
         result.Succeeded.Should().BeFalse("Empty password should be rejected");
@@ -169,7 +169,7 @@ public sealed class LdapConnectorSecurityTests
         var store = CreateStore(options, new FakeLdapConnectionFactory(connection));
 
         // Act
-        Func<Task> act = async () => await store.VerifyPasswordAsync("user", "Password1!", CancellationToken.None);
+        Func<Task> act = async () => await store.VerifyPasswordAsync("user", "Password1!", TestContext.Current.CancellationToken);
 
         // Assert
         await act.Should().ThrowAsync<InvalidOperationException>();
@@ -201,7 +201,7 @@ public sealed class LdapConnectorSecurityTests
         var store = CreateStore(options, new FakeLdapConnectionFactory(connection));
 
         // Act
-        await store.VerifyPasswordAsync("targetuser", "Password1!", CancellationToken.None);
+        await store.VerifyPasswordAsync("targetuser", "Password1!", TestContext.Current.CancellationToken);
 
         // Assert
         bindDns.Should().HaveCountGreaterThanOrEqualTo(2, "Should bind as service then as user");
@@ -289,7 +289,7 @@ public sealed class LdapConnectorSecurityTests
         // Act
         try
         {
-            await store.VerifyPasswordAsync("user", "SuperSecret123!", CancellationToken.None);
+            await store.VerifyPasswordAsync("user", "SuperSecret123!", TestContext.Current.CancellationToken);
         }
         catch
         {
@@ -308,7 +308,7 @@ public sealed class LdapConnectorSecurityTests
         var store = CreateStore(options, new FakeLdapConnectionFactory(connection));
 
         // Act
-        var result = await store.VerifyPasswordAsync("user", "MyPassword123", CancellationToken.None);
+        var result = await store.VerifyPasswordAsync("user", "MyPassword123", TestContext.Current.CancellationToken);
 
         // Assert
         var resultString = result.ToString();

src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap.Tests/Snapshots/LdapConnectorSnapshotTests.cs

@@ -112,13 +112,13 @@ public sealed class LdapConnectorSnapshotTests
     {
         // Arrange
         var fixtureFiles = Directory.Exists(FixturesPath)
-            ? Directory.EnumerateFiles(FixturesPath, "*.json").Select(Path.GetFileNameWithoutExtension).ToList()
+            ? Directory.EnumerateFiles(FixturesPath, "*.json").Select(Path.GetFileNameWithoutExtension).Where(n => n is not null).Cast<string>().ToList()
             : new List<string>();
 
         var expectedFiles = Directory.Exists(ExpectedPath)
             ? Directory.EnumerateFiles(ExpectedPath, "*.canonical.json")
-                .Select(f => Path.GetFileNameWithoutExtension(f).Replace(".canonical", ""))
+                .Select(f => Path.GetFileNameWithoutExtension(f)?.Replace(".canonical", ""))
-                .ToList()
+                .Where(n => n is not null).Cast<string>().ToList()
             : new List<string>();
 
         // Assert

src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Oidc.Tests/Credentials/OidcCredentialStoreTests.cs

@@ -52,7 +52,7 @@ public sealed class OidcCredentialStoreTests
             username: "user@example.com",
             signingCredentials: new SigningCredentials(symmetricKey, SecurityAlgorithms.HmacSha256));
 
-        var result = await store.VerifyPasswordAsync("user@example.com", token, CancellationToken.None);
+        var result = await store.VerifyPasswordAsync("user@example.com", token, TestContext.Current.CancellationToken);
 
         Assert.False(result.Succeeded);
         Assert.Equal(AuthorityCredentialFailureCode.InvalidCredentials, result.FailureCode);
@@ -102,10 +102,10 @@ public sealed class OidcCredentialStoreTests
             username: "user2@example.com",
             signingCredentials: new SigningCredentials(rsaKey, SecurityAlgorithms.RsaSha256));
 
-        var result = await storeA.VerifyPasswordAsync("user2@example.com", token, CancellationToken.None);
+        var result = await storeA.VerifyPasswordAsync("user2@example.com", token, TestContext.Current.CancellationToken);
         Assert.True(result.Succeeded);
 
-        var cached = await storeB.FindBySubjectAsync("user-2", CancellationToken.None);
+        var cached = await storeB.FindBySubjectAsync("user-2", TestContext.Current.CancellationToken);
 
         Assert.Null(cached);
     }
@@ -220,8 +220,8 @@ public sealed class OidcCredentialStoreTests
 
         public OidcPluginOptions CurrentValue => options.Values.First();
 
-        public OidcPluginOptions Get(string name)
+        public OidcPluginOptions Get(string? name)
-            => options.TryGetValue(name, out var value) ? value : options.Values.First();
+            => name is not null && options.TryGetValue(name, out var value) ? value : options.Values.First();
 
         public IDisposable OnChange(Action<OidcPluginOptions, string> listener)
             => new NoopDisposable();

src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Oidc.Tests/OidcIdentityProviderPluginTests.cs

@@ -23,7 +23,7 @@ public sealed class OidcIdentityProviderPluginTests
     {
         var (plugin, _) = CreatePlugin(HttpStatusCode.OK);
 
-        var result = await plugin.CheckHealthAsync(CancellationToken.None);
+        var result = await plugin.CheckHealthAsync(TestContext.Current.CancellationToken);
 
         Assert.Equal(AuthorityPluginHealthStatus.Healthy, result.Status);
     }
@@ -33,7 +33,7 @@ public sealed class OidcIdentityProviderPluginTests
     {
         var (plugin, _) = CreatePlugin(HttpStatusCode.ServiceUnavailable);
 
-        var result = await plugin.CheckHealthAsync(CancellationToken.None);
+        var result = await plugin.CheckHealthAsync(TestContext.Current.CancellationToken);
 
         Assert.Equal(AuthorityPluginHealthStatus.Degraded, result.Status);
     }
@@ -132,7 +132,7 @@ public sealed class OidcIdentityProviderPluginTests
 
         public OidcPluginOptions CurrentValue => options;
 
-        public OidcPluginOptions Get(string name)
+        public OidcPluginOptions Get(string? name)
             => string.Equals(name, pluginName, StringComparison.Ordinal) ? options : options;
 
         public IDisposable OnChange(Action<OidcPluginOptions, string> listener)

src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Oidc.Tests/Snapshots/OidcConnectorSnapshotTests.cs

@@ -129,13 +129,13 @@ public sealed class OidcConnectorSnapshotTests
     {
         // Arrange
         var fixtureFiles = Directory.Exists(FixturesPath)
-            ? Directory.EnumerateFiles(FixturesPath, "*.json").Select(Path.GetFileNameWithoutExtension).ToList()
+            ? Directory.EnumerateFiles(FixturesPath, "*.json").Select(Path.GetFileNameWithoutExtension).Where(n => n is not null).Cast<string>().ToList()
             : new List<string>();
 
         var expectedFiles = Directory.Exists(ExpectedPath)
             ? Directory.EnumerateFiles(ExpectedPath, "*.canonical.json")
                 .Select(f => Path.GetFileNameWithoutExtension(f)?.Replace(".canonical", ""))
-                .ToList()
+                .Where(n => n is not null).Cast<string>().ToList()
             : new List<string>();
 
         // Assert

src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Saml.Tests/SamlIdentityProviderPluginTests.cs

@@ -23,7 +23,7 @@ public sealed class SamlIdentityProviderPluginTests
     {
         var plugin = CreatePlugin(HttpStatusCode.OK);
 
-        var result = await plugin.CheckHealthAsync(CancellationToken.None);
+        var result = await plugin.CheckHealthAsync(TestContext.Current.CancellationToken);
 
         Assert.Equal(AuthorityPluginHealthStatus.Healthy, result.Status);
     }
@@ -33,7 +33,7 @@ public sealed class SamlIdentityProviderPluginTests
     {
         var plugin = CreatePlugin(HttpStatusCode.ServiceUnavailable);
 
-        var result = await plugin.CheckHealthAsync(CancellationToken.None);
+        var result = await plugin.CheckHealthAsync(TestContext.Current.CancellationToken);
 
         Assert.Equal(AuthorityPluginHealthStatus.Degraded, result.Status);
     }
@@ -130,7 +130,7 @@ public sealed class SamlIdentityProviderPluginTests
 
         public SamlPluginOptions CurrentValue => options;
 
-        public SamlPluginOptions Get(string name)
+        public SamlPluginOptions Get(string? name)
             => string.Equals(name, pluginName, StringComparison.Ordinal) ? options : options;
 
         public IDisposable OnChange(Action<SamlPluginOptions, string> listener)

src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Saml.Tests/Snapshots/SamlConnectorSnapshotTests.cs

@@ -122,13 +122,13 @@ public sealed class SamlConnectorSnapshotTests
     {
         // Arrange
         var fixtureFiles = Directory.Exists(FixturesPath)
-            ? Directory.EnumerateFiles(FixturesPath, "*.xml").Select(Path.GetFileNameWithoutExtension).ToList()
+            ? Directory.EnumerateFiles(FixturesPath, "*.xml").Select(Path.GetFileNameWithoutExtension).Where(n => n is not null).Cast<string>().ToList()
             : new List<string>();
 
         var expectedFiles = Directory.Exists(ExpectedPath)
             ? Directory.EnumerateFiles(ExpectedPath, "*.canonical.json")
                 .Select(f => Path.GetFileNameWithoutExtension(f)?.Replace(".canonical", ""))
-                .ToList()
+                .Where(n => n is not null).Cast<string>().ToList()
             : new List<string>();
 
         // Assert

src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard.Tests/Security/StandardCredentialAuditLoggerTests.cs

@@ -39,7 +39,7 @@ public class StandardCredentialAuditLoggerTests
             failureCode: null,
             reason: null,
             properties: Array.Empty<AuthEventProperty>(),
-            CancellationToken.None);
+            TestContext.Current.CancellationToken);
 
         var record = Assert.Single(sink.Records);
         Assert.Equal("authority.plugin.standard.password_verification", record.EventType);
@@ -92,7 +92,7 @@ public class StandardCredentialAuditLoggerTests
             failureCode: AuthorityCredentialFailureCode.InvalidCredentials,
             reason: "Invalid credentials.",
             properties,
-            CancellationToken.None);
+            TestContext.Current.CancellationToken);
 
         var record = Assert.Single(sink.Records);
         Assert.Equal(AuthEventOutcome.Failure, record.Outcome);
@@ -147,7 +147,7 @@ public class StandardCredentialAuditLoggerTests
             failureCode: AuthorityCredentialFailureCode.LockedOut,
             reason: "Account locked.",
             properties,
-            CancellationToken.None);
+            TestContext.Current.CancellationToken);
 
         var record = Assert.Single(sink.Records);
         Assert.Equal(AuthEventOutcome.LockedOut, record.Outcome);
@@ -189,7 +189,7 @@ public class StandardCredentialAuditLoggerTests
             failureCode: AuthorityCredentialFailureCode.RequiresMfa,
             reason: "MFA required.",
             properties: null,
-            CancellationToken.None);
+            TestContext.Current.CancellationToken);
 
         var record = Assert.Single(sink.Records);
         var property = Assert.Single(record.Properties);

src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard.Tests/StandardClaimsEnricherTests.cs

@@ -43,7 +43,7 @@ public class StandardClaimsEnricherTests
         var identity = new ClaimsIdentity();
         var enricher = new StandardClaimsEnricher();
 
-        await enricher.EnrichAsync(identity, context, CancellationToken.None);
+        await enricher.EnrichAsync(identity, context, TestContext.Current.CancellationToken);
 
         Assert.Contains(identity.Claims, claim => claim.Type == ClaimTypes.Role && claim.Value == "admin");
         Assert.Contains(identity.Claims, claim => claim.Type == ClaimTypes.Role && claim.Value == "ops");

src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard.Tests/StandardClientProvisioningStoreTests.cs

@@ -32,7 +32,7 @@ public class StandardClientProvisioningStoreTests
             allowedGrantTypes: new[] { "client_credentials" },
             allowedScopes: new[] { "scopeA" });
 
-        var result = await provisioning.CreateOrUpdateAsync(registration, CancellationToken.None);
+        var result = await provisioning.CreateOrUpdateAsync(registration, TestContext.Current.CancellationToken);
 
         Assert.True(result.Succeeded);
         Assert.True(store.Documents.TryGetValue("bootstrap-client", out var document));
@@ -40,7 +40,7 @@ public class StandardClientProvisioningStoreTests
         Assert.Equal(AuthoritySecretHasher.ComputeHash("SuperSecret1!"), document!.SecretHash);
         Assert.Equal("standard", document.Plugin);
 
-        var descriptor = await provisioning.FindByClientIdAsync("bootstrap-client", CancellationToken.None);
+        var descriptor = await provisioning.FindByClientIdAsync("bootstrap-client", TestContext.Current.CancellationToken);
         Assert.NotNull(descriptor);
         Assert.Equal("bootstrap-client", descriptor!.ClientId);
         Assert.True(descriptor.Confidential);
@@ -65,13 +65,13 @@ public class StandardClientProvisioningStoreTests
             allowedScopes: new[] { "scopeA" },
             tenant: " Tenant-Alpha " );
 
-        await provisioning.CreateOrUpdateAsync(registration, CancellationToken.None);
+        await provisioning.CreateOrUpdateAsync(registration, TestContext.Current.CancellationToken);
 
         Assert.True(store.Documents.TryGetValue("tenant-client", out var document));
         Assert.NotNull(document);
         Assert.Equal("tenant-alpha", document!.Properties[AuthorityClientMetadataKeys.Tenant]);
 
-        var descriptor = await provisioning.FindByClientIdAsync("tenant-client", CancellationToken.None);
+        var descriptor = await provisioning.FindByClientIdAsync("tenant-client", TestContext.Current.CancellationToken);
         Assert.NotNull(descriptor);
         Assert.Equal("tenant-alpha", descriptor!.Tenant);
     }
@@ -92,14 +92,14 @@ public class StandardClientProvisioningStoreTests
             allowedScopes: new[] { "signer.sign" },
             allowedAudiences: new[] { "attestor", "signer" });
 
-        var result = await provisioning.CreateOrUpdateAsync(registration, CancellationToken.None);
+        var result = await provisioning.CreateOrUpdateAsync(registration, TestContext.Current.CancellationToken);
 
         Assert.True(result.Succeeded);
         Assert.True(store.Documents.TryGetValue("signer", out var document));
         Assert.NotNull(document);
         Assert.Equal("attestor signer", document!.Properties[AuthorityClientMetadataKeys.Audiences]);
 
-        var descriptor = await provisioning.FindByClientIdAsync("signer", CancellationToken.None);
+        var descriptor = await provisioning.FindByClientIdAsync("signer", TestContext.Current.CancellationToken);
         Assert.NotNull(descriptor);
         Assert.Equal(new[] { "attestor", "signer" }, descriptor!.AllowedAudiences.OrderBy(value => value, StringComparer.Ordinal));
     }
@@ -132,7 +132,7 @@ public class StandardClientProvisioningStoreTests
             allowedAudiences: new[] { "signer" },
             certificateBindings: new[] { bindingRegistration });
 
-        await provisioning.CreateOrUpdateAsync(registration, CancellationToken.None);
+        await provisioning.CreateOrUpdateAsync(registration, TestContext.Current.CancellationToken);
 
         Assert.True(store.Documents.TryGetValue("mtls-client", out var document));
         Assert.NotNull(document);
@@ -164,9 +164,9 @@ public class StandardClientProvisioningStoreTests
             allowedGrantTypes: new[] { "client_credentials" },
             allowedScopes: new[] { "scopeA" });
 
-        await provisioning.CreateOrUpdateAsync(registration, CancellationToken.None);
+        await provisioning.CreateOrUpdateAsync(registration, TestContext.Current.CancellationToken);
 
-        var result = await provisioning.DeleteAsync("delete-me", CancellationToken.None);
+        var result = await provisioning.DeleteAsync("delete-me", TestContext.Current.CancellationToken);
 
         Assert.True(result.Succeeded);
         Assert.False(store.Documents.ContainsKey("delete-me"));

src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard.Tests/StandardIdentityProviderPluginTests.cs

@@ -58,7 +58,7 @@ public class StandardIdentityProviderPluginTests
             new StandardClaimsEnricher(),
             NullLogger<StandardIdentityProviderPlugin>.Instance);
 
-        var health = await plugin.CheckHealthAsync(CancellationToken.None);
+        var health = await plugin.CheckHealthAsync(TestContext.Current.CancellationToken);
 
         Assert.Equal(AuthorityPluginHealthStatus.Healthy, health.Status);
     }

src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard.Tests/StandardPluginBootstrapperTests.cs

@@ -67,7 +67,7 @@ public class StandardPluginBootstrapperTests
         using var provider = services.BuildServiceProvider();
         var bootstrapper = provider.GetRequiredService<StandardPluginBootstrapper>();
 
-        var exception = await Record.ExceptionAsync(() => bootstrapper.StartAsync(CancellationToken.None));
+        var exception = await Record.ExceptionAsync(() => bootstrapper.StartAsync(TestContext.Current.CancellationToken));
 
         Assert.Null(exception);
     }

src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard.Tests/StandardUserCredentialStoreTests.cs

@@ -228,6 +228,7 @@ public class StandardUserCredentialStoreTests : IAsyncLifetime
 
         var updated = await store.UpsertUserAsync(update, CancellationToken.None);
         Assert.True(updated.Succeeded);
+        Assert.NotNull(updated.Value);
         Assert.Contains("editor", updated.Value.Roles);
         Assert.Contains("admin", updated.Value.Roles);
         Assert.Equal("us", updated.Value.Attributes["region"]);
@@ -250,6 +251,7 @@ public class StandardUserCredentialStoreTests : IAsyncLifetime
 
         var created = await store.UpsertUserAsync(registration, CancellationToken.None);
         Assert.True(created.Succeeded);
+        Assert.NotNull(created.Value);
 
         var found = await store.FindBySubjectAsync(created.Value.SubjectId, CancellationToken.None);
         Assert.NotNull(found);

src/Authority/StellaOps.Authority/StellaOps.Authority.Tests/AdvisoryAi/AdvisoryAiRemoteInferenceEndpointTests.cs

@@ -115,7 +115,7 @@ public sealed class AdvisoryAiRemoteInferenceEndpointTests : IClassFixture<Autho
         var expectedHash = ComputeSha256(payload.Prompt);
         Assert.Equal(expectedHash, body["prompt_hash"]);
 
-        var doc = Assert.Single(lastLoginAttemptStore!.Records.Where(record => record.EventType == "authority.advisory_ai.remote_inference"));
+        var doc = Assert.Single(lastLoginAttemptStore!.Records, record => record.EventType == "authority.advisory_ai.remote_inference");
         Assert.Equal("authority.advisory_ai.remote_inference", doc.EventType);
         var properties = doc.Properties.ToDictionary(p => p.Name, p => p.Value);
         Assert.Equal(expectedHash, properties["advisory_ai.prompt.hash"]);

src/Authority/StellaOps.Authority/StellaOps.Authority.Tests/Audit/AuthorityAuditSinkTests.cs

@@ -77,7 +77,7 @@ public class AuthorityAuditSinkTests
         Assert.Equal(record.OccurredAt, document.OccurredAt);
         Assert.Equal(new[] { "openid", "profile" }, document.Scopes);
 
-        var pluginProperty = Assert.Single(document.Properties.Where(property => property.Name == "plugin.failed_attempts"));
+        var pluginProperty = Assert.Single(document.Properties, property => property.Name == "plugin.failed_attempts");
         Assert.Equal("0", pluginProperty.Value);
         Assert.Equal("none", pluginProperty.Classification);
 

src/Authority/StellaOps.Authority/StellaOps.Authority.Tests/OpenIddict/ClientCredentialsAndTokenHandlersTests.cs

@@ -2926,9 +2926,9 @@ public class ClientCredentialsHandlersTests
         Assert.False(validateContext.IsRejected);
         Assert.False(validateContext.Transaction.Properties.ContainsKey(AuthorityOpenIddictConstants.SenderConstraintProperty));
 
-        var bypassEvent = Assert.Single(auditSink.Events.Where(record => record.EventType == "authority.dpop.proof.bypass"));
+        var bypassEvent = Assert.Single(auditSink.Events, record => record.EventType == "authority.dpop.proof.bypass");
         Assert.Equal(AuthEventOutcome.Success, bypassEvent.Outcome);
-        var reasonProperty = Assert.Single(bypassEvent.Properties.Where(property => property.Name == "dpop.reason_code"));
+        var reasonProperty = Assert.Single(bypassEvent.Properties, property => property.Name == "dpop.reason_code");
         Assert.Equal("bypass", reasonProperty.Value.Value);
     }
 
@@ -3387,7 +3387,7 @@ public class ClientCredentialsHandlersTests
         var grantEvent = authSink.Events.LastOrDefault(evt => evt.EventType == "authority.client_credentials.grant");
         Assert.NotNull(grantEvent);
 
-        var serviceProperty = Assert.Single(grantEvent!.Properties.Where(prop => prop.Name == "delegation.service_account"));
+        var serviceProperty = Assert.Single(grantEvent!.Properties, prop => prop.Name == "delegation.service_account");
         Assert.Equal(serviceAccount.AccountId, serviceProperty.Value.Value);
 
         var actorPropertyValues = grantEvent.Properties

src/Authority/__Tests/StellaOps.Authority.ConfigDiff.Tests/AuthorityConfigDiffTests.cs

@@ -22,6 +22,9 @@ namespace StellaOps.Authority.ConfigDiff.Tests;
 [Trait("BlastRadius", TestCategories.BlastRadius.Auth)]
 public class AuthorityConfigDiffTests : ConfigDiffTestBase
 {
+    private static readonly DateTimeOffset SnapshotTimestamp =
+        new DateTimeOffset(2025, 1, 1, 0, 0, 0, TimeSpan.Zero);
+
     /// <summary>
     /// Initializes a new instance of the <see cref="AuthorityConfigDiffTests"/> class.
     /// </summary>
@@ -61,7 +64,8 @@ public class AuthorityConfigDiffTests : ConfigDiffTestBase
                 async config => await GetSessionBehaviorAsync(config),
                 async config => await GetRefreshBehaviorAsync(config),
                 async config => await GetAuthenticationBehaviorAsync(config)
-            ]);
+            ],
+            ct: TestContext.Current.CancellationToken);
 
         // Assert
         result.IsSuccess.Should().BeTrue(
@@ -93,7 +97,8 @@ public class AuthorityConfigDiffTests : ConfigDiffTestBase
             changedConfig,
             getBehavior: async config => await CaptureSessionBehaviorAsync(config),
             computeDelta: ComputeBehaviorSnapshotDelta,
-            expectedDelta: expectedDelta);
+            expectedDelta: expectedDelta,
+            ct: TestContext.Current.CancellationToken);
 
         // Assert
         result.IsSuccess.Should().BeTrue(
@@ -119,7 +124,8 @@ public class AuthorityConfigDiffTests : ConfigDiffTestBase
             [
                 async config => await GetSessionBehaviorAsync(config),
                 async config => await GetPasswordPolicyBehaviorAsync(config)
-            ]);
+            ],
+            ct: TestContext.Current.CancellationToken);
 
         // Assert
         result.IsSuccess.Should().BeTrue(
@@ -151,7 +157,8 @@ public class AuthorityConfigDiffTests : ConfigDiffTestBase
             changedConfig,
             getBehavior: async config => await CapturePasswordPolicyBehaviorAsync(config),
             computeDelta: ComputeBehaviorSnapshotDelta,
-            expectedDelta: expectedDelta);
+            expectedDelta: expectedDelta,
+            ct: TestContext.Current.CancellationToken);
 
         // Assert
         result.IsSuccess.Should().BeTrue();
@@ -176,7 +183,8 @@ public class AuthorityConfigDiffTests : ConfigDiffTestBase
             [
                 async config => await GetTokenBehaviorAsync(config),
                 async config => await GetSessionBehaviorAsync(config)
-            ]);
+            ],
+            ct: TestContext.Current.CancellationToken);
 
         // Assert
         result.IsSuccess.Should().BeTrue(
@@ -216,11 +224,11 @@ public class AuthorityConfigDiffTests : ConfigDiffTestBase
             ConfigurationId: $"sessions-{config.MaxConcurrentSessions}",
             Behaviors:
             [
-                new CapturedBehavior("SessionLimit", config.MaxConcurrentSessions.ToString(), DateTimeOffset.UtcNow),
+                new CapturedBehavior("SessionLimit", config.MaxConcurrentSessions.ToString(), SnapshotTimestamp),
                 new CapturedBehavior("ConcurrencyPolicy",
-                    config.MaxConcurrentSessions > 5 ? "permissive" : "restrictive", DateTimeOffset.UtcNow)
+                    config.MaxConcurrentSessions > 5 ? "permissive" : "restrictive", SnapshotTimestamp)
             ],
-            CapturedAt: DateTimeOffset.UtcNow);
+            CapturedAt: SnapshotTimestamp);
 
         return Task.FromResult(snapshot);
     }
@@ -232,11 +240,11 @@ public class AuthorityConfigDiffTests : ConfigDiffTestBase
             Behaviors:
             [
                 new CapturedBehavior("PasswordComplexity",
-                    config.MinPasswordLength >= 12 ? "enhanced" : "standard", DateTimeOffset.UtcNow),
+                    config.MinPasswordLength >= 12 ? "enhanced" : "standard", SnapshotTimestamp),
                 new CapturedBehavior("ValidationRejectionRate",
-                    config.MinPasswordLength >= 12 ? "increase" : "standard", DateTimeOffset.UtcNow)
+                    config.MinPasswordLength >= 12 ? "increase" : "standard", SnapshotTimestamp)
             ],
-            CapturedAt: DateTimeOffset.UtcNow);
+            CapturedAt: SnapshotTimestamp);
 
         return Task.FromResult(snapshot);
     }

src/Authority/__Tests/StellaOps.Authority.Persistence.Tests/AuthorityPostgresFixture.cs

@@ -33,7 +33,7 @@ public sealed class AuthorityPostgresFixture : PostgresIntegrationFixture, IColl
     public PostgresOptions CreateOptions()
     {
         var options = Fixture.CreateOptions();
-        options.SchemaName = SchemaName;
+        options.SchemaName = AuthorityDataSource.DefaultSchemaName;
         options.MaxPoolSize = 10;
         options.MinPoolSize = 0;
         return options;

src/Authority/__Tests/StellaOps.Authority.Persistence.Tests/VerdictManifestStoreTests.cs

@@ -1,5 +1,4 @@
 using System.Collections.Immutable;
-using System.Threading;
 using FluentAssertions;
 using Microsoft.Extensions.Logging.Abstractions;
 using Microsoft.Extensions.Options;
@@ -7,6 +6,7 @@ using Npgsql;
 using StellaOps.Authority.Core.Verdicts;
 using StellaOps.Authority.Persistence.Postgres;
 using StellaOps.TestKit;
+using System.Text.Json;
 using Xunit;
 
 namespace StellaOps.Authority.Persistence.Tests;
@@ -37,7 +37,7 @@ public sealed class VerdictManifestStoreTests : IAsyncLifetime
     [Fact]
     public async Task StoreAndGetById_RoundTripsManifest()
     {
-        var evaluatedAt = DateTimeOffset.Parse("2025-01-15T10:00:00Z");
+        var evaluatedAt = new DateTimeOffset(2025, 1, 15, 10, 0, 0, TimeSpan.Zero);
         var manifest = CreateManifest("tenant-1", "manifest-001", evaluatedAt, VexStatus.NotAffected);
 
         await _store.StoreAsync(manifest);
@@ -58,12 +58,15 @@ public sealed class VerdictManifestStoreTests : IAsyncLifetime
     [Fact]
     public async Task StoreAsync_WritesStringEnumJson()
     {
-        var evaluatedAt = DateTimeOffset.Parse("2025-01-15T11:00:00Z");
+        var evaluatedAt = new DateTimeOffset(2025, 1, 15, 11, 0, 0, TimeSpan.Zero);
         var manifest = CreateManifest("tenant-2", "manifest-002", evaluatedAt, VexStatus.UnderInvestigation);
 
         await _store.StoreAsync(manifest);
 
-        await using var conn = await _dataSource.OpenConnectionAsync(manifest.Tenant, "reader", CancellationToken.None);
+        await using var conn = await _dataSource.OpenConnectionAsync(
+            manifest.Tenant,
+            "reader",
+            TestContext.Current.CancellationToken);
         await using var cmd = new NpgsqlCommand("""
             SELECT result_json::text
             FROM verdict_manifests
@@ -77,7 +80,8 @@ public sealed class VerdictManifestStoreTests : IAsyncLifetime
 
         var json = (string?)await cmd.ExecuteScalarAsync();
         json.Should().NotBeNull();
-        json.Should().Contain("\"status\":\"under_investigation\"");
+        using var document = JsonDocument.Parse(json!);
+        document.RootElement.GetProperty("status").GetString().Should().Be("under_investigation");
     }
 
     private static VerdictManifest CreateManifest(string tenant, string manifestId, DateTimeOffset evaluatedAt, VexStatus status)

src/Cli/__Tests/StellaOps.Cli.Tests/Commands/CommandHandlersTests.cs

@@ -223,7 +223,7 @@ public sealed class CommandHandlersTests
             Assert.Equal("scan-missing", backend.LastEntryTraceScanId);
             Assert.Contains("No EntryTrace data", output.Combined, StringComparison.OrdinalIgnoreCase);
 
-            var warning = Assert.Single(loggerProvider.Entries.Where(entry => entry.Level == LogLevel.Warning));
+            var warning = Assert.Single(loggerProvider.Entries, entry => entry.Level == LogLevel.Warning);
             Assert.Contains("No EntryTrace data", warning.Message, StringComparison.OrdinalIgnoreCase);
         }
         finally

src/Concelier/__Analyzers/StellaOps.Concelier.Analyzers/AnalyzerReleases.Unshipped.md

@@ -1,5 +1,7 @@
-## Release History
+; Unshipped analyzer releases
 
-### Unreleased
+### New Rules
 
-- CONCELIER0004: Flag direct `new HttpClient()` usage inside `StellaOps.Concelier.Connector*` namespaces; require sandboxed `IHttpClientFactory` to enforce allow/deny lists. Exempts test assemblies and uses symbol-based namespace matching.
+Rule ID | Category | Severity | Notes
+--------|----------|----------|------
+CONCELIER0004 | Sandbox | Warning | Flag direct `new HttpClient()` usage inside `StellaOps.Concelier.Connector*` namespaces

src/Concelier/__Analyzers/StellaOps.Concelier.Analyzers/ConnectorHttpClientSandboxAnalyzer.cs

@@ -15,7 +15,7 @@ public sealed class ConnectorHttpClientSandboxAnalyzer : DiagnosticAnalyzer
     private static readonly DiagnosticDescriptor Rule = new(
         id: DiagnosticId,
         title: "Connector HTTP clients must use sandboxed factory",
-        messageFormat: "Use IHttpClientFactory or connector sandbox helpers instead of 'new HttpClient()' inside Concelier connectors.",
+        messageFormat: "Use IHttpClientFactory or connector sandbox helpers instead of 'new HttpClient()' inside Concelier connectors",
         category: "Sandbox",
         defaultSeverity: DiagnosticSeverity.Warning,
         isEnabledByDefault: true,
@@ -73,7 +73,7 @@ public sealed class ConnectorHttpClientSandboxAnalyzer : DiagnosticAnalyzer
             return false;
         }
 
-        return assemblyName.EndsWith(".Tests", StringComparison.OrdinalIgnoreCase)
+        return assemblyName!.EndsWith(".Tests", StringComparison.OrdinalIgnoreCase)
                || assemblyName.EndsWith(".Test", StringComparison.OrdinalIgnoreCase)
                || assemblyName.EndsWith(".Testing", StringComparison.OrdinalIgnoreCase);
     }

src/Concelier/__Analyzers/StellaOps.Concelier.Merge.Analyzers/AnalyzerReleases.Unshipped.md

@@ -1,9 +1,7 @@
-## Release History
+; Unshipped analyzer releases
 
-### Unreleased
+### New Rules
 
-#### New Rules
+Rule ID | Category | Severity | Notes
-
+--------|----------|----------|------
-Rule ID | Title | Notes
+CONCELIER0002 | Usage | Warning | Legacy merge service usage detected - flags references to `AdvisoryMergeService` and `AddMergeModule`
---------|-------|------
-CONCELIER0002 | Legacy merge service usage detected | Flags references to `AdvisoryMergeService` and `AddMergeModule`.

src/Concelier/__Connectors/StellaOps.Concelier.Connector.Astra/AstraConnector.cs

@@ -185,6 +185,11 @@ public sealed class AstraConnector : IFeedConnector
     /// </remarks>
     private async Task<string> FetchOvalDatabaseAsync(string version, CancellationToken cancellationToken)
     {
+        if (_fetchService is null || _rawDocumentStorage is null)
+        {
+            throw new InvalidOperationException("Fetch and raw document storage services are required for OVAL database fetch");
+        }
+
         var uri = _options.BuildOvalDatabaseUri(version);
 
         _logger.LogDebug("Fetching OVAL database for Astra Linux {Version} from {Uri}", version, uri);
@@ -197,18 +202,24 @@ public sealed class AstraConnector : IFeedConnector
 
         var result = await _fetchService.FetchAsync(request, cancellationToken).ConfigureAwait(false);
 
-        if (!result.IsSuccess || result.Document is null)
+        if (result is null || !result.IsSuccess || result.Document is null)
         {
             throw new InvalidOperationException($"Failed to fetch OVAL database for version {version}");
         }
 
-        if (!result.Document.PayloadId.HasValue)
+        var document = result.Document;
+
+        if (!document.PayloadId.HasValue)
         {
             throw new InvalidOperationException($"OVAL database document for version {version} has no payload");
         }
 
         // Download the raw XML content
-        var payloadBytes = await _rawDocumentStorage.DownloadAsync(result.Document.PayloadId.Value, cancellationToken).ConfigureAwait(false);
+        var payloadBytes = await _rawDocumentStorage.DownloadAsync(document.PayloadId.Value, cancellationToken).ConfigureAwait(false);
+        if (payloadBytes is null)
+        {
+            throw new InvalidOperationException($"OVAL database payload for version {version} not found");
+        }
         return System.Text.Encoding.UTF8.GetString(payloadBytes);
     }
 

src/Concelier/__Libraries/StellaOps.Concelier.Connector.Cccs/Internal/CccsHtmlParser.cs

@@ -359,7 +359,7 @@ public sealed class CccsHtmlParser
 
         var candidate = href.Trim();
         var hasAbsolute = Uri.TryCreate(candidate, UriKind.Absolute, out var absolute);
-        if (!hasAbsolute || string.Equals(absolute.Scheme, Uri.UriSchemeFile, StringComparison.OrdinalIgnoreCase))
+        if (!hasAbsolute || absolute is null || string.Equals(absolute.Scheme, Uri.UriSchemeFile, StringComparison.OrdinalIgnoreCase))
         {
             if (baseUri is null || !Uri.TryCreate(baseUri, candidate, out absolute))
             {

src/Concelier/__Libraries/StellaOps.Concelier.Connector.CertCc/CertCcConnector.cs

@@ -177,7 +177,7 @@ public sealed class CertCcConnector : IFeedConnector
                         await _documentStore.UpdateStatusAsync(result.Document.Id, DocumentStatuses.Mapped, cancellationToken).ConfigureAwait(false);
                     }
 
-                    if (!shouldProcessNotes)
+                    if (!shouldProcessNotes || result.Document is null)
                     {
                         continue;
                     }

src/Concelier/__Libraries/StellaOps.Concelier.Connector.CertCc/Internal/CertCcCursor.cs

@@ -168,7 +168,7 @@ internal sealed record CertCcCursor(
             }
 
             var bytes = binary.AsByteArray;
-            if (bytes.Length == 16)
+            if (bytes is not null && bytes.Length == 16)
             {
                 guid = new Guid(bytes);
                 return true;

src/Concelier/__Libraries/StellaOps.Concelier.Connector.Distro.Debian/DebianConnector.cs

@@ -605,7 +605,7 @@ public sealed class DebianConnector : IFeedConnector
         {
             ["advisoryId"] = dto.AdvisoryId,
             ["sourcePackage"] = dto.SourcePackage,
-            ["title"] = dto.Title,
+            ["title"] = dto.Title ?? string.Empty,
             ["description"] = dto.Description ?? string.Empty,
             ["cves"] = new DocumentArray(dto.CveIds),
             ["packages"] = packages,