Add integration tests for migration categories and execution

- Implemented MigrationCategoryTests to validate migration categorization for startup, release, seed, and data migrations.
- Added tests for edge cases, including null, empty, and whitespace migration names.
- Created StartupMigrationHostTests to verify the behavior of the migration host with real PostgreSQL instances using Testcontainers.
- Included tests for migration execution, schema creation, and handling of pending release migrations.
- Added SQL migration files for testing: creating a test table, adding a column, a release migration, and seeding data.

docs/implplan/CLI_AUTH_MIGRATION_PLAN.md

@@ -0,0 +1,143 @@
+# CLI Auth.Client Migration Plan
+
+> **Created:** 2025-12-04
+> **Status:** COMPLETED
+> **Completed:** 2025-12-04
+
+## Problem Statement
+
+The CLI services used an older `IStellaOpsTokenClient` API that no longer exists. This document outlines the migration strategy and tracks completion.
+
+## Summary of Changes
+
+### Files Created
+- `src/Cli/StellaOps.Cli/Extensions/StellaOpsTokenClientExtensions.cs` - Compatibility shim methods
+
+### Files Modified
+
+#### Service Files (Auth.Client API Migration)
+1. `OrchestratorClient.cs` - Updated scope references
+2. `VexObservationsClient.cs` - Updated to use `GetAccessTokenAsync(string)` extension, removed `IsSuccess` check
+3. `SbomerClient.cs` - Fixed `GetTokenAsync` to use `AccessToken` property
+4. `ExceptionClient.cs` - Updated token acquisition pattern
+5. `NotifyClient.cs` - Updated token acquisition pattern
+6. `ObservabilityClient.cs` - Updated token acquisition pattern
+7. `PackClient.cs` - Updated token acquisition pattern
+8. `SbomClient.cs` - Updated token acquisition pattern
+
+#### Command Handlers (Signature Fixes)
+9. `CommandHandlers.cs`:
+   - Fixed `CreateLogger<CommandHandlers>()` static type error (line 80)
+   - Fixed PolicyDsl diagnostic rendering (removed Line/Column/Suggestion, added Path)
+
+10. `CommandFactory.cs`:
+    - Fixed `HandleExceptionsListAsync` argument order and count
+    - Fixed `HandleExceptionsCreateAsync` argument order, expiration type conversion
+    - Fixed `HandleExceptionsPromoteAsync` argument order
+    - Fixed `HandleExceptionsExportAsync` argument order and count
+    - Fixed `HandleExceptionsImportAsync` argument order
+
+#### Model Updates
+11. `PolicyWorkspaceModels.cs` - Updated `PolicyDiagnostic` class (replaced Line/Column/Span/Suggestion with Path)
+
+## Old API (Removed)
+
+```csharp
+// Methods that no longer exist
+Task<StellaOpsTokenResult> GetTokenAsync(StellaOpsTokenRequest request, CancellationToken ct);
+Task<StellaOpsTokenResult> GetAccessTokenAsync(string[] scopes, CancellationToken ct);
+
+// Types that no longer exist
+class StellaOpsTokenRequest { string[] Scopes; }
+static class StellaOpsScope { const string OrchRead = "orch:read"; }
+
+// Properties removed from StellaOpsTokenResult
+bool IsSuccess;
+```
+
+## New API (Current)
+
+```csharp
+interface IStellaOpsTokenClient
+{
+    Task<StellaOpsTokenResult> RequestClientCredentialsTokenAsync(
+        string? scope = null,
+        IReadOnlyDictionary<string, string>? additionalParameters = null,
+        CancellationToken cancellationToken = default);
+
+    ValueTask<StellaOpsTokenCacheEntry?> GetCachedTokenAsync(string key, CancellationToken ct);
+    ValueTask CacheTokenAsync(string key, StellaOpsTokenCacheEntry entry, CancellationToken ct);
+}
+
+// StellaOpsTokenResult record properties:
+// - AccessToken (string)
+// - TokenType (string)
+// - ExpiresAtUtc (DateTimeOffset)
+// - Scopes (IReadOnlyList<string>)
+```
+
+## Migration Approach
+
+### Extension Methods Created
+
+```csharp
+public static class StellaOpsTokenClientExtensions
+{
+    // Single scope version
+    public static async Task<StellaOpsTokenResult> GetAccessTokenAsync(
+        this IStellaOpsTokenClient client,
+        string scope,
+        CancellationToken cancellationToken = default);
+
+    // Multi-scope version
+    public static async Task<StellaOpsTokenResult> GetAccessTokenAsync(
+        this IStellaOpsTokenClient client,
+        IEnumerable<string> scopes,
+        CancellationToken cancellationToken = default);
+
+    // Cached token version
+    public static async Task<StellaOpsTokenCacheEntry> GetCachedAccessTokenAsync(
+        this IStellaOpsTokenClient client,
+        string scope,
+        CancellationToken cancellationToken = default);
+
+    // Parameterless version
+    public static async Task<StellaOpsTokenResult> GetTokenAsync(
+        this IStellaOpsTokenClient client,
+        CancellationToken cancellationToken = default);
+}
+```
+
+### Scope Constants
+
+Used `StellaOpsScopes` from `StellaOps.Auth.Abstractions` namespace (e.g., `StellaOpsScopes.OrchRead`, `StellaOpsScopes.VexRead`).
+
+## Build Results
+
+**Build succeeded with 0 errors, 6 warnings:**
+- 3x CS8629 nullable warnings in OutputRenderer.cs
+- 1x CS0618 obsolete warning (VulnRead → VulnView)
+- 1x SYSLIB0057 obsolete X509Certificate2 constructor
+- 1x CS0219 unused variable warning
+
+## Implementation Checklist
+
+- [x] Create `StellaOpsTokenClientExtensions.cs`
+- [x] Verify `StellaOpsScopes` exists in Auth.Abstractions
+- [x] Update OrchestratorClient.cs
+- [x] Update VexObservationsClient.cs
+- [x] Update SbomerClient.cs
+- [x] Update ExceptionClient.cs
+- [x] Update NotifyClient.cs
+- [x] Update ObservabilityClient.cs
+- [x] Update PackClient.cs
+- [x] Update SbomClient.cs
+- [x] Fix CommandHandlers static type error
+- [x] Fix PolicyDsl API changes (PolicyIssue properties)
+- [x] Fix HandleExceptionsListAsync signature
+- [x] Fix HandleExceptionsCreateAsync signature
+- [x] Fix HandleExceptionsPromoteAsync signature
+- [x] Fix HandleExceptionsExportAsync signature
+- [x] Fix HandleExceptionsImportAsync signature
+- [x] Update PolicyDiagnostic model
+- [x] Build verification passed