Fix all baseline code-review findings across the six shared libraries

Resolves the 35 findings from the 2026-06-01 baseline (commit 26ba1c7),
test-first for every behavioral change. +51 tests (331 -> 382 passing, 0 failed).

- Telemetry-001 (HIGH): RedactionEnricher now honours property removal, so a
  redactor that drops a key actually scrubs the secret from the event.
- Auth: LDAP validator ValidateOnStart; API-key verify no longer fails on a
  best-effort MarkUsed write or a corrupt scopes column (fail-closed); LDAP cert
  validation hook; KeyPrefix persistence aligned; README algorithm corrected.
- Health: Akka checks return Degraded (not throw) when the cluster isn't up yet;
  GrpcDependencyHealthCheck catch-all; null 'description' rendered; composite
  endpoint builder; XML docs shipped.
- Audit: CompositeAuditWriter no longer re-throws OperationCanceledException;
  TruncatingAuditRedactor over-redact scrubs Target + safe negative max; options
  record; XML docs shipped.
- Configuration: TryAddEnumerable idempotent registration; consistent port
  quoting; strict invariant port parsing; XML docs + README packaged.
- Theme: mobile toggle is now CSS-only (no Bootstrap JS); token/CSS hygiene;
  XML docs on the public parameter surface.

Shared-contract/spec docs updated where the code was the source of truth
(observability service.instance.id, MapZbMetrics, redactor reach). All changes
additive/back-compatible at v0.1.0. code-reviews bookkeeping follows separately.

ZB.MOM.WW.Audit/src/ZB.MOM.WW.Audit/CompositeAuditWriter.cs

@@ -1,8 +1,9 @@
 namespace ZB.MOM.WW.Audit;
 
 /// <summary>Fans an event out to several writers. Best-effort: a failing writer does not stop the others.</summary>
-/// <remarks>A failing writer's exception is swallowed so the fan-out drains and the caller is never
-/// aborted — but <see cref="OperationCanceledException"/> is re-thrown so cancellation is honored.</remarks>
+/// <remarks>Every inner-writer failure is swallowed — including <see cref="OperationCanceledException"/>
+/// — so the fan-out drains and the caller is never aborted, honoring the <see cref="IAuditWriter"/>
+/// "must not throw to the caller" contract even when a request-scoped cancellation token is passed.</remarks>
 public sealed class CompositeAuditWriter : IAuditWriter
 {
     private readonly IReadOnlyList<IAuditWriter> _inner;
@@ -21,8 +22,7 @@ public sealed class CompositeAuditWriter : IAuditWriter
         foreach (var writer in _inner)
         {
             try { await writer.WriteAsync(evt, ct).ConfigureAwait(false); }
-            catch (OperationCanceledException) { throw; } // honor cancellation; do not swallow
-            catch { /* best-effort seam: a failing writer must not stop the others or the caller */ }
+            catch { /* best-effort seam: a failing writer (incl. cancellation) must not stop the others or the caller */ }
         }
     }
 }

ZB.MOM.WW.Audit/src/ZB.MOM.WW.Audit/TruncatingAuditRedactor.cs

@@ -2,8 +2,9 @@ namespace ZB.MOM.WW.Audit;
 
 /// <summary>
 /// Redactor that caps oversized <see cref="AuditEvent.DetailsJson"/> and <see cref="AuditEvent.Target"/>.
-/// Never throws — over-redacts (drops DetailsJson) on internal failure. The secret-field policy
-/// (which fields are sensitive) stays per-project; compose this with a project redactor as needed.
+/// Never throws — over-redacts (drops both DetailsJson and Target) on internal failure. The
+/// secret-field policy (which fields are sensitive) stays per-project; compose this with a project
+/// redactor as needed.
 /// </summary>
 public sealed class TruncatingAuditRedactor : IAuditRedactor
 {
@@ -26,13 +27,15 @@ public sealed class TruncatingAuditRedactor : IAuditRedactor
         }
         catch
         {
-            // Hard contract: never throw. Over-redact on internal failure.
-            return rawEvent with { DetailsJson = null };
+            // Hard contract: never throw, and over-redact to a STRICTLY safer event on internal
+            // failure — scrub every field this redactor owns (both DetailsJson and Target).
+            return rawEvent with { DetailsJson = null, Target = null };
         }
     }
 
     private string? Truncate(string? value, int max)
     {
+        if (max < 0) max = 0; // clamp nonsensical negative caps so a config bug fails safe, not throws
         if (value is null || value.Length <= max) return value;
         var marker = _options.TruncationMarker;
         if (marker.Length >= max) return marker[..max];

ZB.MOM.WW.Audit/src/ZB.MOM.WW.Audit/TruncatingAuditRedactorOptions.cs

@@ -1,12 +1,12 @@
 namespace ZB.MOM.WW.Audit;
 
-/// <summary>Caps for <see cref="TruncatingAuditRedactor"/>.</summary>
-public sealed class TruncatingAuditRedactorOptions
+/// <summary>Immutable caps for <see cref="TruncatingAuditRedactor"/>.</summary>
+public sealed record TruncatingAuditRedactorOptions
 {
     /// <summary>Max length of <see cref="AuditEvent.DetailsJson"/> before truncation. Default 4096.</summary>
-    public int MaxDetailsJsonLength { get; set; } = 4096;
+    public int MaxDetailsJsonLength { get; init; } = 4096;
     /// <summary>Max length of <see cref="AuditEvent.Target"/> before truncation. Default 512.</summary>
-    public int MaxTargetLength { get; set; } = 512;
+    public int MaxTargetLength { get; init; } = 512;
     /// <summary>Marker appended to a truncated value. Default "…[truncated]".</summary>
-    public string TruncationMarker { get; set; } = "…[truncated]";
+    public string TruncationMarker { get; init; } = "…[truncated]";
 }

ZB.MOM.WW.Audit/src/ZB.MOM.WW.Audit/ZB.MOM.WW.Audit.csproj

@@ -3,6 +3,8 @@
     <TargetFramework>net10.0</TargetFramework>
     <ImplicitUsings>enable</ImplicitUsings>
     <Nullable>enable</Nullable>
+    <!-- Emit and pack XML docs so consumers get IntelliSense/tooltip documentation. -->
+    <GenerateDocumentationFile>true</GenerateDocumentationFile>
   </PropertyGroup>
   <PropertyGroup>
     <IsPackable>true</IsPackable>

ZB.MOM.WW.Audit/tests/ZB.MOM.WW.Audit.Tests/CompositeAuditWriterTests.cs

@@ -38,11 +38,32 @@ public class CompositeAuditWriterTests
     }
 
     [Fact]
-    public async Task Cancellation_is_propagated_not_swallowed()
+    public async Task Cancellation_does_not_surface_to_the_caller()
     {
-        // OperationCanceledException is re-thrown (unlike ordinary writer failures, which are swallowed).
+        // Per the IAuditWriter hard contract ("must not throw to the caller"), an
+        // OperationCanceledException from an inner writer is swallowed like any other failure —
+        // it must NOT abort the user-facing action that produced the event.
         var after = new RecordingWriter();
         var sut = new CompositeAuditWriter(new IAuditWriter[] { new CancellingWriter(), after });
-        await Assert.ThrowsAsync<OperationCanceledException>(() => sut.WriteAsync(Evt()));
+        await sut.WriteAsync(Evt()); // must not throw
+        Assert.Equal(1, after.Count); // drain continues past the cancelled writer
+    }
+
+    [Fact]
+    public async Task Empty_writer_list_is_a_no_op()
+    {
+        var sut = new CompositeAuditWriter(Array.Empty<IAuditWriter>());
+        await sut.WriteAsync(Evt()); // must not throw
+    }
+
+    [Fact]
+    public async Task Null_writer_entry_is_swallowed_and_does_not_stop_the_others()
+    {
+        // A null inner writer faults the await; the best-effort seam swallows it (like any
+        // other writer failure) and continues draining the remaining writers.
+        var after = new RecordingWriter();
+        var sut = new CompositeAuditWriter(new IAuditWriter?[] { null, after }!);
+        await sut.WriteAsync(Evt()); // must not throw
+        Assert.Equal(1, after.Count);
     }
 }

ZB.MOM.WW.Audit/tests/ZB.MOM.WW.Audit.Tests/TruncatingAuditRedactorTests.cs

@@ -53,4 +53,30 @@ public class TruncatingAuditRedactorTests
         var result = r.Apply(Evt(new string('x', 20)));
         Assert.Equal(3, result.DetailsJson!.Length);
     }
+
+    [Fact]
+    public void Negative_max_is_treated_as_zero_and_does_not_throw()
+    {
+        // A negative cap is nonsensical misconfiguration. Truncate must clamp to 0 rather than
+        // throw, capping the value to the empty string (plus marker handling).
+        var opts = new TruncatingAuditRedactorOptions { MaxDetailsJsonLength = -5, MaxTargetLength = -1, TruncationMarker = "" };
+        var r = new TruncatingAuditRedactor(opts);
+        var result = r.Apply(Evt(new string('x', 20), target: new string('y', 20)));
+        Assert.Equal(string.Empty, result.DetailsJson);
+        Assert.Equal(string.Empty, result.Target);
+    }
+
+    [Fact]
+    public void Over_redact_fallback_scrubs_both_details_and_target_without_throwing()
+    {
+        // Drive the REAL TruncatingAuditRedactor.Apply into its catch branch via a reachable
+        // misconfiguration (a null TruncationMarker faults inside Truncate). The over-redact
+        // fallback must be strictly safer: BOTH DetailsJson AND Target scrubbed to null, no throw.
+        var opts = new TruncatingAuditRedactorOptions { MaxDetailsJsonLength = 5, TruncationMarker = null! };
+        var r = new TruncatingAuditRedactor(opts);
+        var raw = Evt(new string('x', 50), target: "sensitive target");
+        var result = r.Apply(raw);
+        Assert.Null(result.DetailsJson);
+        Assert.Null(result.Target);
+    }
 }