Fix all baseline code-review findings across the six shared libraries

Resolves the 35 findings from the 2026-06-01 baseline (commit 26ba1c7),
test-first for every behavioral change. +51 tests (331 -> 382 passing, 0 failed).

- Telemetry-001 (HIGH): RedactionEnricher now honours property removal, so a
  redactor that drops a key actually scrubs the secret from the event.
- Auth: LDAP validator ValidateOnStart; API-key verify no longer fails on a
  best-effort MarkUsed write or a corrupt scopes column (fail-closed); LDAP cert
  validation hook; KeyPrefix persistence aligned; README algorithm corrected.
- Health: Akka checks return Degraded (not throw) when the cluster isn't up yet;
  GrpcDependencyHealthCheck catch-all; null 'description' rendered; composite
  endpoint builder; XML docs shipped.
- Audit: CompositeAuditWriter no longer re-throws OperationCanceledException;
  TruncatingAuditRedactor over-redact scrubs Target + safe negative max; options
  record; XML docs shipped.
- Configuration: TryAddEnumerable idempotent registration; consistent port
  quoting; strict invariant port parsing; XML docs + README packaged.
- Theme: mobile toggle is now CSS-only (no Bootstrap JS); token/CSS hygiene;
  XML docs on the public parameter surface.

Shared-contract/spec docs updated where the code was the source of truth
(observability service.instance.id, MapZbMetrics, redactor reach). All changes
additive/back-compatible at v0.1.0. code-reviews bookkeeping follows separately.

ZB.MOM.WW.Telemetry/src/ZB.MOM.WW.Telemetry.Serilog/ILogRedactor.cs

@@ -11,6 +11,20 @@ public interface ILogRedactor
     /// <summary>
     /// Inspects and mutates the supplied log-event <paramref name="properties"/> in place — remove
     /// or replace any sensitive values. Called on every log event before it reaches any sink.
+    /// Both removing a key (the property is dropped from the event) and replacing its value are
+    /// honoured by <see cref="RedactionEnricher"/>.
+    /// <para>
+    /// <b>Reach — scalar top-level properties only.</b> Each entry's value is the unwrapped scalar
+    /// of a Serilog <c>ScalarValue</c> property (so simple string/number/etc. properties such as
+    /// <c>{apiKey}</c> can be read and masked directly). <b>Destructured / structured properties are
+    /// not unwrapped:</b> a <c>{@Object}</c> property arrives as the raw Serilog
+    /// <c>StructureValue</c> wrapper (and a sequence/dictionary as <c>SequenceValue</c>/
+    /// <c>DictionaryValue</c>). A redactor can therefore replace or remove the <i>whole</i>
+    /// top-level property, but it cannot reach a field <i>nested inside</i> a destructured object to
+    /// mask it selectively. To protect a sensitive field of a logged object, do not destructure it
+    /// (log the field as its own scalar property), or remove/replace the entire structured property
+    /// by key.
+    /// </para>
     /// </summary>
     /// <param name="properties">The mutable property dictionary for the current log event.</param>
     void Redact(IDictionary<string, object?> properties);

ZB.MOM.WW.Telemetry/src/ZB.MOM.WW.Telemetry.Serilog/RedactionEnricher.cs

@@ -30,8 +30,18 @@ public sealed class RedactionEnricher : ILogEventEnricher
     }
 
     /// <summary>
-    /// Hands the log event's scalar properties to the registered <see cref="ILogRedactor"/> and
-    /// writes back any values the redactor changed. No-op when no redactor is registered.
+    /// Hands the log event's properties to the registered <see cref="ILogRedactor"/> and reconciles
+    /// the result back onto the event: values the redactor changed are rewritten via
+    /// <c>AddOrUpdateProperty</c>, and keys the redactor removed are deleted via
+    /// <c>RemovePropertyIfPresent</c>. No-op when no redactor is registered or the event carries no
+    /// properties.
+    /// <para>
+    /// The redactor sees the unwrapped value of each <see cref="ScalarValue"/> property; structured
+    /// values (<see cref="StructureValue"/> from <c>{@Object}</c>, <see cref="SequenceValue"/>,
+    /// <see cref="DictionaryValue"/>) are passed through as their raw Serilog wrapper. A redactor can
+    /// therefore replace or remove a whole structured top-level property, but cannot reach a field
+    /// nested inside one — see <see cref="ILogRedactor"/> for the seam's documented reach.
+    /// </para>
     /// </summary>
     /// <param name="logEvent">The log event to redact.</param>
     /// <param name="propertyFactory">Factory used to materialize replacement properties.</param>
@@ -46,6 +56,12 @@ public sealed class RedactionEnricher : ILogEventEnricher
             return;
         }
 
+        // Hot path: an event with no properties has nothing to redact — skip the snapshot copy.
+        if (logEvent.Properties.Count == 0)
+        {
+            return;
+        }
+
         var snapshot = new Dictionary<string, object?>(logEvent.Properties.Count);
         foreach (var property in logEvent.Properties)
         {
@@ -54,6 +70,10 @@ public sealed class RedactionEnricher : ILogEventEnricher
                 : property.Value;
         }
 
+        // Capture the original key set so we can honour deletions: any key the redactor drops from
+        // the snapshot must be removed from the event (not silently retained).
+        var originalKeys = new HashSet<string>(snapshot.Keys, StringComparer.Ordinal);
+
         redactor.Redact(snapshot);
 
         foreach (var entry in snapshot)
@@ -64,6 +84,16 @@ public sealed class RedactionEnricher : ILogEventEnricher
                     propertyFactory.CreateProperty(entry.Key, entry.Value));
             }
         }
+
+        // Reconcile removals: a redactor that deleted a key from the snapshot (e.g.
+        // properties.Remove("apiKey")) means that property must not reach any sink.
+        foreach (var key in originalKeys)
+        {
+            if (!snapshot.ContainsKey(key))
+            {
+                logEvent.RemovePropertyIfPresent(key);
+            }
+        }
     }
 
     private ILogRedactor? ResolveRedactor() => _redactor.Value;

ZB.MOM.WW.Telemetry/src/ZB.MOM.WW.Telemetry.Serilog/ZbSerilogConfig.cs

@@ -115,38 +115,13 @@ internal static class ZbSerilogConfig
     }
 
     /// <summary>
-    /// Builds the OTLP Resource-attribute map mirroring <c>ZbResource</c>. Null/empty optional
-    /// attributes are omitted, matching the shared Resource's omission rules. The
-    /// <c>service.instance.id</c> is sourced from <see cref="ZbResource.InstanceId"/> — the
-    /// same deterministic <c>MachineName:ProcessId</c> value used by the OTel SDK path — so
-    /// all three signals carry an identical instance identifier. Internal so it can be asserted
-    /// by the test assembly without being part of the public NuGet API.
+    /// Builds the OTLP log-sink Resource-attribute map. This is <em>not</em> a parallel
+    /// implementation: it is derived directly from <see cref="ZbResource.BuildAttributes"/> — the
+    /// single source of truth shared with the OTel SDK metrics/traces pipeline — so the log sink can
+    /// never drift from metrics and traces. Returned as a fresh mutable copy because the
+    /// Serilog OpenTelemetry sink takes ownership of the dictionary it is handed. Internal so it can
+    /// be asserted by the test assembly without being part of the public NuGet API.
     /// </summary>
-    internal static IDictionary<string, object> BuildResourceAttributes(ZbTelemetryOptions options)
-    {
-        var attributes = new Dictionary<string, object>
-        {
-            ["service.name"] = options.ServiceName,
-            ["service.namespace"] = options.ServiceNamespace,
-            ["service.instance.id"] = ZbResource.InstanceId,
-            ["host.name"] = Environment.MachineName,
-        };
-
-        if (!string.IsNullOrEmpty(options.ServiceVersion))
-        {
-            attributes["service.version"] = options.ServiceVersion;
-        }
-
-        if (!string.IsNullOrEmpty(options.SiteId))
-        {
-            attributes["site.id"] = options.SiteId;
-        }
-
-        if (!string.IsNullOrEmpty(options.NodeRole))
-        {
-            attributes["node.role"] = options.NodeRole;
-        }
-
-        return attributes;
-    }
+    internal static IDictionary<string, object> BuildResourceAttributes(ZbTelemetryOptions options) =>
+        new Dictionary<string, object>(ZbResource.BuildAttributes(options), StringComparer.Ordinal);
 }

ZB.MOM.WW.Telemetry/src/ZB.MOM.WW.Telemetry.Serilog/ZbSerilogExtensions.cs

@@ -65,6 +65,10 @@ public static class ZbSerilogExtensions
         var options = new ZbTelemetryOptions();
         configure(options);
 
+        // Fail fast on a malformed OTLP endpoint with a clear, named message — same validation the
+        // core AddZbTelemetry path uses — instead of a late error when the OTel log sink builds.
+        ZbTelemetryOptionsValidator.Validate(options, nameof(configure));
+
         // Register the application logger in DI only. preserveStaticLogger: true ensures
         // AddSerilog does NOT freeze or replace Log.Logger — critical for multi-host
         // processes (integration tests etc.) where AddZbSerilog may be called more than once.