Speed up CI/CD runs, scope the developer CLI, and harden workflow hygiene (#895)

### Summary & Motivation

A coordinated refresh of the CI/CD pipelines and developer CLI: faster
runs, scoped commands, better observability, and consistent workflow
conventions.

#### Test infrastructure

`BackOfficeEndpointBaseTest` and `EndpointBaseTest<TContext>` built a
fresh `WebApplicationFactory<Program>` per test instance. With
`Meziantou.Xunit.ParallelTestFramework`, every Account-API and
BackOffice test paid a full ASP.NET Core cold-start. Both bases now
share one host per test class via `IClassFixture<...>`, routing per-test
state (SqliteConnection, telemetry collector, MockStripeState,
`IEmailClient`) through `AsyncLocal`. New types:
`BackOfficeWebApplicationFactory` + `BackOfficeTestContext` (26 derived
classes) and `AccountWebApplicationFactory` + `AccountTestContext` (60
derived classes). `MockStripeState` becomes transient so per-request
resolution reads the per-test instance;
`TestServer.PreserveExecutionContext = true` keeps the AsyncLocal
flowing into request handling.

#### Single Code Style workflow

A new `code-style.yml` replaces the per-SCS code-style work in
`account.yml`, `main.yml`, `app-gateway.yml`. Four jobs:

- `detect-scope` — classifies the diff via inline `git diff`, outputs
the backend scope and format mode for the downstream jobs.
- `code-linting` — backend inspectcode + frontend build + frontend lint
(oxlint).
- `code-formatting` — backend cleanupcode + frontend format check
(oxfmt).
- `sonarcloud` — runs once per push (previously three times, once per
SCS), sequentially per slnf to keep test assemblies in separate
processes and avoid the `PortAllocation.Load()` race.

Backend lint and format are scoped to a single SCS via
`--self-contained-system <name>` when the diff touches only that SCS;
cross-cutting changes fall back to the full solution. Code coverage is
out of scope here — the dotCover path repeatedly exceeded 20 minutes
against the new IClassFixture infrastructure and is tracked separately.

#### AppGateway tests now run in CI

`AppGateway.Tests` existed in the solution but was never executed — the
slnf-scoped runs missed it, and `app-gateway.yml` had no test step. The
workflow now runs `dotnet test AppGateway.Tests/AppGateway.Tests.csproj
--no-build` with the same user-secret bootstrap the other workflows use.

#### Developer CLI: `--gateway/-g` scope flag

`build`, `test`, `format`, and `lint` accept `--gateway`/`-g` to scope
to AppGateway only (mutually exclusive with `-s`). `pp test -g` targets
`AppGateway.Tests/AppGateway.Tests.csproj`; lint/format scope JetBrains
tools to `AppGateway/**` + `AppGateway.Tests/**`. Shared logic in
`AppGatewayHelper`.

#### Faster format and lint

- `format` defaults to changed-only (`.cs` files diffed vs
`origin/main`); `--all-files` for full sweep. CI auto-flips to
`--all-files` when `application/dotnet-tools.json` changes, so JetBrains
tool upgrades catch latent drift.
- `lint --changed-only` is opt-in; CI lints full because inspectcode has
cross-file rules.
- Dropped the temp-`.slnf` workaround for `cleanupcode` — JetBrains
2026.1 accepts `.slnx` directly.

#### Workflow hygiene

- **Concurrency** on every top-level workflow with `cancel-in-progress:
true` (and `false` for reusable deploy workflows so mid-deploy
cancellations cannot leave a half-applied state).
- **Inspection results on failure**: `code-style.yml` and
`developer-cli.yml` dump `result.json` to the run console and
`$GITHUB_STEP_SUMMARY`. Replaces the brittle `grep | tee` exit-code
contract.
- Removed leftover SonarScanner steps and Java JDK setup from
`account.yml` and `main.yml` (centralized in `code-style.yml`).
- Removed stale `_preview-migrations.yml` trigger-path references (file
does not exist).
- YAML hygiene pass across all workflows: blank lines, canonical
argument order, trailing whitespace.

#### Database Plan reuses Build and Test artifacts

`build-and-test` uploads `application/**/bin` and `application/**/obj`
as a `<scs>-build` artifact (when staging is enabled).
`_migrate-database.yml` downloads it and restores NuGet, skipping the
redundant checkout + setup + build chain.

#### E2E test fix piggy-backed on this branch

Two e2e tests inherited from the recently-merged feature-flags work
failed on a default-seeded database (`feature-flag-flows.spec.ts:262`,
`user-management-flows.spec.ts:473`). Root cause: `account-overview` and
`compact-view` are registered with `isKillSwitchEnabled: true`, so the
startup reconciler creates them inactive (`EnabledAt = null`); the
configurable-flags handlers filter inactive rows out, the API returns
empty, and `FeaturesSection` / `PreferencesFeatureFlagsSection` render
`null`. The tests now activate the kill-switch flags via the back-office
activate endpoint during setup — test-only fix, no production code, no
seeder change.

#### CI benchmark

The biggest CI win comes from the **Database Staging migration-skip
gate** on `account.yml` / `main.yml` — PRs that do not change EF
migration files skip the Database Staging job entirely.

| Workflow | BEFORE | AFTER, no migrations | AFTER, with migrations | Δ
(no migrations) | Δ (with migrations) |
|---|---|---|---|---|---|
| Account                     | 9m00s   | 2m49s | 6m17s | -69% | -30% |
| Main                        | 6m41s   | 1m55s | 5m40s | -71% | -15% |
| AppGateway                  | 7m26s   | 1m26s | 1m26s | -81% | -81% |
| Code Style | - | 4m48s | 4m48s | new | new |
| **Critical path per push** | **9m00s** | **4m48s** | **6m17s** |
**-47%** | **-30%** |
| Total CI minutes per push   | 23m07s  | 15m19s | 22m34s | -34% | -2% |

AppGateway's delta is large because `code-linting` and `code-formatting`
moved out of `app-gateway.yml` into the consolidated `code-style.yml`.
On the no-migrations path the critical path now sits on `Code Style`
(parallel lint/format/sonar jobs each paying setup); sharing the backend
build artifact across them is an obvious follow-up. On the
with-migrations path the critical path stays on `account.yml`.

Downstream projects with a substantial Main SCS will see a bigger lift
than this suggests — the slowest CI step used to be backend
`cleanupcode` running on every file; it now inspects only changed `.cs`
files. Main and Account now sit close in wall-clock despite Account
having materially more code, because the npm + dotnet restore + build
setup now dominates.

#### Test-step benchmark (isolated)

Test-host refactor measured in isolation (Code Style and Database
Staging disabled; 5 samples per side):

| | Run 1 | Run 2 | Run 3 | Run 4 | Run 5 | Mean | Stddev |
|---|---|---|---|---|---|---|---|
| AFTER (BackOffice + Account shared host) | 2m18s | 2m26s | 2m21s |
2m21s | 2m21s | **2m21s** | 2.9s |
| BEFORE (per-test host, baseline) | 3m46s | 3m51s | 3m38s | 3m41s |
3m54s | **3m46s** | 6.7s |

Δ -37% on the test step alone, stddev more than halves — the runs are
markedly more stable too.

### Checklist

- [x] I have added tests, or done manual regression tests
- [x] I have updated the documentation, if necessary

Author: tjementum

.claude/skills/format/SKILL.md

@@ -6,7 +6,7 @@ description: Auto-format code via the developer CLI - backend (.NET via JetBrain
 # Format
 
 ```bash
-dotnet run --project developer-cli -- format [--backend] [--frontend] [--cli] [--self-contained-system <name>] [--no-build] --quiet
+dotnet run --project developer-cli -- format [--backend] [--frontend] [--cli] [--self-contained-system <name>] [--no-build] [--all-files] --quiet
 ```
 
 Use `developer-cli` exactly as written - do not expand to an absolute worktree path.
@@ -16,8 +16,9 @@ Use `developer-cli` exactly as written - do not expand to an absolute worktree p
 - `--cli` - the developer CLI itself
 - `--self-contained-system <name>` - narrows backend formatting to one SCS (e.g. `account`, `main`)
 - `--no-build` - skip the `dotnet tool restore` step (faster after a recent run)
+- `--all-files` - format every file in the solution. Default is to format only `.cs` files changed against `origin/main` (faster).
 
-No arguments formats everything. Unformatted code fails CI - commit all changes, never revert.
+No arguments formats everything (changed-only by default). Unformatted code fails CI - commit all changes, never revert.
 
 After `build` succeeds, run `format`, `lint`, `test` in parallel with `--no-build`.
 

.claude/skills/lint/SKILL.md

@@ -6,7 +6,7 @@ description: Lint code via the developer CLI - backend (.NET via JetBrains inspe
 # Lint
 
 ```bash
-dotnet run --project developer-cli -- lint [--backend] [--frontend] [--cli] [--self-contained-system <name>] [--no-build] --quiet
+dotnet run --project developer-cli -- lint [--backend] [--frontend] [--cli] [--self-contained-system <name>] [--no-build] [--changed-only] --quiet
 ```
 
 Use `developer-cli` exactly as written - do not expand to an absolute worktree path.
@@ -16,18 +16,28 @@ Use `developer-cli` exactly as written - do not expand to an absolute worktree p
 - `--cli` - the developer CLI itself
 - `--self-contained-system <name>` - narrows backend linting to one SCS (e.g. `account`, `main`)
 - `--no-build` - skip the rebuild step (faster after a recent build)
+- `--changed-only` - lint only `.cs` files changed against `origin/main` (much faster; see guidance below)
 
-No arguments lints everything. Every finding fails CI regardless of severity - fix all of them.
+No arguments lints the whole solution. Every finding fails CI regardless of severity - fix all of them.
 
 After `build` succeeds, run `format`, `lint`, `test` in parallel with `--no-build`. Backend lint is slow - run last. Frontend lint often needs code rewrites - run after each bigger change.
 
+## When to use `--changed-only`
+
+Inspectcode has cross-file rules ("unused public method", "member can be private", flow analysis across method calls). `--changed-only` only inspects the listed files - it doesn't catch issues in untouched files that became invalid because of edits elsewhere.
+
+- **Routine work:** use `--changed-only`. Most lint findings are local (style, naming, hints) and the saving is large (~4m → ~30s).
+- **Larger changes that affect other files** (refactoring a public API, deleting a method's only caller, changing a widely-used type): omit `--changed-only` and lint the full solution.
+
+CI always lints the full solution, so anything missed by a local `--changed-only` run gets caught before merge.
+
 ## Examples
 
 ```bash
-dotnet run --project developer-cli -- lint --quiet                                          # everything
-dotnet run --project developer-cli -- lint --backend --quiet                                # all backend
-dotnet run --project developer-cli -- lint --frontend --quiet                               # frontend
-dotnet run --project developer-cli -- lint --backend --self-contained-system main --quiet   # one SCS
+dotnet run --project developer-cli -- lint --quiet                                                # everything (full solution)
+dotnet run --project developer-cli -- lint --backend --changed-only --quiet                       # backend, changed files only (recommended for routine work)
+dotnet run --project developer-cli -- lint --frontend --quiet                                     # frontend
+dotnet run --project developer-cli -- lint --backend --self-contained-system main --quiet         # one SCS, full
 ```
 
 ## Always pass --quiet

.github/workflows/_deploy-container.yml

@@ -38,6 +38,10 @@ on:
         required: true
         type: string
 
+concurrency:
+  group: ${{ inputs.image_name }}-${{ inputs.azure_environment }}-deploy
+  cancel-in-progress: false
+
 jobs:
   deploy:
     name: Deploy

.github/workflows/_deploy-infrastructure.yml

@@ -49,6 +49,10 @@ on:
         type: string
         default: "-"
 
+concurrency:
+  group: ${{ inputs.unique_prefix }}-${{ inputs.azure_environment }}-infrastructure
+  cancel-in-progress: false
+
 jobs:
   plan:
     name: Plan
@@ -67,6 +71,7 @@ jobs:
             should_deploy="false"
           fi
           echo "should_deploy=$should_deploy" >> $GITHUB_OUTPUT
+
       - name: Checkout Code
         uses: actions/checkout@v6
 

.github/workflows/_migrate-database.yml

@@ -32,6 +32,10 @@ on:
       apply_migrations:
         required: true
         type: boolean
+      build_artifact_name:
+        description: "Name of the artifact uploaded by the caller's build-and-test job that contains application/**/bin and application/**/obj"
+        required: true
+        type: string
 
     outputs:
       has_migrations_to_apply:
@@ -68,9 +72,18 @@ jobs:
         working-directory: application
         run: dotnet tool restore
 
-      - name: Build Backend Solution
+      - name: Download Backend Build Artifacts
+        uses: actions/download-artifact@v8
+        with:
+          name: ${{ inputs.build_artifact_name }}
+          path: application
+
+      # The artifact carries bin/ and obj/ but not the global NuGet package cache.
+      # `dotnet ef --no-build` loads compiled assemblies that reference packages by
+      # absolute path under ~/.nuget/packages — those must exist on this runner.
+      - name: Restore .NET Dependencies
         working-directory: application
-        run: dotnet build ${{ inputs.relative_startup_project }}
+        run: dotnet restore ${{ inputs.relative_startup_project }}
 
       - name: Login to Azure
         uses: azure/login@v3
@@ -93,7 +106,7 @@ jobs:
         run: |
           ENTRA_USER=$(az postgres flexible-server microsoft-entra-admin list --resource-group ${{ env.CLUSTER_RESOURCE_GROUP_NAME }} --server-name ${{ env.POSTGRES_SERVER_NAME }} --query "[0].principalName" --output tsv)
           CONNECTION_STRING="Host=${{ env.POSTGRES_HOST }};Database=${{ inputs.database_name }};Username=$ENTRA_USER;Password=$(az account get-access-token --resource-type oss-rdbms --query accessToken --output tsv);Ssl Mode=VerifyFull;"
-          
+
           echo "Checking for pending migrations..."
           MIGRATION_INFO=$(dotnet ef migrations list \
             --project ${{ inputs.relative_project_path }} \
@@ -102,12 +115,12 @@ jobs:
             --connection "$CONNECTION_STRING" \
             --no-build \
             --json)
-          
+
           MIGRATION_JSON=$(echo "$MIGRATION_INFO" | sed -n '/^[{[]/,$p')
           PENDING_MIGRATIONS_JSON=$(echo "$MIGRATION_JSON" | jq '[.[] | select(.applied == false)]')
           PENDING_MIGRATIONS_COUNT=$(echo "$PENDING_MIGRATIONS_JSON" | jq '. | length')
           LAST_APPLIED_MIGRATION=$(echo "$MIGRATION_JSON" | jq -r '[.[] | select(.applied == true) | .id] | sort | last // "0"')
-          
+
           if [ "$PENDING_MIGRATIONS_COUNT" -gt "0" ]; then
             LAST_PENDING_MIGRATION=$(echo "$PENDING_MIGRATIONS_JSON" | jq -r '.[-1].id')
             echo "$PENDING_MIGRATIONS_COUNT pending migration(s) detected:"
@@ -122,13 +135,13 @@ jobs:
               --idempotent \
               --no-build \
               --output migration.sql
-            
+
             echo "has_migrations_to_apply=true" >> $GITHUB_OUTPUT
-            
+
             echo "migration_script<<EOF" >> $GITHUB_OUTPUT
             cat migration.sql >> $GITHUB_OUTPUT
             echo "EOF" >> $GITHUB_OUTPUT
-            
+
             echo "migration_json<<EOF" >> $GITHUB_OUTPUT
             echo "$PENDING_MIGRATIONS_JSON" >> $GITHUB_OUTPUT
             echo "EOF" >> $GITHUB_OUTPUT
@@ -165,22 +178,22 @@ jobs:
         with:
           script: |
             const migrationJson = JSON.parse(process.env.MIGRATION_JSON);
-            
+
             const migrationsList = migrationJson.map(m => `- ${m.name} (${m.id})`).join('\n');
-            
+
             const migrationInfo = `## Approve Database Migration \`${{ inputs.database_name }}\` database on \`${{ inputs.azure_environment }}\`
-            
+
             The following pending migration(s) will be applied to the database when approved:
             ${migrationsList}
-            
+
             ### Migration Script
             \`\`\`sql
             ${process.env.MIGRATION_SCRIPT}
             \`\`\`
             `;
-            
+
             console.log(migrationInfo);
-            
+
             core.setOutput('markdown', migrationInfo);
 
       - name: Add Migration Information to Pull Request