Repository:
- Add _lock to InMemoryMunicipalityProfileRepository; make duplicate-JCode
  check + insert atomic in CreateAsync (TOCTOU fix) and wrap UpdateAsync
  read-modify-write in lock (lost-update fix)
- Normalize JCode before passing to ILegacyLinkValidator so validation and
  storage use the same form (was: raw input validated, ToUpperInvariant stored)
- UpdateAsync returns ProfileNotFound (new factory on MunicipalityProfileSaveResult)
  so controller can distinguish 404 from 422

Controller:
- Null-guard post-save/update GetByIdAsync result instead of bang-deref
- Return 404 (not 422) when update target profile does not exist
- GET /api/municipalities/jurisdictions accepted as in-scope extension

Data access:
- FromJsonSeedFile: catch(Exception ex) with Console.Error.WriteLine;
  DistinctBy(JCode) before projection to suppress duplicates in seed file
- 422 body shape mismatch: problem.error ?? 'Validation failed.' fallback
  in createMunicipalityProfile and updateMunicipalityProfile

Frontend:
- Split Promise.all into independent profile + jurisdiction loads so a
  jurisdiction failure does not suppress the profile table
- Add jurisdictionsLoadError state; disable "New" button and show warning
  alert when jurisdictions are unavailable

Tests:
- Override ILegacyDataAccess in AuthIntegrationTestFactory with hardcoded
  defaults, isolating integration tests from the development seed file
- Add wrong-role 403, jurisdiction endpoint 401, update-not-found 404,
  and AC#3 audit assertion tests (create + update) to controller suite
- Add fetchAvailableJurisdictions contract tests (success + failure)
- Story 1.10 marked done; sprint-status synced

Introduces the Municipalities namespace with domain entity, in-memory
repository, and REST API. Extends the workspace shell with a live panel.

Backend:
- MunicipalityProfile record (ILegacyLinkedRecord) — participates in
  Story 1.8 nightly link integrity check automatically
- InMemoryMunicipalityProfileRepository — validates JCode before save
  (AC #4), resolves legacy jurisdiction for combined views (AC #2)
- POST/GET/PUT /api/municipalities/profiles — ClientServicesAccess policy;
  audit-logged creates and updates (AC #3)

Frontend:
- municipalityContracts.ts — typed fetch helpers, MunicipalityValidationError
- MunicipalityProfilePanel — table with combined legacy+extension data,
  modal create form with JCode validation error display
- WorkspaceShell — municipalities nav now renders the panel

Tests: 16 backend + 9 frontend (133 server / 36 client total, 0 failures)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Seed system reference values, readiness required-field rules, and overdue milestone escalation defaults during application startup.

Add idempotent seed-key storage with source metadata so reruns avoid duplicates and preserve admin-managed values. Replace the corrupted seed test file with coverage for first seed, persistence, idempotency, FR29 readiness scope, FR30 escalation defaults, and admin override preservation.

- wire legacy schema checks to live OleDb inspection and durable history
- harden schema baseline parsing and add constraint drift detection
- authenticate admin schema API calls from the client
- add release-gate workflow for legacy schema validation
- add extension-record save path with pre-save legacy link validation
- add link ambiguity detection, provider coverage reporting, and nightly integrity scheduler
- mark stories 1.7 and 1.8 done after review fixes

Introduces the ExtensionData namespace with the full contract and service
layer that future extension records (municipality profiles, election jobs,
service configs) will use to store and validate their legacy foreign references.

- LegacyLinkType enum (JurisdictionJCode, KitId, ContactId)
- LegacyLinkReference value record with typed factory methods
- ILegacyLinkValidator / LegacyLinkValidator — validates each link type
  against the anti-corruption layer; returns descriptive errors on failure
- ILegacyLinkedRecord / ILegacyLinkedRecordProvider — contracts extension
  record types implement to participate in integrity checks
- ILegacyLinkIntegrityCheck / LegacyLinkIntegrityService — scans all
  registered providers, computes consistency percentage (NFR13 target 99.9%)
- POST /api/admin/legacy-link/integrity-check (Admin-only, audit-logged)
- 19 unit tests covering all four ACs

Stories 1.10-1.13 register ILegacyLinkedRecordProvider implementations.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

- add Keycloak role mapping, app authorization policies, and logout/session coverage
- add shared append-only audit logging with authorization audit events
- add read-only legacy data access anti-corruption layer
- add legacy schema compatibility gate, admin API, and client schema check panel
- update story artifacts, planning docs, sprint status, and test coverage

React StrictMode's double-invocation of useEffect caused the first run to
remove oidcStateStorageKey from sessionStorage before the async code exchange
began. The second run would see the missing state, throw, and display
"Authentication failed" — while the first run completed in the background
(storing tokens and replacing the URL), making a page refresh appear to work.

Introduces a module-scope Promise (pendingCallbackSequence) that covers the
full callback sequence: token exchange, session fetch, and URL navigation. The
second effect run shares the same Promise and awaits its result, so no re-
validation or re-fetching occurs, and only the non-cancelled run sets state.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

- Add JWT bearer auth, session endpoint, and auth audit capture
- Add server-side Keycloak token exchange and refresh endpoints
- Load Keycloak client secret from ignored .env file
- Configure Canopy Keycloak realm, CORS, and Vite API proxy
- Add frontend protected auth callback, token storage, and refresh handling
- Cover backend and frontend auth behavior with tests