From 50f1a072b39979d301d41d04b22085afdd705da9 Mon Sep 17 00:00:00 2001
From: Duende Bot <duendebot@duendesoftware.com>
Date: Wed, 1 Apr 2026 08:22:06 +0000
Subject: [PATCH] Publish - 2026-04-01 08:20:45 UTC

---
 .gitignore                                    |   3 +-
 Directory.Build.props                         |   2 +-
 Directory.Packages.props                      |   2 +-
 aspnetcore-authentication-jwtbearer/build.cs  |  26 ----
 ...AspNetCore.Authentication.JwtBearer.csproj |   1 -
 ...ntext.cs => DPoPProofValidationContext.cs} |   0
 ...Result.cs => DPoPProofValidationResult.cs} |   0
 .../DPoP/DPoPProofValidator.cs                |   2 +-
 ...Core.Authentication.JwtBearer.Tests.csproj |   1 -
 .../DPoP/ConcurrentTokenValidationTests.cs    | 115 ++++++++++++++++++
 .../test/Directory.Build.props                |  12 ++
 bff/build.cs                                  |  29 -----
 ...osts.Bff.Blazor.PerComponent.Client.csproj |   1 -
 .../Hosts.Bff.Blazor.PerComponent.csproj      |   1 -
 ...Hosts.Bff.Blazor.WebAssembly.Client.csproj |   1 -
 .../Hosts.Bff.Blazor.WebAssembly.csproj       |   1 -
 bff/hosts/Hosts.AppHost/Hosts.AppHost.csproj  |   1 -
 .../Hosts.Bff.DPoP/Hosts.Bff.DPoP.csproj      |   1 -
 bff/hosts/Hosts.Bff.EF/Hosts.Bff.EF.csproj    |   1 +
 .../Hosts.Bff.InMemory.csproj                 |   1 -
 .../Hosts.Bff.MultiFrontend.csproj            |   1 -
 .../Hosts.Bff.Performance.csproj              |   1 -
 .../Hosts.IdentityServer.csproj               |   1 +
 .../Hosts.ServiceDefaults.csproj              |   1 -
 .../Hosts.RemoteApi.DPoP.csproj               |   1 +
 .../Hosts.RemoteApi.Isolated.csproj           |   1 +
 .../Hosts.RemoteApi/Hosts.RemoteApi.csproj    |   1 +
 bff/migrations/Directory.Build.props          |   1 +
 .../Bff.Benchmarks/Bff.Benchmarks.csproj      |   1 -
 .../Bff.Performance/Bff.Performance.csproj    |   1 -
 .../Bff.Blazor.Client.csproj                  |   1 -
 bff/src/Bff.Blazor/Bff.Blazor.csproj          |   1 -
 bff/src/Directory.Build.props                 |   1 -
 .../src/BffLocalApi/BffLocalApi.csproj        |   1 +
 bff/test/Bff.Tests/Bff.Tests.csproj           |   1 -
 bff/test/Directory.Build.props                |  32 ++++-
 bff/test/Hosts.Tests/Hosts.Tests.csproj       |   1 -
 conformance-report/build.cs                   |  26 ----
 .../Services/OAuth21Assessor.cs               |   9 +-
 conformance-report/src/Directory.Build.props  |   1 -
 conformance-report/test/Directory.Build.props |   3 -
 docs-mcp/build.cs                             |  21 ----
 docs-mcp/src/Directory.Build.props            |   1 -
 .../aspire/AppHosts/All/All.csproj            |   1 -
 .../aspire/AppHosts/Dev/Dev.csproj            |   1 -
 .../ServiceDefaults/ServiceDefaults.csproj    |   1 -
 identity-server/build.cs                      |  32 -----
 identity-server/clients/Directory.Build.props |   1 +
 .../Host.AspNetIdentity10.csproj              |   1 -
 .../Host.EntityFramework10.csproj             |   1 -
 .../hosts/Main10/Host.Main10.csproj           |   1 -
 .../hosts/Shared/Host.Shared.csproj           |   1 -
 .../AspNetIdentity/UI.AspNetIdentity.csproj   |   1 -
 .../EntityFramework/UI.EntityFramework.csproj |   1 -
 identity-server/hosts/UI/Main/UI.Main.csproj  |   1 -
 .../migrations/Directory.Build.props          |   1 +
 identity-server/perf/Directory.Build.props    |   1 +
 identity-server/src/Directory.Build.props     |   1 +
 .../Stores/PersistedGrantStore.cs             |   4 +-
 .../LocalApiAuthenticationHandler.cs          |   2 +-
 .../DefaultSessionManagementService.cs        |   5 +-
 .../InMemory/InMemoryPersistedGrantStore.cs   |   4 +-
 ...ntext.cs => DPoPProofValidationContext.cs} |   2 +-
 .../Default/DefaultDPoPProofValidator.cs      |  26 ++--
 .../PushedAuthorizationRequestValidator.cs    |   2 +-
 .../Default/TokenRequestValidator.cs          |   2 +-
 .../Validation/IDPoPProofValidator.cs         |   2 +-
 ...Result.cs => DPoPProofValidationResult.cs} |   2 +-
 .../PersistedGrantFilterExtensions.cs         |   4 +-
 .../Storage/Stores/PersistedGrantFilter.cs    |   4 +-
 identity-server/test/Directory.Build.props    |  34 ++++++
 .../Endpoints/Token/DPoPTokenEndpointTests.cs |   2 +-
 .../Validation/DPoPProofValidatorTests.cs     |   2 +-
 ignore-this/src/Directory.Build.props         |   1 -
 ignore-this/src/IgnoreThis/IgnoreThis.csproj  |   1 -
 ignore-this/test/Directory.Build.props        |   3 -
 products.slnx                                 |  22 ++--
 .../ShouldlyExtensions.csproj                 |   1 -
 .../Xunit.Playwright/Xunit.Playwright.csproj  |   1 -
 src.props                                     |  42 +++----
 templates/build/build.csproj                  |   1 -
 templates/templates.csproj                    |   1 +
 test.props                                    |  62 +---------
 83 files changed, 267 insertions(+), 321 deletions(-)
 delete mode 100644 aspnetcore-authentication-jwtbearer/build.cs
 rename aspnetcore-authentication-jwtbearer/src/AspNetCore.Authentication.JwtBearer/DPoP/{DPoPProofValidatonContext.cs => DPoPProofValidationContext.cs} (100%)
 rename aspnetcore-authentication-jwtbearer/src/AspNetCore.Authentication.JwtBearer/DPoP/{DPoPProofValidatonResult.cs => DPoPProofValidationResult.cs} (100%)
 create mode 100644 aspnetcore-authentication-jwtbearer/test/AspNetCore.Authentication.JwtBearer.Tests/DPoP/ConcurrentTokenValidationTests.cs
 delete mode 100644 bff/build.cs
 delete mode 100644 conformance-report/build.cs
 delete mode 100644 docs-mcp/build.cs
 delete mode 100644 identity-server/build.cs
 rename identity-server/src/IdentityServer/Validation/Contexts/{DPoPProofValidatonContext.cs => DPoPProofValidationContext.cs} (98%)
 rename identity-server/src/IdentityServer/Validation/Models/{DPoPProofValidatonResult.cs => DPoPProofValidationResult.cs} (96%)

diff --git a/.gitignore b/.gitignore
index 4ef916bfa..8ca708e45 100644
--- a/.gitignore
+++ b/.gitignore
@@ -24,6 +24,7 @@ x86/
 bld/
 [Bb]in/
 [Oo]bj/
+[Tt]emp/
 
 # Visual Studio 2015 cache/options directory
 .vs/
@@ -176,7 +177,7 @@ Logging.g.cs
 LoggerMessage.g.cs
 PublicTopLevelProgram.Generated.g.cs
 RegexGenerator.g.cs
-**/Generated/
+**/Generated/Microsoft.CodeAnalysis.Razor.Compiler/
 
 # Backup & report files from converting an old project file
 # to a newer Visual Studio version. Backup files are not needed,
diff --git a/Directory.Build.props b/Directory.Build.props
index bf0870fe1..e35d7d54a 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -13,7 +13,7 @@
     <ImplicitUsings>enable</ImplicitUsings>
     <IsPackable>false</IsPackable>
     <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
-    <!-- <Nullable>enable</Nullable> -->
+    <Nullable>enable</Nullable>
     <TargetFramework>net10.0</TargetFramework>
   </PropertyGroup>
 
diff --git a/Directory.Packages.props b/Directory.Packages.props
index fc11ac06c..7ba895698 100644
--- a/Directory.Packages.props
+++ b/Directory.Packages.props
@@ -101,7 +101,7 @@
     <PackageVersion Include="Serilog.Sinks.OpenTelemetry" Version="4.2.0" />
     <PackageVersion Include="Serilog.Sinks.TextWriter" Version="3.0.0" />
     <PackageVersion Include="Shouldly" Version="4.3.0" />
-    <PackageVersion Include="SimpleExec" Version="12.0.0" />
+    <PackageVersion Include="SimpleExec" Version="12.1.0" />
     <PackageVersion Include="SimpleFeedReader" Version="2.0.4" />
     <PackageVersion Include="Spectre.Console.Cli" Version="0.53.1" />
     <PackageVersion Include="Spectre.Console.Json" Version="0.54.0" />
diff --git a/aspnetcore-authentication-jwtbearer/build.cs b/aspnetcore-authentication-jwtbearer/build.cs
deleted file mode 100644
index b94cac453..000000000
--- a/aspnetcore-authentication-jwtbearer/build.cs
+++ /dev/null
@@ -1,26 +0,0 @@
-#:project ../.github/build/BuildHelpers.csproj
-
-using BuildHelpers;
-using static Bullseye.Targets;
-
-var repoRoot = Repo.FindRoot();
-
-Targets.Shared(repoRoot, "aspnetcore-authentication-jwtbearer/aspnetcore-authentication-jwtbearer.slnf");
-
-const string TestsAspNetCoreAuthenticationJwtBearerTests = "tests-asp-net-core-authentication-jwt-bearer-tests";
-
-Targets.Test(TestsAspNetCoreAuthenticationJwtBearerTests, "aspnetcore-authentication-jwtbearer/test/AspNetCore.Authentication.JwtBearer.Tests", repoRoot);
-
-Target(SharedTargets.Default, [
-    SharedTargets.CheckSolutions,
-    SharedTargets.CheckUnusedPackages,
-    SharedTargets.CheckSortedRefs,
-    SharedTargets.CheckSortedSlnf,
-    SharedTargets.VerifyFormatting,
-    SharedTargets.Clean,
-    SharedTargets.VerifyNoChanges,
-    SharedTargets.DotnetDevCerts,
-    TestsAspNetCoreAuthenticationJwtBearerTests
-]);
-
-await RunTargetsAndExitAsync(args);
diff --git a/aspnetcore-authentication-jwtbearer/src/AspNetCore.Authentication.JwtBearer/AspNetCore.Authentication.JwtBearer.csproj b/aspnetcore-authentication-jwtbearer/src/AspNetCore.Authentication.JwtBearer/AspNetCore.Authentication.JwtBearer.csproj
index 6c03bc636..88ee46ee0 100644
--- a/aspnetcore-authentication-jwtbearer/src/AspNetCore.Authentication.JwtBearer/AspNetCore.Authentication.JwtBearer.csproj
+++ b/aspnetcore-authentication-jwtbearer/src/AspNetCore.Authentication.JwtBearer/AspNetCore.Authentication.JwtBearer.csproj
@@ -1,7 +1,6 @@
 <Project Sdk="Microsoft.NET.Sdk">
   <PropertyGroup>
     <TargetFramework>net10.0</TargetFramework>
-    <Nullable>enable</Nullable>
     <RootNamespace>Duende.AspNetCore.Authentication.JwtBearer</RootNamespace>
     <AssemblyName>Duende.AspNetCore.Authentication.JwtBearer</AssemblyName>
   </PropertyGroup>
diff --git a/aspnetcore-authentication-jwtbearer/src/AspNetCore.Authentication.JwtBearer/DPoP/DPoPProofValidatonContext.cs b/aspnetcore-authentication-jwtbearer/src/AspNetCore.Authentication.JwtBearer/DPoP/DPoPProofValidationContext.cs
similarity index 100%
rename from aspnetcore-authentication-jwtbearer/src/AspNetCore.Authentication.JwtBearer/DPoP/DPoPProofValidatonContext.cs
rename to aspnetcore-authentication-jwtbearer/src/AspNetCore.Authentication.JwtBearer/DPoP/DPoPProofValidationContext.cs
diff --git a/aspnetcore-authentication-jwtbearer/src/AspNetCore.Authentication.JwtBearer/DPoP/DPoPProofValidatonResult.cs b/aspnetcore-authentication-jwtbearer/src/AspNetCore.Authentication.JwtBearer/DPoP/DPoPProofValidationResult.cs
similarity index 100%
rename from aspnetcore-authentication-jwtbearer/src/AspNetCore.Authentication.JwtBearer/DPoP/DPoPProofValidatonResult.cs
rename to aspnetcore-authentication-jwtbearer/src/AspNetCore.Authentication.JwtBearer/DPoP/DPoPProofValidationResult.cs
diff --git a/aspnetcore-authentication-jwtbearer/src/AspNetCore.Authentication.JwtBearer/DPoP/DPoPProofValidator.cs b/aspnetcore-authentication-jwtbearer/src/AspNetCore.Authentication.JwtBearer/DPoP/DPoPProofValidator.cs
index 579f9850c..9852ca215 100644
--- a/aspnetcore-authentication-jwtbearer/src/AspNetCore.Authentication.JwtBearer/DPoP/DPoPProofValidator.cs
+++ b/aspnetcore-authentication-jwtbearer/src/AspNetCore.Authentication.JwtBearer/DPoP/DPoPProofValidator.cs
@@ -226,7 +226,7 @@ internal class DPoPProofValidator : IDPoPProofValidator
 
         try
         {
-            var tvp = context.Options.ProofTokenValidationParameters;
+            var tvp = context.Options.ProofTokenValidationParameters.Clone();
             tvp.IssuerSigningKey = new JsonWebKey(result.JsonWebKey);
 
             var handler = new JsonWebTokenHandler();
diff --git a/aspnetcore-authentication-jwtbearer/test/AspNetCore.Authentication.JwtBearer.Tests/AspNetCore.Authentication.JwtBearer.Tests.csproj b/aspnetcore-authentication-jwtbearer/test/AspNetCore.Authentication.JwtBearer.Tests/AspNetCore.Authentication.JwtBearer.Tests.csproj
index 2753d17bc..26013b5bc 100644
--- a/aspnetcore-authentication-jwtbearer/test/AspNetCore.Authentication.JwtBearer.Tests/AspNetCore.Authentication.JwtBearer.Tests.csproj
+++ b/aspnetcore-authentication-jwtbearer/test/AspNetCore.Authentication.JwtBearer.Tests/AspNetCore.Authentication.JwtBearer.Tests.csproj
@@ -1,7 +1,6 @@
 <Project Sdk="Microsoft.NET.Sdk">
   <PropertyGroup>
     <TargetFramework>net10.0</TargetFramework>
-    <Nullable>enable</Nullable>
     <AssemblyName>Duende.AspNetCore.Authentication.JwtBearer.Tests</AssemblyName>
     <RootNameSpace>Duende.AspNetCore.Authentication.JwtBearer</RootNameSpace>
     <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
diff --git a/aspnetcore-authentication-jwtbearer/test/AspNetCore.Authentication.JwtBearer.Tests/DPoP/ConcurrentTokenValidationTests.cs b/aspnetcore-authentication-jwtbearer/test/AspNetCore.Authentication.JwtBearer.Tests/DPoP/ConcurrentTokenValidationTests.cs
new file mode 100644
index 000000000..411107d3a
--- /dev/null
+++ b/aspnetcore-authentication-jwtbearer/test/AspNetCore.Authentication.JwtBearer.Tests/DPoP/ConcurrentTokenValidationTests.cs
@@ -0,0 +1,115 @@
+// Copyright (c) Duende Software. All rights reserved.
+// See LICENSE in the project root for license information.
+
+using System.Security.Claims;
+using System.Security.Cryptography;
+using System.Text.Json;
+using Duende.IdentityModel;
+using Microsoft.IdentityModel.JsonWebTokens;
+using Microsoft.IdentityModel.Tokens;
+
+namespace Duende.AspNetCore.Authentication.JwtBearer.DPoP;
+
+/// <summary>
+/// Regression tests for GitHub issue #1667: concurrent DPoP proof validation
+/// must not corrupt the shared TokenValidationParameters.IssuerSigningKey.
+/// </summary>
+public sealed class ConcurrentTokenValidationTests : DPoPProofValidatorTestBase
+{
+    [Fact]
+    public async Task ConcurrentValidationsWithDifferentKeysShouldAllSucceed()
+    {
+        // Arrange – generate distinct RSA key pairs to simulate different DPoP clients
+        const int keyCount = 10;
+        const int requestsPerKey = 20;
+
+        var keys = Enumerable.Range(0, keyCount)
+            .Select(_ => GenerateRsaKeyPair())
+            .ToList();
+
+        // Build (context, result) pairs – each uses a proof token signed by a different key
+        var validations = keys.SelectMany(key =>
+            Enumerable.Range(0, requestsPerKey).Select(_ =>
+            {
+                var proofToken = CreateDPoPProofTokenForKey(key.PrivateJwk, key.PublicJwkPayload);
+                var result = new DPoPProofValidationResult();
+                var context = Context with { ProofToken = proofToken };
+
+                // Pre-populate the JWK on the result, as ValidateJwk normally does
+                ProofValidator.ValidateJwk(context, result);
+
+                return (Context: context, Result: result);
+            }))
+            .ToList();
+
+        // Act – run all validations concurrently against the shared Options.
+        // Use a gate to ensure all tasks start simultaneously on the thread pool,
+        // maximizing overlap to expose any race conditions.
+        using var gate = new ManualResetEventSlim(false);
+
+        var tasks = validations.Select(v => Task.Run(async () =>
+        {
+            gate.Wait();
+            await ProofValidator.ValidateToken(v.Context, v.Result);
+            return v.Result;
+        })).ToArray();
+
+        gate.Set();
+
+        var results = await Task.WhenAll(tasks);
+
+        // Assert – every validation must succeed; any failure indicates a race condition
+        var failures = results.Where(r => r.IsError).ToList();
+        failures.Count.ShouldBe(0,
+            $"{failures.Count}/{results.Length} validations failed. " +
+            $"First error: {failures.FirstOrDefault()?.ErrorDescription}");
+    }
+
+    private static (string PrivateJwk, Dictionary<string, string> PublicJwkPayload) GenerateRsaKeyPair()
+    {
+        using var rsa = RSA.Create(2048);
+        var parameters = rsa.ExportParameters(includePrivateParameters: true);
+
+        var privateJwkJson = JsonSerializer.Serialize(new
+        {
+            kty = "RSA",
+            n = Base64UrlEncoder.Encode(parameters.Modulus!),
+            e = Base64UrlEncoder.Encode(parameters.Exponent!),
+            d = Base64UrlEncoder.Encode(parameters.D!),
+            p = Base64UrlEncoder.Encode(parameters.P!),
+            q = Base64UrlEncoder.Encode(parameters.Q!),
+            dp = Base64UrlEncoder.Encode(parameters.DP!),
+            dq = Base64UrlEncoder.Encode(parameters.DQ!),
+            qi = Base64UrlEncoder.Encode(parameters.InverseQ!)
+        });
+
+        var publicJwkPayload = new Dictionary<string, string>
+        {
+            ["kty"] = "RSA",
+            ["n"] = Base64UrlEncoder.Encode(parameters.Modulus!),
+            ["e"] = Base64UrlEncoder.Encode(parameters.Exponent!)
+        };
+
+        return (privateJwkJson, publicJwkPayload);
+    }
+
+    private static string CreateDPoPProofTokenForKey(
+        string privateJwkJson,
+        Dictionary<string, string> publicJwkPayload)
+    {
+        var handler = new JsonWebTokenHandler();
+        var signingKey = new JsonWebKey(privateJwkJson);
+        var descriptor = new SecurityTokenDescriptor
+        {
+            TokenType = "dpop+jwt",
+            IssuedAt = DateTime.UtcNow,
+            AdditionalHeaderClaims = new Dictionary<string, object>
+            {
+                { JwtClaimTypes.JsonWebKey, publicJwkPayload }
+            },
+            Subject = new ClaimsIdentity(),
+            SigningCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.RsaSha256)
+        };
+        return handler.CreateToken(descriptor);
+    }
+}
diff --git a/aspnetcore-authentication-jwtbearer/test/Directory.Build.props b/aspnetcore-authentication-jwtbearer/test/Directory.Build.props
index 8178f7eeb..5191c88cd 100644
--- a/aspnetcore-authentication-jwtbearer/test/Directory.Build.props
+++ b/aspnetcore-authentication-jwtbearer/test/Directory.Build.props
@@ -2,4 +2,16 @@
 <Project>
   <Import Project="$([MSBuild]::GetPathOfFileAbove('Directory.Build.props', '$(MSBuildThisFileDirectory)..\'))" />
   <Import Project="../../test.props" />
+  <PropertyGroup>
+    <!-- TODO: Fix these in test code and remove suppressions -->
+    <NoWarn>$(NoWarn);CA1051</NoWarn><!-- Do not declare visible instance fields -->
+    <NoWarn>$(NoWarn);CA1305</NoWarn><!-- Specify IFormatProvider -->
+    <NoWarn>$(NoWarn);CA1310</NoWarn><!-- Specify StringComparison for correctness -->
+    <NoWarn>$(NoWarn);CA1707</NoWarn><!-- Identifiers should not contain underscores -->
+    <NoWarn>$(NoWarn);CA1805</NoWarn><!-- Do not initialize unnecessarily -->
+    <NoWarn>$(NoWarn);CA1822</NoWarn><!-- Mark members as static -->
+    <NoWarn>$(NoWarn);CA1852</NoWarn><!-- Seal internal types -->
+    <NoWarn>$(NoWarn);CA1866</NoWarn><!-- Use char overload -->
+    <NoWarn>$(NoWarn);CA2201</NoWarn><!-- Do not raise reserved exception types -->
+  </PropertyGroup>
 </Project>
diff --git a/bff/build.cs b/bff/build.cs
deleted file mode 100644
index 8da08210d..000000000
--- a/bff/build.cs
+++ /dev/null
@@ -1,29 +0,0 @@
-#:project ../.github/build/BuildHelpers.csproj
-
-using BuildHelpers;
-using static Bullseye.Targets;
-
-var repoRoot = Repo.FindRoot();
-
-Targets.Shared(repoRoot, "bff/bff.slnf");
-
-const string TestsBffTests = "tests-bff-tests";
-const string TestsHostsTests = "tests-hosts-tests";
-
-Targets.Test(TestsBffTests, "bff/test/Bff.Tests", repoRoot);
-Targets.Test(TestsHostsTests, "bff/test/Hosts.Tests", repoRoot);
-
-Target(SharedTargets.Default, [
-    SharedTargets.CheckSolutions,
-    SharedTargets.CheckUnusedPackages,
-    SharedTargets.CheckSortedRefs,
-    SharedTargets.CheckSortedSlnf,
-    SharedTargets.VerifyFormatting,
-    SharedTargets.Clean,
-    SharedTargets.VerifyNoChanges,
-    SharedTargets.DotnetDevCerts,
-    TestsBffTests,
-    TestsHostsTests
-]);
-
-await RunTargetsAndExitAsync(args);
diff --git a/bff/hosts/Blazor/PerComponent/Hosts.Bff.Blazor.PerComponent.Client/Hosts.Bff.Blazor.PerComponent.Client.csproj b/bff/hosts/Blazor/PerComponent/Hosts.Bff.Blazor.PerComponent.Client/Hosts.Bff.Blazor.PerComponent.Client.csproj
index a251fdb04..4dbf3c46d 100644
--- a/bff/hosts/Blazor/PerComponent/Hosts.Bff.Blazor.PerComponent.Client/Hosts.Bff.Blazor.PerComponent.Client.csproj
+++ b/bff/hosts/Blazor/PerComponent/Hosts.Bff.Blazor.PerComponent.Client/Hosts.Bff.Blazor.PerComponent.Client.csproj
@@ -2,7 +2,6 @@
 
   <PropertyGroup>
     <TargetFrameworks>net10.0</TargetFrameworks>
-    <Nullable>enable</Nullable>
     <NoDefaultLaunchSettingsFile>true</NoDefaultLaunchSettingsFile>
     <StaticWebAssetProjectMode>Default</StaticWebAssetProjectMode>
   </PropertyGroup>
diff --git a/bff/hosts/Blazor/PerComponent/Hosts.Bff.Blazor.PerComponent/Hosts.Bff.Blazor.PerComponent.csproj b/bff/hosts/Blazor/PerComponent/Hosts.Bff.Blazor.PerComponent/Hosts.Bff.Blazor.PerComponent.csproj
index 216d067e1..53e068dc5 100644
--- a/bff/hosts/Blazor/PerComponent/Hosts.Bff.Blazor.PerComponent/Hosts.Bff.Blazor.PerComponent.csproj
+++ b/bff/hosts/Blazor/PerComponent/Hosts.Bff.Blazor.PerComponent/Hosts.Bff.Blazor.PerComponent.csproj
@@ -2,7 +2,6 @@
 
   <PropertyGroup>
     <TargetFrameworks>net10.0</TargetFrameworks>
-    <Nullable>enable</Nullable>
   </PropertyGroup>
 
   <ItemGroup>
diff --git a/bff/hosts/Blazor/WebAssembly/Hosts.Bff.Blazor.WebAssembly.Client/Hosts.Bff.Blazor.WebAssembly.Client.csproj b/bff/hosts/Blazor/WebAssembly/Hosts.Bff.Blazor.WebAssembly.Client/Hosts.Bff.Blazor.WebAssembly.Client.csproj
index 7bbf1ebea..42b128bfa 100644
--- a/bff/hosts/Blazor/WebAssembly/Hosts.Bff.Blazor.WebAssembly.Client/Hosts.Bff.Blazor.WebAssembly.Client.csproj
+++ b/bff/hosts/Blazor/WebAssembly/Hosts.Bff.Blazor.WebAssembly.Client/Hosts.Bff.Blazor.WebAssembly.Client.csproj
@@ -2,7 +2,6 @@
 
   <PropertyGroup>
     <TargetFrameworks>net10.0</TargetFrameworks>
-    <Nullable>enable</Nullable>
     <NoDefaultLaunchSettingsFile>true</NoDefaultLaunchSettingsFile>
     <StaticWebAssetProjectMode>Default</StaticWebAssetProjectMode>
   </PropertyGroup>
diff --git a/bff/hosts/Blazor/WebAssembly/Hosts.Bff.Blazor.WebAssembly/Hosts.Bff.Blazor.WebAssembly.csproj b/bff/hosts/Blazor/WebAssembly/Hosts.Bff.Blazor.WebAssembly/Hosts.Bff.Blazor.WebAssembly.csproj
index 5e63ea2e3..feb83e0f2 100644
--- a/bff/hosts/Blazor/WebAssembly/Hosts.Bff.Blazor.WebAssembly/Hosts.Bff.Blazor.WebAssembly.csproj
+++ b/bff/hosts/Blazor/WebAssembly/Hosts.Bff.Blazor.WebAssembly/Hosts.Bff.Blazor.WebAssembly.csproj
@@ -2,7 +2,6 @@
 
   <PropertyGroup>
     <TargetFrameworks>net10.0</TargetFrameworks>
-    <Nullable>enable</Nullable>
   </PropertyGroup>
 
   <ItemGroup>
diff --git a/bff/hosts/Hosts.AppHost/Hosts.AppHost.csproj b/bff/hosts/Hosts.AppHost/Hosts.AppHost.csproj
index fad88a23c..101e5239c 100644
--- a/bff/hosts/Hosts.AppHost/Hosts.AppHost.csproj
+++ b/bff/hosts/Hosts.AppHost/Hosts.AppHost.csproj
@@ -2,7 +2,6 @@
 
   <PropertyGroup>
     <OutputType>Exe</OutputType>
-    <Nullable>enable</Nullable>
     <IsAspireHost>true</IsAspireHost>
     <UserSecretsId>616547e2-3a28-4c9d-8685-f4ac02581162</UserSecretsId>
 
diff --git a/bff/hosts/Hosts.Bff.DPoP/Hosts.Bff.DPoP.csproj b/bff/hosts/Hosts.Bff.DPoP/Hosts.Bff.DPoP.csproj
index d2fe546aa..c2216563d 100644
--- a/bff/hosts/Hosts.Bff.DPoP/Hosts.Bff.DPoP.csproj
+++ b/bff/hosts/Hosts.Bff.DPoP/Hosts.Bff.DPoP.csproj
@@ -3,7 +3,6 @@
   <PropertyGroup>
     <TargetFrameworks>net10.0</TargetFrameworks>
     <RootNamespace>Bff.DPoP</RootNamespace>
-    <Nullable>enable</Nullable>
   </PropertyGroup>
 
   <ItemGroup>
diff --git a/bff/hosts/Hosts.Bff.EF/Hosts.Bff.EF.csproj b/bff/hosts/Hosts.Bff.EF/Hosts.Bff.EF.csproj
index 95671fede..5ade47a4d 100644
--- a/bff/hosts/Hosts.Bff.EF/Hosts.Bff.EF.csproj
+++ b/bff/hosts/Hosts.Bff.EF/Hosts.Bff.EF.csproj
@@ -2,6 +2,7 @@
   <PropertyGroup>
     <TargetFrameworks>net10.0</TargetFrameworks>
     <RootNamespace>Bff.EF</RootNamespace>
+    <Nullable>disable</Nullable><!-- TODO: enable nullable -->
   </PropertyGroup>
   <ItemGroup>
     <PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" />
diff --git a/bff/hosts/Hosts.Bff.InMemory/Hosts.Bff.InMemory.csproj b/bff/hosts/Hosts.Bff.InMemory/Hosts.Bff.InMemory.csproj
index e60fd0d8f..d12a82ba1 100644
--- a/bff/hosts/Hosts.Bff.InMemory/Hosts.Bff.InMemory.csproj
+++ b/bff/hosts/Hosts.Bff.InMemory/Hosts.Bff.InMemory.csproj
@@ -3,7 +3,6 @@
   <PropertyGroup>
     <TargetFrameworks>net10.0</TargetFrameworks>
     <RootNamespace>Bff</RootNamespace>
-    <Nullable>enable</Nullable>
   </PropertyGroup>
 
   <ItemGroup>
diff --git a/bff/hosts/Hosts.Bff.MultiFrontend/Hosts.Bff.MultiFrontend.csproj b/bff/hosts/Hosts.Bff.MultiFrontend/Hosts.Bff.MultiFrontend.csproj
index 4148bd33c..68dae67c0 100644
--- a/bff/hosts/Hosts.Bff.MultiFrontend/Hosts.Bff.MultiFrontend.csproj
+++ b/bff/hosts/Hosts.Bff.MultiFrontend/Hosts.Bff.MultiFrontend.csproj
@@ -2,7 +2,6 @@
 
   <PropertyGroup>
     <TargetFrameworks>net10.0</TargetFrameworks>
-    <Nullable>enable</Nullable>
     <ImplicitUsings>enable</ImplicitUsings>
   </PropertyGroup>
 
diff --git a/bff/hosts/Hosts.Bff.Performance/Hosts.Bff.Performance.csproj b/bff/hosts/Hosts.Bff.Performance/Hosts.Bff.Performance.csproj
index da2ec451d..4fb9628d6 100644
--- a/bff/hosts/Hosts.Bff.Performance/Hosts.Bff.Performance.csproj
+++ b/bff/hosts/Hosts.Bff.Performance/Hosts.Bff.Performance.csproj
@@ -1,7 +1,6 @@
 <Project Sdk="Microsoft.NET.Sdk.Web">
   <PropertyGroup>
     <TargetFrameworks>net10.0</TargetFrameworks>
-    <Nullable>enable</Nullable>
     <ImplicitUsings>enable</ImplicitUsings>
   </PropertyGroup>
   <ItemGroup>
diff --git a/bff/hosts/Hosts.IdentityServer/Hosts.IdentityServer.csproj b/bff/hosts/Hosts.IdentityServer/Hosts.IdentityServer.csproj
index 27ef68f35..d2fb3b345 100644
--- a/bff/hosts/Hosts.IdentityServer/Hosts.IdentityServer.csproj
+++ b/bff/hosts/Hosts.IdentityServer/Hosts.IdentityServer.csproj
@@ -2,6 +2,7 @@
   <PropertyGroup>
     <TargetFrameworks>net10.0</TargetFrameworks>
     <ImplicitUsings>enable</ImplicitUsings>
+    <Nullable>disable</Nullable><!-- TODO: enable nullable -->
     <NoWarn>$(NoWarn);IDE0130</NoWarn><!-- Namespace does not match folder structure --><!-- TODO: remove? -->
   </PropertyGroup>
   <ItemGroup>
diff --git a/bff/hosts/Hosts.ServiceDefaults/Hosts.ServiceDefaults.csproj b/bff/hosts/Hosts.ServiceDefaults/Hosts.ServiceDefaults.csproj
index c7c8da7fd..330420c00 100644
--- a/bff/hosts/Hosts.ServiceDefaults/Hosts.ServiceDefaults.csproj
+++ b/bff/hosts/Hosts.ServiceDefaults/Hosts.ServiceDefaults.csproj
@@ -2,7 +2,6 @@
 
   <PropertyGroup>
     <TargetFrameworks>net10.0</TargetFrameworks>
-    <Nullable>enable</Nullable>
     <IsAspireSharedProject>true</IsAspireSharedProject>
   </PropertyGroup>
 
diff --git a/bff/hosts/RemoteApis/Hosts.RemoteApi.DPoP/Hosts.RemoteApi.DPoP.csproj b/bff/hosts/RemoteApis/Hosts.RemoteApi.DPoP/Hosts.RemoteApi.DPoP.csproj
index 596ffe9fd..2fff758fb 100644
--- a/bff/hosts/RemoteApis/Hosts.RemoteApi.DPoP/Hosts.RemoteApi.DPoP.csproj
+++ b/bff/hosts/RemoteApis/Hosts.RemoteApi.DPoP/Hosts.RemoteApi.DPoP.csproj
@@ -1,6 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk.Web">
   <PropertyGroup>
     <TargetFrameworks>net10.0</TargetFrameworks>
+    <Nullable>disable</Nullable><!-- TODO: enable nullable -->
   </PropertyGroup>
   <ItemGroup>
     <PackageReference Include="Duende.AspNetCore.Authentication.JwtBearer" />
diff --git a/bff/hosts/RemoteApis/Hosts.RemoteApi.Isolated/Hosts.RemoteApi.Isolated.csproj b/bff/hosts/RemoteApis/Hosts.RemoteApi.Isolated/Hosts.RemoteApi.Isolated.csproj
index 20be48762..b6287e787 100644
--- a/bff/hosts/RemoteApis/Hosts.RemoteApi.Isolated/Hosts.RemoteApi.Isolated.csproj
+++ b/bff/hosts/RemoteApis/Hosts.RemoteApi.Isolated/Hosts.RemoteApi.Isolated.csproj
@@ -1,6 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk.Web">
   <PropertyGroup>
     <TargetFrameworks>net10.0</TargetFrameworks>
+    <Nullable>disable</Nullable><!-- TODO: enable nullable -->
   </PropertyGroup>
   <ItemGroup>
     <PackageReference Include="Duende.IdentityModel" />
diff --git a/bff/hosts/RemoteApis/Hosts.RemoteApi/Hosts.RemoteApi.csproj b/bff/hosts/RemoteApis/Hosts.RemoteApi/Hosts.RemoteApi.csproj
index 14975ae35..c3c92b0bb 100644
--- a/bff/hosts/RemoteApis/Hosts.RemoteApi/Hosts.RemoteApi.csproj
+++ b/bff/hosts/RemoteApis/Hosts.RemoteApi/Hosts.RemoteApi.csproj
@@ -2,6 +2,7 @@
 
   <PropertyGroup>
     <TargetFrameworks>net10.0</TargetFrameworks>
+    <Nullable>disable</Nullable><!-- TODO: enable nullable -->
   </PropertyGroup>
 
   <ItemGroup>
diff --git a/bff/migrations/Directory.Build.props b/bff/migrations/Directory.Build.props
index 388739594..0b9a61a3a 100644
--- a/bff/migrations/Directory.Build.props
+++ b/bff/migrations/Directory.Build.props
@@ -5,5 +5,6 @@
     <RootNamespace>$(AssemblyName)</RootNamespace>
     <AssemblyName>Duende.$(MSBuildProjectName)</AssemblyName>
     <WarnOnPackingNonPackableProject>false</WarnOnPackingNonPackableProject>
+    <Nullable>disable</Nullable><!-- TODO: enable nullable -->
   </PropertyGroup>
 </Project>
diff --git a/bff/performance/Bff.Benchmarks/Bff.Benchmarks.csproj b/bff/performance/Bff.Benchmarks/Bff.Benchmarks.csproj
index e17ae92cc..df2e8b198 100644
--- a/bff/performance/Bff.Benchmarks/Bff.Benchmarks.csproj
+++ b/bff/performance/Bff.Benchmarks/Bff.Benchmarks.csproj
@@ -3,7 +3,6 @@
     <TargetFramework>net10.0</TargetFramework>
     <OutputType>Exe</OutputType>
     <ImplicitUsings>enable</ImplicitUsings>
-    <Nullable>enable</Nullable>
     <WarningsAsErrors>false</WarningsAsErrors>
   </PropertyGroup>
   <ItemGroup>
diff --git a/bff/performance/Bff.Performance/Bff.Performance.csproj b/bff/performance/Bff.Performance/Bff.Performance.csproj
index 3129998e2..106e15b7d 100644
--- a/bff/performance/Bff.Performance/Bff.Performance.csproj
+++ b/bff/performance/Bff.Performance/Bff.Performance.csproj
@@ -4,7 +4,6 @@
     <TargetFramework>net10.0</TargetFramework>
     <OutputType>Exe</OutputType>
     <ImplicitUsings>enable</ImplicitUsings>
-    <Nullable>enable</Nullable>
   </PropertyGroup>
   <ItemGroup>
     <FrameworkReference Include="Microsoft.AspNetCore.App" />
diff --git a/bff/src/Bff.Blazor.Client/Bff.Blazor.Client.csproj b/bff/src/Bff.Blazor.Client/Bff.Blazor.Client.csproj
index 47efa59f7..75a33bf8a 100644
--- a/bff/src/Bff.Blazor.Client/Bff.Blazor.Client.csproj
+++ b/bff/src/Bff.Blazor.Client/Bff.Blazor.Client.csproj
@@ -1,7 +1,6 @@
 <Project Sdk="Microsoft.NET.Sdk">
   <PropertyGroup>
     <TargetFramework>net10.0</TargetFramework>
-    <Nullable>enable</Nullable>
     <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
     <AssemblyName>Duende.BFF.Blazor.Client</AssemblyName>
   </PropertyGroup>
diff --git a/bff/src/Bff.Blazor/Bff.Blazor.csproj b/bff/src/Bff.Blazor/Bff.Blazor.csproj
index 56576ed71..b59ee9fbb 100644
--- a/bff/src/Bff.Blazor/Bff.Blazor.csproj
+++ b/bff/src/Bff.Blazor/Bff.Blazor.csproj
@@ -2,7 +2,6 @@
 
   <PropertyGroup>
     <TargetFramework>net10.0</TargetFramework>
-    <Nullable>enable</Nullable>
     <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
     <AssemblyName>Duende.BFF.Blazor</AssemblyName>
   </PropertyGroup>
diff --git a/bff/src/Directory.Build.props b/bff/src/Directory.Build.props
index 1fa333316..5ffff4a4f 100644
--- a/bff/src/Directory.Build.props
+++ b/bff/src/Directory.Build.props
@@ -5,7 +5,6 @@
   <Import Project="../../src.props" />
 
   <PropertyGroup>
-    <Nullable>enable</Nullable>
     <PackageTags>OAuth 2.0;OpenID Connect;Security;BFF;IdentityServer;ASP.NET Core;SPA;Blazor</PackageTags>
     <Product>Duende BFF</Product>
     <MinVerTagPrefix>bff-</MinVerTagPrefix>
diff --git a/bff/templates/src/BffLocalApi/BffLocalApi.csproj b/bff/templates/src/BffLocalApi/BffLocalApi.csproj
index aa6757fb4..49d3cc0a0 100644
--- a/bff/templates/src/BffLocalApi/BffLocalApi.csproj
+++ b/bff/templates/src/BffLocalApi/BffLocalApi.csproj
@@ -2,6 +2,7 @@
   <PropertyGroup>
     <TargetFramework>net10.0</TargetFramework>
     <ImplicitUsings>enable</ImplicitUsings>
+    <Nullable>disable</Nullable><!-- TODO: enable nullable -->
   </PropertyGroup>
   <ItemGroup>
     <PackageReference Include="Duende.BFF.Yarp" Version="3.0.0" />
diff --git a/bff/test/Bff.Tests/Bff.Tests.csproj b/bff/test/Bff.Tests/Bff.Tests.csproj
index 4870f96cb..1cc79da6e 100644
--- a/bff/test/Bff.Tests/Bff.Tests.csproj
+++ b/bff/test/Bff.Tests/Bff.Tests.csproj
@@ -2,7 +2,6 @@
   <PropertyGroup>
     <TargetFramework>net10.0</TargetFramework>
     <NoWarn>$(NoWarn);IDE0130</NoWarn><!-- Namespace does not match folder structure --><!-- TODO: remove? -->
-    <Nullable>enable</Nullable>
     <TreatWarningsAsErrors>True</TreatWarningsAsErrors>
   </PropertyGroup>
   <ItemGroup>
diff --git a/bff/test/Directory.Build.props b/bff/test/Directory.Build.props
index f9dc2ea41..66f181f48 100644
--- a/bff/test/Directory.Build.props
+++ b/bff/test/Directory.Build.props
@@ -5,11 +5,33 @@
     <AssemblyName>Duende.$(MSBuildProjectName)</AssemblyName>
     <RootNamespace>$(AssemblyName)</RootNamespace>
 
-        <!-- RS0026: Do not add multiple overloads with optional parameters -->
-    <NoWarn>$(NoWarn);RS0026</NoWarn>
-
-    <!-- RS0027: API with optional parameter(s) should have the most parameters amongst its public overloads -->
-    <NoWarn>$(NoWarn);RS0027</NoWarn>
+    <!-- TODO: Fix these in bff test code and remove suppressions -->
+    <NoWarn>$(NoWarn);RS0026</NoWarn><!-- Do not add multiple overloads with optional parameters -->
+    <NoWarn>$(NoWarn);RS0027</NoWarn><!-- API with optional parameter(s) should have the most parameters amongst its public overloads -->
+    <NoWarn>$(NoWarn);CA1000</NoWarn><!-- Do not declare static members on generic types -->
+    <NoWarn>$(NoWarn);CA1001</NoWarn><!-- Types that own disposable fields should be disposable -->
+    <NoWarn>$(NoWarn);CA1051</NoWarn><!-- Do not declare visible instance fields -->
+    <NoWarn>$(NoWarn);CA1304</NoWarn><!-- Specify CultureInfo -->
+    <NoWarn>$(NoWarn);CA1305</NoWarn><!-- Specify IFormatProvider -->
+    <NoWarn>$(NoWarn);CA1310</NoWarn><!-- Specify StringComparison for correctness -->
+    <NoWarn>$(NoWarn);CA1311</NoWarn><!-- Specify a culture or use an invariant version -->
+    <NoWarn>$(NoWarn);CA1707</NoWarn><!-- Identifiers should not contain underscores -->
+    <NoWarn>$(NoWarn);CA1711</NoWarn><!-- Identifiers should not have incorrect suffix -->
+    <NoWarn>$(NoWarn);CA1725</NoWarn><!-- Parameter names should match base declaration -->
+    <NoWarn>$(NoWarn);CA1805</NoWarn><!-- Do not initialize unnecessarily -->
+    <NoWarn>$(NoWarn);CA1816</NoWarn><!-- Call GC.SuppressFinalize correctly -->
+    <NoWarn>$(NoWarn);CA1822</NoWarn><!-- Mark members as static -->
+    <NoWarn>$(NoWarn);CA1829</NoWarn><!-- Use Length/Count property instead of Count() -->
+    <NoWarn>$(NoWarn);CA1848</NoWarn><!-- Use the LoggerMessage delegates -->
+    <NoWarn>$(NoWarn);CA1852</NoWarn><!-- Seal internal types -->
+    <NoWarn>$(NoWarn);CA1859</NoWarn><!-- Use concrete types when possible for improved performance -->
+    <NoWarn>$(NoWarn);CA1860</NoWarn><!-- Avoid using Enumerable.Any() extension method -->
+    <NoWarn>$(NoWarn);CA1861</NoWarn><!-- Avoid constant arrays as arguments -->
+    <NoWarn>$(NoWarn);CA1866</NoWarn><!-- Use char overload -->
+    <NoWarn>$(NoWarn);CA1869</NoWarn><!-- Cache and reuse JsonSerializerOptions instances -->
+    <NoWarn>$(NoWarn);CA2016</NoWarn><!-- Forward CancellationToken to methods that accept it -->
+    <NoWarn>$(NoWarn);CA2201</NoWarn><!-- Do not raise reserved exception types -->
+    <NoWarn>$(NoWarn);CA2254</NoWarn><!-- Template should be a static expression -->
   </PropertyGroup>
   <Import Project="../../test.props" />
 </Project>
diff --git a/bff/test/Hosts.Tests/Hosts.Tests.csproj b/bff/test/Hosts.Tests/Hosts.Tests.csproj
index c347c7f29..9ac513081 100644
--- a/bff/test/Hosts.Tests/Hosts.Tests.csproj
+++ b/bff/test/Hosts.Tests/Hosts.Tests.csproj
@@ -1,7 +1,6 @@
 <Project Sdk="Microsoft.NET.Sdk">
   <PropertyGroup>
     <TargetFrameworks>net10.0</TargetFrameworks>
-    <Nullable>enable</Nullable>
     <IsPackable>false</IsPackable>
     <Configurations>Debug;Release;Debug_ncrunch</Configurations>
     <RootNamespace>Hosts.Tests</RootNamespace>
diff --git a/conformance-report/build.cs b/conformance-report/build.cs
deleted file mode 100644
index 7269f621b..000000000
--- a/conformance-report/build.cs
+++ /dev/null
@@ -1,26 +0,0 @@
-#:project ../.github/build/BuildHelpers.csproj
-
-using BuildHelpers;
-using static Bullseye.Targets;
-
-var repoRoot = Repo.FindRoot();
-
-Targets.Shared(repoRoot, "conformance-report/conformance-report.slnf");
-
-const string TestsConformanceReportTests = "tests-conformance-report-tests";
-
-Targets.Test(TestsConformanceReportTests, "conformance-report/test/ConformanceReport.Tests", repoRoot);
-
-Target(SharedTargets.Default, [
-    SharedTargets.CheckSolutions,
-    SharedTargets.CheckUnusedPackages,
-    SharedTargets.CheckSortedRefs,
-    SharedTargets.CheckSortedSlnf,
-    SharedTargets.VerifyFormatting,
-    SharedTargets.Clean,
-    SharedTargets.VerifyNoChanges,
-    SharedTargets.DotnetDevCerts,
-    TestsConformanceReportTests
-]);
-
-await RunTargetsAndExitAsync(args);
diff --git a/conformance-report/src/ConformanceReport/Services/OAuth21Assessor.cs b/conformance-report/src/ConformanceReport/Services/OAuth21Assessor.cs
index d9469ee69..bb86a4c03 100644
--- a/conformance-report/src/ConformanceReport/Services/OAuth21Assessor.cs
+++ b/conformance-report/src/ConformanceReport/Services/OAuth21Assessor.cs
@@ -122,8 +122,6 @@ internal class OAuth21Assessor(ConformanceReportServerOptions options)
         return findings;
     }
 
-    #region Server-Level Assessments
-
     private Finding AssessParAvailability()
     {
         var parEnabled = options.PushedAuthorizationEndpointEnabled;
@@ -240,10 +238,6 @@ internal class OAuth21Assessor(ConformanceReportServerOptions options)
             Recommendation = options.UseHttp303Redirects ? null : "Set UseHttp303Redirects = true in IdentityServerOptions."
         };
 
-    #endregion
-
-    #region Client-Level Assessments
-
     private static Finding AssessAllowedGrantTypes(ConformanceReportClient client)
     {
         var allowedGrants = new HashSet<string>
@@ -654,5 +648,4 @@ internal class OAuth21Assessor(ConformanceReportServerOptions options)
         };
     }
 
-    #endregion
-}
+}
\ No newline at end of file
diff --git a/conformance-report/src/Directory.Build.props b/conformance-report/src/Directory.Build.props
index 803971578..492733bcb 100644
--- a/conformance-report/src/Directory.Build.props
+++ b/conformance-report/src/Directory.Build.props
@@ -2,7 +2,6 @@
   <Import Project="$([MSBuild]::GetPathOfFileAbove('Directory.Build.props', '$(MSBuildThisFileDirectory)..\'))" />
   <Import Project="../../src.props" />
   <PropertyGroup>
-    <Nullable>enable</Nullable>
     <AssemblyName>Duende.ConformanceReport.$(MSBuildProjectName)</AssemblyName>
     <PackageId>Duende.ConformanceReport.$(MSBuildProjectName)</PackageId>
     <RootNamespace>Duende.ConformanceReport</RootNamespace>
diff --git a/conformance-report/test/Directory.Build.props b/conformance-report/test/Directory.Build.props
index 689890199..5371b278d 100644
--- a/conformance-report/test/Directory.Build.props
+++ b/conformance-report/test/Directory.Build.props
@@ -1,7 +1,4 @@
 <Project>
   <Import Project="$([MSBuild]::GetPathOfFileAbove('Directory.Build.props', '$(MSBuildThisFileDirectory)..\'))" />
   <Import Project="../../test.props" />
-  <PropertyGroup>
-    <Nullable>enable</Nullable>
-  </PropertyGroup>
 </Project>
diff --git a/docs-mcp/build.cs b/docs-mcp/build.cs
deleted file mode 100644
index 9ee9f71e7..000000000
--- a/docs-mcp/build.cs
+++ /dev/null
@@ -1,21 +0,0 @@
-#:project ../.github/build/BuildHelpers.csproj
-
-using BuildHelpers;
-using static Bullseye.Targets;
-
-var repoRoot = Repo.FindRoot();
-
-Targets.Shared(repoRoot, "docs-mcp/docs-mcp.slnf");
-
-Target(SharedTargets.Default, [
-    SharedTargets.CheckSolutions,
-    SharedTargets.CheckUnusedPackages,
-    SharedTargets.CheckSortedRefs,
-    SharedTargets.CheckSortedSlnf,
-    SharedTargets.VerifyFormatting,
-    SharedTargets.Clean,
-    SharedTargets.VerifyNoChanges,
-    SharedTargets.DotnetDevCerts
-]);
-
-await RunTargetsAndExitAsync(args);
diff --git a/docs-mcp/src/Directory.Build.props b/docs-mcp/src/Directory.Build.props
index 690b48359..bb1a26472 100644
--- a/docs-mcp/src/Directory.Build.props
+++ b/docs-mcp/src/Directory.Build.props
@@ -9,6 +9,5 @@
     <Product>Duende Documentation MCP Server</Product>
     <MinVerTagPrefix>dmcp-</MinVerTagPrefix>
     <MinVerMinimumMajorMinor>1.0</MinVerMinimumMajorMinor>
-    <Nullable>enable</Nullable>
   </PropertyGroup>
 </Project>
diff --git a/identity-server/aspire/AppHosts/All/All.csproj b/identity-server/aspire/AppHosts/All/All.csproj
index 18d5a9098..b59d0d171 100644
--- a/identity-server/aspire/AppHosts/All/All.csproj
+++ b/identity-server/aspire/AppHosts/All/All.csproj
@@ -2,7 +2,6 @@
 
   <PropertyGroup>
     <OutputType>Exe</OutputType>
-    <Nullable>enable</Nullable>
     <IsAspireHost>true</IsAspireHost>
     <UserSecretsId>b86a3528-3d86-4514-b57f-9839f472ef31</UserSecretsId>
 
diff --git a/identity-server/aspire/AppHosts/Dev/Dev.csproj b/identity-server/aspire/AppHosts/Dev/Dev.csproj
index 8c54eca2f..6b5082d02 100644
--- a/identity-server/aspire/AppHosts/Dev/Dev.csproj
+++ b/identity-server/aspire/AppHosts/Dev/Dev.csproj
@@ -2,7 +2,6 @@
   
   <PropertyGroup>
     <OutputType>Exe</OutputType>
-    <Nullable>enable</Nullable>
     <IsAspireHost>true</IsAspireHost>
   </PropertyGroup>
 
diff --git a/identity-server/aspire/ServiceDefaults/ServiceDefaults.csproj b/identity-server/aspire/ServiceDefaults/ServiceDefaults.csproj
index 0c0e1e443..5008c34c3 100644
--- a/identity-server/aspire/ServiceDefaults/ServiceDefaults.csproj
+++ b/identity-server/aspire/ServiceDefaults/ServiceDefaults.csproj
@@ -1,7 +1,6 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
-    <Nullable>enable</Nullable>
     <IsAspireSharedProject>true</IsAspireSharedProject>
   </PropertyGroup>
 
diff --git a/identity-server/build.cs b/identity-server/build.cs
deleted file mode 100644
index 304bfeb47..000000000
--- a/identity-server/build.cs
+++ /dev/null
@@ -1,32 +0,0 @@
-#:project ../.github/build/BuildHelpers.csproj
-
-using BuildHelpers;
-using static Bullseye.Targets;
-
-var repoRoot = Repo.FindRoot();
-
-Targets.Shared(repoRoot, "identity-server/identity-server.slnf");
-
-const string TestsIdentityServerUnitTests = "tests-identity-server-unit-tests";
-const string TestsIdentityServerIntegrationTests = "tests-identity-server-integration-tests";
-const string TestsIdentityServerEndToEndTests = "tests-identity-server-end-to-end-tests";
-
-Targets.Test(TestsIdentityServerUnitTests, "identity-server/test/IdentityServer.UnitTests", repoRoot);
-Targets.Test(TestsIdentityServerIntegrationTests, "identity-server/test/IdentityServer.IntegrationTests", repoRoot);
-Targets.Test(TestsIdentityServerEndToEndTests, "identity-server/test/IdentityServer.EndToEndTests", repoRoot);
-
-Target(SharedTargets.Default, [
-    SharedTargets.CheckSolutions,
-    SharedTargets.CheckUnusedPackages,
-    SharedTargets.CheckSortedRefs,
-    SharedTargets.CheckSortedSlnf,
-    SharedTargets.VerifyFormatting,
-    SharedTargets.Clean,
-    SharedTargets.VerifyNoChanges,
-    SharedTargets.DotnetDevCerts,
-    TestsIdentityServerUnitTests,
-    TestsIdentityServerIntegrationTests,
-    TestsIdentityServerEndToEndTests
-]);
-
-await RunTargetsAndExitAsync(args);
diff --git a/identity-server/clients/Directory.Build.props b/identity-server/clients/Directory.Build.props
index 8a89ceed6..a3b32caa0 100644
--- a/identity-server/clients/Directory.Build.props
+++ b/identity-server/clients/Directory.Build.props
@@ -4,5 +4,6 @@
     <AnalysisMode>None</AnalysisMode>
     <IsIdSrvProject>true</IsIdSrvProject>
     <WarnOnPackingNonPackableProject>false</WarnOnPackingNonPackableProject>
+    <Nullable>disable</Nullable><!-- TODO: enable nullable -->
   </PropertyGroup>
 </Project>
diff --git a/identity-server/hosts/AspNetIdentity10/Host.AspNetIdentity10.csproj b/identity-server/hosts/AspNetIdentity10/Host.AspNetIdentity10.csproj
index 97c68e120..52a182485 100644
--- a/identity-server/hosts/AspNetIdentity10/Host.AspNetIdentity10.csproj
+++ b/identity-server/hosts/AspNetIdentity10/Host.AspNetIdentity10.csproj
@@ -2,7 +2,6 @@
 
   <PropertyGroup>
     <RootNamespace>IdentityServerHost</RootNamespace>
-    <Nullable>enable</Nullable>
   </PropertyGroup>
 
   <ItemGroup>
diff --git a/identity-server/hosts/EntityFramework10/Host.EntityFramework10.csproj b/identity-server/hosts/EntityFramework10/Host.EntityFramework10.csproj
index b2e6fbd19..51a8ca264 100644
--- a/identity-server/hosts/EntityFramework10/Host.EntityFramework10.csproj
+++ b/identity-server/hosts/EntityFramework10/Host.EntityFramework10.csproj
@@ -2,7 +2,6 @@
 
   <PropertyGroup>
     <RootNamespace>IdentityServerHost</RootNamespace>
-    <Nullable>enable</Nullable>
     <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
     <ImplicitUsings>enable</ImplicitUsings>
   </PropertyGroup>
diff --git a/identity-server/hosts/Main10/Host.Main10.csproj b/identity-server/hosts/Main10/Host.Main10.csproj
index fc0a473d2..7838f5c45 100644
--- a/identity-server/hosts/Main10/Host.Main10.csproj
+++ b/identity-server/hosts/Main10/Host.Main10.csproj
@@ -4,7 +4,6 @@
     <AspNetCoreHostingModel>InProcess</AspNetCoreHostingModel>
     <RootNamespace>IdentityServerHost</RootNamespace>
     <UserSecretsId>e60c119c-8b86-4016-9d44-80e25948dbba</UserSecretsId>
-    <Nullable>enable</Nullable>
   </PropertyGroup>
 
   <ItemGroup>
diff --git a/identity-server/hosts/Shared/Host.Shared.csproj b/identity-server/hosts/Shared/Host.Shared.csproj
index 70b673fe4..dbf90e32f 100644
--- a/identity-server/hosts/Shared/Host.Shared.csproj
+++ b/identity-server/hosts/Shared/Host.Shared.csproj
@@ -3,7 +3,6 @@
   <PropertyGroup>
     <TargetFramework>net10.0</TargetFramework>
     <ImplicitUsings>enable</ImplicitUsings>
-    <Nullable>enable</Nullable>
     <RootNamespace>Duende.IdentityServer.Hosts.Shared</RootNamespace>
     <IsPackable>false</IsPackable>
   </PropertyGroup>
diff --git a/identity-server/hosts/UI/AspNetIdentity/UI.AspNetIdentity.csproj b/identity-server/hosts/UI/AspNetIdentity/UI.AspNetIdentity.csproj
index 477996f30..dd986e832 100644
--- a/identity-server/hosts/UI/AspNetIdentity/UI.AspNetIdentity.csproj
+++ b/identity-server/hosts/UI/AspNetIdentity/UI.AspNetIdentity.csproj
@@ -2,7 +2,6 @@
 
   <PropertyGroup>
     <TargetFramework>net10.0</TargetFramework>
-    <Nullable>enable</Nullable>
     <ImplicitUsings>enable</ImplicitUsings>
     <AddRazorSupportForMvc>true</AddRazorSupportForMvc>
     <RootNamespace>Duende.IdentityServer.UI.AspNetIdentity</RootNamespace>
diff --git a/identity-server/hosts/UI/EntityFramework/UI.EntityFramework.csproj b/identity-server/hosts/UI/EntityFramework/UI.EntityFramework.csproj
index 6bb558761..f00ffc298 100644
--- a/identity-server/hosts/UI/EntityFramework/UI.EntityFramework.csproj
+++ b/identity-server/hosts/UI/EntityFramework/UI.EntityFramework.csproj
@@ -2,7 +2,6 @@
 
   <PropertyGroup>
     <TargetFramework>net10.0</TargetFramework>
-    <Nullable>enable</Nullable>
     <ImplicitUsings>enable</ImplicitUsings>
     <AddRazorSupportForMvc>true</AddRazorSupportForMvc>
     <RootNamespace>Duende.IdentityServer.UI.EntityFramework</RootNamespace>
diff --git a/identity-server/hosts/UI/Main/UI.Main.csproj b/identity-server/hosts/UI/Main/UI.Main.csproj
index 6ffa043f6..3806f061e 100644
--- a/identity-server/hosts/UI/Main/UI.Main.csproj
+++ b/identity-server/hosts/UI/Main/UI.Main.csproj
@@ -2,7 +2,6 @@
 
   <PropertyGroup>
     <TargetFramework>net10.0</TargetFramework>
-    <Nullable>enable</Nullable>
     <ImplicitUsings>enable</ImplicitUsings>
     <AddRazorSupportForMvc>true</AddRazorSupportForMvc>
     <RootNamespace>Duende.IdentityServer.UI</RootNamespace>
diff --git a/identity-server/migrations/Directory.Build.props b/identity-server/migrations/Directory.Build.props
index 8a89ceed6..a3b32caa0 100644
--- a/identity-server/migrations/Directory.Build.props
+++ b/identity-server/migrations/Directory.Build.props
@@ -4,5 +4,6 @@
     <AnalysisMode>None</AnalysisMode>
     <IsIdSrvProject>true</IsIdSrvProject>
     <WarnOnPackingNonPackableProject>false</WarnOnPackingNonPackableProject>
+    <Nullable>disable</Nullable><!-- TODO: enable nullable -->
   </PropertyGroup>
 </Project>
diff --git a/identity-server/perf/Directory.Build.props b/identity-server/perf/Directory.Build.props
index de7b79c33..ba993305d 100644
--- a/identity-server/perf/Directory.Build.props
+++ b/identity-server/perf/Directory.Build.props
@@ -2,5 +2,6 @@
   <Import Project="$([MSBuild]::GetPathOfFileAbove('Directory.Build.props', '$(MSBuildThisFileDirectory)..\'))" />
   <PropertyGroup>
     <AnalysisMode>None</AnalysisMode>
+    <Nullable>disable</Nullable><!-- TODO: enable nullable -->
   </PropertyGroup>
 </Project>
diff --git a/identity-server/src/Directory.Build.props b/identity-server/src/Directory.Build.props
index 0bb39d74c..56dd0c82c 100644
--- a/identity-server/src/Directory.Build.props
+++ b/identity-server/src/Directory.Build.props
@@ -9,6 +9,7 @@
     <MinVerTagPrefix>is-</MinVerTagPrefix>
     <MinVerMinimumMajorMinor>8.0</MinVerMinimumMajorMinor>
     <IsIdSrvProject>true</IsIdSrvProject>
+    <Nullable>disable</Nullable><!-- TODO: enable nullable -->
   </PropertyGroup>
   <PropertyGroup>
     <NoWarn>$(NoWarn);CA1002;CA1008;CA1031;CA1051;CA1054;CA1055;CA1056;CA1062;CA1716;CA1724;CA1725;CA1727;CA1819;CA1848;CA1851;CA2201;CA2208;CA2227;CA2234</NoWarn>
diff --git a/identity-server/src/EntityFramework.Storage/Stores/PersistedGrantStore.cs b/identity-server/src/EntityFramework.Storage/Stores/PersistedGrantStore.cs
index 319288614..e7abaa863 100644
--- a/identity-server/src/EntityFramework.Storage/Stores/PersistedGrantStore.cs
+++ b/identity-server/src/EntityFramework.Storage/Stores/PersistedGrantStore.cs
@@ -159,7 +159,7 @@ public class PersistedGrantStore : Duende.IdentityServer.Stores.IPersistedGrantS
 
     private static IQueryable<PersistedGrant> Filter(IQueryable<PersistedGrant> query, PersistedGrantFilter filter)
     {
-        if (filter.ClientIds != null)
+        if (filter.ClientIds.Count > 0)
         {
             var ids = filter.ClientIds.ToList();
             if (!string.IsNullOrWhiteSpace(filter.ClientId))
@@ -182,7 +182,7 @@ public class PersistedGrantStore : Duende.IdentityServer.Stores.IPersistedGrantS
             query = query.Where(x => x.SubjectId == filter.SubjectId);
         }
 
-        if (filter.Types != null)
+        if (filter.Types.Count > 0)
         {
             var types = filter.Types.ToList();
             if (!string.IsNullOrWhiteSpace(filter.Type))
diff --git a/identity-server/src/IdentityServer/Hosting/LocalApiAuthentication/LocalApiAuthenticationHandler.cs b/identity-server/src/IdentityServer/Hosting/LocalApiAuthentication/LocalApiAuthenticationHandler.cs
index 9d8301a91..2c871938b 100644
--- a/identity-server/src/IdentityServer/Hosting/LocalApiAuthentication/LocalApiAuthenticationHandler.cs
+++ b/identity-server/src/IdentityServer/Hosting/LocalApiAuthentication/LocalApiAuthenticationHandler.cs
@@ -119,7 +119,7 @@ public class LocalApiAuthenticationHandler : AuthenticationHandler<LocalApiAuthe
             }
 
             var proofToken = Context.Request.Headers[OidcConstants.HttpHeaders.DPoP].FirstOrDefault();
-            var validationContext = new DPoPProofValidatonContext
+            var validationContext = new DPoPProofValidationContext
             {
                 ProofToken = proofToken,
                 Method = Context.Request.Method,
diff --git a/identity-server/src/IdentityServer/Services/Default/DefaultSessionManagementService.cs b/identity-server/src/IdentityServer/Services/Default/DefaultSessionManagementService.cs
index b6622103d..178f88483 100644
--- a/identity-server/src/IdentityServer/Services/Default/DefaultSessionManagementService.cs
+++ b/identity-server/src/IdentityServer/Services/Default/DefaultSessionManagementService.cs
@@ -61,10 +61,7 @@ public class DefaultSessionManagementService : ISessionManagementService
                 SessionId = context.SessionId,
             };
 
-            if (context.ClientIds != null)
-            {
-                grantFilter.ClientIds = context.ClientIds;
-            }
+            grantFilter.ClientIds = context.ClientIds ?? [];
 
             if (!context.RevokeTokens || !context.RevokeConsents)
             {
diff --git a/identity-server/src/IdentityServer/Stores/InMemory/InMemoryPersistedGrantStore.cs b/identity-server/src/IdentityServer/Stores/InMemory/InMemoryPersistedGrantStore.cs
index de6975786..f01598ca1 100644
--- a/identity-server/src/IdentityServer/Stores/InMemory/InMemoryPersistedGrantStore.cs
+++ b/identity-server/src/IdentityServer/Stores/InMemory/InMemoryPersistedGrantStore.cs
@@ -83,7 +83,7 @@ public class InMemoryPersistedGrantStore : IPersistedGrantStore
             from item in _repository
             select item.Value;
 
-        if (filter.ClientIds != null)
+        if (filter.ClientIds.Count > 0)
         {
             var ids = filter.ClientIds.ToList();
             if (!string.IsNullOrWhiteSpace(filter.ClientId))
@@ -106,7 +106,7 @@ public class InMemoryPersistedGrantStore : IPersistedGrantStore
             query = query.Where(x => x.SubjectId == filter.SubjectId);
         }
 
-        if (filter.Types != null)
+        if (filter.Types.Count > 0)
         {
             var types = filter.Types.ToList();
             if (!string.IsNullOrWhiteSpace(filter.Type))
diff --git a/identity-server/src/IdentityServer/Validation/Contexts/DPoPProofValidatonContext.cs b/identity-server/src/IdentityServer/Validation/Contexts/DPoPProofValidationContext.cs
similarity index 98%
rename from identity-server/src/IdentityServer/Validation/Contexts/DPoPProofValidatonContext.cs
rename to identity-server/src/IdentityServer/Validation/Contexts/DPoPProofValidationContext.cs
index 9348beda9..c1cde28cd 100644
--- a/identity-server/src/IdentityServer/Validation/Contexts/DPoPProofValidatonContext.cs
+++ b/identity-server/src/IdentityServer/Validation/Contexts/DPoPProofValidationContext.cs
@@ -12,7 +12,7 @@ namespace Duende.IdentityServer.Validation;
 /// <summary>
 /// Models the context for validaing DPoP proof tokens.
 /// </summary>
-public class DPoPProofValidatonContext
+public class DPoPProofValidationContext
 {
     /// <summary>
     /// Enum setting to control validation for the DPoP proof token expiration.
diff --git a/identity-server/src/IdentityServer/Validation/Default/DefaultDPoPProofValidator.cs b/identity-server/src/IdentityServer/Validation/Default/DefaultDPoPProofValidator.cs
index c5eac04d0..fda201373 100644
--- a/identity-server/src/IdentityServer/Validation/Default/DefaultDPoPProofValidator.cs
+++ b/identity-server/src/IdentityServer/Validation/Default/DefaultDPoPProofValidator.cs
@@ -69,9 +69,9 @@ public class DefaultDPoPProofValidator : IDPoPProofValidator
     }
 
     /// <inheritdoc/>
-    public async Task<DPoPProofValidatonResult> ValidateAsync(DPoPProofValidatonContext context, Ct ct)
+    public async Task<DPoPProofValidationResult> ValidateAsync(DPoPProofValidationContext context, Ct ct)
     {
-        var result = new DPoPProofValidatonResult() { IsError = false };
+        var result = new DPoPProofValidationResult() { IsError = false };
 
         try
         {
@@ -120,7 +120,7 @@ public class DefaultDPoPProofValidator : IDPoPProofValidator
     /// <summary>
     /// Validates the header.
     /// </summary>
-    protected virtual Task ValidateHeaderAsync(DPoPProofValidatonContext context, DPoPProofValidatonResult result)
+    protected virtual Task ValidateHeaderAsync(DPoPProofValidationContext context, DPoPProofValidationResult result)
     {
         JsonWebToken token;
         var handler = new JsonWebTokenHandler();
@@ -242,7 +242,7 @@ public class DefaultDPoPProofValidator : IDPoPProofValidator
     /// <summary>
     /// Validates the signature.
     /// </summary>
-    protected virtual async Task ValidateSignatureAsync(DPoPProofValidatonContext context, DPoPProofValidatonResult result)
+    protected virtual async Task ValidateSignatureAsync(DPoPProofValidationContext context, DPoPProofValidationResult result)
     {
         Microsoft.IdentityModel.Tokens.TokenValidationResult tokenValidationResult;
 
@@ -284,7 +284,7 @@ public class DefaultDPoPProofValidator : IDPoPProofValidator
     /// <summary>
     /// Validates the payload.
     /// </summary>
-    protected virtual async Task ValidatePayloadAsync(DPoPProofValidatonContext context, DPoPProofValidatonResult result, Ct ct)
+    protected virtual async Task ValidatePayloadAsync(DPoPProofValidationContext context, DPoPProofValidationResult result, Ct ct)
     {
         if (context.ValidateAccessToken)
         {
@@ -379,9 +379,9 @@ public class DefaultDPoPProofValidator : IDPoPProofValidator
     }
 
     /// <summary>
-    /// Validates is the token has been replayed.
+    /// Validates if the token has been replayed.
     /// </summary>
-    protected virtual async Task ValidateReplayAsync(DPoPProofValidatonContext context, DPoPProofValidatonResult result, Ct ct)
+    protected virtual async Task ValidateReplayAsync(DPoPProofValidationContext context, DPoPProofValidationResult result, Ct ct)
     {
         if (await ReplayCache.ExistsAsync(ReplayCachePurpose, result.TokenId, ct))
         {
@@ -416,7 +416,7 @@ public class DefaultDPoPProofValidator : IDPoPProofValidator
     /// <summary>
     /// Validates the freshness.
     /// </summary>
-    protected virtual async Task ValidateFreshnessAsync(DPoPProofValidatonContext context, DPoPProofValidatonResult result)
+    protected virtual async Task ValidateFreshnessAsync(DPoPProofValidationContext context, DPoPProofValidationResult result)
     {
         var validateIat = (context.ExpirationValidationMode & DPoPTokenExpirationValidationMode.Iat) == DPoPTokenExpirationValidationMode.Iat;
         if (validateIat)
@@ -442,7 +442,7 @@ public class DefaultDPoPProofValidator : IDPoPProofValidator
     /// <summary>
     /// Validates the freshness of the iat value.
     /// </summary>
-    protected virtual Task ValidateIatAsync(DPoPProofValidatonContext context, DPoPProofValidatonResult result)
+    protected virtual Task ValidateIatAsync(DPoPProofValidationContext context, DPoPProofValidationResult result)
     {
         if (IsExpired(context, result, context.ClientClockSkew, result.IssuedAt.Value))
         {
@@ -457,7 +457,7 @@ public class DefaultDPoPProofValidator : IDPoPProofValidator
     /// <summary>
     /// Validates the freshness of the nonce value.
     /// </summary>
-    protected virtual async Task ValidateNonceAsync(DPoPProofValidatonContext context, DPoPProofValidatonResult result)
+    protected virtual async Task ValidateNonceAsync(DPoPProofValidationContext context, DPoPProofValidationResult result)
     {
         if (result.Nonce.IsMissing())
         {
@@ -496,7 +496,7 @@ public class DefaultDPoPProofValidator : IDPoPProofValidator
     /// Creates a nonce value to return to the client.
     /// </summary>
     /// <returns></returns>
-    protected virtual string CreateNonce(DPoPProofValidatonContext context, DPoPProofValidatonResult result)
+    protected virtual string CreateNonce(DPoPProofValidationContext context, DPoPProofValidationResult result)
     {
         var now = TimeProvider.GetUtcNow().ToUnixTimeSeconds();
         return DataProtector.Protect(now.ToString(CultureInfo.InvariantCulture));
@@ -506,7 +506,7 @@ public class DefaultDPoPProofValidator : IDPoPProofValidator
     /// Reads the time the nonce was created.
     /// </summary>
     /// <returns></returns>
-    protected virtual ValueTask<long> GetUnixTimeFromNonceAsync(DPoPProofValidatonContext context, DPoPProofValidatonResult result)
+    protected virtual ValueTask<long> GetUnixTimeFromNonceAsync(DPoPProofValidationContext context, DPoPProofValidationResult result)
     {
         try
         {
@@ -528,7 +528,7 @@ public class DefaultDPoPProofValidator : IDPoPProofValidator
     /// Validates the expiration of the DPoP proof.
     /// Returns true if the time is beyond the allowed limits, false otherwise.
     /// </summary>
-    protected virtual bool IsExpired(DPoPProofValidatonContext context, DPoPProofValidatonResult result, TimeSpan clockSkew, long issuedAtTime)
+    protected virtual bool IsExpired(DPoPProofValidationContext context, DPoPProofValidationResult result, TimeSpan clockSkew, long issuedAtTime)
     {
         var now = TimeProvider.GetUtcNow().ToUnixTimeSeconds();
         var start = now + (int)clockSkew.TotalSeconds;
diff --git a/identity-server/src/IdentityServer/Validation/Default/PushedAuthorizationRequestValidator.cs b/identity-server/src/IdentityServer/Validation/Default/PushedAuthorizationRequestValidator.cs
index 0bcc4c230..578721e69 100644
--- a/identity-server/src/IdentityServer/Validation/Default/PushedAuthorizationRequestValidator.cs
+++ b/identity-server/src/IdentityServer/Validation/Default/PushedAuthorizationRequestValidator.cs
@@ -87,7 +87,7 @@ internal class PushedAuthorizationRequestValidator(
 
             // validate proof token
             var parUrl = context.ClientCertificate == null ? serverUrls.BaseUrl.EnsureTrailingSlash() + ProtocolRoutePaths.PushedAuthorization : mtlsEndpointGenerator.GetMtlsEndpointPath(ProtocolRoutePaths.PushedAuthorization);
-            var dpopContext = new DPoPProofValidatonContext
+            var dpopContext = new DPoPProofValidationContext
             {
                 ProofToken = context.DPoPProofToken,
                 ExpirationValidationMode = context.Client.DPoPValidationMode,
diff --git a/identity-server/src/IdentityServer/Validation/Default/TokenRequestValidator.cs b/identity-server/src/IdentityServer/Validation/Default/TokenRequestValidator.cs
index 2f587f26d..fe6af2d23 100644
--- a/identity-server/src/IdentityServer/Validation/Default/TokenRequestValidator.cs
+++ b/identity-server/src/IdentityServer/Validation/Default/TokenRequestValidator.cs
@@ -253,7 +253,7 @@ internal class TokenRequestValidator : ITokenRequestValidator
             }
 
             var tokenUrl = context.ClientCertificate == null ? _serverUrls.BaseUrl.EnsureTrailingSlash() + ProtocolRoutePaths.Token : _mtlsEndpointGenerator.GetMtlsEndpointPath(ProtocolRoutePaths.Token);
-            var dpopContext = new DPoPProofValidatonContext
+            var dpopContext = new DPoPProofValidationContext
             {
                 ExpirationValidationMode = _validatedRequest.Client.DPoPValidationMode,
                 ClientClockSkew = _validatedRequest.Client.DPoPClockSkew,
diff --git a/identity-server/src/IdentityServer/Validation/IDPoPProofValidator.cs b/identity-server/src/IdentityServer/Validation/IDPoPProofValidator.cs
index 12749d1fb..155e7d3e0 100644
--- a/identity-server/src/IdentityServer/Validation/IDPoPProofValidator.cs
+++ b/identity-server/src/IdentityServer/Validation/IDPoPProofValidator.cs
@@ -16,5 +16,5 @@ public interface IDPoPProofValidator
     /// </summary>
     /// <param name="context">The validation context.</param>
     /// <param name="ct">The cancellation token.</param>
-    Task<DPoPProofValidatonResult> ValidateAsync(DPoPProofValidatonContext context, Ct ct);
+    Task<DPoPProofValidationResult> ValidateAsync(DPoPProofValidationContext context, Ct ct);
 }
diff --git a/identity-server/src/IdentityServer/Validation/Models/DPoPProofValidatonResult.cs b/identity-server/src/IdentityServer/Validation/Models/DPoPProofValidationResult.cs
similarity index 96%
rename from identity-server/src/IdentityServer/Validation/Models/DPoPProofValidatonResult.cs
rename to identity-server/src/IdentityServer/Validation/Models/DPoPProofValidationResult.cs
index 14564714f..c03a28100 100644
--- a/identity-server/src/IdentityServer/Validation/Models/DPoPProofValidatonResult.cs
+++ b/identity-server/src/IdentityServer/Validation/Models/DPoPProofValidationResult.cs
@@ -9,7 +9,7 @@ namespace Duende.IdentityServer.Validation;
 /// <summary>
 /// Models the result of DPoP proof validation.
 /// </summary>
-public class DPoPProofValidatonResult : ValidationResult
+public class DPoPProofValidationResult : ValidationResult
 {
     /// <summary>
     /// The serialized JWK from the validated DPoP proof token.
diff --git a/identity-server/src/Storage/Extensions/PersistedGrantFilterExtensions.cs b/identity-server/src/Storage/Extensions/PersistedGrantFilterExtensions.cs
index 2f1401e03..ff9b592b6 100644
--- a/identity-server/src/Storage/Extensions/PersistedGrantFilterExtensions.cs
+++ b/identity-server/src/Storage/Extensions/PersistedGrantFilterExtensions.cs
@@ -20,11 +20,11 @@ public static class PersistedGrantFilterExtensions
         ArgumentNullException.ThrowIfNull(filter);
 
         if (string.IsNullOrWhiteSpace(filter.ClientId) &&
-            filter.ClientIds == null &&
+            filter.ClientIds.Count == 0 &&
             string.IsNullOrWhiteSpace(filter.SessionId) &&
             string.IsNullOrWhiteSpace(filter.SubjectId) &&
             string.IsNullOrWhiteSpace(filter.Type) &&
-            filter.Types == null)
+            filter.Types.Count == 0)
         {
             throw new ArgumentException("No filter values set.", nameof(filter));
         }
diff --git a/identity-server/src/Storage/Stores/PersistedGrantFilter.cs b/identity-server/src/Storage/Stores/PersistedGrantFilter.cs
index 2b91d2d83..ecb91235e 100644
--- a/identity-server/src/Storage/Stores/PersistedGrantFilter.cs
+++ b/identity-server/src/Storage/Stores/PersistedGrantFilter.cs
@@ -31,7 +31,7 @@ public class PersistedGrantFilter
     /// <summary>
     /// Client ids the grant was issued to.
     /// </summary>
-    public IReadOnlyCollection<string>? ClientIds { get; set; }
+    public IReadOnlyCollection<string> ClientIds { get; set; } = [];
 
     /// <summary>
     /// The type of grant.
@@ -41,5 +41,5 @@ public class PersistedGrantFilter
     /// <summary>
     /// The types of grants.
     /// </summary>
-    public IReadOnlyCollection<string>? Types { get; set; }
+    public IReadOnlyCollection<string> Types { get; set; } = [];
 }
diff --git a/identity-server/test/Directory.Build.props b/identity-server/test/Directory.Build.props
index f967d20c5..206b07847 100644
--- a/identity-server/test/Directory.Build.props
+++ b/identity-server/test/Directory.Build.props
@@ -5,5 +5,39 @@
   <Import Project="../identity-server.props" />
   <PropertyGroup>
     <IsIdSrvProject>true</IsIdSrvProject>
+    <Nullable>disable</Nullable><!-- TODO: enable nullable -->
+    <!-- TODO: Fix these in identity-server test code and remove suppressions -->
+    <NoWarn>$(NoWarn);CA1001</NoWarn><!-- Types that own disposable fields should be disposable -->
+    <NoWarn>$(NoWarn);CA1041</NoWarn><!-- Provide ObsoleteAttribute message -->
+    <NoWarn>$(NoWarn);CA1051</NoWarn><!-- Do not declare visible instance fields -->
+    <NoWarn>$(NoWarn);CA1304</NoWarn><!-- Specify CultureInfo -->
+    <NoWarn>$(NoWarn);CA1305</NoWarn><!-- Specify IFormatProvider -->
+    <NoWarn>$(NoWarn);CA1309</NoWarn><!-- Use ordinal StringComparison -->
+    <NoWarn>$(NoWarn);CA1310</NoWarn><!-- Specify StringComparison for correctness -->
+    <NoWarn>$(NoWarn);CA1311</NoWarn><!-- Specify a culture or use an invariant version -->
+    <NoWarn>$(NoWarn);CA1707</NoWarn><!-- Identifiers should not contain underscores -->
+    <NoWarn>$(NoWarn);CA1708</NoWarn><!-- Identifiers should differ by more than case -->
+    <NoWarn>$(NoWarn);CA1711</NoWarn><!-- Identifiers should not have incorrect suffix -->
+    <NoWarn>$(NoWarn);CA1716</NoWarn><!-- Identifiers should not match keywords -->
+    <NoWarn>$(NoWarn);CA1725</NoWarn><!-- Parameter names should match base declaration -->
+    <NoWarn>$(NoWarn);CA1805</NoWarn><!-- Do not initialize unnecessarily -->
+    <NoWarn>$(NoWarn);CA1806</NoWarn><!-- Do not ignore method results -->
+    <NoWarn>$(NoWarn);CA1816</NoWarn><!-- Call GC.SuppressFinalize correctly -->
+    <NoWarn>$(NoWarn);CA1822</NoWarn><!-- Mark members as static -->
+    <NoWarn>$(NoWarn);CA1825</NoWarn><!-- Avoid zero-length array allocations -->
+    <NoWarn>$(NoWarn);CA1829</NoWarn><!-- Use Length/Count property instead of Count() -->
+    <NoWarn>$(NoWarn);CA1835</NoWarn><!-- Prefer Memory-based overloads for ReadAsync/WriteAsync -->
+    <NoWarn>$(NoWarn);CA1850</NoWarn><!-- Prefer static HashData method over ComputeHash -->
+    <NoWarn>$(NoWarn);CA1852</NoWarn><!-- Seal internal types -->
+    <NoWarn>$(NoWarn);CA1859</NoWarn><!-- Use concrete types when possible for improved performance -->
+    <NoWarn>$(NoWarn);CA1860</NoWarn><!-- Avoid using Enumerable.Any() extension method -->
+    <NoWarn>$(NoWarn);CA1861</NoWarn><!-- Avoid constant arrays as arguments -->
+    <NoWarn>$(NoWarn);CA1863</NoWarn><!-- Cache and reuse CompositeFormat instances -->
+    <NoWarn>$(NoWarn);CA1864</NoWarn><!-- Prefer IDictionary.TryAdd(TKey, TValue) -->
+    <NoWarn>$(NoWarn);CA1869</NoWarn><!-- Cache and reuse JsonSerializerOptions instances -->
+    <NoWarn>$(NoWarn);CA1872</NoWarn><!-- Prefer Convert.ToHexString and Convert.ToHexStringLower -->
+    <NoWarn>$(NoWarn);CA2201</NoWarn><!-- Do not raise reserved exception types -->
+    <NoWarn>$(NoWarn);CA2211</NoWarn><!-- Non-constant fields should not be visible -->
+    <NoWarn>$(NoWarn);CA5350</NoWarn><!-- Do not use weak cryptographic algorithms -->
   </PropertyGroup>
 </Project>
diff --git a/identity-server/test/IdentityServer.IntegrationTests/Endpoints/Token/DPoPTokenEndpointTests.cs b/identity-server/test/IdentityServer.IntegrationTests/Endpoints/Token/DPoPTokenEndpointTests.cs
index f12363ae7..60d44eee0 100644
--- a/identity-server/test/IdentityServer.IntegrationTests/Endpoints/Token/DPoPTokenEndpointTests.cs
+++ b/identity-server/test/IdentityServer.IntegrationTests/Endpoints/Token/DPoPTokenEndpointTests.cs
@@ -444,7 +444,7 @@ public class DPoPTokenEndpointTests : DPoPEndpointTestBase
 
         public string ServerIssuedNonce { get; set; }
 
-        protected override async Task ValidateFreshnessAsync(DPoPProofValidatonContext context, DPoPProofValidatonResult result)
+        protected override async Task ValidateFreshnessAsync(DPoPProofValidationContext context, DPoPProofValidationResult result)
         {
             if (ServerIssuedNonce.IsPresent())
             {
diff --git a/identity-server/test/IdentityServer.UnitTests/Validation/DPoPProofValidatorTests.cs b/identity-server/test/IdentityServer.UnitTests/Validation/DPoPProofValidatorTests.cs
index 2e1657028..4cbaf945e 100644
--- a/identity-server/test/IdentityServer.UnitTests/Validation/DPoPProofValidatorTests.cs
+++ b/identity-server/test/IdentityServer.UnitTests/Validation/DPoPProofValidatorTests.cs
@@ -43,7 +43,7 @@ public class DPoPProofValidatorTests
         }
     }
 
-    private DPoPProofValidatonContext _context = new DPoPProofValidatonContext
+    private DPoPProofValidationContext _context = new DPoPProofValidationContext
     {
         ClientClockSkew = TimeSpan.Zero,
         Url = "https://identityserver/connect/token",
diff --git a/ignore-this/src/Directory.Build.props b/ignore-this/src/Directory.Build.props
index de732b89c..5f4f4a12f 100644
--- a/ignore-this/src/Directory.Build.props
+++ b/ignore-this/src/Directory.Build.props
@@ -5,7 +5,6 @@
   <Import Project="../../src.props" />
 
   <PropertyGroup>
-    <Nullable>enable</Nullable>
     <Product>Duende IgnoreThis</Product>
     <MinVerTagPrefix>it-</MinVerTagPrefix>
     <MinVerMinimumMajorMinor>0.1</MinVerMinimumMajorMinor>
diff --git a/ignore-this/src/IgnoreThis/IgnoreThis.csproj b/ignore-this/src/IgnoreThis/IgnoreThis.csproj
index 309182e16..42d495c52 100644
--- a/ignore-this/src/IgnoreThis/IgnoreThis.csproj
+++ b/ignore-this/src/IgnoreThis/IgnoreThis.csproj
@@ -1,7 +1,6 @@
 <Project Sdk="Microsoft.NET.Sdk">
   <PropertyGroup>
     <TargetFramework>net10.0</TargetFramework>
-    <Nullable>enable</Nullable>
     <GenerateDocumentationFile>true</GenerateDocumentationFile>
     <PackageId>Duende.IgnoreThis</PackageId>
     <AssemblyName>$(PackageId)</AssemblyName>
diff --git a/ignore-this/test/Directory.Build.props b/ignore-this/test/Directory.Build.props
index 689890199..5371b278d 100644
--- a/ignore-this/test/Directory.Build.props
+++ b/ignore-this/test/Directory.Build.props
@@ -1,7 +1,4 @@
 <Project>
   <Import Project="$([MSBuild]::GetPathOfFileAbove('Directory.Build.props', '$(MSBuildThisFileDirectory)..\'))" />
   <Import Project="../../test.props" />
-  <PropertyGroup>
-    <Nullable>enable</Nullable>
-  </PropertyGroup>
 </Project>
diff --git a/products.slnx b/products.slnx
index 101ad3ab5..fde8d558d 100644
--- a/products.slnx
+++ b/products.slnx
@@ -11,12 +11,6 @@
   <Folder Name="/aspnetcore-authentication-jwtbearer/test/">
     <Project Path="aspnetcore-authentication-jwtbearer/test/AspNetCore.Authentication.JwtBearer.Tests/AspNetCore.Authentication.JwtBearer.Tests.csproj" />
   </Folder>
-  <Folder Name="/conformance-report/src/">
-    <Project Path="conformance-report/src/ConformanceReport/ConformanceReport.csproj" />
-  </Folder>
-  <Folder Name="/conformance-report/test/">
-    <Project Path="conformance-report/test/ConformanceReport.Tests/ConformanceReport.Tests.csproj" />
-  </Folder>
   <Folder Name="/bff/hosts/">
     <Project Path="bff/hosts/Hosts.AppHost/Hosts.AppHost.csproj" />
     <Project Path="bff/hosts/Hosts.Bff.DPoP/Hosts.Bff.DPoP.csproj" />
@@ -43,6 +37,10 @@
   <Folder Name="/bff/migrations/">
     <Project Path="bff/migrations/UserSessionDb/UserSessionDb.csproj" />
   </Folder>
+  <Folder Name="/bff/performance/">
+    <Project Path="bff/performance/Bff.Benchmarks/Bff.Benchmarks.csproj" />
+    <Project Path="bff/performance/Bff.Performance/Bff.Performance.csproj" />
+  </Folder>
   <Folder Name="/bff/src/">
     <Project Path="bff/src/Bff.Blazor.Client/Bff.Blazor.Client.csproj" />
     <Project Path="bff/src/Bff.Blazor/Bff.Blazor.csproj" />
@@ -50,10 +48,6 @@
     <Project Path="bff/src/Bff.Yarp/Bff.Yarp.csproj" />
     <Project Path="bff/src/Bff/Bff.csproj" />
   </Folder>
-  <Folder Name="/bff/performance/">
-    <Project Path="bff/performance/Bff.Benchmarks/Bff.Benchmarks.csproj" />
-    <Project Path="bff/performance/Bff.Performance/Bff.Performance.csproj" />
-  </Folder>
   <Folder Name="/bff/templates/src/">
     <Project Path="bff/templates/src/BffLocalApi/BffLocalApi.csproj" />
     <Project Path="bff/templates/src/BffRemoteApi/BffRemoteApi.csproj" />
@@ -66,9 +60,15 @@
     <Project Path="bff/test/Bff.Tests/Bff.Tests.csproj" />
     <Project Path="bff/test/Hosts.Tests/Hosts.Tests.csproj" />
   </Folder>
+  <Folder Name="/conformance-report/src/">
+    <Project Path="conformance-report/src/ConformanceReport/ConformanceReport.csproj" />
+  </Folder>
+  <Folder Name="/conformance-report/test/">
+    <Project Path="conformance-report/test/ConformanceReport.Tests/ConformanceReport.Tests.csproj" />
+  </Folder>
   <Folder Name="/docs-mcp/">
-    <File Path="docs-mcp/README.md" />
     <Project Path="docs-mcp/src/Documentation.Mcp/Documentation.Mcp.csproj" />
+    <File Path="docs-mcp/README.md" />
   </Folder>
   <Folder Name="/docs-mcp/.config/">
     <File Path="docs-mcp/.config/dotnet-tools.json" />
diff --git a/shared/ShouldlyExtensions/ShouldlyExtensions.csproj b/shared/ShouldlyExtensions/ShouldlyExtensions.csproj
index c4188b665..660a006b8 100644
--- a/shared/ShouldlyExtensions/ShouldlyExtensions.csproj
+++ b/shared/ShouldlyExtensions/ShouldlyExtensions.csproj
@@ -3,7 +3,6 @@
   <PropertyGroup>
     <AnalysisMode>None</AnalysisMode>
     <ManagePackageVersionsCentrally>false</ManagePackageVersionsCentrally>
-    <Nullable>enable</Nullable>
     <IsTestProject>false</IsTestProject>
     <RootNamespace>Shouldly</RootNamespace>
   </PropertyGroup>
diff --git a/shared/Xunit.Playwright/Xunit.Playwright.csproj b/shared/Xunit.Playwright/Xunit.Playwright.csproj
index e967e28ff..e9e37cea5 100644
--- a/shared/Xunit.Playwright/Xunit.Playwright.csproj
+++ b/shared/Xunit.Playwright/Xunit.Playwright.csproj
@@ -1,7 +1,6 @@
 <Project Sdk="Microsoft.NET.Sdk">
   <PropertyGroup>
     <AnalysisMode>None</AnalysisMode>
-    <Nullable>enable</Nullable>
     <AssemblyName>Duende.Xunit.Playwright</AssemblyName>
     <RootNamespace>Duende.Xunit.Playwright</RootNamespace>
     <IsTestProject>false</IsTestProject>
diff --git a/src.props b/src.props
index 37f8f20a4..a2d731bb9 100644
--- a/src.props
+++ b/src.props
@@ -1,33 +1,26 @@
-<?xml version="1.0" encoding="utf-8"?>
 <Project>
   <PropertyGroup>
-    <IsTestProject>false</IsTestProject>
-    <IsPackable>true</IsPackable>
-    <CompilerGeneratedFilesOutputPath>Generated</CompilerGeneratedFilesOutputPath>
-    <EmitCompilerGeneratedFiles>true</EmitCompilerGeneratedFiles>
-
-    <!--NuGet-->
-    <PackageRequireLicenseAcceptance>true</PackageRequireLicenseAcceptance>
-    <!-- TODO - Verify that license is included in nuget packages -->
-    <PackageLicenseFile>LICENSE</PackageLicenseFile>
-    <PackageIcon>icon.png</PackageIcon>
-    <PackageProjectUrl>https://github.com/duendesoftware/products</PackageProjectUrl>
-    <PackageReleaseNotes>https://github.com/duendesoftware/products/releases</PackageReleaseNotes>
-    <PackageReadmeFile>README.md</PackageReadmeFile>
-
-    <!--Minver-->
     <BUILD_NUMBER Condition="'$(BUILD_NUMBER)' == ''">0</BUILD_NUMBER>
+    <CompilerGeneratedFilesOutputPath>Generated</CompilerGeneratedFilesOutputPath><!-- TODO: move to Directory.Build.props -->
+    <EmitCompilerGeneratedFiles>true</EmitCompilerGeneratedFiles><!-- TODO: move to Directory.Build.props -->
+    <IsPackable>true</IsPackable>
     <MinVerBuildMetadata>build.$(BUILD_NUMBER)</MinVerBuildMetadata>
-    <MinVerAutoIncrement>patch</MinVerAutoIncrement>
-
-    <AllowedOutputExtensionsInPackageBuildOutputFolder>$(AllowedOutputExtensionsInPackageBuildOutputFolder);.pdb</AllowedOutputExtensionsInPackageBuildOutputFolder>
-    <TargetLatestRuntimePatch>true</TargetLatestRuntimePatch>
-    <EmbedUntrackedSources>true</EmbedUntrackedSources>
-    <PublishRepositoryUrl>true</PublishRepositoryUrl>
-
+    <PackageIcon>icon.png</PackageIcon>
+    <PackageLicenseFile>LICENSE</PackageLicenseFile><!-- TODO: verify license is included in packages -->
+    <PackageProjectUrl>https://github.com/duendesoftware/products</PackageProjectUrl>
+    <PackageReadmeFile>README.md</PackageReadmeFile>
     <PackageReadmePath>../../README.md</PackageReadmePath>
+    <PackageReleaseNotes>https://github.com/duendesoftware/products/releases</PackageReleaseNotes>
+    <PackageRequireLicenseAcceptance>true</PackageRequireLicenseAcceptance>
   </PropertyGroup>
 
+  <!-- TODO: check which of these properties are actually required -->
+  <PropertyGroup Label="SourceLink">
+    <AllowedOutputExtensionsInPackageBuildOutputFolder>$(AllowedOutputExtensionsInPackageBuildOutputFolder);.pdb</AllowedOutputExtensionsInPackageBuildOutputFolder>
+    <EmbedUntrackedSources>true</EmbedUntrackedSources>
+    <PublishRepositoryUrl>true</PublishRepositoryUrl>
+    <TargetLatestRuntimePatch>true</TargetLatestRuntimePatch>
+  </PropertyGroup>
 
   <PropertyGroup>
     <NoWarn>$(NoWarn);RS0016</NoWarn><!-- Add public types and members to the declared API -->
@@ -41,8 +34,7 @@
 
   <ItemGroup>
     <None Include="../../../icon.png" Pack="true" Visible="false" PackagePath="" />
-    <None Include="$(PackageReadmePath)" Pack="true" PackagePath="" />
     <None Include="../../../LICENSE" Pack="true" PackagePath="" />
+    <None Include="$(PackageReadmePath)" Pack="true" PackagePath="" />
   </ItemGroup>
-
 </Project>
diff --git a/templates/build/build.csproj b/templates/build/build.csproj
index 7562235a5..b08af2dc4 100644
--- a/templates/build/build.csproj
+++ b/templates/build/build.csproj
@@ -2,7 +2,6 @@
 
   <PropertyGroup>
     <OutputType>Exe</OutputType>
-    <Nullable>enable</Nullable>
     <NoWarn>$(NoWarn);CA1303</NoWarn>
   </PropertyGroup>
 
diff --git a/templates/templates.csproj b/templates/templates.csproj
index e64bdc9bd..d414b0aaa 100644
--- a/templates/templates.csproj
+++ b/templates/templates.csproj
@@ -8,6 +8,7 @@
 
     <IsTestProject>false</IsTestProject>
     <IsPackable>true</IsPackable>
+    <Nullable>disable</Nullable><!-- TODO: enable nullable -->
 
     <PackageId>Duende.Templates</PackageId>
     <Description>Templates for Duende Identity Server and Duende BFF </Description>
diff --git a/test.props b/test.props
index 57275d6e1..77c540734 100644
--- a/test.props
+++ b/test.props
@@ -8,66 +8,10 @@
     <OutputType>exe</OutputType>
     <!-- Enable Microsoft Testing Platform command line experience for code coverage support -->
     <UseMicrosoftTestingPlatformRunner>true</UseMicrosoftTestingPlatformRunner>
-    <!-- Suppress analyzer rules inappropriate for test projects -->
-    <!-- CA1000: No static members on generic types — generic test fixtures commonly use static helpers -->
-    <!-- CA1001: Types owning disposable fields should be disposable — test classes rely on xunit lifecycle -->
-    <!-- CA1002: Use Collection<T> instead of List<T> — test fixtures use List<T> for convenience -->
-    <!-- CA1003: Use generic EventHandler — test infrastructure uses Action delegates -->
-    <!-- CA1012: Abstract types should not have public constructors — test base classes need public ctors for xunit -->
-    <!-- CA1024: Use properties where appropriate — test helpers use Get methods for clarity -->
-    <!-- CA1031: Catch more specific exception — test infrastructure intentionally catches all exceptions -->
-    <!-- CA1033: Explicit interface implementation — test mocks use explicit interface impls without sealing -->
-    <!-- CA1041: Provide ObsoleteAttribute message — test methods use [Obsolete] to skip without message -->
-    <!-- CA1051: Do not declare visible instance fields — test base classes expose fields for subclasses -->
-    <!-- CA1052: Static holder types should be static — test classes with only static [Fact] methods are common -->
-    <!-- CA1054/CA1055/CA1056: URI parameters/return/properties should not be strings — test helpers use strings -->
-    <!-- CA1062: Validate public method parameters — test code relies on xunit for argument validation -->
-    <!-- CA1063: Implement IDisposable correctly — test infrastructure uses simplified disposal patterns -->
-    <!-- CA1304/CA1305/CA1307/CA1308/CA1309/CA1310/CA1311: Locale/culture/ordinal rules — not critical in test code -->
-    <!-- CA1508: Avoid dead conditional code — tests intentionally verify always-true/false conditions -->
-    <!-- CA1515: Make class internal — test classes must be public for xunit discovery -->
-    <!-- CA1707: Identifiers should not contain underscores — snake_case test method names are conventional -->
-    <!-- CA1708: Namespace names differ only by case — test namespaces mirror SUT folder structure (V2 vs v2) -->
-    <!-- CA1711: Identifiers should not have incorrect suffix — xunit [CollectionDefinition] requires 'Collection' suffix -->
-    <!-- CA1716: Reserved language keyword in namespace — test namespaces use 'Default' to mirror SUT structure -->
-    <!-- CA1724: Type names should not match namespaces — test types like TestHost commonly shadow framework namespaces -->
-    <!-- CA1725: Parameter names should match base — test overrides use abbreviated names (ct) -->
-    <!-- CA1805: Do not initialize unnecessarily — clarity preferred in test code -->
-    <!-- CA1806: Return value not used / object instantiated but not used — tests verify ctor exceptions -->
-    <!-- CA1810: Initialize static fields when declared — test classes use static ctors for complex initialization -->
-    <!-- CA1812: Internal class never instantiated — test classes instantiated via DI/reflection -->
-    <!-- CA1816: Call GC.SuppressFinalize — test infrastructure uses simplified disposal patterns -->
-    <!-- CA1820: Test for empty strings using Length — test code uses == "" for readability -->
-    <!-- CA1822: Mark members as static — test helper methods may be non-static by convention -->
-    <!-- CA1823: Unused fields — test fixture fields may be assigned but not directly referenced -->
-    <!-- CA1825: Avoid zero-length array allocations — test code uses new T[0] for clarity -->
-    <!-- CA1829: Use Count property — test code prioritizes readability over perf -->
-    <!-- CA1835: Use Memory-based overloads — test code uses simpler byte[] overloads -->
-    <!-- CA1848: Use LoggerMessage delegates — test infrastructure uses simple logging -->
-    <!-- CA1849: Call async methods in async context — test infrastructure may use sync APIs intentionally -->
-    <!-- CA1850: Prefer static hash methods — test code uses instance SHA256 for readability -->
-    <!-- CA1851: Possible multiple enumerations — test assertions may enumerate multiple times intentionally -->
-    <!-- CA1852: Type can be sealed — test infrastructure classes are not sealed for flexibility -->
-    <!-- CA1859: Change return type for perf — test code prioritizes interface-based design over perf -->
-    <!-- CA1860: Use Count > 0 instead of Any() — test code prioritizes readability -->
-    <!-- CA1861: Prefer static readonly arrays — test code prioritizes inline readability -->
-    <!-- CA1863: Cache CompositeFormat — test code uses string.Format with inline format strings -->
-    <!-- CA1864: Use TryAdd — test code uses ContainsKey+Add for clarity -->
-    <!-- CA1866: Use char overload — not critical in test code -->
-    <!-- CA1869: Cache JsonSerializerOptions — test code creates options inline for clarity -->
-    <!-- CA1872: Prefer Convert.ToHexString — test code uses BitConverter.ToString for readability -->
-    <!-- CA2000: Dispose objects before losing scope — test code manages disposal differently -->
-    <!-- CA2016: Forward CancellationToken — test infrastructure may intentionally not propagate -->
-    <!-- CA2201: Do not raise reserved exception types — test infrastructure may throw Exception -->
-    <!-- CA2211: Non-constant visible fields — test base classes expose mutable static fields -->
-    <!-- CA2213: Dispose IDisposable fields — test classes rely on xunit lifecycle for cleanup -->
-    <!-- CA2227: Collection properties should be read only — test DTOs need setters -->
-    <!-- CA2234: Pass Uri instead of string — test code uses string URLs for readability -->
-    <!-- CA2254: Logging template should not vary — test infrastructure builds templates dynamically -->
-    <!-- CA5350: Weak cryptographic algorithm — test code uses TripleDES to validate SAML interop scenarios -->
-    <NoWarn>$(NoWarn);CA1000;CA1001;CA1002;CA1003;CA1012;CA1024;CA1031;CA1033;CA1041;CA1051;CA1052;CA1054;CA1055;CA1056;CA1062;CA1063;CA1304;CA1305;CA1307;CA1308;CA1309;CA1310;CA1311;CA1508;CA1515;CA1707;CA1708;CA1711;CA1716;CA1724;CA1725;CA1805;CA1806;CA1810;CA1812;CA1816;CA1820;CA1822;CA1823;CA1825;CA1829;CA1835;CA1848;CA1849;CA1850;CA1851;CA1852;CA1859;CA1860;CA1861;CA1863;CA1864;CA1866;CA1869;CA1872;CA2000;CA2016;CA2201;CA2211;CA2213;CA2227;CA2234;CA2254;CA5350</NoWarn>
   </PropertyGroup>
-
+  <PropertyGroup>
+    <NoWarn>$(NoWarn);CA1707</NoWarn><!-- Identifiers should not contain underscores -->
+  </PropertyGroup>
   <ItemGroup>
     <PackageReference Include="coverlet.collector" />
     <PackageReference Include="MartinCostello.Logging.XUnit.v3" />