diff --git a/.markdownlint-cli2.jsonc b/.markdownlint-cli2.jsonc
index 90ab893..a0bacf6 100644
--- a/.markdownlint-cli2.jsonc
+++ b/.markdownlint-cli2.jsonc
@@ -19,6 +19,9 @@
 
     // Code blocks - fenced only
     "MD046": { "style": "fenced" },  // code-block-style
+    // NOTE: MD040 only checks for missing language on opening fence.
+    // It does NOT catch malformed closing fences with language specifiers (e.g., ```plaintext).
+    // Custom pre-commit hook required to enforce proper closing fence syntax.
 
     // Formatting - strict whitespace
     "MD009": true,  // no-hard-tabs
@@ -73,7 +76,7 @@
     "MD035": false,  // hr-style (consistent)
     "MD036": false,  // no-emphasis-as-heading
     "MD044": false,  // proper-names
-    "MD060": false   // table-column-style (formatting preference)
+    "MD060": true    // table-column-style (enforce proper table formatting)
   },
 
   // Documentation patterns
@@ -93,6 +96,7 @@
     ".coder/**",
     ".claude/**",
     ".wrks/**",
-    ".vale/**"
+    ".vale/**",
+    "extensions/providers/*/kcl/docs/**"
   ]
 }
diff --git a/.typedialog/ci/README.md b/.typedialog/ci/README.md
index e4a2c1d..d4799e1 100644
--- a/.typedialog/ci/README.md
+++ b/.typedialog/ci/README.md
@@ -209,7 +209,7 @@ Resources are searched in priority order:
 ### Affected Resources
 
 | Resource | Local Path | Tools Path |
-|----------|------------|------------|
+| ---------- | ------------ | ------------ |
 | Fragments | `.typedialog/ci/fragments/` | `$TOOLS_PATH/dev-system/ci/forms/fragments/` |
 | Schemas | `.typedialog/ci/schemas/` | `$TOOLS_PATH/dev-system/ci/schemas/` |
 | Validators | `.typedialog/ci/validators/` | `$TOOLS_PATH/dev-system/ci/validators/` |
diff --git a/.typedialog/platform/forms/fragments/constraint_interpolation_guide.md b/.typedialog/platform/forms/fragments/constraint_interpolation_guide.md
index a7c0b5b..a93a682 100644
--- a/.typedialog/platform/forms/fragments/constraint_interpolation_guide.md
+++ b/.typedialog/platform/forms/fragments/constraint_interpolation_guide.md
@@ -32,7 +32,7 @@ prompt = "Field Label"
 ### Orchestrator Fragments
 
 | Fragment | Field | Constraint Path | Min | Max |
-|----------|-------|-----------------|-----|-----|
+| ---------- | ------- | ----------------- | ----- | ----- |
 | `queue-section.toml` | `queue_max_concurrent_tasks` | `orchestrator.queue.concurrent_tasks` | 1 | 100 |
 | `queue-section.toml` | `queue_retry_attempts` | `orchestrator.queue.retry_attempts` | 0 | 10 |
 | `queue-section.toml` | `queue_retry_delay` | `orchestrator.queue.retry_delay` | 1000 | 60000 |
@@ -54,7 +54,7 @@ prompt = "Field Label"
 ### Control Center Fragments
 
 | Fragment | Field | Constraint Path | Min | Max |
-|----------|-------|-----------------|-----|-----|
+| ---------- | ------- | ----------------- | ----- | ----- |
 | `security-section.toml` | `jwt_token_expiration` | `control_center.jwt.token_expiration` | 300 | 604800 |
 | `security-section.toml` | `jwt_refresh_expiration` | `control_center.jwt.refresh_expiration` | 3600 | 2592000 |
 | `security-section.toml` | `rate_limiting_max_requests` | `control_center.rate_limiting.max_requests` | 10 | 10000 |
@@ -77,7 +77,7 @@ prompt = "Field Label"
 ### MCP Server Fragments
 
 | Fragment | Field | Constraint Path | Min | Max |
-|----------|-------|-----------------|-----|-----|
+| ---------- | ------- | ----------------- | ----- | ----- |
 | `tools-section.toml` | `tools_max_concurrent` | `mcp_server.tools.max_concurrent` | 1 | 20 |
 | `tools-section.toml` | `tools_timeout` | `mcp_server.tools.timeout` | 5000 | 600000 |
 | `prompts-section.toml` | `prompts_max_templates` | `mcp_server.prompts.max_templates` | 1 | 100 |
@@ -94,7 +94,7 @@ prompt = "Field Label"
 ### Common/Shared Fragments
 
 | Fragment | Field | Constraint Path | Min | Max |
-|----------|-------|-----------------|-----|-----|
+| ---------- | ------- | ----------------- | ----- | ----- |
 | `server-section.toml` | `server_port` | `common.server.port` | 1024 | 65535 |
 | `server-section.toml` | `server_workers` | `common.server.workers` | 1 | 32 |
 | `server-section.toml` | `server_max_connections` | `common.server.max_connections` | 10 | 10000 |
@@ -115,7 +115,7 @@ prompt = "Field Label"
 ### Installer Fragments
 
 | Fragment | Field | Constraint Path | Min | Max |
-|----------|-------|-----------------|-----|-----|
+| ---------- | ------- | ----------------- | ----- | ----- |
 | `target-section.toml` | `remote_ssh_port` | `common.server.port` | 1024 | 65535 |
 | `preflight-section.toml` | `min_disk_gb` | `deployment.solo.disk_gb.min` (mode-dependent) | Variable | Variable |
 | `preflight-section.toml` | `min_memory_gb` | `deployment.solo.memory_mb.min` (mode-dependent) | Variable | Variable |
diff --git a/.vale/styles/write-good/README.md b/.vale/styles/write-good/README.md
index fe806cb..40f7dc1 100644
--- a/.vale/styles/write-good/README.md
+++ b/.vale/styles/write-good/README.md
@@ -24,4 +24,4 @@ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
-```plaintext
+```
diff --git a/.woodpecker/README.md b/.woodpecker/README.md
index ef0b6c6..d4ee51d 100644
--- a/.woodpecker/README.md
+++ b/.woodpecker/README.md
@@ -71,7 +71,7 @@ git push origin main
 ## Differences from GitHub Actions
 
 | Feature | GitHub Actions | Woodpecker CI |
-|---------|---------------|---------------|
+| --------- | --------------- | --------------- |
 | Matrix builds | ✅ 3 OS | ❌ Linux only* |
 | Caching | ✅ Built-in | ⚠️  Server-side** |
 
diff --git a/SECURITY.md b/SECURITY.md
index 48e83a6..02b830f 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -96,6 +96,6 @@ Security fixes are highlighted in CHANGELOG.md with [SECURITY] prefix.
 - [Rust Security](https://www.rust-lang.org/governance/security-disclosures)
 - [npm Security](https://docs.npmjs.com/about-npm/security)
 
-## Questions?
+## Questions
 
 If you have security questions (not vulnerabilities), open a discussion or issue with the `security` label.
diff --git a/bootstrap/README.md b/bootstrap/README.md
index b2c2fbd..12e0c1c 100644
--- a/bootstrap/README.md
+++ b/bootstrap/README.md
@@ -14,7 +14,7 @@ cd provisioning
 
 # Run bootstrap
 ./provisioning/bootstrap/install.sh
-```plaintext
+```
 
 ### What it Does (7 Stages)
 
@@ -32,13 +32,13 @@ cd provisioning
 
 ```bash
 ./provisioning/bootstrap/install.sh
-```plaintext
+```
 
 ### Nushell Direct
 
 ```bash
 nu provisioning/bootstrap/install.nu $(pwd)
-```plaintext
+```
 
 ## Requirements
 
@@ -75,12 +75,12 @@ workspace_librecloud/
 ├── .providers/                    ← Provider state
 ├── .taskservs/                    ← Task service data
 └── .clusters/                     ← Cluster data
-```plaintext
+```
 
 ## Differences from Rust Installer
 
 | Feature | Rust Installer | Bash+Nushell Bootstrap |
-|---------|-----------------|------------------------|
+| --------- | ----------------- | ------------------------ |
 | **Requires compilation** | ✅ Yes (5+ min) | ❌ No |
 | **Flexible** | ⚠️ Limited | ✅ Fully scriptable |
 | **Source code** | ❌ Binary | ✅ Clear scripts |
@@ -105,13 +105,13 @@ sudo apt install nushell
 sudo yum install nushell
 
 # Or: https://nushell.sh/book/installation.html
-```plaintext
+```
 
 ### "Docker not installed"
 
 ```bash
 # https://docs.docker.com/get-docker/
-```plaintext
+```
 
 ### "Rust not installed"
 
@@ -119,7 +119,7 @@ sudo yum install nushell
 # https://rustup.rs/
 curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
 rustup default stable
-```plaintext
+```
 
 ### "Configuration validation failed"
 
@@ -132,7 +132,7 @@ vim workspace_librecloud/config/config.ncl
 
 # Re-run bootstrap
 ./provisioning/bootstrap/install.sh
-```plaintext
+```
 
 ### "Orchestrator didn't start"
 
@@ -146,7 +146,7 @@ cd provisioning/platform/orchestrator
 
 # Check health
 curl http://localhost:9090/health
-```plaintext
+```
 
 ## After Bootstrap
 
@@ -191,7 +191,7 @@ print "────────────────────────
 
 print "  ✅ Done"
 print ""
-```plaintext
+```
 
 ### Modify Existing Stages
 
@@ -208,7 +208,7 @@ provisioning/bootstrap/
 ├── validators.nu           # Validation helpers (future)
 ├── generators.nu           # Generator helpers (future)
 └── README.md              # This file
-```plaintext
+```
 
 ## Comparison to Old Rust Installer
 
diff --git a/deny.toml b/deny.toml
index a6a8652..279d3b2 100644
--- a/deny.toml
+++ b/deny.toml
@@ -1,23 +1,12 @@
-# Generated by dev-system/ci
-# Configuration for cargo-deny
+# Cargo-deny configuration
 # See: https://embarkstudios.github.io/cargo-deny/
 
 [advisories]
-# The path where the advisory database is cloned/fetched into
 db-path = "~/.cargo/advisory-db"
-# The url(s) of the advisory databases to use
 db-urls = ["https://github.com/rustsec/advisory-db"]
-# How to handle crates with security vulnerabilities
-vulnerability = "deny"
-# How to handle unmaintained crates
-unmaintained = "warn"
-# How to handle crates that have been yanked from crates.io
-yanked = "warn"
 
 [licenses]
-# The lint level for crates which do not have a detectable license
 unlicensed = "deny"
-# List of explicitly allowed licenses
 allow = [
     "MIT",
     "MIT-0",
@@ -28,47 +17,11 @@ allow = [
     "ISC",
     "Unicode-DFS-2016",
 ]
-# List of explicitly disallowed licenses
-deny = [
-    "GPL-2.0",
-    "GPL-3.0",
-    "AGPL-3.0",
-]
-# Lint level for licenses considered copyleft
-copyleft = "warn"
-# Blanket approval or denial for OSI-approved or FSF Free/Libre licenses
-allow-osi-fsf-free = "both"
-# Lint level used when no other predicates are matched
-default = "deny"
 
 [bans]
-# Lint level for when multiple versions of the same crate are detected
 multiple-versions = "warn"
-# Lint level for when an allow-listed crate is detected without an exact version
-allow = [
-    # Each entry can be just the name and an optional wildcard version.
-    # This would ideally be pulled from Cargo.lock deps to keep up to date
-    # but that is more complex. It depends on the use case.
-]
-# Each entry must be a single version number
-deny = [
-    # Each entry is a crate name. Optionally with a version
-]
-# Certain crates/versions that will be skipped when doing duplicate detection
-skip = [
-    # { name = "ansi_term", version = "<= 0.11.0" }
-]
-# Similarly named crates that are allowed to coexist
-skip-tree = [
-    # { name = "windows", version = "<=0.46.0" }
-]
 
 [sources]
-# Lint level for what to happen when a crate from a crate registry that is not in the allow list is detected
 unknown-registry = "deny"
-# Lint level for what to happen when a crate from a Git repository that is not in the allow list is detected
 unknown-git = "deny"
-# The allow list of crate registries
 allow-registry = ["https://github.com/rust-lang/crates.io-index"]
-# The allow list of Git repositories
-allow-git = []
diff --git a/examples/complete-workflow.md b/examples/complete-workflow.md
index 183f8a7..7f576a1 100644
--- a/examples/complete-workflow.md
+++ b/examples/complete-workflow.md
@@ -29,7 +29,7 @@ cd /Users/Akasha/project-provisioning
 
 # Verify installation
 kcl list packages | grep provisioning
-```plaintext
+```
 
 ## Step 2: Create Workspace
 
@@ -43,7 +43,7 @@ cd workspace/infra/production-k8s
 
 # Verify structure
 tree -a .
-```plaintext
+```
 
 Expected output:
 
@@ -61,7 +61,7 @@ Expected output:
 ├── tmp/
 ├── resources/
 └── clusters/
-```plaintext
+```
 
 ## Step 3: Discover Available Modules
 
@@ -77,7 +77,7 @@ Expected output:
 
 # Check output formats
 ../../../provisioning/core/cli/module-loader discover taskservs --format json
-```plaintext
+```
 
 ## Step 4: Load Required Modules
 
@@ -91,7 +91,7 @@ Expected output:
 # Verify loading
 ../../../provisioning/core/cli/module-loader list taskservs .
 ../../../provisioning/core/cli/module-loader list providers .
-```plaintext
+```
 
 Check generated files:
 
@@ -103,7 +103,7 @@ cat providers.k
 # Check manifest
 cat .manifest/taskservs.yaml
 cat .manifest/providers.yaml
-```plaintext
+```
 
 ## Step 5: Configure Infrastructure
 
@@ -284,7 +284,7 @@ production_servers: [server.Server] = [
     settings = k8s_settings
     servers = production_servers
 }
-```plaintext
+```
 
 ## Step 6: Validate Configuration
 
@@ -297,7 +297,7 @@ kcl run servers.k
 
 # Check workspace info
 ../../../provisioning/tools/workspace-init.nu . info
-```plaintext
+```
 
 ## Step 7: Configure Provider Credentials
 
@@ -335,7 +335,7 @@ upcloud_defaults: defaults.ServerDefaults = {
 
 upcloud_defaults
 EOF
-```plaintext
+```
 
 ## Step 8: Deploy Infrastructure
 
@@ -348,7 +348,7 @@ EOF
 
 # Monitor server creation
 ../../../provisioning/core/cli/provisioning server list --infra .
-```plaintext
+```
 
 ## Step 9: Install Taskservs
 
@@ -361,7 +361,7 @@ EOF
 
 # Install Cilium CNI
 ../../../provisioning/core/cli/provisioning taskserv create cilium --infra .
-```plaintext
+```
 
 ## Step 10: Verify Cluster
 
@@ -377,7 +377,7 @@ kubectl get services -A
 # Test Cilium connectivity
 cilium status
 cilium connectivity test
-```plaintext
+```
 
 ## Step 11: Deploy Sample Application
 
@@ -394,7 +394,7 @@ kubectl expose deployment nginx --port=80 --type=ClusterIP -n test-app
 # Verify deployment
 kubectl get pods -n test-app
 kubectl get services -n test-app
-```plaintext
+```
 
 ## Step 12: Cluster Management
 
@@ -408,7 +408,7 @@ kubectl get services -n test-app
 # Deploy monitoring stack
 ../../../provisioning/core/cli/provisioning taskserv create prometheus --infra .
 ../../../provisioning/core/cli/provisioning taskserv create grafana --infra .
-```plaintext
+```
 
 ## Step 13: Backup and Documentation
 
@@ -436,7 +436,7 @@ cat > cluster-info.md << 'EOF'
 - upcloud (cloud provider)
 
 ## Management Commands
-```bash
+```
 # SSH to master
 ../../../provisioning/core/cli/provisioning server ssh k8s-master-01 --infra .
 
@@ -455,7 +455,7 @@ cp -r . ../production-k8s-backup-$(date +%Y%m%d)
 git add .
 git commit -m "Initial Kubernetes cluster deployment with package system"
 
-```plaintext
+```
 
 ## Troubleshooting
 
@@ -467,7 +467,7 @@ git commit -m "Initial Kubernetes cluster deployment with package system"
 
 # Check generated imports
 cat taskservs.k
-```plaintext
+```
 
 ### KCL Compilation Issues
 
@@ -477,7 +477,7 @@ kcl check servers.k
 
 # Validate specific schemas
 kcl run --dry-run servers.k
-```plaintext
+```
 
 ### Provider Authentication Issues
 
@@ -487,7 +487,7 @@ cat .providers/upcloud/provision_upcloud.k
 
 # Verify credentials
 ../../../provisioning/core/cli/provisioning server price --provider upcloud
-```plaintext
+```
 
 ### Kubernetes Setup Issues
 
@@ -497,7 +497,7 @@ tail -f tmp/k8s-deployment/kubernetes-*.log
 
 # Verify SSH connectivity
 ../../../provisioning/core/cli/provisioning server ssh k8s-master-01 --infra . --command "systemctl status kubelet"
-```plaintext
+```
 
 ## Next Steps
 
diff --git a/examples/workspaces/multi-region-ha/README.md b/examples/workspaces/multi-region-ha/README.md
index b4d8680..cb502dd 100644
--- a/examples/workspaces/multi-region-ha/README.md
+++ b/examples/workspaces/multi-region-ha/README.md
@@ -588,7 +588,7 @@ aws ec2 start-instances --region ap-southeast-1 --instance-ids i-1234567890abcde
 ### Monthly Cost Breakdown
 
 | Component | US East | EU Central | Asia Pacific | Total |
-|-----------|---------|-----------|--------------|-------|
+| ----------- | --------- | ----------- | -------------- | ------- |
 | Compute | $72 | €62.70 | $80 | $242.70 |
 | Database | $30 | Read Replica | $30 | $60 |
 | Load Balancer | Free | ~$10 | ~$20 | ~$30 |