diff --git a/.codecov.yml b/.codecov.yml
index d583a98..5084f68 100644
--- a/.codecov.yml
+++ b/.codecov.yml
@@ -1,5 +1,6 @@
 # SPDX-FileCopyrightText: 2019 Comcast Cable Communications Management, LLC
 # SPDX-License-Identifier: Apache-2.0
+---
 coverage:
   range: 50..80
   round: down
@@ -10,4 +11,4 @@ ignore:
   - "vendor"
 
 fixes:
-  - "github.com/xmidt-org/scytale/::"
\ No newline at end of file
+  - "github.com/xmidt-org/scytale/::"
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index b81804c..8764f8b 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2019 Comcast Cable Communications Management, LLC
+# SPDX-FileCopyrightText: 2023 Comcast Cable Communications Management, LLC
 # SPDX-License-Identifier: Apache-2.0
 ---
 version: 2
@@ -7,13 +7,14 @@ updates:
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
-      # Check for updates to GitHub Actions every week
+      # Check for updates to GitHub Actions every day
       interval: "daily"
     labels:
       - "dependencies"
     commit-message:
       prefix: "chore"
       include: "scope"
+    open-pull-requests-limit: 10
 
   - package-ecosystem: gomod
     directory: /
@@ -22,5 +23,6 @@ updates:
     labels:
       - "dependencies"
     commit-message:
-      prefix: "feat"
+      prefix: "chore"
       include: "scope"
+    open-pull-requests-limit: 10
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8e6f614..fc35884 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -23,4 +23,5 @@ jobs:
     uses: xmidt-org/shared-go/.github/workflows/ci.yml@c9c75b3fd850c64594bcdc7181b4f7557675faed # v4.4.0
     with:
       release-type:   program
+      yaml-lint-skip: false
     secrets: inherit
diff --git a/.release/docker/scytale_spruce.yaml b/.release/docker/scytale_spruce.yaml
index 94bdce1..71de604 100644
--- a/.release/docker/scytale_spruce.yaml
+++ b/.release/docker/scytale_spruce.yaml
@@ -344,7 +344,7 @@ service:
 
     chrysom:
       listen:
-        # pullInterval is how often to call argus to update the list of 
+        # pullInterval is how often to call argus to update the list of
         # inactive datacenters.
         pullInterval:  (( grab $ARGUS_PULL_INTERVAL || "5s" ))
 
@@ -385,7 +385,7 @@ service:
     # (Optional) defaults to 10
     datacenterRetries: 3
 
-    # DatacenterWatchInterval is the interval at which scytale checks for a change 
+    # DatacenterWatchInterval is the interval at which scytale checks for a change
     # in active datacenters.
     datacenterWatchInterval: 10s
 
diff --git a/.release/helm/scytale/templates/scytale.yaml b/.release/helm/scytale/templates/scytale.yaml
index a5f1567..05e3b6e 100644
--- a/.release/helm/scytale/templates/scytale.yaml
+++ b/.release/helm/scytale/templates/scytale.yaml
@@ -1,5 +1,6 @@
 # SPDX-FileCopyrightText: 2019 Comcast Cable Communications Management, LLC
 # SPDX-License-Identifier: Apache-2.0
+---
 apiVersion: v1
 data:
   scytale.yaml: |
@@ -382,5 +383,3 @@ spec:
       imagePullSecrets:
         - name: {{ .Values.imagePullSecretName }}}
       {{ end }}
-      
-
diff --git a/.release/helm/scytale/values.yaml b/.release/helm/scytale/values.yaml
index 793e5bc..6806029 100644
--- a/.release/helm/scytale/values.yaml
+++ b/.release/helm/scytale/values.yaml
@@ -1,6 +1,7 @@
 # SPDX-FileCopyrightText: 2019 Comcast Cable Communications Management, LLC
 # SPDX-License-Identifier: Apache-2.0
 # Default values for scytale.
+---
 scytale:
   # docker image used
   image: xmidt/scytale
@@ -23,9 +24,7 @@ pprof:
 metric:
   address:
     host: ""
-    port: "6303"  
+    port: "6303"
 
 # Pull secret used when images are stored in a private repository
 # imagePullSecretName:
-
-
diff --git a/.yamllint.yml b/.yamllint.yml
new file mode 100644
index 0000000..74c7e81
--- /dev/null
+++ b/.yamllint.yml
@@ -0,0 +1,38 @@
+# SPDX-FileCopyrightText: 2024 Comcast Cable Communications Management, LLC
+# SPDX-License-Identifier: Apache-2.0
+---
+
+extends: default
+
+ignore:
+  - .release/helm/scytale/templates/scytale.yaml
+
+rules:
+  braces:
+    level: warning
+    max-spaces-inside: 1
+  brackets:
+    level: warning
+    max-spaces-inside: 1
+  colons:
+    level: warning
+    max-spaces-after: -1
+  commas:
+    level: warning
+  comments: disable
+  comments-indentation: disable
+  document-start:
+    present: true
+  empty-lines:
+    max: 2
+  hyphens:
+    max-spaces-after: 1
+  indentation:
+    level: error
+    indent-sequences: consistent
+  line-length:
+    level: warning
+    max: 90
+    allow-non-breakable-words: true
+    allow-non-breakable-inline-mappings: true
+  truthy: disable
diff --git a/scytale.yaml b/scytale.yaml
index 55bc36f..9e52438 100644
--- a/scytale.yaml
+++ b/scytale.yaml
@@ -191,7 +191,7 @@ zap:
   level: DEBUG
 
   # DisableCaller stops annotating logs with the calling function's file
-	# name and line number. By default, all logs are annotated.
+  # name and line number. By default, all logs are annotated.
   disableCaller: true
 
   # EncoderConfig sets options for the chosen encoder. See
@@ -291,7 +291,7 @@ jwtValidator:
   Config:
     Resolve:
       # Template is a URI template used to fetch keys.  This template may
-	    # use a single parameter named keyID, e.g. http://keys.com/{keyID}.
+      # use a single parameter named keyID, e.g. http://keys.com/{keyID}.
       # This field is required and has no default.
       Template: "http://localhost/{keyID}"
     Refresh:
@@ -304,21 +304,21 @@ jwtValidator:
         - URI: "http://localhost"
 
 # capabilityCheck provides the details needed for checking an incoming JWT's
-# capabilities.  If the type of check isn't provided, no checking is done.  The 
-# type can be "monitor" or "enforce".  If it is empty or a different value, no 
-# checking is done.  If "monitor" is provided, the capabilities are checked but 
-# the request isn't rejected when there isn't a valid capability for the 
-# request. Instead, a message is logged.  When "enforce" is provided, a request 
+# capabilities.  If the type of check isn't provided, no checking is done.  The
+# type can be "monitor" or "enforce".  If it is empty or a different value, no
+# checking is done.  If "monitor" is provided, the capabilities are checked but
+# the request isn't rejected when there isn't a valid capability for the
+# request. Instead, a message is logged.  When "enforce" is provided, a request
 # that doesn't have the needed capability is rejected.
 #
 # The capability is expected to have the format:
 #
 # {prefix}{endpoint}:{method}
 #
-# The prefix can be a regular expression.  If it's empty, no capability check 
+# The prefix can be a regular expression.  If it's empty, no capability check
 # is done.  The endpoint is a regular expression that should match the endpoint
-# the request was sent to. The method is usually the method of the request, such as 
-# GET.  The accept all method is a catchall string that indicates the capability 
+# the request was sent to. The method is usually the method of the request, such as
+# GET.  The accept all method is a catchall string that indicates the capability
 # is approved for all methods.
 # (Optional)
 # capabilityCheck:
@@ -326,10 +326,10 @@ jwtValidator:
 #   type: "enforce"
 #   # prefix provides the regex to match the capability before the endpoint.
 #   prefix: "prefix Here"
-#   # acceptAllMethod provides a way to have a capability that allows all 
+#   # acceptAllMethod provides a way to have a capability that allows all
 #   # methods for a specific endpoint.
 #   acceptAllMethod: "all"
-#   # endpointBuckets provides regular expressions to use against the request 
+#   # endpointBuckets provides regular expressions to use against the request
 #   # endpoint in order to group requests for a metric label.
 #   endpointBuckets:
 #     - "hook\\b"
@@ -397,7 +397,7 @@ service:
   #
   #   chrysom:
   #     listen:
-  #       # pullInterval is how often to call argus to update the list of 
+  #       # pullInterval is how often to call argus to update the list of
   #       # inactive datacenters.
   #       pullInterval: "5s"
   #
@@ -421,7 +421,7 @@ service:
   #         #   "": ""
   #
   #         # authURL is the URL to access for the token.
-  #         authURL: 
+  #         authURL:
   #
   #         # timeout is how long the request to get the token will take before
   #         # timing out.
@@ -437,7 +437,7 @@ service:
   #   # (Optional) defaults to 10
   #   datacenterRetries: 3
   #
-  #   # DatacenterWatchInterval is the interval at which scytale checks for a change 
+  #   # DatacenterWatchInterval is the interval at which scytale checks for a change
   #   # in active datacenters.
   #   datacenterWatchInterval: 10s
   #
@@ -539,7 +539,7 @@ tracing:
   # endpoint is where trace information should be routed. Applies to otlp, zipkin, and jaegar. OTLP/gRPC uses port 4317 by default.
   # OTLP/HTTP uses port 4318 by default.
   # endpoint: "localhost:4317"
-  
+
   # ParentBased and NoParent dictate if and when new spans should be created.
   # ParentBased = "ignore" (default), tracing is effectively turned off and the "NoParent" value is ignored
   # ParentBased = "honor", the sampling decision is made by the parent of the span