diff --git a/powershell/Maester.Format.ps1xml b/powershell/Maester.Format.ps1xml
index 57eb7dd89..dfeeddb68 100644
--- a/powershell/Maester.Format.ps1xml
+++ b/powershell/Maester.Format.ps1xml
@@ -103,6 +103,28 @@
                   }
                 </ScriptBlock>
               </ListItem>
+              <ListItem>
+                <ItemSelectionCondition>
+                  <ScriptBlock>
+                    $null -ne $_.GitHub
+                  </ScriptBlock>
+                </ItemSelectionCondition>
+                <Label>GitHub</Label>
+                <ScriptBlock>
+                  if ($_.GitHub) {
+                    $connectedText = if ($_.GitHub.Connected) { 'Connected' } else { 'Not connected' }
+                    "$connectedText`n" +
+                    "Organization:                       $($_.GitHub.Organization)`n" +
+                    "Token Login:                        $($_.GitHub.TokenLogin)`n" +
+                    "API Base URI:                       $($_.GitHub.ApiBaseUri)`n" +
+                    "Role:                               $($_.GitHub.Role)`n" +
+                    "Role State:                         $($_.GitHub.RoleState)`n" +
+                    "Administration Permission Verified: $($_.GitHub.AdministrationPermissionVerified)`n"
+                  } else {
+                    ''
+                  }
+                </ScriptBlock>
+              </ListItem>
             </ListItems>
           </ListEntry>
         </ListEntries>
diff --git a/powershell/Maester.psd1 b/powershell/Maester.psd1
index a8142ff5c..2a9110241 100644
--- a/powershell/Maester.psd1
+++ b/powershell/Maester.psd1
@@ -57,9 +57,9 @@
     # Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export.
     FunctionsToExport    = @(
         'Add-MtMaesterAppFederatedCredential', 'Add-MtTestResultDetail', 'Clear-MtDnsCache', 'Clear-MtExoCache',
-        'Clear-MtGraphCache', 'Compare-MtJsonObject', 'Compare-MtTestResult', 'Connect-Maester', 'Convert-MtResultsToFlatObject',
+        'Clear-MtGraphCache', 'Compare-MtJsonObject', 'Compare-MtTestResult', 'Connect-Maester', 'Connect-MtGitHub', 'Convert-MtResultsToFlatObject',
         'ConvertFrom-MailAuthenticationRecordDkim', 'ConvertFrom-MailAuthenticationRecordDmarc',
-        'ConvertFrom-MailAuthenticationRecordMx', 'ConvertFrom-MailAuthenticationRecordSpf', 'Disconnect-Maester',
+        'ConvertFrom-MailAuthenticationRecordMx', 'ConvertFrom-MailAuthenticationRecordSpf', 'Disconnect-Maester', 'Disconnect-MtGitHub',
         'Get-MailAuthenticationRecord', 'Get-MtAdminPortalUrl', 'Get-MtAuthenticationMethodPolicyConfig',
         'Get-MtAzureManagementGroup', 'Get-MtConditionalAccessPolicy', 'Get-MtExo', 'Get-MtExoThreatPolicyMalware',
         'Get-MtGraphScope', 'Get-MtGroupMember', 'Get-MtHtmlReport', 'Get-MtLicenseInformation', 'Get-MtMaesterApp', 'Get-MtRole',
diff --git a/powershell/Maester.psm1 b/powershell/Maester.psm1
index 1cb989e9f..3dd22854f 100644
--- a/powershell/Maester.psm1
+++ b/powershell/Maester.psm1
@@ -25,6 +25,7 @@ $__MtSession = @{
 	DataverseApiBase = $null       # Resolved Dataverse OData API base URL (e.g. https://org123.api.crm.dynamics.com/api/data/v9.2)
 	DataverseResourceUrl = $null   # Dataverse resource URL for token acquisition (e.g. https://org123.crm.dynamics.com)
 	DataverseEnvironmentId = $null # Environment identifier for display (e.g. org123.crm.dynamics.com)
+	GitHubCache = @{}              # Per-session REST response cache; cleared each Invoke-Maester run
 }
 New-Variable -Name __MtSession -Value $__MtSession -Scope Script -Force
 
diff --git a/powershell/internal/Clear-ModuleVariable.ps1 b/powershell/internal/Clear-ModuleVariable.ps1
index 17879e660..bb456aabd 100644
--- a/powershell/internal/Clear-ModuleVariable.ps1
+++ b/powershell/internal/Clear-ModuleVariable.ps1
@@ -21,5 +21,8 @@
     Clear-MtExoCache
     $__MtSession.AIAgentInfo = $null
     $__MtSession.AzureDevOpsConnection = $null
+    # Do not clear GitHubConnection or GitHubAuthHeader — the user calls Connect-MtGitHub before
+    # Invoke-Maester; the session must persist across runs. Only the per-run cache is reset.
+    $__MtSession.GitHubCache = @{}
     # $__MtSession.Connections = @() # Do not clear connections as they are used to track the connection state. This module variable should only be set by Connect-Maester and Disconnect-Maester.
 }
diff --git a/powershell/internal/Get-MtGitHubErrorMessage.ps1 b/powershell/internal/Get-MtGitHubErrorMessage.ps1
new file mode 100644
index 000000000..6ce0b5659
--- /dev/null
+++ b/powershell/internal/Get-MtGitHubErrorMessage.ps1
@@ -0,0 +1,19 @@
+function Get-MtGitHubErrorMessage {
+    param([Parameter(Mandatory)] $ErrorRecord)
+    if (-not [string]::IsNullOrEmpty($ErrorRecord.ErrorDetails.Message)) {
+        try {
+            $parsed = $ErrorRecord.ErrorDetails.Message | ConvertFrom-Json -ErrorAction Stop
+            if ($parsed.PSObject.Properties.Name -contains 'message' -and
+                -not [string]::IsNullOrEmpty($parsed.message)) {
+                return $parsed.message
+            }
+        } catch {
+            Write-Debug "Get-MtGitHubErrorMessage: ErrorDetails.Message is not JSON, returning raw string."
+        }
+        return $ErrorRecord.ErrorDetails.Message
+    }
+    if (-not [string]::IsNullOrEmpty($ErrorRecord.Exception.Message)) {
+        return $ErrorRecord.Exception.Message
+    }
+    return ($ErrorRecord | Out-String)
+}
diff --git a/powershell/internal/Get-MtGitHubErrorStatusCode.ps1 b/powershell/internal/Get-MtGitHubErrorStatusCode.ps1
new file mode 100644
index 000000000..046d6c590
--- /dev/null
+++ b/powershell/internal/Get-MtGitHubErrorStatusCode.ps1
@@ -0,0 +1,11 @@
+function Get-MtGitHubErrorStatusCode {
+    param([Parameter(Mandatory)] $ErrorRecord)
+    try {
+        if ($ErrorRecord.Exception.Response -and $ErrorRecord.Exception.Response.StatusCode) {
+            return [int]$ErrorRecord.Exception.Response.StatusCode
+        }
+    } catch {
+        Write-Debug "Get-MtGitHubErrorStatusCode: $($_.Exception.Message)"
+    }
+    return $null
+}
diff --git a/powershell/internal/Get-MtGitHubRateLimitMessage.ps1 b/powershell/internal/Get-MtGitHubRateLimitMessage.ps1
new file mode 100644
index 000000000..f55609689
--- /dev/null
+++ b/powershell/internal/Get-MtGitHubRateLimitMessage.ps1
@@ -0,0 +1,75 @@
+function Get-MtGitHubRateLimitMessage {
+    <#
+    .SYNOPSIS
+    Internal: Returns a GitHub rate-limit message for an ErrorRecord, or $null when the
+    error is not a rate-limit response.
+
+    .DESCRIPTION
+    Mirrors the rate-limit detection in Invoke-MtGitHubRequest so that bootstrap callers
+    (Connect-MtGitHub) can distinguish HTTP 403/429 caused by rate limiting from
+    permission, token, or org-access failures.
+
+    Returns:
+      - "GitHub API rate limit encountered (HTTP <code>). Resets at: <time>" when the
+        response carries x-ratelimit-remaining = 0 (primary rate limit).
+      - "GitHub secondary rate limit encountered (HTTP <code>). Retry after: <n>s" when
+        the response carries retry-after (secondary rate limit / abuse detection).
+      - "GitHub secondary rate limit encountered (HTTP <code>). Retry after at least 60s."
+        when the response body indicates secondary-limit / abuse-detection wording but
+        no retry-after header is present.
+      - $null for any other error, including 403/429 without rate-limit headers.
+    #>
+    param(
+        [Parameter(Mandatory)] $ErrorRecord
+    )
+
+    $code = Get-MtGitHubErrorStatusCode -ErrorRecord $ErrorRecord
+    if ($code -notin 403, 429) { return $null }
+
+    $response = $null
+    try {
+        if ($null -ne $ErrorRecord.Exception) { $response = $ErrorRecord.Exception.Response }
+    } catch {
+        Write-Debug "Get-MtGitHubRateLimitMessage: $($_.Exception.Message)"
+    }
+    if ($null -eq $response) { return $null }
+
+    $headers = $null
+    try { $headers = $response.Headers } catch {
+        Write-Debug "Get-MtGitHubRateLimitMessage headers: $($_.Exception.Message)"
+    }
+    if ($null -eq $headers) { return $null }
+
+    $remaining = Get-MtGitHubResponseHeaderValue -Headers $headers -Name 'x-ratelimit-remaining'
+    $remainingValue = 0
+    $remainingParsed = $null -ne $remaining -and [int]::TryParse([string]$remaining, [ref]$remainingValue)
+    if ($remainingParsed -and $remainingValue -eq 0) {
+        $reset = Get-MtGitHubResponseHeaderValue -Headers $headers -Name 'x-ratelimit-reset'
+        $resetSeconds = 0L
+        $resetTime = 'unknown'
+        if ($null -ne $reset -and [long]::TryParse([string]$reset, [ref]$resetSeconds)) {
+            try { $resetTime = [DateTimeOffset]::FromUnixTimeSeconds($resetSeconds).LocalDateTime } catch {
+                Write-Debug "Get-MtGitHubRateLimitMessage reset conversion: $($_.Exception.Message)"
+            }
+        }
+        return "GitHub API rate limit encountered (HTTP $code). Resets at: $resetTime"
+    }
+
+    $retryAfter = Get-MtGitHubResponseHeaderValue -Headers $headers -Name 'retry-after'
+    if ($null -ne $retryAfter) {
+        return "GitHub secondary rate limit encountered (HTTP $code). Retry after: ${retryAfter}s"
+    }
+
+    # Some secondary-limit responses omit retry-after entirely (e.g. older abuse-detection
+    # responses, or responses where the proxy strips the header). Fall back to body wording -
+    # GitHub's documented messages include phrases like "secondary rate limit" and
+    # "abuse detection mechanism". When matched, recommend the 60-second minimum backoff
+    # documented at https://docs.github.com/en/rest/using-the-rest-api/rate-limits-for-the-rest-api.
+    $bodyMessage = Get-MtGitHubErrorMessage -ErrorRecord $ErrorRecord
+    if (-not [string]::IsNullOrEmpty($bodyMessage) -and
+        $bodyMessage -match '(?i)secondary\s+rate\s+limit|abuse\s+detection') {
+        return "GitHub secondary rate limit encountered (HTTP $code). Retry after at least 60s."
+    }
+
+    return $null
+}
diff --git a/powershell/internal/Get-MtGitHubResponseHeaderValue.ps1 b/powershell/internal/Get-MtGitHubResponseHeaderValue.ps1
new file mode 100644
index 000000000..37af59949
--- /dev/null
+++ b/powershell/internal/Get-MtGitHubResponseHeaderValue.ps1
@@ -0,0 +1,36 @@
+function Get-MtGitHubResponseHeaderValue {
+    param(
+        [Parameter()] $Headers,
+        [Parameter(Mandatory)] [string] $Name
+    )
+    if ($null -eq $Headers) { return $null }
+    # IDictionary covers PS 5.1 WebHeaderCollection and PS 7 Dictionary.
+    # Iterate keys with -ieq for case-insensitive match (plain hashtables are case-sensitive).
+    if ($Headers -is [System.Collections.IDictionary]) {
+        foreach ($key in $Headers.Keys) {
+            if ($key -ieq $Name) {
+                $value = $Headers[$key]
+                if ($value -is [array]) { return $value[0] }
+                return $value
+            }
+        }
+        return $null
+    }
+    # HttpResponseHeaders in PS 7 exposes GetValues / TryGetValues
+    if ($Headers.PSObject.Methods.Name -contains 'GetValues') {
+        try { return ($Headers.GetValues($Name) | Select-Object -First 1) } catch {
+            Write-Debug "Get-MtGitHubResponseHeaderValue GetValues: $($_.Exception.Message)"
+        }
+    }
+    if ($Headers.PSObject.Methods.Name -contains 'TryGetValues') {
+        try {
+            $values = $null
+            if ($Headers.TryGetValues($Name, [ref]$values)) {
+                return ($values | Select-Object -First 1)
+            }
+        } catch {
+            Write-Debug "Get-MtGitHubResponseHeaderValue TryGetValues: $($_.Exception.Message)"
+        }
+    }
+    return $null
+}
diff --git a/powershell/internal/Get-MtSkippedReason.ps1 b/powershell/internal/Get-MtSkippedReason.ps1
index 3e7c806ac..fb298dfbf 100644
--- a/powershell/internal/Get-MtSkippedReason.ps1
+++ b/powershell/internal/Get-MtSkippedReason.ps1
@@ -14,6 +14,7 @@
         "NotConnectedSecurityCompliance" { "Not connected to Security & Compliance. See [Connecting to Security & Compliance](https://maester.dev/docs/connect-maester/#connect-to-azure-exchange-online-and-teams)"; break}
         "NotConnectedTeams" { "Not connected to Teams. See [Connecting to Teams](https://maester.dev/docs/connect-maester/#connect-to-azure-exchange-online-and-teams)"; break}
         "NotConnectedAzureDevOps" { "Not connected to Azure DevOps. See [Connecting to Azure DevOps](https://maester.dev/docs/connect-maester/#connect-to-azure-devops-optional)"; break}
+        "NotConnectedGitHub" { "Not connected to GitHub. Call Connect-MtGitHub with a valid PAT and organization name. See [Connect-MtGitHub](https://maester.dev/docs/commands/Connect-MtGitHub)"; break}
         "NotConnectedGraph" { "Not connected to Graph. See [Connect-Maester](https://maester.dev/docs/commands/Connect-Maester#examples)"; break}
         "NotDotGovDomain" { "This test is only for federal, executive branch, departments and agencies. To override use [Test-MtCisaDmarcAggregateCisa -Force](https://maester.dev/docs/commands/Test-MtCisaDmarcAggregateCisa)"; break}
         "NotLicensedEntraIDP1" { "This test is for tenants that are licensed for Entra ID P1. See [Entra ID licensing](https://learn.microsoft.com/entra/fundamentals/licensing)"; break}
diff --git a/powershell/internal/Invoke-MtGitHubRequest.ps1 b/powershell/internal/Invoke-MtGitHubRequest.ps1
new file mode 100644
index 000000000..e11791e7a
--- /dev/null
+++ b/powershell/internal/Invoke-MtGitHubRequest.ps1
@@ -0,0 +1,152 @@
+function Invoke-MtGitHubRequest {
+    <#
+    .SYNOPSIS
+    Internal: Authenticated read-only GET request to GitHub REST API with caching and pagination.
+
+    .DESCRIPTION
+    Uses Invoke-WebRequest for PowerShell 5.1 compatibility (Invoke-RestMethod
+    -ResponseHeadersVariable is PowerShell 7+ only). Provides per-session caching,
+    explicit opt-in pagination, and rate-limit detection.
+
+    Cache key: ApiVersion|absoluteUri (cleared on reconnect and by Clear-ModuleVariable).
+    Rate-limit detection: checks x-ratelimit-remaining in both success and error responses.
+
+    .PARAMETER RelativeUri
+    Path relative to ApiBaseUri. URL-encode path segments with [Uri]::EscapeDataString.
+
+    .PARAMETER Paginate
+    Follows Link header rel="next" and appends per_page=100. Use for list endpoints only.
+
+    .PARAMETER DisableCache
+    Bypasses session cache; makes a live API call.
+    #>
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory = $true, Position = 0)]
+        [string] $RelativeUri,
+        [switch] $Paginate,
+        [switch] $DisableCache
+    )
+
+    if ($null -eq $__MtSession.GitHubConnection -or
+        $__MtSession.GitHubConnection.Connected -ne $true) {
+        throw "Not connected to GitHub. Call Connect-MtGitHub first."
+    }
+
+    $baseUri = $__MtSession.GitHubConnection.ApiBaseUri
+    $version = $__MtSession.GitHubConnection.ApiVersion
+    $headers = $__MtSession.GitHubAuthHeader
+
+    $absUri = "$baseUri/$($RelativeUri.TrimStart('/'))"
+    if ($Paginate -and $absUri -notmatch '[?&]per_page=') {
+        $sep = if ($absUri -match '\?') { '&' } else { '?' }
+        $absUri = "${absUri}${sep}per_page=100"
+    }
+
+    $cacheKey = "$version|$absUri"
+    if (-not $DisableCache -and $__MtSession.GitHubCache.ContainsKey($cacheKey)) {
+        Write-Verbose "GitHub cache hit: $absUri"
+        return $__MtSession.GitHubCache[$cacheKey]
+    }
+
+    function Invoke-Page ([string]$Uri) {
+        try {
+            $wr = Invoke-WebRequest -Uri $Uri -Headers $headers -Method GET -UseBasicParsing -ErrorAction Stop
+
+            $body = if (-not [string]::IsNullOrWhiteSpace($wr.Content)) {
+                # ConvertFrom-Json '[]' yields $null because it enumerates the (empty)
+                # array, so pagination can't distinguish "no items" from "one null item"
+                # without short-circuiting the empty-array case here.
+                if ($wr.Content.Trim() -eq '[]') {
+                    ,@()
+                } else {
+                    $wr.Content | ConvertFrom-Json
+                }
+            } else {
+                $null
+            }
+
+            # Rate-limit warning on successful response — do NOT throw; the response body is valid.
+            # TryParse rather than [int] cast: a malformed header (e.g. an upstream proxy
+            # rewriting the value) must not raise a parse exception that masks a successful response.
+            $remaining = Get-MtGitHubResponseHeaderValue -Headers $wr.Headers -Name 'x-ratelimit-remaining'
+            $remainingValue = 0
+            if ($null -ne $remaining -and [int]::TryParse([string]$remaining, [ref]$remainingValue) -and $remainingValue -eq 0) {
+                $reset = Get-MtGitHubResponseHeaderValue -Headers $wr.Headers -Name 'x-ratelimit-reset'
+                $resetValue = 0L
+                $resetTime = 'unknown'
+                if ($reset -and [long]::TryParse([string]$reset, [ref]$resetValue)) {
+                    # FromUnixTimeSeconds throws ArgumentOutOfRangeException for values
+                    # outside [-62135596800, 253402300799]. A bogus reset epoch must not
+                    # mask the successful response — fall back to 'unknown' instead.
+                    try {
+                        $resetTime = [DateTimeOffset]::FromUnixTimeSeconds($resetValue).LocalDateTime
+                    } catch {
+                        $resetTime = 'unknown'
+                    }
+                }
+                Write-Verbose "GitHub API rate limit remaining is 0 after this successful response. Resets at: $resetTime"
+            }
+
+            $linkHeader = Get-MtGitHubResponseHeaderValue -Headers $wr.Headers -Name 'Link'
+            return [PSCustomObject]@{ Body = $body; Link = $linkHeader }
+        } catch {
+            $rateLimitMessage = Get-MtGitHubRateLimitMessage -ErrorRecord $_
+            if ($rateLimitMessage) { throw $rateLimitMessage }
+            throw
+        }
+    }
+
+    function Get-NextLink ([string]$Link) {
+        if ([string]::IsNullOrEmpty($Link)) { return $null }
+        $m = [regex]::Match($Link, '<([^>]+)>;\s*rel="next"')
+        if ($m.Success) { return $m.Groups[1].Value }
+        return $null
+    }
+
+    # Refuse to follow a Link rel="next" that points outside the configured ApiBaseUri.
+    # A malicious or buggy upstream that injects a foreign URL would otherwise receive
+    # the Authorization header on a cross-origin request. Compare scheme + host + port
+    # + base path prefix so GHE bases like https://host/api/v3 are honored.
+    function Test-NextLinkSameOrigin ([string]$NextUri, [string]$BaseUri) {
+        $baseParsed = $null
+        $nextParsed = $null
+        if (-not [uri]::TryCreate($BaseUri, [UriKind]::Absolute, [ref]$baseParsed)) { return $false }
+        if (-not [uri]::TryCreate($NextUri, [UriKind]::Absolute, [ref]$nextParsed)) { return $false }
+        if ($baseParsed.Scheme -ne $nextParsed.Scheme) { return $false }
+        if (-not [string]::Equals($baseParsed.Host, $nextParsed.Host, [System.StringComparison]::OrdinalIgnoreCase)) { return $false }
+        if ($baseParsed.Port -ne $nextParsed.Port) { return $false }
+        $basePath = $baseParsed.AbsolutePath.TrimEnd('/')
+        $nextPath = $nextParsed.AbsolutePath
+        if ([string]::IsNullOrEmpty($basePath)) { return $true }
+        return $nextPath -eq $basePath -or $nextPath.StartsWith("$basePath/", [System.StringComparison]::Ordinal)
+    }
+
+    $first = Invoke-Page $absUri
+
+    if (-not $Paginate) {
+        $result = $first.Body
+    } else {
+        $all = [System.Collections.Generic.List[object]]::new()
+        # Filter $null per page so an empty-content or `[]` page does not contribute
+        # spurious null items to the merged result.
+        foreach ($item in @($first.Body)) {
+            if ($null -ne $item) { $all.Add($item) }
+        }
+        $next = Get-NextLink $first.Link
+        while ($null -ne $next) {
+            if (-not (Test-NextLinkSameOrigin -NextUri $next -BaseUri $baseUri)) {
+                throw "GitHub pagination refused: next link '$next' is outside the configured ApiBaseUri '$baseUri'."
+            }
+            $page = Invoke-Page $next
+            foreach ($item in @($page.Body)) {
+                if ($null -ne $item) { $all.Add($item) }
+            }
+            $next = Get-NextLink $page.Link
+        }
+        $result = $all.ToArray()
+    }
+
+    if (-not $DisableCache) { $__MtSession.GitHubCache[$cacheKey] = $result }
+    return $result
+}
diff --git a/powershell/public/Add-MtTestResultDetail.ps1 b/powershell/public/Add-MtTestResultDetail.ps1
index 93cff417e..290d70954 100644
--- a/powershell/public/Add-MtTestResultDetail.ps1
+++ b/powershell/public/Add-MtTestResultDetail.ps1
@@ -77,7 +77,7 @@
         [ValidateSet('NotConnectedAzure', 'NotConnectedExchange', 'NotConnectedGraph', 'NotDotGovDomain', 'NotLicensedEntraIDP1', 'NotConnectedSecurityCompliance', 'NotConnectedTeams',
             'NotLicensedEntraIDP2', 'NotLicensedEntraIDGovernance', 'NotLicensedEntraWorkloadID', 'NotLicensedExoDlp', "LicensedEntraIDPremium", 'NotSupported', 'Custom',
             'NotLicensedMdo', 'NotLicensedMdoP2', 'NotLicensedMdoP1', 'NotLicensedAdvAudit', 'NotLicensedEop', 'Error', 'NotSupportedAppPermission', 'LimitedPermissions', 'NotLicensedDefenderXDR',
-            'NotLicensedCustomerLockbox','NotAuthorized', 'NotLicensedIntune', 'NotConnectedAzureDevOps'
+            'NotLicensedCustomerLockbox','NotAuthorized', 'NotLicensedIntune', 'NotConnectedAzureDevOps', 'NotConnectedGitHub'
         )]
         [string] $SkippedBecause,
 
diff --git a/powershell/public/Disconnect-Maester.ps1 b/powershell/public/Disconnect-Maester.ps1
index 8918dd355..860b55168 100644
--- a/powershell/public/Disconnect-Maester.ps1
+++ b/powershell/public/Disconnect-Maester.ps1
@@ -11,6 +11,10 @@
     Disconnect-MgGraph
     ```
 
+    When invoked as Disconnect-Maester or Disconnect-MtMaester, also clears any active GitHub
+    REST session (token, connection metadata, per-session cache). The Disconnect-MtGraph alias
+    keeps its narrow Graph-only semantic and does NOT clear GitHub state.
+
     .Example
     Disconnect-MtGraph
 
@@ -27,26 +31,44 @@
    [CmdletBinding()]
    param()
 
-   if($__MtSession.Connections -contains "Graph" -or $__MtSession.Connections -contains "All"){
-      Write-Verbose -Message "Disconnecting from Microsoft Graph."
-      Disconnect-MgGraph
+   # Strip module qualifier (e.g. 'Maester\Disconnect-Maester') so module-qualified
+   # invocation still routes to the GitHub-clearing branch. PowerShell uses '\' for
+   # the qualifier on all OSes, so split on the literal char rather than Split-Path.
+   # Computed up-front so a failure in any service-disconnect call below cannot
+   # leave GitHub state behind: cleanup runs from the finally block.
+   $invokedAs = if ([string]::IsNullOrEmpty($MyInvocation.InvocationName)) {
+      $MyInvocation.MyCommand.Name
+   } else {
+      ($MyInvocation.InvocationName -split '\\')[-1]
    }
+   $shouldDisconnectGitHub = $invokedAs -iin @('Disconnect-Maester','Disconnect-MtMaester')
 
-   if($__MtSession.Connections -contains "Azure" -or $__MtSession.Connections -contains "Dataverse" -or $__MtSession.Connections -contains "All"){
-      Write-Verbose -Message "Disconnecting from Microsoft Azure."
-      try {
-         Disconnect-AzAccount -ErrorAction Stop | Out-Null
-      } catch {
-         Write-Verbose "Disconnect-AzAccount encountered an error: $($_.Exception.Message)"
+   try {
+      if($__MtSession.Connections -contains "Graph" -or $__MtSession.Connections -contains "All"){
+         Write-Verbose -Message "Disconnecting from Microsoft Graph."
+         Disconnect-MgGraph
       }
-   }
 
-   if($__MtSession.Connections -contains "ExchangeOnline" -or $__MtSession.Connections -contains "SecurityCompliance" -or $__MtSession.Connections -contains "All"){
-      Write-Verbose -Message "Disconnecting from Microsoft Exchange Online."
-      Disconnect-ExchangeOnline
-   }
-   if($__MtSession.Connections -contains "Teams" -or $__MtSession.Connections -contains "All"){
-      Write-Verbose -Message "Disconnecting from Microsoft Teams."
-      Disconnect-MicrosoftTeams
+      if($__MtSession.Connections -contains "Azure" -or $__MtSession.Connections -contains "Dataverse" -or $__MtSession.Connections -contains "All"){
+         Write-Verbose -Message "Disconnecting from Microsoft Azure."
+         try {
+            Disconnect-AzAccount -ErrorAction Stop | Out-Null
+         } catch {
+            Write-Verbose "Disconnect-AzAccount encountered an error: $($_.Exception.Message)"
+         }
+      }
+
+      if($__MtSession.Connections -contains "ExchangeOnline" -or $__MtSession.Connections -contains "SecurityCompliance" -or $__MtSession.Connections -contains "All"){
+         Write-Verbose -Message "Disconnecting from Microsoft Exchange Online."
+         Disconnect-ExchangeOnline
+      }
+      if($__MtSession.Connections -contains "Teams" -or $__MtSession.Connections -contains "All"){
+         Write-Verbose -Message "Disconnecting from Microsoft Teams."
+         Disconnect-MicrosoftTeams
+      }
+   } finally {
+      if ($shouldDisconnectGitHub) {
+         Disconnect-MtGitHub
+      }
    }
 }
diff --git a/powershell/public/core/Connect-MtGitHub.ps1 b/powershell/public/core/Connect-MtGitHub.ps1
new file mode 100644
index 000000000..c0b314084
--- /dev/null
+++ b/powershell/public/core/Connect-MtGitHub.ps1
@@ -0,0 +1,439 @@
+function Connect-MtGitHub {
+    <#
+    .SYNOPSIS
+    Establishes a GitHub Enterprise Cloud organization REST API session for Maester.
+
+    .DESCRIPTION
+    Establishes a GitHub Enterprise Cloud organization REST API session for Maester CIS
+    benchmark tests. This is an organization-scoped session, not a full enterprise-admin
+    session: enterprise-admin endpoints under /enterprises/{enterprise} are not verified
+    by this command and would require a future enterprise-access probe if CIS controls
+    need them.
+
+    Validates the PAT via four probes. The first three are blocking (any failure aborts
+    the connection); the fourth is non-blocking (failure emits a warning but the session
+    is still established):
+      1. GET /user                            — token identity (blocking)
+      2. GET /orgs/{org}                      — org metadata (blocking)
+      3. GET /orgs/{org}/memberships/{user}   — org-access proof, state + role (blocking)
+      4. GET /orgs/{org}/actions/permissions  — administration access probe (non-blocking)
+
+    The membership probe is the real access gate: /orgs/{org} returns public metadata
+    even for tokens with no relationship to the organization. A 4xx, malformed body,
+    or missing state/role on probe 3 aborts with FailureReason = 'OrgMembershipFailed'.
+    A successful response whose membership state is anything other than 'active'
+    (e.g. 'pending' for an invitation that has not been accepted) also aborts the
+    connection, with FailureReason = 'OrgMembershipPending' — only an active
+    membership proves the user can act on the organization.
+
+    Probe 4 verifies the token can reach an org-administration endpoint. GitHub
+    documents /orgs/{org}/actions/permissions as requiring classic PAT 'admin:org' or
+    fine-grained 'Organization Administration: read'. Failure here records
+    AdministrationPermissionVerified = $false and emits a warning, but does not flip
+    Connected to $false — the session remains usable for controls that don't require
+    org administration access.
+
+    On success, Role = 'admin' + RoleState = 'active' + AdministrationPermissionVerified
+    = $true is the no-warning path. Other active roles (member, billing_manager, etc.)
+    or admin-probe failure still connect but emit warnings indicating limited CIS
+    coverage. Non-active membership states do not connect at all.
+
+    Token resolution order:
+      1. -Token parameter (SecureString)
+      2. MAESTER_GITHUB_TOKEN environment variable
+      3. GH_TOKEN environment variable (GitHub CLI convention)
+
+    Required permissions:
+      Classic PAT:        admin:org
+      Fine-grained PAT:   Organization Members: read + Organization Administration: read
+      Required role for full coverage: organization owner/admin
+
+    Note: Connection success proves token validity and org access, not that all
+    CIS control fields will be visible. Each CIS test validates field availability
+    and skips with an informative message if required fields are absent.
+
+    .PARAMETER Organization
+    GitHub organization login name. Falls back to GitHubOrganization in maester-config.json.
+
+    .PARAMETER Token
+    PAT as SecureString. Falls back to MAESTER_GITHUB_TOKEN or GH_TOKEN env vars.
+
+    .PARAMETER ApiBaseUri
+    GitHub API base URI. Falls back to GitHubApiBaseUri config, then https://api.github.com.
+    Set to https://api.{subdomain}.ghe.com for GHE.com EMU deployments.
+
+    .PARAMETER ApiVersion
+    GitHub REST API version date. Falls back to GitHubApiVersion config, then 2022-11-28.
+    GitHub defaults requests without X-GitHub-Api-Version to 2022-11-28.
+
+    .EXAMPLE
+    Connect-MtGitHub -Organization 'mycompany'
+
+    .EXAMPLE
+    Connect-MtGitHub -Organization 'mycompany' -ApiBaseUri 'https://api.myco.ghe.com'
+
+    .LINK
+    https://maester.dev/docs/commands/Connect-MtGitHub
+    #>
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingWriteHost', '', Justification = 'Consistent with other Connect-* functions')]
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory = $false)]
+        [string] $Organization,
+
+        [Parameter(Mandatory = $false)]
+        [securestring] $Token,
+
+        [Parameter(Mandatory = $false)]
+        [string] $ApiBaseUri,
+
+        [Parameter(Mandatory = $false)]
+        [string] $ApiVersion
+    )
+
+    # Clear prior GitHub session state (prevents stale data on reconnect)
+    $__MtSession.GitHubConnection = $null
+    $__MtSession.GitHubAuthHeader = $null
+    $__MtSession.GitHubCache = @{}
+
+    # Lazy-load config once if MaesterConfig is not yet set and any config-backed parameter is
+    # omitted. This makes the config fallback work when Connect-MtGitHub is called before
+    # Invoke-Maester (the normal pre-run workflow). Get-MtMaesterConfig walks up to 5 parent
+    # directories from the given path, so it finds the config from anywhere in the test tree.
+    if ($null -eq $__MtSession.MaesterConfig -and (
+            [string]::IsNullOrWhiteSpace($Organization) -or
+            [string]::IsNullOrWhiteSpace($ApiBaseUri) -or
+            [string]::IsNullOrWhiteSpace($ApiVersion))) {
+        $__MtSession.MaesterConfig = Get-MtMaesterConfig -Path (Get-Location).Path
+    }
+
+    # Resolve organization (param -> config -> error)
+    if ([string]::IsNullOrWhiteSpace($Organization)) {
+        $Organization = Get-MtMaesterConfigGlobalSetting -SettingName 'GitHubOrganization'
+    }
+    if ([string]::IsNullOrWhiteSpace($Organization)) {
+        Write-Host "`nNo GitHub organization specified. Provide -Organization or set GitHubOrganization in maester-config.json." -ForegroundColor Red
+        $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $false; FailureReason = 'NotConfigured' }
+        return
+    }
+    # Surrounding whitespace from a config file or shell-quoted parameter would otherwise
+    # be URL-encoded into the probe paths and silently 404 against GitHub.
+    $Organization = $Organization.Trim()
+
+    # Resolve ApiBaseUri (param -> config -> default).
+    $resolvedApiBaseUri = $ApiBaseUri
+    if ([string]::IsNullOrWhiteSpace($resolvedApiBaseUri)) {
+        $configApiBaseUri = Get-MtMaesterConfigGlobalSetting -SettingName 'GitHubApiBaseUri'
+        if (-not [string]::IsNullOrWhiteSpace($configApiBaseUri)) { $resolvedApiBaseUri = $configApiBaseUri }
+    }
+    if ([string]::IsNullOrWhiteSpace($resolvedApiBaseUri)) { $resolvedApiBaseUri = 'https://api.github.com' }
+    $resolvedApiBaseUri = $resolvedApiBaseUri.Trim().TrimEnd('/')
+
+    # Validate the fully-resolved URI. Done in-body (not via parameter [ValidatePattern]) so
+    # config-supplied values are checked too, and so an invalid value records InvalidApiBaseUri
+    # after the session-clearing logic at the top of this function rather than throwing before it.
+    # Host allowlist prevents the PAT from being sent to arbitrary HTTPS hosts: only the
+    # documented GitHub API endpoints — api.github.com (SaaS) and api.<subdomain>.ghe.com
+    # (GHE.com data residency) — are accepted. GHES on-prem is intentionally not supported.
+    $parsedUri = $null
+    if (-not [uri]::TryCreate($resolvedApiBaseUri, [UriKind]::Absolute, [ref]$parsedUri) -or $parsedUri.Scheme -cne 'https') {
+        Write-Host "`nGitHub API base URI must be an absolute https:// URI. Got: '$resolvedApiBaseUri'." -ForegroundColor Red
+        $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $false; FailureReason = 'InvalidApiBaseUri' }
+        return
+    }
+    $uriHost = $parsedUri.Host.ToLowerInvariant()
+    $isGitHubSaas = $uriHost -eq 'api.github.com'
+    $isGheCom     = $uriHost -match '^api\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.ghe\.com$'
+    $hasRootPath  = [string]::IsNullOrEmpty($parsedUri.AbsolutePath) -or $parsedUri.AbsolutePath -eq '/'
+    # Reject query strings, fragments, and non-default ports — none are valid for the
+    # GitHub API base, and accepting them would let an attacker-supplied config redirect
+    # the PAT to an unexpected listener (e.g. a debug proxy on :8443) while still passing
+    # the host allowlist.
+    $hasNoQuery    = [string]::IsNullOrEmpty($parsedUri.Query)
+    $hasNoFragment = [string]::IsNullOrEmpty($parsedUri.Fragment)
+    $hasDefaultPort = $parsedUri.IsDefaultPort
+    if (-not (($isGitHubSaas -or $isGheCom) -and $hasRootPath -and $hasNoQuery -and $hasNoFragment -and $hasDefaultPort)) {
+        Write-Host "`nGitHub API base URI must be https://api.github.com or https://api.<subdomain>.ghe.com (no path, query, fragment, or non-default port). Got: '$resolvedApiBaseUri'." -ForegroundColor Red
+        $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $false; FailureReason = 'InvalidApiBaseUri' }
+        return
+    }
+    $ApiBaseUri = $resolvedApiBaseUri
+
+    # Resolve ApiVersion (param -> config -> default). Validation runs on the resolved value
+    # so the same FailureReason path applies whether the bad value came from -ApiVersion or
+    # GitHubApiVersion config — a parameter [ValidatePattern] would otherwise throw before
+    # the session-clearing logic at the top of this function ran.
+    $resolvedApiVersion = $ApiVersion
+    if ([string]::IsNullOrWhiteSpace($resolvedApiVersion)) {
+        $configApiVersion = Get-MtMaesterConfigGlobalSetting -SettingName 'GitHubApiVersion'
+        if (-not [string]::IsNullOrWhiteSpace($configApiVersion)) { $resolvedApiVersion = $configApiVersion }
+    }
+    if ([string]::IsNullOrWhiteSpace($resolvedApiVersion)) { $resolvedApiVersion = '2022-11-28' }
+    $resolvedApiVersion = $resolvedApiVersion.Trim()
+
+    if ($resolvedApiVersion -notmatch '^\d{4}-\d{2}-\d{2}$') {
+        Write-Host "`nGitHub API version must use YYYY-MM-DD format. Got: '$resolvedApiVersion'." -ForegroundColor Red
+        $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $false; FailureReason = 'InvalidApiVersion' }
+        return
+    }
+    $ApiVersion = $resolvedApiVersion
+
+    # Resolve token (param -> MAESTER_GITHUB_TOKEN -> GH_TOKEN)
+    $plainToken = $null
+    $bstr = [IntPtr]::Zero
+    try {
+        if ($Token) {
+            $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Token)
+            $plainToken = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
+        } elseif (-not [string]::IsNullOrEmpty($env:MAESTER_GITHUB_TOKEN)) {
+            $plainToken = $env:MAESTER_GITHUB_TOKEN
+        } elseif (-not [string]::IsNullOrEmpty($env:GH_TOKEN)) {
+            $plainToken = $env:GH_TOKEN
+        }
+    } finally {
+        if ($bstr -ne [IntPtr]::Zero) { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
+    }
+    if ([string]::IsNullOrEmpty($plainToken)) {
+        Write-Host "`nNo GitHub token found. Provide -Token, or set MAESTER_GITHUB_TOKEN or GH_TOKEN." -ForegroundColor Red
+        $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $false; FailureReason = 'NoToken' }
+        return
+    }
+
+    # Auth headers — token stored here, NOT in the connection object
+    $authHeaders = @{
+        Authorization          = "Bearer $plainToken"
+        Accept                 = 'application/vnd.github+json'
+        'X-GitHub-Api-Version' = $ApiVersion
+        'User-Agent'           = 'Maester-GitHubCis'
+    }
+    Remove-Variable -Name plainToken -ErrorAction SilentlyContinue
+
+    # Probe 1: token identity
+    try {
+        $userResponse = Invoke-WebRequest -Uri "$ApiBaseUri/user" -Headers $authHeaders -Method GET -UseBasicParsing -ErrorAction Stop
+        $user = $userResponse.Content | ConvertFrom-Json
+        Write-Verbose "GitHub token identity: $($user.login)"
+    } catch {
+        $rateLimitMessage = Get-MtGitHubRateLimitMessage -ErrorRecord $_
+        if ($rateLimitMessage) {
+            Write-Host "`n$rateLimitMessage" -ForegroundColor Red
+            $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $false; FailureReason = 'RateLimited' }
+            return
+        }
+        $code   = Get-MtGitHubErrorStatusCode -ErrorRecord $_
+        $apiMsg = Get-MtGitHubErrorMessage    -ErrorRecord $_
+        # 410 = unsupported API version. 400 with a message about API/version support
+        # also indicates an unsupported X-GitHub-Api-Version header value — GitHub's
+        # documented wording includes "Not a supported version" and "version is not supported".
+        $isUnsupportedApiVersion = $code -eq 410 -or ($code -eq 400 -and $apiMsg -match '(?i)api\s+version|x-github-api-version|not\s+.*supported.*version|version.*not\s+.*supported')
+        if ($isUnsupportedApiVersion) {
+            Write-Host "`nGitHub API version '$ApiVersion' is not supported by GitHub. Update GitHubApiVersion or omit it to use the default." -ForegroundColor Red
+            $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $false; FailureReason = 'InvalidApiVersion' }
+            return
+        }
+        # $null status code means no HTTP response was produced (DNS failure, TLS handshake
+        # failure, connection refused, hostname unreachable). The PAT was never evaluated and
+        # the URI itself didn't resolve to a working endpoint — commonly a wrong GHE base URI.
+        if ($null -eq $code) {
+            Write-Host "`nGitHub API base URI '$ApiBaseUri' is not reachable (no response). Verify network connectivity, DNS/TLS, and the GitHubApiBaseUri value (use https://api.{subdomain}.ghe.com for GHE.com)." -ForegroundColor Red
+            $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $false; FailureReason = 'ApiBaseUriFailed' }
+            return
+        }
+        # 5xx means GitHub responded but the endpoint is failing — the URI is fine, the
+        # service is unavailable. Don't conflate with token or base-URI problems.
+        if ($code -ge 500 -and $code -le 599) {
+            Write-Host "`nGitHub API request failed (HTTP $code). The GitHub service may be temporarily unavailable; check https://www.githubstatus.com/ and retry." -ForegroundColor Red
+            $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $false; FailureReason = 'ApiUnavailable' }
+            return
+        }
+        if ($code -eq 401) {
+            Write-Host "`nGitHub token validation failed (HTTP 401). Verify the PAT is valid and not expired." -ForegroundColor Red
+            $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $false; FailureReason = 'TokenInvalid' }
+            return
+        }
+        Write-Host "`nGitHub token validation failed (HTTP $code). Verify the PAT is valid and not expired." -ForegroundColor Red
+        $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $false; FailureReason = 'TokenInvalid' }
+        return
+    }
+
+    # Probe 2: org access
+    $encodedOrg = [System.Uri]::EscapeDataString($Organization)
+    try {
+        $orgResponse = Invoke-WebRequest -Uri "$ApiBaseUri/orgs/$encodedOrg" -Headers $authHeaders -Method GET -UseBasicParsing -ErrorAction Stop
+        $orgData = $orgResponse.Content | ConvertFrom-Json
+    } catch {
+        $rateLimitMessage = Get-MtGitHubRateLimitMessage -ErrorRecord $_
+        if ($rateLimitMessage) {
+            Write-Host "`n$rateLimitMessage" -ForegroundColor Red
+            $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $false; FailureReason = 'RateLimited' }
+            return
+        }
+        $code = Get-MtGitHubErrorStatusCode -ErrorRecord $_
+        $apiMsg = Get-MtGitHubErrorMessage -ErrorRecord $_
+        # Same transport/5xx classification as /user — a probe that gets to the network can
+        # still fail for reasons unrelated to org access (DNS hiccup, partial outage), and
+        # those should report ApiBaseUriFailed / ApiUnavailable rather than OrgAccessFailed.
+        if ($null -eq $code) {
+            Write-Host "`nGitHub API base URI '$ApiBaseUri' is not reachable (no response) while probing /orgs/$Organization. Verify network connectivity, DNS/TLS, and the GitHubApiBaseUri value." -ForegroundColor Red
+            $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $false; FailureReason = 'ApiBaseUriFailed' }
+            return
+        }
+        if ($code -ge 500 -and $code -le 599) {
+            Write-Host "`nGitHub API request failed (HTTP $code) while probing /orgs/$Organization. The GitHub service may be temporarily unavailable; check https://www.githubstatus.com/ and retry." -ForegroundColor Red
+            $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $false; FailureReason = 'ApiUnavailable' }
+            return
+        }
+        $msg = switch ($code) {
+            403     { "Access denied (403). Verify the PAT has 'admin:org' scope and is used by an organization owner. GitHub API: $apiMsg" }
+            404     { "Organization '$Organization' not found (404). Check the organization login name. GitHub API: $apiMsg" }
+            default { "HTTP $code. $apiMsg" }
+        }
+        Write-Host "`nFailed to access GitHub organization: $msg" -ForegroundColor Red
+        $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $false; FailureReason = 'OrgAccessFailed' }
+        return
+    }
+
+    # Null-safe plan name (not visible for all token types/roles)
+    $planName = $null
+    if ($orgData.PSObject.Properties.Name -contains 'plan' -and $null -ne $orgData.plan) {
+        $planName = $orgData.plan.name
+    }
+
+    # Probe 3: org membership / role — blocking proof of org access.
+    # /orgs/{org} returns public org metadata even for tokens with no relationship to the org,
+    # so membership is the real access gate. Any failure here aborts the connection.
+    $role         = $null
+    $roleState    = $null
+    $roleWarning  = $null
+
+    $encodedLogin = [System.Uri]::EscapeDataString($user.login)
+    try {
+        $membershipResponse = Invoke-WebRequest -Uri "$ApiBaseUri/orgs/$encodedOrg/memberships/$encodedLogin" -Headers $authHeaders -Method GET -UseBasicParsing -ErrorAction Stop
+
+        $membershipData = $null
+        try {
+            $membershipData = $membershipResponse.Content | ConvertFrom-Json -ErrorAction Stop
+        } catch {
+            $membershipData = $null
+        }
+
+        $hasState = $null -ne $membershipData -and $membershipData.PSObject.Properties.Name -contains 'state' -and -not [string]::IsNullOrWhiteSpace([string]$membershipData.state)
+        $hasRole  = $null -ne $membershipData -and $membershipData.PSObject.Properties.Name -contains 'role'  -and -not [string]::IsNullOrWhiteSpace([string]$membershipData.role)
+
+        if (-not ($hasState -and $hasRole)) {
+            Write-Host "`nGitHub organization membership could not be verified: malformed response from /orgs/$Organization/memberships/$($user.login)." -ForegroundColor Red
+            $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $false; FailureReason = 'OrgMembershipFailed' }
+            return
+        }
+
+        $role      = [string]$membershipData.role
+        $roleState = [string]$membershipData.state
+
+        # Only an 'active' membership proves the user can actually act on the org.
+        # 'pending' (invitation not accepted) and any other non-active state should
+        # not be treated as a usable session — org-scoped controls would silently
+        # fail or report misleading data. Fail closed and do not retain auth state.
+        if ($roleState -ne 'active') {
+            Write-Host "`nGitHub organization membership is not active (state: '$roleState'). Accept the organization invitation in GitHub and reconnect." -ForegroundColor Red
+            $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $false; FailureReason = 'OrgMembershipPending' }
+            return
+        }
+
+        if ($role -ne 'admin') {
+            $roleWarning = "GitHub organization admin/owner permissions required for full CIS coverage. Current role: '$role'. Some controls may skip or report limited visibility."
+        }
+    } catch {
+        $rateLimitMessage = Get-MtGitHubRateLimitMessage -ErrorRecord $_
+        if ($rateLimitMessage) {
+            Write-Host "`n$rateLimitMessage" -ForegroundColor Red
+            $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $false; FailureReason = 'RateLimited' }
+            return
+        }
+        $code   = Get-MtGitHubErrorStatusCode -ErrorRecord $_
+        $apiMsg = Get-MtGitHubErrorMessage    -ErrorRecord $_
+        # Same transport/5xx classification as /user — separating "the network/service broke"
+        # from "the token cannot prove membership" matters for actionable diagnostics.
+        if ($null -eq $code) {
+            Write-Host "`nGitHub API base URI '$ApiBaseUri' is not reachable (no response) while probing membership for '$($user.login)' in '$Organization'." -ForegroundColor Red
+            $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $false; FailureReason = 'ApiBaseUriFailed' }
+            return
+        }
+        if ($code -ge 500 -and $code -le 599) {
+            Write-Host "`nGitHub API request failed (HTTP $code) while probing membership for '$($user.login)' in '$Organization'. Service may be temporarily unavailable; check https://www.githubstatus.com/ and retry." -ForegroundColor Red
+            $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $false; FailureReason = 'ApiUnavailable' }
+            return
+        }
+        $msg = switch ($code) {
+            403     { "Membership probe forbidden (403). The token cannot prove membership in '$Organization'. GitHub API: $apiMsg" }
+            404     { "User '$($user.login)' is not a member of organization '$Organization' (404). GitHub API: $apiMsg" }
+            default { "Membership probe failed (HTTP $code). $apiMsg" }
+        }
+        Write-Host "`nFailed to verify GitHub organization membership: $msg" -ForegroundColor Red
+        $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $false; FailureReason = 'OrgMembershipFailed' }
+        return
+    }
+
+    # Probe 4: organization administration access (non-blocking).
+    # /orgs/{org}/actions/permissions requires classic PAT 'admin:org' or fine-grained
+    # 'Organization Administration: read' — a closer match to the permissions needed by
+    # CIS org-admin controls than the membership endpoint. Failure here records the
+    # outcome and emits a warning, but does not flip Connected to $false.
+    $adminVerified           = $false
+    $adminFailureReason      = $null
+    $adminStatusCode         = $null
+    $adminAcceptedPermissions = $null
+    $adminWarning            = $null
+    try {
+        $adminResponse = Invoke-WebRequest -Uri "$ApiBaseUri/orgs/$encodedOrg/actions/permissions" -Headers $authHeaders -Method GET -UseBasicParsing -ErrorAction Stop
+        $adminVerified   = $true
+        $adminStatusCode = 200
+        if ($adminResponse.PSObject.Properties.Name -contains 'StatusCode' -and $null -ne $adminResponse.StatusCode) {
+            $adminStatusCode = [int]$adminResponse.StatusCode
+        }
+    } catch {
+        $adminStatusCode    = Get-MtGitHubErrorStatusCode -ErrorRecord $_
+        $adminApiMsg        = Get-MtGitHubErrorMessage    -ErrorRecord $_
+        $respHeaders        = $null
+        if ($null -ne $_.Exception -and $null -ne $_.Exception.Response) {
+            $respHeaders = $_.Exception.Response.Headers
+        }
+        $adminAcceptedPermissions = Get-MtGitHubResponseHeaderValue -Headers $respHeaders -Name 'x-accepted-github-permissions'
+        $adminRateLimitMessage = Get-MtGitHubRateLimitMessage -ErrorRecord $_
+        if ($adminRateLimitMessage) {
+            $adminFailureReason = $adminRateLimitMessage
+            $adminWarning = "GitHub organization administration API access was not verified due to a GitHub API rate limit. Detail: $adminRateLimitMessage"
+        } else {
+            $adminFailureReason = switch ($adminStatusCode) {
+                403     { "HTTP 403 from /orgs/$Organization/actions/permissions. $adminApiMsg" }
+                404     { "HTTP 404 from /orgs/$Organization/actions/permissions. $adminApiMsg" }
+                default { "HTTP $adminStatusCode from /orgs/$Organization/actions/permissions. $adminApiMsg" }
+            }
+            $adminWarning = "GitHub organization administration API access was not verified. Some CIS controls requiring org administration may skip or report limited visibility. Required token permissions — classic PAT: admin:org; fine-grained PAT: Organization Administration: read. Detail: $adminFailureReason"
+        }
+    }
+
+    $__MtSession.GitHubAuthHeader = $authHeaders
+    $__MtSession.GitHubConnection = [PSCustomObject]@{
+        Connected                                   = $true
+        Organization                                = $Organization
+        ApiBaseUri                                  = $ApiBaseUri
+        ApiVersion                                  = $ApiVersion
+        TokenLogin                                  = $user.login
+        Plan                                        = $planName
+        Role                                        = $role
+        RoleState                                   = $roleState
+        RoleVerified                                = $true
+        RoleVerificationFailureReason               = $null
+        AdministrationPermissionVerified            = $adminVerified
+        AdministrationPermissionFailureReason       = $adminFailureReason
+        AdministrationPermissionStatusCode          = $adminStatusCode
+        AdministrationPermissionAcceptedPermissions = $adminAcceptedPermissions
+        FailureReason                               = $null
+    }
+
+    if ($roleWarning)  { Write-Warning $roleWarning }
+    if ($adminWarning) { Write-Warning $adminWarning }
+
+    $planDisplay = if ($planName) { " (plan: $planName)" } else { '' }
+    Write-Host "Connected to GitHub organization '$($orgData.login)' as '$($user.login)'$planDisplay." -ForegroundColor Green
+}
diff --git a/powershell/public/core/Disconnect-MtGitHub.ps1 b/powershell/public/core/Disconnect-MtGitHub.ps1
new file mode 100644
index 000000000..a641eca94
--- /dev/null
+++ b/powershell/public/core/Disconnect-MtGitHub.ps1
@@ -0,0 +1,38 @@
+function Disconnect-MtGitHub {
+    <#
+    .SYNOPSIS
+    Clears the current GitHub REST session in Maester.
+
+    .DESCRIPTION
+    Removes the GitHub PAT-derived auth header, the connection metadata, and the per-session
+    REST response cache from the Maester module's session state. Idempotent — safe to call when
+    no GitHub session is active.
+
+    Use this when you want to drop the in-memory token, switch organizations, or clean up
+    troubleshooting state. Disconnect-Maester also calls this automatically (Disconnect-MtGraph
+    alias does not, to preserve its narrow Graph-only semantic).
+
+    .EXAMPLE
+    Disconnect-MtGitHub
+
+    Clears any active GitHub session.
+
+    .LINK
+    https://maester.dev/docs/commands/Disconnect-MtGitHub
+    #>
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingWriteHost', '', Justification = 'Consistent with other Connect/Disconnect-* functions')]
+    [CmdletBinding()]
+    param()
+
+    $hadState = ($null -ne $__MtSession.GitHubConnection) -or ($null -ne $__MtSession.GitHubAuthHeader)
+
+    $__MtSession.GitHubConnection = $null
+    $__MtSession.GitHubAuthHeader = $null
+    $__MtSession.GitHubCache = @{}
+
+    if ($hadState) {
+        Write-Host 'Disconnected from GitHub.' -ForegroundColor Green
+    } else {
+        Write-Verbose 'No GitHub session to disconnect.'
+    }
+}
diff --git a/powershell/public/core/Get-MtSession.ps1 b/powershell/public/core/Get-MtSession.ps1
index d5d81d5cd..80d841f8c 100644
--- a/powershell/public/core/Get-MtSession.ps1
+++ b/powershell/public/core/Get-MtSession.ps1
@@ -1,4 +1,4 @@
-function Get-MtSession {
+function Get-MtSession {
     <#
     .SYNOPSIS
     Gets the current Maester session information which includes the current Graph base uri and other details.
@@ -7,6 +7,9 @@
     .DESCRIPTION
     The session information can be used to troubleshoot issues with the Maester module.
 
+    For security, the GitHubAuthHeader Authorization value is redacted on output so a copied
+    session dump cannot leak the GitHub PAT. The live session used by internal callers is unchanged.
+
     .EXAMPLE
     Get-MtSession
 
@@ -19,5 +22,28 @@
     param()
 
     Write-Verbose 'Getting the current Maester session information.'
-    Write-Output $__MtSession
+
+    $sessionCopy = @{}
+    foreach ($key in $__MtSession.Keys) {
+        $sessionCopy[$key] = $__MtSession[$key]
+    }
+
+    $authHeader = $__MtSession['GitHubAuthHeader']
+    if ($null -ne $authHeader) {
+        if ($authHeader -is [System.Collections.IDictionary]) {
+            $redactedHeader = [ordered]@{}
+            foreach ($k in $authHeader.Keys) {
+                if ($k -ieq 'Authorization') {
+                    $redactedHeader[$k] = '<redacted>'
+                } else {
+                    $redactedHeader[$k] = $authHeader[$k]
+                }
+            }
+            $sessionCopy['GitHubAuthHeader'] = $redactedHeader
+        } else {
+            $sessionCopy['GitHubAuthHeader'] = '<redacted>'
+        }
+    }
+
+    Write-Output $sessionCopy
 }
diff --git a/powershell/public/core/Test-MtConnection.ps1 b/powershell/public/core/Test-MtConnection.ps1
index 3c2157426..f6de34916 100644
--- a/powershell/public/core/Test-MtConnection.ps1
+++ b/powershell/public/core/Test-MtConnection.ps1
@@ -7,7 +7,9 @@
     Tests the connection for each service and returns $true if the session is connected to the specified service.
 
     .PARAMETER Service
-    The service to check the connection for. Valid values are 'All', 'Azure', 'AzureDevOps', 'ExchangeOnline', 'Graph', 'SecurityCompliance' (or 'EOP'), and 'Teams'. Default is 'Graph'.
+    The service to check the connection for. Valid values are 'All', 'Azure', 'AzureDevOps', 'ExchangeOnline', 'GitHub', 'Graph', 'SecurityCompliance' (or 'EOP'), and 'Teams'. Default is 'Graph'.
+
+    GitHub requires an explicit Connect-MtGitHub call before testing — unlike other services it has no auto-detection. When checked via -Service All, GitHub is only evaluated if Connect-MtGitHub has been called — if no GitHub session exists it is silently skipped and does not affect the result.
 
     .PARAMETER Details
     Return the full details of all connections instead of just a boolean value.
@@ -15,18 +17,24 @@
     .EXAMPLE
     Test-MtConnection -Service All
 
-    Checks if the current session is connected to all services including Azure, Microsoft Graph, Exchange Online, Exchange Online Protection (SecurityCompliance), and Microsoft Teams. Returns a Boolean value.
+    Checks if the current session is connected to all services including Azure, Microsoft Graph, Exchange Online, Exchange Online Protection (SecurityCompliance), Microsoft Teams, and GitHub (only if Connect-MtGitHub was called). Returns a Boolean value.
 
     .EXAMPLE
     Test-MtConnection -Service All -Details
 
-    Checks if the current session is connected to all services including Azure, Microsoft Graph, Exchange Online, Exchange Online Protection (SecurityCompliance), and Microsoft Teams. Returns a custom object that contains the connection details for all services.
+    Checks if the current session is connected to all services including Azure, Microsoft Graph, Exchange Online, Exchange Online Protection (SecurityCompliance), Microsoft Teams, and GitHub (only if Connect-MtGitHub was called). Returns a custom object that contains the connection details for all services.
 
     .EXAMPLE
     Test-MtConnection -Service Azure
 
     Checks if the current session is connected to Azure and returns a Boolean result.
 
+    .EXAMPLE
+    Test-MtConnection -Service GitHub
+
+    Checks if the current session is connected to GitHub and returns a Boolean result.
+    Returns $false if Connect-MtGitHub has not been called in this session.
+
     .LINK
     https://maester.dev/docs/commands/Test-MtConnection
     #>
@@ -35,7 +43,7 @@
     [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingWriteHost', 'AvoidUsingWriteHost', Justification = 'Sending colorful output to host in addition to rich object output.')]
     param(
         # Checks if the current session is connected to the specified service
-        [ValidateSet('All', 'Azure', 'AzureDevOps', 'ExchangeOnline', 'EOP', 'Graph', 'SecurityCompliance', 'Teams')]
+        [ValidateSet('All', 'Azure', 'AzureDevOps', 'ExchangeOnline', 'EOP', 'GitHub', 'Graph', 'SecurityCompliance', 'Teams')]
         [Parameter(Position = 0)]
         [string[]]$Service = 'Graph',
 
@@ -49,6 +57,7 @@
             PSTypeName  = 'Maester.Connections'
             Azure = $null
             AzureDevOps = $null
+            GitHub = $null
             Graph = $null
             ExchangeOnline = $null
             ExchangeOnlineProtection = $null
@@ -181,6 +190,27 @@
         }
         #endregion AzureDevOps
 
+        #region GitHub
+        if ($Service -contains 'GitHub' -or (
+            $Service -contains 'All' -and
+            $null -ne $__MtSession.GitHubConnection -and
+            $__MtSession.GitHubConnection.FailureReason -ne 'NotCalled'
+        )) {
+            $IsConnected = $false
+            if ($null -ne $__MtSession.GitHubConnection) {
+                if ($__MtSession.GitHubConnection.Connected -eq $true) {
+                    $MtConnections.GitHub = $__MtSession.GitHubConnection
+                    $IsConnected = $true
+                }
+            } else {
+                # No session state — GitHub requires explicit Connect-MtGitHub (no module auto-detect)
+                $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $false; FailureReason = 'NotCalled' }
+            }
+            Write-Verbose "GitHub: $IsConnected"
+            if (!$IsConnected) { $ConnectionState = $false }
+        }
+        #endregion GitHub
+
         $MtConnections.AllConnected = $ConnectionState
 
     }
diff --git a/powershell/tests/functions/Clear-ModuleVariable.Tests.ps1 b/powershell/tests/functions/Clear-ModuleVariable.Tests.ps1
new file mode 100644
index 000000000..23afa4bb0
--- /dev/null
+++ b/powershell/tests/functions/Clear-ModuleVariable.Tests.ps1
@@ -0,0 +1,51 @@
+BeforeAll {
+    Import-Module "$PSScriptRoot/../../Maester.psd1" -Force
+}
+
+Describe 'Clear-ModuleVariable — GitHub session lifecycle' {
+    BeforeEach {
+        InModuleScope Maester {
+            $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $true; Organization = 'myorg' }
+            $__MtSession.GitHubAuthHeader = @{ Authorization = 'Bearer testtoken' }
+            $__MtSession.GitHubCache      = @{ somekey = 'cached-value' }
+        }
+    }
+
+    AfterEach {
+        InModuleScope Maester {
+            $__MtSession.GitHubConnection = $null
+            $__MtSession.GitHubAuthHeader = $null
+            $__MtSession.GitHubCache      = @{}
+        }
+    }
+
+    It 'Preserves GitHubConnection after Clear-ModuleVariable' {
+        InModuleScope Maester {
+            Clear-ModuleVariable
+            $__MtSession.GitHubConnection | Should -Not -BeNullOrEmpty
+            $__MtSession.GitHubConnection.Connected | Should -BeTrue
+        }
+    }
+
+    It 'Preserves GitHubAuthHeader after Clear-ModuleVariable' {
+        InModuleScope Maester {
+            Clear-ModuleVariable
+            $__MtSession.GitHubAuthHeader | Should -Not -BeNullOrEmpty
+            $__MtSession.GitHubAuthHeader['Authorization'] | Should -Be 'Bearer testtoken'
+        }
+    }
+
+    It 'Resets GitHubCache to empty after Clear-ModuleVariable' {
+        InModuleScope Maester {
+            Clear-ModuleVariable
+            $__MtSession.GitHubCache.Count | Should -Be 0
+        }
+    }
+
+    It 'Test-MtConnection GitHub still returns True after Clear-ModuleVariable' {
+        InModuleScope Maester {
+            Clear-ModuleVariable
+            Test-MtConnection -Service GitHub | Should -BeTrue
+        }
+    }
+}
diff --git a/powershell/tests/functions/Connect-MtGitHub.Tests.ps1 b/powershell/tests/functions/Connect-MtGitHub.Tests.ps1
new file mode 100644
index 000000000..3afe6cf23
--- /dev/null
+++ b/powershell/tests/functions/Connect-MtGitHub.Tests.ps1
@@ -0,0 +1,1280 @@
+BeforeAll {
+    Import-Module "$PSScriptRoot/../../Maester.psd1" -Force
+}
+
+Describe 'Connect-MtGitHub' {
+    BeforeEach {
+        $script:savedMaesterGitHubToken = $env:MAESTER_GITHUB_TOKEN
+        $script:savedGhToken            = $env:GH_TOKEN
+        $env:MAESTER_GITHUB_TOKEN       = $null
+        $env:GH_TOKEN                   = $null
+
+        InModuleScope Maester {
+            $__MtSession.GitHubConnection = $null
+            $__MtSession.GitHubAuthHeader = $null
+            $__MtSession.GitHubCache      = @{}
+            # Pre-load an empty config so the lazy-load path is skipped in most tests.
+            # Tests that exercise lazy-load explicitly reset this to $null.
+            $__MtSession.MaesterConfig = [PSCustomObject]@{
+                GlobalSettings = [PSCustomObject]@{}
+            }
+        }
+    }
+
+    AfterEach {
+        $env:MAESTER_GITHUB_TOKEN = $script:savedMaesterGitHubToken
+        $env:GH_TOKEN             = $script:savedGhToken
+
+        InModuleScope Maester {
+            $__MtSession.GitHubConnection = $null
+            $__MtSession.GitHubAuthHeader = $null
+            $__MtSession.GitHubCache      = @{}
+            $__MtSession.MaesterConfig    = $null
+        }
+    }
+
+    Context 'Failure: NotConfigured' {
+        It 'Sets FailureReason = NotConfigured when no org and config has no GitHubOrganization' {
+            Connect-MtGitHub
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection.Connected     | Should -BeFalse
+                $__MtSession.GitHubConnection.FailureReason | Should -Be 'NotConfigured'
+            }
+        }
+    }
+
+    Context 'Failure: NoToken' {
+        It 'Sets FailureReason = NoToken when org is given but no token is available' {
+            # Token env vars are cleared in BeforeEach; no -Token param
+            Connect-MtGitHub -Organization 'myorg'
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection.Connected     | Should -BeFalse
+                $__MtSession.GitHubConnection.FailureReason | Should -Be 'NoToken'
+            }
+        }
+    }
+
+    Context 'Failure: TokenInvalid' {
+        It 'Sets FailureReason = TokenInvalid on HTTP 401 from /user' {
+            $env:MAESTER_GITHUB_TOKEN = 'bad-token'
+            $fakeResp = [PSCustomObject]@{ StatusCode = 401; Headers = @{} }
+            $ex = [System.Exception]::new('Unauthorized')
+            Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $fakeResp
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/user$' } { throw $ex }
+
+            Connect-MtGitHub -Organization 'myorg'
+
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection.Connected     | Should -BeFalse
+                $__MtSession.GitHubConnection.FailureReason | Should -Be 'TokenInvalid'
+            }
+        }
+    }
+
+    Context 'Failure: ApiBaseUriFailed' {
+        BeforeEach {
+            $env:MAESTER_GITHUB_TOKEN = 'valid-token'
+        }
+
+        It 'Sets FailureReason = ApiBaseUriFailed when /user throws with no Response/StatusCode (DNS/TLS/transport)' {
+            # Plain exception with no Response — Get-MtGitHubErrorStatusCode returns $null,
+            # which models DNS failure, TLS handshake failure, connection refused, or an
+            # unreachable GHE base URI. Must not be classified as TokenInvalid.
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/user$' } {
+                throw [System.Exception]::new('No such host is known')
+            }
+
+            Connect-MtGitHub -Organization 'myorg' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'ApiBaseUriFailed'
+                $c.FailureReason | Should -Not -Be 'TokenInvalid'
+                # Security property: failed connection must not leave a Bearer header in session.
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+        }
+    }
+
+    Context 'Failure: ApiUnavailable' {
+        BeforeEach {
+            $env:MAESTER_GITHUB_TOKEN = 'valid-token'
+        }
+
+        It 'Sets FailureReason = ApiUnavailable when /user returns HTTP 500 (server error, URI is fine)' {
+            # 5xx means GitHub responded — the base URI resolved and TLS succeeded — but the
+            # service itself is failing. Must not be conflated with TokenInvalid or ApiBaseUriFailed.
+            $fakeResp = [PSCustomObject]@{ StatusCode = 500; Headers = @{} }
+            $ex = [System.Exception]::new('Internal Server Error')
+            Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $fakeResp
+            Mock Get-MtGitHubErrorStatusCode -ModuleName Maester { 500 }
+            Mock Get-MtGitHubErrorMessage    -ModuleName Maester { 'Internal Server Error' }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/user$' } { throw $ex }
+
+            Connect-MtGitHub -Organization 'myorg' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'ApiUnavailable'
+                $c.FailureReason | Should -Not -Be 'TokenInvalid'
+                $c.FailureReason | Should -Not -Be 'ApiBaseUriFailed'
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+        }
+
+        It 'Sets FailureReason = ApiUnavailable when /user returns HTTP 503' {
+            $fakeResp = [PSCustomObject]@{ StatusCode = 503; Headers = @{} }
+            $ex = [System.Exception]::new('Service Unavailable')
+            Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $fakeResp
+            Mock Get-MtGitHubErrorStatusCode -ModuleName Maester { 503 }
+            Mock Get-MtGitHubErrorMessage    -ModuleName Maester { 'Service Unavailable' }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/user$' } { throw $ex }
+
+            Connect-MtGitHub -Organization 'myorg' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'ApiUnavailable'
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+        }
+    }
+
+    Context 'Failure: OrgAccessFailed' {
+        BeforeEach {
+            $env:MAESTER_GITHUB_TOKEN = 'valid-token'
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/user$' } {
+                [PSCustomObject]@{ Content = '{"login":"testuser"}' }
+            }
+        }
+
+        It 'Sets FailureReason = OrgAccessFailed on HTTP 403 from /orgs/{org}' {
+            $fakeResp = [PSCustomObject]@{ StatusCode = 403; Headers = @{} }
+            $ex = [System.Exception]::new('Forbidden')
+            Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $fakeResp
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/orgs/' } { throw $ex }
+
+            Connect-MtGitHub -Organization 'myorg'
+
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection.Connected     | Should -BeFalse
+                $__MtSession.GitHubConnection.FailureReason | Should -Be 'OrgAccessFailed'
+            }
+        }
+
+        It 'Sets FailureReason = OrgAccessFailed on HTTP 404 from /orgs/{org}' {
+            $fakeResp = [PSCustomObject]@{ StatusCode = 404; Headers = @{} }
+            $ex = [System.Exception]::new('Not Found')
+            Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $fakeResp
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/orgs/' } { throw $ex }
+
+            Connect-MtGitHub -Organization 'myorg'
+
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection.Connected     | Should -BeFalse
+                $__MtSession.GitHubConnection.FailureReason | Should -Be 'OrgAccessFailed'
+            }
+        }
+
+        It 'Sets FailureReason = ApiBaseUriFailed when /orgs/{org} throws transport exception (no Response)' {
+            # /user succeeded, then DNS/TLS fails on the second probe. Must not be classified
+            # as OrgAccessFailed — the org access can't be determined when there's no HTTP response.
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/orgs/' } {
+                throw [System.Exception]::new('Connection reset by peer')
+            }
+
+            Connect-MtGitHub -Organization 'myorg' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'ApiBaseUriFailed'
+                $c.FailureReason | Should -Not -Be 'OrgAccessFailed'
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+        }
+
+        It 'Sets FailureReason = ApiUnavailable when /orgs/{org} returns HTTP 500' {
+            $fakeResp = [PSCustomObject]@{ StatusCode = 500; Headers = @{} }
+            $ex = [System.Exception]::new('Internal Server Error')
+            Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $fakeResp
+            Mock Get-MtGitHubErrorStatusCode -ModuleName Maester { 500 }
+            Mock Get-MtGitHubErrorMessage    -ModuleName Maester { 'Internal Server Error' }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/orgs/' } { throw $ex }
+
+            Connect-MtGitHub -Organization 'myorg' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'ApiUnavailable'
+                $c.FailureReason | Should -Not -Be 'OrgAccessFailed'
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+        }
+    }
+
+    Context 'Successful connection' {
+        BeforeEach {
+            $env:MAESTER_GITHUB_TOKEN = 'valid-token'
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/actions/permissions$' } {
+                [PSCustomObject]@{ Content = '{"enabled_repositories":"all"}'; StatusCode = 200 }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/memberships/' } {
+                [PSCustomObject]@{ Content = '{"state":"active","role":"admin"}' }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/user$' } {
+                [PSCustomObject]@{ Content = '{"login":"testuser"}' }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/orgs/[^/]+$' } {
+                [PSCustomObject]@{ Content = '{"login":"myorg","plan":{"name":"enterprise"}}' }
+            }
+        }
+
+        It 'Sets Connected = $true and stores GitHubAuthHeader' {
+            Connect-MtGitHub -Organization 'myorg' 3>$null
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection.Connected                        | Should -BeTrue
+                $__MtSession.GitHubConnection.Organization                     | Should -Be 'myorg'
+                $__MtSession.GitHubConnection.TokenLogin                       | Should -Be 'testuser'
+                $__MtSession.GitHubConnection.AdministrationPermissionVerified | Should -BeTrue
+                $__MtSession.GitHubAuthHeader                                  | Should -Not -BeNullOrEmpty
+                $__MtSession.GitHubAuthHeader['Authorization']                 | Should -Match '^Bearer '
+            }
+        }
+
+        It 'All four probes use the configured ApiBaseUri and X-GitHub-Api-Version header' {
+            Connect-MtGitHub -Organization 'myorg' -ApiBaseUri 'https://api.myco.ghe.com' -ApiVersion '2024-01-01' 3>$null
+
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Times 4 -ParameterFilter {
+                $Uri -match 'api\.myco\.ghe\.com' -and $Headers['X-GitHub-Api-Version'] -eq '2024-01-01'
+            }
+        }
+
+        It 'GHE.com data residency: all four endpoint paths target the configured base URI' {
+            Connect-MtGitHub -Organization 'myorg' -ApiBaseUri 'https://api.octocorp.ghe.com' 3>$null
+
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Times 1 -ParameterFilter {
+                $Uri -eq 'https://api.octocorp.ghe.com/user'
+            }
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Times 1 -ParameterFilter {
+                $Uri -eq 'https://api.octocorp.ghe.com/orgs/myorg'
+            }
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Times 1 -ParameterFilter {
+                $Uri -eq 'https://api.octocorp.ghe.com/orgs/myorg/memberships/testuser'
+            }
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Times 1 -ParameterFilter {
+                $Uri -eq 'https://api.octocorp.ghe.com/orgs/myorg/actions/permissions'
+            }
+        }
+    }
+
+    Context 'Role probe' {
+        BeforeEach {
+            $env:MAESTER_GITHUB_TOKEN = 'valid-token'
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/actions/permissions$' } {
+                [PSCustomObject]@{ Content = '{}'; StatusCode = 200 }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/user$' } {
+                [PSCustomObject]@{ Content = '{"login":"testuser"}' }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/orgs/[^/]+$' } {
+                [PSCustomObject]@{ Content = '{"login":"myorg"}' }
+            }
+        }
+
+        It 'admin + active: no warning, Role=admin, RoleVerified=$true, RoleState=active' {
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/memberships/' } {
+                [PSCustomObject]@{ Content = '{"state":"active","role":"admin"}' }
+            }
+            $warns = @()
+            Connect-MtGitHub -Organization 'myorg' -WarningAction SilentlyContinue -WarningVariable warns 3>$null
+            $warns.Count | Should -Be 0
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeTrue
+                $c.Role          | Should -Be 'admin'
+                $c.RoleState     | Should -Be 'active'
+                $c.RoleVerified  | Should -BeTrue
+                $c.RoleVerificationFailureReason | Should -BeNullOrEmpty
+                $c.AdministrationPermissionVerified | Should -BeTrue
+            }
+        }
+
+        It 'admin + pending: fails connection with FailureReason = OrgMembershipPending and clears auth header' {
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/memberships/' } {
+                [PSCustomObject]@{ Content = '{"state":"pending","role":"admin"}' }
+            }
+            Connect-MtGitHub -Organization 'myorg' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'OrgMembershipPending'
+                # Security property: failed connection must not leave a Bearer header in session.
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+        }
+
+        It 'member + pending: fails connection with FailureReason = OrgMembershipPending' {
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/memberships/' } {
+                [PSCustomObject]@{ Content = '{"state":"pending","role":"member"}' }
+            }
+            Connect-MtGitHub -Organization 'myorg' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'OrgMembershipPending'
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+        }
+
+        It 'member + active: warning matches admin/owner phrasing (not "owner role"); Role=member, RoleVerified=$true' {
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/memberships/' } {
+                [PSCustomObject]@{ Content = '{"state":"active","role":"member"}' }
+            }
+            $warns = @()
+            Connect-MtGitHub -Organization 'myorg' -WarningAction SilentlyContinue -WarningVariable warns 3>$null
+            $warns.Count | Should -BeGreaterOrEqual 1
+            ($warns -join ' ') | Should -Match 'admin/owner|full CIS coverage'
+            ($warns -join ' ') | Should -Not -Match 'owner role'
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected    | Should -BeTrue
+                $c.Role         | Should -Be 'member'
+                $c.RoleVerified | Should -BeTrue
+            }
+        }
+
+        It 'unexpected role string: warning emitted; fields populated as returned' {
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/memberships/' } {
+                [PSCustomObject]@{ Content = '{"state":"active","role":"billing_manager"}' }
+            }
+            $warns = @()
+            Connect-MtGitHub -Organization 'myorg' -WarningAction SilentlyContinue -WarningVariable warns 3>$null
+            $warns.Count | Should -BeGreaterOrEqual 1
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected    | Should -BeTrue
+                $c.Role         | Should -Be 'billing_manager'
+                $c.RoleState    | Should -Be 'active'
+                $c.RoleVerified | Should -BeTrue
+            }
+        }
+
+    }
+
+    Context 'Administration permission probe' {
+        BeforeEach {
+            $env:MAESTER_GITHUB_TOKEN = 'valid-token'
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/user$' } {
+                [PSCustomObject]@{ Content = '{"login":"testuser"}' }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/orgs/[^/]+$' } {
+                [PSCustomObject]@{ Content = '{"login":"myorg"}' }
+            }
+        }
+
+        It 'admin + active + admin probe 200: Connected=true, AdministrationPermissionVerified=true, no admin warning, four IWR calls' {
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/memberships/' } {
+                [PSCustomObject]@{ Content = '{"state":"active","role":"admin"}' }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/actions/permissions$' } {
+                [PSCustomObject]@{ Content = '{"enabled_repositories":"all"}'; StatusCode = 200 }
+            }
+
+            $warns = @()
+            Connect-MtGitHub -Organization 'myorg' -WarningAction SilentlyContinue -WarningVariable warns 3>$null
+
+            ($warns -join ' ') | Should -Not -Match 'administration API access'
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected                                    | Should -BeTrue
+                $c.AdministrationPermissionVerified             | Should -BeTrue
+                $c.AdministrationPermissionFailureReason        | Should -BeNullOrEmpty
+                $c.AdministrationPermissionStatusCode           | Should -Be 200
+            }
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Times 4
+        }
+
+        It 'admin + active + admin probe 403: Connected=true, FailureReason=null, AdministrationPermissionVerified=false, warning mentions both permission models' {
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/memberships/' } {
+                [PSCustomObject]@{ Content = '{"state":"active","role":"admin"}' }
+            }
+            $fakeResp = [PSCustomObject]@{
+                StatusCode = 403
+                Headers    = @{ 'x-accepted-github-permissions' = 'administration=read' }
+            }
+            $ex = [System.Exception]::new('Forbidden')
+            Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $fakeResp
+            Mock Get-MtGitHubErrorStatusCode -ModuleName Maester { 403 }
+            Mock Get-MtGitHubErrorMessage    -ModuleName Maester { 'Resource not accessible by personal access token' }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/actions/permissions$' } { throw $ex }
+
+            $warns = @()
+            Connect-MtGitHub -Organization 'myorg' -WarningAction SilentlyContinue -WarningVariable warns 3>$null
+
+            $combined = $warns -join ' '
+            $combined | Should -Match 'admin:org'
+            $combined | Should -Match 'Administration: read'
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected                                    | Should -BeTrue
+                $c.FailureReason                                | Should -BeNullOrEmpty
+                $c.Role                                         | Should -Be 'admin'
+                $c.AdministrationPermissionVerified             | Should -BeFalse
+                $c.AdministrationPermissionStatusCode           | Should -Be 403
+                $c.AdministrationPermissionFailureReason        | Should -Match 'HTTP 403'
+                $c.AdministrationPermissionAcceptedPermissions  | Should -Be 'administration=read'
+            }
+        }
+
+        It 'member + active + admin probe 403: emits both role and admin-permission warnings' {
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/memberships/' } {
+                [PSCustomObject]@{ Content = '{"state":"active","role":"member"}' }
+            }
+            $fakeResp = [PSCustomObject]@{ StatusCode = 403; Headers = @{} }
+            $ex = [System.Exception]::new('Forbidden')
+            Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $fakeResp
+            Mock Get-MtGitHubErrorStatusCode -ModuleName Maester { 403 }
+            Mock Get-MtGitHubErrorMessage    -ModuleName Maester { 'Resource not accessible' }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/actions/permissions$' } { throw $ex }
+
+            $warns = @()
+            Connect-MtGitHub -Organization 'myorg' -WarningAction SilentlyContinue -WarningVariable warns 3>$null
+
+            $warns.Count | Should -BeGreaterOrEqual 2
+            $combined = $warns -join ' '
+            $combined | Should -Match 'admin/owner|full CIS coverage'
+            $combined | Should -Match 'administration API access|Administration: read'
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected                        | Should -BeTrue
+                $c.Role                             | Should -Be 'member'
+                $c.AdministrationPermissionVerified | Should -BeFalse
+            }
+        }
+    }
+
+    Context 'Failure: OrgMembershipFailed' {
+        BeforeEach {
+            $env:MAESTER_GITHUB_TOKEN = 'valid-token'
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/user$' } {
+                [PSCustomObject]@{ Content = '{"login":"testuser"}' }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/orgs/[^/]+$' } {
+                [PSCustomObject]@{ Content = '{"login":"myorg"}' }
+            }
+        }
+
+        It 'Membership HTTP 403 fails connection with FailureReason = OrgMembershipFailed' {
+            $fakeResp = [PSCustomObject]@{ StatusCode = 403; Headers = @{} }
+            $ex = [System.Exception]::new('Forbidden')
+            Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $fakeResp
+            Mock Get-MtGitHubErrorStatusCode -ModuleName Maester { 403 }
+            Mock Get-MtGitHubErrorMessage    -ModuleName Maester { 'Insufficient permissions to read membership.' }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/memberships/' } { throw $ex }
+
+            Connect-MtGitHub -Organization 'myorg' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'OrgMembershipFailed'
+                # Security property: failed connection must not leave a Bearer header in session.
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+        }
+
+        It 'Membership HTTP 404 fails connection with FailureReason = OrgMembershipFailed' {
+            $fakeResp = [PSCustomObject]@{ StatusCode = 404; Headers = @{} }
+            $ex = [System.Exception]::new('Not Found')
+            Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $fakeResp
+            Mock Get-MtGitHubErrorStatusCode -ModuleName Maester { 404 }
+            Mock Get-MtGitHubErrorMessage    -ModuleName Maester { 'Not Found' }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/memberships/' } { throw $ex }
+
+            Connect-MtGitHub -Organization 'myorg' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'OrgMembershipFailed'
+                # Security property: failed connection must not leave a Bearer header in session.
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+        }
+
+        It '200 with malformed JSON body fails connection with FailureReason = OrgMembershipFailed' {
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/memberships/' } {
+                [PSCustomObject]@{ Content = 'not-json{' }
+            }
+            Connect-MtGitHub -Organization 'myorg' 6>$null
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'OrgMembershipFailed'
+                # Security property: failed connection must not leave a Bearer header in session.
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+        }
+
+        It '200 with valid JSON missing role field fails connection with FailureReason = OrgMembershipFailed' {
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/memberships/' } {
+                [PSCustomObject]@{ Content = '{"state":"active"}' }
+            }
+            Connect-MtGitHub -Organization 'myorg' 6>$null
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'OrgMembershipFailed'
+                # Security property: failed connection must not leave a Bearer header in session.
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+        }
+
+        It '200 with valid JSON missing state field fails connection with FailureReason = OrgMembershipFailed' {
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/memberships/' } {
+                [PSCustomObject]@{ Content = '{"role":"admin"}' }
+            }
+            Connect-MtGitHub -Organization 'myorg' 6>$null
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'OrgMembershipFailed'
+                # Security property: failed connection must not leave a Bearer header in session.
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+        }
+
+        It 'Sets FailureReason = ApiBaseUriFailed when /memberships/ throws transport exception (no Response)' {
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/memberships/' } {
+                throw [System.Exception]::new('No such host is known')
+            }
+
+            Connect-MtGitHub -Organization 'myorg' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'ApiBaseUriFailed'
+                $c.FailureReason | Should -Not -Be 'OrgMembershipFailed'
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+        }
+
+        It 'Sets FailureReason = ApiUnavailable when /memberships/ returns HTTP 503' {
+            $fakeResp = [PSCustomObject]@{ StatusCode = 503; Headers = @{} }
+            $ex = [System.Exception]::new('Service Unavailable')
+            Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $fakeResp
+            Mock Get-MtGitHubErrorStatusCode -ModuleName Maester { 503 }
+            Mock Get-MtGitHubErrorMessage    -ModuleName Maester { 'Service Unavailable' }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/memberships/' } { throw $ex }
+
+            Connect-MtGitHub -Organization 'myorg' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'ApiUnavailable'
+                $c.FailureReason | Should -Not -Be 'OrgMembershipFailed'
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+        }
+    }
+
+    Context 'Failure: RateLimited' {
+        BeforeEach {
+            $env:MAESTER_GITHUB_TOKEN = 'valid-token'
+        }
+
+        It '/user 403 with x-ratelimit-remaining=0 sets FailureReason=RateLimited and clears auth header' {
+            $fakeResp = [PSCustomObject]@{
+                StatusCode = 403
+                Headers    = @{ 'x-ratelimit-remaining' = '0'; 'x-ratelimit-reset' = '9999999999' }
+            }
+            $ex = [System.Exception]::new('Forbidden')
+            Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $fakeResp
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/user$' } { throw $ex }
+
+            Connect-MtGitHub -Organization 'myorg' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'RateLimited'
+                $c.FailureReason | Should -Not -Be 'TokenInvalid'
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+        }
+
+        It '/orgs/{org} 429 with retry-after sets FailureReason=RateLimited (not OrgAccessFailed)' {
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/user$' } {
+                [PSCustomObject]@{ Content = '{"login":"testuser"}' }
+            }
+            $fakeResp = [PSCustomObject]@{
+                StatusCode = 429
+                Headers    = @{ 'retry-after' = '60' }
+            }
+            $ex = [System.Exception]::new('Too Many Requests')
+            Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $fakeResp
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/orgs/[^/]+$' } { throw $ex }
+
+            Connect-MtGitHub -Organization 'myorg' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'RateLimited'
+                $c.FailureReason | Should -Not -Be 'OrgAccessFailed'
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+        }
+
+        It '/memberships/ 403 with x-ratelimit-remaining=0 sets FailureReason=RateLimited (not OrgMembershipFailed)' {
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/user$' } {
+                [PSCustomObject]@{ Content = '{"login":"testuser"}' }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/orgs/[^/]+$' } {
+                [PSCustomObject]@{ Content = '{"login":"myorg"}' }
+            }
+            $fakeResp = [PSCustomObject]@{
+                StatusCode = 403
+                Headers    = @{ 'x-ratelimit-remaining' = '0'; 'x-ratelimit-reset' = '9999999999' }
+            }
+            $ex = [System.Exception]::new('Forbidden')
+            Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $fakeResp
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/memberships/' } { throw $ex }
+
+            Connect-MtGitHub -Organization 'myorg' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'RateLimited'
+                $c.FailureReason | Should -Not -Be 'OrgMembershipFailed'
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+        }
+
+        It 'Admin probe 429 with retry-after: Connected=true, FailureReason=null, admin permission marked rate-limited, warning mentions rate limit' {
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/user$' } {
+                [PSCustomObject]@{ Content = '{"login":"testuser"}' }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/orgs/[^/]+$' } {
+                [PSCustomObject]@{ Content = '{"login":"myorg"}' }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/memberships/' } {
+                [PSCustomObject]@{ Content = '{"state":"active","role":"admin"}' }
+            }
+            $fakeResp = [PSCustomObject]@{
+                StatusCode = 429
+                Headers    = @{ 'retry-after' = '90' }
+            }
+            $ex = [System.Exception]::new('Too Many Requests')
+            Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $fakeResp
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/actions/permissions$' } { throw $ex }
+
+            $warns = @()
+            Connect-MtGitHub -Organization 'myorg' -WarningAction SilentlyContinue -WarningVariable warns 3>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected                                | Should -BeTrue
+                $c.FailureReason                            | Should -BeNullOrEmpty
+                $c.AdministrationPermissionVerified         | Should -BeFalse
+                $c.AdministrationPermissionStatusCode       | Should -Be 429
+                $c.AdministrationPermissionFailureReason    | Should -Match 'rate limit'
+            }
+            ($warns -join ' ') | Should -Match 'rate limit'
+        }
+    }
+
+    Context 'Failure: InvalidApiBaseUri' {
+        BeforeEach {
+            $env:MAESTER_GITHUB_TOKEN = 'valid-token'
+        }
+
+        It 'Config http:// URI fails before any web request' {
+            InModuleScope Maester {
+                $__MtSession.MaesterConfig = [PSCustomObject]@{
+                    GlobalSettings = [PSCustomObject]@{
+                        GitHubApiBaseUri = 'http://api.example.com'
+                    }
+                }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester { throw 'Invoke-WebRequest must not be called when ApiBaseUri is invalid' }
+
+            Connect-MtGitHub -Organization 'myorg' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'InvalidApiBaseUri'
+                # Security property: invalid URI must short-circuit before headers are stored.
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Times 0
+        }
+
+        It 'Config non-URI value fails before any web request' {
+            InModuleScope Maester {
+                $__MtSession.MaesterConfig = [PSCustomObject]@{
+                    GlobalSettings = [PSCustomObject]@{
+                        GitHubApiBaseUri = 'not-a-uri'
+                    }
+                }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester { throw 'Invoke-WebRequest must not be called when ApiBaseUri is invalid' }
+
+            Connect-MtGitHub -Organization 'myorg' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'InvalidApiBaseUri'
+                # Security property: invalid URI must short-circuit before headers are stored.
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Times 0
+        }
+
+        It 'Parameter -ApiBaseUri http:// fails before any web request and clears prior session state' {
+            # Pre-seed a stale session to prove the parameter validation path no longer throws
+            # before the session-clear step at the top of Connect-MtGitHub runs.
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $true; Organization = 'stale' }
+                $__MtSession.GitHubAuthHeader = @{ Authorization = 'Bearer stale-token' }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester { throw 'Invoke-WebRequest must not be called when ApiBaseUri is invalid' }
+
+            Connect-MtGitHub -Organization 'myorg' -ApiBaseUri 'http://api.example.com' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'InvalidApiBaseUri'
+                # Stale session state must be cleared even when the parameter value is rejected.
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Times 0
+        }
+
+        It 'Parameter -ApiBaseUri "not-a-uri" fails before any web request and clears prior session state' {
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $true; Organization = 'stale' }
+                $__MtSession.GitHubAuthHeader = @{ Authorization = 'Bearer stale-token' }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester { throw 'Invoke-WebRequest must not be called when ApiBaseUri is invalid' }
+
+            Connect-MtGitHub -Organization 'myorg' -ApiBaseUri 'not-a-uri' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'InvalidApiBaseUri'
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Times 0
+        }
+
+        It 'Parameter https URI with trailing slash still works and is trimmed' {
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/actions/permissions$' } {
+                [PSCustomObject]@{ Content = '{}'; StatusCode = 200 }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/memberships/' } {
+                [PSCustomObject]@{ Content = '{"state":"active","role":"admin"}' }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/user$' } {
+                [PSCustomObject]@{ Content = '{"login":"testuser"}' }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/orgs/[^/]+$' } {
+                [PSCustomObject]@{ Content = '{"login":"myorg"}' }
+            }
+
+            Connect-MtGitHub -Organization 'myorg' -ApiBaseUri 'https://api.github.com/' 3>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected  | Should -BeTrue
+                $c.ApiBaseUri | Should -Be 'https://api.github.com'
+            }
+        }
+
+        It 'api.github.com (SaaS) passes the host allowlist' {
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/actions/permissions$' } {
+                [PSCustomObject]@{ Content = '{}'; StatusCode = 200 }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/memberships/' } {
+                [PSCustomObject]@{ Content = '{"state":"active","role":"admin"}' }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/user$' } {
+                [PSCustomObject]@{ Content = '{"login":"testuser"}' }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/orgs/[^/]+$' } {
+                [PSCustomObject]@{ Content = '{"login":"myorg"}' }
+            }
+
+            Connect-MtGitHub -Organization 'myorg' -ApiBaseUri 'https://api.github.com' 3>$null
+
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection.Connected  | Should -BeTrue
+                $__MtSession.GitHubConnection.ApiBaseUri | Should -Be 'https://api.github.com'
+            }
+        }
+
+        It 'api.<subdomain>.ghe.com (GHE.com data residency) passes the host allowlist' {
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/actions/permissions$' } {
+                [PSCustomObject]@{ Content = '{}'; StatusCode = 200 }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/memberships/' } {
+                [PSCustomObject]@{ Content = '{"state":"active","role":"admin"}' }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/user$' } {
+                [PSCustomObject]@{ Content = '{"login":"testuser"}' }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/orgs/[^/]+$' } {
+                [PSCustomObject]@{ Content = '{"login":"myorg"}' }
+            }
+
+            Connect-MtGitHub -Organization 'myorg' -ApiBaseUri 'https://api.octocorp.ghe.com' 3>$null
+
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection.Connected  | Should -BeTrue
+                $__MtSession.GitHubConnection.ApiBaseUri | Should -Be 'https://api.octocorp.ghe.com'
+            }
+        }
+
+        It 'Non-allowlisted https host fails before any web request and clears prior session state' {
+            # Pre-seed a stale session to confirm session-clear runs before host validation rejects the URI.
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $true; Organization = 'stale' }
+                $__MtSession.GitHubAuthHeader = @{ Authorization = 'Bearer stale-token' }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester { throw 'Invoke-WebRequest must not be called when ApiBaseUri host is not allowlisted' }
+
+            Connect-MtGitHub -Organization 'myorg' -ApiBaseUri 'https://evil.example.com' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'InvalidApiBaseUri'
+                # Security property: PAT must never be sent to non-GitHub hosts; auth header must be cleared.
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Times 0
+        }
+
+        It 'Non-allowlisted https host with /api/v3 path (GHES on-prem shape) is rejected' {
+            Mock Invoke-WebRequest -ModuleName Maester { throw 'Invoke-WebRequest must not be called when ApiBaseUri host is not allowlisted' }
+
+            Connect-MtGitHub -Organization 'myorg' -ApiBaseUri 'https://github.example.com/api/v3' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'InvalidApiBaseUri'
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Times 0
+        }
+
+        It 'Allowlisted host with a query string is rejected before any web request' {
+            Mock Invoke-WebRequest -ModuleName Maester { throw 'Invoke-WebRequest must not be called when ApiBaseUri has a query string' }
+
+            Connect-MtGitHub -Organization 'myorg' -ApiBaseUri 'https://api.github.com?foo=bar' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'InvalidApiBaseUri'
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Times 0
+        }
+
+        It 'Allowlisted host with a fragment is rejected before any web request' {
+            Mock Invoke-WebRequest -ModuleName Maester { throw 'Invoke-WebRequest must not be called when ApiBaseUri has a fragment' }
+
+            Connect-MtGitHub -Organization 'myorg' -ApiBaseUri 'https://api.github.com#frag' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'InvalidApiBaseUri'
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Times 0
+        }
+
+        It 'Allowlisted host with non-default port is rejected before any web request' {
+            Mock Invoke-WebRequest -ModuleName Maester { throw 'Invoke-WebRequest must not be called when ApiBaseUri uses a non-default port' }
+
+            Connect-MtGitHub -Organization 'myorg' -ApiBaseUri 'https://api.github.com:8443' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'InvalidApiBaseUri'
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Times 0
+        }
+
+        It 'Allowlisted host with extra path component is rejected' {
+            # api.github.com/api/v3 has the right host but a non-root path; reject so the PAT isn't
+            # sent to an unexpected endpoint that could be a proxy or path-rewriting middleware.
+            Mock Invoke-WebRequest -ModuleName Maester { throw 'Invoke-WebRequest must not be called when ApiBaseUri has a non-root path' }
+
+            Connect-MtGitHub -Organization 'myorg' -ApiBaseUri 'https://api.github.com/api/v3' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'InvalidApiBaseUri'
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Times 0
+        }
+    }
+
+    Context 'Config fallback: pre-loaded MaesterConfig' {
+        It 'Resolves org from pre-loaded MaesterConfig without calling Get-MtMaesterConfig' {
+            $env:MAESTER_GITHUB_TOKEN = 'valid-token'
+            InModuleScope Maester {
+                $__MtSession.MaesterConfig = [PSCustomObject]@{
+                    GlobalSettings = [PSCustomObject]@{
+                        GitHubOrganization = 'config-org'
+                    }
+                }
+            }
+            Mock Get-MtMaesterConfig -ModuleName Maester { throw 'Get-MtMaesterConfig must not be called when config is pre-loaded' }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/actions/permissions$' } {
+                [PSCustomObject]@{ Content = '{}'; StatusCode = 200 }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/memberships/' } {
+                [PSCustomObject]@{ Content = '{"state":"active","role":"admin"}' }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/user$' } {
+                [PSCustomObject]@{ Content = '{"login":"testuser"}' }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/orgs/[^/]+$' } {
+                [PSCustomObject]@{ Content = '{"login":"config-org"}' }
+            }
+
+            Connect-MtGitHub 3>$null
+
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection.Connected    | Should -BeTrue
+                $__MtSession.GitHubConnection.Organization | Should -Be 'config-org'
+            }
+        }
+    }
+
+    Context 'Config fallback: lazy-load when MaesterConfig is null' {
+        BeforeEach {
+            $env:MAESTER_GITHUB_TOKEN = 'valid-token'
+
+            # Reset to null so the lazy-load path fires
+            InModuleScope Maester { $__MtSession.MaesterConfig = $null }
+
+            $fakeConfig = [PSCustomObject]@{
+                GlobalSettings = [PSCustomObject]@{
+                    GitHubOrganization = 'lazy-org'
+                    GitHubApiBaseUri   = 'https://api.lazy.ghe.com'
+                    GitHubApiVersion   = '2024-06-01'
+                }
+            }
+            Mock Get-MtMaesterConfig -ModuleName Maester { $fakeConfig }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/actions/permissions$' } {
+                [PSCustomObject]@{ Content = '{}'; StatusCode = 200 }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/memberships/' } {
+                [PSCustomObject]@{ Content = '{"state":"active","role":"admin"}' }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/user$' } {
+                [PSCustomObject]@{ Content = '{"login":"testuser"}' }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/orgs/[^/]+$' } {
+                [PSCustomObject]@{ Content = '{"login":"lazy-org"}' }
+            }
+        }
+
+        It 'Lazy-loads config and resolves org when MaesterConfig is null and no -Organization supplied' {
+            Connect-MtGitHub 3>$null
+
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection.Connected    | Should -BeTrue
+                $__MtSession.GitHubConnection.Organization | Should -Be 'lazy-org'
+                # $__MtSession.MaesterConfig is now set; real Get-MtMaesterConfigGlobalSetting reads it
+                $__MtSession.MaesterConfig.GlobalSettings.GitHubOrganization | Should -Be 'lazy-org'
+            }
+        }
+
+        It 'Lazy-loads config for ApiBaseUri and ApiVersion when -Organization is supplied but others are omitted' {
+            Connect-MtGitHub -Organization 'myorg' 3>$null
+
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection.Connected  | Should -BeTrue
+                $__MtSession.GitHubConnection.ApiBaseUri | Should -Be 'https://api.lazy.ghe.com'
+                $__MtSession.GitHubConnection.ApiVersion | Should -Be '2024-06-01'
+            }
+        }
+
+        It 'All three config-backed values (org, ApiBaseUri, ApiVersion) are resolved from lazy-loaded config' {
+            Connect-MtGitHub 3>$null
+
+            InModuleScope Maester {
+                $conn = $__MtSession.GitHubConnection
+                $conn.Organization | Should -Be 'lazy-org'
+                $conn.ApiBaseUri   | Should -Be 'https://api.lazy.ghe.com'
+                $conn.ApiVersion   | Should -Be '2024-06-01'
+            }
+        }
+    }
+
+    Context 'Failure: InvalidApiVersion' {
+        BeforeEach {
+            $env:MAESTER_GITHUB_TOKEN = 'valid-token'
+        }
+
+        It 'Config GitHubApiVersion = "latest" fails before any web request' {
+            InModuleScope Maester {
+                $__MtSession.MaesterConfig = [PSCustomObject]@{
+                    GlobalSettings = [PSCustomObject]@{
+                        GitHubApiVersion = 'latest'
+                    }
+                }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester { throw 'Invoke-WebRequest must not be called when ApiVersion is invalid' }
+
+            Connect-MtGitHub -Organization 'myorg' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'InvalidApiVersion'
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Times 0
+        }
+
+        It 'Config GitHubApiVersion with valid format but /user returns 410: InvalidApiVersion (not TokenInvalid)' {
+            InModuleScope Maester {
+                $__MtSession.MaesterConfig = [PSCustomObject]@{
+                    GlobalSettings = [PSCustomObject]@{
+                        GitHubApiVersion = '2020-01-01'
+                    }
+                }
+            }
+            $fakeResp = [PSCustomObject]@{ StatusCode = 410; Headers = @{} }
+            $ex = [System.Exception]::new('Gone')
+            Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $fakeResp
+            Mock Get-MtGitHubErrorStatusCode -ModuleName Maester { 410 }
+            Mock Get-MtGitHubErrorMessage    -ModuleName Maester { 'API version is not supported' }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/user$' } { throw $ex }
+
+            Connect-MtGitHub -Organization 'myorg' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'InvalidApiVersion'
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+        }
+
+        It 'Parameter -ApiVersion "latest" sets InvalidApiVersion and clears prior session state' {
+            # Pre-seed a stale session to prove the function clears it before failing.
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $true; Organization = 'stale' }
+                $__MtSession.GitHubAuthHeader = @{ Authorization = 'Bearer stale-token' }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester { throw 'Invoke-WebRequest must not be called when ApiVersion is invalid' }
+
+            Connect-MtGitHub -Organization 'myorg' -ApiVersion 'latest' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'InvalidApiVersion'
+                # Stale auth header must be cleared even though the failure path runs early.
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Times 0
+        }
+
+        It '/user 400 with "Not a supported version" message maps to InvalidApiVersion (not TokenInvalid)' {
+            $fakeResp = [PSCustomObject]@{ StatusCode = 400; Headers = @{} }
+            $ex = [System.Exception]::new('Bad Request')
+            Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $fakeResp
+            Mock Get-MtGitHubErrorStatusCode -ModuleName Maester { 400 }
+            Mock Get-MtGitHubErrorMessage    -ModuleName Maester { 'Not a supported version' }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/user$' } { throw $ex }
+
+            Connect-MtGitHub -Organization 'myorg' -ApiVersion '2024-01-01' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'InvalidApiVersion'
+            }
+        }
+
+        It 'Parameter -ApiVersion "2024-01-01" passes local format validation and reaches /user header' {
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/actions/permissions$' } {
+                [PSCustomObject]@{ Content = '{}'; StatusCode = 200 }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/memberships/' } {
+                [PSCustomObject]@{ Content = '{"state":"active","role":"admin"}' }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/user$' } {
+                [PSCustomObject]@{ Content = '{"login":"testuser"}' }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/orgs/[^/]+$' } {
+                [PSCustomObject]@{ Content = '{"login":"myorg"}' }
+            }
+
+            Connect-MtGitHub -Organization 'myorg' -ApiVersion '2024-01-01' 3>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected  | Should -BeTrue
+                $c.ApiVersion | Should -Be '2024-01-01'
+                $__MtSession.GitHubAuthHeader['X-GitHub-Api-Version'] | Should -Be '2024-01-01'
+            }
+        }
+    }
+
+    Context 'Whitespace trimming on resolved values' {
+        BeforeEach {
+            $env:MAESTER_GITHUB_TOKEN = 'valid-token'
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/actions/permissions$' } {
+                [PSCustomObject]@{ Content = '{}'; StatusCode = 200 }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/memberships/' } {
+                [PSCustomObject]@{ Content = '{"state":"active","role":"admin"}' }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/user$' } {
+                [PSCustomObject]@{ Content = '{"login":"testuser"}' }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/orgs/[^/]+$' } {
+                [PSCustomObject]@{ Content = '{"login":"myorg"}' }
+            }
+        }
+
+        It 'Trims surrounding whitespace from -Organization parameter' {
+            Connect-MtGitHub -Organization "  myorg`t" 3>$null
+
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection.Connected    | Should -BeTrue
+                $__MtSession.GitHubConnection.Organization | Should -Be 'myorg'
+            }
+            # Probe URIs must use the trimmed org, not URL-encoded whitespace.
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Times 1 -ParameterFilter {
+                $Uri -eq 'https://api.github.com/orgs/myorg'
+            }
+        }
+
+        It 'Trims surrounding whitespace from config-supplied GitHubOrganization' {
+            InModuleScope Maester {
+                $__MtSession.MaesterConfig = [PSCustomObject]@{
+                    GlobalSettings = [PSCustomObject]@{
+                        GitHubOrganization = "  myorg `n"
+                    }
+                }
+            }
+
+            Connect-MtGitHub 3>$null
+
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection.Connected    | Should -BeTrue
+                $__MtSession.GitHubConnection.Organization | Should -Be 'myorg'
+            }
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Times 1 -ParameterFilter {
+                $Uri -eq 'https://api.github.com/orgs/myorg'
+            }
+        }
+
+        It 'Trims surrounding whitespace from -ApiVersion parameter before validation' {
+            Connect-MtGitHub -Organization 'myorg' -ApiVersion "  2024-01-01`t" 3>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected  | Should -BeTrue
+                $c.ApiVersion | Should -Be '2024-01-01'
+                $__MtSession.GitHubAuthHeader['X-GitHub-Api-Version'] | Should -Be '2024-01-01'
+            }
+        }
+
+        It 'Trims surrounding whitespace from config-supplied GitHubApiVersion before validation' {
+            InModuleScope Maester {
+                $__MtSession.MaesterConfig = [PSCustomObject]@{
+                    GlobalSettings = [PSCustomObject]@{
+                        GitHubApiVersion = " 2024-06-01 "
+                    }
+                }
+            }
+
+            Connect-MtGitHub -Organization 'myorg' 3>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected  | Should -BeTrue
+                $c.ApiVersion | Should -Be '2024-06-01'
+            }
+        }
+
+        It 'Trims surrounding whitespace from -ApiBaseUri parameter before validation' {
+            Connect-MtGitHub -Organization 'myorg' -ApiBaseUri ' https://api.github.com ' 3>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected  | Should -BeTrue
+                $c.ApiBaseUri | Should -Be 'https://api.github.com'
+            }
+            # Probe URI must be clean — no URL-encoded whitespace prefix/suffix that would 404.
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Times 1 -ParameterFilter {
+                $Uri -eq 'https://api.github.com/user'
+            }
+        }
+
+        It 'Trims surrounding whitespace from -ApiBaseUri parameter combined with trailing slash' {
+            Connect-MtGitHub -Organization 'myorg' -ApiBaseUri 'https://api.github.com/ ' 3>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected  | Should -BeTrue
+                $c.ApiBaseUri | Should -Be 'https://api.github.com'
+            }
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Times 1 -ParameterFilter {
+                $Uri -eq 'https://api.github.com/user'
+            }
+        }
+
+        It 'Trims surrounding whitespace from config-supplied GitHubApiBaseUri before validation' {
+            InModuleScope Maester {
+                $__MtSession.MaesterConfig = [PSCustomObject]@{
+                    GlobalSettings = [PSCustomObject]@{
+                        GitHubApiBaseUri = ' https://api.github.com/ '
+                    }
+                }
+            }
+
+            Connect-MtGitHub -Organization 'myorg' 3>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected  | Should -BeTrue
+                $c.ApiBaseUri | Should -Be 'https://api.github.com'
+            }
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Times 1 -ParameterFilter {
+                $Uri -eq 'https://api.github.com/user'
+            }
+        }
+    }
+}
diff --git a/powershell/tests/functions/Disconnect-Maester.Tests.ps1 b/powershell/tests/functions/Disconnect-Maester.Tests.ps1
new file mode 100644
index 000000000..5c2bcb751
--- /dev/null
+++ b/powershell/tests/functions/Disconnect-Maester.Tests.ps1
@@ -0,0 +1,112 @@
+BeforeAll {
+    Import-Module "$PSScriptRoot/../../Maester.psd1" -Force
+}
+
+Describe 'Disconnect-Maester — GitHub cleanup branch' {
+    BeforeEach {
+        InModuleScope Maester {
+            $__MtSession.Connections      = @()
+            $__MtSession.GitHubConnection = $null
+            $__MtSession.GitHubAuthHeader = $null
+            $__MtSession.GitHubCache      = @{}
+        }
+    }
+
+    AfterEach {
+        InModuleScope Maester {
+            $__MtSession.Connections      = @()
+            $__MtSession.GitHubConnection = $null
+            $__MtSession.GitHubAuthHeader = $null
+            $__MtSession.GitHubCache      = @{}
+        }
+    }
+
+    Context 'Default name (Disconnect-Maester)' {
+        It 'Clears all three GitHub session keys' {
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $true; Organization = 'myorg' }
+                $__MtSession.GitHubAuthHeader = @{ Authorization = 'Bearer token' }
+                $__MtSession.GitHubCache      = @{ 'foo' = 'bar' }
+            }
+            Disconnect-Maester 6>$null
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection | Should -BeNullOrEmpty
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+                $__MtSession.GitHubCache.Count | Should -Be 0
+            }
+        }
+    }
+
+    Context 'Module-qualified invocation (Maester\Disconnect-Maester)' {
+        It 'Clears all three GitHub session keys' {
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $true; Organization = 'myorg' }
+                $__MtSession.GitHubAuthHeader = @{ Authorization = 'Bearer token' }
+                $__MtSession.GitHubCache      = @{ 'foo' = 'bar' }
+            }
+            Maester\Disconnect-Maester 6>$null
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection  | Should -BeNullOrEmpty
+                $__MtSession.GitHubAuthHeader  | Should -BeNullOrEmpty
+                $__MtSession.GitHubCache.Count | Should -Be 0
+            }
+        }
+    }
+
+    Context 'Disconnect-MtMaester alias' {
+        It 'Clears GitHub state' {
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $true; Organization = 'myorg' }
+                $__MtSession.GitHubAuthHeader = @{ Authorization = 'Bearer token' }
+            }
+            Disconnect-MtMaester 6>$null
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection | Should -BeNullOrEmpty
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+        }
+    }
+
+    Context 'Disconnect-MtGraph alias' {
+        It 'Does NOT clear GitHub state (Graph-only semantic)' {
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $true; Organization = 'myorg' }
+                $__MtSession.GitHubAuthHeader = @{ Authorization = 'Bearer token' }
+            }
+            Disconnect-MtGraph 6>$null
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection | Should -Not -BeNullOrEmpty
+                $__MtSession.GitHubConnection.Organization | Should -Be 'myorg'
+                $__MtSession.GitHubAuthHeader | Should -Not -BeNullOrEmpty
+                $__MtSession.GitHubAuthHeader['Authorization'] | Should -Be 'Bearer token'
+            }
+        }
+    }
+
+    Context 'When Graph disconnect throws' {
+        It 'Still clears GitHub state and rethrows the original exception' {
+            InModuleScope Maester {
+                $__MtSession.Connections      = @('Graph')
+                $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $true; Organization = 'myorg' }
+                $__MtSession.GitHubAuthHeader = @{ Authorization = 'Bearer token' }
+                $__MtSession.GitHubCache      = @{ 'foo' = 'bar' }
+            }
+            Mock Disconnect-MgGraph -ModuleName Maester { throw 'Graph disconnect blew up' }
+
+            { Disconnect-Maester 6>$null } | Should -Throw '*Graph disconnect blew up*'
+
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection  | Should -BeNullOrEmpty
+                $__MtSession.GitHubAuthHeader  | Should -BeNullOrEmpty
+                $__MtSession.GitHubCache.Count | Should -Be 0
+            }
+        }
+    }
+
+    Context 'When no GitHub state exists' {
+        It 'Produces no GitHub-related host output' {
+            $hostOutput = Disconnect-Maester 6>&1 | Out-String
+            $hostOutput | Should -Not -Match 'Disconnected from GitHub'
+        }
+    }
+}
diff --git a/powershell/tests/functions/Disconnect-MtGitHub.Tests.ps1 b/powershell/tests/functions/Disconnect-MtGitHub.Tests.ps1
new file mode 100644
index 000000000..01a4f4e28
--- /dev/null
+++ b/powershell/tests/functions/Disconnect-MtGitHub.Tests.ps1
@@ -0,0 +1,51 @@
+BeforeAll {
+    Import-Module "$PSScriptRoot/../../Maester.psd1" -Force
+}
+
+Describe 'Disconnect-MtGitHub' {
+    BeforeEach {
+        InModuleScope Maester {
+            $__MtSession.GitHubConnection = $null
+            $__MtSession.GitHubAuthHeader = $null
+            $__MtSession.GitHubCache      = @{}
+        }
+    }
+
+    AfterEach {
+        InModuleScope Maester {
+            $__MtSession.GitHubConnection = $null
+            $__MtSession.GitHubAuthHeader = $null
+            $__MtSession.GitHubCache      = @{}
+        }
+    }
+
+    Context 'When GitHub state is set' {
+        It 'Clears GitHubConnection, GitHubAuthHeader, and GitHubCache' {
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $true; Organization = 'myorg' }
+                $__MtSession.GitHubAuthHeader = @{ Authorization = 'Bearer token' }
+                $__MtSession.GitHubCache      = @{ 'foo' = 'bar' }
+            }
+            Disconnect-MtGitHub 6>$null
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection | Should -BeNullOrEmpty
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+                $__MtSession.GitHubCache.Count | Should -Be 0
+            }
+        }
+    }
+
+    Context 'When GitHub state is already null' {
+        It 'Does not throw' {
+            { Disconnect-MtGitHub 6>$null } | Should -Not -Throw
+        }
+
+        It 'Leaves session keys null' {
+            Disconnect-MtGitHub 6>$null
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection | Should -BeNullOrEmpty
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+        }
+    }
+}
diff --git a/powershell/tests/functions/Get-MtGitHubRateLimitMessage.Tests.ps1 b/powershell/tests/functions/Get-MtGitHubRateLimitMessage.Tests.ps1
new file mode 100644
index 000000000..10827b680
--- /dev/null
+++ b/powershell/tests/functions/Get-MtGitHubRateLimitMessage.Tests.ps1
@@ -0,0 +1,141 @@
+BeforeAll {
+    Import-Module "$PSScriptRoot/../../Maester.psd1" -Force
+}
+
+Describe 'Get-MtGitHubRateLimitMessage' {
+    function New-RateLimitErrorRecord {
+        param(
+            [int] $StatusCode,
+            [hashtable] $Headers
+        )
+        $resp = [PSCustomObject]@{ StatusCode = $StatusCode; Headers = $Headers }
+        $ex = [System.Exception]::new("HTTP $StatusCode")
+        Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $resp
+        # An ErrorRecord wrapping the exception is what the helper expects.
+        [System.Management.Automation.ErrorRecord]::new($ex, "TestId", [System.Management.Automation.ErrorCategory]::NotSpecified, $null)
+    }
+
+    Context 'Non-rate-limit responses' {
+        It 'Returns $null for status codes outside 403/429' {
+            InModuleScope Maester {
+                $resp = [PSCustomObject]@{ StatusCode = 500; Headers = @{} }
+                $ex = [System.Exception]::new('Server error')
+                Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $resp
+                $err = [System.Management.Automation.ErrorRecord]::new($ex, 'id', 'NotSpecified', $null)
+                Get-MtGitHubRateLimitMessage -ErrorRecord $err | Should -BeNullOrEmpty
+            }
+        }
+
+        It 'Returns $null for 403 without rate-limit headers' {
+            InModuleScope Maester {
+                $resp = [PSCustomObject]@{ StatusCode = 403; Headers = @{} }
+                $ex = [System.Exception]::new('Forbidden')
+                Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $resp
+                $err = [System.Management.Automation.ErrorRecord]::new($ex, 'id', 'NotSpecified', $null)
+                Get-MtGitHubRateLimitMessage -ErrorRecord $err | Should -BeNullOrEmpty
+            }
+        }
+    }
+
+    Context 'Malformed headers' {
+        It 'Returns $null when x-ratelimit-remaining is not a number and no retry-after header is set' {
+            InModuleScope Maester {
+                $resp = [PSCustomObject]@{
+                    StatusCode = 403
+                    Headers    = @{ 'x-ratelimit-remaining' = 'not-a-number' }
+                }
+                $ex = [System.Exception]::new('Forbidden')
+                Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $resp
+                $err = [System.Management.Automation.ErrorRecord]::new($ex, 'id', 'NotSpecified', $null)
+                { Get-MtGitHubRateLimitMessage -ErrorRecord $err } | Should -Not -Throw
+                Get-MtGitHubRateLimitMessage -ErrorRecord $err | Should -BeNullOrEmpty
+            }
+        }
+
+        It 'Returns primary rate-limit message with "Resets at: unknown" when remaining is 0 and reset is malformed' {
+            InModuleScope Maester {
+                $resp = [PSCustomObject]@{
+                    StatusCode = 403
+                    Headers    = @{ 'x-ratelimit-remaining' = '0'; 'x-ratelimit-reset' = 'not-a-number' }
+                }
+                $ex = [System.Exception]::new('Forbidden')
+                Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $resp
+                $err = [System.Management.Automation.ErrorRecord]::new($ex, 'id', 'NotSpecified', $null)
+                $msg = Get-MtGitHubRateLimitMessage -ErrorRecord $err
+                $msg | Should -Match 'rate limit'
+                $msg | Should -Match 'Resets at: unknown'
+            }
+        }
+    }
+
+    Context 'Valid rate-limit headers' {
+        It 'Returns primary rate-limit message with parsed reset time when remaining=0 and reset is valid' {
+            InModuleScope Maester {
+                $resp = [PSCustomObject]@{
+                    StatusCode = 403
+                    Headers    = @{ 'x-ratelimit-remaining' = '0'; 'x-ratelimit-reset' = '9999999999' }
+                }
+                $ex = [System.Exception]::new('Forbidden')
+                Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $resp
+                $err = [System.Management.Automation.ErrorRecord]::new($ex, 'id', 'NotSpecified', $null)
+                $msg = Get-MtGitHubRateLimitMessage -ErrorRecord $err
+                $msg | Should -Match '^GitHub API rate limit encountered \(HTTP 403\)\. Resets at: '
+                $msg | Should -Not -Match 'unknown'
+            }
+        }
+
+        It 'Returns secondary rate-limit message when retry-after is present' {
+            InModuleScope Maester {
+                $resp = [PSCustomObject]@{
+                    StatusCode = 429
+                    Headers    = @{ 'retry-after' = '30' }
+                }
+                $ex = [System.Exception]::new('Too Many Requests')
+                Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $resp
+                $err = [System.Management.Automation.ErrorRecord]::new($ex, 'id', 'NotSpecified', $null)
+                $msg = Get-MtGitHubRateLimitMessage -ErrorRecord $err
+                $msg | Should -Match 'secondary rate limit'
+                $msg | Should -Match 'Retry after: 30s'
+            }
+        }
+    }
+
+    Context 'Body-fallback secondary rate-limit detection' {
+        It 'Returns secondary rate-limit message for 403 when body mentions secondary rate limit and no retry-after header is present' {
+            InModuleScope Maester {
+                $resp = [PSCustomObject]@{ StatusCode = 403; Headers = @{} }
+                $ex = [System.Exception]::new('Forbidden')
+                Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $resp
+                $err = [System.Management.Automation.ErrorRecord]::new($ex, 'id', 'NotSpecified', $null)
+                $err.ErrorDetails = [System.Management.Automation.ErrorDetails]::new('{"message":"You have exceeded a secondary rate limit. Please wait a few minutes before you try again."}')
+                $msg = Get-MtGitHubRateLimitMessage -ErrorRecord $err
+                $msg | Should -Match '^GitHub secondary rate limit encountered \(HTTP 403\)\.'
+                $msg | Should -Match 'Retry after at least 60s'
+            }
+        }
+
+        It 'Returns secondary rate-limit message for 429 when body mentions abuse detection and no retry-after header is present' {
+            InModuleScope Maester {
+                $resp = [PSCustomObject]@{ StatusCode = 429; Headers = @{} }
+                $ex = [System.Exception]::new('Too Many Requests')
+                Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $resp
+                $err = [System.Management.Automation.ErrorRecord]::new($ex, 'id', 'NotSpecified', $null)
+                $err.ErrorDetails = [System.Management.Automation.ErrorDetails]::new('{"message":"Triggered abuse detection mechanism."}')
+                $msg = Get-MtGitHubRateLimitMessage -ErrorRecord $err
+                $msg | Should -Match '^GitHub secondary rate limit encountered \(HTTP 429\)\.'
+                $msg | Should -Match 'Retry after at least 60s'
+            }
+        }
+
+        It 'Still returns $null for 403 when body has unrelated message and no rate-limit headers' {
+            InModuleScope Maester {
+                $resp = [PSCustomObject]@{ StatusCode = 403; Headers = @{} }
+                $ex = [System.Exception]::new('Forbidden')
+                Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $resp
+                $err = [System.Management.Automation.ErrorRecord]::new($ex, 'id', 'NotSpecified', $null)
+                $err.ErrorDetails = [System.Management.Automation.ErrorDetails]::new('{"message":"Resource not accessible by personal access token"}')
+                Get-MtGitHubRateLimitMessage -ErrorRecord $err | Should -BeNullOrEmpty
+            }
+        }
+    }
+}
diff --git a/powershell/tests/functions/Get-MtGitHubResponseHeaderValue.Tests.ps1 b/powershell/tests/functions/Get-MtGitHubResponseHeaderValue.Tests.ps1
new file mode 100644
index 000000000..60e582b05
--- /dev/null
+++ b/powershell/tests/functions/Get-MtGitHubResponseHeaderValue.Tests.ps1
@@ -0,0 +1,99 @@
+BeforeAll {
+    Import-Module "$PSScriptRoot/../../Maester.psd1" -Force
+}
+
+Describe 'Get-MtGitHubResponseHeaderValue' {
+    Context 'Null headers' {
+        It 'Returns $null when Headers is $null' {
+            InModuleScope Maester {
+                Get-MtGitHubResponseHeaderValue -Headers $null -Name 'x-ratelimit-remaining' | Should -BeNullOrEmpty
+            }
+        }
+    }
+
+    Context 'IDictionary headers (PS 5.1 WebHeaderCollection style)' {
+        It 'Returns value for exact-case match' {
+            InModuleScope Maester {
+                $headers = @{ 'x-ratelimit-remaining' = '42' }
+                Get-MtGitHubResponseHeaderValue -Headers $headers -Name 'x-ratelimit-remaining' | Should -Be '42'
+            }
+        }
+
+        It 'Returns value for different-case header name' {
+            InModuleScope Maester {
+                $headers = @{ 'X-RateLimit-Remaining' = '10' }
+                Get-MtGitHubResponseHeaderValue -Headers $headers -Name 'x-ratelimit-remaining' | Should -Be '10'
+            }
+        }
+
+        It 'Returns first element when header value is an array' {
+            InModuleScope Maester {
+                $headers = @{ 'Link' = @('<https://api.github.com/next>; rel="next"', '<https://api.github.com/last>; rel="last"') }
+                $result = Get-MtGitHubResponseHeaderValue -Headers $headers -Name 'Link'
+                $result | Should -Be '<https://api.github.com/next>; rel="next"'
+            }
+        }
+
+        It 'Returns $null when header is not present' {
+            InModuleScope Maester {
+                $headers = @{ 'content-type' = 'application/json' }
+                Get-MtGitHubResponseHeaderValue -Headers $headers -Name 'x-ratelimit-remaining' | Should -BeNullOrEmpty
+            }
+        }
+    }
+
+    Context 'HttpResponseHeaders with GetValues (PS 7 style)' {
+        It 'Returns value when GetValues succeeds' {
+            InModuleScope Maester {
+                $headers = [PSCustomObject]@{}
+                $headers | Add-Member -MemberType ScriptMethod -Name GetValues -Value {
+                    param([string]$name)
+                    if ($name -eq 'x-ratelimit-reset') { return @('1700000000') }
+                    throw "Header '$name' not found"
+                }
+                $result = Get-MtGitHubResponseHeaderValue -Headers $headers -Name 'x-ratelimit-reset'
+                $result | Should -Be '1700000000'
+            }
+        }
+
+        It 'Returns $null when GetValues throws for unknown header' {
+            InModuleScope Maester {
+                $headers = [PSCustomObject]@{}
+                $headers | Add-Member -MemberType ScriptMethod -Name GetValues -Value {
+                    param([string]$name)
+                    throw "Header '$name' not found"
+                }
+                Get-MtGitHubResponseHeaderValue -Headers $headers -Name 'x-ratelimit-remaining' | Should -BeNullOrEmpty
+            }
+        }
+    }
+
+    Context 'HttpResponseHeaders with TryGetValues (PS 7 style)' {
+        It 'Returns value when TryGetValues succeeds' {
+            InModuleScope Maester {
+                $headers = [PSCustomObject]@{}
+                $headers | Add-Member -MemberType ScriptMethod -Name TryGetValues -Value {
+                    param([string]$name, [ref]$values)
+                    if ($name -eq 'retry-after') {
+                        $values.Value = @('30')
+                        return $true
+                    }
+                    return $false
+                }
+                $result = Get-MtGitHubResponseHeaderValue -Headers $headers -Name 'retry-after'
+                $result | Should -Be '30'
+            }
+        }
+
+        It 'Returns $null when TryGetValues returns false' {
+            InModuleScope Maester {
+                $headers = [PSCustomObject]@{}
+                $headers | Add-Member -MemberType ScriptMethod -Name TryGetValues -Value {
+                    param([string]$name, [ref]$values)
+                    return $false
+                }
+                Get-MtGitHubResponseHeaderValue -Headers $headers -Name 'x-ratelimit-remaining' | Should -BeNullOrEmpty
+            }
+        }
+    }
+}
diff --git a/powershell/tests/functions/Get-MtSession.Tests.ps1 b/powershell/tests/functions/Get-MtSession.Tests.ps1
new file mode 100644
index 000000000..4205b3e4f
--- /dev/null
+++ b/powershell/tests/functions/Get-MtSession.Tests.ps1
@@ -0,0 +1,143 @@
+BeforeAll {
+    Import-Module "$PSScriptRoot/../../Maester.psd1" -Force
+}
+
+Describe 'Get-MtSession — GitHubAuthHeader redaction' {
+    BeforeEach {
+        InModuleScope Maester {
+            $__MtSession.GitHubAuthHeader = $null
+        }
+    }
+
+    AfterEach {
+        InModuleScope Maester {
+            $__MtSession.GitHubAuthHeader = $null
+        }
+    }
+
+    Context 'When GitHubAuthHeader is null' {
+        It 'Returns null without error' {
+            $result = Get-MtSession
+            $result.GitHubAuthHeader | Should -BeNullOrEmpty
+        }
+    }
+
+    Context 'When GitHubAuthHeader is a hashtable with Authorization (PascalCase)' {
+        It 'Redacts Authorization and preserves other headers' {
+            InModuleScope Maester {
+                $__MtSession.GitHubAuthHeader = @{
+                    Authorization          = 'Bearer ghp_realtoken123'
+                    Accept                 = 'application/vnd.github+json'
+                    'X-GitHub-Api-Version' = '2022-11-28'
+                    'User-Agent'           = 'Maester-GitHubCis'
+                }
+            }
+            $result = Get-MtSession
+            $result.GitHubAuthHeader | Should -BeOfType [System.Collections.IDictionary]
+            $result.GitHubAuthHeader['Authorization']          | Should -Be '<redacted>'
+            $result.GitHubAuthHeader['Accept']                 | Should -Be 'application/vnd.github+json'
+            $result.GitHubAuthHeader['X-GitHub-Api-Version']   | Should -Be '2022-11-28'
+            $result.GitHubAuthHeader['User-Agent']             | Should -Be 'Maester-GitHubCis'
+        }
+    }
+
+    Context 'When GitHubAuthHeader has lowercase authorization key' {
+        It 'Redacts the lowercase key and leaves no token in any value' {
+            InModuleScope Maester {
+                $__MtSession.GitHubAuthHeader = @{
+                    authorization = 'Bearer ghp_realtoken123'
+                    Accept        = 'application/vnd.github+json'
+                }
+            }
+            $result = Get-MtSession
+            $result.GitHubAuthHeader['authorization'] | Should -Be '<redacted>'
+            foreach ($v in $result.GitHubAuthHeader.Values) {
+                $v | Should -Not -Be 'Bearer ghp_realtoken123'
+            }
+        }
+    }
+
+    Context 'When GitHubAuthHeader has uppercase AUTHORIZATION key' {
+        It 'Redacts the uppercase key' {
+            InModuleScope Maester {
+                $__MtSession.GitHubAuthHeader = @{
+                    AUTHORIZATION = 'Bearer ghp_realtoken123'
+                    Accept        = 'application/vnd.github+json'
+                }
+            }
+            $result = Get-MtSession
+            $result.GitHubAuthHeader['AUTHORIZATION'] | Should -Be '<redacted>'
+            foreach ($v in $result.GitHubAuthHeader.Values) {
+                $v | Should -Not -Be 'Bearer ghp_realtoken123'
+            }
+        }
+    }
+
+    Context 'When GitHubAuthHeader has BOTH Authorization and authorization' {
+        It 'Redacts every Authorization-like key' {
+            InModuleScope Maester {
+                $h = [ordered]@{}
+                $h['Authorization'] = 'Bearer ghp_realtoken123'
+                $h['authorization'] = 'Bearer ghp_realtoken123'
+                $h['Accept']        = 'application/vnd.github+json'
+                $__MtSession.GitHubAuthHeader = $h
+            }
+            $result = Get-MtSession
+            $result.GitHubAuthHeader['Authorization'] | Should -Be '<redacted>'
+            $result.GitHubAuthHeader['authorization'] | Should -Be '<redacted>'
+            foreach ($v in $result.GitHubAuthHeader.Values) {
+                $v | Should -Not -Be 'Bearer ghp_realtoken123'
+            }
+        }
+    }
+
+    Context 'When GitHubAuthHeader is an OrderedDictionary' {
+        It 'Redacts Authorization and preserves remaining keys' {
+            InModuleScope Maester {
+                $h = [ordered]@{}
+                $h['Authorization']        = 'Bearer ghp_realtoken123'
+                $h['Accept']               = 'application/vnd.github+json'
+                $h['X-GitHub-Api-Version'] = '2022-11-28'
+                $__MtSession.GitHubAuthHeader = $h
+            }
+            $result = Get-MtSession
+            $result.GitHubAuthHeader | Should -BeOfType [System.Collections.IDictionary]
+            $result.GitHubAuthHeader['Authorization']        | Should -Be '<redacted>'
+            $result.GitHubAuthHeader['Accept']               | Should -Be 'application/vnd.github+json'
+            $result.GitHubAuthHeader['X-GitHub-Api-Version'] | Should -Be '2022-11-28'
+        }
+    }
+
+    Context 'When GitHubAuthHeader is an unsupported non-null shape' {
+        It 'Replaces the entire value with the redacted sentinel string (fail-closed)' {
+            InModuleScope Maester {
+                $__MtSession.GitHubAuthHeader = 'Bearer ghp_realtoken123'
+            }
+            $result = Get-MtSession
+            $result.GitHubAuthHeader | Should -Be '<redacted>'
+        }
+
+        It 'Replaces a PSCustomObject auth-like blob with the redacted sentinel string' {
+            InModuleScope Maester {
+                $__MtSession.GitHubAuthHeader = [PSCustomObject]@{ Authorization = 'Bearer ghp_realtoken123' }
+            }
+            $result = Get-MtSession
+            $result.GitHubAuthHeader | Should -Be '<redacted>'
+        }
+    }
+
+    Context 'Live session is not mutated by Get-MtSession' {
+        It 'Leaves $__MtSession.GitHubAuthHeader.Authorization intact for internal callers' {
+            InModuleScope Maester {
+                $__MtSession.GitHubAuthHeader = @{
+                    Authorization = 'Bearer ghp_realtoken123'
+                    Accept        = 'application/vnd.github+json'
+                }
+            }
+            Get-MtSession | Out-Null
+            InModuleScope Maester {
+                $__MtSession.GitHubAuthHeader['Authorization'] | Should -Be 'Bearer ghp_realtoken123'
+            }
+        }
+    }
+}
diff --git a/powershell/tests/functions/Invoke-MtGitHubRequest.Tests.ps1 b/powershell/tests/functions/Invoke-MtGitHubRequest.Tests.ps1
new file mode 100644
index 000000000..6ab230053
--- /dev/null
+++ b/powershell/tests/functions/Invoke-MtGitHubRequest.Tests.ps1
@@ -0,0 +1,322 @@
+BeforeAll {
+    Import-Module "$PSScriptRoot/../../Maester.psd1" -Force
+}
+
+Describe 'Invoke-MtGitHubRequest' {
+    BeforeEach {
+        InModuleScope Maester {
+            $__MtSession.GitHubConnection = [PSCustomObject]@{
+                Connected    = $true
+                Organization = 'myorg'
+                ApiBaseUri   = 'https://api.github.com'
+                ApiVersion   = '2022-11-28'
+            }
+            $__MtSession.GitHubAuthHeader = @{ Authorization = 'Bearer faketoken' }
+            $__MtSession.GitHubCache      = @{}
+        }
+    }
+
+    AfterEach {
+        InModuleScope Maester {
+            $__MtSession.GitHubConnection = $null
+            $__MtSession.GitHubAuthHeader = $null
+            $__MtSession.GitHubCache      = @{}
+        }
+    }
+
+    Context 'Connection guard' {
+        It 'Throws when GitHubConnection is null' {
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection = $null
+                { Invoke-MtGitHubRequest '/orgs/myorg' } | Should -Throw '*Connect-MtGitHub*'
+            }
+        }
+
+        It 'Throws when Connected = $false' {
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $false }
+                { Invoke-MtGitHubRequest '/orgs/myorg' } | Should -Throw '*Connect-MtGitHub*'
+            }
+        }
+    }
+
+    Context 'Cache behavior' {
+        BeforeEach {
+            Mock Invoke-WebRequest -ModuleName Maester {
+                [PSCustomObject]@{ Content = '{"login":"myorg"}'; Headers = @{} }
+            }
+        }
+
+        It 'Returns cached result; Invoke-WebRequest called only once for two identical calls' {
+            InModuleScope Maester {
+                Invoke-MtGitHubRequest '/orgs/myorg' | Out-Null
+                Invoke-MtGitHubRequest '/orgs/myorg' | Out-Null
+            }
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Exactly -Times 1
+        }
+
+        It 'Cache key is ApiVersion|absoluteUri' {
+            InModuleScope Maester {
+                Invoke-MtGitHubRequest '/orgs/myorg' | Out-Null
+                $expectedKey = '2022-11-28|https://api.github.com/orgs/myorg'
+                $__MtSession.GitHubCache.ContainsKey($expectedKey) | Should -BeTrue
+            }
+        }
+
+        It 'Stores result in cache on successful call (no -DisableCache)' {
+            InModuleScope Maester {
+                $result = Invoke-MtGitHubRequest '/orgs/myorg'
+                $result.login | Should -Be 'myorg'
+                $__MtSession.GitHubCache.Count | Should -Be 1
+                $cacheKey = '2022-11-28|https://api.github.com/orgs/myorg'
+                $__MtSession.GitHubCache[$cacheKey].login | Should -Be 'myorg'
+            }
+        }
+
+        It '-DisableCache bypasses existing cache entry and does NOT store result' {
+            InModuleScope Maester {
+                $cacheKey = '2022-11-28|https://api.github.com/orgs/myorg'
+                $__MtSession.GitHubCache[$cacheKey] = [PSCustomObject]@{ login = 'cached-value' }
+
+                $result = Invoke-MtGitHubRequest '/orgs/myorg' -DisableCache
+
+                # Web request was made (bypassed cache)
+                $result.login | Should -Be 'myorg'
+                # Original cache entry is untouched (not overwritten)
+                $__MtSession.GitHubCache[$cacheKey].login | Should -Be 'cached-value'
+            }
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Exactly -Times 1
+        }
+    }
+
+    Context 'Non-paginated request' {
+        It 'Returns single object body without -Paginate' {
+            Mock Invoke-WebRequest -ModuleName Maester {
+                [PSCustomObject]@{ Content = '{"login":"myorg","plan":{"name":"enterprise"}}'; Headers = @{} }
+            }
+            InModuleScope Maester {
+                $result = Invoke-MtGitHubRequest '/orgs/myorg'
+                $result.login | Should -Be 'myorg'
+            }
+        }
+    }
+
+    Context 'Pagination' {
+        It 'Follows Link rel=next until no next link; returns all items combined' {
+            # [?&]page= matches ?page= or &page= but NOT per_page= (per_page contains 'page=' at offset 4)
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -notmatch '[?&]page=\d' } {
+                [PSCustomObject]@{
+                    Content = '[{"id":1},{"id":2}]'
+                    Headers = @{ 'Link' = '<https://api.github.com/orgs/myorg/members?page=2>; rel="next"' }
+                }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '[?&]page=\d' } {
+                [PSCustomObject]@{ Content = '[{"id":3}]'; Headers = @{} }
+            }
+
+            InModuleScope Maester {
+                $result = Invoke-MtGitHubRequest '/orgs/myorg/members' -Paginate
+                $result.Count | Should -Be 3
+                $result[2].id | Should -Be 3
+            }
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Exactly -Times 2
+        }
+    }
+
+    Context 'Pagination of empty arrays' {
+        It 'Returns an empty result (count 0) when the only page is `[]` with no next link' {
+            Mock Invoke-WebRequest -ModuleName Maester {
+                [PSCustomObject]@{ Content = '[]'; Headers = @{} }
+            }
+            InModuleScope Maester {
+                $result = Invoke-MtGitHubRequest '/orgs/myorg/members' -Paginate
+                @($result).Count | Should -Be 0
+                # Must not contain a spurious $null item (the regression case).
+                @($result) -contains $null | Should -BeFalse
+            }
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Exactly -Times 1
+        }
+
+        It 'Skips an empty intermediate page without contributing $null items' {
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -notmatch '[?&]page=\d' } {
+                [PSCustomObject]@{
+                    Content = '[]'
+                    Headers = @{ 'Link' = '<https://api.github.com/orgs/myorg/members?page=2>; rel="next"' }
+                }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '[?&]page=\d' } {
+                [PSCustomObject]@{ Content = '[{"id":7}]'; Headers = @{} }
+            }
+            InModuleScope Maester {
+                $result = Invoke-MtGitHubRequest '/orgs/myorg/members' -Paginate
+                @($result).Count | Should -Be 1
+                @($result)[0].id | Should -Be 7
+                @($result) -contains $null | Should -BeFalse
+            }
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Exactly -Times 2
+        }
+
+        It 'Non-paginated `[]` response does not return a single $null item' {
+            Mock Invoke-WebRequest -ModuleName Maester {
+                [PSCustomObject]@{ Content = '[]'; Headers = @{} }
+            }
+            InModuleScope Maester {
+                $result = Invoke-MtGitHubRequest '/orgs/myorg/members'
+                @($result).Count | Should -Be 0
+                @($result) -contains $null | Should -BeFalse
+            }
+        }
+    }
+
+    Context 'Pagination cross-origin guard' {
+        It 'Throws and stops paginating when next link is on a different origin' {
+            Mock Invoke-WebRequest -ModuleName Maester {
+                [PSCustomObject]@{
+                    Content = '[{"id":1}]'
+                    Headers = @{ 'Link' = '<https://evil.example/orgs/myorg/members?page=2>; rel="next"' }
+                }
+            }
+            InModuleScope Maester {
+                { Invoke-MtGitHubRequest '/orgs/myorg/members' -Paginate } |
+                    Should -Throw '*outside the configured ApiBaseUri*'
+            }
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Exactly -Times 1
+        }
+
+        It 'Allows a same-origin next link with a base path prefix (GHE-style /api/v3)' {
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection.ApiBaseUri = 'https://ghe.example.com/api/v3'
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -notmatch '[?&]page=\d' } {
+                [PSCustomObject]@{
+                    Content = '[{"id":1}]'
+                    Headers = @{ 'Link' = '<https://ghe.example.com/api/v3/orgs/myorg/members?page=2>; rel="next"' }
+                }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '[?&]page=\d' } {
+                [PSCustomObject]@{ Content = '[{"id":2}]'; Headers = @{} }
+            }
+            InModuleScope Maester {
+                $result = Invoke-MtGitHubRequest '/orgs/myorg/members' -Paginate
+                $result.Count | Should -Be 2
+            }
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Exactly -Times 2
+        }
+    }
+
+    Context 'Rate limit handling' {
+        It 'Emits verbose message when x-ratelimit-remaining is 0 on successful response' {
+            Mock Invoke-WebRequest -ModuleName Maester {
+                [PSCustomObject]@{
+                    Content = '{"login":"myorg"}'
+                    Headers = @{ 'x-ratelimit-remaining' = '0'; 'x-ratelimit-reset' = '9999999999' }
+                }
+            }
+            InModuleScope Maester {
+                $allOutput   = Invoke-MtGitHubRequest '/orgs/myorg' -Verbose 4>&1
+                $verboseMsgs = ($allOutput | Where-Object { $_ -is [System.Management.Automation.VerboseRecord] }).Message
+                $verboseMsgs | Should -Match 'rate limit'
+            }
+        }
+
+        It 'Throws on primary rate-limit exhaustion (HTTP 403, remaining = 0)' {
+            Mock Invoke-WebRequest -ModuleName Maester {
+                $fakeResp = [PSCustomObject]@{
+                    StatusCode = 403
+                    Headers    = @{ 'x-ratelimit-remaining' = '0'; 'x-ratelimit-reset' = '9999999999' }
+                }
+                $ex = [System.Exception]::new('Forbidden')
+                Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $fakeResp
+                throw $ex
+            }
+            InModuleScope Maester {
+                { Invoke-MtGitHubRequest '/orgs/myorg' } | Should -Throw '*rate limit*'
+            }
+        }
+
+        It 'Rethrows ordinary 403 without rate-limit headers as the original error (not a rate-limit message)' {
+            Mock Invoke-WebRequest -ModuleName Maester {
+                $fakeResp = [PSCustomObject]@{
+                    StatusCode = 403
+                    Headers    = @{}
+                }
+                $ex = [System.Exception]::new('Forbidden')
+                Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $fakeResp
+                throw $ex
+            }
+            InModuleScope Maester {
+                $thrownMessage = $null
+                try { Invoke-MtGitHubRequest '/orgs/myorg' } catch { $thrownMessage = $_.Exception.Message }
+                $thrownMessage | Should -Match 'Forbidden'
+                $thrownMessage | Should -Not -Match 'rate limit'
+            }
+        }
+
+        It 'Rethrows original error when x-ratelimit-remaining is malformed (no parse exception)' {
+            Mock Invoke-WebRequest -ModuleName Maester {
+                $fakeResp = [PSCustomObject]@{
+                    StatusCode = 403
+                    Headers    = @{ 'x-ratelimit-remaining' = 'not-a-number' }
+                }
+                $ex = [System.Exception]::new('Forbidden')
+                Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $fakeResp
+                throw $ex
+            }
+            InModuleScope Maester {
+                $thrownMessage = $null
+                try { Invoke-MtGitHubRequest '/orgs/myorg' } catch { $thrownMessage = $_.Exception.Message }
+                $thrownMessage | Should -Match 'Forbidden'
+                $thrownMessage | Should -Not -Match 'rate limit'
+                $thrownMessage | Should -Not -Match 'Cannot convert'
+            }
+        }
+
+        It 'Does not throw on successful response when x-ratelimit-reset is out of range for FromUnixTimeSeconds' {
+            # 253402300800 is one second past the documented upper bound of FromUnixTimeSeconds
+            # (max accepted = 253402300799 = 9999-12-31T23:59:59Z). A bogus reset epoch from
+            # an upstream proxy must not raise ArgumentOutOfRangeException and mask the response.
+            Mock Invoke-WebRequest -ModuleName Maester {
+                [PSCustomObject]@{
+                    Content = '{"login":"myorg"}'
+                    Headers = @{ 'x-ratelimit-remaining' = '0'; 'x-ratelimit-reset' = '253402300800' }
+                }
+            }
+            InModuleScope Maester {
+                { Invoke-MtGitHubRequest '/orgs/myorg' } | Should -Not -Throw
+                $result = Invoke-MtGitHubRequest '/orgs/myorg' -DisableCache
+                $result.login | Should -Be 'myorg'
+            }
+        }
+
+        It 'Does not throw on successful response when x-ratelimit-remaining is malformed' {
+            # Successful response body is valid; a malformed rate-limit header (e.g. an upstream
+            # proxy rewriting the value) must not raise a parse exception that masks the response.
+            Mock Invoke-WebRequest -ModuleName Maester {
+                [PSCustomObject]@{
+                    Content = '{"login":"myorg"}'
+                    Headers = @{ 'x-ratelimit-remaining' = 'not-a-number'; 'x-ratelimit-reset' = 'also-bogus' }
+                }
+            }
+            InModuleScope Maester {
+                { Invoke-MtGitHubRequest '/orgs/myorg' } | Should -Not -Throw
+                $result = Invoke-MtGitHubRequest '/orgs/myorg' -DisableCache
+                $result.login | Should -Be 'myorg'
+            }
+        }
+
+        It 'Throws on secondary rate-limit (HTTP 429, retry-after header present)' {
+            Mock Invoke-WebRequest -ModuleName Maester {
+                $fakeResp = [PSCustomObject]@{
+                    StatusCode = 429
+                    Headers    = @{ 'retry-after' = '30' }
+                }
+                $ex = [System.Exception]::new('Too Many Requests')
+                Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $fakeResp
+                throw $ex
+            }
+            InModuleScope Maester {
+                { Invoke-MtGitHubRequest '/orgs/myorg' } | Should -Throw '*secondary rate limit*'
+            }
+        }
+    }
+}
diff --git a/powershell/tests/functions/Test-MtConnection.Tests.ps1 b/powershell/tests/functions/Test-MtConnection.Tests.ps1
new file mode 100644
index 000000000..9f3cebf40
--- /dev/null
+++ b/powershell/tests/functions/Test-MtConnection.Tests.ps1
@@ -0,0 +1,195 @@
+BeforeAll {
+    Import-Module "$PSScriptRoot/../../Maester.psd1" -Force
+
+    # Bypass Pester's slow command-resolution path when MS service modules are not loaded
+    # in the test environment. Track which stubs we created so AfterAll cleans up only
+    # those — never touch real cmdlets that were already present.
+    $script:createdStubs = @()
+    foreach ($cmd in 'Get-AzContext','Invoke-AzRestMethod','Get-MgContext','Get-CsTenant') {
+        if (-not (Get-Command $cmd -ErrorAction SilentlyContinue)) {
+            New-Item -Path "function:global:$cmd" -Value { } | Out-Null
+            $script:createdStubs += $cmd
+        }
+    }
+}
+
+AfterAll {
+    foreach ($cmd in $script:createdStubs) {
+        Remove-Item -Path "function:global:$cmd" -ErrorAction SilentlyContinue
+    }
+}
+
+Describe 'Test-MtConnection — GitHub service' {
+    BeforeEach {
+        InModuleScope Maester {
+            $__MtSession.GitHubConnection      = $null
+            $__MtSession.AzureDevOpsConnection = $null
+        }
+    }
+
+    AfterEach {
+        InModuleScope Maester {
+            $__MtSession.GitHubConnection      = $null
+            $__MtSession.AzureDevOpsConnection = $null
+        }
+    }
+
+    Context 'When Connect-MtGitHub has never been called' {
+        It 'Returns $false for -Service GitHub' {
+            InModuleScope Maester {
+                Test-MtConnection -Service GitHub | Should -BeFalse
+            }
+        }
+
+        It 'Writes the NotCalled sentinel to GitHubConnection' {
+            InModuleScope Maester {
+                Test-MtConnection -Service GitHub | Out-Null
+                $__MtSession.GitHubConnection | Should -Not -BeNullOrEmpty
+                $__MtSession.GitHubConnection.FailureReason | Should -Be 'NotCalled'
+            }
+        }
+    }
+
+    Context 'When GitHub is explicitly disconnected' {
+        It 'Returns $false when Connected is $false' {
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $false; FailureReason = 'TokenInvalid' }
+                Test-MtConnection -Service GitHub | Should -BeFalse
+            }
+        }
+
+        It 'Returns $false when membership is pending (FailureReason = OrgMembershipPending)' {
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $false; FailureReason = 'OrgMembershipPending' }
+                Test-MtConnection -Service GitHub | Should -BeFalse
+            }
+        }
+    }
+
+    Context 'When GitHub is connected' {
+        It 'Returns $true' {
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $true; Organization = 'myorg' }
+                Test-MtConnection -Service GitHub | Should -BeTrue
+            }
+        }
+
+        It 'Returns an object with GitHub populated and AllConnected $true when using -Details' {
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $true; Organization = 'myorg' }
+                $result = Test-MtConnection -Service GitHub -Details
+                $result.GitHub | Should -Not -BeNullOrEmpty
+                $result.GitHub.Connected | Should -BeTrue
+                $result.AllConnected | Should -BeTrue
+            }
+        }
+    }
+
+    Context 'When GitHub is not connected' {
+        It 'Returns an object with GitHub $null and AllConnected $false when using -Details' {
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $false; FailureReason = 'NoToken' }
+                $result = Test-MtConnection -Service GitHub -Details
+                $result.GitHub | Should -BeNullOrEmpty
+                $result.AllConnected | Should -BeFalse
+            }
+        }
+    }
+
+    Context '-Service GitHub -Details with GitHub connected' {
+        It 'Populates the GitHub property and returns AllConnected $true' {
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $true; Organization = 'myorg' }
+            }
+            $result = Test-MtConnection -Service GitHub -Details
+            $result.GitHub | Should -Not -BeNullOrEmpty
+            $result.GitHub.Connected | Should -BeTrue
+            $result.AllConnected | Should -BeTrue
+        }
+    }
+
+    Context '-Service All regression — GitHub absence does not flip AllConnected' {
+        It 'Returns AllConnected $true when all MS services are connected and GitHub session is absent' {
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection      = $null
+                $__MtSession.AzureDevOpsConnection = [PSCustomObject]@{ Organization = 'ado-org' }
+            }
+            Mock Get-AzContext { [PSCustomObject]@{ Account = 'test@contoso.com' } } -ModuleName Maester
+            Mock Invoke-AzRestMethod { [PSCustomObject]@{} } -ModuleName Maester
+            Mock Get-MgContext { [PSCustomObject]@{ TenantId = 'tenant-id' } } -ModuleName Maester
+            Mock Get-MtExo {
+                @(
+                    [PSCustomObject]@{ Name = 'ExchangeOnline'; State = 'Connected'; IsEopSession = $false }
+                    [PSCustomObject]@{ Name = 'ExchangeOnline'; State = 'Connected'; IsEopSession = $true }
+                )
+            } -ModuleName Maester
+            Mock Get-CsTenant { [PSCustomObject]@{ TenantId = 'tenant-id' } } -ModuleName Maester
+            $result = Test-MtConnection -Service All -Details
+            $result.AllConnected | Should -BeTrue
+            $result.GitHub | Should -BeNullOrEmpty
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection | Should -BeNullOrEmpty
+            }
+        }
+    }
+
+    Context '-Service All — GitHub skipped when NotCalled sentinel exists' {
+        It 'Does not set the GitHub property' {
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection      = [PSCustomObject]@{ Connected = $false; FailureReason = 'NotCalled' }
+                $__MtSession.AzureDevOpsConnection = 'NotConnected'
+            }
+            Mock Get-AzContext { $null } -ModuleName Maester
+            Mock Get-MgContext { $null } -ModuleName Maester
+            Mock Get-MtExo { $null } -ModuleName Maester
+            Mock Get-CsTenant { $null } -ModuleName Maester
+            $result = Test-MtConnection -Service All -Details
+            $result.GitHub | Should -BeNullOrEmpty
+        }
+    }
+
+    Context '-Service GitHub -Details formatted output' {
+        It 'Renders safe GitHub metadata and excludes auth/token values' {
+            $fakeToken = 'ghp_FAKE_TOKEN_VALUE_DO_NOT_USE'
+            InModuleScope Maester -ArgumentList $fakeToken {
+                param($FakeToken)
+                $__MtSession.GitHubConnection = [PSCustomObject]@{
+                    Connected                        = $true
+                    Organization                     = 'myorg'
+                    TokenLogin                       = 'octocat'
+                    ApiBaseUri                       = 'https://api.github.com'
+                    ApiVersion                       = '2022-11-28'
+                    Role                             = 'admin'
+                    RoleState                        = 'active'
+                    AdministrationPermissionVerified = $true
+                }
+                $__MtSession.GitHubAuthHeader = @{
+                    Authorization = "Bearer $FakeToken"
+                }
+            }
+            $rendered = Test-MtConnection -Service GitHub -Details | Out-String
+            $rendered | Should -Match 'GitHub'
+            $rendered | Should -Match 'myorg'
+            $rendered | Should -Match 'octocat'
+            $rendered | Should -Not -Match 'Bearer'
+            $rendered | Should -Not -Match 'Authorization'
+            $rendered | Should -Not -Match ([regex]::Escape($fakeToken))
+        }
+    }
+
+    Context '-Service All — GitHub included when connected' {
+        It 'Populates the GitHub property' {
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection      = [PSCustomObject]@{ Connected = $true; Organization = 'myorg' }
+                $__MtSession.AzureDevOpsConnection = 'NotConnected'
+            }
+            Mock Get-AzContext { $null } -ModuleName Maester
+            Mock Get-MgContext { $null } -ModuleName Maester
+            Mock Get-MtExo { $null } -ModuleName Maester
+            Mock Get-CsTenant { $null } -ModuleName Maester
+            $result = Test-MtConnection -Service All -Details
+            $result.GitHub | Should -Not -BeNullOrEmpty
+            $result.GitHub.Connected | Should -BeTrue
+        }
+    }
+}
diff --git a/tests/maester-config.json b/tests/maester-config.json
index e055960b7..4454e82ae 100644
--- a/tests/maester-config.json
+++ b/tests/maester-config.json
@@ -1,7 +1,10 @@
 {
   "GlobalSettings": {
     "EmergencyAccessAccounts": [],
-    "DataverseEnvironmentUrl": ""
+    "DataverseEnvironmentUrl": "",
+    "GitHubOrganization": "",
+    "GitHubApiBaseUri": "https://api.github.com",
+    "GitHubApiVersion": "2022-11-28"
   },
   "TestSettings": [
     {