diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3ffa541e..fc4d267d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,7 +43,7 @@ jobs: runs-on: ${{ matrix.os }} strategy: matrix: - os: [macos-11, macos-12] + os: [macos-13, macos-14, macos-15] steps: - name: DEBUG What is GitHub Actions IP? run: | @@ -78,21 +78,21 @@ jobs: run: | echo BREWFILE_PATH=$BREWFILE_PATH echo GITHUB_WORKSPACE=$GITHUB_WORKSPACE - if: env.debug_ci == 'true' + if: ${{ env.debug_ci == 'true' || runner.debug == '1' }} - name: DEBUG - Print all shell env exports run: export -p - if: env.debug_ci == 'true' + if: ${{ env.debug_ci == 'true' || runner.debug == '1' }} - name: DEBUG - List workspace and Homebrew contents run: | ls -lAR ${GITHUB_WORKSPACE} ls -lR /usr/local/Homebrew - if: env.debug_ci == 'true' + if: ${{ env.debug_ci == 'true' || runner.debug == '1' }} - name: Generate Brewfile from soloistrc test fixture run: make brewfile - name: DEBUG - Where are Brewfiles? run: | find ${GITHUB_WORKSPACE} -iname 'Brewfile*' - if: env.debug_ci == 'true' + if: ${{ env.debug_ci == 'true' || runner.debug == '1' }} - name: Configure Homebrew cache uses: actions/cache@v4 with: @@ -127,4 +127,4 @@ jobs: - name: DEBUG - Where are Brewfiles? (exclude nodes and vendor dirs) run: | find ${GITHUB_WORKSPACE} \( -type d -a \( -name '*/nodes' -o -name '*/vendor' \) -prune \) -o -iname 'Brewfile*' - if: env.debug_ci == 'true' + if: ${{ env.debug_ci == 'true' || runner.debug == '1' }} diff --git a/.kitchen.libvirt.qemu-tls.yml b/.kitchen.libvirt.qemu-tls.yml new file mode 100644 index 00000000..60c041ee --- /dev/null +++ b/.kitchen.libvirt.qemu-tls.yml 
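Review bot: The new `macos-14` and `macos-15` matrix entries are, as far as I know, Apple Silicon images where Homebrew lives under `/opt/homebrew`, but the debug step later in this job still lists `/usr/local/Homebrew`. With debugging enabled, that `ls` would exit non-zero on those two runners and fail the job. Deriving the path, e.g. `ls -lR "$(brew --repository)"`, keeps the step working on both architectures. The job definition starts above this hunk, so other hard-coded `/usr/local` paths may exist out of view.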
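Review bot: Widening the `export -p` step to `runner.debug == '1'` means any re-run with debug logging dumps the whole step environment into the job log. Log masking only covers registered secret values verbatim, so derived or re-encoded credentials, and anything written to `GITHUB_ENV`, would appear in clear text. I would keep that one step on the explicit opt-in, `if: ${{ env.debug_ci == 'true' }}`, or filter its output. A comment such as `# full env dump: explicit opt-in only, job logs may be widely readable` would record why. The same condition on the workspace and Brewfile listings, here and in the `-127,4` hunk, only prints paths and looks fine.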
@@ -0,0 +1,87 @@ +<% +# Hack to fix a bug in TK. TK supports using an SSH gateway in its SSH transport, but appears not to support configuring +# separate keys for the gateway and the destination. +require 'kitchen/transport/ssh' + +GATEWAY_KEYS = ["#{ENV['HOME']}/.ssh/identity.lyra"] + +class Kitchen::Transport::Ssh::Connection + # Replace this method in TK core with a version that uses the logged in user's key to access the SSH gateway. + def establish_connection_via_gateway(opts) + retry_connection(opts) do + Net::SSH::Gateway.new(ssh_gateway, ssh_gateway_username, options.merge(keys: GATEWAY_KEYS)) + .ssh(hostname, username, options) + end + end +end +%> +--- +driver: + name: vagrant + provider: libvirt + vagrantfiles: + - 'test/fixtures/Vagrantfile.libvirt-qemu-tls' + synced_folders: + - [".", "/tmp/kitchen/soloist", "disabled: false, type: 'rsync'"] + # TODO: Find & fix bugs in Vagrant where it checks for vagrant-host path... needs to support remote NFS & 9p libvirt mounts + # TODO: Fix mount: false setting for 9p + # TODO: Fix auto-mount capability for Darwin / macOS... 
needs mount_9p support (see man mount_9p) + # Need to implement mount_9p_shared_folder capability for macOS / Darwin + # https://github.com/vagrant-libvirt/vagrant-libvirt/search?q=mount_9p_shared_folder + # NOTE: For qemu+ssh remote libvirt VM, create a fake directory matching hostpath on the host running vagrant + # In this use case, both hostpath & guestpath live on the same remote libvirt + qemu hypervisor host & VM (guest) + # - ["/opt/export/terabyte", "/System/Volumes/Data/terabyte", "hostpath: '/export/terabyte', guestpath: '/System/Volumes/Data/terabyte', disabled: false, type: '9p', mount: false, accessmode: 'squash', owner:'1000'"] + # - ["/export/terabyte", "/System/Volumes/Data/terabyte", "disabled: false, type: 'nfs', nfs_export: false, bsd__nfs_options: '-fstype=nfs,nolockd,resvport,hard,bg,intr,rw,tcp,nfc'"] +# ssh_gateway_username: trinitronx + +# customize: +# memory: 1024 + +transport: + ssh_gateway: saturn.internal + ssh_gateway_username: trinitronx +# username: vagrant + +provisioner: +# name: chef_zero + transport: + ssh_gateway: saturn.internal + ssh_gateway_username: trinitronx + +# deprecations_as_errors: true + deprecations_as_errors: false +# multiple_converge: 2 +# enforce_idempotency: true + +verifier: + name: inspec +## Client error, can't connect to 'ssh' backend: Only one of proxy_command or bastion_host needs to be specified] +## Apparently the transport ssh_gateway option is actually passed through to InSpec +# proxy_command: ssh saturn.local -q0 %h:%p + +platforms: + - name: ubuntu-20.04 + driver: + box: generic/ubuntu2004 + lifecycle: + pre_converge: + - remote: sudo addgroup --system admin + - remote: sudo usermod -a -G admin kitchen + - name: macos-12-1 + driver: + box: lyraphase-runner/macos-monterey-base + box_url: http://saturn.local:8888/lyraphase-runner-macos-monterey-base.box + communicator: ssh + gui: true + customize: + memory: 4096 +# cpus: 2 + +suites: + - name: default + run_list: + - recipe[sprout-base::default] + 
attributes: + mysql_test: + version: '8.0' +# includes: [ubuntu-20.04, macos-latest] diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index f1cf42a7..e482c373 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -23,7 +23,11 @@ repos: - id: check-merge-conflict - id: check-symlinks - id: check-yaml - exclude: \.kitchen\.libvirt\.ssh\.yml + exclude: | + (?x)^( + \.kitchen\.libvirt\.ssh\.yml| + \.kitchen\.libvirt\.qemu-tls\.yml + )$ - id: end-of-file-fixer - id: trailing-whitespace exclude: .*\.patch diff --git a/bootstrap-scripts/bootstrap.sh b/bootstrap-scripts/bootstrap.sh index cd3c652d..131cad7d 100755 --- a/bootstrap-scripts/bootstrap.sh +++ b/bootstrap-scripts/bootstrap.sh @@ -121,9 +121,10 @@ prevent_sudo_timeout() { } # Kill sudo timestamp refresh PID and invalidate sudo timestamp +# shellcheck disable=SC2317 # false-positive koalaman/shellcheck#2660 kill_timeout_loop() { echo "Killing $timeout_loop_PID due to trap" - kill -TERM $timeout_loop_PID + kill -TERM "$timeout_loop_PID" sudo -K } trap kill_timeout_loop EXIT HUP TSTP QUIT SEGV TERM INT ABRT # trap all common terminate signals diff --git a/soloistrc.lyra.yml b/soloistrc.lyra.yml index 9ba11c51..985d9dfd 100644 --- a/soloistrc.lyra.yml +++ b/soloistrc.lyra.yml @@ -232,6 +232,7 @@ node_attributes: - shellcheck - yamllint - ansible-builder + - ansible-creator - ansible-lint - sshpass - ansible diff --git a/test/fixtures/Vagrantfile.libvirt-qemu-tls b/test/fixtures/Vagrantfile.libvirt-qemu-tls new file mode 100644 index 00000000..094594f7 --- /dev/null +++ b/test/fixtures/Vagrantfile.libvirt-qemu-tls 
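Review bot: `box_url` for the `macos-12-1` platform fetches the base box over plain `http://saturn.local:8888/`, so the image that becomes the test VM is neither authenticated nor integrity-checked. That is at odds with the `qemu+tls` connection this config is named for. Serving the box over HTTPS or pinning a checksum for it would close the gap. The host is also spelled `saturn.local` here and `saturn.internal` under `transport`; if both are the same machine, using one name avoids trusting a second resolution path. A comment above `GATEWAY_KEYS` saying that the ERB block monkey-patches Test Kitchen at config load, and can go once per-gateway keys are supported upstream, would help the next reader.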
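Review bot: `kill_timeout_loop` is trapped on `EXIT` as well as on the signals, so it can run twice, and possibly before `timeout_loop_PID` is assigned; the quoted form then calls `kill -TERM ""` and prints an error. A guard such as `[ -n "${timeout_loop_PID:-}" ] && kill -TERM "$timeout_loop_PID" 2>/dev/null || true` keeps the handler quiet in both cases and still reaches `sudo -K`. Where the PID is assigned is outside this hunk, so confirm against `prevent_sudo_timeout`.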
@@ -0,0 +1,18 @@ +# -*- mode: ruby -*- +# vi: set ft=ruby : + +ENV['VAGRANT_DEFAULT_PROVIDER'] = 'libvirt' + +Vagrant.configure("2") do |config| + + #config.ssh.host = 'saturn.local' + #config.ssh.port = 2222 + config.ssh.proxy_command = 'ssh -t -T saturn.internal exec nc -q0 %h %p' + config.vm.synced_folder ".", "/tmp/vagrant", disabled: true + + config.vm.provider :libvirt do |libvirt| + libvirt.uri = 'qemu+tls://saturn.internal/system' + libvirt.system_uri = 'qemu+tls://saturn.internal/system' + #libvirt.forward_ssh_port = true + end +end
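Review bot: `config.ssh.proxy_command` passes both `-t` and `-T` to ssh, which respectively request and forbid a TTY; a proxy command carries a raw byte stream and should not allocate one. It also depends on the jump host having a netcat that accepts `-q0`, which not every variant does. `config.ssh.proxy_command = 'ssh -W %h:%p saturn.internal'` uses ssh's built-in forwarding and removes both concerns. A short comment noting that the kitchen config's `ssh_gateway` and this proxy command target the same jump host would make the duplication deliberate.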