Pin the .NET SDK (global.json) + align mixed NuGet majors + add central package management

[Chris0Jeky]

Context

Builds are non-reproducible — the single most-cited issue across the audit (7 lenses). This directly undermines letting agents/LLMs test the product reliably.

Evidence

• No global.json at root or backend/; dotnet --version = 9.0.311 locally while every csproj targets net8.0 and CI pins 8.0.x (ci-extended.yml, ci-nightly.yml, reusable-performance-regression-gate.yml:18).
• Mixed majors: Taskdeck.Api.csproj references EF Tools 10.0.8 (line 28), Http.Polly 10.0.8 (32), Swashbuckle 10.1.7 (41); Application.csproj:19 + Infrastructure.csproj:30 reference Logging.Abstractions 10.0.8; EF runtime/Sqlite/Design pinned 8.0.27. EF 10 tooling vs EF 8 runtime is a plausible root cause of the split-migration mess.

Acceptance criteria

• Add a repo-root global.json with a rollForward policy that gives CI determinism on 8.0.x without breaking machines that only have 9.x (decide: install 8.0 SDK + pin, or rollForward: latestMajor as a bridge, or an ADR to move to net9/10). Validate dotnet --version + a clean build still resolve on the dev box before committing.
• Align Tools/Polly/Logging.Abstractions/Swashbuckle to the net8-compatible band (or record a deliberate net10 move in an ADR).
• Add Directory.Packages.props (central package management).
• README/CLAUDE.md prerequisites reference global.json.

Source: deep audit toolchain-pin-and-package-alignment (HIGH). NOTE: pinning to 8.0.x naively will break this dev box (only 9.0.311 installed) — needs a careful rollForward decision.