diff --git a/.github/workflows/code-coverage.yml b/.github/workflows/code-coverage.yml
index 4c6def2..988813d 100644
--- a/.github/workflows/code-coverage.yml
+++ b/.github/workflows/code-coverage.yml
@@ -23,7 +23,7 @@ env:
 jobs:
   coverage:
     name: Code Coverage
-    runs-on: ubuntu-latest
+    runs-on: [self-hosted, linux, x64, rust-cpu]
     permissions:
       contents: read
       pull-requests: write
@@ -49,6 +49,8 @@ jobs:
         uses: taiki-e/install-action@cargo-llvm-cov
 
       - name: Free up disk space
+        # Only needed on github-hosted; smithy redirects TMPDIR to a 500G volume.
+        if: runner.environment == 'github-hosted'
         run: |
           # Remove unnecessary tools and files to free up ~10GB
           sudo rm -rf /usr/share/dotnet
diff --git a/.github/workflows/docker-validation.yml b/.github/workflows/docker-validation.yml
index 318c4d3..4288c66 100644
--- a/.github/workflows/docker-validation.yml
+++ b/.github/workflows/docker-validation.yml
@@ -14,6 +14,7 @@ env:
 jobs:
   build-validation-image:
     name: Build Validation Docker Image
+    # Stays on ubuntu-latest: docker buildx + GHCR push; smithy's podman-docker shim is untested for this.
     runs-on: ubuntu-latest
     permissions:
       contents: read
@@ -68,6 +69,7 @@ jobs:
   validate-in-container:
     name: Run Validation in Container
     needs: build-validation-image
+    # Stays on ubuntu-latest: pulls + runs a container image; smithy podman-docker shim is untested.
     runs-on: ubuntu-latest
     if: success()
 
@@ -102,7 +104,7 @@ jobs:
 
   multi-version-testing:
     name: Multi-Version Protocol Testing
-    runs-on: ubuntu-latest
+    runs-on: [self-hosted, linux, x64, rust-cpu]
     strategy:
       matrix:
         protocol_version: ["2024-11-05", "2025-03-26"]
diff --git a/.github/workflows/external-validation.yml b/.github/workflows/external-validation.yml
index c59cbfc..3b78876 100644
--- a/.github/workflows/external-validation.yml
+++ b/.github/workflows/external-validation.yml
@@ -33,7 +33,7 @@ jobs:
   # Fast validation for PRs - Ubuntu only
   validate-framework-fast:
     name: Fast Framework Validation
-    runs-on: ubuntu-latest
+    runs-on: [self-hosted, linux, x64, rust-cpu]
     timeout-minutes: 25
     if: github.event_name == 'pull_request'
 
@@ -86,6 +86,7 @@ jobs:
   # Full cross-platform validation for main branch and scheduled runs
   validate-framework:
     name: Full Framework Validation
+    # Stays on ubuntu-latest/macos-latest/windows-latest: matrix spans macOS + Windows; smithy is Linux-only.
     runs-on: ${{ matrix.os }}
     timeout-minutes: 35
     if: github.event_name != 'pull_request'
@@ -270,7 +271,7 @@ jobs:
 
   stdio-integration-tests:
     name: Stdio + Inspector Integration Tests
-    runs-on: ubuntu-latest
+    runs-on: [self-hosted, linux, x64, rust-cpu]
     timeout-minutes: 20
     if: github.event_name == 'push' || github.event_name == 'pull_request' || github.event_name == 'workflow_dispatch'
 
@@ -354,7 +355,7 @@ jobs:
 
   python-sdk-compatibility:
     name: Python SDK Compatibility
-    runs-on: ubuntu-latest
+    runs-on: [self-hosted, linux, x64, rust-cpu]
     timeout-minutes: 15
     if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' || github.ref == 'refs/heads/main'
 
@@ -392,7 +393,7 @@ jobs:
 
   external-validator-integration:
     name: External Validator Integration
-    runs-on: ubuntu-latest
+    runs-on: [self-hosted, linux, x64, rust-cpu]
     timeout-minutes: 20
     if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
 
@@ -432,6 +433,8 @@ jobs:
 
   security-validation:
     name: Security Validation
+    # Stays on ubuntu-latest: runs cargo audit; smithy's pinned cargo-audit (0.21.x) rejects CVSS 4.0
+    # advisories (e.g. RUSTSEC-2026-0037). Move once smithy bumps cargo-audit to >=0.22.1.
     runs-on: ubuntu-latest
     timeout-minutes: 15
     if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' || github.ref == 'refs/heads/main'
@@ -461,7 +464,7 @@ jobs:
 
   benchmark-validation:
     name: Performance Benchmarks
-    runs-on: ubuntu-latest
+    runs-on: [self-hosted, linux, x64, rust-cpu]
     timeout-minutes: 25
     if: github.event_name == 'push' && github.ref == 'refs/heads/main'
 
diff --git a/.github/workflows/pr-validation.yml b/.github/workflows/pr-validation.yml
index 011708e..0a0f0f8 100644
--- a/.github/workflows/pr-validation.yml
+++ b/.github/workflows/pr-validation.yml
@@ -21,7 +21,7 @@ env:
 jobs:
   changes:
     name: Detect Changes
-    runs-on: ubuntu-latest
+    runs-on: [self-hosted, linux, x64, light]
     outputs:
       validation: ${{ steps.filter.outputs.validation }}
       core: ${{ steps.filter.outputs.core }}
@@ -40,7 +40,7 @@ jobs:
 
   quick-validation:
     name: Quick PR Validation
-    runs-on: ubuntu-latest
+    runs-on: [self-hosted, linux, x64, rust-cpu]
     needs: changes
 
     steps:
@@ -62,6 +62,8 @@ jobs:
           echo "Rustfmt version: $(cargo fmt --version)"
 
       - name: Free up disk space
+        # Only needed on github-hosted; smithy redirects TMPDIR to a 500G volume.
+        if: runner.environment == 'github-hosted'
         run: |
           # Remove unnecessary tools and files to free up ~10GB
           sudo rm -rf /usr/share/dotnet
@@ -142,7 +144,7 @@ jobs:
 
   validation-specific-tests:
     name: Validation Framework Tests
-    runs-on: ubuntu-latest
+    runs-on: [self-hosted, linux, x64, rust-cpu]
     needs: changes
     if: needs.changes.outputs.validation == 'true'
 
@@ -180,7 +182,7 @@ jobs:
 
   compatibility-check:
     name: Compatibility Check
-    runs-on: ubuntu-latest
+    runs-on: [self-hosted, linux, x64, rust-cpu]
     needs: changes
     if: needs.changes.outputs.core == 'true'
 
@@ -205,7 +207,7 @@ jobs:
 
   pr-report:
     name: Generate PR Report
-    runs-on: ubuntu-latest
+    runs-on: [self-hosted, linux, x64, light]
     needs: [quick-validation, validation-specific-tests, compatibility-check]
     if: always()
 
diff --git a/.github/workflows/release-validation.yml b/.github/workflows/release-validation.yml
index ccf85d9..6209387 100644
--- a/.github/workflows/release-validation.yml
+++ b/.github/workflows/release-validation.yml
@@ -20,7 +20,7 @@ permissions:
 jobs:
   validate-release:
     name: Validate Release
-    runs-on: ubuntu-latest
+    runs-on: [self-hosted, linux, x64, rust-cpu]
 
     steps:
       - name: Checkout code
@@ -118,6 +118,7 @@ jobs:
 
   cross-platform-validation:
     name: Cross-Platform Release Validation
+    # Stays on ubuntu-latest/macos-latest/windows-latest: matrix spans macOS + Windows; smithy is Linux-only.
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
diff --git a/.github/workflows/scheduled-validation.yml b/.github/workflows/scheduled-validation.yml
index 34dd7fd..bc9d4ed 100644
--- a/.github/workflows/scheduled-validation.yml
+++ b/.github/workflows/scheduled-validation.yml
@@ -26,7 +26,7 @@ permissions:
 jobs:
   validate-external-servers:
     name: Validate External MCP Servers
-    runs-on: ubuntu-latest
+    runs-on: [self-hosted, linux, x64, rust-cpu]
 
     steps:
       - name: Checkout code
@@ -148,7 +148,7 @@ jobs:
 
   update-compatibility-matrix:
     name: Update Compatibility Matrix
-    runs-on: ubuntu-latest
+    runs-on: [self-hosted, linux, x64, light]
     needs: validate-external-servers
 
     steps: