diff --git a/enterprise/integrations/github/github_solvability.py b/enterprise/integrations/github/github_solvability.py
index 52cd4ffe40..c7aaddd184 100644
--- a/enterprise/integrations/github/github_solvability.py
+++ b/enterprise/integrations/github/github_solvability.py
@@ -106,6 +106,11 @@ async def summarize_issue_solvability(
             f'Solvability analysis disabled for user {github_view.user_info.user_id}'
         )
 
+    if user_settings.llm_api_key is None:
+        raise ValueError(
+            f'[Solvability] No LLM API key found for user {github_view.user_info.user_id}'
+        )
+
     try:
         llm_config = LLMConfig(
             model=user_settings.llm_model,
diff --git a/enterprise/server/middleware.py b/enterprise/server/middleware.py
index 726c552d3b..561b106418 100644
--- a/enterprise/server/middleware.py
+++ b/enterprise/server/middleware.py
@@ -43,13 +43,15 @@ class SetAuthCookieMiddleware:
             if not user_auth or user_auth.auth_type != AuthType.COOKIE:
                 return response
             if user_auth.refreshed:
+                if user_auth.access_token is None:
+                    return response
                 set_response_cookie(
                     request=request,
                     response=response,
                     keycloak_access_token=user_auth.access_token.get_secret_value(),
                     keycloak_refresh_token=user_auth.refresh_token.get_secret_value(),
                     secure=False if request.url.hostname == 'localhost' else True,
-                    accepted_tos=user_auth.accepted_tos,
+                    accepted_tos=user_auth.accepted_tos or False,
                 )
 
                 # On re-authentication (token refresh), kick off background sync for GitLab repos
diff --git a/enterprise/server/routes/billing.py b/enterprise/server/routes/billing.py
index bdf4b66b15..942b843cb5 100644
--- a/enterprise/server/routes/billing.py
+++ b/enterprise/server/routes/billing.py
@@ -91,6 +91,8 @@ async def get_credits(user_id: str = Depends(get_user_id)) -> GetCreditsResponse
     if not stripe_service.STRIPE_API_KEY:
         return GetCreditsResponse()
     user = await UserStore.get_user_by_id_async(user_id)
+    if user is None:
+        raise HTTPException(status.HTTP_404_NOT_FOUND, detail='User not found')
     user_team_info = await LiteLlmManager.get_user_team_info(
         user_id, str(user.current_org_id)
     )
@@ -247,6 +249,8 @@ async def success_callback(session_id: str, request: Request):
             raise HTTPException(status.HTTP_400_BAD_REQUEST)
 
         user = await UserStore.get_user_by_id_async(billing_session.user_id)
+        if user is None:
+            raise HTTPException(status.HTTP_404_NOT_FOUND, detail='User not found')
         user_team_info = await LiteLlmManager.get_user_team_info(
             billing_session.user_id, str(user.current_org_id)
         )
diff --git a/enterprise/server/routes/email.py b/enterprise/server/routes/email.py
index 273712751f..7571b619b2 100644
--- a/enterprise/server/routes/email.py
+++ b/enterprise/server/routes/email.py
@@ -77,13 +77,18 @@ async def update_email(
         )
 
         # need to set auth cookie to the new tokens
+        if user_auth.access_token is None:
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail='Access token not found',
+            )
         set_response_cookie(
             request=request,
             response=response,
             keycloak_access_token=user_auth.access_token.get_secret_value(),
             keycloak_refresh_token=user_auth.refresh_token.get_secret_value(),
             secure=False if request.url.hostname == 'localhost' else True,
-            accepted_tos=user_auth.accepted_tos,
+            accepted_tos=user_auth.accepted_tos or False,
         )
 
         await verify_email(request=request, user_id=user_id)
@@ -156,13 +161,17 @@ async def verified_email(request: Request):
     response = RedirectResponse(redirect_uri, status_code=302)
 
     # need to set auth cookie to the new tokens
+    if user_auth.access_token is None:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED, detail='Access token not found'
+        )
     set_response_cookie(
         request=request,
         response=response,
         keycloak_access_token=user_auth.access_token.get_secret_value(),
         keycloak_refresh_token=user_auth.refresh_token.get_secret_value(),
         secure=False if request.url.hostname == 'localhost' else True,
-        accepted_tos=user_auth.accepted_tos,
+        accepted_tos=user_auth.accepted_tos or False,
     )
 
     logger.info(f'Email {user_auth.email} verified.')
diff --git a/enterprise/storage/api_key_store.py b/enterprise/storage/api_key_store.py
index 3af7424e65..c6a4cbd05d 100644
--- a/enterprise/storage/api_key_store.py
+++ b/enterprise/storage/api_key_store.py
@@ -38,6 +38,8 @@ class ApiKeyStore:
         """
         api_key = self.generate_api_key()
         user = await UserStore.get_user_by_id_async(user_id)
+        if user is None:
+            raise ValueError(f'User not found: {user_id}')
         org_id = user.current_org_id
 
         async with a_session_maker() as session:
@@ -116,6 +118,8 @@ class ApiKeyStore:
     async def list_api_keys(self, user_id: str) -> list[ApiKey]:
         """List all API keys for a user."""
         user = await UserStore.get_user_by_id_async(user_id)
+        if user is None:
+            raise ValueError(f'User not found: {user_id}')
         org_id = user.current_org_id
 
         async with a_session_maker() as session:
@@ -129,6 +133,8 @@ class ApiKeyStore:
 
     async def retrieve_mcp_api_key(self, user_id: str) -> str | None:
         user = await UserStore.get_user_by_id_async(user_id)
+        if user is None:
+            raise ValueError(f'User not found: {user_id}')
         org_id = user.current_org_id
 
         async with a_session_maker() as session:
diff --git a/enterprise/storage/saas_secrets_store.py b/enterprise/storage/saas_secrets_store.py
index 0af7fe1745..ccde502cc6 100644
--- a/enterprise/storage/saas_secrets_store.py
+++ b/enterprise/storage/saas_secrets_store.py
@@ -53,6 +53,8 @@ class SaasSecretsStore(SecretsStore):
 
     async def store(self, item: Secrets):
         user = await UserStore.get_user_by_id_async(self.user_id)
+        if user is None:
+            raise ValueError(f'User not found: {self.user_id}')
         org_id = user.current_org_id
 
         async with a_session_maker() as session:
diff --git a/enterprise/storage/user_store.py b/enterprise/storage/user_store.py
index 1289619a69..67585f154d 100644
--- a/enterprise/storage/user_store.py
+++ b/enterprise/storage/user_store.py
@@ -88,6 +88,8 @@ class UserStore:
             session.add(user)
 
             role = RoleStore.get_role_by_name('owner')
+            if role is None:
+                raise ValueError('Owner role not found in database')
 
             from storage.org_member_store import OrgMemberStore
 
@@ -269,6 +271,8 @@ class UserStore:
                 'user_store:migrate_user:done_get_role_by_name',
                 extra={'user_id': user_id},
             )
+            if role is None:
+                raise ValueError('Owner role not found in database')
 
             from storage.org_member_store import OrgMemberStore