2 Commits

Author SHA1 Message Date
Scrubs McBarkley 8930a8d5f1 docs(skills): move uat→main merge-gate policy from coding-standards to sdlc
Reviewer feedback (COrtHvtYnuZx6DmhztGD50uGnKVJajPf): the merge-gate
policy is a process / SDLC rule, not a code-quality / coding-standard
rule, so it belongs in the sdlc skill.

  - skills/sdlc/SKILL.md: add new '## uat→main merge-gate policy'
    section after Phase 5 with the full policy, the three categories,
    the engineer workflow, and the 'when uncertain' escalation path.
    Update frontmatter description and intro paragraph to point at
    the new local section. Re-point the branch-strategy table row
    and Phase 4 step 3 at the local section.
  - skills/coding-standards/SKILL.md: remove the duplicate
    'uat→main merge-gate policy' section (it now lives in sdlc) and
    replace it with a one-paragraph pointer to sdlc. Update the
    frontmatter description to remove the policy bullet and add a
    'lives in sdlc, not here' line.

No behavior change: the policy content is identical, only its home
file moved. The PR is now an sdlc PR with a small coding-standards
follow-on, which matches the reviewer's point.

Refs: GRO-2377
Triggers: GRO-2358, GRO-2359
Source rule: GRO-2348 (merge-whitelist fix)

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-06-12 01:39:27 +00:00
Flea Flicker 152c52f47c docs(skills): loosen uat→main merge gate; CTO Approve only for novel auth, infra/prod, and risk-flagged
The 2026-06-11 merge-whitelist fix (GRO-2348) added a required_approvals
gate on uat→main merges. That gate is only satisfied by a Gitea Approve
click — the issue-thread QA/UAT-deploy/UAT-regression/security
approvals do not clear it. As a result the CTO is the human-in-the-loop
on every routine release-train PR (GRO-2358, GRO-2359 both hit it).

This change introduces an explicit "uat→main merge-gate policy" in
coding-standards: once the four pre-gates (QA, UAT deploy, UAT
regression, security) are green, the engineer self-merges. A CTO
Gitea Approve click is required only for three categories:

  1. Novel auth / session paths (login, OIDC, OOBE, session
     middleware, token issuance, MFA, new auth provider integrations).
  2. Infra / prod-affecting merges (deploys, manifests, secrets,
     GitOps overlays, CI/CD, main branch protection, prod-affecting
     routing/ingress). All Phase 5 infra overlay PRs in
     groombook/infra still require CTO Gitea Approve without
     exception.
  3. Risk-flagged merges (risk:cto-approve label, or explicit
     CTO/CEO sign-off request in the PR or issue thread).

Phase 4 in sdlc is updated to reflect the new flow: engineer
classifies the PR; CTO Approve happens only for the three categories
above; otherwise the engineer merges once the four pre-gates are
green. The pre-gates themselves do not change.

Refs: GRO-2377
Triggers: GRO-2358, GRO-2359
Source rule: GRO-2348 (merge-whitelist fix)
2026-06-12 01:30:45 +00:00
2 changed files with 0 additions and 28 deletions
-10
View File
@@ -1,10 +0,0 @@
# Agent runtime artifacts — never commit
.gh-token
*.gh-token
**/.gh-token
.config/gh/
**/.config/gh/
**/AGENT_HOME/**
$AGENT_HOME/**
.claude/
.codex/
-18
View File
@@ -59,24 +59,6 @@ Images currently use `:latest` with `imagePullPolicy: Always`; pin to a CalVer t
**Policy — Flux Image Tag Automation is DENIED.** Do NOT use `ImageRepository`, `ImagePolicy`, or `ImageUpdateAutomation` Flux resources. Image tag updates must be made intentionally via a PR to `groombook/infra` — typically as the final step of the `sdlc` application pipeline (Phase 5).
## When a cluster is broken: fix forward in git — never escalate a manual action
The cluster is reconciled by controllers (Flux, the OpenTofu Controller, the Sealed Secrets controller). **Any change one of these controllers can reconcile MUST be delivered as a PR to `groombook/infra`** — it is never a board approval and never a hand-run `kubectl` / `kubeseal` / `tofu` command.
This is the corollary of the read-only-prod and "no `kubectl apply` to production" rules in `safety`: agents are read-only on `groombook` **by design**, precisely because the write path is git. "I lack cluster-admin" therefore resolves to **"open a PR,"** not **"ask a human to run the command."**
Contract:
- **Do NOT** file an issue, board approval, or escalation that asks a human to run an imperative cluster command (`kubectl delete/apply/patch`, `kubeseal`, `flux reconcile`, `tofu apply`) that a controller would otherwise reconcile from git. That request is unfillable and wrong on a GitOps cluster — fix the desired state in the repo and let the controller converge.
- SealedSecret won't unseal / wrong scope → re-seal the `SealedSecret` and commit it.
- Missing or not-ready Flux `Receiver`, `Kustomization`, `Terraform`, RBAC, etc. → commit/correct the manifest in the overlay.
- Stale or wrong `sourceRef`, annotations, ownership → fix them declaratively in the overlay.
- **A reconcile blocked on a pre-existing in-cluster object** (e.g. a `SealedSecret` the controller won't adopt because an unmanaged or Reflector-mirrored `Secret` already exists) is still solved declaratively: correct ownership/annotations in git so the controller adopts it. Only if **no controller can adopt the object** is a one-time imperative step justified — and then it is a single, specifically-scoped, reviewed exception stating the exact reason, **not** a multi-day approval queue standing in for missing engineering.
- **Board approval is reserved** for genuinely irreversible or out-of-band actions no controller reconciles — destroying stateful data, rotating the cluster bootstrap, bootstrapping a brand-new cluster. Routine reconcilable breakage never qualifies. (See `safety` for destructive-action approval.)
- The Flux bootstrap/cluster repo is **not** `groombook/infra` (see GitOps above). A genuinely missing `GitRepository` or other bootstrap object is a PR to that externally-managed cluster-config repo — still a PR, still not a hand-run apply.
If you are about to write "escalated to board — a human must run …" for a reconcilable change, stop: that is the failure mode, not the fix. Open the PR.
## Infrastructure as Code
Terraform (OpenTofu) is deployed via the **Flux OpenTofu Controller** in a GitOps fashion. Submit Terraform configurations via a PR to `groombook/infra` — the tofu controller reconciles them on merge. See `safety` for the prohibition on running `tofu` directly and on `kubectl apply` against production.