The 2026-06-11 merge-whitelist fix (GRO-2348) added a required_approvals
gate on uat→main merges. That gate is only satisfied by a Gitea Approve
click — the issue-thread QA/UAT-deploy/UAT-regression/security
approvals do not clear it. As a result the CTO is the human-in-the-loop
on every routine release-train PR (GRO-2358, GRO-2359 both hit it).
This change introduces an explicit "uat→main merge-gate policy" in
coding-standards: once the four pre-gates (QA, UAT deploy, UAT
regression, security) are green, the engineer self-merges. A CTO
Gitea Approve click is required only for three categories:
1. Novel auth / session paths (login, OIDC, OOBE, session
middleware, token issuance, MFA, new auth provider integrations).
2. Infra / prod-affecting merges (deploys, manifests, secrets,
GitOps overlays, CI/CD, main branch protection, prod-affecting
routing/ingress). All Phase 5 infra overlay PRs in
groombook/infra still require CTO Gitea Approve without
exception.
3. Risk-flagged merges (risk:cto-approve label, or explicit
CTO/CEO sign-off request in the PR or issue thread).
Phase 4 in sdlc is updated to reflect the new flow: engineer
classifies the PR; CTO Approve happens only for the three categories
above; otherwise the engineer merges once the four pre-gates are
green. The pre-gates themselves do not change.
Refs: GRO-2377
Triggers: GRO-2358, GRO-2359
Source rule: GRO-2348 (merge-whitelist fix)
Flea Flicker
152c52f47c