Flea Flicker
152c52f47c
The 2026-06-11 merge-whitelist fix (GRO-2348) added a required_approvals
gate on uat→main merges. That gate is only satisfied by a Gitea Approve
click — the issue-thread QA/UAT-deploy/UAT-regression/security
approvals do not clear it. As a result the CTO is the human-in-the-loop
on every routine release-train PR (GRO-2358, GRO-2359 both hit it).
This change introduces an explicit "uat→main merge-gate policy" in
coding-standards: once the four pre-gates (QA, UAT deploy, UAT
regression, security) are green, the engineer self-merges. A CTO
Gitea Approve click is required only for three categories:
1. Novel auth / session paths (login, OIDC, OOBE, session
middleware, token issuance, MFA, new auth provider integrations).
2. Infra / prod-affecting merges (deploys, manifests, secrets,
GitOps overlays, CI/CD, main branch protection, prod-affecting
routing/ingress). All Phase 5 infra overlay PRs in
groombook/infra still require CTO Gitea Approve without
exception.
3. Risk-flagged merges (risk:cto-approve label, or explicit
CTO/CEO sign-off request in the PR or issue thread).
Phase 4 in sdlc is updated to reflect the new flow: engineer
classifies the PR; CTO Approve happens only for the three categories
above; otherwise the engineer merges once the four pre-gates are
green. The pre-gates themselves do not change.
Refs: GRO-2377
Triggers: GRO-2358, GRO-2359
Source rule: GRO-2348 (merge-whitelist fix)
4.6 KiB
name, description
| name | description |
|---|---|
| coding-standards | Engineering quality bar for GroomBook code: priority ordering of correctness vs. clarity vs. maintainability vs. performance vs. elegance, PR and test requirements, no-hardcoded-values rules, branch discipline, the no-self- merge contract, and the uat→main merge-gate policy (CTO Gitea Approve reserved for novel auth, infra/prod-affecting, and risk-flagged merges). |
Coding Standards
These rules apply to any GroomBook agent that writes, reviews, or merges code.
Priority ordering
When making technical decisions, prioritize in this order:
- Correctness — does it work? Does it handle edge cases? Have you proven it, not assumed it?
- Clarity — will another engineer understand this without context in 6 months?
- Maintainability — will it be safe to change?
- Performance — fast enough for the use case? Profile before optimizing.
- Elegance — nice if free; never trade any of the above for it.
Pull request discipline
- All changes go through a PR. Never push directly to
dev,uat, ormain. - Never merge a PR without the reviews required by the
sdlc(ordevops) skill for that branch. The engineer who opened the PR may click merge once those prerequisites are satisfied. - Always include
cc @cpfarhoodat the bottom of the PR body for visibility (not as a reviewer).
Test requirements
- Every PR must include tests for new code paths. No exceptions for "small" changes.
- Run unit tests, type check, and lint locally (or rely on CI) before requesting review.
- A PR without passing tests does not get approval.
- New code paths require coverage. No coverage = no approval.
Code review tone
Hold a high bar. PRs with obvious mistakes, missing tests, hardcoded values, or policy violations get firm, specific review comments citing what's wrong and what the fix is. Cite the file and line. Suggest the fix when you know it. Don't sugarcoat — but be professional and constructive. "This looks wrong" is not a review comment.
Hardcoded values
- Colors use CSS variables / theme tokens. Never raw hex in components.
- Strings use constants or i18n. No magic strings.
- Numbers that aren't trivially obvious go in named constants.
- No magic numbers in business logic.
Secrets in code
Secrets never touch source. See the safety skill for the SealedSecrets workflow. If your implementation requires a Kubernetes secret you cannot create, file an issue for the agent who owns the SealedSecrets workflow rather than committing a plaintext value.
Releases and versioning
All releases use CalVer (YYYY.MMDD.PATCH, e.g. 2026.0504.0). No SemVer, no custom schemes.
Container images
Push to git.farh.net only. Never Docker Hub for first-party images.
uat→main merge-gate policy
The CTO Gitea Approve click is not the default gate on uat → main PRs. Once the four pre-gates — QA, UAT deploy, UAT regression, and security review — are all green, the engineer self-merges. A CTO Gitea Approve click is required only for PRs in one of the three categories below.
Categories that require CTO Gitea Approve
- Novel auth / session paths — login, OIDC, OOBE, session middleware, token issuance, password reset, MFA, or any new auth provider integration. Routine changes to auth-gated UI (button styling, error messages, form layout, copy edits) are not in this category.
- Infra / prod-affecting merges — deploys, infra manifests, secrets, GitOps overlays, CI/CD pipelines,
mainbranch protection, production routing/ingress, or any change that mutates prod state. All Phase 5 infra overlay PRs (groombook/infra) require CTO Gitea Approve without exception. - Risk-flagged merges — any PR that carries the
risk:cto-approvelabel, or where the CTO or CEO has explicitly requested CTO sign-off in the PR or issue thread.
The engineer who opened the PR classifies it against the three categories above (escalating to the CTO via comment if the call is unclear), then:
- In a category → request a CTO Gitea Approve click. The engineer merges once the CTO has approved.
- Outside all three categories → no CTO click needed. The engineer merges once the four pre-gates are green.
The pre-gates (QA, UAT deploy, UAT regression, security) do not change. This rule only removes the CTO Gitea Approve click from the default uat → main path for routine PRs that already pass every pre-gate.
When uncertain
If a code-quality call isn't covered above and you can't decide cleanly, escalate to the CTO via comment rather than guessing.