diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index b2f3ef6..9971c76 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -2,9 +2,9 @@ name: CI
 on:
 push:
- branches: [main]
+ branches: [main, dev, uat]
 pull_request:
- branches: [main]
+ branches: [main, dev, uat]
 workflow_call:
 workflow_dispatch:
diff --git a/.github/workflows/dual-approval.yaml b/.github/workflows/dual-approval.yaml
index c3d81d0..9552ee4 100644
--- a/.github/workflows/dual-approval.yaml
+++ b/.github/workflows/dual-approval.yaml
@@ -1,21 +1,21 @@
-name: Dual Approval (CTO + QA)
+name: Promotion Gate
-# Calls the shared dual-approval-check workflow.
-# Passes when both privilegedescalation-cto and privilegedescalation-qa
-# have approved the PR. Add "Dual Approval (CTO + QA)" to required_status_checks
-# in branch protection to enforce this gate.
+# Calls the shared promotion gate workflow.
+# dev PRs: no gate (engineer self-merges).
+# uat PRs: QA approval required.
+# main PRs: UAT approval required (uat→main promotions).
 on:
 pull_request_review:
 types: [submitted, dismissed]
 pull_request:
- branches: [main]
+ branches: [uat, main]
 types: [opened, reopened, synchronize]
 jobs:
- dual-approval:
- if: github.event.pull_request != null
+ promotion-gate:
 uses: privilegedescalation/.github/.github/workflows/dual-approval-check.yaml@main
 secrets: inherit
 with:
 pr_number: ${{ github.event.pull_request.number }}
+
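Review bot: Renaming the workflow and the job from `dual-approval` to `promotion-gate` changes the status-check context, and the new header comment drops the instruction that said which check to add to `required_status_checks`; if branch protection is still keyed on "Dual Approval (CTO + QA)", this workflow will no longer satisfy it, and `uat` is only gated once a rule requiring the new check exists for that branch. The header should keep that instruction, for example `# Require the promotion-gate check in branch protection for uat and main; this workflow only reports a status.` The job still calls `dual-approval-check.yaml@main` and passes only `pr_number`, so whether the per-branch rules listed in the comment (QA for uat, UAT approval for main) are actually applied depends on that shared workflow, which is not visible in this diff. Because the call uses `secrets: inherit`, pinning `uses:` to a full commit SHA rather than `@main` would keep a change on the shared repository's default branch from altering the gate, or reaching the inherited secrets, without review here.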