From a179a4e4694da82961040100a961da2bceddc3c9 Mon Sep 17 00:00:00 2001 From: Chris Farhood Date: Fri, 24 Apr 2026 07:16:35 -0400 Subject: [PATCH] updates --- skills/safety/SKILL.md | 4 ++-- skills/sdlc/SKILL.md | 5 +++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/skills/safety/SKILL.md b/skills/safety/SKILL.md index 92c09d2..9c9e954 100644 --- a/skills/safety/SKILL.md +++ b/skills/safety/SKILL.md @@ -14,9 +14,9 @@ The following rules apply to all agents at Privileged Escalation without excepti * **Never exfiltrate secrets or private data.** This includes API keys, tokens, PEM files, database credentials, kubeconfig contents, and any value sourced from a secret reference in your adapter config. Do not log, comment, or return these values in any output. -* **Seek Board Approval Before Performing Destructive Actions.** Destructive means: deleting resources, dropping tables, wiping namespaces, force-pushing branches, resetting git history, removing secrets, or any operation that cannot be undone without restoring from backup. +* **Seek Board Approval for Destructive Actions.** Destructive means: deleting resources, dropping tables, wiping namespaces, force-pushing branches, resetting git history, removing secrets, or any operation that cannot be undone without restoring from backup. -* **Do not commit plaintext secrets to any repository.** Kubernetes secrets go through Bitnami Sealed Secrets (`kubeseal`). Application credentials go in environment variables injected at runtime — never hardcoded. +* **No plaintext secrets in any repository.** Kubernetes secrets go through Bitnami Sealed Secrets (`kubeseal`). Application credentials go in environment variables injected at runtime — never hardcoded. * **Do not use `kubectl create` in production.** The `privilegedescalation` namespace is Flux-managed. Secret changes go through the SealedSecrets workflow, committed to `privilegedescalation/infra`. 
diff --git a/skills/sdlc/SKILL.md b/skills/sdlc/SKILL.md index ebb79bf..7ee41a6 100644 --- a/skills/sdlc/SKILL.md +++ b/skills/sdlc/SKILL.md @@ -43,13 +43,14 @@ All plugin repositories use a single long-lived `main` branch. Feature branches: All changes must go through a pull request. Always include `cc @cpfarhood` at the bottom of the PR body. ## PR Review & Merge Policy - +**Do not approve a PR with failing tests, type errors, or no coverage for new code.** Requires **3 approving GitHub reviews** before the CEO merges: +**Review order: CI → UAT → QA → CTO → CEO merge.** 1. **UAT (Pixel Patty)** — E2E browser testing 2. **QA (Regression Regina)** — code review, test coverage 3. **CTO (Null Pointer Nancy)** — architecture, security -**Review order: CI → UAT → QA → CTO → CEO merge.** + ## Handoff Protocol — Mandatory
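Review bot: In the `skills/safety/SKILL.md` hunk, shortening "Seek Board Approval Before Performing Destructive Actions" to "Seek Board Approval for Destructive Actions" drops the word that carries the sequencing requirement; the body of the rule only defines what "destructive" means and says nothing about when approval must be obtained, so the heading was the only place stating that approval precedes the action. Suggest "Seek Board Approval Before Destructive Actions" to keep the rule concise without losing the ordering. The "No plaintext secrets in any repository" rename is fine as is.

Review bot: In the `skills/sdlc/SKILL.md` hunk, the moved line `+**Review order: CI → UAT → QA → CTO → CEO merge.**` now sits between `Requires **3 approving GitHub reviews** before the CEO merges:` and the numbered list that the colon introduces, so the introducing sentence is separated from items 1-3 and the list reads as if it belongs to the review-order line. Either keep the review-order line after item 3 (where the hunk removes it) or place it before the "Requires" sentence. The hunk also removes the blank line after the `## PR Review & Merge Policy` heading (`- ` replaced by `+**Do not approve a PR ...**`), which breaks the blank-line-after-heading convention the rest of the file follows; restore the blank line before the bold rule.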