Context
The repository is going public (Epic #561). The default branch main currently has no enforced protection, so the "all changes go through reviewed PRs" practice is procedural, not technically enforced.
Current state
gh api repos/semiotic-agentium/agentium-os/rulesets returns 0 rulesets.
- Classic branch protection on
main could not be confirmed as set (the API returned empty). Verify directly in Settings → Branches.
- Recent history shows changes do arrive via PRs in practice (sampled
main commits all traced to merged PRs), but nothing prevents a direct push, an unreviewed merge, or a force-push.
Why it matters
Two reasons, both sharpened by going public: (1) SOC 2 change-management expects the review control to be enforced, not just followed; an auditor samples for this. (2) On day one as a public repo, an unprotected main can be force-pushed or merged without review — exactly the integrity risk you do not want on a partner-facing project. (It also structurally prevents a future history-rewrite force-push.)
Acceptance criteria
Suggested approach
Use a GitHub ruleset (or classic branch protection) on main in repo settings. This is an admin/settings action, not a code change.
Out of scope
Org-level policies; protection for non-default branches.
Part of #561.
Context
The repository is going public (Epic #561). The default branch
maincurrently has no enforced protection, so the "all changes go through reviewed PRs" practice is procedural, not technically enforced.Current state
gh api repos/semiotic-agentium/agentium-os/rulesetsreturns 0 rulesets.maincould not be confirmed as set (the API returned empty). Verify directly in Settings → Branches.maincommits all traced to merged PRs), but nothing prevents a direct push, an unreviewed merge, or a force-push.Why it matters
Two reasons, both sharpened by going public: (1) SOC 2 change-management expects the review control to be enforced, not just followed; an auditor samples for this. (2) On day one as a public repo, an unprotected
maincan be force-pushed or merged without review — exactly the integrity risk you do not want on a partner-facing project. (It also structurally prevents a future history-rewrite force-push.)Acceptance criteria
mainrequires a pull request before merging.secret-scan/gitleaks lane).mainare blocked.Suggested approach
Use a GitHub ruleset (or classic branch protection) on
mainin repo settings. This is an admin/settings action, not a code change.Out of scope
Org-level policies; protection for non-default branches.
Part of #561.