diff --git a/.gitea/workflows/audit-force-merge.yml b/.gitea/workflows/audit-force-merge.yml
index 09f4eb7b..1115a5fc 100644
--- a/.gitea/workflows/audit-force-merge.yml
+++ b/.gitea/workflows/audit-force-merge.yml
@@ -52,7 +52,14 @@ jobs:
 # Declared here rather than fetched from /branch_protections
 # because that endpoint requires admin write — sop-tier-bot is
 # read-only by design (least-privilege).
+ #
+ # mc#798: F3a+F3b fix — staging/main branch protection requires:
+ # - "CI / all-required (pull_request)"
+ # - "sop-checklist / all-items-acked (pull_request)"
+ # The previous values (sop-tier-check, Secret scan) were not in
+ # branch protection — they would have caused false-positive audit
+ # findings AND missed unforced sop-checklist bypasses.
 REQUIRED_CHECKS: |
- sop-tier-check / tier-check (pull_request)
- Secret scan / Scan diff for credential-shaped strings (pull_request)
+ CI / all-required (pull_request)
+ sop-checklist / all-items-acked (pull_request)
 run: bash .gitea/scripts/audit-force-merge.sh
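Review bot: The new REQUIRED_CHECKS values are a hand-maintained copy of the branch-protection contexts, and nothing in the hunk guards against the drift that the mc#798 comment itself describes — a renamed workflow or job, or an edit to branch protection, would silently reintroduce false-positive findings or missed bypasses because the audit is keyed on exact context strings. Since the bot is read-only by design, consider at least pairing this with a periodic admin-run comparison against /branch_protections (outside this workflow), and state the coupling in the comment: `# Keep in lockstep with branch protection for staging and main — a renamed job or a protection edit silently breaks this audit.` The comment also asserts that staging and main require the same two checks; if those branches ever diverge, one list cannot represent both, so it is worth naming which branch is authoritative. The matching logic lives in .gitea/scripts/audit-force-merge.sh, which is outside the hunk, so whether it tolerates whitespace or case differences in these names cannot be confirmed here; the enclosing job definition also starts before this hunk.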