From 816b0196cd07eb2d2aa022179c08a93eb134b40b Mon Sep 17 00:00:00 2001
From: "Molecule AI Dev Engineer A (Kimi)"
Date: Sat, 6 Jun 2026 03:44:50 +0000
Subject: [PATCH 1/3] fix(audit,merge-queue): include SOP ceremony contexts in required checks (#2144, #2142)

audit-force-merge.yml: - Add sop-checklist, sop-tier-check, qa-review, security-review to REQUIRED_CHECKS_JSON for both main and staging. - Without these, the force-merge audit detector missed merges that bypassed the SOP ceremony gates. gitea-merge-queue.py: - Add sop-tier-check, qa-review, security-review to REQUIRED_CONTEXTS default. - The merge queue previously considered a PR ready once CI all-required + sop-checklist were green, omitting qa/security/tier ceremony. Fixes #2144. Fixes #2142. Co-Authored-By: Claude Opus 4.8
---
 .gitea/scripts/gitea-merge-queue.py | 5 ++++-
 .gitea/workflows/audit-force-merge.yml | 11 +++++++++--
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/.gitea/scripts/gitea-merge-queue.py b/.gitea/scripts/gitea-merge-queue.py
index 17c3d318e..4f3e40391 100644
--- a/.gitea/scripts/gitea-merge-queue.py
+++ b/.gitea/scripts/gitea-merge-queue.py
@@ -44,7 +44,10 @@ REQUIRED_CONTEXTS_RAW = _env(
 "REQUIRED_CONTEXTS",
 default=(
 "CI / all-required (pull_request),"
- "sop-checklist / all-items-acked (pull_request)"
+ "sop-checklist / all-items-acked (pull_request),"
+ "sop-tier-check / tier-check (pull_request),"
+ "qa-review / approved (pull_request),"
+ "security-review / approved (pull_request)"
 ),
 )
 # Required contexts for push (main/staging) runs. The push CI uses the same
diff --git a/.gitea/workflows/audit-force-merge.yml b/.gitea/workflows/audit-force-merge.yml
index 00c47312f..e5e7a3580 100644
--- a/.gitea/workflows/audit-force-merge.yml
+++ b/.gitea/workflows/audit-force-merge.yml
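Review bot: The ceremony contexts added to the `default=` tuple here are the second copy of the same list — the audit workflow's `REQUIRED_CHECKS_JSON` in the next hunk repeats the five `(pull_request)` entries verbatim, and patches 2/3 of this series each have to edit both copies to correct a suffix. A comment beside the default would at least make the coupling visible, e.g. `# Keep in sync with REQUIRED_CHECKS_JSON in .gitea/workflows/audit-force-merge.yml; if they drift, the queue gates on a different set than the force-merge audit reports on.` A stronger fix is one source of truth (a file both consumers read, or a CI assertion that this default is a subset of each branch list in the audit workflow) so drift fails a build instead of being discovered live. Note also that `_env` makes this only a default: a deployment that already sets `REQUIRED_CONTEXTS` in its environment keeps its old list and none of the new gates apply there, which deserves a line in the commit message or an operator note. The `_env` helper and the code that compares these names against posted statuses are outside the hunk.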
@@ -61,11 +61,18 @@ jobs:
 "main": [
 "CI / all-required (pull_request)",
 "E2E API Smoke Test / E2E API Smoke Test (pull_request)",
- "Handlers Postgres Integration / Handlers Postgres Integration (pull_request)"
+ "Handlers Postgres Integration / Handlers Postgres Integration (pull_request)",
+ "sop-checklist / all-items-acked (pull_request)",
+ "sop-tier-check / tier-check (pull_request)",
+ "qa-review / approved (pull_request)",
+ "security-review / approved (pull_request)"
 ],
 "staging": [
 "CI / all-required (pull_request)",
- "sop-checklist / all-items-acked (pull_request)"
+ "sop-checklist / all-items-acked (pull_request)",
+ "sop-tier-check / tier-check (pull_request)",
+ "qa-review / approved (pull_request)",
+ "security-review / approved (pull_request)"
 ]
 }
 run: bash .gitea/scripts/audit-force-merge.sh
-- 
2.52.0

From 32288582832417055fe40794a5cbf8104703cb17 Mon Sep 17 00:00:00 2001
From: "Molecule AI Dev Engineer A (Kimi)"
Date: Tue, 9 Jun 2026 13:33:12 +0000
Subject: [PATCH 2/3] fix(governance): use (pull_request_target) suffix for qa-review/security-review/sop-tier-check contexts (#2331 CR)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The qa-review, security-review, and sop-tier-check workflows run on pull_request_target (they need elevated tokens to post review status), so the contexts they post are the (pull_request_target) variants — there is no (pull_request) variant for any of the three. Using (pull_request) would make these contexts permanently 'missing', causing the merge queue to brick (required_contexts_green always False) and the force-merge audit to false-positive on every legitimate merge. Verified live: PR #2478 shows qa-review / approved (pull_request_target) and security-review / approved (pull_request_target). sop-checklist all-items-acked (pull_request) is kept as-is because that workflow DOES post a (pull_request) variant. Files: - .gitea/scripts/gitea-merge-queue.py - .gitea/workflows/audit-force-merge.yml Refs: #2331 review agent-reviewer + agent-reviewer-cr2
---
 .gitea/scripts/gitea-merge-queue.py | 6 +++---
 .gitea/workflows/audit-force-merge.yml | 12 ++++++------
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/.gitea/scripts/gitea-merge-queue.py b/.gitea/scripts/gitea-merge-queue.py
index 4f3e40391..c5f2fe97a 100644
--- a/.gitea/scripts/gitea-merge-queue.py
+++ b/.gitea/scripts/gitea-merge-queue.py
@@ -45,9 +45,9 @@ REQUIRED_CONTEXTS_RAW = _env(
 default=(
 "CI / all-required (pull_request),"
 "sop-checklist / all-items-acked (pull_request),"
- "sop-tier-check / tier-check (pull_request),"
- "qa-review / approved (pull_request),"
- "security-review / approved (pull_request)"
+ "sop-tier-check / tier-check (pull_request_target),"
+ "qa-review / approved (pull_request_target),"
+ "security-review / approved (pull_request_target)"
 ),
 )
 # Required contexts for push (main/staging) runs. The push CI uses the same
diff --git a/.gitea/workflows/audit-force-merge.yml b/.gitea/workflows/audit-force-merge.yml
index e5e7a3580..e481ccd63 100644
--- a/.gitea/workflows/audit-force-merge.yml
+++ b/.gitea/workflows/audit-force-merge.yml
@@ -63,16 +63,16 @@ jobs:
 "E2E API Smoke Test / E2E API Smoke Test (pull_request)",
 "Handlers Postgres Integration / Handlers Postgres Integration (pull_request)",
 "sop-checklist / all-items-acked (pull_request)",
- "sop-tier-check / tier-check (pull_request),"
- "qa-review / approved (pull_request),"
- "security-review / approved (pull_request)"
+ "sop-tier-check / tier-check (pull_request_target),"
+ "qa-review / approved (pull_request_target),"
+ "security-review / approved (pull_request_target)"
 ],
 "staging": [
 "CI / all-required (pull_request)",
 "sop-checklist / all-items-acked (pull_request)",
- "sop-tier-check / tier-check (pull_request),"
- "qa-review / approved (pull_request),"
- "security-review / approved (pull_request)"
+ "sop-tier-check / tier-check (pull_request_target),"
+ "qa-review / approved (pull_request_target),"
+ "security-review / approved (pull_request_target)"
 ]
 }
 run: bash .gitea/scripts/audit-force-merge.sh
-- 
2.52.0

From 6968bb0af918f4ae7d432d7094ded9a0ef1a2177 Mon Sep 17 00:00:00 2001
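Review bot: The reason for the `(pull_request_target)` suffix lives only in this commit message; the tuple itself gives the next maintainer no hint that the suffix is the event the posting workflow runs on, and the series already shows it being guessed wrong more than once. Add a comment above `default=(`, e.g. `# The "(event)" suffix is the trigger of the workflow that posts the status; confirm against a live status list before changing one — a wrong suffix is never satisfied and blocks the queue.`, and the same as a `#` line above `REQUIRED_CHECKS_JSON` in the audit hunk sharing this line. Since the message explains these workflows post with elevated tokens because their statuses carry review decisions, the comment should also say what the gate trusts: as far as is visible here it matches on context name and state only, so if the status API exposes the creator, pinning the expected poster as well would keep an unrelated status with the same name from satisfying the ceremony. The comparison code that would carry such a check is outside the hunk, so that last point is an inference from what the defaults contain.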
From: devops-engineer
Date: Sun, 14 Jun 2026 22:36:50 +0000
Subject: [PATCH 3/3] fix(audit,merge-queue): correct sop-tier context to (pull_request_review)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CR2 REQUEST_CHANGES: the live sop-tier status is "sop-tier-check / tier-check (pull_request_review)", not (pull_request_target). The (pull_request_target) variant is never produced, so the merge-queue/audit would wait on / classify against a context that does not exist. Corrected both occurrences in audit-force-merge.yml and the one in gitea-merge-queue.py. qa-review and security-review keep (pull_request_target) — those variants ARE produced live (verified).
---
 .gitea/scripts/gitea-merge-queue.py | 2 +-
 .gitea/workflows/audit-force-merge.yml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.gitea/scripts/gitea-merge-queue.py b/.gitea/scripts/gitea-merge-queue.py
index c5f2fe97a..9fdaff375 100644
--- a/.gitea/scripts/gitea-merge-queue.py
+++ b/.gitea/scripts/gitea-merge-queue.py
@@ -45,7 +45,7 @@ REQUIRED_CONTEXTS_RAW = _env(
 default=(
 "CI / all-required (pull_request),"
 "sop-checklist / all-items-acked (pull_request),"
- "sop-tier-check / tier-check (pull_request_target),"
+ "sop-tier-check / tier-check (pull_request_review),"
 "qa-review / approved (pull_request_target),"
 "security-review / approved (pull_request_target)"
 ),
diff --git a/.gitea/workflows/audit-force-merge.yml b/.gitea/workflows/audit-force-merge.yml
index e481ccd63..87925f781 100644
--- a/.gitea/workflows/audit-force-merge.yml
+++ b/.gitea/workflows/audit-force-merge.yml
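Review bot: This is the third correction of the same literal in three patches, each confirmed by hand against a live PR, and nothing in the tree will catch the next drift. A small test that asserts every entry of the `REQUIRED_CONTEXTS` default appears in a checked-in status list recorded from a known-good merged PR would turn "verified live" into something CI enforces. The two consumers also fail differently when a name is wrong — per the patch 2 message the queue holds every PR (`required_contexts_green` stays False) while the audit flags every merge — so having the queue log the required contexts it never observed on a PR would point at the cause rather than the symptom; that logging would live outside this hunk. The audit YAML hunk that follows carries the same literal and would be covered by the same fixture.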
@@ -63,14 +63,14 @@ jobs:
 "E2E API Smoke Test / E2E API Smoke Test (pull_request)",
 "Handlers Postgres Integration / Handlers Postgres Integration (pull_request)",
 "sop-checklist / all-items-acked (pull_request)",
- "sop-tier-check / tier-check (pull_request_target)",
+ "sop-tier-check / tier-check (pull_request_review)",
 "qa-review / approved (pull_request_target)",
 "security-review / approved (pull_request_target)"
 ],
 "staging": [
 "CI / all-required (pull_request)",
 "sop-checklist / all-items-acked (pull_request)",
- "sop-tier-check / tier-check (pull_request_target)",
+ "sop-tier-check / tier-check (pull_request_review)",
 "qa-review / approved (pull_request_target)",
 "security-review / approved (pull_request_target)"
 ]
-- 
2.52.0