Made Open

Branch Protection Rules

Configure these in GitHub Settings → Branches → Branch protection rules for main:

Required Settings

  • Require a pull request before merging — at least 1 approval
  • Require status checks to pass before merging (job ids from .github/workflows/ci.yml):
    • lint (Lint & Typecheck)
    • test (Unit Tests)
    • integration (Integration Tests)
    • integration-real (Real Integration Tests)
    • security (Security Audit)
    • build (Build)
    • docker-build (Docker Build)
    • migration-check (Migration Safety Check)
    • bundle-size (Bundle Size)
    • image-scan (Image Vulnerability Scan)
  • Require branches to be up to date before merging
  • Require conversation resolution before merging
  • Restrict who can push to matching branches — only admins
  • Do not allow bypassing the above settings
  • Require signed commits (optional but recommended)
  • Include administrators in all restrictions
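
To confirm that the rule on main matches this list, the check below audits the JSON returned by GitHub's REST endpoint GET /repos/{owner}/{repo}/branches/main/protection. It is an added example, not part of this repository. The function names and the sample response are constructed, and it assumes the rule may store either the job id or the display name as the check context, so it accepts both.

```python
# Job id -> display name, copied from the list above. A protection rule may
# store either one as the check context, so both are accepted (assumption).
REQUIRED_CHECKS = {
    "lint": "Lint & Typecheck", "test": "Unit Tests",
    "integration": "Integration Tests",
    "integration-real": "Real Integration Tests",
    "security": "Security Audit", "build": "Build", "docker-build": "Docker Build",
    "migration-check": "Migration Safety Check",
    "bundle-size": "Bundle Size", "image-scan": "Image Vulnerability Scan",
}

def enabled(protection, key):
    return bool((protection.get(key) or {}).get("enabled"))

def audit(protection):
    """Return deviations from the required settings (empty list = compliant)."""
    findings = []
    reviews = protection.get("required_pull_request_reviews") or {}
    if reviews.get("required_approving_review_count", 0) < 1:
        findings.append("pull request with at least 1 approval not required")
    checks = protection.get("required_status_checks") or {}
    contexts = set(checks.get("contexts") or [])
    contexts |= {c.get("context") for c in checks.get("checks") or []}
    for job_id, name in REQUIRED_CHECKS.items():
        if job_id not in contexts and name not in contexts:
            findings.append(f"status check not required: {job_id}")
    if not checks.get("strict"):
        findings.append("branch not required to be up to date")
    if not enabled(protection, "required_conversation_resolution"):
        findings.append("conversation resolution not required")
    if not protection.get("restrictions"):  # key is absent when pushes are open
        findings.append("push access not restricted")
    if not enabled(protection, "enforce_admins"):  # "Include administrators"
        findings.append("administrators not included")
    if not enabled(protection, "required_signatures"):
        findings.append("signed commits not required (optional)")
    return findings

# Constructed sample response: two checks missing, admins exempt, no signing.
SAMPLE = {
    "required_pull_request_reviews": {"required_approving_review_count": 1},
    "required_status_checks": {"strict": True, "contexts": [
        "lint", "test", "integration", "integration-real", "security",
        "build", "docker-build", "bundle-size"]},
    "required_conversation_resolution": {"enabled": True},
    "restrictions": {"users": [], "teams": [], "apps": []},
    "enforce_admins": {"enabled": False},
}

print("\n".join(audit(SAMPLE)) or "compliant")
```

The live value can be fetched with gh api repos/OWNER/REPO/branches/main/protection (OWNER/REPO is a placeholder) and the parsed JSON passed to audit().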

CODEOWNERS

The .github/CODEOWNERS file assigns @drdropout as the default owner (*) and as the owner of these explicit paths:

  • supabase/migrations/
  • apps/hub/src/main.ts
  • apps/hub/src/api/server.ts
  • docker-compose*.yml
  • .github/workflows/
  • Dockerfile
  • apps/hub/plugins/**/plugin.json (plugin manifests)
  • packages/shared/src/types/ and packages/shared/src/index.ts (shared types — breaking change risk)
  • apps/hub/src/services/plugins/PluginContext.ts
  • apps/hub/src/services/policy/
  • apps/hub/src/api/middleware/authMiddleware.ts