{ "version": "1.0.0", "phase": "enforcement-ready", "full_workflow_required_when": [ { "id": "risk-security", "description": "Any change touching authentication, authorization, CSRF, encryption, logging redaction, file uploads, or API bootstrap/security behavior.", "paths": [ "lib/Http/**", "lib/Service/Access/**", "lib/Support/Crypto.php", "pages/api/**", "pages/**" ] }, { "id": "risk-data-boundary", "description": "Any change touching tenant-scoped data access, repository query boundaries, DB schema updates, or API contracts.", "paths": [ "lib/Repository/**", "db/updates/**", "db/init/init.sql", "docs/openapi.yaml" ] }, { "id": "risk-modules", "description": "Any change touching module manifests, module runtime wiring, module routes, module providers, or module migrations/assets.", "paths": [ "modules/*/module.php", "lib/App/Module/**", "storage/runtime/pages/**", "web/modules/**" ] }, { "id": "risk-cross-layer", "description": "Any feature/addition changing more than one architecture layer (Repository, Service, pages/templates/web, modules, config, db).", "paths": [ "lib/**", "pages/**", "templates/**", "web/**", "modules/**", "config/**", "db/**" ] } ], "quick_fix_allowlist": [ "single-file typo fix without behavior change", "single-file translation text/key correction without flow change", "single-file CSS visual adjustment without behavioral JS or backend change", "single-file docs-only update" ], "gate_policy": { "required_gates_always": [ "QG-001", "QG-002", "QG-003", "QG-006", "QG-008", "QG-009" ], "manual_non_blocking": [ "QG-005" ], "periodic_non_blocking": [ "QG-007" ] }, "ci_rollout": { "target_platform": "gitea", "blocking_enabled": false, "phase_2_activation": "Enable required status checks in repository branch protection once qa-required is stable on runner infrastructure." } }