Merge Policy
The merge policy turns findings into a check-run conclusion. Every org has a default policy; every repo can override it. Policy is enforced in the Merge Gate stage — deny rules override AI judgment.
Policy beats AI
db/migrations/** from non-humans, that rule wins even when AI Review and Deep Audit both approve. The point of governance is that your rules are the source of truth.
The five tiers
Advisory
Never blocks. Posts a comment with the findings summary. Use this when you want visibility without enforcement — typically for trial accounts or repos still being onboarded.
Warn
Sets a neutral check-run conclusion with a summary comment. GitHub branch protection treats neutral as non-blocking by default. Use this when you want a visible signal without preventing merges.
Standard
Default. Blocks on CRITICAL and HIGH findings. MEDIUM and below are reported as comments. Catches high-risk changes while keeping merge friction low.
Strict
Blocks on CRITICAL, HIGH, and MEDIUM findings plus any deny-rule match. Use this for repos under compliance review or repos with a high concentration of agent-authored PRs.
Locked
Uses the Strict severity floor — CRITICAL, HIGH, and MEDIUM findings block — and also requires a code-owner human to approve the latest commit within the last push. Use this for production-critical repos where every change must pass through a human gate regardless of AI verdict.
Deny rules
On top of the tier, every policy carries two deny-rule lists. Both are evaluated in the merge gate and add to the block conditions.
Path deny rules
Glob patterns plus a reason. A match means the merge is denied regardless of finding severity.
```yaml
pathDenyRules:
  - pattern: "db/migrations/**"
    reason: "Migrations require DBA approval — see #db-changes"
  - pattern: "infra/terraform/prod/**"
    reason: "Prod infra changes require platform-team approval"
```
Agent rules
Per agent type, decide whether PRs from that agent can merge directly or require a human reviewer.
```yaml
agentRules:
  - agentType: DEVIN
    action: require-human
  - agentType: COPILOT
    action: block
  - agentType: CLAUDE_CODE
    action: allow
```
See Agents for how agent identity is detected.
Per-repo overrides
The org-wide default applies to every repo unless that repo has its own policy row. Override per-repo from Settings → Repos → [repo] → Policy. The override completely replaces the org default for that repo.
Check-run mapping
The merge gate writes one of three GitHub check-run conclusions:
| Conclusion | When | Branch protection effect |
|---|---|---|
| success | No block conditions matched | Required check passes |
| neutral | Warn tier with findings present | Treated as non-blocking by default |
| failure | Any block condition matched | Required check fails — merge blocked |
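To make the decision order above concrete, here is a small Python model of the merge gate. It is an added example, not veriva's own code: the class and function names are invented, the tier floors, deny rules and agent actions are taken from this page, and it assumes that Advisory and Warn never emit `failure` (deny-rule and agent-rule matches on those tiers are only surfaced as reasons), that `require-human` is satisfied by any human reviewer approval, and that `fnmatchcase` is a close-enough stand-in for `**` globs. The sample policy and pull requests are constructed inline.

```python
"""Toy merge-gate evaluator modelled on the tiers, deny rules and check-run
mapping described on this page. Added example; not veriva's implementation."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Optional

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Lowest severity that blocks per tier. Standard blocks HIGH and above,
# Strict and Locked block MEDIUM and above, Advisory and Warn never block.
TIER_FLOOR = {"advisory": None, "warn": None, "standard": "HIGH",
              "strict": "MEDIUM", "locked": "MEDIUM"}
# Assumption: only these tiers can produce a "failure" conclusion.
BLOCKING_TIERS = {"standard", "strict", "locked"}


@dataclass
class Policy:
    tier: str
    path_deny_rules: list = field(default_factory=list)  # [{"pattern", "reason"}]
    agent_rules: dict = field(default_factory=dict)      # agentType -> action


@dataclass
class PullRequest:
    changed_paths: list
    finding_severities: list
    agent_type: Optional[str] = None         # None means human-authored
    human_reviewed: bool = False             # satisfies "require-human" (assumption)
    codeowner_approved_latest: bool = False  # code owner approved the latest commit


def path_denied(policy, paths):
    """Reasons for every deny rule whose glob matches a changed path.
    fnmatchcase lets '*' span '/', so 'db/migrations/**' matches recursively."""
    return [f"{r['pattern']}: {r['reason']}" for r in policy.path_deny_rules
            if any(fnmatchcase(p, r["pattern"]) for p in paths)]


def evaluate(policy, pr):
    """Return (check-run conclusion, list of block reasons)."""
    reasons = []
    floor = TIER_FLOOR[policy.tier]
    if floor is not None:
        over = [s for s in pr.finding_severities
                if SEVERITY_RANK[s] >= SEVERITY_RANK[floor]]
        if over:
            worst = max(over, key=SEVERITY_RANK.__getitem__)
            reasons.append(f"{worst} finding at or above {floor} floor")
    # Deny rules add to the block conditions regardless of severity.
    reasons += path_denied(policy, pr.changed_paths)
    action = policy.agent_rules.get(pr.agent_type, "allow") if pr.agent_type else "allow"
    if action == "block":
        reasons.append(f"agent {pr.agent_type} may not merge directly")
    elif action == "require-human" and not pr.human_reviewed:
        reasons.append(f"agent {pr.agent_type} requires a human reviewer")
    # Locked additionally needs a code-owner human on the latest commit.
    if policy.tier == "locked" and not pr.codeowner_approved_latest:
        reasons.append("locked: code-owner approval of latest commit missing")
    if policy.tier in BLOCKING_TIERS and reasons:
        return "failure", reasons
    if policy.tier == "warn" and (pr.finding_severities or reasons):
        return "neutral", reasons
    return "success", reasons


# Constructed sample policy mirroring the YAML on this page.
SAMPLE_RULES = dict(
    path_deny_rules=[{"pattern": "db/migrations/**",
                      "reason": "Migrations require DBA approval"}],
    agent_rules={"DEVIN": "require-human", "COPILOT": "block", "CLAUDE_CODE": "allow"},
)
STANDARD = Policy("standard", **SAMPLE_RULES)

if __name__ == "__main__":
    pr = PullRequest(["db/migrations/002.sql"], ["LOW"], agent_type="CLAUDE_CODE")
    print(evaluate(STANDARD, pr))  # deny rule wins even with only a LOW finding
```

The ordering matters: severity, deny rules and agent rules are all collected before the conclusion is chosen, so a deny-rule match is reported even on a tier that does not block, which is what a reviewer sees in the summary comment.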
Branch protection still required
veriva check before the policy actually blocks merges. We don't bypass GitHub's permission model.