chore: retire auto-merge.yml (fixes #41) #43

Merged

samtuckerdavis merged 1 commit into main from chore/structured-coding-auto-merge-41
Apr 26, 2026
Conversation

@OriginalGary (Contributor)

What

Delete stale auto-merge.yml workflow.

Merges are operator-driven via /merge per protected-main ruleset.

Closes #41

coderabbitai Bot commented Apr 26, 2026

Warning

Rate limit exceeded

@OpenGaryBot has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 10 minutes and 6 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 10 minutes and 6 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 6b152dc6-4bcc-4c53-adfd-dbb5e6d2f9f8

📥 Commits

Reviewing files that changed from the base of the PR and between 508bd55 and 56df2d6.

📒 Files selected for processing (1)
  • .github/workflows/auto-merge.yml

@OriginalGary (Contributor, Author)

STAGE 13 — Adversarial PASS

Fresh-context audit. 6+1 check matrix:

| Check | Result |
| --- | --- |
| 1. Correctness vs intent | PASS (one minor — see below) |
| 2. Pipeline blast radius | PASS — org-wide protected-main ruleset (id 11439705) is the real merge gate; unchanged. `/run`, `/merge`, 14 stages don't depend on this workflow. |
| 3. Race / rollback | PASS — deletion atomic, `git revert 56df2d6` cleanly restores. |
| 4. Hidden coupling | PASS — no other workflow `uses:` the deleted file; the org-default shim at `Open-Paws/.github/workflow-templates/auto-merge-caller.yml` points to `Open-Paws/.github/.github/workflows/auto-merge.yml@main`, not the per-repo copy. |
| 5. Test coverage | PASS — deletion-only; CodeQL/desloppify/NAV/Unicode all green. |
| 6. Adversarial input | PASS — YAML deletion has no input surface. |
| 7. Confidentiality leak | PASS — public ruleset id, no staff PII, no funder dynamic, no active campaign target. Org-wide-read-test passes. |

Attempted attacks

Minor (non-blocking, follow-up)

`Closes #41` will auto-close the org-wide execution tracker on squash-merge, but #41 has ~30 remaining unchecked items (other repos, propagation infrastructure, doc cleanup, label retirement). Two resolutions:

(a) is cleaner. Operator's call.

Orphaned references (logged as follow-ups, not blockers — covered by #41's existing checklist)

PR #42 close

Verified correct. Byte-identical diff (fce22fa..0000000, 247 deletions). #43 follows pipeline discipline (issue-linked branch name `chore/structured-coding-auto-merge-41`, `Closes #41` in body); #42 used a generic branch and only had `Refs #41`. Right PR survived.

Advancing to STAGE 14 (merge).

@OriginalGary (Contributor, Author)

STAGE 13 — Adversarial RE-AUDIT (fresh context)

This is a second-pass adversarial review of the 5-PR auto-merge.yml retirement batch (#43, ai-security#39, platform#117, slingshot-uk-phase1#325, graze-cli#98). Fresh read of every diff cold, no carryover from the prior 04:32 UTC pass.

Verdict: PASS. No new findings on this PR.

Independent verification of load-bearing claims

  • Org ruleset 11439705 actually enforces what's claimed — verified via `gh api repos/.../rules/branches/main`. Active rules: `pull_request` (1 approval, dismiss-stale-on-push, require-last-push-approval, squash-only), `required_linear_history`, `deletion`, `non_fast_forward`, `code_scanning` (CodeQL high+ security alerts, errors threshold). Crucially: no `required_status_checks` rule — so deleting a workflow file cannot create an "expected check missing" deadlock on any of the 5 repos.
  • Hidden coupling check across all 5 repos — grepped every workflow in each repo for references to `auto-merge.yml` / `Wave 0 Auto-Merge` / `auto-merge-gate`. Zero hits outside the deleted file itself. No `workflow_call`, no `uses:`, no caller anywhere.
  • Per-repo orphan `setup-labels.yml` — confirmed in all 5 repos. `workflow_dispatch:`-only, idempotent (`gh label create … || true`). No harm at rest. Already tracked as nitpick follow-up — out of scope per no-scope-creep.

6+1 checks

| # | Check | Result |
| --- | --- | --- |
| 1 | Edge cases / hidden state | PASS — pure YAML deletion, no DB/migration/external state |
| 2 | Concurrency / race | PASS — file deletion is atomic, no listener race |
| 3 | Security | PASS — shrinks `contents: write` + `pull-requests: write` token surface; merge gate (ruleset 11439705) intact |
| 4 | UX / breaking change | PASS — workflow has been dead taxonomy (level-0 never applied to any current PR) |
| 5 | Performance | N/A (-247 LOC YAML, fewer per-PR job runs) |
| 6 | Rollback | PASS — `git revert` restores byte-for-byte |
| 7 | Confidentiality leak (per `~/.claude/rules/context-repo.md`) | PASS — workflow YAML, no PII, no funder dynamics, no individual personal info, no active campaign target, no unannounced plans. Org-wide read test passes. |

Attempted attacks (all falsified)

  • Required-status-check deadlock — verified ruleset 11439705 does not name `Auto-merge gate` or `auto-merge-gate` as a required check. No deadlock surface.
  • Cross-repo workflow caller — searched every workflow in all 5 repos. None `uses:` the deleted file.
  • Concurrent in-flight level-0 PR — `gh pr list --label level-0` returns empty across all 5 repos. Nothing stranded.
  • Re-introduction via `setup-labels.yml` — orphan workflow only creates labels, never re-creates the deleted workflow file.
  • Permissions escalation via stale GH token — workflow held `GITHUB_TOKEN` auto-provisioned per run; no PAT, no external secret tied to this file.

Minor (non-blocking, follow-up)

The PR body uses `Closes #41` while #41 is the org-wide tracker covering ~30 repos. On squash-merge, #41 will auto-close even though only 1 of 30 repos is done. Two clean fixes:

Operator's call. Already noted in the prior STAGE 13 comment.

Label transition

`stage:ready-for-merge` already applied by the prior audit. No transition needed.

Per `~/.claude/rules/pipeline-nevers.md`: `stage:ready-for-merge` is a forward-flowing pipeline label the bot may apply with evidence in hand — not an override label. No `override:*` label applied.

This re-audit anchor will be referenced by the other 4 PRs in the batch (ai-security#39, platform#117, slingshot-uk-phase1#325, graze-cli#98).
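The hidden-coupling check both audits above describe (grep every other workflow for `uses:` references to the retired file and for its display name, as a `workflow_run` trigger would carry) is easy to run as a pre-deletion gate. The script below is an added example, not code from this PR or from the Open-Paws repositories: the function name, its output format and the sample workflow files it constructs (including the `Wave 0 Auto-Merge` display name taken from the comment) are assumptions, and it scans only one directory rather than the five repos the re-audit covered.

```shell
#!/bin/sh
# Added example, not code from the PR or the Open-Paws repositories.
# Pre-deletion hidden-coupling check for a GitHub Actions workflow file:
# before retiring <file>, list every other workflow in the same directory that
#   1. calls it as a reusable workflow
#      (uses: ./.github/workflows/<file> or uses: owner/repo/.github/workflows/<file>@ref), or
#   2. names its `name:` value, as a workflow_run trigger does (workflows: ["<name>"]).
# Function name, output format and the sample workflows below are assumptions.
# Prints "<path>:<line>:<text>" for each reference found; returns 0 when nothing
# references the file (safe to delete), 1 otherwise.
find_workflow_references() {
    dir="$1"
    target="$2"
    # The display name is what workflow_run triggers refer to; strip quotes and CR.
    display_name=$(sed -n 's/^name:[[:space:]]*//p' "$dir/$target" | head -n 1 | tr -d "\"'\\r")
    # Escape the regex metacharacter '.' in the file name (auto-merge.yml).
    target_re=$(printf '%s' "$target" | sed 's/[.]/\\./g')
    hits=0
    for f in "$dir"/*.yml "$dir"/*.yaml; do
        [ -f "$f" ] || continue
        [ "$(basename "$f")" = "$target" ] && continue
        # 1. reusable-workflow call by path; the file name must be followed by
        #    "@ref", whitespace or end of line so auto-merge.yml.bak is not a hit.
        m1=$(grep -nE "uses:[[:space:]]*[^[:space:]]*workflows/${target_re}(@|[[:space:]]|\$)" "$f" || true)
        # 2. any reference to the display name (covers workflow_run: workflows: [...]).
        m2=""
        if [ -n "$display_name" ]; then
            m2=$(grep -nF -- "$display_name" "$f" || true)
        fi
        for m in "$m1" "$m2"; do
            [ -n "$m" ] || continue
            printf '%s\n' "$m" | sed "s|^|$f:|"
            hits=$((hits + 1))
        done
    done
    if [ "$hits" -eq 0 ]; then return 0; else return 1; fi
}

# Constructed sample directory: the workflow to retire, a reusable-workflow
# caller, a workflow_run consumer, and an unrelated CI workflow.
make_sample_workflows() {
    d=$(mktemp -d)
    cat > "$d/auto-merge.yml" <<'EOF'
name: Wave 0 Auto-Merge
on:
  pull_request:
    types: [labeled]
jobs:
  auto-merge-gate:
    runs-on: ubuntu-latest
    steps:
      - run: echo "gate"
EOF
    cat > "$d/caller.yml" <<'EOF'
name: Auto-merge caller
on:
  pull_request:
    types: [labeled]
jobs:
  call:
    uses: ./.github/workflows/auto-merge.yml
    secrets: inherit
EOF
    cat > "$d/followup.yml" <<'EOF'
name: Post-merge follow-up
on:
  workflow_run:
    workflows: ["Wave 0 Auto-Merge"]
    types: [completed]
jobs:
  notify:
    runs-on: ubuntu-latest
    steps:
      - run: echo "auto-merge finished"
EOF
    cat > "$d/ci.yml" <<'EOF'
name: CI
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - run: make test
EOF
    echo "$d"
}

# Stand-alone demo: ./check-workflow-refs.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_workflows)
    find_workflow_references "$d" auto-merge.yml || echo "references found; do not delete yet"
fi
```

Point it at a real checkout with `find_workflow_references .github/workflows auto-merge.yml`; a non-zero exit is the signal to go look before deleting, and an empty result corresponds to the "zero hits outside the deleted file itself" finding the re-audit records. It deliberately does not parse YAML, so a reference hidden behind an anchor or a templated string would still need the manual read the audit did.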

@samtuckerdavis samtuckerdavis merged commit ff08392 into main Apr 26, 2026
6 checks passed
@samtuckerdavis samtuckerdavis deleted the chore/structured-coding-auto-merge-41 branch April 26, 2026 04:44