SOP-OPS-github-branch-protection-v1.0
1. Purpose
Establish and maintain branch protection standards across all active repositories in the eco-monetize GitHub org. This SOP defines the standard configuration, ownership, review cadence, and gap remediation path. The step-by-step installation procedure lives in /Claude/knowledge/tools/github-branch-protection-install-guide.md and is not duplicated here.
2. Branch Protection Standard
All active repositories must meet this baseline. The install guide provides the specific checkbox configuration.
| Branch | Minimum required rules |
|---|---|
| main | PR required (1 approval), dismiss stale approvals ON, conversation resolution required, force push blocked, deletions blocked, squash-only merge |
| develop | PR required (0 approvals — self-merge OK), force push blocked, conversation resolution required |
| All other protected branches | Force push blocked at minimum |
Current enforcement gap (as of 2026-04-21): Three active repos still need rulesets applied:
- ecomonetize — needs main branch ruleset
- ecomonetize-factory — needs main branch ruleset
- claude (vault repo) — needs main branch ruleset
security.ops is responsible for completing this configuration. Target: before first non-owner org member is added.
3. Ownership
| Responsibility | Owner |
|---|---|
| Branch protection configuration | security.ops |
| Org-level security settings (2FA, member privileges) | security.ops |
| GitHub Team upgrade trigger (when first non-owner joins) | COO directs; security.ops executes |
| Ruleset review when new repos are added | security.ops (within 48 hours of repo creation) |
4. Org-Level Security Baseline
In addition to per-repo rulesets, the following org-level settings must be maintained:
| Setting | Required state | Current state |
|---|---|---|
| 2FA required for all org members | ON | ON (completed 2026-04-21) |
| Public repo creation restricted | ON | GAP — not available on GitHub Free |
Public repo restriction gap: GitHub Free plan does not allow restricting public repo creation by org members. This is a documented SEV3 known gap (low risk while Rick is sole org member). Upgrade trigger: Move to GitHub Team ($4/user/month) when the first non-owner org member joins the org. security.ops initiates the upgrade and enables the restriction within 24 hours of the first non-owner member addition.
5. New Repository Protocol
When any new repository is created in the eco-monetize org:
- Within 48 hours: security.ops applies main and develop branch rulesets per the install guide standard
- security.ops files a one-line note to the audit log at /Claude/operations/logs/github-security-audit.md in the form: {YYYY-MM-DD} — {repo-name} — rulesets applied
- If the repo is public-facing or contains customer data: COO notified before repo creation (not after)
6. Quarterly Audit
security.ops runs a quarterly branch protection audit:
- List all active (non-archived) repos in the org
- Verify each has active rulesets for main and develop branches
- Verify org-level settings match the baseline in Section 4
- File audit results to /Claude/operations/reports/security/github-protection-audit-{YYYY-QN}.md
- Any gaps filed as Section 6E Incidents (SEV3 for configuration drift, SEV2 if a force push or direct main commit occurred)
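The "verify each repo has active rulesets for main and develop" step above, as an added example that is not part of this SOP or the install guide: it evaluates one repo's ruleset JSON against the Section 2 baseline and emits one line per gap for the audit report. The input shape follows GitHub's "get a repository ruleset" REST response as I understand it (an assumption); the sample rulesets are constructed, not real eco-monetize data.

```python
# Added example (not part of this SOP): audit one repo's rulesets against the Section 2 baseline.
# Input shape follows GitHub's "get a repository ruleset" REST response (assumed); live data would
# come from `gh api repos/eco-monetize/<repo>/rulesets/<id>`, one call per ruleset id.
# Rule type -> parameters; None = rule only has to exist. Ints are minimums, bools must match.
BASELINE = {
    "main": {"pull_request": {"required_approving_review_count": 1,
                              "dismiss_stale_reviews_on_push": True,
                              "required_review_thread_resolution": True},
             "non_fast_forward": None, "deletion": None},  # force push and deletion blocked
    "develop": {"pull_request": {"required_approving_review_count": 0,
                                 "required_review_thread_resolution": True},
                "non_fast_forward": None},
}
# Constructed sample with two drifts planted on purpose (not real eco-monetize data).
SAMPLE_RULESETS = [
    {"name": "protect-main", "enforcement": "active",
     "conditions": {"ref_name": {"include": ["refs/heads/main"], "exclude": []}},
     "rules": [{"type": "pull_request", "parameters": {"required_approving_review_count": 1,
                "dismiss_stale_reviews_on_push": False,  # drift: stale approvals are kept
                "required_review_thread_resolution": True}},
               {"type": "non_fast_forward"}, {"type": "deletion"}]},
    {"name": "protect-develop", "enforcement": "active",
     "conditions": {"ref_name": {"include": ["refs/heads/develop"], "exclude": []}},
     "rules": [{"type": "pull_request", "parameters": {"required_approving_review_count": 0,
                "required_review_thread_resolution": True}}]},  # drift: force push not blocked
]

def rules_for_branch(rulesets, branch):
    """Merge rules of every *active* ruleset targeting the branch ('evaluate' protects nothing)."""
    ref, rules = f"refs/heads/{branch}", {}
    for rs in rulesets:
        include = rs.get("conditions", {}).get("ref_name", {}).get("include", [])
        if rs.get("enforcement") == "active" and (ref in include or "~ALL" in include):
            for rule in rs.get("rules", []):
                rules[rule["type"]] = rule.get("parameters", {})
    return rules

def audit_repo(repo, rulesets):
    """Return one gap line per finding for the audit report; an empty list means baseline met."""
    gaps = []
    for branch, required in BASELINE.items():
        present = rules_for_branch(rulesets, branch)
        for rule_type, params in required.items():
            if rule_type not in present:
                gaps.append(f"{repo}:{branch} missing rule '{rule_type}'")
                continue
            for key, want in (params or {}).items():
                got = present[rule_type].get(key)
                weak = (got or 0) < want if key.endswith("_count") else got != want
                if weak:
                    gaps.append(f"{repo}:{branch} {rule_type}.{key}={got!r}, want {want!r}")
    return gaps
```

Running `audit_repo("ecomonetize", SAMPLE_RULESETS)` on the sample yields two lines, one for the un-dismissed stale approvals on main and one for the missing force-push block on develop; a repo with no rulesets at all yields one line per baseline rule.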
7. Future Security Hardening
When team grows beyond solo operator (upgrade trigger: first non-owner org member):
- Require signed commits for all protected branches
- Create CODEOWNERS file, enable Code Owner review requirement
- Add branch name restrictions
- Restrict commit email to org domain
These are deferred — they add friction that's disproportionate for a solo operator. security.ops proposes activation timing to COO when the team grows.
Change Log
| Version | Date | Change |
|---|---|---|
| v1.0 | 2026-04-21 | Initial draft — sop.manager. Elevates install guide (security.ops, 2026-04-19) to governance SOP. |
Owner: security.ops
Executive sponsor: coo
Drafted by: sop.manager
Status: Draft — pending COO approval
Version: v1.0