fix(workflows): enforce standard flow - remove test/* from main allowlist

**BREAKING CHANGE**: test/* branches can no longer merge directly to main

**Changes:**
1. Removed test/* from branch allowlist in dev-to-main.yml
2. Only dev and release/* branches can merge to main
3. All feature/*, fix/*, test/* must follow: branch → dev → main

**Updated README:**
- Clarified "Branch Flow Rules" section
- Standard flow (feature/*, fix/*, test/*): must go through dev
- Special exceptions (dev, release/*, dependabot/*): can merge to main
- Added clear examples and validation warning

**Rationale:**
Test branches should follow the same quality gates as feature branches.
Only production-ready code from dev or emergency hotfixes from release/*
should merge directly to main.

This corrects the previous implementation that incorrectly allowed test/*
branches to bypass dev.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: alirezarezvani

.github/workflows/dev-to-main.yml

@@ -4,18 +4,19 @@
 # Validates release pull requests before merging to main (production).
 #
 # Release Gates:
-# - Source must be dev, test/*, or release/* branches
+# - Source must be dev or release/* branches
 # - Production build must succeed
 # - Smoke tests must pass
 # - Security quick scan (informational only)
 # - Deployment readiness checklist
 #
 # Allowed source branches:
-# - dev: Production releases
-# - test/*: Workflow validation and testing
-# - release/*: Hotfix releases
+# - dev: Production releases (standard flow)
+# - release/*: Emergency hotfix releases
 # - dependabot/*: Automated dependency updates
 #
+# All other branches (feature/*, fix/*, test/*) must merge to dev first.
+#
 # Author: Alireza Rezvani
 # Date: 2025-11-06
 # ─────────────────────────────────────────────────────────────────
@@ -67,21 +68,24 @@ jobs:
           fi
 
           # Allowlist: branches permitted to merge to main
-          # Includes: dev (production), test/* (validation), release/* (hotfixes)
-          ALLOWED_REGEX='^(dev|test/.*|release/.*)$'
+          # Only: dev (production), release/* (hotfixes)
+          # All other branches (feature/*, fix/*, test/*) must go through dev first
+          ALLOWED_REGEX='^(dev|release/.*)$'
 
           if [[ ! $SOURCE_BRANCH =~ $ALLOWED_REGEX ]]; then
             echo "❌ Invalid source branch: $SOURCE_BRANCH"
             echo ""
-            echo "Only branches matching the allowlist may be merged to 'main'."
+            echo "Only dev and release/* branches may be merged to 'main'."
             echo ""
             echo "Allowed patterns:"
             echo "  - dev (production releases)"
-            echo "  - test/* (workflow validation)"
-            echo "  - release/* (hotfix releases)"
+            echo "  - release/* (emergency hotfixes)"
             echo ""
             echo "Got: $SOURCE_BRANCH → main"
             echo ""
+            echo "All other branches (feature/*, fix/*, test/*) must merge to dev first:"
+            echo "  $SOURCE_BRANCH → dev → main"
+            echo ""
             echo "If using a different branching strategy, adjust ALLOWED_REGEX in this workflow."
             exit 1
           fi

README.md

@@ -190,31 +190,42 @@ The blueprint supports all three strategies out of the box. Choose during setup.
 
 ---
 
-## 🔀 Special Branch Patterns
+## 🔀 Branch Flow Rules
 
-The `Release to Main` workflow allows specific branch patterns to merge directly to `main`:
+The `Release to Main` workflow enforces the following rules:
+
+### Standard Flow (Required for Most Branches)
+```
+feature/* → dev → main
+fix/* → dev → main
+test/* → dev → main
+```
+
+All feature, fix, and test branches **must** merge to `dev` first, then `dev` merges to `main`.
+
+### Special Exceptions (Direct to Main)
 
 | Pattern | Purpose | Use Case |
 |---------|---------|----------|
-| `dev` | Production releases | Standard release flow (dev → main) |
-| `test/*` | Workflow validation | Testing CI/CD changes (e.g., test/workflow-validation) |
-| `release/*` | Hotfix releases | Emergency fixes bypassing dev (e.g., release/1.0.1) |
-| `dependabot/*` | Dependency updates | Automated dependency PRs |
+| `dev` | Production releases | Standard release flow (only dev can merge to main) |
+| `release/*` | Emergency hotfixes | Critical fixes bypassing dev (e.g., release/1.0.1-security) |
+| `dependabot/*` | Dependency updates | Automated dependency update PRs |
 
 **Example:**
 ```bash
-# Test workflow changes
-git checkout -b test/new-ci-feature
-git push origin test/new-ci-feature
-# PR to main will run all release gates
+# Standard flow (most common)
+git checkout -b feature/new-feature
+git push origin feature/new-feature
+# Create PR: feature/new-feature → dev
+# After merge, create PR: dev → main
 
-# Emergency hotfix
+# Emergency hotfix (rare)
 git checkout -b release/1.0.1-security-patch
 git push origin release/1.0.1-security-patch
-# PR to main with fast-track release gates
+# Create PR: release/1.0.1-security-patch → main (bypasses dev)
 ```
 
-All other branches must follow the standard flow (feature/* → dev → main).
+**Important**: Attempting to merge feature/*, fix/*, or test/* branches directly to `main` will fail validation.
 
 ---