From bd49f4723d9517fb93b075627550bdeda5e7a71e Mon Sep 17 00:00:00 2001
From: topcoder1 <topcoder1@gmail.com>
Date: Fri, 22 May 2026 10:52:13 -0700
Subject: [PATCH 1/2] =?UTF-8?q?ci(risk-paths):=20narrow=20infra/**=20?=
 =?UTF-8?q?=E2=86=92=20infra/iam/**=20in=20blocked=20list?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fleet-wide cleanup after wxa_vpn#480 surfaced the over-classification.
The broad infra/** pattern flagged safe IaC sync PRs (crontab trackers,
nginx vhosts, cloudflare configs) as risk:blocked, forcing manual merges
even when both Codex and Claude review returned clean.

Narrow to infra/iam/** — IAM trust policies are the only infra subset
where a bad merge isn't trivially git-revertable. Aligns with the
narrowing already done in topcoder1/ci-workflows#70 for the auto-merge
bot's internal regex.

**Auto-merge rationale:** N/A — this PR edits .github/risk-paths.yml,
self-protected in blocked: list. Manual squash-merge by design.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

From ea20f9ea66d54ef1ab716e3ab21c9555be0645fe Mon Sep 17 00:00:00 2001
From: topcoder1 <topcoder1@gmail.com>
Date: Fri, 22 May 2026 11:12:22 -0700
Subject: [PATCH 2/2] =?UTF-8?q?ci(risk-paths):=20actually=20apply=20infra/?=
 =?UTF-8?q?**=20=E2=86=92=20infra/iam/**=20narrowing?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Previous PR commit on this branch was a no-op due to a sed pattern bug
(used \s+ which is literal 's+' in sed -E without GNU sed -P, not
whitespace). This commit applies the real narrowing via literal
string replace.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .github/risk-paths.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/risk-paths.yml b/.github/risk-paths.yml
index 4590f4f..b42b3ba 100644
--- a/.github/risk-paths.yml
+++ b/.github/risk-paths.yml
@@ -26,7 +26,7 @@ blocked:
   - '.github/workflows/**'
   - '.github/risk-paths.yml'
   - '.github/CODEOWNERS'
-  - 'infra/**'
+  - 'infra/iam/**'  # narrowed 2026-05-22 (was 'infra/**' — over-classified safe IaC sync PRs)
   - 'terraform/**'
   - 'k8s/**'
 
@@ -88,4 +88,4 @@ trivial:
   - 'LICENSE'
   - '.gitignore'
   - '.github/ISSUE_TEMPLATE/**'
-  - 'docs/**'
+  - 'docs/**'
\ No newline at end of file