diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 942f853c..1602429c 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -2,7 +2,7 @@ name: CI on: push: - branches: [dev, testing, "temp/merge-*"] + branches: [dev, testing] paths-ignore: - "**/*.md" - "docs/**" @@ -11,6 +11,7 @@ jobs: lint: name: Lint (ruff) runs-on: ubuntu-latest + if: github.ref == 'refs/heads/dev' steps: - uses: actions/checkout@v4 - uses: actions/setup-python@v5 @@ -22,6 +23,7 @@ jobs: bandit: name: SAST (bandit) runs-on: ubuntu-latest + if: github.ref == 'refs/heads/dev' steps: - uses: actions/checkout@v4 - uses: actions/setup-python@v5 @@ -33,6 +35,7 @@ jobs: pip-audit: name: Dependency audit (pip-audit) runs-on: ubuntu-latest + if: github.ref == 'refs/heads/dev' steps: - uses: actions/checkout@v4 - uses: actions/setup-python@v5 @@ -42,10 +45,31 @@ jobs: - run: pip install -e .[dev] - run: pip-audit --skip-editable --ignore-vuln CVE-2025-65896 --ignore-vuln CVE-2026-3219 + merge-to-testing: + name: Merge dev → testing + runs-on: ubuntu-latest + needs: [lint, bandit, pip-audit] + if: github.ref == 'refs/heads/dev' + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + token: ${{ secrets.DECNET_PR_TOKEN }} + - name: Configure git + run: | + git config user.name "DECNET CI" + git config user.email "ci@decnet.local" + - name: Merge dev into testing + run: | + git fetch origin testing + git checkout testing + git merge origin/dev --no-ff -m "ci: auto-merge dev → testing" + git push origin testing + test-standard: name: Test (Standard) runs-on: ubuntu-latest - needs: [lint, bandit, pip-audit] + if: github.ref == 'refs/heads/testing' strategy: matrix: python-version: ["3.11"] @@ -60,6 +84,7 @@ jobs: test-live: name: Test (Live) runs-on: ubuntu-latest + if: github.ref == 'refs/heads/testing' needs: [test-standard] services: mysql: 
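Review bot: The `if: github.ref == 'refs/heads/dev'` added to `lint` (and repeated on `bandit` and `pip-audit` in the next two hunks) stops the SAST and dependency-audit jobs from running on pushes to `testing`, which is still listed under `on.push.branches`. Because `test-standard` also loses `needs: [lint, bandit, pip-audit]` later in this file, a commit that reaches `testing` by any route other than the `merge-to-testing` job is tested and then auto-merged to `main` without bandit or pip-audit having run on it. If that is not intended, let the three jobs run on both branches with `if: github.ref == 'refs/heads/dev' || github.ref == 'refs/heads/testing'` and keep the `needs` on `test-standard`. Whether branch protection blocks direct pushes to `testing` is not visible from this diff, so a comment recording that assumption would help.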
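Review bot: The new `merge-to-testing` step merges `origin/dev`, which is the branch tip at checkout time, not the commit that `lint`, `bandit` and `pip-audit` just passed for this run. A push to `dev` that lands while those jobs are running can therefore be carried into `testing` by this run before its own checks have finished or after they have failed. Merging the checked commit closes that gap: `git merge "$GITHUB_SHA" --no-ff -m "ci: auto-merge dev → testing"`. The `[skip ci]` marker was dropped, so the gating on `testing` presumably relies on the `DECNET_PR_TOKEN` push triggering a new workflow run. A one-line comment above the job stating this would make the dependency explicit.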
@@ -91,31 +116,10 @@ jobs: DECNET_MYSQL_PASSWORD: root DECNET_MYSQL_DATABASE: decnet_test - merge-to-testing: - name: Merge dev → testing + merge-to-main: + name: Merge testing → main runs-on: ubuntu-latest needs: [test-standard, test-live] - if: github.ref == 'refs/heads/dev' - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - token: ${{ secrets.DECNET_PR_TOKEN }} - - name: Configure git - run: | - git config user.name "DECNET CI" - git config user.email "ci@decnet.local" - - name: Merge dev into testing - run: | - git fetch origin testing - git checkout testing - git merge origin/dev --no-ff -m "ci: auto-merge dev → testing [skip ci]" - git push origin testing - - prepare-merge-to-main: - name: Prepare Merge to Main - runs-on: ubuntu-latest - needs: [test-standard, test-live, test-fuzz] if: github.ref == 'refs/heads/testing' steps: - uses: actions/checkout@v4 
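Review bot: `merge-to-main` now waits only on `needs: [test-standard, test-live]`, whereas the two jobs it replaces also listed `test-fuzz`, so fuzz results no longer gate the push to `main`. If `test-fuzz` still exists in this workflow (it is not visible in these hunks), either add it back to `needs` or add a comment saying why it is no longer a release gate. This job also holds `DECNET_PR_TOKEN` and pushes to `main` with no approval step in view, so the `needs` list is the only gate shown here. The job body continues in the next hunk.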
@@ -126,33 +130,12 @@ jobs: run: | git config user.name "DECNET CI" git config user.email "ci@decnet.local" - - name: Create temp branch and sync with main - run: | - git fetch origin main - git checkout -b temp/merge-testing-to-main - echo "--- Switched to temp branch, merging main into it ---" - git merge origin/main --no-edit || { echo "CONFLICT: Manual resolution required"; exit 1; } - git push origin temp/merge-testing-to-main --force - - finalize-merge-to-main: - name: Finalize Merge to Main - runs-on: ubuntu-latest - needs: [test-standard, test-live, test-fuzz] - if: startsWith(github.ref, 'refs/heads/temp/merge-') - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - token: ${{ secrets.DECNET_PR_TOKEN }} - - name: Configure git - run: | - git config user.name "DECNET CI" - git config user.email "ci@decnet.local" - - name: Merge RC into main + - name: Merge testing into main run: | git fetch origin main git checkout main - git merge ${{ github.ref }} --no-ff -m "ci: auto-merge testing → main" + git merge origin/testing --no-ff -m "ci: auto-merge testing → main" || { + echo "CONFLICT: testing and main have diverged — manual resolution required" + exit 1 + } git push origin main - echo "--- Cleaning up temp branch ---" - git push origin --delete ${{ github.ref_name }} diff --git a/SIGNAL_CAPTURE_AUDIT.md b/development/SIGNAL_CAPTURE_AUDIT.md similarity index 100% rename from SIGNAL_CAPTURE_AUDIT.md rename to development/SIGNAL_CAPTURE_AUDIT.md diff --git a/api-audit.md b/development/api-audit.md similarity index 100% rename from api-audit.md rename to development/api-audit.md
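Review bot: The `Merge testing into main` step pushes a merge commit that was never tested whenever `main` holds commits that `testing` lacks. The removed temp-branch flow appears to have merged `main` in first and run the test jobs on that result, whereas the tests now run on `testing` alone. The step also merges `origin/testing` as fetched at checkout time rather than the commit the tests ran on. Consider refusing a divergent `main` and pinning the tested commit, with `git merge-base --is-ancestor origin/main "$GITHUB_SHA" || { echo "main has diverged from testing"; exit 1; }` followed by `git merge "$GITHUB_SHA" --no-ff -m "ci: auto-merge testing → main"`. The existing `|| { … }` handler reports every merge failure as a conflict, so its message could say "merge failed" instead.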