PR review that blocks the merge

A review that only leaves comments is a suggestion, and suggestions lose to deadlines. The first time a release is late, the advisory note gets waved through, and from then on the review is decoration. The difference between a comment and a gate is enforcement.

Every push, not only the first#

Review that runs once, on the first push, reviews a pull request that no longer exists by the time it merges. People respond to feedback, force-push fixes, and add commits. Hyrax reviews every push to the pull request, so the review always describes the code that is actually about to merge — not an earlier draft of it.

Must-fix holds the merge#

The findings split into two classes, and the split is the whole point.

A must-fix finding blocks the merge until it is resolved or explicitly overridden by a human with the authority to do so. Everything else is raised without standing in the way. That keeps the gate credible: it stops the things that should stop a release and stays out of the way of the things that should not.

Enforcement is not strictness for its own sake. It is the property that keeps a review from decaying into a comment nobody reads.

Severity is a contract#

The line between must-fix and advisory cannot be a mystery. If a team cannot predict what will block a merge, the gate feels arbitrary and gets disabled. So severity is legible: a finding states why it blocks, and the boundary stays consistent from one pull request to the next. A predictable gate is one people build around instead of fighting.

Where it runs#

PR review is part of the Team plan and runs in CI on every push. It draws on the same audit and verification machinery as the rest of Hyrax, so a blocking finding carries the same evidence a standalone audit would — the reviewer sees not only that something is wrong, but what was checked to decide so.