diff --git a/TODO.md b/TODO.md index 3944a4f..6115a60 100644 --- a/TODO.md +++ b/TODO.md @@ -107,7 +107,7 @@ This file is the single source of truth for roadmap and delivery progress. ### MVP0 Close-Out Checklist -- [ ] [P1] Verify and document protected branch rules in Gitea (`main`, `staging`) +- [~] [P1] Verify and document protected branch rules in Gitea (`main`, `staging`) - [ ] [P1] Run first staging deployment against a real host with deploy workflow and document result - [x] [P1] Replace release workflow placeholders with real release-notes and rollback execution steps - [x] [P1] Expose runtime version + short git hash in admin and public app footer @@ -219,6 +219,7 @@ This file is the single source of truth for roadmap and delivery progress. - [2026-02-10] Docs now include a domain glossary, public API glossary, and ADR baseline with initial accepted decision (`ADR 0001`). - [2026-02-10] Delivery and release governance now include branch/PR policy checks, deploy/release workflows, and explicit versioning policy (`VERSIONING.md`). - [2026-02-11] Release workflow now publishes changelog-derived notes to Gitea releases and supports executable production rollback via SSH + compose tag switch. +- [2026-02-11] Branch protection verification checklist is now documented; final UI-level verification remains environment-specific. ## How We Use This File diff --git a/docs/product-engineering/git-flow-governance.md b/docs/product-engineering/git-flow-governance.md index eb737e9..acbcec5 100644 --- a/docs/product-engineering/git-flow-governance.md +++ b/docs/product-engineering/git-flow-governance.md 
@@ -23,6 +23,33 @@ Minimum policy: - required status checks - at least one reviewer approval +## Branch Protection Verification Checklist + +Use this checklist in Gitea repository settings after applying policy: + +1. `main` protection exists and direct push is disabled. +2. `staging` protection exists and direct push is disabled. +3. Required checks include: + - `Governance Checks` + - `Lint Typecheck Unit E2E` +4. Pull request approval is required. +5. Branch must be up to date before merge (recommended in protected branches). + +API automation example: + +```bash +sh .gitea/scripts/configure-branch-protection.sh \ + "$GITEA_URL" \ + "$GITEA_OWNER" \ + "$GITEA_REPO" \ + "$GITEA_ADMIN_TOKEN" +``` + +Notes: + +- The script applies baseline protection for `main` and `staging`. +- Final verification is still required in the Gitea UI to confirm repository-specific policies. + ## PR Gates Required checks are implemented in `.gitea/workflows/ci.yml`:
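Review bot: In the first `TODO.md` hunk (MVP0 Close-Out Checklist), the new `[~]` state is not one of the `[ ]` / `[x]` markers used by the neighbouring items, and nothing in the visible lines says what it means. Define it where the file explains its conventions (the "How We Use This File" section looks like the right place), or keep the item as `[ ]` and rely on the 2026-02-11 log entry to record that the checklist is documented while UI-level verification is still open. As written, a reader cannot tell whether `[~]` means partially done, blocked, or deferred, and any tooling that counts open P1 items by matching `[ ]` will skip it.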
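Review bot: In the `git-flow-governance.md` hunk, the API automation example passes `"$GITEA_ADMIN_TOKEN"` as the fourth positional argument, which puts an admin token on the command line where it is visible in process listings and can be echoed into CI logs when shell tracing is on. Have the script read the token from the environment (or from a file or stdin) and pass only the URL, owner and repo as arguments, and note in the doc what scope the token needs so a narrower one can be used where possible. Two smaller points on the checklist: item 5 says "recommended" while items 1 to 4 read as mandatory, so state whether an up-to-date branch is required for sign-off; and the required check names in item 3 should be noted as having to match the job names in `.gitea/workflows/ci.yml` exactly, since a mismatched name would leave the rule waiting on a check that never reports.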