diff --git a/CHANGELOG.md b/CHANGELOG.md
index da131d3..b8bb9e0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,14 @@ semantic versioning; the version is a conceptual tag (no git tag is created).
 
 ## Unreleased
 
+- **Fix: `pipeline-doctor` models branch-deploy repos (#204).** The dev-tag-guard
+  check only accepted a `refs/tags/v*` tag gate, so web-app/CMS repos that deploy
+  on a **branch push** (`event: push` + `branch: develop/staging/production`) and
+  tag each push from `CI_COMMIT_BRANCH`/`CI_COMMIT_SHA`/`CI_PIPELINE_NUMBER` (a
+  deterministic per-push tag, no default-version clobber) false-failed. The check
+  now accepts that branch-deploy form as a valid guard. cms-plugins,
+  emdash-kotkanagrilli, kotkanagrilli.fi → 9/9; trio + self-test unchanged; a
+  tagless `event: push` publish with NO per-push tag still FAILs.
 - **Fix: `pipeline-doctor` now reads a `.woodpecker/` DIRECTORY (#202).** It only
   folded the single-file `.woodpecker.yaml`/`.yml` into `ci_txt`; repos whose
   Woodpecker config is a `.woodpecker/` directory (per-arch workflows) had their
diff --git a/ci/pipeline-doctor.sh b/ci/pipeline-doctor.sh
index 5b38fcd..d0ed650 100755
--- a/ci/pipeline-doctor.sh
+++ b/ci/pipeline-doctor.sh
@@ -299,6 +299,14 @@ elif [ "$CI_SCRIPT_FORM" -eq 1 ] &&
 	printf '%s' "$ci_txt" | grep -Eq 'DRY_RUN|dry-run|PUBLISH' &&
 	printf '%s' "$ci_txt" | grep -Eq 'refs/tags/v\*|event:[[:space:]]*tag|tag:'; then
 	ok "dev-tag guard equivalent (ci-script dry-run default + .woodpecker refs/tags/v* gate, cluster #193)"
+elif printf '%s' "$ci_txt" | grep -Eq 'event:[[:space:]]*push' &&
+	printf '%s' "$ci_txt" | grep -Eq 'branch:' &&
+	printf '%s' "$ci_txt" | grep -Eq 'CI_COMMIT_BRANCH|CI_COMMIT_SHA|CI_PIPELINE_NUMBER|commit-branch|commit-sha|pipeline-number'; then
+	# Branch-deploy (cluster #204): a web-app/CMS repo that deploys on push to a
+	# branch (develop/staging/production) and tags each push from CI_COMMIT_* /
+	# pipeline-number — a deterministic per-push tag, NOT a clobbering default
+	# version. This is a deliberate continuous-deploy guard, not the absence of one.
+	ok "dev-tag guard equivalent (branch-deploy: per-push tags from CI_COMMIT_*/pipeline-number, cluster #204)"
 else
 	bad "no dev-tag guard: a default-version --publish could clobber the registry"
 fi