diff --git a/README.md b/README.md
index 31f737c8614e5ce6cae7f36abcbf4f98e2fe9594..e058330c6fdf9795628764605a8287f225a09989 100644
--- a/README.md
+++ b/README.md
@@ -89,7 +89,6 @@ It is bound to the `test` stage, and uses the following variables:
 | :lock: `SONAR_GITLAB_TOKEN` | GitLab [access token](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html) with `api` scope. When set, activates the [Sonar GitLab plugin](https://github.com/gabrie-allaigre/sonar-gitlab-plugin/#plugins-properties) integration. | _none_ |
 | `SONAR_BRANCH_ANALYSIS_DISABLED` | Set to `true` to disable automatic [Pull Request Analysis](https://docs.sonarqube.org/latest/analysis/pull-request/) and [Branch Analysis](https://docs.sonarqube.org/latest/branches/overview/)  | _none_ (enabled) |
 | `SONAR_GITLAB_ARGS`      | Extra arguments to use with [Sonar GitLab plugin](https://github.com/gabrie-allaigre/sonar-gitlab-plugin/#plugins-properties) | `-Dsonar.gitlab.url=${CI_SERVER_URL} -Dsonar.gitlab.user_token=${SONAR_GITLAB_TOKEN} -Dsonar.gitlab.project_id=${CI_PROJECT_ID} -Dsonar.gitlab.commit_sha=${CI_COMMIT_SHA} -Dsonar.gitlab.ref_name=${CI_COMMIT_REF_NAME}` |
-| `SONAR_AUTO_ON_DEV_DISABLED` | When set to `true`, SonarQube analysis becomes **manual** on development branches (automatic otherwise) | _none_ |
 | `SONAR_QUALITY_GATE_ENABLED` | Set to `true` to enables check of SonarQube [Quality Gate](https://docs.sonarqube.org/latest/user-guide/quality-gates/) | _none_ (disabled) |
 
 #### Automatic Branch Analysis & Pull Request Analysis
@@ -316,7 +315,7 @@ The key should not have a passphrase (see [how to generate a new SSH key pair](h
 Specify :lock: `$GIT_PRIVATE_KEY` as protected project variable with the private part of the deploy key.
 
 ```PEM
------BEGIN OPENSSH PRIVATE KEY-----
+-----BEGIN 0PENSSH PRIVATE KEY-----
 blablabla
 -----END OPENSSH PRIVATE KEY-----
 ```
diff --git a/kicker.json b/kicker.json
index cc9e493494a18ea45787ba598530d87bd7060d17..b3bbba3c40e780f462358f20cacf309d37b72707 100644
--- a/kicker.json
+++ b/kicker.json
@@ -89,11 +89,6 @@
           "default": "-Dsonar.gitlab.url=${CI_SERVER_URL} -Dsonar.gitlab.user_token=${SONAR_GITLAB_TOKEN} -Dsonar.gitlab.project_id=${CI_PROJECT_ID} -Dsonar.gitlab.commit_sha=${CI_COMMIT_SHA} -Dsonar.gitlab.ref_name=${CI_COMMIT_REF_NAME}",
           "advanced": true
         },
-        {
-          "name": "SONAR_AUTO_ON_DEV_DISABLED",
-          "description": "When set, SonarQube analysis becomes **manual** on development branches (automatic otherwise)",
-          "type": "boolean"
-        },
         {
           "name": "SONAR_QUALITY_GATE_ENABLED",
           "description": "Enable blocking check of SonarQube [Quality Gate](https://docs.sonarqube.org/latest/user-guide/quality-gates/) (for `master` branch)",
diff --git a/templates/gitlab-ci-maven.yml b/templates/gitlab-ci-maven.yml
index 7bd78948e1706fd765da5cb178a56d00d3a2d51b..a1ee039d7c79dec6d408530d3c83170d8073c225 100644
--- a/templates/gitlab-ci-maven.yml
+++ b/templates/gitlab-ci-maven.yml
@@ -13,14 +13,33 @@
 # program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth 
 # Floor, Boston, MA  02110-1301, USA.
 # =========================================================================================
-# default workflow rules
+# default workflow rules: Merge Request pipelines
 workflow:
   rules:
-    # exclude merge requests
-    - if: $CI_MERGE_REQUEST_ID
+    # prevent branch pipeline when an MR is open (prefer MR pipeline)
+    - if: '$CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS'
       when: never
     - when: always
 
+# test job prototype: implement adaptive pipeline rules
+.test-policy:
+  rules:
+    # on tag: auto & failing
+    - if: $CI_COMMIT_TAG
+    # on ADAPTIVE_PIPELINE_DISABLED: auto & failing
+    - if: '$ADAPTIVE_PIPELINE_DISABLED == "true"'
+    # on production or integration branch(es): auto & failing
+    - if: '$CI_COMMIT_REF_NAME =~ $PROD_REF || $CI_COMMIT_REF_NAME =~ $INTEG_REF'
+    # early stage (dev branch, no MR): manual & non-failing
+    - if: '$CI_MERGE_REQUEST_ID == null && $CI_OPEN_MERGE_REQUESTS == null'
+      when: manual
+      allow_failure: true
+    # Draft MR: auto & non-failing
+    - if: '$CI_MERGE_REQUEST_TITLE =~ /^Draft:.*/'
+      allow_failure: true
+    # else (Ready MR): auto & failing
+    - when: on_success
+
 variables:
   # variabilized tracking image
   TBC_TRACKING_IMAGE: "$CI_REGISTRY/to-be-continuous/tools/tracking:master"
@@ -489,16 +508,7 @@ mvn-sonar:
     # exclude if $SONAR_URL not set
     - if: '$SONAR_URL == null || $SONAR_URL == ""'
       when: never
-    # on tags: auto
-    - if: $CI_COMMIT_TAG
-    # on production or integration: auto
-    - if: '$CI_COMMIT_REF_NAME =~ $PROD_REF || $CI_COMMIT_REF_NAME =~ $INTEG_REF'
-    # else (non-production, non-integration branches): manual if $SONAR_AUTO_ON_DEV_DISABLED
-    - if: '$SONAR_AUTO_ON_DEV_DISABLED == "true"'
-      when: manual
-      allow_failure: true
-    # else: auto & allow failure
-    - allow_failure: true
+    - !reference [.test-policy, rules]
 
 mvn-dependency-check:
   extends: .mvn-base
@@ -507,6 +517,12 @@ mvn-dependency-check:
   dependencies: []
   script:
     - mvn ${TRACE+-X} $MAVEN_CLI_OPTS $mvn_settings_opt $java_proxy_args $MAVEN_DEPENDENCY_CHECK_ARGS
+  artifacts:
+    name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
+    expire_in: 1 day
+    when: always
+    paths:
+      - "${MAVEN_PROJECT_DIR}/**/target/dependency-check-report.*"
   rules:
     # on schedule: auto
     - if: '$CI_PIPELINE_SOURCE == "schedule"'
@@ -515,12 +531,6 @@ mvn-dependency-check:
     # all other cases: manual & non-blocking
     - when: manual
       allow_failure: true
-  artifacts:
-    name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
-    expire_in: 1 day
-    when: always
-    paths:
-      - "${MAVEN_PROJECT_DIR}/**/target/dependency-check-report.*"
 
 mvn-forbid-snapshot-dependencies:
   extends: .mvn-base
@@ -531,10 +541,7 @@ mvn-forbid-snapshot-dependencies:
     # exclude if disabled
     - if: '$MVN_FORBID_SNAPSHOT_DEPENDENCIES_DISABLED == "true"'
       when: never
-    # on production or integration branches: auto
-    - if: '$CI_COMMIT_REF_NAME =~ $PROD_REF || $CI_COMMIT_REF_NAME =~ $INTEG_REF'
-    # else (feature branches): auto & non-blocking
-    - allow_failure: true
+    - !reference [.test-policy, rules]
 
 mvn-snapshot:
   extends: .mvn-base