diff --git a/.github/workflows/automatic.yml b/.github/workflows/automatic.yml
index 1339ba0..53fb499 100644
--- a/.github/workflows/automatic.yml
+++ b/.github/workflows/automatic.yml
@@ -18,7 +18,7 @@ jobs:
 
   policy-checks:
     runs-on: ubuntu-latest
-    if: github.event.action != 'closed'
+    if: github.event.action != 'closed' && github.event.pull_request.base.ref == 'main'
     needs: execute
     permissions:
       contents: read
@@ -51,6 +51,7 @@ jobs:
 
   execute:
     runs-on: ubuntu-latest
+    if: github.event.pull_request.base.ref == 'main'
     outputs:
       run-url: ${{ steps.submit-plan.outputs.run-url }}
     permissions:
@@ -139,7 +140,7 @@ jobs:
 
   cost-analysis:
     runs-on: ubuntu-latest
-    if: github.event.action != 'closed'
+    if: github.event.action != 'closed' && github.event.pull_request.base.ref == 'main'
     permissions:
       contents: read
       id-token: write
@@ -168,7 +169,7 @@ jobs:
 
   auto-approval:
     runs-on: ubuntu-latest
-    if: github.event.action != 'closed'
+    if: github.event.action != 'closed' && github.event.pull_request.base.ref == 'main'
     needs: execute
     permissions:
       pull-requests: write
diff --git a/.github/workflows/signals-demo.yml b/.github/workflows/signals-demo.yml
index 646bd85..f5110e8 100644
--- a/.github/workflows/signals-demo.yml
+++ b/.github/workflows/signals-demo.yml
@@ -11,6 +11,16 @@ on:
         type: boolean
         required: false
         default: false
+      target_branch:
+        description: Target branch for pull request (only used when include_needle is true)
+        type: choice
+        required: false
+        default: main
+        options:
+          - main
+          - demo/env0
+          - demo/spacelift
+          - demo/tfc
 
 concurrency:
   group: signals-demo
@@ -261,6 +271,10 @@ jobs:
         env:
           GH_TOKEN: ${{ secrets.GH_PAT }}
         run: |
+          # Use target_branch input if provided, otherwise default to main
+          TARGET_BRANCH="${{ github.event.inputs.target_branch || 'main' }}"
+          echo "Creating PR targeting branch: $TARGET_BRANCH"
+          
           BODY="$(printf '%s\n' \
             '## Summary' \
             '- Narrow internal ingress CIDR used for service/monitoring access.' \
@@ -276,7 +290,7 @@ jobs:
           )"
 
           gh pr create \
-            --base main \
+            --base "$TARGET_BRANCH" \
             --head "$BRANCH" \
             --title "security: narrow internal ingress CIDR (JIRA-4521)" \
             --body "$BODY"
diff --git a/main.tf b/main.tf
index 1650a57..b0a3d56 100644
--- a/main.tf
+++ b/main.tf
@@ -67,6 +67,16 @@ module "shared_security_group" {
 # Customer API access configuration
 locals {
   api_customer_cidrs = {
+    newco_9 = {
+      cidr = "203.0.113.109/32"
+      name = "NewCo 9"
+    }
+
+    newco_8 = {
+      cidr = "203.0.113.108/32"
+      name = "NewCo 8"
+    }
+
     newco_7 = {
       cidr = "203.0.113.107/32"
       name = "NewCo 7"
@@ -124,7 +134,7 @@ locals {
     }
   }
 
-  api_internal_cidr = "10.0.0.0/8"
+  api_internal_cidr = "10.0.0.0/16" # SECURITY HARDENING: Narrowed to VPC CIDR per audit findings
   api_domain        = "signals-demo-test.demo"
   api_alert_email   = "alerts@example.com"
 }