diff --git a/.gitea/protected_branches.yaml b/.gitea/protected_branches.yaml
new file mode 100644
index 00000000..7cc0d51d
--- /dev/null
+++ b/.gitea/protected_branches.yaml
@@ -0,0 +1,7 @@
+main:
+  require_pull_request: true
+  required_approvals: 1
+  dismiss_stale: true
+  require_ci_to_merge: true
+  block_force_push: true
+  block_delete: true
diff --git a/.gitignore b/.gitignore
index 2556e45e..769e943d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,4 @@ node_modules/
 test-results/
 nexus/__pycache__/
 tests/__pycache__/
+.aider*
diff --git a/CODEOWNERS b/CODEOWNERS
new file mode 100644
index 00000000..0c8d0cc2
--- /dev/null
+++ b/CODEOWNERS
@@ -0,0 +1,2 @@
+* @perplexity
+:hermes-agent/* @Timmy
diff --git a/POLICY.md b/POLICY.md
new file mode 100644
index 00000000..c42d49b5
--- /dev/null
+++ b/POLICY.md
@@ -0,0 +1,24 @@
+# Branch Protection Policy
+
+## Requirements for All Repos
+- All changes must go through a PR
+- Minimum 1 approval required
+- CI must pass before merge
+- No force pushes to main
+- No direct commits to main
+- No branch deletion without review
+
+## Reviewer Assignments
+- @perplexity - Default reviewer for all repos
+- @Timmy - Required reviewer for hermes-agent
+- Repo-specific owners for specialized areas
+
+## CI Requirements
+- hermes-agent: CI must pass
+- the-nexus: CI pending (see #915)
+- timmy-home: No CI
+- timmy-config: Limited CI
+
+## Enforcement
+- All rules enforced via Gitea branch protection
+- Violations require manual override by @Timmy