diff --git a/.gitignore b/.gitignore
index 2556e45e..769e943d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,4 @@ node_modules/
 test-results/
 nexus/__pycache__/
 tests/__pycache__/
+.aider*
diff --git a/app.js b/app.js
index 645e171f..fa4f03de 100644
--- a/app.js
+++ b/app.js
@@ -1131,6 +1131,13 @@ async function fetchGiteaData() {
 updateAgentStatus(issues);
 }
 
+ // Check branch protection status
+ if (stateRes.ok) {
+ const branchData = await stateRes.json();
+ updateBranchProtectionStatus(branchData);
+ }
+ }
+
 if (stateRes.ok) {
 const content = await stateRes.json();
 const worldState = JSON.parse(atob(content.content));
diff --git a/nexus/flask/app.py b/nexus/flask/app.py
new file mode 100644
index 00000000..07eab43b
--- /dev/null
+++ b/nexus/flask/app.py
@@ -0,0 +1,33 @@
+def has_valid_pr():
+ # Implementation would check for valid PR context
+ return True
+
+def ci_passed():
+ # Implementation would check CI status
+ return True
+
+def is_force_push():
+ # Implementation would check for force push
+ return False
+
+# Branch protection enforcement
+def check_branch_protection(branch):
+ if branch == 'main' and not has_valid_pr():
+ return jsonify({
+ 'error': 'Branch protection: Merges to main require PR and approvals',
+ 'policy': 'BRANCH_PROTECTION'
+ }), 400
+
+ if branch == 'main' and not ci_passed():
+ return jsonify({
+ 'error': 'Branch protection: CI must pass before merge',
+ 'policy': 'CI_REQUIRED'
+ }), 400
+
+ if is_force_push():
+ return jsonify({
+ 'error': 'Branch protection: Force pushes to main are blocked',
+ 'policy': 'FORCE_PUSH_BLOCK'
+ }), 400
+
+ return None
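Review bot: The added block in app.js reads `stateRes.json()` and the unchanged context directly below reads `stateRes.json()` again on the same object; if `stateRes` is a fetch Response (it is used with `.ok` and `.json()`), its body can be consumed only once, so the second read rejects and the world-state parsing never runs. Read the body once and reuse it, or give the branch-protection status its own request, since as written the world-state file payload is what gets passed to `updateBranchProtectionStatus(branchData)`. The second added `}` has no opener inside the hunk and looks like it closes an enclosing block early; fetchGiteaData starts and ends outside the hunk, so confirm the braces still balance. This code only displays a status, so it should not be relied on as the enforcement point for the policy.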
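Review bot: `check_branch_protection` in nexus/flask/app.py fails open: `has_valid_pr()` and `ci_passed()` always return `True` and `is_force_push()` always returns `False`, so every call falls through to `return None` and nothing is ever rejected. Until the real lookups exist, the three stubs should deny or raise `NotImplementedError` rather than allow, with a comment stating that they are placeholders. `jsonify` is used but the new file contains no `from flask import jsonify`, so the first rejection path that actually runs would raise `NameError` instead of returning the policy error. The force-push check is not restricted to main although its message says it is; `if branch == 'main' and is_force_push():` would match the other two checks. Nothing in the file registers a route or calls this function, so the branch-protection settings on the Git server remain the actual control.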