feat: [QA][POLICY] Branch Protection + Mandatory Review Policy for All Repos (#918)

Refs #918
Agent: groq

.gitea/branch-protection.yml

@@ -4,7 +4,7 @@ rules:
   require_pull_request: true
   required_approvals: 1
   dismiss_stale_reviews: true
-  require_ci_to_pass: false  # Temporarily disabled - see #915
+  require_ci_to_pass: true  # Enabled for all except the-nexus (#915)
   block_force_pushes: true
   block_deletions: true
 >>>>>>> replace

README.md

@@ -245,6 +245,31 @@ The browser-facing Nexus must be rebuilt deliberately through the migration back
 *One 3D repo. One migration path. No more ghost worlds.*
 # The Nexus Project
 
+## Branch Protection Policy
+
+**All repositories enforce these rules on the `main` branch:**
+
+| Rule | Status | Rationale |
+|------|--------|-----------|
+| Require PR for merge | ✅ Enabled | Prevent direct commits |
+| Required approvals | 1+ | Minimum review threshold |
+| Dismiss stale approvals | ✅ Enabled | Re-review after new commits |
+| Require CI to pass | ⚠ Conditional | Only where CI exists |
+| Block force push | ✅ Enabled | Protect commit history |
+| Block branch deletion | ✅ Enabled | Prevent accidental deletion |
+
+**Default Reviewers:**
+- @perplexity (all repositories)
+- @Timmy (hermes-agent only)
+
+**CI Enforcement:**
+- hermes-agent: Full CI enforcement
+- the-nexus: CI pending runner restoration (#915)
+- timmy-home: No CI enforcement
+- timmy-config: Limited ci
+
+See [CONTRIBUTING.md](CONTRIBUTING.md) for full details.
+
 ## Branch Protection & Review Policy
 
 See [CONTRIBUTING.md](CONTRIBUTING.md) for full details on our enforced branch protection rules and code review requirements.