diff --git a/.gitignore b/.gitignore
index 2556e45e..769e943d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,4 @@ node_modules/
 test-results/
 nexus/__pycache__/
 tests/__pycache__/
+.aider*
diff --git a/CODEOWNERS b/CODEOWNERS
new file mode 100644
index 00000000..c343ba88
--- /dev/null
+++ b/CODEOWNERS
@@ -0,0 +1,8 @@
+# CODEOWNERS - Reviewer assignments for branch protection policy
+
+# Default reviewer for all repos
+* @perplexity
+
+# Special repo owners
+nexus/ @Timmy
+hermes-agent/ @Timmy
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index d50e88fb..fd137703 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -17,3 +17,22 @@ Removal is a first-class contribution. Baseline: 4,462 lines (2026-03-25). Goes
 Applies to every contributor: human, Timmy, Claude, Perplexity, Gemini, Kimi, Grok.
 Exception: initial dependency config files (requirements.txt, package.json).
 No other exceptions. Too big? Break it up.
+
+## Branch Protection Policy
+
+**All PRs to `main` must satisfy:**
+- ✅ Require pull request (no direct pushes)
+- ✅ 1+ approved reviewer
+- ✅ CI passing (where CI exists)
+- ✅ No force-pushed commits
+- ✅ No branch deletions
+
+**Mandatory Reviewers by Repo:**
+- `hermes-agent`: @Timmy + @perplexity
+- All other repos: @perplexity (default reviewer)
+
+**Policy Enforcement:**
+- Gitea branch protection rules are enabled on all active repos
+- Stale approvals are automatically dismissed on new commits
+- CI failure blocks merge (where CI exists)
+- Force pushes to `main` are blocked