diff --git a/.gitea/branch_protections.yml b/.gitea/branch_protections.yml
new file mode 100644
index 0000000..fca3176
--- /dev/null
+++ b/.gitea/branch_protections.yml
@@ -0,0 +1,35 @@
+hermes-agent:
+ main:
+ require_pr: true
+ required_approvals: 1
+ dismiss_stale_approvals: true
+ require_ci: true
+ block_force_push: true
+ block_delete: true
+
+the-nexus:
+ main:
+ require_pr: true
+ required_approvals: 1
+ dismiss_stale_approvals: true
+ require_ci: false # CI runner dead (issue #915)
+ block_force_push: true
+ block_delete: true
+
+timmy-home:
+ main:
+ require_pr: true
+ required_approvals: 1
+ dismiss_stale_approvals: true
+ require_ci: false # No CI configured
+ block_force_push: true
+ block_delete: true
+
+timmy-config:
+ main:
+ require_pr: true
+ required_approvals: 1
+ dismiss_stale_approvals: true
+ require_ci: true # Limited CI
+ block_force_push: true
+ block_delete: true
diff --git a/docs/branch_protection_policy.md b/docs/branch_protection_policy.md
new file mode 100644
index 0000000..79106c1
--- /dev/null
+++ b/docs/branch_protection_policy.md
@@ -0,0 +1,26 @@
+# Branch Protection & Review Policy
+
+## Enforcement Rules
+
+All repositories must:
+- Require PR for main branch merges
+- Require 1 approval
+- Dismiss stale approvals
+- Block force pushes
+- Block branch deletion
+
+## Reviewer Assignments
+- All repos: @perplexity (QA gate)
+- hermes-agent: @Timmy (owner gate)
+
+## CI Requirements
+- hermes-agent: Full CI required
+- the-nexus: CI pending (issue #915)
+- timmy-config: Limited ci
+
+## Compliance
+This policy blocks:
+- Direct pushes to main
+- Unreviewed merges
+- Merges with failing ci
+- History rewriting
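Review bot: `require_ci: false` on `the-nexus` and `timmy-home` leaves both main branches mergeable with no status check, yet docs/branch_protection_policy.md in this same commit lists "Merges with failing ci" as blocked without qualification and omits `timmy-home` from its CI section. Mark the exemption as temporary and tied to its exit condition, e.g. `require_ci: false # TEMPORARY: CI runner dead (issue #915); set back to true once the runner is restored`, and give `timmy-home` a similar tracked note. The reviewer gates the docs name (@perplexity, @Timmy) are not expressed in this file, so `required_approvals: 1` can presumably be satisfied by any account permitted to approve. If the tool that consumes this file supports an approver allowlist, it should be set here. Nothing in the diff shows what applies this file to Gitea or whether admins can bypass it, so the effective protection should be checked against the live branch settings.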