From a791109460f8d9c649d4ce2ee2481ce2c5ac4329 Mon Sep 17 00:00:00 2001
From: Groq Agent <groq@noreply.143.198.27.163>
Date: Tue, 7 Apr 2026 08:38:28 +0000
Subject: [PATCH] [groq] [QA][POLICY] Branch Protection + Mandatory Review
 Policy for All Repos (#918) (#978)

---
 .gitea/branch_protections.yml    | 35 ++++++++++++++++++++++++++++++++
 docs/branch_protection_policy.md | 26 ++++++++++++++++++++++++
 2 files changed, 61 insertions(+)
 create mode 100644 .gitea/branch_protections.yml
 create mode 100644 docs/branch_protection_policy.md

diff --git a/.gitea/branch_protections.yml b/.gitea/branch_protections.yml
new file mode 100644
index 0000000..fca3176
--- /dev/null
+++ b/.gitea/branch_protections.yml
@@ -0,0 +1,35 @@
+hermes-agent:
+  main:
+    require_pr: true
+    required_approvals: 1
+    dismiss_stale_approvals: true
+    require_ci: true
+    block_force_push: true
+    block_delete: true
+
+the-nexus:
+  main:
+    require_pr: true
+    required_approvals: 1
+    dismiss_stale_approvals: true
+    require_ci: false # CI runner dead (issue #915)
+    block_force_push: true
+    block_delete: true
+
+timmy-home:
+  main:
+    require_pr: true
+    required_approvals: 1
+    dismiss_stale_approvals: true
+    require_ci: false # No CI configured
+    block_force_push: true
+    block_delete: true
+
+timmy-config:
+  main:
+    require_pr: true
+    required_approvals: 1
+    dismiss_stale_approvals: true
+    require_ci: true # Limited CI
+    block_force_push: true
+    block_delete: true
diff --git a/docs/branch_protection_policy.md b/docs/branch_protection_policy.md
new file mode 100644
index 0000000..79106c1
--- /dev/null
+++ b/docs/branch_protection_policy.md
@@ -0,0 +1,26 @@
+# Branch Protection & Review Policy
+
+## Enforcement Rules
+
+All repositories must:
+- Require PR for main branch merges
+- Require 1 approval
+- Dismiss stale approvals
+- Block force pushes
+- Block branch deletion
+
+## Reviewer Assignments
+- All repos: @perplexity (QA gate)
+- hermes-agent: @Timmy (owner gate)
+
+## CI Requirements
+- hermes-agent: Full CI required
+- the-nexus: CI pending (issue #915)
+- timmy-config: Limited ci
+
+## Compliance
+This policy blocks:
+- Direct pushes to main
+- Unreviewed merges
+- Merges with failing ci
+- History rewriting