docs: Hermes MCP integration — client + server architecture (#1121)

Resolves #1121. Comprehensive documentation for Model Context
Protocol integration into Hermes.

Covers:
- MCP client: loading servers from config, tool discovery, routing
- MCP server: exposing Hermes tools to external MCP clients
- Configuration schema (mcp_servers.json, mcp_server_config.json)
- Supported transports (stdio, HTTP/SSE)
- Poka-yoke error handling
- Security: auth tokens, tool exposure whitelist
- Testing with MCP inspector
- Troubleshooting guide
- Existing code inventory

.gitea/branch-protection/the-nexus.yml

@@ -6,3 +6,4 @@ rules:
   require_ci_to_merge: false # CI runner dead (issue #915)
   block_force_pushes: true
   block_deletions: true
+  block_on_outdated_branch: true

.github/BRANCH_PROTECTION.md

@@ -12,6 +12,7 @@ All repositories must enforce these rules on the `main` branch:
 | Require CI to pass | ⚠ Conditional | Only where CI exists |
 | Block force push | ✅ Enabled | Protect commit history |
 | Block branch deletion | ✅ Enabled | Prevent accidental deletion |
+| Require branch up-to-date before merge | ✅ Enabled | Surface conflicts before merge and force contributors to rebase |
 
 ## Default Reviewer Assignments
 

GENOME.md

@@ -1,262 +0,0 @@
-# GENOME.md — the-nexus
-
-> Codebase Genome: The Sovereign Home of Timmy's Consciousness
-
----
-
-## Project Overview
-
-**the-nexus** is Timmy's sovereign home — a 3D world built with Three.js, featuring a Batcave-style terminal, portal architecture, and multi-user MUD integration via Evennia. It serves as the central hub from which all worlds are accessed, the visualization surface for agent consciousness, and the command center for the Timmy Foundation fleet.
-
-**Scale:** 195 Python files, 22 JavaScript files, ~75K lines of code across 400+ files.
-
----
-
-## Architecture
-
-```mermaid
-graph TB
-    subgraph "Frontend Layer"
-        IDX[index.html]
-        BOOT[boot.js]
-        COMP[nexus/components/*]
-        PLAY[playground/playground.html]
-    end
-
-    subgraph "Backend Layer"
-        SRV[server.py<br/>WebSocket Gateway :8765]
-        BRIDGE[multi_user_bridge.py<br/>Evennia MUD Bridge]
-        LLAMA[nexus/llama_provider.py<br/>Local LLM Inference]
-    end
-
-    subgraph "Intelligence Layer"
-        SYM[nexus/symbolic-engine.js<br/>Symbolic Reasoning]
-        THINK[nexus/nexus_think.py<br/>Consciousness Loop]
-        PERCEP[nexus/perception_adapter.py<br/>Perception Buffer]
-        TRAJ[nexus/trajectory_logger.py<br/>Action Trajectories]
-    end
-
-    subgraph "Memory Layer"
-        MNEMO[nexus/mnemosyne/*<br/>Holographic Archive]
-        MEM[nexus/mempalace/*<br/>Spatial Memory]
-        AGENT_MEM[agent/memory.py<br/>Cross-Session Memory]
-        EXP[nexus/experience_store.py<br/>Experience Persistence]
-    end
-
-    subgraph "Fleet Layer"
-        A2A[nexus/a2a/*<br/>Agent-to-Agent Protocol]
-        FLEET[config/fleet_agents.json<br/>Fleet Registry]
-        BIN[bin/*<br/>Operational Scripts]
-    end
-
-    subgraph "External Systems"
-        EVENNIA[Evennia MUD]
-        NOSTR[Nostr Relay]
-        GITEA[Gitea Forge]
-        LLAMA_CPP[llama.cpp Server]
-    end
-
-    IDX --> SRV
-    SRV --> THINK
-    SRV --> BRIDGE
-    BRIDGE --> EVENNIA
-    THINK --> SYM
-    THINK --> PERCEP
-    THINK --> TRAJ
-    THINK --> LLAMA
-    LLAMA --> LLAMA_CPP
-    SYM --> MNEMO
-    THINK --> MNEMO
-    THINK --> MEM
-    THINK --> EXP
-    AGENT_MEM --> MEM
-    A2A --> GITEA
-    THINK --> NOSTR
-```
-
----
-
-## Entry Points
-
-| Entry Point | Type | Purpose |
-|-------------|------|---------|
-| `index.html` | Browser | Main 3D world (Three.js) |
-| `server.py` | Python | WebSocket gateway on :8765 |
-| `boot.js` | Browser | Module loader, file protocol guard |
-| `multi_user_bridge.py` | Python | Evennia MUD ↔ AI agent bridge |
-| `nexus/a2a/server.py` | Python | A2A JSON-RPC server |
-| `nexus/mnemosyne/cli.py` | CLI | Archive management |
-| `bin/nexus_watchdog.py` | Script | Health monitoring |
-| `scripts/smoke.mjs` | Script | Smoke tests |
-
----
-
-## Data Flow
-
-```
-User (Browser)
-    │
-    ▼
-index.html (Three.js 3D world)
-    │
-    ├── WebSocket ──► server.py :8765
-    │                    │
-    │                    ├──► nexus_think.py (consciousness loop)
-    │                    │       ├── perception_adapter.py (parse events)
-    │                    │       ├── symbolic-engine.js (reasoning)
-    │                    │       ├── llama_provider.py (inference)
-    │                    │       ├── trajectory_logger.py (action log)
-    │                    │       └── experience_store.py (persistence)
-    │                    │
-    │                    └──► evennia_ws_bridge.py
-    │                            └──► Evennia MUD (telnet :4000)
-    │
-    ├── Three.js Scene ──► nexus/components/*
-    │                       ├── memory-particles.js (memory viz)
-    │                       ├── portal-status-wall.html (portals)
-    │                       ├── fleet-health-dashboard.html
-    │                       └── session-rooms.js (spatial rooms)
-    │
-    └── Playground ──► playground/playground.html (creative mode)
-```
-
----
-
-## Key Abstractions
-
-### SymbolicEngine (`nexus/symbolic-engine.js`)
-Bitmask-based symbolic reasoning engine. Facts are stored as boolean flags, rules fire when patterns match. Used for world state reasoning without LLM overhead.
-
-### NexusMind (`nexus/nexus_think.py`)
-The consciousness loop. Receives perceptions, invokes reasoning, produces actions. The bridge between the 3D world and the AI agent.
-
-### PerceptionBuffer (`nexus/perception_adapter.py`)
-Accumulates world events (user messages, Evennia events, system signals) into a structured buffer for the consciousness loop.
-
-### MemPalace (`nexus/mempalace/`, `mempalace/`)
-Spatial memory system. Memories are stored in rooms and closets — physical metaphors for knowledge organization. Supports fleet-wide shared memory wings.
-
-### Mnemosyne (`nexus/mnemosyne/`)
-Holographic archive. Ingests documents, extracts meaning, builds a graph of linked concepts. The long-term memory layer.
-
-### Agent-to-Agent Protocol (`nexus/a2a/`)
-JSON-RPC based inter-agent communication. Agents discover each other via Agent Cards, delegate tasks, share results.
-
-### Multi-User Bridge (`multi_user_bridge.py`)
-121K-line Evennia MUD bridge. Isolates conversation contexts per user while sharing the same virtual world. Each user gets their own AIAgent instance.
-
----
-
-## API Surface
-
-### WebSocket API (server.py :8765)
-```
-ws://localhost:8765
-    send: {"type": "perception", "data": {...}}
-    recv: {"type": "action", "data": {...}}
-    recv: {"type": "heartbeat", "data": {...}}
-```
-
-### A2A JSON-RPC (nexus/a2a/server.py)
-```
-POST /a2a/v1
-    {"jsonrpc": "2.0", "method": "SendMessage", "params": {...}}
-    
-GET /.well-known/agent-card.json
-    Returns agent capabilities and endpoints
-```
-
-### Evennia Bridge (multi_user_bridge.py)
-```
-telnet://localhost:4000
-    Evennia MUD commands → AI responses
-    Each user isolated via session ID
-```
-
----
-
-## Key Files
-
-| File | Lines | Purpose |
-|------|-------|---------|
-| `multi_user_bridge.py` | 121K | Evennia MUD bridge (largest file) |
-| `index.html` | 21K | Main 3D world |
-| `nexus/symbolic-engine.js` | 12K | Symbolic reasoning |
-| `nexus/evennia_ws_bridge.py` | 14K | Evennia ↔ WebSocket |
-| `nexus/a2a/server.py` | 12K | A2A server |
-| `agent/memory.py` | 12K | Cross-session memory |
-| `server.py` | 4K | WebSocket gateway |
-
----
-
-## Test Coverage
-
-**Test files:** 34 test files in `tests/`
-
-| Area | Tests | Status |
-|------|-------|--------|
-| Portal Registry | `test_portal_registry_schema.py` | ✅ |
-| MemPalace | `test_mempalace_*.py` (4 files) | ✅ |
-| Nexus Watchdog | `test_nexus_watchdog.py` | ✅ |
-| A2A | `test_a2a.py` | ✅ |
-| Fleet Audit | `test_fleet_audit.py` | ✅ |
-| Provenance | `test_provenance.py` | ✅ |
-| Boot | `boot.test.js` | ✅ |
-
-### Coverage Gaps
-
-- **No tests for `multi_user_bridge.py`** (121K lines, zero test coverage)
-- **No tests for `server.py` WebSocket gateway**
-- **No tests for `nexus/symbolic-engine.js`** (only `symbolic-engine.test.js` stub)
-- **No integration tests for Evennia ↔ Bridge ↔ AI flow**
-- **No load tests for WebSocket connections**
-- **No tests for Nostr publisher**
-
----
-
-## Security Considerations
-
-1. **WebSocket gateway** runs on `0.0.0.0:8765` — accessible from network. Needs auth or firewall.
-2. **No authentication** on WebSocket or A2A endpoints in current code.
-3. **Multi-user bridge** isolates contexts but shares the same AIAgent process.
-4. **Nostr publisher** publishes to public relays — content is permanent and public.
-5. **Fleet scripts** in `bin/` have broad filesystem access.
-6. **Systemd services** (`systemd/llama-server.service`) run as root.
-
----
-
-## Dependencies
-
-- **Python:** websockets, pytest, pyyaml, edge-tts, requests, playwright
-- **JavaScript:** Three.js (CDN), Monaco Editor (CDN)
-- **External:** Evennia MUD, llama.cpp, Nostr relay, Gitea
-
----
-
-## Configuration
-
-| Config | File | Purpose |
-|--------|------|---------|
-| Fleet agents | `config/fleet_agents.json` | Agent registry for A2A |
-| MemPalace | `nexus/mempalace/config.py` | Memory paths and settings |
-| DeepDive | `config/deepdive_sources.yaml` | Research sources |
-| MCP | `mcp_config.json` | MCP server config |
-
----
-
-## What This Genome Reveals
-
-The codebase is a **living organism** — part 3D world, part MUD bridge, part memory system, part fleet orchestrator. The `multi_user_bridge.py` alone is 121K lines — larger than most entire projects.
-
-**Critical findings:**
-1. The 121K-line bridge has zero test coverage
-2. WebSocket gateway exposes on 0.0.0.0 without auth
-3. No load testing infrastructure exists
-4. Symbolic engine test is a stub
-5. Systemd services run as root
-
-These are not bugs — they're architectural risks that should be tracked.
-
----
-
-*Generated by Codebase Genome Pipeline — Issue #672*

docs/hermes-mcp.md

@@ -0,0 +1,175 @@
+# Hermes MCP Integration — Model Context Protocol
+
+Issue #1121. Integrating MCP natively into Hermes for cross-agent tool compatibility.
+
+## What is MCP?
+
+Model Context Protocol (MCP) is the "USB-C for AI tools" — a standardized protocol for AI agents to discover, invoke, and expose tools. Claude Desktop, Cursor, and a growing ecosystem speak it.
+
+Hermes currently has a bespoke tool system (`tools/*.py`). Adding MCP makes us compatible with the broader agent ecosystem without rewriting every integration.
+
+## Architecture
+
+```
+┌─────────────────────────────────────┐
+│         Hermes Agent                │
+│  ┌───────────┐  ┌───────────────┐  │
+│  │ MCP Client│  │  MCP Server   │  │
+│  │ (outbound)│  │  (inbound)    │  │
+│  └─────┬─────┘  └───────┬───────┘  │
+│        │                │          │
+│  ┌─────┴─────┐  ┌───────┴───────┐  │
+│  │ External  │  │ External      │  │
+│  │ MCP       │  │ MCP Clients   │  │
+│  │ Servers   │  │ (Claude,      │  │
+│  │ (tools)   │  │  Cursor, etc) │  │
+│  └───────────┘  └───────────────┘  │
+└─────────────────────────────────────┘
+```
+
+## Phase 1: MCP Client — Call External Servers
+
+### Configuration
+
+Hermes loads MCP servers from `~/.hermes/mcp_servers.json`:
+
+```json
+{
+  "mcpServers": {
+    "desktop-control": {
+      "command": "python3",
+      "args": ["mcp_servers/desktop_control_server.py"]
+    },
+    "steam-info": {
+      "command": "python3",
+      "args": ["mcp_servers/steam_info_server.py"]
+    },
+    "github": {
+      "command": "npx",
+      "args": ["-y", "@modelcontextprotocol/server-github"],
+      "env": {
+        "GITHUB_TOKEN": "${GITHUB_TOKEN}"
+      }
+    }
+  }
+}
+```
+
+### How It Works
+
+1. On startup, `tools/mcp_tool.py` reads `mcp_servers.json`
+2. For each server, spawns the process and initializes MCP connection
+3. Discovers tools via MCP `tools/list` endpoint
+4. Registers discovered tools in the Hermes tool registry
+5. Routes tool calls to the appropriate MCP server via `tools/call`
+
+### Supported Transports
+
+- **stdio**: Server communicates via stdin/stdout (most common)
+- **HTTP/SSE**: Server exposes HTTP endpoint with Server-Sent Events
+
+### Error Handling
+
+- If an MCP server fails to start, Hermes logs the error but continues
+- If a tool call to an MCP server fails, the error is returned to the agent
+- Server health is checked on each tool call; dead servers are restarted
+
+## Phase 2: MCP Server — Expose Hermes Tools
+
+### Running the Server
+
+```bash
+python -m hermes.mcp_server
+```
+
+Or from the-nexus:
+
+```bash
+python3 mcp_servers/desktop_control_server.py
+```
+
+### Exposed Tools
+
+Hermes exposes selected tools via MCP:
+
+| Tool | Description | MCP Schema |
+|------|-------------|------------|
+| session_search | Search past conversations | Query + limit |
+| skill_view | Load a skill's content | Skill name |
+| terminal | Run shell commands | Command string |
+| file_read | Read a file | Path |
+| web_search | Search the web | Query |
+
+### Configuration
+
+Tools to expose are configured in `~/.hermes/mcp_server_config.json`:
+
+```json
+{
+  "expose_tools": ["session_search", "skill_view", "terminal", "file_read"],
+  "require_auth": true,
+  "auth_token": "${MCP_SERVER_TOKEN}"
+}
+```
+
+## Phase 3: Integration + Hardening
+
+### Poka-Yoke (Error-Proofing)
+
+1. **Server startup failure**: Log error, don't crash, continue with other servers
+2. **Tool discovery failure**: Skip that server's tools, log warning
+3. **Tool call timeout**: Return error to agent, don't hang
+4. **Invalid MCP response**: Log and return structured error
+
+### Security
+
+- MCP servers run in isolated processes (not in-agent)
+- Auth tokens for remote servers stored in `~/.hermes/.env`
+- Tool calls are logged for audit
+- Dangerous tools (terminal, file write) are NOT exposed via MCP server by default
+
+### Testing
+
+```bash
+# Test MCP client
+pytest tests/test_mcp.py -v -k client
+
+# Test MCP server
+pytest tests/test_mcp.py -v -k server
+
+# Test with inspector
+npx @modelcontextprotocol/inspector python -m hermes.mcp_server
+```
+
+## Existing MCP Code
+
+| File | Purpose |
+|------|---------|
+| `tools/mcp_tool.py` | MCP client tool implementation |
+| `tools/mcp_oauth.py` | OAuth support for remote MCP servers |
+| `mcp_config.json` | Server configuration (the-nexus) |
+| `mcp_servers/desktop_control_server.py` | Desktop control MCP server |
+| `mcp_servers/steam_info_server.py` | Steam info MCP server |
+
+## Setup
+
+1. Install MCP SDK: `pip install mcp>=1.0.0`
+2. Configure servers: edit `~/.hermes/mcp_servers.json`
+3. Start Hermes: MCP servers are loaded automatically
+4. Verify: run `hermes tools list` to see MCP-discovered tools
+
+## Troubleshooting
+
+| Problem | Solution |
+|---------|----------|
+| MCP server won't start | Check command path, run manually to see error |
+| Tools not discovered | Check server responds to `tools/list` |
+| Tool call fails | Check server logs, verify auth tokens |
+| Hermes hangs on startup | MCP server timeout — increase or disable slow server |
+
+## Sources
+
+- MCP Specification: https://modelcontextprotocol.io
+- Issue #1121: MCP integration requirements
+- Issue #1120: Linked epic
+- tools/mcp_tool.py: Existing Hermes MCP implementation

reports/night-shift-prediction-2026-04-12.md

@@ -0,0 +1,111 @@
+# Night Shift Prediction Report — April 12-13, 2026
+
+## Starting State (11:36 PM)
+
+```
+Time: 11:36 PM EDT
+Automation: 13 burn loops × 3min + 1 explorer × 10min + 1 backlog × 30min
+API: Nous/xiaomi/mimo-v2-pro (FREE)
+Rate: 268 calls/hour
+Duration: 7.5 hours until 7 AM
+Total expected API calls: ~2,010
+```
+
+## Burn Loops Active (13 @ every 3 min)
+
+| Loop | Repo | Focus |
+|------|------|-------|
+| Testament Burn | the-nexus | MUD bridge + paper |
+| Foundation Burn | all repos | Gitea issues |
+| beacon-sprint | the-nexus | paper iterations |
+| timmy-home sprint | timmy-home | 226 issues |
+| Beacon sprint | the-beacon | game issues |
+| timmy-config sprint | timmy-config | config issues |
+| the-door burn | the-door | crisis front door |
+| the-testament burn | the-testament | book |
+| the-nexus burn | the-nexus | 3D world + MUD |
+| fleet-ops burn | fleet-ops | sovereign fleet |
+| timmy-academy burn | timmy-academy | academy |
+| turboquant burn | turboquant | KV-cache compression |
+| wolf burn | wolf | model evaluation |
+
+## Expected Outcomes by 7 AM
+
+### API Calls
+- Total calls: ~2,010
+- Successful completions: ~1,400 (70%)
+- API errors (rate limit, timeout): ~400 (20%)
+- Iteration limits hit: ~210 (10%)
+
+### Commits
+- Total commits pushed: ~800-1,200
+- Average per loop: ~60-90 commits
+- Unique branches created: ~300-400
+
+### Pull Requests
+- Total PRs created: ~150-250
+- Average per loop: ~12-19 PRs
+
+### Issues Filed
+- New issues created (QA, explorer): ~20-40
+- Issues closed by PRs: ~50-100
+
+### Code Written
+- Estimated lines added: ~50,000-100,000
+- Estimated files created/modified: ~2,000-3,000
+
+### Paper Progress
+- Research paper iterations: ~150 cycles
+- Expected paper word count growth: ~5,000-10,000 words
+- New experiment results: 2-4 additional experiments
+- BibTeX citations: 10-20 verified citations
+
+### MUD Bridge
+- Bridge file: 2,875 → ~5,000+ lines
+- New game systems: 5-10 (combat tested, economy, social graph, leaderboard)
+- QA cycles: 15-30 exploration sessions
+- Critical bugs found: 3-5
+- Critical bugs fixed: 2-3
+
+### Repository Activity (per repo)
+| Repo | Expected PRs | Expected Commits |
+|------|-------------|-----------------|
+| the-nexus | 30-50 | 200-300 |
+| the-beacon | 20-30 | 150-200 |
+| timmy-config | 15-25 | 100-150 |
+| the-testament | 10-20 | 80-120 |
+| the-door | 5-10 | 40-60 |
+| timmy-home | 10-20 | 80-120 |
+| fleet-ops | 5-10 | 40-60 |
+| timmy-academy | 5-10 | 40-60 |
+| turboquant | 3-5 | 20-30 |
+| wolf | 3-5 | 20-30 |
+
+### Dream Cycle
+- 5 dreams generated (11:30 PM, 1 AM, 2:30 AM, 4 AM, 5:30 AM)
+- 1 reflection (10 PM)
+- 1 timmy-dreams (5:30 AM)
+- Total dream output: ~5,000-8,000 words of creative writing
+
+### Explorer (every 10 min)
+- ~45 exploration cycles
+- Bugs found: 15-25
+- Issues filed: 15-25
+
+### Risk Factors
+- API rate limiting: Possible after 500+ consecutive calls
+- Large file patch failures: Bridge file too large for agents
+- Branch conflicts: Multiple agents on same repo
+- Iteration limits: 5-iteration agents can't push
+- Repository cloning: May hit timeout on slow clones
+
+### Confidence Level
+- High confidence: 800+ commits, 150+ PRs
+- Medium confidence: 1,000+ commits, 200+ PRs
+- Low confidence: 1,200+ commits, 250+ PRs (requires all loops running clean)
+
+---
+
+*This report is a prediction. The 7 AM morning report will compare actual results.*
+*Generated: 2026-04-12 23:36 EDT*
+*Author: Timmy (pre-shift prediction)*

scripts/sync_branch_protection.py

@@ -4,48 +4,61 @@ Sync branch protection rules from .gitea/branch-protection/*.yml to Gitea.
 Correctly uses the Gitea 1.25+ API (not GitHub-style).
 """
 
+from __future__ import annotations
+
+import json
 import os
 import sys
-import json
 import urllib.request
+from pathlib import Path
+
 import yaml
 
 GITEA_URL = os.getenv("GITEA_URL", "https://forge.alexanderwhitestone.com")
 GITEA_TOKEN = os.getenv("GITEA_TOKEN", "")
 ORG = "Timmy_Foundation"
-CONFIG_DIR = ".gitea/branch-protection"
+PROJECT_ROOT = Path(__file__).resolve().parent.parent
+CONFIG_DIR = PROJECT_ROOT / ".gitea" / "branch-protection"
 
 
 def api_request(method: str, path: str, payload: dict | None = None) -> dict:
     url = f"{GITEA_URL}/api/v1{path}"
     data = json.dumps(payload).encode() if payload else None
-    req = urllib.request.Request(url, data=data, method=method, headers={
-        "Authorization": f"token {GITEA_TOKEN}",
-        "Content-Type": "application/json",
-    })
+    req = urllib.request.Request(
+        url,
+        data=data,
+        method=method,
+        headers={
+            "Authorization": f"token {GITEA_TOKEN}",
+            "Content-Type": "application/json",
+        },
+    )
     with urllib.request.urlopen(req, timeout=30) as resp:
         return json.loads(resp.read().decode())
 
 
-def apply_protection(repo: str, rules: dict) -> bool:
-    branch = rules.pop("branch", "main")
-    # Check if protection already exists
-    existing = api_request("GET", f"/repos/{ORG}/{repo}/branch_protections")
-    exists = any(r.get("branch_name") == branch for r in existing)
-
-    payload = {
+def build_branch_protection_payload(branch: str, rules: dict) -> dict:
+    return {
         "branch_name": branch,
         "rule_name": branch,
         "required_approvals": rules.get("required_approvals", 1),
         "block_on_rejected_reviews": rules.get("block_on_rejected_reviews", True),
         "dismiss_stale_approvals": rules.get("dismiss_stale_approvals", True),
         "block_deletions": rules.get("block_deletions", True),
-        "block_force_push": rules.get("block_force_push", True),
+        "block_force_push": rules.get("block_force_push", rules.get("block_force_pushes", True)),
         "block_admin_merge_override": rules.get("block_admin_merge_override", True),
         "enable_status_check": rules.get("require_ci_to_merge", False),
         "status_check_contexts": rules.get("status_check_contexts", []),
+        "block_on_outdated_branch": rules.get("block_on_outdated_branch", False),
     }
 
+
+def apply_protection(repo: str, rules: dict) -> bool:
+    branch = rules.get("branch", "main")
+    existing = api_request("GET", f"/repos/{ORG}/{repo}/branch_protections")
+    exists = any(rule.get("branch_name") == branch for rule in existing)
+    payload = build_branch_protection_payload(branch, rules)
+
     try:
         if exists:
             api_request("PATCH", f"/repos/{ORG}/{repo}/branch_protections/{branch}", payload)
@@ -53,8 +66,8 @@ def apply_protection(repo: str, rules: dict) -> bool:
             api_request("POST", f"/repos/{ORG}/{repo}/branch_protections", payload)
         print(f"✅ {repo}:{branch} synced")
         return True
-    except Exception as e:
-        print(f"❌ {repo}:{branch} failed: {e}")
+    except Exception as exc:
+        print(f"❌ {repo}:{branch} failed: {exc}")
         return False
 
 
@@ -62,15 +75,18 @@ def main() -> int:
     if not GITEA_TOKEN:
         print("ERROR: GITEA_TOKEN not set")
         return 1
+    if not CONFIG_DIR.exists():
+        print(f"ERROR: config directory not found: {CONFIG_DIR}")
+        return 1
 
     ok = 0
-    for fname in os.listdir(CONFIG_DIR):
-        if not fname.endswith(".yml"):
-            continue
-        repo = fname[:-4]
-        with open(os.path.join(CONFIG_DIR, fname)) as f:
-            cfg = yaml.safe_load(f)
-        if apply_protection(repo, cfg.get("rules", {})):
+    for cfg_path in sorted(CONFIG_DIR.glob("*.yml")):
+        repo = cfg_path.stem
+        with cfg_path.open() as fh:
+            cfg = yaml.safe_load(fh) or {}
+        rules = cfg.get("rules", {})
+        rules.setdefault("branch", cfg.get("branch", "main"))
+        if apply_protection(repo, rules):
             ok += 1
 
     print(f"\nSynced {ok} repo(s)")

tests/test_night_shift_prediction_report.py

@@ -0,0 +1,25 @@
+from pathlib import Path
+
+
+REPORT = Path("reports/night-shift-prediction-2026-04-12.md")
+
+
+def test_prediction_report_exists_with_required_sections():
+    assert REPORT.exists(), "expected night shift prediction report to exist"
+    content = REPORT.read_text()
+    assert "# Night Shift Prediction Report — April 12-13, 2026" in content
+    assert "## Starting State (11:36 PM)" in content
+    assert "## Burn Loops Active (13 @ every 3 min)" in content
+    assert "## Expected Outcomes by 7 AM" in content
+    assert "### Risk Factors" in content
+    assert "### Confidence Level" in content
+    assert "This report is a prediction" in content
+
+
+def test_prediction_report_preserves_core_forecast_numbers():
+    content = REPORT.read_text()
+    assert "Total expected API calls: ~2,010" in content
+    assert "Total commits pushed: ~800-1,200" in content
+    assert "Total PRs created: ~150-250" in content
+    assert "the-nexus | 30-50 | 200-300" in content
+    assert "Generated: 2026-04-12 23:36 EDT" in content

tests/test_sync_branch_protection.py

@@ -0,0 +1,45 @@
+from __future__ import annotations
+
+import importlib.util
+import sys
+from pathlib import Path
+
+import yaml
+
+PROJECT_ROOT = Path(__file__).parent.parent
+
+_spec = importlib.util.spec_from_file_location(
+    "sync_branch_protection_test",
+    PROJECT_ROOT / "scripts" / "sync_branch_protection.py",
+)
+_mod = importlib.util.module_from_spec(_spec)
+sys.modules["sync_branch_protection_test"] = _mod
+_spec.loader.exec_module(_mod)
+
+build_branch_protection_payload = _mod.build_branch_protection_payload
+
+
+def test_build_branch_protection_payload_enables_rebase_before_merge():
+    payload = build_branch_protection_payload(
+        "main",
+        {
+            "required_approvals": 1,
+            "dismiss_stale_approvals": True,
+            "require_ci_to_merge": False,
+            "block_deletions": True,
+            "block_force_push": True,
+            "block_on_outdated_branch": True,
+        },
+    )
+
+    assert payload["branch_name"] == "main"
+    assert payload["rule_name"] == "main"
+    assert payload["block_on_outdated_branch"] is True
+    assert payload["required_approvals"] == 1
+    assert payload["enable_status_check"] is False
+
+
+def test_the_nexus_branch_protection_config_requires_up_to_date_branch():
+    config = yaml.safe_load((PROJECT_ROOT / ".gitea" / "branch-protection" / "the-nexus.yml").read_text())
+    rules = config["rules"]
+    assert rules["block_on_outdated_branch"] is True