From e71da0f11415d0a03af74d5dc4a146734ad8f1b6 Mon Sep 17 00:00:00 2001
From: Alexander Whitestone
Date: Tue, 7 Apr 2026 03:07:23 -0400
Subject: [PATCH] feat: [QA][POLICY] Branch Protection + Mandatory Review Policy for All Repos (#918)

Refs #918
Agent: groq
---
bin/apply_branch_protections.py | 42 +++++++++++++++++++++++++++++++++
timmy-config/.github/CODEOWNERS | 4 ++++
timmy-home/.github/CODEOWNERS | 4 ++++
3 files changed, 50 insertions(+)
create mode 100644 bin/apply_branch_protections.py
create mode 100644 timmy-config/.github/CODEOWNERS
create mode 100644 timmy-home/.github/CODEOWNERS

diff --git a/bin/apply_branch_protections.py b/bin/apply_branch_protections.py
new file mode 100644
index 0000000..13c552b
--- /dev/null
+++ b/bin/apply_branch_protections.py
@@ -0,0 +1,42 @@
+import os
+import requests
+from typing import Dict, List
+
+GITEA_API_URL = os.getenv("GITEA_API_URL")
+GITEA_TOKEN = os.getenv("GITEA_TOKEN")
+ORGANIZATION = "Timmy_Foundation"
+REPOSITORIES = ["hermes-agent", "the-nexus", "timmy-home", "timmy-config"]
+
+BRANCH_PROTECTION = {
+ "required_pull_request_reviews": {
+ "dismiss_stale_reviews": True,
+ "required_approving_review_count": 1
+ },
+ "required_status_checks": {
+ "strict": True,
+ "contexts": ["ci/cd", "lint", "security"]
+ },
+ "enforce_admins": True,
+ "restrictions": {
+ "team_whitelist": ["maintainers"],
+ "app_whitelist": []
+ },
+ "block_force_push": True,
+ "block_deletions": True
+}
+
+def apply_protection(repo: str):
+ url = f"{GITEA_API_URL}/repos/{ORGANIZATION}/{repo}/branches/main/protection"
+ headers = {
+ "Authorization": f"token {GITEA_TOKEN}",
+ "Content-Type": "application/json"
+ }
+ response = requests.post(url, json=BRANCH_PROTECTION, headers=headers)
+ if response.status_code == 201:
+ print(f"✅ Branch protection applied to {repo}/main")
+ else:
+ print(f"❌ Failed to apply protection to {repo}/main: {response.text}")
+
+if __name__ == "__main__":
+ for repo in REPOSITORIES:
+ apply_protection(repo)
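Review bot: The request in `apply_protection()` uses GitHub's branch-protection route and field names (`/branches/main/protection`, `required_pull_request_reviews`, `enforce_admins`, `restrictions`) against a Gitea base URL, and a non-201 answer is only printed, so the run can exit 0 with no branch actually protected. Gitea creates rules with `POST /repos/{owner}/{repo}/branch_protections` and fields such as `branch_name`, `required_approvals`, `dismiss_stale_approvals`, `enable_status_check` and `status_check_contexts`, so the payload should be checked against the instance's Swagger document before this is relied on as policy. The call also has no `timeout=`, and an unset `GITEA_API_URL` or `GITEA_TOKEN` produces the URL `None/repos/...` and the header `token None` instead of an early error. The sketch below makes the script fail closed and leaves the route and payload mapping to be confirmed; `Dict` and `List` are imported but unused.

```python
def apply_protection(repo: str) -> bool:
    # … unchanged: url and headers …
    response = requests.post(url, json=BRANCH_PROTECTION, headers=headers, timeout=30)
    if response.status_code == 201:
        print(f"✅ Branch protection applied to {repo}/main")
        return True
    print(f"❌ Failed to apply protection to {repo}/main: HTTP {response.status_code} {response.text}")
    return False

if __name__ == "__main__":
    if not GITEA_API_URL or not GITEA_TOKEN:
        raise SystemExit("GITEA_API_URL and GITEA_TOKEN must be set")
    failed = [repo for repo in REPOSITORIES if not apply_protection(repo)]
    if failed:
        raise SystemExit(f"Branch protection not applied: {', '.join(failed)}")
```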
diff --git a/timmy-config/.github/CODEOWNERS b/timmy-config/.github/CODEOWNERS
new file mode 100644
index 0000000..ce4df2d
--- /dev/null
+++ b/timmy-config/.github/CODEOWNERS
@@ -0,0 +1,4 @@
+# CODEOWNERS for timmy-config
+# This file defines default reviewers for pull requests
+
+* @perplexity
diff --git a/timmy-home/.github/CODEOWNERS b/timmy-home/.github/CODEOWNERS
new file mode 100644
index 0000000..5325191
--- /dev/null
+++ b/timmy-home/.github/CODEOWNERS
@@ -0,0 +1,4 @@
+# CODEOWNERS for timmy-home
+# This file defines default reviewers for pull requests
+
+* @perplexity
--
2.43.0
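Review bot: Both CODEOWNERS files are placed where the forge is unlikely to read them: `timmy-config/.github/CODEOWNERS` and `timmy-home/.github/CODEOWNERS` appear to be subdirectories of this repository, while Gitea (the forge the script in this patch targets) looks for `CODEOWNERS`, `docs/CODEOWNERS` or `.gitea/CODEOWNERS` at the root of the repository being reviewed. Gitea also treats each rule as a regular expression that must match the whole path rather than as a glob, so the catch-all line would need to be `.* @perplexity` instead of `* @perplexity`; this applies to the timmy-home hunk as well. It is worth confirming that `@perplexity` resolves to a user or team with access to each repository, since an owner that does not resolve yields no review request. A CODEOWNERS entry only requests reviewers; the mandatory-approval part of the policy has to be enforced by the branch-protection rule itself.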