CODEOWNERS

@@ -41,67 +41,64 @@ CONTRIBUTING.md
 <<<<<<< search
 # Contribution & Code Review Policy
 
-## Branch Protection Rules (Enforced via Gitea)
-All repositories must have the following branch protection rules enabled on the `main` branch:
+## Branch Protection & Review Policy
 
-| Rule | Status | Applies To |
-|------|--------|------------|
-| Require Pull Request for merge | ✅ Enabled | All |
-| Required approvals | ✅ 1+ required | All |
-| Dismiss stale approvals on new commits | ✅ Enabled | All |
-| Require CI to pass (where CI exists) | ⚠ Conditional | All |
-| Block force pushes to `main` | ✅ Enabled | All |
-| Block deletion of `main` branch | ✅ Enabled | All |
+All repositories must enforce these rules on the `main` branch:
 
-## Default Reviewer Assignments
+| Rule | Status | Rationale |
+|---|---|---|
+| Require PR for merge | ✅ Enabled | Prevent direct commits |
+| Required approvals | ✅ 1+ | Minimum review threshold |
+| Dismiss stale approvals | ✅ Enabled | Re-review after new commits |
+| Require CI to pass | <20> Conditional | Only where CI exists |
+| Block force push | ✅ Enabled | Protect commit history |
+| Block branch deletion | ✅ Enabled | Prevent accidental deletion |
 
-| Repository | Required Reviewers |
-|------------|------------------|
-| `hermes-agent` | `@perplexity`, `@Timmy` |
-| `the-nexus` | `@perplexity` |
-| `timmy-home` | `@perplexity` |
-| `timmy-config` | `@perplexity` |
+### Repository-Specific Configuration
 
-## CI Enforcement Status
+**1. hermes-agent**
+- ✅ All protections enabled
+- 🔒 Required reviewer: `@Timmy` (owner gate)
+- 🧪 CI: Enabled (currently functional)
 
-| Repository | CI Status |
-|------------|-----------|
-| `hermes-agent` | ✅ Active |
-| `the-nexus` | ⚠ CI runner pending (#915) |
-| `timmy-home` | ❌ No CI |
-| `timmy-config` | ❌ Limited CI |
+**2. the-nexus**
+- ✅ All protections enabled
+- <20> CI: Disabled (runner dead - see #915)
+- 🧪 CI: Re-enable when runner restored
 
-## Review Workflow
+**3. timmy-home**
+- ✅ PR + 1 approval required
+- 🧪 CI: No CI configured
 
-### For All Contributors
-- Create feature branches from `main`
-- Open PR with clear description
-- `@perplexity` will be automatically assigned as reviewer
-- For `hermes-agent`: `@Timmy` must review critical changes
+**4. timmy-config**
+- ✅ PR + 1 approval required
+- 🧪 CI: Limited CI
 
-### For Maintainers
-- Review all PRs within 24h
-- Require at least 1 approval before merge
-- Dismiss stale approvals on new commits
+### Default Reviewer Assignment
 
-## Enforcement
-- Direct pushes to main: ❌ Prohibited
-- Unreviewed merges: ❌ Prohibited
-- Failing CI merges: ❌ Prohibited
+All repositories must:
+- 🧑‍ Default reviewer: `@perplexity` (QA gate)
+- 🧑 Required reviewer: `@Timmy` for `hermes-agent/` only
 
-## Exceptions
-Emergency hotfixes require:
-- `@Timmy` approval
-- Post-merge documentation
-- Follow-up PR for full review
+### Implementation Steps
 
-## Policy Enforcement
-This document is the source of truth for:
-- Branch protection settings
-- Reviewer assignments
-- Merge requirements
+1. Go to Gitea > Settings > Branches > Branch Protection
+2. For each repo:
+   - [ ] Enable "Require PR for merge"
+   - [ ] Set "Required approvals" to 1
+   - [ ] Enable "Dismiss stale approvals"
+   - [ ] Enable "Block force push"
+   - [ ] Enable "Block branch deletion"
+   - [ ] Enable "Require CI to pass" if CI exists
 
-See Gitea admin settings for each repo to verify protection rules are enabled.
+### Acceptance Criteria
+
+- [ ] All four repositories have protection rules applied
+- [ ] Default reviewers configured per matrix above
+- [ ] This document updated in all repositories
+- [ ] Policy enforced for 72 hours with no unreviewed merges
+
+> This policy replaces all previous ad-hoc workflows. Any exceptions require written approval from @Timmy and @perplexity.
 
 # Default reviewer for all repositories
 * @perplexity