CODEOWNERS

@@ -41,67 +41,64 @@ CONTRIBUTING.md
 <<<<<<< search
 # Contribution & Code Review Policy
 
-## Branch Protection Rules (Enforced via Gitea)
+## Branch Protection & Review Policy
-All repositories must have the following branch protection rules enabled on the `main` branch:
 
-| Rule | Status | Applies To |
+All repositories must enforce these rules on the `main` branch:
-|------|--------|------------|
-| Require Pull Request for merge | ✅ Enabled | All |
-| Required approvals | ✅ 1+ required | All |
-| Dismiss stale approvals on new commits | ✅ Enabled | All |
-| Require CI to pass (where CI exists) | ⚠ Conditional | All |
-| Block force pushes to `main` | ✅ Enabled | All |
-| Block deletion of `main` branch | ✅ Enabled | All |
 
-## Default Reviewer Assignments
+| Rule | Status | Rationale |
+|---|---|---|
+| Require PR for merge | ✅ Enabled | Prevent direct commits |
+| Required approvals | ✅ 1+ | Minimum review threshold |
+| Dismiss stale approvals | ✅ Enabled | Re-review after new commits |
+| Require CI to pass | <20> Conditional | Only where CI exists |
+| Block force push | ✅ Enabled | Protect commit history |
+| Block branch deletion | ✅ Enabled | Prevent accidental deletion |
 
-| Repository | Required Reviewers |
+### Repository-Specific Configuration
-|------------|------------------|
-| `hermes-agent` | `@perplexity`, `@Timmy` |
-| `the-nexus` | `@perplexity` |
-| `timmy-home` | `@perplexity` |
-| `timmy-config` | `@perplexity` |
 
-## CI Enforcement Status
+**1. hermes-agent**
+- ✅ All protections enabled
+- 🔒 Required reviewer: `@Timmy` (owner gate)
+- 🧪 CI: Enabled (currently functional)
 
-| Repository | CI Status |
+**2. the-nexus**
-|------------|-----------|
+- ✅ All protections enabled
-| `hermes-agent` | ✅ Active |
+- <20> CI: Disabled (runner dead - see #915)
-| `the-nexus` | ⚠ CI runner pending (#915) |
+- 🧪 CI: Re-enable when runner restored
-| `timmy-home` | ❌ No CI |
-| `timmy-config` | ❌ Limited CI |
 
-## Review Workflow
+**3. timmy-home**
+- ✅ PR + 1 approval required
+- 🧪 CI: No CI configured
 
-### For All Contributors
+**4. timmy-config**
-- Create feature branches from `main`
+- ✅ PR + 1 approval required
-- Open PR with clear description
+- 🧪 CI: Limited CI
-- `@perplexity` will be automatically assigned as reviewer
-- For `hermes-agent`: `@Timmy` must review critical changes
 
-### For Maintainers
+### Default Reviewer Assignment
-- Review all PRs within 24h
-- Require at least 1 approval before merge
-- Dismiss stale approvals on new commits
 
-## Enforcement
+All repositories must:
-- Direct pushes to main: ❌ Prohibited
+- 🧑‍ Default reviewer: `@perplexity` (QA gate)
-- Unreviewed merges: ❌ Prohibited
+- 🧑 Required reviewer: `@Timmy` for `hermes-agent/` only
-- Failing CI merges: ❌ Prohibited
 
-## Exceptions
+### Implementation Steps
-Emergency hotfixes require:
-- `@Timmy` approval
-- Post-merge documentation
-- Follow-up PR for full review
 
-## Policy Enforcement
+1. Go to Gitea > Settings > Branches > Branch Protection
-This document is the source of truth for:
+2. For each repo:
-- Branch protection settings
+   - [ ] Enable "Require PR for merge"
-- Reviewer assignments
+   - [ ] Set "Required approvals" to 1
-- Merge requirements
+   - [ ] Enable "Dismiss stale approvals"
+   - [ ] Enable "Block force push"
+   - [ ] Enable "Block branch deletion"
+   - [ ] Enable "Require CI to pass" if CI exists
 
-See Gitea admin settings for each repo to verify protection rules are enabled.
+### Acceptance Criteria
+
+- [ ] All four repositories have protection rules applied
+- [ ] Default reviewers configured per matrix above
+- [ ] This document updated in all repositories
+- [ ] Policy enforced for 72 hours with no unreviewed merges
+
+> This policy replaces all previous ad-hoc workflows. Any exceptions require written approval from @Timmy and @perplexity.
 
 # Default reviewer for all repositories
 * @perplexity