diff --git a/.gitea/branch-protection.yml b/.gitea/branch-protection.yml index 635a1a9..66d3e85 100644 --- a/.gitea/branch-protection.yml +++ b/.gitea/branch-protection.yml @@ -4,7 +4,7 @@ rules: require_pull_request: true required_approvals: 1 dismiss_stale_reviews: true - require_ci_to_pass: true + require_ci_to_pass: false # Temporarily disabled - see #915 block_force_pushes: true block_deletions: true >>>>>>> replace diff --git a/README.md b/README.md index d14795b..6aa82ac 100644 --- a/README.md +++ b/README.md 
@@ -3,6 +3,50 @@ ## Branch Protection & Review Requirements All repositories must enforce these rules on the `main` branch: + +| Rule | Status | Rationale | +|---|---|---| +| Require PR for merge | ✅ Enabled | Prevent direct commits | +| Required approvals | ✅ 1+ | Minimum review threshold | +| Dismiss stale approvals | ✅ Enabled | Re-review after new commits | +| Require CI to pass | ⚠ Conditional | Only where CI exists | +| Block force push | ✅ Enabled | Protect commit history | +| Block branch deletion | ✅ Enabled | Prevent accidental deletion | + +### Repository-Specific Configuration + +**1. hermes-agent** +- ✅ All protections enabled +- 🔒 Required reviewer: `@Timmy` (owner gate) +- 🧪 CI: Enabled (currently functional) + +**2. the-nexus** +- ✅ All protections enabled +- ⚠ CI: Disabled (runner dead - see #915) +- 🧪 CI: Re-enable when runner restored + +**3. timmy-home** +- ✅ PR + 1 approval required +- 🧪 CI: No CI configured + +**4. timmy-config** +- ✅ PR + 1 approval required +- 🧪 CI: Limited CI + +### Default Reviewer Assignment + +All repositories must: +- 🧑‍ Default reviewer: `@perplexity` (QA gate) +- 🧑 Required reviewer: `@Timmy` for `hermes-agent/` only + +### Acceptance Criteria + +- [ ] All four repositories have protection rules applied +- [ ] Default reviewers configured per matrix above +- [ ] This policy documented in all repositories +- [ ] Policy enforced for 72 hours with no unreviewed merges + +> This policy replaces all previous ad-hoc workflows. Any exceptions require written approval from @Timmy and @perplexity. - ✅ Require Pull Request for merge - ✅ Require 1 approval - ✅ Dismiss stale approvals
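Review bot: In the `.gitea/branch-protection.yml` hunk, `require_ci_to_pass: false` turns the CI gate off with no scope or re-enable condition visible in the file, while the README hunk in this same patch lists CI as functional for hermes-agent and dead only for the-nexus. If this file governs anything other than the-nexus, keep `true` there and limit the override to the affected repository. The comment points at #915 but does not say what restores the setting; stating the condition (runner back online) next to the value would keep "temporarily" from becoming the default. Also check that the `>>>>>>> replace` text following this hunk did not end up in the YAML file, since it is not valid diff content.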
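Review bot: In the `README.md` hunk, the the-nexus entry states "All protections enabled" and then "CI: Disabled (runner dead - see #915)", which contradict each other; list what is actually enforced there, as the timmy-home entry does with "PR + 1 approval required". The closing blockquote requires written approval from @Timmy and @perplexity for exceptions, so the the-nexus CI exception should reference that approval or the policy is broken by its own first revision. The added block is inserted above the existing `- ✅ Require Pull Request for merge` list, which stays as context, so the rules now appear twice and the blockquote lands in front of the old list; drop the old list or move the blockquote to the end. Two smaller points: the bullets under "All repositories must:" do not complete that sentence, and "Limited CI" for timmy-config does not say whether "Require CI to pass" is enforced there.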