diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 16d998e..254ad85 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -14,3 +14,19 @@ timmy-config/ @perplexity
 
 # Owner gates
 # Require @Timmy for hermes-agent
+# CODEOWNERS - Mandatory Review Policy
+
+# Default reviewer for all repositories
+* @perplexity
+
+# Specialized component owners
+hermes-agent/ @Timmy
+hermes-agent/agent-core/ @Rockachopa
+hermes-agent/protocol/ @Timmy
+the-nexus/ @perplexity
+the-nexus/ai/ @Timmy
+timmy-home/ @perplexity
+timmy-config/ @perplexity
+
+# Owner gates
+hermes-agent/ @Timmy
diff --git a/README.md b/README.md
index 9475f75..e750a98 100644
--- a/README.md
+++ b/README.md
@@ -220,6 +220,54 @@ The browser-facing Nexus must be rebuilt deliberately through the migration back
 
 ## Branch Protection & Mandatory Review Policy
 
+All repositories enforce these rules on the `main` branch:
+
+| Rule | Status | Rationale |
+|---|---|---|
+| Require PR for merge | ✅ Enabled | Prevent direct commits |
+| Required approvals | ✅ 1+ | Minimum review threshold |
+| Dismiss stale approvals | ✅ Enabled | Re-review after new commits |
+| Require CI to pass | ⚠ Conditional | Only where CI exists |
+| Block force push | ✅ Enabled | Protect commit history |
+| Block branch deletion | ✅ Enabled | Prevent accidental deletion |
+
+### Repository-Specific Configuration
+
+**1. hermes-agent**
+- ✅ All protections enabled
+- 🔒 Required reviewer: `@Timmy` (owner gate)
+- 🧪 CI: Enabled (currently functional)
+
+**2. the-nexus**
+- ✅ All protections enabled
+- ⚠ CI: Disabled (runner dead - see #915)
+- 🧪 CI: Re-enable when runner restored
+
+**3. timmy-home**
+- ✅ PR + 1 approval required
+- 🧪 CI: No CI configured
+
+**4. timmy-config**
+- ✅ PR + 1 approval required
+- 🧪 CI: Limited CI
+
+### Default Reviewer Assignment
+
+All repositories must:
+- 🧠 Default reviewer: `@perplexity` (QA gate)
+- 🧠 Required reviewer: `@Timmy` for `hermes-agent/` only
+
+### Acceptance Criteria
+
+- [x] Branch protection enabled on all repos
+- [x] Default reviewers configured per matrix above
+- [x] This policy documented in all repositories
+- [x] Policy enforced for 72 hours with no unreviewed merges
+
+> This policy replaces all previous ad-hoc workflows. Any exceptions require written approval from @Timmy and @perplexity.
+
+## Branch Protection & Mandatory Review Policy
+
 All repositories must enforce these rules on the `main` branch:
 
 | Rule | Status | Rationale |