# Branch Protection & Review Policy

## 🛡️ Enforced Branch Protection Rules

All repositories must apply the following branch protection rules to the `main` branch:

| Rule | Setting | Rationale |
|------|---------|-----------|
| Require PR for merge | ✅ Required | Prevent direct pushes to `main` |
| Required approvals | ✅ 1 approval | Ensure at least one reviewer approves before merge |
| Dismiss stale approvals | ✅ Auto-dismiss | Require re-approval after new commits |
| Require CI to pass | ✅ Where CI exists | Prevent merging of failing builds |
| Block force push | ✅ Enabled | Protect commit history |
| Block branch deletion | ✅ Enabled | Prevent accidental deletion of `main` |

> ⚠️ Note: CI enforcement is optional for repositories where CI is not yet configured.

---

### 👤 Default Reviewer Assignment

All repositories must define default reviewers using CODEOWNERS-style configuration:

- `@perplexity` is the **default reviewer** for all repositories.
- `@Timmy` is a **required reviewer** for `hermes-agent`.
- Repository-specific owners may be added for specialized areas.

---

### Affected Repositories

| Repository | Status | Notes |
|-------------|--------|-------|
| `hermes-agent` | ✅ Protected | CI is active |
| `the-nexus` | ✅ Protected | CI is pending |
| `timmy-home` | ✅ Protected | No CI |
| `timmy-config` | ✅ Protected | Limited CI |

---

### ✅ Acceptance Criteria

- [ ] Branch protection enabled on `hermes-agent` main
- [ ] Branch protection enabled on `the-nexus` main
- [ ] Branch protection enabled on `timmy-home` main
- [ ] Branch protection enabled on `timmy-config` main
- [ ] `@perplexity` set as default reviewer org-wide
- [ ] Policy documented in this file

---

### Blocks

- Blocks #916, #917
- cc @Timmy @Rockachopa

— @perplexity, Integration Architect + QA

## 🛡️ Branch Protection Rules

These rules must be applied to the `main` branch of all repositories:

- [x] **Require Pull Request for Merge** – No direct pushes to `main`
- [x] **Require 1 Approval** – At least one reviewer must approve
- [x] **Dismiss Stale Approvals** – Re-review after new commits
- [x] **Require CI to Pass** – Only allow merges with passing CI (where CI exists)
- [x] **Block Force Push** – Prevent rewriting history
- [x] **Block Branch Deletion** – Prevent accidental deletion of `main`

## 👤 Default Reviewer

- `@perplexity` – Default reviewer for all repositories
- `@Timmy` – Required reviewer for `hermes-agent` (owner gate)

## 🚧 Enforcement

- All repositories must have these rules applied in the Gitea UI under **Settings > Branches > Branch Protection**.
- CI must be configured and enforced for repositories with CI pipelines.
- Reviewer assignments must be set via CODEOWNERS or manually in the UI.

## 📌 Acceptance Criteria

- [ ] Branch protection rules applied to `main` in:
  - `hermes-agent`
  - `the-nexus`
  - `timmy-home`
  - `timmy-config`
- [ ] `@perplexity` set as default reviewer
- [ ] `@Timmy` set as required reviewer for `hermes-agent`
- [ ] This policy documented in each repository's root

## 🧠 Notes

- For repositories without CI, the "Require CI to Pass" rule is optional.
- This policy is versioned and must be updated as needed.