# Branch Protection Policy

## Enforcement Rules

All repositories must have the following branch protection rules enabled on the `main` branch:

| Rule | Status | Description |
|------|--------|-------------|
| Require PR for merge | ✅ Enabled | No direct pushes to main |
| Required approvals | ✅ 1 approval | At least one reviewer must approve |
| Dismiss stale approvals | ✅ Enabled | Re-review after new commits |
| Require CI to pass | ✅ Where CI exists | No merging with failing CI |
| Block force push | ✅ Enabled | Protect commit history |
| Block branch deletion | ✅ Enabled | Prevent accidental main deletion |

## Reviewer Assignments

- `@perplexity` - Default reviewer for all repositories
- `@Timmy` - Required reviewer for `hermes-agent`
- Repo-specific owners for specialized areas (e.g., `@Rockachopa` for infrastructure)

## Implementation Status

- [x] `hermes-agent`: All rules enabled
- [x] `the-nexus`: All rules enabled (CI pending)
- [x] `timmy-home`: PR + 1 approval
- [x] `timmy-config`: PR + 1 approval

## Acceptance Criteria

- [x] Branch protection enabled on all main branches
- [x] `@perplexity` set as default reviewer
- [x] This documentation added to all repositories

## Blocked Issues

- [ ] #916 - CI implementation for `the-nexus`
- [ ] #917 - Reviewer assignment automation

## Implementation Notes

1. Gitea branch protection settings must be configured via the UI:
   - Settings > Branches > Branch Protection
   - Enable all rules listed above
2. `CODEOWNERS` file must be committed to the root of each repository
3. CI status should be verified before merging
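Because the rules are set by hand in the UI, a periodic drift check helps confirm they stay in place. The following is an added example, not part of this policy or the project's tooling: it compares exported branch protection objects against the first four rules in the table. Assumptions: the field names are those of Gitea's branch protection API object, and the repository names and sample data are constructed.

```python
def audit_rule(rule, has_ci):
    """Compare one Gitea branch protection object with the policy table."""
    findings = []
    # Missing keys are treated as non-compliant (fail closed).
    if rule.get("enable_push", True):
        findings.append("direct pushes to main are allowed")
    if rule.get("required_approvals", 0) < 1:
        findings.append("fewer than 1 required approval")
    if not rule.get("dismiss_stale_approvals", False):
        findings.append("stale approvals are not dismissed")
    # "Require CI to pass" applies only where CI exists.
    if has_ci and not (rule.get("enable_status_check")
                       and rule.get("status_check_contexts")):
        findings.append("CI status checks are not required")
    return findings


def audit_repos(rules_by_repo, ci_repos, branch="main"):
    """Return {repo: [findings]}; an empty list means compliant."""
    report = {}
    for repo, rules in rules_by_repo.items():
        # The rule may be keyed by rule_name or the older branch_name field.
        rule = next((r for r in rules
                     if branch in (r.get("rule_name"), r.get("branch_name"))), None)
        if rule is None:
            report[repo] = [f"no protection rule for {branch}"]
        else:
            report[repo] = audit_rule(rule, repo in ci_repos)
    return report


# Constructed sample data: hypothetical repositories, not the ones listed above.
SAMPLE = {
    "repo-a": [{"rule_name": "main", "enable_push": False, "required_approvals": 1,
                "dismiss_stale_approvals": True, "enable_status_check": True,
                "status_check_contexts": ["ci/build"]}],
    "repo-b": [{"rule_name": "main", "enable_push": False, "required_approvals": 1,
                "dismiss_stale_approvals": False, "enable_status_check": False,
                "status_check_contexts": []}],
    "repo-c": [{"rule_name": "release/*", "enable_push": True,
                "required_approvals": 0}],
}

if __name__ == "__main__":
    for repo, findings in audit_repos(SAMPLE, ci_repos={"repo-a"}).items():
        print(repo, "OK" if not findings else "; ".join(findings))
```

A repository with no rule matching `main` is reported as a finding rather than skipped, so an unprotected branch cannot pass silently.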