diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..2c8c3b9
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,48 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+
+jobs:
+  links:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Lychee link check
+        uses: lycheeverse/lychee-action@v2
+        with:
+          args: >-
+            --no-progress
+            
+            --exclude-loopback
+            --max-redirects 5
+            --accept '200..=204,206,301..=308,403,429'
+            --exclude 'github.com/zenprocess/switchyard'
+            --exclude 'sonarcloud.io'
+            './**/*.md'
+          fail: true
+
+  leak-guard:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Scan for accidental leaks
+        shell: bash
+        run: |
+          set -e
+          # Excludes:
+          # - workflows dir (regex literals would self-match)
+          # - paper.md (intentional author byline)
+          # - bench/v2/results/* (raw LLM trajectories — sanitized in #11
+          #   but still under monitoring)
+          PATTERN='UNKNOWN @ file://|/home/[a-z][a-z0-9_-]+/(orchestrator|models)/|sk-ant-api03-[A-Za-z0-9_-]{20,}|sk-proj-[A-Za-z0-9_-]{20,}|-----BEGIN (RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----'
+          if git ls-files \
+             | grep -vE '^\.github/workflows/' \
+             | grep -vE '^paper\.md$' \
+             | xargs -r grep -EHn "$PATTERN" 2>/dev/null; then
+            echo "::error::Leak guard found suspicious patterns above"
+            exit 1
+          fi
+          echo "Leak guard clean"