diff --git a/.forgejo/workflows/ci.yml b/.forgejo/workflows/ci.yml
new file mode 100644
index 0000000..5d358e3
--- /dev/null
+++ b/.forgejo/workflows/ci.yml
@@ -0,0 +1,121 @@
+# Rumpk Sovereign Kernel CI
+# Two-stage build: Nim→C→.o (build_nim.sh) then Zig links everything (zig build)
+# Targets: riscv64 (primary), aarch64 (secondary)
+name: Rumpk CI
+
+on:
+ push:
+ branches: [unstable, main, stable, testing]
+ pull_request:
+ branches: [unstable, main]
+
+jobs:
+ build-riscv64:
+ name: Build RISC-V 64
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Verify toolchain
+ run: |
+ echo "=== Toolchain ==="
+ zig version
+ nim --version | head -1
+ echo "=== Target: riscv64-freestanding ==="
+
+ - name: Build LwIP (networking stack)
+ run: |
+ chmod +x build_lwip.sh
+ ./build_lwip.sh
+
+ - name: Compile Nim kernel to C objects
+ run: |
+ chmod +x build_nim.sh
+ ./build_nim.sh riscv64
+
+ - name: Build full kernel (userland + initrd + link)
+ run: |
+ chmod +x build_full.sh
+ ./build_full.sh riscv64
+
+ - name: Final Zig link
+ run: zig build
+
+ - name: Verify kernel ELF
+ run: |
+ ls -lh zig-out/bin/rumpk.elf
+ file zig-out/bin/rumpk.elf
+
+ - name: QEMU boot test (RISC-V)
+ run: |
+ timeout 30 qemu-system-riscv64 \
+ -M virt -cpu max -m 512M -nographic \
+ -kernel zig-out/bin/rumpk.elf \
+ 2>&1 | tee /tmp/boot.log &
+ QEMU_PID=$!
+ sleep 20
+ kill $QEMU_PID 2>/dev/null || true
+ wait $QEMU_PID 2>/dev/null || true
+ echo "=== Boot log ==="
+ cat /tmp/boot.log
+ echo "=== Checking boot markers ==="
+ grep -q "Nim handoff" /tmp/boot.log && echo "PASS: Nim handoff reached" || echo "WARN: Nim handoff not found"
+ grep -q "init complete" /tmp/boot.log && echo "PASS: Init complete" || echo "WARN: Init not complete"
+
+ build-aarch64:
+ name: Build ARM64
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Verify toolchain
+ run: |
+ zig version
+ nim --version | head -1
+
+ - name: Compile Nim kernel to C objects (ARM64)
+ run: |
+ chmod +x build_nim.sh
+ ./build_nim.sh aarch64
+
+ - name: Build full kernel (ARM64)
+ run: |
+ chmod +x build_full.sh
+ ./build_full.sh aarch64
+
+ - name: Verify kernel ELF
+ run: |
+ ls -lh zig-out/bin/rumpk.elf
+ file zig-out/bin/rumpk.elf
+
+ security-scan:
+ name: Security Scan
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Check for sensitive content
+ run: |
+ FAIL=0
+ # No agent/internal directories
+ if find . -path './.agent' -o -path './.vscode' -o -path './.kiro' | grep -q .; then
+ echo "FAIL: Sensitive directories found"
+ FAIL=1
+ fi
+ # No internal paths in tracked files
+ if git grep -l '/home/markus' -- ':!.git' 2>/dev/null | grep -q .; then
+ echo "FAIL: Internal paths found in tracked files:"
+ git grep -l '/home/markus' -- ':!.git'
+ FAIL=1
+ fi
+ # No compiled binaries tracked
+ BINS=$(find . -not -path './.git/*' -type f -executable -size +100k 2>/dev/null | head -5)
+ if [ -n "$BINS" ]; then
+ echo "WARN: Large executables found (check if intentional):"
+ echo "$BINS"
+ fi
+ if [ $FAIL -eq 1 ]; then
+ echo "Security scan FAILED"
+ exit 1
+ fi
+ echo "Security scan PASSED"
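Review bot: The "QEMU boot test (RISC-V)" step can never fail the job, because both marker checks end in `|| echo "WARN: …"`, which returns 0 whether or not the marker is present, so a kernel that never reaches "Nim handoff" or "init complete" still produces a green build. If the markers are meant to gate, make the miss terminal: `grep -q "Nim handoff" /tmp/boot.log || { echo "FAIL: Nim handoff not found"; exit 1; }` and the same for "init complete". Separately, `QEMU_PID=$!` after `… | tee /tmp/boot.log &` likely captures the pid of the last pipeline element (tee) rather than qemu, so the later `kill`/`wait` probably do not target the emulator; `timeout 30` is what actually ends it, which should be stated in a comment or fixed by backgrounding qemu alone with `> /tmp/boot.log 2>&1 &`. For supply-chain hygiene, the three `uses: actions/checkout@v4` references resolve a mutable tag; pinning to a full commit SHA (`actions/checkout@<COMMIT_SHA_PLACEHOLDER>  # v4`) keeps the action content from changing underneath the kernel build.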