diff --git a/.github/workflows/code-warden.yml b/.github/workflows/code-warden.yml
index 1314939..5776012 100644
--- a/.github/workflows/code-warden.yml
+++ b/.github/workflows/code-warden.yml
@@ -25,14 +25,20 @@ jobs:
           cache: 'npm'
           cache-dependency-path: code-warden/package.json
 
-      - name: Lint — enforce file length limits
+      - name: Governance report
         working-directory: code-warden
-        run: npm run lint
+        run: npm run report
 
-      - name: Secrets — zero-trust scan
+      - name: Publish governance summary
+        if: always()
         working-directory: code-warden
-        run: npm run check-secrets
+        run: npm run report:md >> $GITHUB_STEP_SUMMARY
 
-      - name: Doctor — source integrity check
-        working-directory: code-warden
-        run: node install.js --doctor
+      - name: Upload governance artifact
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: code-warden-report
+          path: code-warden/.code-warden-report.json
+          if-no-files-found: ignore
+          retention-days: 90
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..5ed3f1e
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+node_modules/
+.code-warden-report.json