diff --git a/.github/BRANCH_PROTECTION.md b/.github/BRANCH_PROTECTION.md new file mode 100644 index 0000000..11a8d7a --- /dev/null +++ b/.github/BRANCH_PROTECTION.md 
@@ -0,0 +1,65 @@ +# Branch Protection Configuration + +To enforce CI checks and code reviews before merging to `main`, configure the following settings in your GitHub repository. + +## Steps to Configure + +1. Go to your repository on GitHub +2. Navigate to **Settings** → **Branches** +3. Click **Add branch protection rule** +4. Configure the following: + +### Branch name pattern +``` +main +``` + +### Protection Rules + +#### Require a pull request before merging +- ✅ Enable this option +- **Required approvals**: 1 (minimum) +- ✅ Dismiss stale pull request approvals when new commits are pushed +- ✅ Require review from Code Owners (optional, if you have CODEOWNERS file) + +#### Require status checks to pass before merging +- ✅ Enable this option +- ✅ Require branches to be up to date before merging +- **Required status checks** (add these): + - `build-test` + - `sast-sbom` + +#### Additional Recommended Settings +- ✅ Require conversation resolution before merging +- ✅ Do not allow bypassing the above settings +- ✅ Restrict who can push to matching branches (optional - for stricter control) + +## What This Achieves + +- **Automated Quality Gates**: All PRs must pass Maven tests, Go tests, linting, and security scans +- **Human Review**: At least one team member must review and approve changes +- **Security**: Trivy catches high/critical vulnerabilities before merge +- **Traceability**: SBOM artifacts track dependencies for each build +- **Consistency**: Prevents direct pushes to main, enforcing the PR workflow + +## Testing the Setup + +1. Create a test branch: `git checkout -b test/ci-validation` +2. Make a small change and push +3. Open a PR to `main` +4. Verify that CI jobs run automatically +5. 
Confirm that merge is blocked until: + - All CI checks pass (green) + - At least one approval is given + +## CI Job Details + +### build-test +- Runs Maven tests for Java backend +- Runs Go unit tests for CLI +- Runs golangci-lint for Go code quality + +### sast-sbom +- Trivy security scan (HIGH + CRITICAL vulnerabilities) +- Generates Software Bill of Materials (SBOM) with Syft +- Uploads SBOM as workflow artifact diff --git a/.github/CI_STATUS.md b/.github/CI_STATUS.md new file mode 100644 index 0000000..007b40c --- /dev/null +++ b/.github/CI_STATUS.md 
@@ -0,0 +1,92 @@ +# CI Status & Known Issues + +## Current Test Status + +### Backend (Java/Maven) +- **Local Build**: ❌ Fails (requires Java 21, local has Java 11) +- **CI Build**: ✅ Will work (GitHub Actions uses Java 21) +- **Tests**: Need Java 21 to run + +### CLI (Go) +- **Build**: ✅ Compiles successfully +- **Tests**: ❌ Some failures detected: + - `main_test.go`: undefined rootCmd references (5 failures) + - `client_test.go`: timeout test failure + - `parser_property_test.go`: empty intent validation failure + - `repair_decision_test.go`: multiple repair strategy failures + - `repair_strategies_test.go`: flag normalization and typo correction failures + +## What the CI Workflow Does + +The `.github/workflows/ci.yml` will: + +1. **Setup Environment** + - Java 21 (Temurin distribution) + - Go 1.21 + +2. **Run Tests** + - Backend: `mvn -B -DskipTests=false test` + - CLI: `go test ./...` + - Linting: `golangci-lint run ./...` + +3. **Security Scanning** + - Trivy filesystem scan (HIGH + CRITICAL vulnerabilities) + - SBOM generation with Syft + +## Action Required Before CI Will Pass + +### Fix Go Test Failures +The CLI has test failures that need to be fixed: + +```bash +cd cli +go test ./... -v +``` + +Key issues: +- `main_test.go` references undefined `rootCmd` variable +- Parser property tests failing on edge cases +- Repair engine tests failing on specific strategies + +### Verify Java Tests +Once you have Java 21 installed locally: + +```bash +cd backend +mvn test +``` + +## CI Will Block Merges If: +- Maven tests fail +- Go tests fail +- golangci-lint reports issues +- Trivy finds HIGH or CRITICAL vulnerabilities + +## Recommendation + +Before enabling branch protection: +1. Fix the Go test failures in the CLI +2. Ensure all tests pass locally with Java 21 +3. Push to a test branch and verify CI runs successfully +4. 
Then enable branch protection rules + +## Testing the CI Locally + +You can test parts of the CI locally: + +```bash +# Backend tests (requires Java 21) +cd backend +mvn clean test + +# CLI tests +cd cli +go test ./... + +# CLI linting +cd cli +golangci-lint run ./... + +# Security scan +trivy fs --severity HIGH,CRITICAL . +``` diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 0000000..229ff12 --- /dev/null +++ b/.github/workflows/ci.yml @@ -0,0 +1,68 @@ +name: CI + +on: + push: + branches: [ "main", "develop" ] + pull_request: + types: [opened, synchronize, reopened, edited] + +jobs: + build-test: + name: build-test + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Set up Java 21 + uses: actions/setup-java@v4 + with: + distribution: 'temurin' + java-version: '21' + + - name: Backend - Maven test + working-directory: backend + run: mvn -B -DskipTests=false test + + - name: Set up Go + uses: actions/setup-go@v4 + with: + go-version: '1.21' + + - name: CLI - Go test + working-directory: cli + run: go test ./... + continue-on-error: false + + - name: CLI - golangci-lint + working-directory: cli + run: | + curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.58.0 + golangci-lint run ./... + + sast-sbom: + name: sast-sbom + runs-on: ubuntu-latest + needs: build-test + steps: + - uses: actions/checkout@v4 + + - name: Install Trivy + run: | + curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh - + + - name: Trivy filesystem scan (high+critical) + run: trivy fs --severity HIGH,CRITICAL . + + - name: Generate SBOM with Syft + run: | + curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh - + syft packages . -o json > sbom.json + + - name: Upload SBOM artifact + uses: actions/upload-artifact@v4 + with: + name: sbom + path: sbom.json
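Review bot: in the `.github/BRANCH_PROTECTION.md` hunk, the required status checks `build-test` and `sast-sbom` are the job `name:` values from `.github/workflows/ci.yml`, and the doc should say so explicitly: if either job is renamed without updating the rule, GitHub keeps waiting for a check that never reports and every merge to `main` is blocked. The "Testing the Setup" section should therefore also verify that both names show up in the PR's required-checks list, not only that the jobs ran. The "Security: Trivy catches high/critical vulnerabilities before merge" bullet under "What This Achieves" is only true if the Trivy step actually fails the job, which the workflow in this PR does not do as written (it runs `trivy fs` without `--exit-code 1`); either qualify the claim or fix the workflow. Since the goal is a hardened `main`, consider also listing "Require signed commits" and "Require linear history" under the additional settings.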
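Review bot: in the `.github/CI_STATUS.md` hunk, the line "Trivy finds HIGH or CRITICAL vulnerabilities" under "CI Will Block Merges If:" does not match the workflow added in the same PR: the scan step is `trivy fs --severity HIGH,CRITICAL .` with no `--exit-code 1`, so it exits 0 regardless of findings and never blocks anything; either add the flag to the workflow or drop the line. Two smaller points: the `main_test.go: undefined rootCmd references (5 failures)` entry describes undefined identifiers, which in Go are compile errors that fail the package's test build, so `go test ./...` will report a build failure for that package rather than five failing tests; and the "Testing the CI Locally" snippet chains `cd backend` followed by `cd cli`, which only works if `cli` lived inside `backend`, so each block should `cd` relative to the repo root (for example `cd ../cli`) or run in a subshell. Finally, "Current Test Status" and "local has Java 11" describe one developer's machine at one moment and will go stale quickly; the failing tests belong in tracked issues, with this file keeping only the reproducible "how to run locally" commands.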
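Review bot: in the `.github/workflows/ci.yml` hunk, the `Trivy filesystem scan (high+critical)` step cannot fail the `sast-sbom` job, because `trivy fs` returns exit code 0 on findings unless `--exit-code 1` is passed; both docs in this PR present Trivy as a merge gate, so change the step to `trivy fs --severity HIGH,CRITICAL --exit-code 1 .` (and add `--ignore-unfixed` if unfixable findings would otherwise block every PR). Second, the three tool installers (`golangci-lint`, `trivy`, `syft`) are fetched with `curl ... | sh` from the `master`/`main` branches of the upstream repos with no version or checksum pinning (only the golangci-lint binary version is pinned, not the script that installs it), and the actions are referenced by mutable major tags (`@v4`); for a workflow that is itself the supply-chain gate, pin actions to commit SHAs and install the tools at fixed versions via their official actions (`aquasecurity/trivy-action`, `anchore/sbom-action`, `golangci/golangci-lint-action`) or checksum-verified release downloads. Third, there is no top-level `permissions:` block, so the `GITHUB_TOKEN` gets whatever the repository default grants; add `permissions:` with `contents: read` to make it least-privilege. Fourth, `syft packages . -o json` emits Syft's native JSON; if the SBOM is meant for downstream tooling, `-o spdx-json` or `-o cyclonedx-json` is the portable choice. Minor: `types: [opened, synchronize, reopened, edited]` re-runs the whole pipeline on PR title/body edits, `fetch-depth: 0` is unnecessary for tests, and `continue-on-error: false` is the default and can be removed.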