diff --git a/.github/workflows/codeguard.yml b/.github/workflows/codeguard.yml
index 03345c4..7e07258 100644
--- a/.github/workflows/codeguard.yml
+++ b/.github/workflows/codeguard.yml
@@ -1,10 +1,7 @@
-name: CodeGuard
-
+name: CodeGuard Governance
 on:
- push:
- branches: [master]
 pull_request:
- branches: [master]
+ types: [opened, synchronize, reopened]
 permissions:
 contents: read
@@ -12,27 +9,19 @@ permissions:
 jobs:
 codeguard:
+ name: GuardSpine CodeGuard
 runs-on: ubuntu-latest
- environment: codeguard-check
 steps:
 - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
- - name: Run CodeGuard analysis
- uses: DNYoussef/codeguard-action@main
+ - uses: DNYoussef/codeguard-action@v1
 with:
- github_token: ${{ secrets.GITHUB_TOKEN }}
 risk_threshold: L3
 rubric: default
+ github_token: ${{ github.token }}
+ guardspine_api_key: ${{ secrets.GUARDSPINE_API_KEY }}
+ guardspine_api_url: https://backend-production-0f5d.up.railway.app/api/v1
 post_comment: "true"
 generate_bundle: "true"
- fail_on_high_risk: "true"
- ai_review: "true"
- openrouter_api_key: ${{ secrets.OPENROUTER_API_KEY }}
- - name: Upload evidence bundle
- if: always()
- uses: actions/upload-artifact@v4
- with:
- name: codeguard-evidence-bundle
- path: .guardspine/
- retention-days: 90
diff --git a/.guardspine/config.yml b/.guardspine/config.yml
new file mode 100644
index 0000000..d46e1f4
--- /dev/null
+++ b/.guardspine/config.yml
@@ -0,0 +1,17 @@
+# GuardSpine CodeGuard Configuration
+# Generated during onboarding
+
+api_url: https://backend-production-0f5d.up.railway.app/api/v1
+project_id: proj-6f3ab4e6183d
+
+rubric_packs:
+ - security-baseline
+ - pii-shield
+
+evidence:
+ upload: true
+ format: json
+ sign: true
+
+notifications:
+ slack_channel:
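Review bot: `permissions:` still grants only `contents: read`, yet the job below hands `github.token` to an action configured with `post_comment: "true"`; if that action uses the token to comment on the pull request (its implementation is not visible here), a `pull_request` run will be refused with a 403, so add `pull-requests: write` next to `contents: read` rather than widening to `write-all`. Dropping the `branches: [master]` filter also means the check now runs for pull requests against every branch, and removing the `push` trigger means a direct push to master is never scanned — if that is deliberate, say so above `on:`, e.g. `# PR-only: direct pushes to master are not scanned; rely on branch protection for that`.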
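Review bot: `uses: DNYoussef/codeguard-action@v1` is a mutable tag, and this step now receives both `github.token` and `secrets.GUARDSPINE_API_KEY`, so anyone who can move that tag can run arbitrary code with the repo token and read the API key; pin it to a full commit SHA, `uses: DNYoussef/codeguard-action@<40-char-sha> # v1`, and bump the SHA deliberately. With `fail_on_high_risk: "true"` and `environment: codeguard-check` both removed, a finding above `risk_threshold: L3` presumably no longer fails the job (the action's default is not shown) and the API key is no longer gated by environment protection rules — if the check is now advisory by design, a comment such as `# advisory only: findings are reported, not enforced` would stop the next reader from assuming it blocks merges. Secrets are not passed to `pull_request` runs from forked repositories, so `guardspine_api_key` will be empty there; how the action behaves on an empty key is not visible, so confirm it fails closed rather than posting unauthenticated. The `guardspine_api_url` value is a hard-coded third-party endpoint that receives the evidence bundle, and the old `upload-artifact` step that kept a copy in the repo's own artifacts is gone; consider `${{ vars.GUARDSPINE_API_URL }}` so the destination is auditable outside the workflow file.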
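Review bot: `slack_channel:` on the last line is a bare empty value, which YAML loads as `null` rather than an empty string; if notifications are intentionally unconfigured, drop the key or write `slack_channel: null` (or `""` if the consumer expects a string) so the intent survives a reformat. `api_url` here duplicates the `guardspine_api_url` input set in the workflow, and which one the action honours is not visible, so keep a single source of truth or mark it with `# must match guardspine_api_url in .github/workflows/codeguard.yml`. `evidence.upload: true` with `sign: true` ships the bundle off-repo to that URL, but neither the signing key nor the bundle contents are shown; given `pii-shield` is among the rubric packs, confirm the bundle carries findings only and not source or data under review.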