diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..007b3a8
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,19 @@
+name: CI
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+      - "moltenhub-*"
+
+jobs:
+  validate-repo:
+    name: Validate Repository
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Run repository validator
+        run: ./scripts/validate-repo.sh
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..aeb490e
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,4 @@
+.codex
+.task-logs/
+.moltenhub-agents-*.md
+AGENTS.md
diff --git a/README.md b/README.md
index a46ae92..3f4238b 100644
--- a/README.md
+++ b/README.md
@@ -1 +1,19 @@
-# .github
\ No newline at end of file
+# MoltenBot `.github` Repository
+
+This repository contains organization-level metadata and guardrails used by automation for the `Molten-Bot` GitHub org.
+
+## Repository Layout
+
+- `profile/README.md`: public organization profile content.
+- `scripts/validate-repo.sh`: local and CI repository policy validator.
+- `.github/workflows/ci.yml`: CI entrypoint that runs repository validation.
+
+## Task Routing
+
+Use this repository for:
+
+- organization profile documentation updates.
+- GitHub automation and repository policy checks.
+- git hygiene updates that prevent generated task artifacts from being committed.
+
+Do not use this repository for product/runtime application features. Those belong in the corresponding service repositories.
diff --git a/scripts/validate-repo.sh b/scripts/validate-repo.sh
new file mode 100755
index 0000000..e160f79
--- /dev/null
+++ b/scripts/validate-repo.sh
@@ -0,0 +1,69 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+repo_root="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+cd "$repo_root"
+
+error_count=0
+
+report_error() {
+  echo "error: $1" >&2
+  error_count=$((error_count + 1))
+}
+
+required_files=(
+  ".gitignore"
+  "README.md"
+  "profile/README.md"
+  "scripts/validate-repo.sh"
+  ".github/workflows/ci.yml"
+)
+
+for required_file in "${required_files[@]}"; do
+  if [[ ! -f "$required_file" ]]; then
+    report_error "missing required file '$required_file'"
+  fi
+done
+
+required_ignore_patterns=(
+  ".codex"
+  ".task-logs/"
+  ".moltenhub-agents-*.md"
+)
+
+if [[ -f ".gitignore" ]]; then
+  for required_ignore_pattern in "${required_ignore_patterns[@]}"; do
+    if ! grep -Fxq "$required_ignore_pattern" .gitignore; then
+      report_error ".gitignore is missing '$required_ignore_pattern'"
+    fi
+  done
+fi
+
+if git ls-files --error-unmatch .codex >/dev/null 2>&1; then
+  report_error ".codex is tracked but should be ignored"
+fi
+
+if git ls-files | grep -Eq '^\.task-logs/'; then
+  report_error "files under .task-logs/ are tracked but should be ignored"
+fi
+
+if git ls-files | grep -Eq '^\.moltenhub-agents-[0-9]+\.md$'; then
+  report_error ".moltenhub-agents-*.md files are tracked but should be ignored"
+fi
+
+if [[ -f "README.md" ]] && ! grep -Eq '^[[:space:]]*##[[:space:]]+Task Routing[[:space:]]*$' README.md; then
+  report_error "README.md must include the 'Task Routing' section"
+fi
+
+while IFS= read -r markdown_file; do
+  if grep -Eq '[[:blank:]]+$' "$markdown_file"; then
+    report_error "trailing whitespace found in $markdown_file"
+  fi
+done < <(git ls-files '*.md')
+
+if (( error_count > 0 )); then
+  echo "validation failed with $error_count error(s)" >&2
+  exit 1
+fi
+
+echo "validation passed"