diff --git a/.github/workflows/fork-ci.yml b/.github/workflows/fork-ci.yml
index ccc5bc8..9fe1bce 100644
--- a/.github/workflows/fork-ci.yml
+++ b/.github/workflows/fork-ci.yml
@@ -94,7 +94,7 @@ jobs:
         run: |
           python -m pip install --upgrade pip
           pip install -r requirements.txt
-          pip install pytest pytest-asyncio
+          pip install pytest pytest-asyncio httpx
       - name: collect tests
         # Collection imports test modules without running them. Catches
         # ImportError / SyntaxError / fixture-parse errors without
@@ -106,6 +106,68 @@ jobs:
         run: |
           pytest --collect-only -q tests/ test_*.py 2>&1 | tail -40
 
+  pytest-run:
+    name: pytest (credit middleware)
+    runs-on: ubuntu-latest
+    services:
+      postgres:
+        image: postgres:16
+        env:
+          POSTGRES_DB: moltstack
+          POSTGRES_USER: moltstack
+          POSTGRES_PASSWORD: ci-pw
+        ports:
+          - 5432:5432
+        options: >-
+          --health-cmd pg_isready
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+          cache: pip
+          cache-dependency-path: requirements.txt
+      - name: install requirements + pytest
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r requirements.txt
+          pip install pytest pytest-asyncio httpx
+      - name: init test DB schema
+        # init_db.sql uses IF NOT EXISTS — idempotent, safe to run
+        # repeatedly. Uses plain text password via PGPASSWORD — safe
+        # because this runs in an ephemeral CI container.
+        env:
+          PGPASSWORD: ci-pw
+          PGUSER: moltstack
+        run: |
+          psql -h localhost -U moltstack -d moltstack -f init_db.sql
+          # CI schema alignment: columns/tables present on live DB but missing from init_db.sql
+          psql -h localhost -U moltstack -d moltstack -c "ALTER TABLE api_keys ADD COLUMN IF NOT EXISTS email TEXT;"
+          # request_log is referenced by middleware during test runs. Table not in
+          # init_db.sql — add minimal schema so INSERTs don't flood the log.
+          psql -h localhost -U moltstack -d moltstack -c "CREATE TABLE IF NOT EXISTS request_log (id BIGSERIAL PRIMARY KEY, endpoint TEXT, method TEXT, status_code INT, ip TEXT, user_agent TEXT, response_ms FLOAT, source TEXT, ip_org TEXT, ip_country TEXT, created_at TIMESTAMPTZ DEFAULT NOW());"
+      - name: run credit middleware tests
+        # These tests require a live Postgres because credit_middleware
+        # connects via db_pool (asyncpg). The service container provides
+        # a fresh Postgres on localhost:5432.
+        # MOLTRUST_ADMIN_USERS needs a valid bcrypt hash for the format
+        # check — the placeholder below passes the regex but won't match
+        # any real password.
+        env:
+          MOLTRUST_API_KEYS: 'mt_ci_placeholder_key'
+          NONCE_SECRET: 'ci-placeholder-nonce-secret'
+          MOLTSTACK_DB_PW: 'ci-pw'
+          DB_NAME: moltstack
+          DB_HOST: localhost
+          MOLTRUST_ADMIN_USERS: 'ci-admin:admin:$2b$12$ciplaceholderhashforadminusersformatcheck'
+          MOLTRUST_ENV: 'ci'
+          CREDITS_ENABLED: 'true'
+        run: |
+          python -m pytest tests/test_credit_middleware.py -v --tb=short 2>&1
+
   ruff:
     name: ruff (informational)
     runs-on: ubuntu-latest