diff --git a/.github/workflows/go-ci.yml b/.github/workflows/go-ci.yml
index f3c18fa..7d24522 100644
--- a/.github/workflows/go-ci.yml
+++ b/.github/workflows/go-ci.yml
@@ -18,6 +18,12 @@ on:
 description: Run `go run . schema | json.tool` contract check
 type: boolean
 default: true
+ vuln-check:
+ description: >-
+ Run govulncheck against the module's known-vuln database. Escape hatch
+ for the rare case of an un-patchable transitive vuln; keep it on.
+ type: boolean
+ default: true
 permissions:
 contents: read
@@ -31,6 +37,17 @@ jobs:
 with:
 go-version: ${{ inputs.go-version }}
 check-latest: true
+ - name: gofmt (must be clean)
+ # The house Go gate starts with `fmt`; CI fails on any non-gofmt'd file
+ # rather than silently reformatting it.
+ run: |
+ unformatted=$(gofmt -l .)
+ if [ -n "$unformatted" ]; then
+ echo "::error::these files are not gofmt-clean:"; echo "$unformatted"
+ exit 1
+ fi
+ - name: vet
+ run: go vet ./...
 - name: lint
 # Build golangci-lint with the repo's Go toolchain: prebuilt releases are
 # built with an older Go and reject newer go.mod language versions.
@@ -40,6 +57,13 @@ jobs:
 "$(go env GOPATH)/bin/golangci-lint" run
 - name: test
 run: go test -race -cover ./...
+ - name: govulncheck (known-vuln dependency + call-graph scan)
+ # Completes the documented house gate (fmt+vet+lint+test-race+govulncheck).
+ # Queries the live Go vuln DB; the pinned binary only fixes the analyzer.
+ if: ${{ inputs.vuln-check }}
+ run: |
+ go install golang.org/x/vuln/cmd/govulncheck@v1.1.4
+ "$(go env GOPATH)/bin/govulncheck" ./...
 - name: schema contract (must emit valid JSON)
 if: ${{ inputs.schema-check }}
 run: go run . schema | python3 -m json.tool > /dev/null
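Review bot: The `vuln-check` description tells callers to "keep it on" but says nothing about what a caller must do when they do turn it off, so the one-line override of a security gate carries no accountability with it. Since this is the only place a caller reads before flipping the flag, the description should state the expected discipline: that the override is temporary, that the calling workflow should name the unpatchable advisory (its Go vuln DB ID) and a tracking issue next to `vuln-check: false`, and that the flag goes back to `true` once a fixed version ships. A description that long fits the existing `>-` folded block; the `inputs` mapping that encloses this hunk starts outside it.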
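Review bot: `gofmt -l .` in the new gofmt step walks every directory under the checkout, while the `vet`, `lint` and `test` steps scope themselves to `./...`, so if the repository ever carries a `vendor/` tree or a nested module (fixtures under `testdata/`, for instance) this gate can fail on third-party or fixture files that no house code touched. Scoping gofmt to the module's own tracked sources keeps the four steps consistent, e.g. `unformatted=$(git ls-files -z -- '*.go' ':(exclude)vendor/' | xargs -0 -r gofmt -l)`. While here, per-file annotations surface in the PR checks tab where a single `::error::` header does not: `while read -r f; do echo "::error file=$f::not gofmt-clean"; done <<<"$unformatted"` in place of the two `echo` calls. The `steps` list this hunk adds to begins and ends outside the hunk.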
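Review bot: When a caller sets `vuln-check: false` the govulncheck step is skipped with no trace in the run, so the escape hatch the input describes as rare becomes invisible exactly where reviewers look to see that the gate ran. A sibling step makes the bypass show up as a warning annotation on every such run: `- name: govulncheck skipped (vuln-check=false)` / `if: ${{ !inputs.vuln-check }}` / `run: echo "::warning::govulncheck disabled via vuln-check=false; the calling workflow should cite the unpatchable advisory"`. Two caveats worth a comment next to the existing ones: a non-zero exit here can appear on a PR that changed nothing, because the live DB gained an advisory, which is intended but surprises people; and govulncheck's source-mode call-graph analysis is, to my understanding, evaluated for the runner's GOOS/GOARCH and build tags, so platform-guarded call paths in the module would not be reported — confirm against the govulncheck docs if the module ships such code. Pinning by tag rather than hash is acceptable for `go install` since the Go checksum database verifies the module contents.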