diff --git a/.env.example b/.env.example
new file mode 100644
index 0000000..633168b
--- /dev/null
+++ b/.env.example
@@ -0,0 +1,9 @@
+# dotnet-cqrs Environment Configuration
+# Copy to .env and fill in values before running
+
+# NuGet publishing (required for dotnet pack + push)
+NUGET_API_KEY=
+
+# Application URLs (for Svrnty.Sample project)
+ASPNETCORE_URLS=http://localhost:19898
+ASPNETCORE_ENVIRONMENT=Development
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 237cf39..86a0c74 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -32,3 +32,6 @@ jobs:
 
       - name: Test
         run: dotnet test Svrnty.CQRS.sln --no-build --verbosity normal
+
+      - name: Format check
+        run: dotnet format Svrnty.CQRS.sln --verify-no-changes
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..237a17a
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,47 @@
+name: CodeQL
+
+on:
+  push:
+    branches: [JP]
+  pull_request:
+    branches: [JP]
+  schedule:
+    - cron: "0 8 * * 1" # Weekly on Monday at 08:00 UTC
+
+concurrency:
+  group: codeql-${{ github.event.pull_request.number || github.sha }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  analyze:
+    name: CodeQL Analysis
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [csharp]
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: "10.0.x"
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+
+      - name: Build
+        run: dotnet build Svrnty.CQRS.sln
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{ matrix.language }}"