diff --git a/.github/workflows/validate-strict.yaml b/.github/workflows/validate-strict.yaml
new file mode 100644
index 00000000..8cd053ff
--- /dev/null
+++ b/.github/workflows/validate-strict.yaml
@@ -0,0 +1,66 @@
+name: validate-strict
+
+on:
+  pull_request:
+    paths: &trigger_paths
+      - "kb/communities/**"
+      - "src/communitymech/schema/**"
+      - "src/communitymech/**/*.py"
+      - "scripts/**/*.py"
+      - "tests/**/*.py"
+      - "justfile"
+      - "pyproject.toml"
+      - "uv.lock"
+      - ".github/workflows/validate-strict.yaml"
+  push:
+    branches: [main]
+    paths: *trigger_paths
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  validate-strict:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: extractions/setup-just@v3
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.10"
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v5
+        with:
+          version: "latest"
+          enable-cache: true
+
+      - name: Install dependencies
+        # --frozen fails the workflow if uv.lock is stale (don't silently
+        # re-resolve in CI). --all-extras keeps parity with the existing
+        # network-quality.yml workflow and ensures pytest + optional deps
+        # are available for the test step below.
+        run: uv sync --frozen --all-extras
+
+      - name: Run validate-strict (closed-schema LinkML validation)
+        run: just validate-strict
+
+      - name: Run audit-writers
+        run: just audit-writers
+
+      - name: Run tests
+        run: uv run pytest tests/ -q --no-cov
+
+      - name: Upload reports
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: validate-strict-reports-${{ github.run_id }}
+          path: |
+            reports/instance_validation_failures.tsv
+            reports/pipeline_writers_audit.tsv
+          if-no-files-found: warn