diff --git a/.gitea/workflows/ci.yaml b/.gitea/workflows/ci.yaml
new file mode 100644
index 0000000..55054fb
--- /dev/null
+++ b/.gitea/workflows/ci.yaml
@@ -0,0 +1,22 @@
+# ABOUTME: Runs cargo audit (RustSec CVE scan) against the locked dependency tree.
+# ABOUTME: Supply-chain gate — fails on a known advisory.
+
+name: Audit
+
+on:
+  push:
+    branches: [main]
+    tags: ['v*']
+  pull_request:
+    branches: [main]
+
+jobs:
+  cargo-audit:
+    runs-on: moonarch
+    steps:
+      - name: Checkout
+        run: git clone http://gitea:3000/nevaforget/moonlock.git src
+      - name: Install cargo-audit
+        run: cargo install cargo-audit --locked
+      - name: Audit
+        run: cd src && cargo audit
diff --git a/.gitignore b/.gitignore
index 96f8630..31653c2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,7 +1,3 @@
 /target
-# makepkg build artifacts
-pkg/src/
-pkg/pkg/
-pkg/moonlock/
-pkg/*.pkg.tar.*
+.pytest_cache/
diff --git a/DECISIONS.md b/DECISIONS.md
index 6c16947..8bce45b 100644
--- a/DECISIONS.md
+++ b/DECISIONS.md
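Review bot: The Checkout step `run: git clone http://gitea:3000/nevaforget/moonlock.git src` clones whatever the default branch currently points to, so for the `tags: ['v*']` and `pull_request` triggers the audit runs against `main` HEAD rather than the ref that fired the workflow; adding `git -C src checkout ${{ github.sha }}` after the clone would make the gate audit the triggering commit (Gitea Actions mirrors the `github` context, but that is worth confirming on the `moonarch` runner on first run). The Install step pulls an unpinned cargo-audit from crates.io on every run, which is itself an unpinned supply-chain input inside a supply-chain gate; pinning it, e.g. `run: cargo install cargo-audit --locked --version 0.22.2` (the version the accompanying DECISIONS entry reports), keeps results reproducible across runs. Also, `cargo audit` with no `--deny` flag exits non-zero only for vulnerability advisories, so the ABOUTME line "fails on a known advisory" holds for that category alone while unmaintained, unsound and yanked warnings pass; either narrow the comment to `# ABOUTME: Supply-chain gate — fails on a known vulnerability advisory (warnings do not fail the job).` or use `run: cd src && cargo audit --deny warnings` to match the stated intent.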
@@ -2,6 +2,13 @@
 Architectural and design decisions for Moonlock, in reverse chronological order.
+## 2026-06-17 – Add cargo-audit CI gate, remove orphaned `-git` PKGBUILD
+
+- **Who**: ClaudeCode, Dom
+- **Why**: A hygiene audit found supply chain and dependency health clean (`cargo audit` 0.22.2: 0 vulnerabilities across 116 crates), but flagged repo-hygiene gaps: CI (`.gitea/workflows/`) only auto-bumped pkgver and ran no vulnerability scan, so a future advisory against a locked dependency would go undetected; `pkg/PKGBUILD` was an orphaned `moonlock-git` VCS PKGBUILD (`pkgver=0.4.1.r1...`, two minor versions behind v0.6.18) left over from the pre-tag-build era — the canonical packaging now lives in `moonarch-pkgbuilds/moonlock/PKGBUILD` and is auto-bumped by `update-pkgver.yaml`; a stray `.pytest_cache/` sat in the repo root of this pure-Rust project, only suppressed by a user-global gitignore.
+- **Tradeoffs**: CI gate scoped to `cargo audit` only, not `cargo test`/`clippy`/`build` — `cargo audit` parses `Cargo.lock` and needs no GTK4/PAM build environment, whereas the broader checks depend on the `moonarch` runner having the full dev toolchain, which is unverified and beyond the hygiene scope. `cargo install cargo-audit` recompiles per run (~2-3 min); accepted, caching deferred. Open risk: the runner must provide a Rust toolchain (`cargo`); `update-pkgver.yaml` only uses `git`, so this needs validation on first run. Deleting `pkg/PKGBUILD` rather than updating it: it is not in the build pipeline and the `-git` variant was abandoned at the tag-build switch (see `moonarch-pkgbuilds/DECISIONS.md` 2026-06-10).
+- **How**: New `.gitea/workflows/ci.yaml` (`Audit` workflow, triggers on push to `main`, `v*` tags, and PRs to `main`) clones the repo and runs `cargo audit`. Removed `pkg/PKGBUILD` and the empty `pkg/` dir; dropped the now-dead `pkg/*` makepkg-artifact lines from `.gitignore` and added `.pytest_cache/`.
No version bump — no code or behavior change to the binary.
+
 ## 2026-06-17 – Restore hardened release profile after the crash hunt (v0.6.18)
 
 - **Who**: ClaudeCode, Dom
diff --git a/pkg/PKGBUILD b/pkg/PKGBUILD
deleted file mode 100644
index bdb9492..0000000
--- a/pkg/PKGBUILD
+++ /dev/null
@@ -1,51 +0,0 @@
-# ABOUTME: PKGBUILD for Moonlock — secure Wayland lockscreen.
-# ABOUTME: Builds from git source with automatic version detection.
-
-# Maintainer: Dominik Kressler
-
-pkgname=moonlock-git
-pkgver=0.4.1.r1.g78bcf90
-pkgrel=1
-pkgdesc="A secure Wayland lockscreen with GTK4, PAM and fingerprint support"
-arch=('x86_64')
-url="https://gitea.moonarch.de/nevaforget/moonlock"
-license=('MIT')
-depends=(
-    'gtk4'
-    'gtk4-layer-shell'
-    'gtk-session-lock'
-    'pam'
-    'systemd-libs'
-)
-makedepends=(
-    'git'
-    'cargo'
-)
-optdepends=(
-    'fprintd: fingerprint authentication support'
-)
-provides=('moonlock')
-conflicts=('moonlock')
-source=("git+${url}.git")
-sha256sums=('SKIP')
-
-pkgver() {
-    cd "$srcdir/moonlock"
-    git describe --long --tags | sed 's/^v//;s/-/.r/;s/-/./'
-}
-
-build() {
-    cd "$srcdir/moonlock"
-    cargo build --release --locked
-}
-
-package() {
-    cd "$srcdir/moonlock"
-    install -Dm755 target/release/moonlock "$pkgdir/usr/bin/moonlock"
-
-    # PAM configuration
-    install -Dm644 config/moonlock-pam "$pkgdir/etc/pam.d/moonlock"
-
-    # Example config
-    install -Dm644 config/moonlock.toml.example "$pkgdir/etc/moonlock/moonlock.toml.example"
-}