diff --git a/.forgejo/workflows/check.yaml b/.forgejo/workflows/check.yaml
index 8fde0b1..18b1d4c 100644
--- a/.forgejo/workflows/check.yaml
+++ b/.forgejo/workflows/check.yaml
@@ -1,31 +1,68 @@
-on: [push]
+on:
+  push:
+    paths:
+      - src/**
+      - tests/**
+      - .forgejo/**
+      - Cargo.toml
+      - Cargo.lock
+env:
+  JUST_VERSION: 1.45.0
+  JUST_SHA256SUM: dc3f958aaf8c6506dd90426e9b03f86dd15e74a6467ee0e54929f750af3d9e49
+  CARGO_LLVM_COV_VERSION: 0.6.21
+  CARGO_LLVM_COV_SHA256SUM: 57f491aedf7cdb261538ceb49cbb1ee9d27df7ca205a5e1a009caaf5cb911afb
 jobs:
-  print-content:
+  verify:
     runs-on: docker
+    timeout-minutes: 20
     container:
       image: rust:slim
     steps:
-      - name: install action dependencies
-        run: apt install --no-install-recommends --update -y nodejs just
-      - name: setup toolchain
+      - name: Install action dependencies
         run: |
-          rustup component add rustfmt clippy llvm-tools-preview
-          cargo install cargo-llvm-cov --locked
+          apt-get install --no-install-recommends --update -y nodejs curl
 
-      - name: checkout code
+      - name: Checkout code
         uses: actions/checkout@v6
 
-      - name: build
+      - name: Setup Rust toolchain
+        run: |
+          rustup component add rustfmt clippy llvm-tools-preview
+
+      - name: Setup additional tooling
+        run: |
+          fetch() {
+            repo="$1"; tag="$2"; filename="$3"; digest="$4"
+
+            curl -sSLO -w '%{stderr}HTTP %{response_code} %{url}\n' \
+                "https://github.com/$repo/releases/download/$tag/$filename"
+
+            printf '%s  %s\n' "$digest" "$filename" > digest
+            sha256sum --check digest && tar xf "$filename" -C tools
+          }
+
+          mkdir tools
+
+          fetch casey/just ${{ env.JUST_VERSION }} \
+            just-${{ env.JUST_VERSION }}-x86_64-unknown-linux-musl.tar.gz \
+            ${{ env.JUST_SHA256SUM }}
+          fetch taiki-e/cargo-llvm-cov v${{ env.CARGO_LLVM_COV_VERSION }} \
+            cargo-llvm-cov-x86_64-unknown-linux-gnu.tar.gz \
+            ${{ env.CARGO_LLVM_COV_SHA256SUM }}
+
+          mv -v tools/just tools/cargo-llvm-cov /usr/local/bin
+
+      - name: Build
         run: just build
 
-      - name: format
+      - name: Format
         run: just format-assess
-      - name: lint
+      - name: Lint
         run: just lint-assess
-      - name: check
-        run: just check-assess
-      - name: test
-        run: just test-assess
-      - name: coverage
+      - name: Cargo check
+        run: just check
+      - name: Test
+        run: just test
+      - name: Assess test coverage
         run: just cover-assess
 
diff --git a/.justfile b/.justfile
index 159f24e..f574647 100644
--- a/.justfile
+++ b/.justfile
@@ -167,8 +167,12 @@ cover-assess: test-cover
     {{ cover_cmd }} --fail-under-regions 95 report
 
 # Run all assessments
-[group: 'assess']
-verify: format-assess lint-assess check test cover-assess
+[script, group: 'assess']
+verify: && format-assess lint-assess check test cover-assess
+    if [ -n "$(git status --porcelain)" ]; then
+        echo "Git working tree is dirty: Commit or stash your changes first"
+        exit 1
+    fi
 
 alias v := verify
 
@@ -215,3 +219,5 @@ debug_vars := 'DEBUG=${DEBUG:-} DEBUG_FILTER=${DEBUG_FILTER:-}'
 watch_cmd := "watchexec -qc -r -e rs,toml,html --color always -- "
 cover_cmd := 'cargo llvm-cov --color always --ignore-filename-regex "main\.rs|dev\.rs"'
 just_cmd := 'just --timestamp --explain --command-color green'
+
+set unstable
diff --git a/docs/development/ci/ci.md b/docs/development/ci/ci.md
new file mode 100644
index 0000000..5b4f278
--- /dev/null
+++ b/docs/development/ci/ci.md
@@ -0,0 +1,84 @@
+# Continuous Integration
+
+A workflow defined at `.forgejo/workflows/check.yaml` performs several checks as defined in `.justfile`. This allows for the same commands to be run locally to similar effect.
+
+Beware however, some differences in the CI environment:
+
+- Git doesn't track empty directories, so any of those will be absent
+- The current image, [rust:slim](https://github.com/rust-lang/docker-rust/blob/c2c1f6504026242abc852c0ac82b3c30b4770dc5/stable/trixie/slim/Dockerfile), is based on Debian stable
+
+## Updating binaries fetched in CI
+
+The CI workflow has some hardcoded versions for the following tooling:
+
+| Tool           | Repository                  | Asset filename pattern                           |
+|:--------------:|:---------------------------:|-------------------------------------------------:|
+| just           | [casey/just][1]             | `just-1.45.0-x86_64-unknown-linux-musl.tar.gz`   |
+| cargo-llvm-cov | [taiki-e/cargo-llvm-cov][2] | `cargo-llvm-cov-x86_64-unknown-linux-gnu.tar.gz` |
+
+[1]: https://github.com/casey/just
+[2]: https://github.com/taiki-e/cargo-llvm-cov
+
+These should be relatively recent to keep up with development environments, but don't really need to change often unless an interesting feature or security patch is available. When updates are desirable, they must be done manually so the actual changes behind each release can be properly reviewed and tested.
+
+## Determining latest release
+
+A script is available in this directory to check for the last release on the tooling currently used. If a new release is available, it prints out some relevant information for deciding about an acting upon a CI workflow update.
+
+To update the version, just edit the `env` section at the top of the workflow file with the new version tag and corresponding sha256sum value.
+
+### Getting tooling release data from the GitHub API
+
+The `GET` endpoint `/repos/{owner}/{repo}/releases` can be used to list the existing releases.
+
+```sh
+curl -L \
+  -H "Accept: application/json" \
+  https://api.github.com/repos/OWNER/REPO/releases
+```
+
+This will return an array of release objects starting from the latest releases.
+
+Relevant response fields in these objects include:
+
+- `.tag_name`: Tag for specific, more detailed queries including assets (see below)
+- `.draft`: Release was marked as draft. If true, don't use the release in CI.
+- `.prerelease`: Release was marked as prerelease. If true, don't use the release in CI.
+- `.html_url`: Sometimes includes notes with notable release changes.
+- `.body`: Same as above, but directly in the response body.
+- `.created_at`: Date the release was created (even if as a draft)
+- `.published_at`: Date the release was published (e.g., from draft to published)
+
+The `GET`endpoints `/repos/{owner}/{repo}/releases/latest` and `/repos/{owner}/{repo}/releases/tags/{tag}` can be used to get information on the very latest release and on a specific release as referenced by its tag.
+
+```sh
+curl -L \
+  -H "Accept: application/json" \
+  https://api.github.com/repos/OWNER/REPO/releases/latest
+```
+
+```sh
+curl -L \
+  -H "Accept: application/json" \
+  https://api.github.com/repos/OWNER/REPO/releases/tags/TAG
+```
+
+For both of these endpoints, relevant fields include:
+
+- `.tag_name`: From the `latest` endpoint, allows constructing a canonical URI for the release
+- `.assets_url`: ?
+- `.html_url`, `.body`, `.draft`, `.prerelease`: See above
+
+- `.assets`: An array of asset objects
+- `.assets.[].name`: File name, to be matched with the table above
+- `.assets.[].digest`: Contains the sha256sum value
+- `.assets.[].url`: A URL that returns this asset object alone
+- `.assets.[].browser_download_url` Contains a download URL to fetch the actual asset
+
+For the GitHub API reference, see <https://docs.github.com/en/rest/releases/releases?apiVersion=2022-11-28>.
+
+## Notes
+
+Some other notes relevant to modifying the CI workflow:
+
+- `$PATH` in CI is `/usr/local/cargo/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin` as of [docker-rust](https://github.com/rust-lang/docker-rust) commit `c2c1f65`, 2025-12-27
diff --git a/docs/development/ci/tool-versions.sh b/docs/development/ci/tool-versions.sh
new file mode 100755
index 0000000..239b746
--- /dev/null
+++ b/docs/development/ci/tool-versions.sh
@@ -0,0 +1,45 @@
+#!/usr/bin/env sh
+
+tools="
+casey/just just-%VERSION%-x86_64-unknown-linux-musl.tar.gz
+taiki-e/cargo-llvm-cov cargo-llvm-cov-x86_64-unknown-linux-gnu.tar.gz
+"
+
+git_root=$(git rev-parse --show-toplevel)
+
+get_release() {
+    repo="$1"
+
+   curl -sSL \
+      -H "Accept: application/json" \
+      "https://api.github.com/repos/$repo/releases/latest"
+}
+
+q() { printf '%s' "$1" | jq -r "$2"; }
+
+printf '%s' "$tools" | while read -r repo asset_template; do
+    [ -n "$repo" ] || continue
+    release=$(get_release "$repo")
+    workflow_var=$(echo "$repo" | tr '[:lower:]' '[:upper:]' | tr '-' '_' | cut -d '/' -f 2)_VERSION
+    current=$(grep -m 1 "$workflow_var" "$git_root/.forgejo/workflows/check.yaml" | awk '{print $2}')
+    latest=$(q "$release" .tag_name | tr -d v)
+    echo "$repo"
+    echo "In use: $current"
+    echo "Latest: $latest"
+    if [ "$current" != "$latest" ]; then
+        echo "  Published: $(q "$release" .published_at)"
+        echo "  [ Draft: $(q "$release" .draft) ] [ Prerelease: $(q "$release" .prerelease) ]"
+        echo "  URL: $(q "$release" .html_url)"
+        echo "  $(q "$release" .body)"
+        asset_pattern=$(printf '%s' "$asset_template" | sed "s/%VERSION%/$latest/g")
+        asset=$(q "$release" ".assets[] | select(.name == \"$asset_pattern\")")
+        if [ -n "$asset" ]; then
+            echo "    Asset: $(q "$asset" .name)"
+            echo "    sha256sum: $(q "$asset" .digest)"
+            echo "    URL: $(q "$asset" .browser_download_url)"
+        else
+            echo " No asset matching pattern $asset_pattern in this release"
+        fi
+    fi
+    echo
+done
diff --git a/docs/notes.md b/docs/development/notes.md
similarity index 100%
rename from docs/notes.md
rename to docs/development/notes.md