diff --git a/.githooks/pre-commit b/.githooks/pre-commit
new file mode 100755
index 0000000..6ab8e55
--- /dev/null
+++ b/.githooks/pre-commit
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+repo_root="$(git rev-parse --show-toplevel 2>/dev/null || pwd)"
+"${repo_root}/scripts/check-chart.sh"
diff --git a/scripts/check-chart.sh b/scripts/check-chart.sh
new file mode 100755
index 0000000..41c6a80
--- /dev/null
+++ b/scripts/check-chart.sh
@@ -0,0 +1,59 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+repo_root="$(git rev-parse --show-toplevel 2>/dev/null || pwd)"
+chart_dir="${repo_root}/helm"
+rendered_manifest="$(mktemp --suffix=.yaml)"
+release_name="${RELEASE_NAME:-agentguard-ci}"
+
+cleanup() {
+  rm -f "${rendered_manifest}"
+}
+
+require_command() {
+  if ! command -v "$1" >/dev/null 2>&1; then
+    printf 'Missing required command: %s\n' "$1" >&2
+    exit 1
+  fi
+}
+
+run_kubectl_client_check() {
+  require_command kubectl
+  if ! kubectl apply --dry-run=client --validate=false -f "${rendered_manifest}" >/dev/null 2>&1; then
+    cat <<'EOF' >&2
+kubectl client dry-run failed.
+For Argo CRDs, this check can still be environment-sensitive and is optional here.
+Re-run without RUN_KUBECTL_CLIENT_CHECK=1, or use RUN_KUBECTL_SERVER_CHECK=1 against a cluster with the CRDs installed.
+EOF
+    exit 1
+  fi
+}
+
+run_kubectl_server_check() {
+  require_command kubectl
+  kubectl apply --dry-run=server -f "${rendered_manifest}" >/dev/null
+}
+
+trap cleanup EXIT
+
+require_command helm
+require_command argo
+
+printf '==> helm lint\n'
+helm lint "${chart_dir}"
+
+printf '==> helm template\n'
+helm template "${release_name}" "${chart_dir}" > "${rendered_manifest}"
+
+printf '==> argo lint --offline\n'
+argo lint --offline --kinds=clusterworkflowtemplates "${rendered_manifest}"
+
+if [[ "${RUN_KUBECTL_CLIENT_CHECK:-0}" == "1" ]]; then
+  printf '==> kubectl apply --dry-run=client\n'
+  run_kubectl_client_check
+fi
+
+if [[ "${RUN_KUBECTL_SERVER_CHECK:-0}" == "1" ]]; then
+  printf '==> kubectl apply --dry-run=server\n'
+  run_kubectl_server_check
+fi