diff --git a/.github/workflows/freeze-envelope.yml b/.github/workflows/freeze-envelope.yml
new file mode 100644
index 0000000..fea1da7
--- /dev/null
+++ b/.github/workflows/freeze-envelope.yml
@@ -0,0 +1,15 @@
+name: Freeze Envelope Byte Contract
+
+on:
+ push:
+ pull_request:
+
+jobs:
+ freeze-envelope:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: dtolnay/rust-toolchain@stable
+ - name: Assert EventEnvelope byte contract
+ run: cargo test -p vaultmesh-command-center test_event_envelope_canonicalization_bytes
+
diff --git a/COOLING_CHECKLIST.md b/COOLING_CHECKLIST.md
index e12332e..b0e08ad 100644
--- a/COOLING_CHECKLIST.md
+++ b/COOLING_CHECKLIST.md
@@ -2,3 +2,8 @@
 For the next 30 days, treat these as frozen invariants: do not change `EventEnvelope` `format`/`schema` semantics, do not reorder top-level envelope fields, do not change timestamp precision (UTC `Z`, seconds-only), do not change payload key-sorting rules (objects sorted recursively; arrays preserve order), do not change the JSONL newline byte contract (one LF per line), and do not silently change hash algorithms when/if leaf hashing is introduced—only evolve via an explicit schema/version bump.
+No envelope changes without: a payload schema bump, a full replay audit rerun, and a new freeze tag.
+
+Freeze tag: `v0.8-freeze-envelope-v0` currently exists locally; when ready to publish, push it (and the commit) with:
+- `git push origin 1830e0f:main`
+- `git push origin v0.8-freeze-envelope-v0`
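Review bot: Both `uses:` lines in the new freeze-envelope.yml reference mutable refs (`actions/checkout@v4`, `dtolnay/rust-toolchain@stable`), so the code executed by this gate can change without any commit in this repository. Since the job exists to guard a frozen byte contract, pin each action to a full commit SHA with the tag kept as a comment, e.g. `- uses: actions/checkout@<full-commit-sha> # v4`. The workflow also declares no `permissions:` block, so the job runs with the repository's default `GITHUB_TOKEN` scope although it only needs to read the source; add a top-level `permissions:` with `contents: read` under it. Because `cargo test` compiles and runs dependency build scripts, it is also worth setting `persist-credentials: false` under a `with:` on the checkout step so the token is not left in the local git config.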