diff --git a/.gitea/workflows/build-host-agent.yml b/.gitea/workflows/build-host-agent.yml
new file mode 100644
index 0000000..24bfdc9
--- /dev/null
+++ b/.gitea/workflows/build-host-agent.yml
@@ -0,0 +1,115 @@
+name: Build Host Agent (Rust)
+
+# Rust agent ships on its own tag namespace (agent-v*) so it never collides
+# with the legacy Go pipeline (v*.*.*). Artifacts publish to the CDN /alpha/
+# channel — /host-agent/latest/ stays on the Go build until cutover.
+
+on:
+  push:
+    tags:
+      - 'agent-v*'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    env:
+      # Override the macOS toolchain names in corrosion-host-agent/.cargo/config.toml
+      # (real env beats the config [env] table).
+      CARGO_TARGET_X86_64_UNKNOWN_LINUX_MUSL_LINKER: musl-gcc
+      CC_x86_64_unknown_linux_musl: musl-gcc
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Get version from tag
+        id: version
+        run: echo "VERSION=${GITHUB_REF#refs/tags/agent-v}" >> $GITHUB_OUTPUT
+
+      - name: Verify tag matches Cargo.toml
+        run: |
+          CARGO_VERSION=$(grep '^version' corrosion-host-agent/Cargo.toml | head -1 | sed 's/.*"\(.*\)"/\1/')
+          if [ "${{ steps.version.outputs.VERSION }}" != "$CARGO_VERSION" ]; then
+            echo "Tag agent-v${{ steps.version.outputs.VERSION }} does not match Cargo.toml version $CARGO_VERSION"
+            exit 1
+          fi
+
+      - name: Install cross toolchains
+        run: |
+          sudo apt-get update -qq
+          sudo apt-get install -y -qq musl-tools gcc-mingw-w64-x86-64
+          rustup target add x86_64-unknown-linux-musl x86_64-pc-windows-gnu
+
+      - name: Build Linux AMD64 (static musl)
+        run: |
+          cd corrosion-host-agent
+          cargo build --release --target x86_64-unknown-linux-musl
+          mkdir -p bin
+          cp target/x86_64-unknown-linux-musl/release/corrosion-host-agent bin/corrosion-host-agent-linux-amd64
+          chmod +x bin/corrosion-host-agent-linux-amd64
+
+      - name: Build Windows AMD64 (mingw)
+        run: |
+          cd corrosion-host-agent
+          cargo build --release --target x86_64-pc-windows-gnu
+          cp target/x86_64-pc-windows-gnu/release/corrosion-host-agent.exe bin/corrosion-host-agent-windows-amd64.exe
+
+      - name: Generate checksums
+        run: |
+          cd corrosion-host-agent/bin
+          sha256sum corrosion-host-agent-linux-amd64 > checksums.txt
+          sha256sum corrosion-host-agent-windows-amd64.exe >> checksums.txt
+          cat checksums.txt
+
+      - name: Create Release
+        env:
+          RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
+        run: |
+          API_URL="${{ github.server_url }}/api/v1"
+          REPO="${{ github.repository }}"
+          VERSION="agent-v${{ steps.version.outputs.VERSION }}"
+
+          RESPONSE=$(curl -s -X POST \
+            -H "Authorization: token ${RELEASE_TOKEN}" \
+            -H "Content-Type: application/json" \
+            -d "{\"tag_name\": \"${VERSION}\", \"name\": \"Corrosion Host Agent ${VERSION}\", \"body\": \"Rust host agent release ${VERSION}\", \"draft\": false, \"prerelease\": true}" \
+            "${API_URL}/repos/${REPO}/releases")
+          RELEASE_ID=$(echo "$RESPONSE" | grep -o '"id":[0-9]*' | head -1 | grep -o '[0-9]*')
+
+          for f in corrosion-host-agent-linux-amd64 corrosion-host-agent-windows-amd64.exe checksums.txt; do
+            curl -s -X POST \
+              -H "Authorization: token ${RELEASE_TOKEN}" \
+              -H "Content-Type: application/octet-stream" \
+              --data-binary @corrosion-host-agent/bin/$f \
+              "${API_URL}/repos/${REPO}/releases/${RELEASE_ID}/assets?name=$f"
+          done
+
+      - name: Upload to CDN (alpha channel)
+        run: |
+          CDN_URL="https://cdn.corrosionmgmt.com"
+          VERSION="${{ steps.version.outputs.VERSION }}"
+
+          for f in corrosion-host-agent-linux-amd64 corrosion-host-agent-windows-amd64.exe checksums.txt; do
+            curl -s -X POST \
+              -F "file=@corrosion-host-agent/bin/$f" \
+              "${CDN_URL}/host-agent/alpha/$f"
+            curl -s -X POST \
+              -F "file=@corrosion-host-agent/bin/$f" \
+              "${CDN_URL}/host-agent/${VERSION}/$f"
+          done
+
+          echo "CDN upload complete: ${CDN_URL}/host-agent/alpha/"
+
+      - name: Build Summary
+        run: |
+          echo "## Corrosion Host Agent (Rust) Build Complete" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "**Version:** ${{ steps.version.outputs.VERSION }}" >> $GITHUB_STEP_SUMMARY
+          echo "**Commit:** ${GITHUB_SHA:0:7}" >> $GITHUB_STEP_SUMMARY
+          echo "**Channel:** alpha (latest/ untouched until cutover)" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "### Built Artifacts:" >> $GITHUB_STEP_SUMMARY
+          echo "- Linux AMD64 static musl ($(stat -c%s corrosion-host-agent/bin/corrosion-host-agent-linux-amd64) bytes)" >> $GITHUB_STEP_SUMMARY
+          echo "- Windows AMD64 mingw ($(stat -c%s corrosion-host-agent/bin/corrosion-host-agent-windows-amd64.exe) bytes)" >> $GITHUB_STEP_SUMMARY
+          echo "- SHA256 checksums" >> $GITHUB_STEP_SUMMARY