diff --git a/flake.nix b/flake.nix
index 914d26a..37348a5 100644
--- a/flake.nix
+++ b/flake.nix
@@ -80,6 +80,109 @@ { formatter = treefmtEval.config.build.wrapper; + checks = { + formatting = treefmtEval.config.build.check ./.; + + gitleaks = + pkgs.runCommand "check-gitleaks" + { + nativeBuildInputs = [ pkgs.gitleaks ]; + src = pkgs.lib.fileset.toSource { + root = ./.; + fileset = pkgs.lib.fileset.gitTracked ./.; + }; + } + '' + cd $src + gitleaks detect --source . --config .gitleaks.toml --no-git + touch $out + ''; + + uv-lock = + pkgs.runCommand "check-uv-lock" + { + nativeBuildInputs = [ + pkgs.uv + pkgs.cacert + ]; + src = pkgs.lib.fileset.toSource { + root = ./.; + fileset = pkgs.lib.fileset.gitTracked ./.; + }; + SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; + } + '' + cd $src + export HOME=$(mktemp -d) + uv lock --check + touch $out + ''; + + ty = + pkgs.runCommand "check-ty" + { + nativeBuildInputs = [ + pkgs.ty + pkgs.uv + pkgs.python313 + pkgs.cacert + ]; + src = pkgs.lib.fileset.toSource { + root = ./.; + fileset = pkgs.lib.fileset.gitTracked ./.; + }; + SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; + } + '' + cp -r $src/. ./workdir + chmod -R u+w ./workdir + cd ./workdir + + export HOME=$(mktemp -d) + export UV_LINK_MODE=copy + + uv sync --all-extras --locked --python ${pkgs.python313}/bin/python3.13 + uv run ty check stackone_ai + touch $out + ''; + + pytest = + pkgs.runCommand "check-pytest" + { + nativeBuildInputs = [ + pkgs.uv + pkgs.python313 + pkgs.bun + pkgs.pnpm_10 + pkgs.typescript-go + pkgs.git + pkgs.cacert + ]; + src = pkgs.lib.fileset.toSource { + root = ./.; + fileset = pkgs.lib.fileset.gitTracked ./.; + }; + SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; + } + '' + cp -r $src/. 
./workdir + chmod -R u+w ./workdir + cd ./workdir + + export HOME=$(mktemp -d) + export UV_LINK_MODE=copy + + # Initialize git submodules + git init + git submodule update --init --recursive || true + + # Install dependencies and run tests + uv sync --all-extras --locked --python ${pkgs.python313}/bin/python3.13 + uv run pytest + touch $out + ''; + }; + devShells.default = pkgs.mkShellNoCC { buildInputs = with pkgs; [ uv
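Review bot: The `gitleaks` check covers only the current snapshot: `--no-git` over a `fileset.gitTracked` source never sees history, so a secret that was committed and later deleted passes it; a comment such as `# scans tracked files in the current tree only; history needs a separate scan` above the `gitleaks detect` line would keep that limit visible. In the `pytest` check, `git submodule update --init --recursive || true` hides any failure, and because it runs right after `git init` on a copied tree the new repository presumably has no registered submodules, so the step may be a silent no-op; dropping `|| true` would make that visible. The `uv-lock`, `ty` and `pytest` checks set `SSL_CERT_FILE` and call `uv`, which suggests they download packages at build time; that presumably only works where the Nix sandbox permits network access, so it is worth stating in a comment, and `--locked` is what keeps those downloads tied to `uv.lock`.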