diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f58b96d..e67bbdb 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -16,82 +16,81 @@ concurrency: cancel-in-progress: true jobs: - e2e: - name: E2E with Diagnostics + smoke: + name: Pipeline Smoke Gate runs-on: ubuntu-latest - timeout-minutes: 45 + timeout-minutes: 15 steps: - name: Checkout ShieldGuard uses: actions/checkout@v4 - - name: Checkout SHIELD backend - uses: actions/checkout@v4 - with: - repository: VrushankPatel/shield - path: shield - - name: Set up Node.js uses: actions/setup-node@v4 with: node-version: '20' cache: npm - - name: Set up Java - uses: actions/setup-java@v4 + - name: Install dependencies + run: npm ci + + - name: Validate test suite discovery + run: npx jest --config jest.config.cjs --listTests + + - name: Capture smoke diagnostics snapshot + run: node scripts/inspect-containers.cjs --logs --label ci-smoke + + - name: Upload smoke artifacts + if: always() + uses: actions/upload-artifact@v4 with: - distribution: temurin - java-version: '17' - cache: maven + name: shieldguard-smoke-${{ github.run_id }}-${{ github.run_attempt }} + if-no-files-found: warn + retention-days: 14 + path: | + reports/** - - name: Install ShieldGuard dependencies - run: npm ci + e2e_external: + name: External SHIELD E2E + if: ${{ vars.SHIELD_BASE_URL != '' }} + runs-on: ubuntu-latest + timeout-minutes: 30 - - name: Build SHIELD backend jar - working-directory: ./shield - run: mvn -B -DskipTests package + steps: + - name: Checkout ShieldGuard + uses: actions/checkout@v4 + + - name: Set up Node.js + uses: actions/setup-node@v4 + with: + node-version: '20' + cache: npm + + - name: Install dependencies + run: npm ci - - name: Execute ShieldGuard E2E suite + - name: Execute E2E suite against configured SHIELD host env: - SHIELD_BASE_URL: http://localhost:8080 - SHIELD_AUTOSTART: 'true' - SHIELD_AUTOSTOP: 'true' - SHIELD_PROJECT_DIR: ./shield - SHIELD_RUN_SCRIPT: ./shield/run.sh - SHIELD_ENV_FILE: ./shield/dev.env - SHIELD_ROOT_CREDENTIAL_FILE: ./shield/root-bootstrap-credential.txt - SHIELD_INSTANCES: '2' - SHIELD_PROXY: haproxy + 
SHIELD_BASE_URL: ${{ vars.SHIELD_BASE_URL }} + SHIELD_HEALTH_PATH: ${{ vars.SHIELD_HEALTH_PATH || '/actuator/info' }} + SHIELD_AUTOSTART: 'false' + SHIELD_AUTOSTOP: 'false' + SHIELD_ROOT_PASSWORD: ${{ secrets.SHIELD_ROOT_PASSWORD }} + SHIELD_ADMIN_EMAIL: ${{ secrets.SHIELD_ADMIN_EMAIL }} + SHIELD_ADMIN_PASSWORD: ${{ secrets.SHIELD_ADMIN_PASSWORD }} + SHIELD_OTP_TEST_CODE: ${{ secrets.SHIELD_OTP_TEST_CODE }} run: npm run test:e2e - name: Capture failure diagnostics snapshot if: failure() - env: - SHIELD_PROJECT_DIR: ./shield - SHIELD_RUN_SCRIPT: ./shield/run.sh - SHIELD_ENV_FILE: ./shield/dev.env - SHIELD_INSTANCES: '2' - SHIELD_PROXY: haproxy run: node scripts/inspect-containers.cjs --logs --label ci-failure - - name: Stop SHIELD runtime - if: always() - env: - SHIELD_PROJECT_DIR: ./shield - SHIELD_RUN_SCRIPT: ./shield/run.sh - SHIELD_ENV_FILE: ./shield/dev.env - SHIELD_INSTANCES: '2' - SHIELD_PROXY: haproxy - run: npm run shield:stop - continue-on-error: true - - - name: Upload diagnostics artifacts + - name: Upload e2e diagnostics artifacts if: always() uses: actions/upload-artifact@v4 with: - name: shieldguard-diagnostics-${{ github.run_id }}-${{ github.run_attempt }} + name: shieldguard-e2e-${{ github.run_id }}-${{ github.run_attempt }} if-no-files-found: warn retention-days: 14 path: | reports/** - shield/system_topologies/generated/** diff --git a/README.md b/README.md index 5ad39a0..417887a 100644 --- a/README.md +++ b/README.md 
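Review bot: The `Upload e2e diagnostics artifacts` step in `e2e_external` publishes everything under `reports/**` with `if: always()` and `retention-days: 14`, while the suite that writes those reports now authenticates with `SHIELD_ROOT_PASSWORD`, `SHIELD_ADMIN_PASSWORD` and `SHIELD_OTP_TEST_CODE` against a configured external host instead of a locally started instance. GitHub masks secret values in step logs only, not in uploaded files, so if the diagnostics record request bodies, auth headers or session tokens (the report writer is not visible in this hunk) those values would end up in a downloadable artifact. It is worth confirming that the reports are redacted, or narrowing `path:` to the files actually needed. Separately, the job-level `if:` tests only `vars.SHIELD_BASE_URL`, so a run in which the secrets are withheld (pull requests from forks do not receive them) would still exercise the host with empty credentials if the variable resolves there. A guard such as `if: ${{ vars.SHIELD_BASE_URL != '' && github.event.pull_request.head.repo.fork != true }}` would skip the job in that case.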
@@ -166,12 +166,14 @@ npm run test:e2e:amenities-meeting GitHub Actions workflow: `.github/workflows/ci.yml` - Triggers on pull requests to `master` and pushes to `master`. -- Checks out both repositories: - - `ShieldGuard` (this repo) - - `shield` backend (for runtime + API under test) -- Builds SHIELD backend jar with Maven. -- Runs `npm run test:e2e` with ShieldGuard diagnostics enabled. -- Always uploads diagnostics artifacts (`reports/` and generated topology configs), including failure-context snapshots when runs fail. +- `Pipeline Smoke Gate` job always runs: + - dependency install + - test-discovery check (`jest --listTests`) + - diagnostics snapshot artifact upload +- `External SHIELD E2E` job runs only when repository variable `SHIELD_BASE_URL` is configured: + - executes `npm run test:e2e` against that host + - uses optional secrets (`SHIELD_ROOT_PASSWORD`, `SHIELD_ADMIN_EMAIL`, `SHIELD_ADMIN_PASSWORD`, `SHIELD_OTP_TEST_CODE`) + - uploads diagnostics artifacts on success/failure ## Contributor Workflow