diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index efecd91..5ee6175 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -1,53 +1,123 @@
-name: CI/CD Pipeline
+name: ci (build + e2e-ssm)
 
 on:
   push:
-    branches:
-      - master
+    branches: [ main ]          # o "master" si tu repo usa master
   pull_request:
-    branches:
-      - master
+    branches: [ main ]
+  workflow_dispatch: {}          # permite lanzarlo manual
 
 jobs:
-  build:
-    name: Build and Deploy with Docker Compose
+  build-test:
+    name: Build & Test & Publish
     runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup .NET 9
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: '9.0.x'
+
+      - name: Restore
+        run: dotnet restore
+
+      - name: Build (Release)
+        run: dotnet build -c Release --no-restore
+
+      # Omití este paso si aún no tenés tests
+      - name: Test
+        run: dotnet test -c Release --no-build --verbosity normal
+
+      - name: Publish Worker
+        run: dotnet publish ComSi.Sync.Worker/ComSi.Sync.Worker.csproj -c Release -o out
+
+      # GHES/Gitea: usar v3 (v4 no está soportado)
+      - name: Upload artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: comsi-sync-worker
+          path: out/**
+
+  e2e-run:
+    name: E2E run with SSM tunnels
+    needs: build-test
+    runs-on: ubuntu-latest
+    env:
+      # AWS
+      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      AWS_DEFAULT_REGION: ${{ secrets.AWS_REGION }}
+      SSM_INSTANCE_ID: ${{ secrets.SSM_INSTANCE_ID }}
+
+      # Conexiones por túnel local (ajustá nombres según tu appsettings)
+      COMSI_SYNC__MYSQL__CONNECTION: Server=127.0.0.1;Port=3307;Database=${{ secrets.MYSQL_DB }};User Id=${{ secrets.MYSQL_USER }};Password=${{ secrets.MYSQL_PASSWORD }};SslMode=None;AllowPublicKeyRetrieval=True
+      COMSI_SYNC__POSTGRES__CONNECTION: Host=127.0.0.1;Port=5544;Database=${{ secrets.PG_DB }};Username=${{ secrets.PG_USER }};Password=${{ secrets.PG_PASSWORD }};SSL Mode=Disable
+
+      # Opcional: modo “procesar y salir” si lo soporta tu Worker
+      COMSI_SYNC__RUN_ONCE: "true"
+      DOTNET_ENVIRONMENT: "CI"
 
     steps:
-      # Paso 1: Checkout del código
-      - name: Checkout Code
-        uses: actions/checkout@v2
+      - uses: actions/checkout@v4
 
-      # Paso 2: Verificar estructura de archivos (Debug)
-      - name: Debug - Mostrar contenido del repositorio
+      - name: Download published worker
+        uses: actions/download-artifact@v3
+        with:
+          name: comsi-sync-worker
+          path: ./worker
+
+      # AWS CLI v2
+      - name: Install AWS CLI v2
+        run: |
+          sudo apt-get update && sudo apt-get install -y unzip netcat
+          curl -fsSL "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o /tmp/awscliv2.zip
+          unzip -q /tmp/awscliv2.zip -d /tmp
+          sudo /tmp/aws/install --update
+          aws --version
+
+      # Session Manager Plugin
+      - name: Install session-manager-plugin
+        run: |
+          curl -fsSL -o /tmp/session-manager-plugin.deb https://s3.amazonaws.com/session-manager-downloads/plugin/latest/ubuntu_64bit/session-manager-plugin.deb
+          sudo dpkg -i /tmp/session-manager-plugin.deb || sudo apt-get -f install -y
+          session-manager-plugin --version
+
+      # Túnel MySQL
+      - name: Start SSM tunnel (MySQL 3307)
+        run: |
+          nohup aws ssm start-session \
+            --target "${SSM_INSTANCE_ID}" \
+            --document-name "AWS-StartPortForwardingSession" \
+            --parameters "portNumber=[3307],localPortNumber=[3307]" \
+            > ssm-mysql.log 2>&1 & echo $! > ssm-mysql.pid
+          sleep 2; tail -n +1 ssm-mysql.log || true
+
+      # Túnel Postgres
+      - name: Start SSM tunnel (Postgres 5544)
+        run: |
+          nohup aws ssm start-session \
+            --target "${SSM_INSTANCE_ID}" \
+            --document-name "AWS-StartPortForwardingSession" \
+            --parameters "portNumber=[5544],localPortNumber=[5544]" \
+            > ssm-pg.log 2>&1 & echo $! > ssm-pg.pid
+          sleep 2; tail -n +1 ssm-pg.log || true
+
+      - name: Check local ports
+        run: |
+          nc -zv 127.0.0.1 3307
+          nc -zv 127.0.0.1 5544
+
+      # Ejecuta el publish framework-dependent (DLL)
+      - name: Run worker (single-shot)
+        working-directory: ./worker
         run: |
-          echo "📂 Directorio actual:"
-          pwd
-          echo "📄 Contenido del directorio:"
           ls -la
-          echo "📂 Contenido de phronCare.API:"
-          ls -la phronCare.API
-          echo "📂 Contenido de phronCare.UIBlazor:"
-          ls -la phronCare.UIBlazor
+          dotnet ComSi.Sync.Worker.dll
 
-      # Paso 3: Construir la imagen Docker para la API
-      - name: Build API Docker Image
+      - name: Stop SSM tunnels
+        if: always()
         run: |
-          docker build -t phroncare-api -f phronCare.API/Dockerfile .
-
-      # Paso 4: Construir la imagen Docker para la UI
-      - name: Build UI Docker Image
-        run: |
-          docker build -t phroncare-ui -f phronCare.UIBlazor/Dockerfile .
-
-      # Paso 5: Instalar Docker Compose (si no está instalado)
-      - name: Install Docker Compose
-        run: |
-          sudo apt update
-          sudo apt install -y docker-compose
-
-      # Paso 6: Configuración y despliegue con Docker Compose
-      - name: Deploy with Docker Compose
-        run: |
-          docker-compose down
-          docker-compose up -d
+          if [ -f ssm-mysql.pid ]; then kill "$(cat ssm-mysql.pid)" || true; fi
+          if [ -f ssm-pg.pid ]; then kill "$(cat ssm-pg.pid)" || true; fi
+          pkill -f "aws ssm start-session" || true