diff --git a/.duvet/.gitignore b/.duvet/.gitignore
new file mode 100644
index 000000000..93956e36d
--- /dev/null
+++ b/.duvet/.gitignore
@@ -0,0 +1,3 @@
+reports/
+requirements/
+specification/
\ No newline at end of file
diff --git a/.duvet/config.toml b/.duvet/config.toml
new file mode 100644
index 000000000..9c8d5692f
--- /dev/null
+++ b/.duvet/config.toml
@@ -0,0 +1,21 @@
+'$schema' = "https://awslabs.github.io/duvet/config/v0.4.0.json"
+
+[[source]]
+pattern = "src/**/*.java"
+
+# Include required specifications here
+[[specification]]
+source = "specification/s3-encryption/client.md"
+[[specification]]
+source = "specification/s3-encryption/materials/keyrings.md"
+[[specification]]
+source = "specification/s3-encryption/materials/s3-keyring.md"
+[[specification]]
+source = "specification/s3-encryption/materials/s3-kms-keyring.md"
+
+[report.html]
+enabled = true
+
+# Enable snapshots to prevent requirement coverage regressions
+[report.snapshot]
+enabled = false
diff --git a/.github/workflows/duvet.yml b/.github/workflows/duvet.yml
new file mode 100644
index 000000000..366348689
--- /dev/null
+++ b/.github/workflows/duvet.yml
@@ -0,0 +1,44 @@
+name: duvet
+
+on:
+ workflow_call:
+ # Optional inputs that can be provided when calling this workflow
+
+jobs:
+ test:
+ runs-on: macos-latest
+ permissions:
+ id-token: write
+ contents: read
+ pages: write
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v5
+ with:
+ submodules: true
+
+ - name: Setup Rust toolchain
+ uses: actions-rust-lang/setup-rust-toolchain@v1
+ with:
+ toolchain: stable
+
+ - name: Clone duvet repository
+ run: git clone https://github.com/awslabs/duvet.git /tmp/duvet
+
+ - name: Build and install duvet
+ run: |
+ cd /tmp/duvet
+ cargo xtask build
+ cargo install --path ./duvet
+
+ - name: Run duvet
+ run: make duvet
+
+ - name: Upload duvet reports
+ uses: actions/upload-artifact@v4
+ with:
+ name: reports
+ include-hidden-files: true
+ path: .duvet/reports/report.html
+
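Review bot: The `[[source]]` list in `.duvet/config.toml` scans only `src/**/*.java`, while the `duvet report` invocation this commit removes from the Makefile also passed `--source-pattern "compliance_exceptions/*.txt"`; if that directory still holds exception annotations, they silently drop out of the report. Consider a second `[[source]]` entry with `pattern = "compliance_exceptions/*.txt"`, or remove the directory in the same change so the intent is visible. Separately, `[report.snapshot]` is left at `enabled = false` directly under a comment saying snapshots prevent coverage regressions, so nothing in the new setup fails when a requirement loses its annotation. A comment such as `# Disabled until the first baseline snapshot is committed` would say why it is off.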
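Review bot: In `.github/workflows/duvet.yml` the `Clone duvet repository` step builds and runs whatever is at the tip of duvet's default branch, inside a job that holds `id-token: write` and `pages: write`. Pin the tool to a reviewed revision, for example by following the clone with `git -C /tmp/duvet checkout <PINNED_DUVET_COMMIT>`, and install with `cargo install --locked --path ./duvet`. None of the visible steps requests an OIDC token or deploys to Pages, so the `permissions` block can probably be reduced to `contents: read`. The three `uses:` entries reference mutable tags (`@v5`, `@v1`, `@v4`); pinning them to full commit SHAs closes the same gap for the actions themselves.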
diff --git a/.gitmodules b/.gitmodules
index b4e128ffa..dfb50261f 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,3 +1,4 @@
-[submodule "specification"]
+[submodule "private_aws"]
 path = specification
- url = git@github.com:awslabs/aws-encryption-sdk-specification.git
\ No newline at end of file
+ url = git@github.com:awslabs/private-aws-encryption-sdk-specification-staging.git
+ branch = tonyknap/todo-cbc-encryption
diff --git a/Makefile b/Makefile
index 1c60b7a64..1288d27da 100644
--- a/Makefile
+++ b/Makefile
@@ -1,15 +1,12 @@
 # Used for misc supporting functions like Duvet and prettier. Builds, tests, etc. should use the usual Java/Maven tooling.
 
-duvet: | duvet_extract duvet_report
-
-duvet_extract:
- rm -rf compliance
- $(foreach file, $(shell find specification/s3-encryption -name '*.md'), duvet extract -o compliance -f MARKDOWN $(file);)
+duvet: | duvet_clean duvet_report
 
 duvet_report:
- duvet \
- report \
- --spec-pattern "compliance/**/*.toml" \
- --source-pattern "src/**/*.java" \
- --source-pattern "compliance_exceptions/*.txt" \
- --html specification_compliance_report.html
+ duvet report
+
+duvet-view-report-mac:
+ open .duvet/reports/report.html
+
+duvet_clean:
+ rm -rf .duvet/reports/ .duvet/requirements/
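Review bot: The `.gitmodules` hunk repoints the `specification` path at `private-aws-encryption-sdk-specification-staging` and adds `branch = tonyknap/todo-cbc-encryption`, which reads like a work-in-progress pointer rather than something meant to land on the main line. Anyone without access to that repository can no longer initialise the submodule, and the new workflow's checkout with `submodules: true` will presumably need credentials that the workflow does not declare. `git submodule update --remote` would also follow a personal feature branch rather than a reviewed specification revision. If the staging pointer is intentional for now, a comment above the entry such as `# TEMPORARY: staging spec; restore the public specification URL before release` would make that explicit. The rename to `"private_aws"` also leaves the submodule name out of step with its `path`.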
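Review bot: In the Makefile, `duvet: | duvet_clean duvet_report` relies on the left-to-right order of two order-only prerequisites, so under `make -j` the `rm -rf` in `duvet_clean` can run while `duvet report` is writing into `.duvet/reports/`. State the ordering on the rule that needs it, `duvet_report: duvet_clean`, and declare the command targets with `.PHONY: duvet duvet_report duvet_clean duvet-view-report-mac` so a stray file of the same name cannot mask them. `duvet-view-report-mac` is the only hyphenated target beside the underscore-named ones; a single spelling would be easier to remember.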