From 7b02654952d507ac955a585554639c7cccae6bcb Mon Sep 17 00:00:00 2001
From: Beon de Nood <beon@bigdune.net>
Date: Sat, 2 May 2026 13:56:42 -0400
Subject: [PATCH] docs: add binary integrity verification section (P0-4)

Document CAPISCIO_SKIP_CHECKSUM and CAPISCIO_CORE_VERSION env vars.
Explain the checksum verification behavior for the core binary download.

Ref: DOCS_REMEDIATION_PLAN P0-4 Part B
---
 README.md | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/README.md b/README.md
index 3b8523b..93a4af3 100644
--- a/README.md
+++ b/README.md
@@ -210,6 +210,18 @@ jobs:
           test-live: true
 ```
 
+## Binary Integrity Verification
+
+This action downloads the capiscio-core binary on first run and verifies its SHA-256 checksum
+against the published `checksums.txt` from the GitHub release.
+
+| Environment Variable | Description | Default |
+|---------------------|-------------|---------|
+| `CAPISCIO_SKIP_CHECKSUM` | Skip binary checksum verification (`true`/`false`) | `false` |
+| `CAPISCIO_CORE_VERSION` | Override the core binary version | Action default |
+
+> **Note:** Setting `CAPISCIO_SKIP_CHECKSUM=true` is not recommended for production workflows.
+
 ## License
 
 Apache-2.0 - See [LICENSE](LICENSE) for details