Security Notes

This preview package is an offline local demo. It does not collect data, call external APIs, or require login credentials.

Recommended production release practices:
- publish SHA-256 checksum files beside each ZIP
- keep release manifests immutable after publication
- version each package
- archive each released ZIP and manifest
- sign releases once production signing infrastructure is ready
