From 2571a110c0b20391180d2adf0e1dc7356b25c520 Mon Sep 17 00:00:00 2001 From: Ignazio De Santis Date: Tue, 3 Mar 2026 21:12:35 +0800 Subject: [PATCH] docs: clarify README security posture, quickstart, and CI parity --- README.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 8ae6fc5..39e23f3 100644 --- a/README.md +++ b/README.md @@ -31,6 +31,7 @@ It pairs a local edge verifier with cloud telemetry and an admin dashboard, so a ## Security Posture - Local API is bound to localhost and protected by bearer token auth. +- Admin dashboard and `/api/cloud/*` proxy use server-side session auth (HttpOnly cookie); browser-supplied admin tokens are ignored. - No iframe/browser embedding trust path for auth decisions. - Edge produces signed telemetry; cloud verifies signatures before persistence. - Audit logging is hash-chained for tamper evidence. @@ -48,6 +49,15 @@ make docker-build make release-check ``` +Docker-first local startup: + +```bash +make demo-up +curl http://127.0.0.1:8000/health +curl http://127.0.0.1:3000 +make demo-down +``` + ## Quick Demo One command from repo root: @@ -100,7 +110,7 @@ GitHub Actions runs the following on PRs and `main` pushes: - cloud pytest - desktop web build + cargo check - docker compose build (cloud + admin) -- release parity gate (`make release-check` hardening equivalent) +- release parity gate on PR + `main` (`make release-check`) ## Documentation
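Review bot: the new "Security Posture" bullet in the first hunk makes a stronger claim than the README currently backs up. "Browser-supplied admin tokens are ignored" is an enforcement statement, so the bullet should name where that is enforced (the proxy middleware or the test that sends an `Authorization` header to `/api/cloud/*` and expects it to be dropped), otherwise a reader cannot tell whether this is implemented or aspirational. Also, an HttpOnly session cookie protects the token from script access but does nothing against cross-site request forgery against the `/api/cloud/*` proxy; if the cookie is set with `SameSite=Strict`/`Lax` or the proxy checks an anti-CSRF token or `Origin` header, say so in the same bullet, since that is the property the previous line ("No iframe/browser embedding trust path for auth decisions") is implicitly relying on.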
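Review bot: the "Docker-first local startup" block in the second hunk will intermittently fail as written, because `make demo-up` returns before the containers are accepting connections and the two `curl` calls have no wait or retry. Either add a one-line note that the services take a few seconds to come up, or make the health check tolerant, e.g. `curl -sf --retry 10 --retry-connrefused http://127.0.0.1:8000/health`. The block should also say what each port is (8000 = local API `/health`, 3000 = admin dashboard, presumably) and whether `/health` is exempt from the bearer-token requirement stated in "Security Posture", since a plain `curl` to an endpoint the README says is token-protected reads as a contradiction.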
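Review bot: in the third hunk, "on PR + `main`" is redundant with the list's own heading ("GitHub Actions runs the following on PRs and `main` pushes:"), so the qualifier adds no information and can be dropped. The more useful change is the one the diff only implies: the old text said "hardening equivalent", the new text says `make release-check` directly. If CI now invokes the exact same target, state that plainly (e.g. "release parity gate: CI runs `make release-check` unchanged"), because that equivalence is the CI-parity point the commit subject promises; if CI still runs a separate but equivalent workflow, the old wording was the honest one and should stay.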