docs: move verification details to dedicated reference page

The installation page was bloated with 55 lines of SLSA/SHA256
verification details before users could see agent setup instructions.
Moved to /docs/reference/verifying-your-install/ with a one-line link.

For provenance purposes, this commit was AI assisted.

Author: backnotprop

apps/marketing/src/content/docs/getting-started/installation.md

@@ -51,60 +51,7 @@ Version pinning is fully supported from **v0.17.2 onwards**. v0.17.2 is the firs
 
 </details>
 
-### Verifying your install
-
-Every released binary is accompanied by a SHA256 sidecar (verified automatically on every install) and a [SLSA build provenance](https://slsa.dev/) attestation signed via Sigstore and recorded in the public transparency log. The SHA256 check is mandatory and always runs. Provenance verification is **optional** — it's only needed if you want a cryptographic link from the binary back to the exact commit and workflow run that built it.
-
-**Manual verification (recommended for one-off audits):**
-
-This requires the [GitHub CLI](https://cli.github.com) to be installed and authenticated (`gh auth login`). Replace `vX.Y.Z` with the tag of the version you installed — pinning the source ref and signer workflow is what gives you the "exact commit and workflow run" guarantee described above; `--repo` alone only proves the artifact was built by _some_ workflow in our repository.
-
-```bash
-# macOS / Linux
-gh attestation verify ~/.local/bin/plannotator \
-  --repo backnotprop/plannotator \
-  --source-ref refs/tags/vX.Y.Z \
-  --signer-workflow backnotprop/plannotator/.github/workflows/release.yml
-
-# Windows (PowerShell installer)
-gh attestation verify "$env:LOCALAPPDATA\plannotator\plannotator.exe" `
-  --repo backnotprop/plannotator `
-  --source-ref refs/tags/vX.Y.Z `
-  --signer-workflow backnotprop/plannotator/.github/workflows/release.yml
-
-# Windows (cmd installer)
-gh attestation verify "%USERPROFILE%\.local\bin\plannotator.exe" ^
-  --repo backnotprop/plannotator ^
-  --source-ref refs/tags/vX.Y.Z ^
-  --signer-workflow backnotprop/plannotator/.github/workflows/release.yml
-```
-
-For air-gapped or no-auth environments, see GitHub's docs on [verifying attestations offline](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/verifying-attestations-offline) (uses `gh attestation download` to fetch the bundle once, then verifies offline against it).
-
-**Automatic verification during install/upgrade (opt-in):**
-
-Provenance verification is **off by default** in the installer — the same default every major `curl | bash` installer uses (rustup, brew, bun, deno, helm). SHA256 verification always runs. To have the installer additionally run `gh attestation verify` on every upgrade, enable it via any of the three mechanisms below. Precedence is CLI flag > env var > config file > default.
-
-1. **Per-install flag** (one-shot, explicit):
-   ```bash
-   curl -fsSL https://plannotator.ai/install.sh | bash -s -- --verify-attestation
-   ```
-   PowerShell: `... -VerifyAttestation`. Windows cmd: `install.cmd --verify-attestation`.
-
-2. **Environment variable** (persist in your shell RC):
-   ```bash
-   export PLANNOTATOR_VERIFY_ATTESTATION=1
-   ```
-   Scoped to whichever shell sessions export it. Follows the same `PLANNOTATOR_*` convention as `PLANNOTATOR_REMOTE`, `PLANNOTATOR_PORT`, etc.
-
-3. **Config file** (persist shell-agnostic):
-   ```bash
-   mkdir -p ~/.plannotator
-   echo '{ "verifyAttestation": true }' > ~/.plannotator/config.json
-   ```
-   Or merge into an existing `~/.plannotator/config.json`. This applies regardless of which shell launches the installer — useful for GUI-launched terminals on macOS or `install.cmd` run from Explorer on Windows. Managed easily by dotfiles / Ansible / other provisioning tools.
-
-When enabled, the installer requires `gh` CLI installed and authenticated (`gh auth login`). If `gh` is missing or the check fails, the install hard-fails so you don't silently skip verification you asked for. To force-skip for a single install, pass `--skip-attestation` (bash/cmd) or `-SkipAttestation` (PowerShell).
+Every release includes SHA256 checksums (verified automatically) and optional [SLSA build provenance](/docs/reference/verifying-your-install/) attestations.
 
 ## Claude Code
 

apps/marketing/src/content/docs/reference/verifying-your-install.md

@@ -0,0 +1,73 @@
+---
+title: "Verifying Your Install"
+description: "SHA256 checksums and SLSA build provenance verification for Plannotator binaries."
+sidebar:
+  order: 4
+section: "Reference"
+---
+
+Every released binary is accompanied by a SHA256 sidecar (verified automatically on every install) and a [SLSA build provenance](https://slsa.dev/) attestation signed via Sigstore and recorded in the public transparency log. The SHA256 check is mandatory and always runs. Provenance verification is **optional** — it's only needed if you want a cryptographic link from the binary back to the exact commit and workflow run that built it.
+
+## Manual verification
+
+Recommended for one-off audits. Requires the [GitHub CLI](https://cli.github.com) installed and authenticated (`gh auth login`). Replace `vX.Y.Z` with the tag of the version you installed — pinning the source ref and signer workflow gives you the "exact commit and workflow run" guarantee; `--repo` alone only proves the artifact was built by _some_ workflow in our repository.
+
+**macOS / Linux:**
+
+```bash
+gh attestation verify ~/.local/bin/plannotator \
+  --repo backnotprop/plannotator \
+  --source-ref refs/tags/vX.Y.Z \
+  --signer-workflow backnotprop/plannotator/.github/workflows/release.yml
+```
+
+**Windows (PowerShell installer):**
+
+```powershell
+gh attestation verify "$env:LOCALAPPDATA\plannotator\plannotator.exe" `
+  --repo backnotprop/plannotator `
+  --source-ref refs/tags/vX.Y.Z `
+  --signer-workflow backnotprop/plannotator/.github/workflows/release.yml
+```
+
+**Windows (CMD installer):**
+
+```cmd
+gh attestation verify "%USERPROFILE%\.local\bin\plannotator.exe" ^
+  --repo backnotprop/plannotator ^
+  --source-ref refs/tags/vX.Y.Z ^
+  --signer-workflow backnotprop/plannotator/.github/workflows/release.yml
+```
+
+For air-gapped or no-auth environments, see GitHub's docs on [verifying attestations offline](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/verifying-attestations-offline).
+
+## Automatic verification during install
+
+Provenance verification is **off by default** — the same default every major `curl | bash` installer uses (rustup, brew, bun, deno, helm). To have the installer additionally run `gh attestation verify` on every upgrade, enable it via any of the three mechanisms below. Precedence is CLI flag > env var > config file > default.
+
+**1. Per-install flag** (one-shot):
+
+```bash
+curl -fsSL https://plannotator.ai/install.sh | bash -s -- --verify-attestation
+```
+
+PowerShell: `... -VerifyAttestation`. Windows CMD: `install.cmd --verify-attestation`.
+
+**2. Environment variable** (persist in your shell RC):
+
+```bash
+export PLANNOTATOR_VERIFY_ATTESTATION=1
+```
+
+**3. Config file** (persist shell-agnostic):
+
+```bash
+mkdir -p ~/.plannotator
+echo '{ "verifyAttestation": true }' > ~/.plannotator/config.json
+```
+
+When enabled, the installer requires `gh` CLI installed and authenticated (`gh auth login`). If `gh` is missing or the check fails, the install hard-fails so you don't silently skip verification. To force-skip for a single install, pass `--skip-attestation` (bash/cmd) or `-SkipAttestation` (PowerShell).
+
+## Supported versions
+
+Version pinning and provenance verification are fully supported from **v0.17.2 onwards** — the first release to ship native ARM64 Windows binaries and SLSA attestations. Pinning to a pre-v0.17.2 tag may work for default installs on macOS, Linux, and x64 Windows, but ARM64 Windows hosts will get a 404 and provenance verification will be rejected by the installer's pre-flight check.