fix(landing): stop promising a SHA-256 in Windows install-help modal

[Relevant47]

Summary

The Windows install-help reassurance text promised users they could "verify the file hash below before running it", but the #ih-hash section never showed because /api/download.js never returns a sha256 field and the release pipeline doesn't publish .sha256 sidecars to compute one from. Replace the promise with a claim that's true today (source is on GitHub; can be read or built locally). The #ih-hash markup and JS branch are left in place so this PR is forward-compatible with a future Option A that ships hashes.

Files changed

• landing/index.html — single string change to STEPS.win.reassure (line 2936).

Fixes #44

Risk tier

Ambiguous direction — the issue offers two fixes and either one is defensible, so this is a DRAFT with needs-review. (Please apply the needs-review label — the bot's tooling in this environment can't create labels.) This is a one-line landing-page string change, so the change itself is low-risk — the review is about which option to take, not the diff.

Option chosen (B — remove the claim)

• Truthful with no infra changes. Ships immediately.
• Keeps the #ih-hash DOM and the openInstallHelp('win', data.sha256) call paths intact, so swapping back to Option A later requires zero re-edit on the landing side — just start returning sha256 from /api/download.js.

Option NOT taken (A — actually ship the hash)

The issue's Option A snippet looks for <asset>.sha256 sidecar files on the GitHub release. I checked .github/workflows/release.yml — the release pipeline does not produce .sha256 sidecars today (the only sha256 reference is signtool's timestamp digest). So Option A as written would always find null and the modal would still show nothing.

A real Option A would require, in order:

1. Add a step to release.yml that runs sha256sum FocusLock-Setup.exe > FocusLock-Setup.exe.sha256 (and the macOS equivalent) and uploads each sidecar to the GitHub release.
2. Update api/download.js to fetch the matching .sha256 asset, parse the hex, and include it in the JSON response.
3. Optionally cache the hash on the Vercel function to avoid an extra round-trip per click.

If you'd rather take Option A, this PR can be discarded and the work redone on the release/API side — no edits to the landing page would be needed there because the JS branch already wires data.sha256 through to the hash UI.

What a reviewer should verify

• The replacement reassurance still reads honestly (no remaining promise of unshipped behavior).
• The #ih-hash block at landing/index.html:2418-2420 stays in the DOM; only the prose changed.
• No other place tells the Windows user a hash will appear. (I grep'd sha256 / SHA-256 / hash and the remaining matches are the friend-lock copy at lines 1912 and 2167, which is a separate, accurate cryptographic claim.)

🤖 Generated with Claude Code

---

Generated by Claude Code

[netlify]

✅ Deploy Preview for focuslock-app ready!

Name	Link
🔨 Latest commit	2d3051b
🔍 Latest deploy log	https://app.netlify.com/projects/focuslock-app/deploys/6a1b985c3c7e260008bc6c77
😎 Deploy Preview	https://deploy-preview-46--focuslock-app.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
focus-lock	Ready	Preview, Comment	May 31, 2026 2:09am