Follow-up to umbrella #1130 after PR-F3 (#1184) merged.

Goal
- Complete trusted-release hardening by documenting and validating consumer-side verification for published artifacts and provenance.

Scope
- Document how downstream users verify PyPI/TestPyPI attestations/provenance.
- Document where SBOM artifacts live and how to retrieve/validate them.
- Add a release verification section to the publish docs and link it from SECURITY/README as appropriate.
- Add a lightweight CI/docs check to keep the verification commands current.

Out of scope
- Re-architecting the release pipeline or changing package formats.

Acceptance criteria
- Verification instructions are reproducible by a maintainer from a clean environment.
- Docs clearly separate: (1) PyPI attestations/provenance vs (2) SBOM evidence artifacts.
- Umbrella #1130 references this issue as the next step.