diff --git a/README.md b/README.md index eae17a1..a652ba0 100644 --- a/README.md +++ b/README.md @@ -131,6 +131,13 @@ Use immutable version tags such as `docker.io/d8vik/specdock:v1.0.2`; the projec Download desktop installers from [GitHub Releases](https://github.com/dev-ik/specdock/releases). The desktop app runs the SpecDock API on `127.0.0.1` with proxy and mock features disabled by default; `Settings -> Desktop runtime` controls local mock/proxy settings. See [Desktop](docs/DESKTOP.md) for packaging and release workflow details. +Desktop builds are unsigned. Verify `SHA256SUMS.txt` before bypassing platform +warnings. On macOS, clear quarantine with +`sudo xattr -dr com.apple.quarantine /Applications/SpecDock.app` and run +`open /Applications/SpecDock.app`. On Windows, SmartScreen can warn; use +`More info -> Run anyway` only after checksum verification. On Linux, make the +AppImage executable with `chmod +x SpecDock*.AppImage` or use the `.tar.gz`. + ## Configuration Public/demo deployments should keep backend proxy mode disabled: @@ -226,24 +233,14 @@ docs Architecture, security, deployment, smoke tests, and roadmap ## Documentation Start with the [master plan](docs/SPECDOCK_MASTER_PLAN.md), -[implementation plan](docs/IMPLEMENTATION_PLAN.md), [API contracts](docs/API_CONTRACTS.md), +[implementation plan](docs/IMPLEMENTATION_PLAN.md), [security guide](SECURITY.md), [release checklist](docs/RELEASE.md), and [roadmap](docs/ROADMAP.md). ## Open-Source Hygiene -The repository intentionally ignores local-only files: - -```txt -.env -.history -.playwright-mcp -docs_deprecated -docs/BOOTSTRAP_REPOSITORY.md -docs/TASKS.md -``` - -Do not commit local credentials, private proxy targets, provider-specific hosting entrypoints, or generated build output. +Do not commit local credentials, private proxy targets, provider-specific +hosting entrypoints, or generated build output. ## License diff --git a/docs/DESKTOP.md b/docs/DESKTOP.md index 5abbf47..f7e05c4 100644 
--- a/docs/DESKTOP.md +++ b/docs/DESKTOP.md @@ -53,6 +53,20 @@ sudo xattr -dr com.apple.quarantine /Applications/SpecDock.app open /Applications/SpecDock.app ``` +Unsigned Windows downloads can show Microsoft Defender SmartScreen warnings. +Verify `SHA256SUMS.txt`, then choose `More info -> Run anyway` only if the +checksum matches the GitHub Release asset. + +Linux AppImage downloads may need executable permissions: + +```bash +chmod +x SpecDock*.AppImage +./SpecDock*.AppImage +``` + +If AppImage does not start because FUSE is unavailable on your distribution, +use the `.tar.gz` archive from the same release. + The GitHub `Desktop Release` workflow maps repository secrets to those environment variables and verifies signatures when credentials are present. In GitHub, store the Apple `.p8` notarization key as `APPLE_API_KEY_BASE64`; the
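Review bot: In the README.md hunk at `@@ -131,6 +131,13 @@`, "Verify `SHA256SUMS.txt`" is the only step in the new paragraph given without a command, although it is the step every bypass instruction depends on. Suggest adding the per-platform check next to each bypass: `shasum -a 256 -c SHA256SUMS.txt` on macOS, `sha256sum --ignore-missing -c SHA256SUMS.txt` on Linux, and `Get-FileHash -Algorithm SHA256` on the installer on Windows, compared with the matching line in `SHA256SUMS.txt`. The Windows sentence says "only after checksum verification", but the macOS `sudo xattr -dr com.apple.quarantine` sentence and the Linux `chmod +x` sentence carry no such condition; repeating it there would keep a reader who jumps to their platform from skipping the check. If `SHA256SUMS.txt` is published in the same release as the installers, it is also worth stating that the checksum confirms the download matches the published asset and does not replace a signature.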
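Review bot: In the README.md hunk at `@@ -226,24 +233,14 @@`, the Open-Source Hygiene section loses the statement that `.env`, `.history` and the other local-only paths are ignored, and nothing in this patch shows that the ignore rules themselves are unchanged. Please confirm `.gitignore` still covers `.env`, and consider keeping a one-line pointer such as "local-only files are listed in `.gitignore`" so the remaining "Do not commit local credentials" sentence still tells contributors where that is enforced. Separately, as the lines read here, the rewrapped Documentation list no longer includes `[API contracts](docs/API_CONTRACTS.md)`; if that removal is intended it belongs in the commit message, otherwise the link should be restored.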
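Review bot: In the docs/DESKTOP.md hunk at `@@ -53,6 +53,20 @@`, the Linux block goes from `chmod +x SpecDock*.AppImage` straight to `./SpecDock*.AppImage` with no checksum step, while the Windows paragraph just above makes `Run anyway` conditional on verification. Suggest adding the same condition before the Linux code block. The glob is also fragile: with more than one matching download in the directory, `./SpecDock*.AppImage` runs the first match and passes the others as arguments, and `chmod +x` marks all of them executable, so the exact downloaded file name would be safer. In the Windows paragraph, "only if the checksum matches the GitHub Release asset" is ambiguous about what is compared; wording such as "only if the SHA-256 of the downloaded file matches its entry in `SHA256SUMS.txt`" states the check directly.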