The installer now downloads and verifies a .sha256 companion file before extracting and launching the menubar app. Build script and CI workflow generate the checksum alongside the zip. Adds SECURITY.md with reporting instructions. Addresses #215.
