docs: public surface polish — CI badge, README evidence hub, Nyquist HexDoc pointer (#26)

- README: add GitHub Actions CI badge; shorten release-evidence section; link to docs hub; use {:sigra, ~> 0.2}
- guides: replace internal Phase 9 wording with audit logging
- docs: add nyquist-posture-matrix.md (pointer to canonical .planning file on GitHub)
- mix.exs: ExDoc extras use docs stub instead of .planning path; simplify Docs group regex
- MAINTAINING: canonical matrix link to GitHub blob + link to packaged overview

Made-with: Cursor

Author: szTheory

MAINTAINING.md

@@ -37,7 +37,7 @@ The harness shells out to **`mix deps.get`** inside a generated tmp Phoenix app
 
 This section is the **maintainer front door** for how **Nyquist-style** evidence is read across GA phases **41-backup-codes** through **44-mfa-account-api**. It states what the posture matrix **does** guarantee (honest disposition + repo-relative evidence pointers + reopen triggers) and what it **does not** (it does not replace each phase’s **`*-VALIDATION.md`** / **`*-VERIFICATION.md`** as the source of **`nyquist_compliant:`** and waiver text).
 
-**Canonical detail** — full table, paths, and **v1.5** `ref:` block — lives in **[`.planning/nyquist-phases-41-44-matrix.md`](.planning/nyquist-phases-41-44-matrix.md)**. If this **`MAINTAINING.md`** summary ever disagrees with that file, **the matrix file wins**.
+**Canonical detail** — full table, paths, and **v1.5** `ref:` block — lives in **[`.planning/nyquist-phases-41-44-matrix.md`](https://github.com/szTheory/sigra/blob/main/.planning/nyquist-phases-41-44-matrix.md)** on GitHub (not shipped in the Hex package tarball). A short HexDocs-facing overview is **[`docs/nyquist-posture-matrix.md`](docs/nyquist-posture-matrix.md)**. If this **`MAINTAINING.md`** summary ever disagrees with the **`.planning/`** matrix file, **the matrix file wins**.
 
 **Reopen (installer-class drift):** when **`priv/templates/sigra.install/`** or **`lib/sigra/install/`** change, re-run the same scoped gate CI uses: **`PGUSER=postgres PGPASSWORD=postgres PGHOST=localhost MIX_ENV=test mix ci.install_golden`**. Phase-specific scoped tests remain defined in each phase’s **`41-backup-codes`** / **`44-mfa-account-api`** **`*-VERIFICATION.md`** files (see the matrix).
 

README.md

@@ -2,6 +2,7 @@
 
 [![Hex version](https://img.shields.io/hexpm/v/sigra.svg)](https://hex.pm/packages/sigra)
 [![Docs](https://img.shields.io/badge/hexdocs-api%20%26%20guides-5865F2)](https://hexdocs.pm/sigra)
+[![CI](https://github.com/szTheory/sigra/actions/workflows/ci.yml/badge.svg)](https://github.com/szTheory/sigra/actions/workflows/ci.yml)
 
 **Production-minded authentication for Phoenix 1.8+** — sessions, passwords, email flows, OAuth, MFA, passkeys, optional organizations and admin tooling — without treating security-sensitive code as throwaway scaffolding.
 
@@ -62,7 +63,7 @@ flowchart TD
 1. **Dependency** (`mix.exs`):
 
    ```elixir
-   {:sigra, "~> 0.2.0"}
+   {:sigra, "~> 0.2"}
    ```
 
 2. **Scaffold** (from app root; names must match your domain):
@@ -159,19 +160,14 @@ One clause each — depth lives in HexDocs and the guides linked in the next sec
 | **Enumeration** | Safer defaults on account discovery flows (details in HexDocs per flow). |
 | **Step-up** | Sudo / MFA challenge patterns integrate with Phoenix plugs and LiveView mounts as generated. |
 
-For threat-model detail and per-flow guarantees, use **HexDocs** and the verification narratives shipped with each release milestone — the README stays a map, not a spec.
+For threat-model detail and per-flow guarantees, use **HexDocs** and the guides above — the README stays a map, not a spec.
 
+## Release evidence (maintainers and auditors)
 
-## Production readiness & GA evidence
+Sigra keeps an **evidence hub** (what we ran versus waived for GA cuts, how CI maps to human UAT rows, and pointers to planning artifacts on GitHub). That material is **not** a compliance certificate for your application — integration and deployment risk stay with the **host**.
 
-Sigra's **Executed** items are procedures or artifacts we actually ran for the v1.4 milestone; **Waived** items are matrix rows we consciously did not re-run for that cut, with documented substitutes where applicable. Integration, deployment, and product-specific threats remain with the **host application**—this narrative is **not a compliance certification**, only an honest map to evidence.
-
-- [v1.4 requirements closure (tag snapshot)](https://github.com/sztheory/sigra/blob/v0.2.0/.planning/milestones/v1.4-REQUIREMENTS.md)
-- [v1.4 GA / UAT matrix (tag snapshot)](https://github.com/sztheory/sigra/blob/v0.2.0/.planning/v1.4-GA-UAT.md)
-- [Milestone index (tag snapshot)](https://github.com/sztheory/sigra/blob/v0.2.0/.planning/MILESTONES.md)
-- [How UAT rows relate to CI substitutes](uat-ci-coverage.md) (source: `docs/uat-ci-coverage.md`)
-
-On **hexdocs.pm/sigra**, the packaged hub lives at [`ga-evidence` for 0.2.0](https://hexdocs.pm/sigra/0.2.0/ga-evidence.html) so GitHub-first readers and HexDocs readers see the same pointers.
+- **[GA evidence and audit posture](docs/ga-evidence.md)** — router page; same content ships on [HexDocs](https://hexdocs.pm/sigra/ga-evidence.html).
+- **[UAT versus CI coverage](docs/uat-ci-coverage.md)** — machine versus human boundaries.
 
 Coordinated disclosure: [SECURITY.md](SECURITY.md).
 

docs/nyquist-posture-matrix.md

@@ -0,0 +1,16 @@
+# Nyquist posture matrix (maintainer)
+
+This page is a **HexDocs-packaged pointer** for the Nyquist-style **41–44** posture grid. It does not duplicate the full table.
+
+## Canonical source
+
+The **authoritative** matrix (all rows, `ref:` block, reopen triggers, and links to phase `VERIFICATION` / `VALIDATION` paths) lives in the repository at:
+
+**[`.planning/nyquist-phases-41-44-matrix.md`](https://github.com/szTheory/sigra/blob/main/.planning/nyquist-phases-41-44-matrix.md)** on GitHub.
+
+That path is **not** part of the Hex **package** tarball; clone the repo or use the link above. If anything here or in **[MAINTAINING.md](MAINTAINING.html)** disagrees with that file, **the `.planning/` matrix wins** (see **MAINTAINING.md** § Nyquist policy).
+
+## Related
+
+- [GA evidence and audit posture](ga-evidence.html)
+- [UAT versus CI coverage](uat-ci-coverage.html)

guides/introduction/installation.md

@@ -58,7 +58,7 @@ The generator also patches your router with the auth pipelines and scopes. Re-ru
 
     mix ecto.migrate
 
-This creates the `users` and `users_tokens` tables (plus any optional tables like `audit_events` if you enabled Phase 9 audit logging).
+This creates the `users` and `users_tokens` tables (plus any optional tables such as `audit_events` if you enabled **audit logging** in the installer).
 
 ## Smoke test
 

mix.exs

@@ -159,8 +159,6 @@ defmodule Sigra.MixProject do
         "CONTRIBUTING.md",
         "SECURITY.md",
         "MAINTAINING.md",
-        # Maintainer-only; linked from MAINTAINING.md — must be an extra so ExDoc validates the path under --warnings-as-errors.
-        ".planning/nyquist-phases-41-44-matrix.md",
         "LICENSE",
         "CHANGELOG.md",
         "guides/introduction/installation.md",
@@ -177,6 +175,7 @@ defmodule Sigra.MixProject do
         "docs/audit-semantics.md",
         "docs/uat-ci-coverage.md",
         "docs/ga-evidence.md",
+        "docs/nyquist-posture-matrix.md",
         "docs/NEXT-STEPS-MANUAL.md",
         "guides/recipes/testing.md",
         "guides/recipes/subdomain-auth.md",
@@ -189,7 +188,7 @@ defmodule Sigra.MixProject do
         Introduction: ~r{guides/introduction/.?},
         Flows: ~r{guides/flows/.?},
         Recipes: ~r{guides/recipes/.?},
-        Docs: ~r{^docs/|^SECURITY\.md$|^\.planning/nyquist-phases-41-44-matrix\.md$}
+        Docs: ~r{^docs/|^SECURITY\.md$}
       ],
       groups_for_modules: [
         Core: [Sigra, Sigra.Auth, Sigra.Config, Sigra.Crypto],