diff --git a/build b/build
index e6b62f1..071a51c 100755
--- a/build
+++ b/build
@@ -717,7 +717,34 @@ openssl pkeyutl -verify -pubin -inkey pubkey.pem \
           <p style="font-size: 0.85rem;">Output is <code class="inline">Signature Verified Successfully</code> on a clean download. Any other output (or no output and a non-zero exit) means the bytes do not match the published signature — do not trust them.</p>
         </div>
       </div>
-      <p style="margin-top: var(--spacing-md); font-size: 0.9rem; color: var(--color-text-muted);">For server deployments, configure the public key once and forget it. Two equivalent ways: pass <code class="inline">ZDDC_APPS_PUBKEY=/path/to/pubkey.pem</code> when starting <code class="inline">zddc-server</code>, or paste the PEM contents inline as <code class="inline">apps_pubkey:</code> in the root <code class="inline">.zddc</code> file (root-only, like <code class="inline">admins:</code>). The resolver fetches the <code class="inline">.sig</code> automatically and rejects any unsigned or invalid-signature artifact, falling back to the embedded copy. Operators wanting to enforce signature verification on locally-saved artifacts (Path A, "drop a copy into your archive") run the <code class="inline">openssl</code> verify command above as part of their save workflow.</p>
+      <h3 style="margin-top: var(--spacing-lg);">Configure <code class="inline">zddc-server</code> to auto-verify</h3>
+      <p>For server deployments, configure the public key once and the apps fetcher verifies every <code class="inline">apps:</code>-pinned URL automatically. Two equivalent ways — pick whichever matches how you already manage config:</p>
+      <div class="grid-2" style="margin-top: var(--spacing-md);">
+        <div class="pin-card">
+          <h3>Env var (k8s, systemd, Docker)</h3>
+          <p>Save <code class="inline">pubkey.pem</code> on your server, then point <code class="inline">zddc-server</code> at it:</p>
+<pre>curl -o /etc/zddc/pubkey.pem \
+  https://zddc.varasys.io/pubkey.pem
+
+ZDDC_APPS_PUBKEY=/etc/zddc/pubkey.pem \
+ZDDC_ROOT=/srv/zddc ./zddc-server</pre>
+          <p style="font-size: 0.85rem;">Fits the deployment shape where env vars are already the config plumbing — Helm chart values, systemd unit-file <code class="inline">Environment=</code>, Docker <code class="inline">-e</code>.</p>
+        </div>
+        <div class="pin-card">
+          <h3>Inline in root <code class="inline">.zddc</code></h3>
+          <p>Paste the PEM contents under <code class="inline">apps_pubkey:</code> in the root <code class="inline">.zddc</code>:</p>
+<pre># &lt;ZDDC_ROOT&gt;/.zddc
+admins: [you@yourcompany.com]
+acl:
+  allow: ["*@yourcompany.com"]
+apps_pubkey: |
+  -----BEGIN PUBLIC KEY-----
+  MCowBQYDK2VwAyEAXXaxIUIyOFnhD1eZs02nEt3xZ8izOi7bURFcpJ9iWZY=
+  -----END PUBLIC KEY-----</pre>
+          <p style="font-size: 0.85rem;">Honored only at the root <code class="inline">.zddc</code> (root-only, like <code class="inline">admins:</code>). When both forms are set, the env var wins. Subtree <code class="inline">.zddc</code> files with <code class="inline">apps_pubkey:</code> are silently ignored — the trust anchor doesn't cascade.</p>
+        </div>
+      </div>
+      <p style="margin-top: var(--spacing-md); font-size: 0.9rem; color: var(--color-text-muted);">When configured, the resolver fetches the <code class="inline">.sig</code> automatically on every URL-pinned <code class="inline">apps:</code> entry and rejects any unsigned or invalid-signature artifact, falling back to the embedded copy. Operators enforcing signature verification on locally-saved artifacts (Path A, "drop a copy into your archive") run the <code class="inline">openssl</code> verify command above as part of their save workflow.</p>
     </section>
 
     <!-- ───────────── Channels explainer ───────────── -->