Epic 3: Quickstart for normal humans — ISO/OVA/QCOW2 first, rebase advanced

Replace the Fedora-expertise-required quickstart with a "Choose Your Path"
table leading to four install methods:

- Path A: ISO (recommended) — download, flash USB, boot, setup wizard
- Path B: OVA — download, import into VirtualBox/VMware
- Path C: QCOW2 — download, create KVM VM
- Path D: Rebase (advanced) — for existing Fedora Silverblue operators

Zero references to "rebase" in beginner paths. Digest pinning moved to
"Advanced / Operator Install" section. Each path has copy-paste commands
for Linux/macOS/Windows and "What you should see after boot" descriptions.

Verification section: one canonical checksum command per platform (no extra
tools required for beginners). Advanced cosign/SLSA verification linked
separately.

README updated: quickstart table with links to each path, bootstrap
commands under "Advanced / Operator Install", new docs in tables.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: SecAI-Hub

README.md

@@ -46,41 +46,36 @@ Built on [uBlue](https://universal-blue.org/) (Fedora Atomic / Silverblue). All
 
 ## Quickstart
 
-### Install (Fedora Atomic)
+Download, verify, boot, run the setup wizard. See [docs/install/quickstart.md](docs/install/quickstart.md) for full details.
+
+| Method | Time | Best For |
+|--------|------|----------|
+| [**ISO**](docs/install/quickstart.md#path-a-install-from-iso-real-pc) (Recommended) | ~30 min | Real PC, full security |
+| [**OVA**](docs/install/quickstart.md#path-b-import-vm--virtualbox--vmware-ova) | ~15 min | Try it first (VirtualBox/VMware) |
+| [**QCOW2**](docs/install/quickstart.md#path-c-import-vm--kvm--proxmox--qemu-qcow2) | ~15 min | KVM / Proxmox |
+| [**Rebase**](docs/install/quickstart.md#path-d-advanced--rebase-from-existing-fedora) | ~45 min | Existing Fedora Silverblue |
+
+After boot, the setup wizard guides you through profile selection, system verification, and model import.
+
+### Advanced / Operator Install
+
+For production deployments with digest pinning and signing policy configuration:
 
 ```bash
-# 1. Download and review the signed bootstrap script
+# Review the bootstrap script, then run with a pinned digest
 curl -sSfL https://raw.githubusercontent.com/SecAI-Hub/SecAI_OS/main/files/scripts/secai-bootstrap.sh \
   -o /tmp/secai-bootstrap.sh
 less /tmp/secai-bootstrap.sh
-
-# 2. Run the bootstrap (configures signing policy + verified rebase)
-#    Use --digest from the latest release for production installs
 sudo bash /tmp/secai-bootstrap.sh --digest sha256:RELEASE_DIGEST
-
-# 3. Reboot and run the setup wizard
 sudo systemctl reboot
-sudo /usr/libexec/secure-ai/secai-setup-wizard.sh
 ```
 
-The bootstrap script verifies the image signature and configures the signing policy
-**before** the rebase, so the first pull uses the signed transport — no unverified
-pull is ever performed. See the [latest release](https://github.com/SecAI-Hub/SecAI_OS/releases/latest)
-for the digest, or omit `--digest` for evaluation.
-
-See [docs/install/](docs/install/) for detailed guides: [bare metal](docs/install/bare-metal.md) | [virtual machine](docs/install/vm.md) | [development](docs/install/dev.md) | [recovery](docs/install/recovery-bootstrap.md)
+See [bare metal](docs/install/bare-metal.md) | [virtual machine](docs/install/vm.md) | [development](docs/install/dev.md) | [recovery](docs/install/recovery-bootstrap.md)
 
 ### Get Your First Model
 
 Open `http://127.0.0.1:8480`, go to **Models**, and click **Download** on any model in the catalog. The 7-stage quarantine pipeline runs automatically. Once promoted, the model is ready to use.
 
-Or via CLI:
-
-```bash
-sudo cp your-model.gguf /var/lib/secure-ai/quarantine/incoming/
-journalctl -u secure-ai-quarantine-watcher -f  # watch pipeline
-```
-
 ---
 
 ## Architecture
@@ -317,6 +312,8 @@ All CI jobs are defined in [`.github/workflows/ci.yml`](.github/workflows/ci.yml
 | [FAQ](docs/faq.md) | Common questions |
 | [Glossary](docs/glossary.md) | Key terms and concepts |
 | [Non-Goals](docs/non-goals.md) | What SecAI OS does NOT try to do |
+| [Why is this safe?](docs/why-is-this-safe.md) | Plain-language security explanation |
+| [Telemetry Policy](docs/telemetry-policy.md) | No-telemetry guarantee |
 
 ### Component Docs
 
@@ -349,6 +346,7 @@ All CI jobs are defined in [`.github/workflows/ci.yml`](.github/workflows/ci.yml
 
 | Guide | Description |
 |-------|-------------|
+| [Quickstart](docs/install/quickstart.md) | Choose your path: ISO, OVA, QCOW2, or rebase |
 | [Bare Metal](docs/install/bare-metal.md) | Fresh install on dedicated hardware |
 | [Virtual Machine](docs/install/vm.md) | VirtualBox, VMware, KVM/QEMU |
 | [Development](docs/install/dev.md) | Local dev without OS rebase |

docs/install/quickstart.md

@@ -0,0 +1,174 @@
+# Quickstart
+
+Get SecAI OS running in the fewest steps possible. Choose the path that fits your hardware.
+
+## Choose Your Install Path
+
+| Method | Time | Difficulty | Best For |
+|--------|------|-----------|----------|
+| **ISO** (Recommended) | ~30 min | Easy | Real PC, full security |
+| **VM Import (OVA)** | ~15 min | Easy | Try it first (VirtualBox/VMware) |
+| **VM Import (QCOW2)** | ~15 min | Easy | KVM / Proxmox / QEMU |
+| **Rebase** (Advanced) | ~45 min | Moderate | Existing Fedora Silverblue |
+
+---
+
+## Path A: Install from ISO (Real PC)
+
+This gives you the full security stack including Secure Boot, TPM2, and hardware isolation.
+
+**1. Download the ISO**
+
+Go to the [latest release](https://github.com/SecAI-Hub/SecAI_OS/releases/latest) and download `secai-os-<version>-x86_64.iso`.
+
+**2. Write to USB**
+
+Linux/macOS:
+```bash
+sudo dd if=secai-os-*.iso of=/dev/sdX bs=4M status=progress
+sync
+```
+
+Windows: Use [Rufus](https://rufus.ie) — select the ISO, choose your USB drive, and click Start.
+
+**3. Boot from USB**
+
+Restart your computer. Enter the boot menu (usually F12, F2, or Esc) and select the USB drive. Follow the installer prompts.
+
+**4. First boot**
+
+After installation completes and the system reboots, open a browser to:
+```
+http://127.0.0.1:8480
+```
+
+**What you should see:** The SecAI OS setup wizard. It will ask you to choose a privacy profile, verify system health, and import your first AI model.
+
+---
+
+## Path B: Import VM — VirtualBox / VMware (OVA)
+
+For evaluation. Note: VM installs cannot use TPM2 sealing or Secure Boot chain verification.
+
+**1. Download the OVA**
+
+Go to the [latest release](https://github.com/SecAI-Hub/SecAI_OS/releases/latest) and download `secai-os-<version>.ova`.
+
+> OVA may not be available in every release. If absent, use Path C (QCOW2) or Path A (ISO).
+
+**2. Import**
+
+- **VirtualBox:** File → Import Appliance → select the OVA → Import
+- **VMware:** File → Open → select the OVA → Import
+
+**3. Start the VM and open the UI**
+
+Start the VM. After boot, open a browser to the VM's IP on port 8480:
+```
+http://<vm-ip>:8480
+```
+
+If using NAT networking, forward port 8480 from the VM to your host, then use `http://127.0.0.1:8480`.
+
+**What you should see:** The setup wizard with profile selection, system check, and model import.
+
+---
+
+## Path C: Import VM — KVM / Proxmox / QEMU (QCOW2)
+
+**1. Download the QCOW2**
+
+Go to the [latest release](https://github.com/SecAI-Hub/SecAI_OS/releases/latest) and download `secai-os-<version>.qcow2`.
+
+> QCOW2 may not be available in every release. If absent, use Path A (ISO).
+
+**2. Create a VM**
+
+```bash
+# Example: create and start a KVM VM using the downloaded disk
+virt-install \
+  --name secai-os \
+  --memory 16384 \
+  --vcpus 4 \
+  --disk path=secai-os-*.qcow2,format=qcow2 \
+  --import \
+  --os-variant fedora42 \
+  --network default \
+  --noautoconsole
+```
+
+**3. Access the UI**
+
+```bash
+# Find the VM's IP
+virsh domifaddr secai-os
+# Open in browser
+xdg-open http://<vm-ip>:8480
+```
+
+**What you should see:** The setup wizard.
+
+---
+
+## Path D: Advanced — Rebase from Existing Fedora
+
+If you already have Fedora Silverblue (F42+), you can rebase directly. This is the operator path.
+
+See [bare-metal.md](bare-metal.md) for the full bootstrap flow with digest pinning and signing policy configuration.
+
+```bash
+# Quick version (evaluation only — use --digest for production)
+curl -sSfL https://raw.githubusercontent.com/SecAI-Hub/SecAI_OS/main/files/scripts/secai-bootstrap.sh \
+  -o /tmp/secai-bootstrap.sh
+less /tmp/secai-bootstrap.sh   # Review first
+sudo bash /tmp/secai-bootstrap.sh
+sudo systemctl reboot
+```
+
+After reboot, open `http://127.0.0.1:8480` and run the setup wizard.
+
+---
+
+## After Boot: First-Time Setup
+
+Regardless of install path, the setup wizard guides you through:
+
+1. **Choose your privacy level** — Maximum Privacy (default), Web-Assisted Research, or Full Lab
+2. **System check** — verifies core services are running
+3. **Import a model** — upload a `.gguf` model file (it goes through the 7-stage quarantine pipeline automatically)
+4. **Start chatting** — once the model is promoted, you're ready
+
+---
+
+## Verify Your Install (Optional)
+
+After downloading any release artifact, you can verify its integrity.
+
+**Linux / macOS:**
+```bash
+curl -sSfL https://github.com/SecAI-Hub/SecAI_OS/releases/latest/download/SHA256SUMS -o SHA256SUMS
+sha256sum -c SHA256SUMS --ignore-missing
+```
+
+**Windows (PowerShell):**
+```powershell
+Invoke-WebRequest -Uri "https://github.com/SecAI-Hub/SecAI_OS/releases/latest/download/SHA256SUMS" -OutFile SHA256SUMS
+$expected = (Get-Content SHA256SUMS | Select-String "secai-os").Line.Split()[0]
+$actual = (Get-FileHash "secai-os-*.iso" -Algorithm SHA256).Hash.ToLower()
+if ($expected -eq $actual) { "OK: checksum matches" } else { "FAIL: checksum mismatch" }
+```
+
+For advanced verification (cosign signatures, SLSA3 provenance), see [sample-release-bundle.md](../docs/sample-release-bundle.md) or run:
+```bash
+make verify-release
+```
+
+---
+
+## Next Steps
+
+- [Import a GGUF Model](../examples/import-gguf-model.md)
+- [Enable Web Search](../examples/enable-web-search.md)
+- [Vault Management](../examples/lock-unlock-vault.md)
+- [Security Dashboard](http://127.0.0.1:8480/security) — verify your appliance health
+- [Why is this safe?](../docs/why-is-this-safe.md) — plain-language security explanation