Install ergonomics: GitHub release workflow + install.sh + README quickstart

For 'people should say just use iamroot' framing, the install gate is
the single biggest discoverability bottleneck. This commit makes it:

  curl -sSL https://github.com/KaraZajac/IAMROOT/releases/latest/download/install.sh | sh

.github/workflows/release.yml:
- Triggers on semver tag push (v*.*.*) + manual dispatch.
- Matrix build for x86_64 (gcc) and arm64 (aarch64-linux-gnu-gcc cross).
- Per-arch sha256sum alongside the binary.
- Auto-generates release notes pointing at CVES.md / ROADMAP.md and
  including the install one-liner with the version-specific URL.
- Publishes via softprops/action-gh-release@v2.

install.sh (also uploaded as a release artifact, so the curl|sh
above is stable):
- Detects arch (x86_64 / aarch64 → arm64).
- Pulls iamroot-<arch> + iamroot-<arch>.sha256 from the requested
  version (default: latest).
- Verifies sha256 via sha256sum or shasum -a 256.
- Installs to /usr/local/bin/iamroot (or $IAMROOT_PREFIX). Uses sudo
  iff /usr/local/bin isn't already writable.
- Prints quickstart hints + ethics pointer at the end.
- Env knobs: IAMROOT_VERSION, IAMROOT_PREFIX, IAMROOT_REPO.

README.md gains a 'Quickstart' section at the top with the four
canonical commands: install, --scan, --audit, --detect-rules,
fleet-scan. Lands the 'curl|bash and go' UX as the first thing
visitors see.

.github/workflows/release.yml

@@ -0,0 +1,120 @@
+name: release
+
+# Triggers on semver tag push (v0.1.0, v0.1.1, etc.). Builds release
+# artifacts for x86_64 and arm64, then publishes them on a GitHub
+# Release matching the tag.
+#
+# Maintainer flow:
+#   git tag v0.1.0
+#   git push origin v0.1.0
+#   → CI builds + publishes release with iamroot-x86_64 + iamroot-arm64
+
+on:
+  push:
+    tags: ['v*.*.*']
+  workflow_dispatch:   # allow manual re-runs
+
+permissions:
+  contents: write      # needed by softprops/action-gh-release
+
+jobs:
+  build:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - target: x86_64
+            cc: gcc
+            apt: build-essential
+          - target: arm64
+            cc: aarch64-linux-gnu-gcc
+            apt: build-essential gcc-aarch64-linux-gnu
+    name: build (${{ matrix.target }})
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: install build deps
+        run: |
+          sudo apt-get update -qq
+          sudo apt-get install -y --no-install-recommends ${{ matrix.apt }} linux-libc-dev
+
+      - name: build
+        env:
+          CC: ${{ matrix.cc }}
+        run: |
+          make
+          file iamroot
+          ls -la iamroot
+
+      - name: rename + checksum
+        run: |
+          mv iamroot iamroot-${{ matrix.target }}
+          sha256sum iamroot-${{ matrix.target }} > iamroot-${{ matrix.target }}.sha256
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: iamroot-${{ matrix.target }}
+          path: |
+            iamroot-${{ matrix.target }}
+            iamroot-${{ matrix.target }}.sha256
+
+  release:
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/download-artifact@v4
+        with:
+          path: dist
+
+      - name: flatten artifacts
+        run: |
+          find dist -type f -exec mv {} . \;
+          ls -la iamroot-*
+
+      - name: collect release notes
+        id: notes
+        run: |
+          tag="${GITHUB_REF#refs/tags/}"
+          echo "tag=$tag" >> "$GITHUB_OUTPUT"
+          # Pull the latest entry from CVES.md / ROADMAP.md for the body
+          {
+            echo "## IAMROOT $tag"
+            echo
+            echo "Pre-built binaries for x86_64 and arm64. Checksums alongside."
+            echo
+            echo "### Install"
+            echo
+            echo '```bash'
+            echo "curl -sSLfo /tmp/iamroot https://github.com/${GITHUB_REPOSITORY}/releases/download/${tag}/iamroot-\$(uname -m | sed s/aarch64/arm64/)"
+            echo "chmod +x /tmp/iamroot && sudo mv /tmp/iamroot /usr/local/bin/iamroot"
+            echo "iamroot --version"
+            echo '```'
+            echo
+            echo "Or one-shot via the install script:"
+            echo
+            echo '```bash'
+            echo "curl -sSL https://github.com/${GITHUB_REPOSITORY}/releases/download/${tag}/install.sh | sh"
+            echo '```'
+            echo
+            echo "### What's in this release"
+            echo
+            echo "See [\`CVES.md\`](https://github.com/${GITHUB_REPOSITORY}/blob/${tag}/CVES.md) for the curated CVE inventory."
+            echo "See [\`ROADMAP.md\`](https://github.com/${GITHUB_REPOSITORY}/blob/${tag}/ROADMAP.md) for phase progress."
+          } > release-notes.md
+
+      - name: publish release
+        uses: softprops/action-gh-release@v2
+        with:
+          tag_name: ${{ steps.notes.outputs.tag }}
+          name: IAMROOT ${{ steps.notes.outputs.tag }}
+          body_path: release-notes.md
+          files: |
+            iamroot-x86_64
+            iamroot-x86_64.sha256
+            iamroot-arm64
+            iamroot-arm64.sha256
+            install.sh
+          fail_on_unmatched_files: false   # install.sh may not exist at first tag