Document Windows portable USB flashing steps

Author: SecAI-Hub

README.md

@@ -215,6 +215,13 @@ Python services (`ui`, `agent`, `quarantine`, `diffusion-worker`, `search-mediat
 
 A signed bootable installer ISO is built by every tagged release using [build-container-installer](https://github.com/JasonN3/build-container-installer). Each release also includes a compressed portable USB image (`secai-os-*-usb.raw.xz`) built from the same bootc container so the OS can be flashed directly to a USB stick and run without first installing to the internal disk. Both artifacts are available as **workflow artifacts** (90-day retention) from the [Release workflow runs](https://github.com/SecAI-Hub/SecAI_OS/actions/workflows/release.yml), and their cosign signatures are published to the GitHub Release for verification.
 
+For Windows users writing the portable USB image:
+
+- Prefer **USBImager** for `*.raw.xz` because it can write compressed disk images directly.
+- In **Rufus**, keep **Boot selection** set to `Disk or ISO image`, click `SELECT`, and choose the portable USB image. If Rufus does not accept `*.raw.xz`, extract it to `*.raw` first with 7-Zip and select the extracted file instead.
+- Do **not** choose `MS-DOS`, `FreeDOS`, or `Non bootable` for the portable USB image.
+- Boot the USB in **UEFI** mode with Legacy/CSM disabled. If firmware still refuses the media, temporarily disable Secure Boot for troubleshooting.
+
 To build portable USB or VM media locally from the OCI image:
 
 ```bash

docs/install/quickstart.md

@@ -60,7 +60,63 @@ http://127.0.0.1:8480
 
 ---
 
-## Path B: Build a VM Image Locally
+## Path B: Run From a Portable USB
+
+This path is for evaluation directly from removable media without first installing to the internal disk.
+
+**1. Download the portable USB image**
+
+Get the latest `secai-os-*-usb.raw.xz` workflow artifact from the
+[Release workflow](https://github.com/SecAI-Hub/SecAI_OS/actions/workflows/release.yml).
+
+**2. Verify the checksum**
+
+Download `SHA256SUMS` from the matching release bundle or workflow output and
+confirm that the hash for `secai-os-*-usb.raw.xz` matches your download.
+
+**3. Write it to the USB drive**
+
+**Windows (recommended):**
+
+- Prefer **USBImager**. It can write `*.raw.xz` images directly.
+- Select the downloaded `secai-os-*-usb.raw.xz` file.
+- Select the USB drive.
+- Click `Write`.
+
+**Windows (Rufus fallback):**
+
+- Set **Boot selection** to `Disk or ISO image`.
+- Click `SELECT` and choose the portable USB image.
+- If Rufus does not accept `*.raw.xz`, extract it to `*.raw` first with 7-Zip and select the extracted file.
+- Do **not** choose `MS-DOS`, `FreeDOS`, or `Non bootable`.
+- If Rufus offers `DD` vs `ISO` write modes, choose `DD`.
+
+**Linux / macOS:**
+
+```bash
+# Linux
+xz -dk secai-os-<version>-x86_64-usb.raw.xz
+sudo dd if=secai-os-<version>-x86_64-usb.raw of=/dev/sdX bs=16M status=progress oflag=sync
+
+# macOS
+xz -dk secai-os-<version>-x86_64-usb.raw.xz
+sudo dd if=secai-os-<version>-x86_64-usb.raw of=/dev/rdiskN bs=16m
+sync
+```
+
+Replace `/dev/sdX` or `/dev/rdiskN` with the actual removable device.
+
+**4. Boot from the USB**
+
+- Use the firmware's explicit **UEFI USB** boot entry.
+- Disable **Legacy/CSM** mode.
+- If the USB still does not appear bootable, try one test with **Secure Boot temporarily disabled** to distinguish firmware policy issues from a bad write.
+
+**What you should see:** The system should boot directly from the USB image rather than showing the installer-only ISO menu.
+
+---
+
+## Path C: Build a VM Image Locally
 
 If you want a self-contained VM image without installing Fedora first, you can build one from the OCI image using the included scripts. This requires a Linux host with KVM/QEMU.
 
@@ -107,7 +163,7 @@ virsh domifaddr secai-os
 
 ---
 
-## Path C: Development Mode
+## Path D: Development Mode
 
 Run individual services locally for development without rebasing your OS. No security features (sandboxing, firewall, vault) are active.