docs: update readme

Author: 0x77dev

README.md

@@ -10,30 +10,23 @@ It’s designed to be a practical alternative to “traditional” PDF signing w
 
 The signed output stays minimal: the original PDF content is preserved and the signature is appended, keeping the file compliant so it still opens normally in standard PDF viewers.
 
-## Features
-
-* **Simple CLI**: `sign` and `verify` commands that compose well in pipelines.
-* **Works with your existing GPG setup**: Uses `gpg-agent` (smartcards/YubiKey supported) and reads your local keybox (`pubring.kbx`) for public key lookups.
-* **Hardware-friendly**: Private keys can stay on a smartcard/YubiKey.
-* **Lightweight distribution**: Standard Cargo binary (`cargo install …`) with no `gpg` subprocesses.
-
-## Security model
-
-* **No private keys in the tool**: All signing operations are performed by `gpg-agent`.
-* **Reduced key exposure**: Private keys never need to be loaded into this process.
-* **Explicit verification**: Verifies using your local keybox by default (no `gpg` subprocess), or a provided certificate via `--cert`.
-* **Privacy by default**: Signer UIDs (name/email) are not embedded in the signature unless enabled.
-
 ## Quickstart
 
-### Install
+### Install with Cargo
 
 ```bash
 cargo install --git https://github.com/0x77dev/pdf-sign --locked
 pdf-sign sign document.pdf --key 0xDEADBEEF
 ```
 
-### Local build/run
+### Install with Nix Profile
+
+```bash
+nix profile install github:0x77dev/pdf-sign#pdf-sign
+pdf-sign sign document.pdf --key 0xDEADBEEF
+```
+
+### Build from Source
 
 If you cloned the repo:
 
@@ -42,11 +35,16 @@ cargo build --release
 ./target/release/pdf-sign sign input.pdf --key 0xDEADBEEF
 ```
 
-### Nix (flake)
+With Nix (flake):
 
 ```bash
+# Development shell
 nix develop
 cargo build
+
+# Or build the package directly
+nix build
+./result/bin/pdf-sign sign input.pdf --key 0xDEADBEEF
 ```
 
 Remote (no clone):
@@ -55,21 +53,23 @@ Remote (no clone):
 # Run directly from GitHub
 nix run github:0x77dev/pdf-sign -- --help
 
-# Dev shell from GitHub
-nix develop github:0x77dev/pdf-sign -c cargo build
+# Build package from GitHub
+nix build github:0x77dev/pdf-sign#pdf-sign
 ```
 
-Build a package:
+## Features
 
-```bash
-nix build
-```
+* **Simple CLI**: `sign` and `verify` commands that compose well in pipelines.
+* **Works with your existing GPG setup**: Uses `gpg-agent` (smartcards/YubiKey supported) and reads your local keybox (`pubring.kbx`) for public key lookups.
+* **Hardware-friendly**: Private keys can stay on a smartcard/YubiKey.
+* **Lightweight distribution**: Standard Cargo binary (`cargo install …`) with no `gpg` subprocesses.
 
-Remote build:
+## Security model
 
-```bash
-nix build github:0x77dev/pdf-sign#pdf-sign
-```
+* **No private keys in the tool**: All signing operations are performed by `gpg-agent`.
+* **Reduced key exposure**: Private keys never need to be loaded into this process.
+* **Explicit verification**: Verifies using your local keybox by default (no `gpg` subprocess), or a provided certificate via `--cert`.
+* **Privacy by default**: Signer UIDs (name/email) are not embedded in the signature unless enabled.
 
 ## Methodology