ci: refactoring some things and removing others

Lots of source additions here from long-standing notes over the past few
months. Squashed to make it neater than 219 commits.

- bump version to v1.2.4, Jun 2026
- expand Tor section with new "Traffic analysis and the limits of Tor" subsection
  guard node persistence, website fingerprinting, and a practical breakdown of
  when Tor is and is not sufficient
- expand hardware/firmware threat section with new subsections on firmware
  implants, USB attack hardware (O.MG Cable, Rubber Ducky), Evil Maid attacks,
  supply chain compromise, and a physical inspection checklist
- rename "Removing Metadata from Files/Documents/Pictures" section to "Metadata
  auditing"; add reference table of tools by file type; expand EXIF/XMP coverage,
  PDF metadata (font fingerprinting), and DOCX revision history with real-world
  source identification cases; restructure subsections
- add introductory paragraph to "Your Metadata" section
- add new appendix B8: operational security failure case studies with common
  threads
- add new appendix B9: post-quantum cryptography covering HNDL threat, NIST PQC
  standards, Signal's PQXDH, browser hybrid KEM, PGP limitations, VPN guidance,
  and Monero note
- add new appendix C1: stylometric analysis and writing style covering features
  measured, deployed tools, real cases (J.K. Rowling), effective and ineffective
  countermeasures including AI rewriting
- fix Dangerzone GitHub URL (firstlook -> freedomofpress)
- Remove duplicate footnote [^500]; minor wording fixes ("users" -> "people",
  passive voice tweaks, cross-reference updates)

- docs/index.md: both MSK and RSK GPG fingerprints in a collapsible tip admonition
  instead of bare text
- docs/about/index.md: convert Note admonitions to tip; reformat social media
  links into collapsible tip block
- docs/mirrors/index.md: simplify PDF download instructions to point to Releases;
- README.md: add star history chart
- mkdocs.yml: rename site to "The Hitchhiker's Guide"; update site description
  with hashtags

- sign.yml: remove commented-out workflow_run trigger and if: condition; add
  verify job that runs after sign, downloads artifacts, runs verify_pdf.py, and
  writes a full job summary with hashes; update artifact upload description; minor
  comment and whitespace cleanup
- release.yml, changelog.yml: replace decorative banner comments with single-line
  comments; fix trailing-space style in permissions block
- publish.yml: remove stale comment about nomaterial theme
- verify_pdf.py: full rewrite: replace single-hash-file lookup with flexible
  resolver that checks both bare hash files (.sha256, .b2sum) and two-column
  sumfiles (sha256sums.txt, b2sums.txt); add BLAKE2b verification alongside
  SHA-256; fix signature extension (.asc not .sig); improve CLI (--file,
  --export-dir flags; remove --all; default runs all checks); improve VirusTotal
  output with direct link; cleaner output formatting with ruled separators

.github/workflows/release.yml

@@ -18,8 +18,8 @@ on:
         type: boolean
 
 permissions:
-  contents: write  # create releases and tags
-  actions:  read   # download artifacts from other runs
+  contents: write # create releases and tags
+  actions:  read  # download artifacts from other runs
 
 jobs:
   release:
@@ -33,9 +33,7 @@ jobs:
           fetch-depth: 0
           sparse-checkout: pgp
 
-      # ------------------------------------------------------------------ #
-      #  Download artifacts from the specified sign run
-      # ------------------------------------------------------------------ #
+      # Download artifacts from the specified sign run
       - name: 📥 Download signatures artifact
         uses: actions/download-artifact@v4
         with:
@@ -55,9 +53,7 @@ jobs:
       - name: 📋 List release assets
         run: ls -lh release/
 
-      # ------------------------------------------------------------------ #
-      #  Read hashes for the release body
-      # ------------------------------------------------------------------ #
+      # Read hashes for the release body
       - name: "#️⃣ Read hashes"
         id: hashes
         run: |
@@ -67,9 +63,7 @@ jobs:
           echo "light_b2=$(read_hash thgtoa.pdf.b2sum)"           >> $GITHUB_OUTPUT
           echo "dark_b2=$(read_hash thgtoa-dark.pdf.b2sum)"       >> $GITHUB_OUTPUT
 
-      # ------------------------------------------------------------------ #
-      #  VirusTotal
-      # ------------------------------------------------------------------ #
+      # VirusTotal
       - name: 🦠 Upload PDFs to VirusTotal
         id: vt
         uses: crazy-max/ghaction-virustotal@v5
@@ -95,9 +89,7 @@ jobs:
             echo "dark_vt=(not built)" >> $GITHUB_OUTPUT
           fi
 
-      # ------------------------------------------------------------------ #
-      #  Generate release tag — timestamp + short SHA, always unique
-      # ------------------------------------------------------------------ #
+      # Generate release tag — timestamp + short SHA, always unique
       - name: 🏷️ Generate release tag
         id: tag
         run: |
@@ -109,9 +101,7 @@ jobs:
           echo "name=$NAME" >> $GITHUB_OUTPUT
           echo "Tag: $TAG"
 
-      # ------------------------------------------------------------------ #
-      #  Create GitHub Release
-      # ------------------------------------------------------------------ #
+      # Create GitHub Release
       - name: 🚀 Create GitHub Release
         uses: softprops/action-gh-release@v2
         with: