update docs

michaelliao · michaelliao · commit c0fca9134ae5 · 2026-05-22T23:15:54.000+08:00
diff --git a/docs/index.md b/docs/index.md
@@ -49,14 +49,16 @@ Your master password derives a key that unwraps the Data Encryption Key (DEK). T
 
 ## Requirements
 
-- Java 25 or later (bundled in the release package)
+- A modern desktop OS (Windows 10+, macOS 12+, or a recent Linux). The release is shipped as a self-contained Native AOT binary — no runtime install required.
 - Chrome browser (for the extension)
 
 ## Build from Source
 
+The desktop app is a C#/.NET project compiled with Native AOT. From the repository root:
+
 ```bash
-cd desktop
-mvn clean package
+dotnet publish MyPasswordDesktop/MyPasswordDesktop.csproj \
+    -c Release -r <rid> --self-contained true -o publish
 ```
 
-The app image is output to `desktop/target/dist/`.
+Replace `<rid>` with your target runtime: `win-x64`, `osx-arm64`, `osx-x64`, or `linux-x64`. The standalone binary is written to `publish/`.
diff --git a/docs/key-gen.md b/docs/key-gen.md
@@ -14,7 +14,7 @@ MyPassword uses a two-layer encryption architecture. A random **Data Encryption
 
 ## DEK Generation
 
-A 256-bit DEK is generated using `java.security.SecureRandom` when the vault is first created. This key is never stored in plaintext — it is always wrapped by a derived key.
+A 256-bit DEK is generated using a cryptographically secure random number generator (.NET's `System.Security.Cryptography.RandomNumberGenerator`) when the vault is first created. This key is never stored in plaintext — it is always wrapped by a derived key.
 
 ## Master Password Path
 
@@ -198,7 +198,7 @@ If OAuth recovery is enabled and the attacker gains control of the linked Google
 
 ### 3. Memory Dump While Unlocked
 
-While the vault is unlocked, the DEK is held in plaintext in JVM heap memory. An attacker with local access (e.g. malware, physical access to an unlocked machine) could dump the process memory and extract the DEK.
+While the vault is unlocked, the DEK is held in plaintext in process memory. An attacker with local access (e.g. malware, physical access to an unlocked machine) could dump the process memory and extract the DEK.
 
 **Mitigation:** The 10-minute auto-lock reduces the exposure window. Lock the vault manually when stepping away. Keep the OS and software up to date.
 
