refactor(peer): name streamed integrity boundary

NEXT_STEPS item 4 needed the streamed-install integrity model to be a
conscious decision. Keep the current runtime behavior, but name it as
sender archive integrity: the receiver verifies streamed file size and
RAR CRC32 from the sender's archive metadata before committing the
install transaction.

This protects against truncation, transport corruption, and stream
provider bugs. It deliberately does not claim malicious-peer protection,
because the sender controls both the streamed bytes and the RAR metadata.
The docs now say that trusted content requires a future catalog schema
with catalog-owned archive or extracted-file SHA-256 hashes.

Test Plan:
- just fmt
- just test
- just clippy
- python3 crates/lanspread-peer-cli/scripts/run_extended_scenarios.py S41 --build-image
- git diff --check
- git diff --cached --check

Refs: NEXT_STEPS.md item 4
2026-06-07 22:05:03 +02:00
parent 0e970dcec7
commit bb7497c0ff
4 changed files with 112 additions and 31 deletions
@@ -166,6 +166,18 @@ Most scans become O(number of game dirs), with full recursion only when needed.
scratch sentinel files. `local/` and install transaction metadata are
preserved, so a cancelled update of an installed game settles as local-only.
### Streamed install integrity
- Low-disk streamed installs request archive-derived file bytes from one peer
and write them directly into the install transaction staging directory.
- The receiver verifies every streamed file against the sender archive's file
size and RAR CRC32 before the transaction may commit. This catches truncated
streams, transport corruption, and provider bugs.
- This is not malicious-peer protection: the peer controls both the archive
metadata and the streamed bytes. A trusted-content model needs catalog-owned
hashes, either for the root archives or for extracted files, and receiver-side
SHA-256 verification against those catalog values before commit.
## Fault tolerance rules
- Every peer is keyed by `peer_id`, not by IP address.
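Review bot: the new "Streamed install integrity" section states what the receiver checks but not what it does on a mismatch; after "before the transaction may commit" add a sentence saying whether a size or CRC32 failure aborts the whole install transaction or only that file, and whether the receiver retries the file from another peer. It would also help to say that CRC32 is an error-detecting code rather than a cryptographic hash, so even the non-malicious guarantee ("catches truncated streams, transport corruption, and provider bugs") is probabilistic, which makes the later point about catalog-owned SHA-256 hashes follow naturally.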