diff --git a/docs/SECURITY-INTEGRATION.md b/docs/SECURITY-INTEGRATION.md
index 841ec58..d4593c4 100644
--- a/docs/SECURITY-INTEGRATION.md
+++ b/docs/SECURITY-INTEGRATION.md
@@ -67,6 +67,27 @@ This document details the integration of `php-aegis` and `sanctify-php` security
 - Direct php-aegis integration (requires 8.1+)
 - Stable and widely deployed
 
+### WordPress Version Policy
+
+**Hard Floor: WordPress 6.0+** - We do not support WordPress 5.x under any circumstances.
+
+**Rationale**: WordPress 5.x was designed for PHP 7.x and lacks modern security APIs, block editor maturity, and performance improvements present in 6.x. If you're running WordPress < 6.0, you're missing critical security patches and should upgrade immediately. Running outdated WordPress is one of the primary vectors for site compromise - this plugin cannot protect you from that fundamental vulnerability.
+
+**Actual Requirement: WordPress 6.4+**
+
+| WordPress Version | PHP Support | Our Support |
+|-------------------|-------------|-------------|
+| 5.x | PHP 7.4+ | ❌ Never |
+| 6.0-6.3 | PHP 8.0+ | ❌ No (below floor) |
+| 6.4 | PHP 8.2+ | ✅ **Minimum** |
+| 6.5+ | PHP 8.3+ | ✅ Supported |
+
+**Why 6.4 specifically?**
+- First version with full PHP 8.2 support
+- Improved security headers and CSP support
+- Modern block editor with security fixes
+- Active security updates
+
 ---
 
 ## Integration Architecture
@@ -171,3 +192,91 @@ For the sanctify-php upstream project:
 |---------|------|--------|
 | 1.1.0 | 2025-12-27 | Initial php-aegis integration (PHP 7.4 compat layer) |
 | 1.2.0 | 2025-12-27 | Full php-aegis integration, PHP 8.2+ requirement |
+
+---
+
+## Integration Learning Report
+
+This section documents lessons learned during the integration process, intended as feedback for the upstream `php-aegis` and `sanctify-php` projects.
+
+### php-aegis Integration Findings
+
+#### What Worked Well
+
+1. **Simple, focused API** - The `Validator` and `Sanitizer` classes have a clean, minimal interface that's easy to understand and integrate.
+2. **Zero dependencies** - No external dependencies means no version conflicts with WordPress or other plugins.
+3. **PSR-12 compliance** - Code quality is high and follows modern PHP standards.
+4. **Type safety** - Strict typing throughout helps catch bugs at development time.
+
+#### Issues Encountered
+
+| Issue | Severity | Description | Suggested Fix |
+|-------|----------|-------------|---------------|
+| PHP 8.1+ requirement | High | Many WordPress sites still run PHP 7.4/8.0. Initial integration required a compatibility shim. | Consider a `php-aegis-compat` package or conditional feature degradation |
+| No WordPress adapter | Medium | WordPress uses snake_case; php-aegis uses camelCase. Required wrapper methods. | Provide optional WordPress adapter |
+| Limited validator set | Low | Only email/url validation. Had to use native PHP for int/bool/ip validation. | Expand Validator class with more methods |
+
+#### Recommendations for php-aegis
+
+1. **Priority High**: Document PHP version requirement prominently in README
+2. **Priority Medium**: Consider WordPress/Laravel/Symfony adapters
+3. **Priority Low**: Add `Validator::int()`, `Validator::ip()`, `Validator::domain()` methods
+4. **Priority Low**: Add `Sanitizer::sql()` for prepared statement escaping hints
+
+### sanctify-php Integration Findings
+
+#### What Worked Well
+
+1. **WordPress-aware** - The `Sanctify.WordPress.Constraints` module understands WordPress-specific patterns (ABSPATH, nonces, capabilities).
+2. **Comprehensive detection** - Covers OWASP top 10 vulnerabilities with taint tracking.
+3. **SARIF output** - Standard format integrates with GitHub Security tab.
+
+#### Issues Encountered
+
+| Issue | Severity | Description | Suggested Fix |
+|-------|----------|-------------|---------------|
+| Haskell dependency | Critical | Requires full Haskell toolchain (GHC, Cabal). Most PHP developers don't have this. | Pre-built binaries for Linux/macOS/Windows |
+| No CI integration | High | No GitHub Action available. Had to write custom workflow (currently commented out). | Official `sanctify-php-action` |
+| Installation complexity | High | `cabal install` is unfamiliar to PHP ecosystem. | PHP Composer plugin that downloads binaries |
+| No incremental analysis | Medium | Full codebase scan on every run. Slow for large projects. | Cache analysis results, only re-scan changed files |
+
+#### Recommendations for sanctify-php
+
+1. **Priority Critical**: Pre-built binaries (eliminate Haskell requirement for end users)
+2. **Priority High**: GitHub Action for CI integration
+3. **Priority High**: Composer plugin wrapper (`composer require --dev hyperpolymath/sanctify-php`)
+4. **Priority Medium**: Incremental analysis mode for faster CI runs
+5. **Priority Low**: VS Code extension for real-time feedback
+
+### General Observations
+
+#### The PHP Security Library Ecosystem Gap
+
+There's a notable gap in the PHP ecosystem for security libraries that are:
+- Modern (PHP 8.0+)
+- WordPress-compatible
+- Zero-dependency
+- Well-documented
+
+php-aegis fills part of this gap but could expand to become a more comprehensive solution.
+
+#### Static Analysis Tool Adoption Barriers
+
+The biggest barrier to sanctify-php adoption is the Haskell dependency. PHP developers expect:
+- `composer require` installation
+- No external runtime dependencies
+- Sub-second startup time
+
+Consider compiling to a standalone binary or WASM for browser-based analysis.
+
+### Metrics
+
+| Metric | Before | After |
+|--------|--------|-------|
+| Files with `strict_types` | 0 | 24 (100%) |
+| Files with SPDX headers | 0 | 24 (100%) |
+| Centralized security class | No | Yes |
+| PHP version | 7.4+ | 8.2+ |
+| WordPress version | 5.8+ | 6.4+ |
+| External security deps | 0 | 1 (php-aegis) |
+| CI security checks | 0 | 4 (PHPStan, WPCS, patterns, strict_types) |