diff --git a/.markdownlint.yaml b/.markdownlint.yaml
new file mode 100644
index 0000000..7135876
--- /dev/null
+++ b/.markdownlint.yaml
@@ -0,0 +1,7 @@
+# Project defaults for markdownlint / markdownlint-cli2
+# https://github.com/DavidAnson/markdownlint/blob/main/doc/Rules.md
+default: true
+MD007:
+  indent: 2
+# Prose and README tables are easier to maintain without strict wrapping
+MD013: false
diff --git a/.markdownlintignore b/.markdownlintignore
new file mode 100644
index 0000000..c2658d7
--- /dev/null
+++ b/.markdownlintignore
@@ -0,0 +1 @@
+node_modules/
diff --git a/.shellcheckrc b/.shellcheckrc
new file mode 100644
index 0000000..c0e228f
--- /dev/null
+++ b/.shellcheckrc
@@ -0,0 +1,4 @@
+# Allow following sourced files not passed on the command line (same as -x).
+external-sources=true
+# Resolve sources relative to each script's directory (e.g. utils.sh next to cli.sh).
+source-path=SCRIPTDIR
diff --git a/README.md b/README.md
index 26da4f3..f0f09a1 100644
--- a/README.md
+++ b/README.md
@@ -130,16 +130,56 @@ On push/PR to `master`, **Test Runner** (`.github/workflows/test-runner.yaml`) r
 
 ## What gets installed
 
-Illustrative list; see each `*.sh` for the exact Homebrew lines.
+Illustrative list; see each `*.sh` for exact commands and edge cases.
 
-### System configuration
+### Pre-install (`pre-install.sh`)
 
-- Homebrew and Xcode Command Line Tools (via `pre-install.sh`)
-- Firewall, stealth mode, guest account, Software Update and `pmset` behavior (via `system-config.sh`)
+- Homebrew (install if missing), `brew update`, `brew upgrade`, `brew cleanup`, analytics off
+- Xcode Command Line Tools and system software updates (`softwareupdate`)
 
-### Development, CLI, media, productivity, security
+### System defaults (`system-config.sh`)
 
-Examples include Node/Python tooling, Docker-related tooling, editors, browsers, media apps, productivity and security casks, and repositories—aligned with `dev.sh`, `cli.sh`, `media.sh`, `productivity.sh`, and `security.sh`.
+- Firewall, stealth mode, guest account, Software Update and `pmset` behavior (no Homebrew packages)
+
+### Home layout (`organizeHome.sh`)
+
+Creates `~/Books`, `~/Games`, `~/Hacking`, `~/Projects`; removes empty `~/Templates` if present (no Homebrew packages)
+
+### CLI tools (`cli.sh`)
+
+bat, curl, eza, fastfetch, fd, git, htop, jq, ripgrep, vim, wget
+
+### Media (`media.sh`)
+
+Brave Browser, DuckDuckGo, Spotify, VLC
+
+### Productivity (`productivity.sh`)
+
+- **Homebrew casks**: Balena Etcher, Notion, Proton Drive, Proton Mail, Standard Notes, Zoom
+- **Homebrew formula**: Raycast
+
+### Development (`dev.sh`)
+
+- **Homebrew formulas**: Node, Python 3.12, Colima, Docker, Docker Compose, GitHub CLI (`gh`), Neovim, Podman, Semgrep, ShellCheck, Tree-sitter, Angular CLI
+- **Homebrew casks**: Postman, Visual Studio Code
+- **Other Homebrew**: Sourcegraph app (from `sourcegraph/app` tap), Sourcegraph CLI (`src-cli`)
+- **Also**: NVM (official install script), `packer.nvim` for Neovim, optional Neovim / Vim / VS Code config from `src/dotfiles/`, global Git user settings and credential helper, `colima start`
+
+### Security (`security.sh`)
+
+- **Homebrew casks**: 1Password, 1Password CLI, Proton VPN, Signal, Burp Suite, OWASP ZAP
+- **Homebrew formulas**: OpenVPN, ExifTool, Nmap
+- **Also**: Proton Pass CLI (install script), clones **PayloadsAllTheThings** and **SecLists** into `~/Hacking/`, enables Application Firewall
+
+### Shell and terminal (`shell.sh`)
+
+- **Homebrew formulas**: Oh My Posh (`jandedobbeleer/oh-my-posh/oh-my-posh`), Ghostty, Zsh, tmux, zsh-autosuggestions, zsh-syntax-highlighting
+- **Homebrew casks**: Font Awesome Terminal Fonts, Fira Code, Meslo LG Nerd Font, Powerline Symbols
+- **Also**: optional Ghostty, tmux, and `.zshrc` from `src/dotfiles/`; default login shell set to Zsh
+
+### Post-install (`post-install.sh`)
+
+`brew` update, upgrade, and cleanup; prints `src/assets/wolf.txt` when present
 
 ### Configuration files
 
diff --git a/src/scripts/cli.sh b/src/scripts/cli.sh
index 7446db9..9e805bf 100755
--- a/src/scripts/cli.sh
+++ b/src/scripts/cli.sh
@@ -1,5 +1,6 @@
 #!/bin/bash
 
+# shellcheck source=utils.sh
 source "$(dirname "$0")/utils.sh"
 
 brew install bat curl eza fastfetch fd git htop jq ripgrep vim wget 2>>"$ERROR_LOG_FILE" || true
diff --git a/src/scripts/dev.sh b/src/scripts/dev.sh
index 398010f..54b874c 100755
--- a/src/scripts/dev.sh
+++ b/src/scripts/dev.sh
@@ -1,5 +1,6 @@
 #!/bin/bash
 
+# shellcheck source=utils.sh
 source "$(dirname "$0")/utils.sh"
 
 brew install node python@3.12 colima docker docker-compose gh neovim podman semgrep shellcheck tree-sitter angular-cli 2>>"$ERROR_LOG_FILE" || true
diff --git a/src/scripts/master.sh b/src/scripts/master.sh
index d1d23fd..931c59c 100755
--- a/src/scripts/master.sh
+++ b/src/scripts/master.sh
@@ -1,5 +1,6 @@
 #!/bin/bash
 
+# shellcheck source=utils.sh
 source "$(dirname "$0")/utils.sh"
 
 if [[ "$OSTYPE" != "darwin"* ]]; then
diff --git a/src/scripts/media.sh b/src/scripts/media.sh
index c252c1b..d31d89a 100755
--- a/src/scripts/media.sh
+++ b/src/scripts/media.sh
@@ -1,5 +1,6 @@
 #!/bin/bash
 
+# shellcheck source=utils.sh
 source "$(dirname "$0")/utils.sh"
 
 brew install --cask brave-browser duckduckgo spotify vlc 2>>"$ERROR_LOG_FILE" || true
diff --git a/src/scripts/organizeHome.sh b/src/scripts/organizeHome.sh
index cac44bb..34f196f 100755
--- a/src/scripts/organizeHome.sh
+++ b/src/scripts/organizeHome.sh
@@ -1,6 +1,9 @@
 #!/bin/bash
 
+# shellcheck source=utils.sh
 source "$(dirname "$0")/utils.sh"
 
-[[ -d "$HOME/Templates" ]] && rmdir "$HOME/Templates" 2>>"$ERROR_LOG_FILE" || true
+if [[ -d "$HOME/Templates" ]]; then
+    rmdir "$HOME/Templates" 2>>"$ERROR_LOG_FILE" || true
+fi
 mkdir -p "$HOME/Books" "$HOME/Games" "$HOME/Hacking" "$HOME/Projects" 2>>"$ERROR_LOG_FILE" || true
diff --git a/src/scripts/post-install.sh b/src/scripts/post-install.sh
index bf745ef..6e430f7 100755
--- a/src/scripts/post-install.sh
+++ b/src/scripts/post-install.sh
@@ -1,5 +1,6 @@
 #!/bin/bash
 
+# shellcheck source=utils.sh
 source "$(dirname "$0")/utils.sh"
 
 brew update 2>>"$ERROR_LOG_FILE" || true
diff --git a/src/scripts/pre-install.sh b/src/scripts/pre-install.sh
index 838da36..be2e0b5 100755
--- a/src/scripts/pre-install.sh
+++ b/src/scripts/pre-install.sh
@@ -1,5 +1,6 @@
 #!/bin/bash
 
+# shellcheck source=utils.sh
 source "$(dirname "$0")/utils.sh"
 
 if ! command -v brew >/dev/null 2>&1; then
diff --git a/src/scripts/productivity.sh b/src/scripts/productivity.sh
index 22d8cc0..8034819 100755
--- a/src/scripts/productivity.sh
+++ b/src/scripts/productivity.sh
@@ -1,6 +1,7 @@
 #!/bin/bash
 
+# shellcheck source=utils.sh
 source "$(dirname "$0")/utils.sh"
 
-brew install --cask balenaetcher chatgpt notion proton-drive proton-mail standard-notes zoom 2>>"$ERROR_LOG_FILE" || true
+brew install --cask balenaetcher notion proton-drive proton-mail standard-notes zoom 2>>"$ERROR_LOG_FILE" || true
 brew install raycast 2>>"$ERROR_LOG_FILE" || true
diff --git a/src/scripts/security.sh b/src/scripts/security.sh
index b35afe2..cd3e583 100755
--- a/src/scripts/security.sh
+++ b/src/scripts/security.sh
@@ -1,5 +1,6 @@
 #!/bin/bash
 
+# shellcheck source=utils.sh
 source "$(dirname "$0")/utils.sh"
 
 brew install --cask 1password 1password-cli 2>>"$ERROR_LOG_FILE" || true
@@ -11,9 +12,10 @@ brew install --cask burp-suite zap 2>>"$ERROR_LOG_FILE" || true
 # Install Proton Pass CLI
 curl -fsSL https://proton.me/download/pass-cli/install.sh | bash 2>>"$ERROR_LOG_FILE" || true
 export PATH="/Users/garret/.local/bin:$PATH"
-# Add PATH to .zshrc if not already present
-if ! grep -q 'export PATH="/Users/garret/.local/bin:$PATH"' "$HOME/.zshrc" 2>/dev/null; then
-    echo 'export PATH="/Users/garret/.local/bin:$PATH"' >> "$HOME/.zshrc" 2>>"$ERROR_LOG_FILE" || true
+# Add PATH to .zshrc if not already present ($PATH must expand when zsh reads .zshrc, not here)
+path_line="export PATH=\"/Users/garret/.local/bin:\$PATH\""
+if ! grep -qF "$path_line" "$HOME/.zshrc" 2>/dev/null; then
+    echo "$path_line" >> "$HOME/.zshrc" 2>>"$ERROR_LOG_FILE" || true
 fi
 
 sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on 2>>"$ERROR_LOG_FILE" || true
diff --git a/src/scripts/shell.sh b/src/scripts/shell.sh
index 7a4879b..9914c41 100755
--- a/src/scripts/shell.sh
+++ b/src/scripts/shell.sh
@@ -1,5 +1,6 @@
 #!/bin/bash
 
+# shellcheck source=utils.sh
 source "$(dirname "$0")/utils.sh"
 
 brew install jandedobbeleer/oh-my-posh/oh-my-posh 2>>"$ERROR_LOG_FILE" || true
diff --git a/src/scripts/system-config.sh b/src/scripts/system-config.sh
index a851fd0..aaba237 100755
--- a/src/scripts/system-config.sh
+++ b/src/scripts/system-config.sh
@@ -4,6 +4,7 @@
 # security, developer-oriented defaults, and Apple Silicon–friendly power tuning).
 # Run on macOS; many changes apply after Dock / Finder / ControlCenter / SystemUIServer restart.
 
+# shellcheck source=utils.sh
 source "$(dirname "$0")/utils.sh"
 
 if [[ "$OSTYPE" != "darwin"* ]]; then
diff --git a/src/scripts/utils.sh b/src/scripts/utils.sh
index 05322ca..0de8d2b 100644
--- a/src/scripts/utils.sh
+++ b/src/scripts/utils.sh
@@ -8,7 +8,8 @@ mkdir -p "$(dirname "$ERROR_LOG_FILE")"
 
 log_error() {
     local message="$1"
-    local timestamp=$(date '+%Y-%m-%d %H:%M:%S')
+    local timestamp
+    timestamp=$(date '+%Y-%m-%d %H:%M:%S')
     echo -e "\033[0;31m[ERROR]\033[0m $message" >&2
     echo "[$timestamp] [ERROR] $message" >> "$ERROR_LOG_FILE"
 }
@@ -26,7 +27,8 @@ copy_file_safe() {
         return 0
     fi
 
-    local dest_dir=$(dirname "$destination")
+    local dest_dir
+    dest_dir=$(dirname "$destination")
     ensure_directory "$dest_dir"
 
     cp "$source" "$destination" 2>>"$ERROR_LOG_FILE" || true
@@ -40,7 +42,8 @@ copy_directory_safe() {
         return 0
     fi
 
-    local dest_dir=$(dirname "$destination")
+    local dest_dir
+    dest_dir=$(dirname "$destination")
     ensure_directory "$dest_dir"
 
     cp -r "$source" "$destination" 2>>"$ERROR_LOG_FILE" || true