diff --git a/.github/workflows/badgesort.yml b/.github/workflows/badgesort.yml
index b60e59a..fd02df5 100644
--- a/.github/workflows/badgesort.yml
+++ b/.github/workflows/badgesort.yml
@@ -5,6 +5,9 @@ on:
 branches: [main]
 workflow_dispatch:
+permissions:
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
@@ -16,10 +19,10 @@ jobs:
 permissions:
 contents: write
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Generate badges
- uses: docker://ghcr.io/chipwolf/badgesort:latest
+ uses: docker://ghcr.io/chipwolf/badgesort@sha256:a0b74fd865d8c93040f74c865272421e6ba4cdeb4b882990548f90e2debed04a
 with:
 slugs: >-
 bitwarden
@@ -40,7 +43,7 @@ jobs:
 output: README.md
 - name: Commit badge updates
- uses: stefanzweifel/git-auto-commit-action@v7.1.0
+ uses: stefanzweifel/git-auto-commit-action@04702edda442b2e678b25b537cec683a1493fcb9 # v7.1.0
 with:
 commit_message: "chore: update badges"
 file_pattern: README.md
diff --git a/.github/workflows/megalinter.yml b/.github/workflows/megalinter.yml
index 6d67914..c6d1fcd 100644
--- a/.github/workflows/megalinter.yml
+++ b/.github/workflows/megalinter.yml
@@ -10,6 +10,10 @@ on:
 - reopened
 - closed
+permissions:
+ contents: read
+ security-events: write
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
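Review bot: The pinned badgesort image on the `uses: docker://ghcr.io/chipwolf/badgesort@sha256:…` line carries no version comment, unlike every other pin in this commit (`# v6`, `# v7.1.0`), so a reader cannot tell which tag the digest was resolved from or re-verify it later. Automated updaters that bump SHA-pinned actions key on that trailing tag comment; whether they treat `docker://` digests the same way should be confirmed, but without a comment there is nothing for them or a human to work from. Suggest appending `# <TAG-THE-DIGEST-WAS-RESOLVED-FROM>` to that line, with the real tag filled in, matching the convention used on the checkout and git-auto-commit pins in the same file.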
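Review bot: `security-events: write` is granted at workflow level here while the companion hunk `@@ -19,21 +23,18 @@` removes the same grant from the MegaLinter job, which widens it from one job to every job in this workflow, including any added later without its own `permissions:` block. The least-privilege shape is to keep the workflow-level default at read-only and leave the write grant on the job that uploads the SARIF: at the top only `permissions:` / `  contents: read`, and the job keeps `permissions:` / `  contents: read` / `  security-events: write`. The badgesort workflow in this same commit already follows that pattern (workflow default `contents: read`, job-level `contents: write`), so this would also make the two workflows consistent.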
@@ -19,21 +23,18 @@ jobs:
 name: MegaLinter
 runs-on: ubuntu-latest
 if: github.event.action != 'closed'
- permissions:
- contents: read
- security-events: write
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 fetch-depth: 0
 - name: Run MegaLinter
- uses: oxsecurity/megalinter@v9.4.0
+ uses: oxsecurity/megalinter@8fbdead70d1409964ab3d5afa885e18ee85388bb # v9.4.0
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 - name: Upload SARIF report
 if: always()
- uses: github/codeql-action/upload-sarif@v3
+ uses: github/codeql-action/upload-sarif@480db559a14342288b67e54bd959dd52dc3ee68f # v3
 with:
 sarif_file: megalinter-reports/megalinter-report.sarif
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 8024e28..15f4133 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -30,7 +30,7 @@ jobs:
 steps:
 - name: Release Please
 id: rp
- uses: googleapis/release-please-action@v4.4.0
+ uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.4.0
 # --- Build and attest container image ---
@@ -45,7 +45,7 @@ jobs:
 image: ${{ steps.image.outputs.name }}
 digest: ${{ steps.build.outputs.digest }}
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Lowercase image name
 id: image
@@ -55,7 +55,7 @@ jobs:
 IMAGE_NAME: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}
 - name: Log in to GHCR
- uses: docker/login-action@v4
+ uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4
 with:
 registry: ${{ env.IMAGE_REGISTRY }}
 username: ${{ github.actor }}
@@ -63,7 +63,7 @@ jobs:
 - name: Build and push
 id: build
- uses: docker/build-push-action@v7
+ uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
 with:
 context: .
 push: true
@@ -77,7 +77,7 @@ jobs:
 actions: read
 id-token: write
 packages: write
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@f7dd8c54c2067bafc12ca7a55595d5ee9b75204a # v2.1.0
 with:
 image: ${{ needs.build.outputs.image }}
 digest: ${{ needs.build.outputs.digest }}
@@ -96,7 +96,7 @@ jobs:
 outputs:
 hashes: ${{ steps.hash.outputs.hashes }}
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Interpolate repo URL in install scripts
 env:
@@ -127,7 +127,7 @@ jobs:
 actions: read
 id-token: write
 contents: write
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@f7dd8c54c2067bafc12ca7a55595d5ee9b75204a # v2.1.0
 with:
 base64-subjects: ${{ needs.upload-scripts.outputs.hashes }}
 upload-assets: true
diff --git a/Dockerfile b/Dockerfile
index 8d01177..f6a2300 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,9 +1,13 @@
 # Builds a pre-baked dotfiles overlay image for GitHub Codespaces.
 # The resulting image layers (minus the base) are pulled and extracted
 # into a codespace by install.sh for fast dotfiles provisioning.
-FROM mcr.microsoft.com/devcontainers/universal:latest
+FROM mcr.microsoft.com/devcontainers/universal:2
 USER codespace
 COPY --chown=codespace:codespace . /tmp/dotfiles
 RUN CODESPACES=1 DOTFILES_NO_OVERLAY=1 /tmp/dotfiles/install.sh \
 && rm -rf /tmp/dotfiles /home/codespace/.config/chezmoi
+
+# Lightweight runtime sanity check for the pre-baked Codespaces overlay image.
+HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
+ CMD ["/bin/sh", "-c", "test -d /home/codespace && test -f /home/codespace/.zshrc"]
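Review bot: Pinning the two slsa-github-generator reusable workflows to a commit SHA (this hunk and `@@ -127,7 +127,7 @@`) may not be supported by the generator itself: its documentation has required referencing the builder by a version tag so that the builder identity recorded in the provenance matches what slsa-verifier expects, and hash-pinned references have been rejected in the past. That is recalled from the project's README rather than visible here, so confirm against the v2.1.0 documentation and run the release workflow once before merging. If tag references are required, keep `@v2.1.0` on these two `uses:` lines and document the exception to the SHA-pinning done elsewhere in this commit, e.g. `# SLSA generator must be referenced by tag, not SHA — see its README`.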
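Review bot: `FROM mcr.microsoft.com/devcontainers/universal:2` replaces `:latest` with a still-mutable major tag, so the base can change underneath the image that release.yml builds and attests with SLSA provenance; to make the attested input reproducible, pin the base by digest the way this commit already pins the badgesort image: `FROM mcr.microsoft.com/devcontainers/universal:2@sha256:<DIGEST-OF-UNIVERSAL-2-PLACEHOLDER>`. The header comment states that this image's layers are pulled and extracted by install.sh rather than run as a container, so the new `HEALTHCHECK` presumably never executes in that flow; if it targets a different consumer, the comment above it should name that consumer, otherwise it is dead metadata. `test -f /home/codespace/.zshrc` also hard-codes a file that none of the visible lines create, so confirm install.sh produces it or the check will always fail.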
diff --git a/home/Documents/PowerShell/Microsoft.PowerShell_profile.ps1 b/home/Documents/PowerShell/Microsoft.PowerShell_profile.ps1
index 784a4fb..d2c4e59 100644
--- a/home/Documents/PowerShell/Microsoft.PowerShell_profile.ps1
+++ b/home/Documents/PowerShell/Microsoft.PowerShell_profile.ps1
@@ -10,7 +10,8 @@ if (Get-Module -ListAvailable -Name PSReadLine) {
 if (Get-Command oh-my-posh -ErrorAction SilentlyContinue) {
 $ompTheme = Join-Path $env:USERPROFILE ".config\oh-my-posh\theme.omp.json"
 if (Test-Path $ompTheme) {
- oh-my-posh init pwsh --config $ompTheme | Invoke-Expression
+ $ompInitScript = oh-my-posh init pwsh --config $ompTheme | Out-String
+ . ([ScriptBlock]::Create($ompInitScript))
 }
 }
@@ -18,5 +19,6 @@ Set-Alias -Name which -Value Get-Command
 Set-Alias -Name ll -Value Get-ChildItem
 if (Get-Command mise -ErrorAction SilentlyContinue) {
- mise activate pwsh | Out-String | Invoke-Expression
+ $miseInitScript = mise activate pwsh | Out-String
+ . ([ScriptBlock]::Create($miseInitScript))
 }
diff --git a/home/dot_scripts/executable_brew-review b/home/dot_scripts/executable_brew-review
index 90e28e7..d67a28a 100644
--- a/home/dot_scripts/executable_brew-review
+++ b/home/dot_scripts/executable_brew-review
@@ -181,8 +181,16 @@ if [ ${#extras[@]} -gt 0 ]; then
 printf " %s" "$key"
 if [ -n "$tap_formulae" ] || [ -n "$tap_casks" ]; then
 echo " (contains installed packages:"
- [ -n "$tap_formulae" ] && echo "$tap_formulae" | sed 's/^/ formula: /'
- [ -n "$tap_casks" ] && echo "$tap_casks" | sed 's/^/ cask: /'
+ if [ -n "$tap_formulae" ]; then
+ while IFS= read -r formula; do
+ printf " formula: %s\n" "$formula"
+ done <<< "$tap_formulae"
+ fi
+ if [ -n "$tap_casks" ]; then
+ while IFS= read -r cask; do
+ printf " cask: %s\n" "$cask"
+ done <<< "$tap_casks"
+ fi
 printf " )"
 fi
 echo ""
diff --git a/install.ps1 b/install.ps1
index 60eec9f..b417ab4 100644
--- a/install.ps1
+++ b/install.ps1
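Review bot: Dot-sourcing `[ScriptBlock]::Create($ompInitScript)` still executes whatever text `oh-my-posh init` writes to stdout, so the trust boundary is unchanged from the replaced `Invoke-Expression`; a short comment should say so and name the motivation (presumably a PSScriptAnalyzer rule on Invoke-Expression) so the rewrite is not read as a hardening. Neither this hunk nor the mise hunk `@@ -18,5 +19,6 @@` checks the native command's result before evaluating its output, so a failing `oh-my-posh` or `mise` yields an empty or partial script that is evaluated silently; gate the dot-source, e.g. `if ($LASTEXITCODE -eq 0 -and $ompInitScript) { . ([ScriptBlock]::Create($ompInitScript)) }` and the same shape for `$miseInitScript`. The `if (Get-Command oh-my-posh …)` block is fully inside the first hunk, but the PSReadLine block named in its header starts above it.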
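Review bot: The two added `while IFS= read -r … done <<< …` loops are identical apart from the label and the variable, and the enclosing `if [ ${#extras[@]} -gt 0 ]` block starts outside the hunk; a small helper such as `print_labeled() { while IFS= read -r item; do printf " %s: %s\n" "$1" "$item"; done <<< "$2"; }` called as `print_labeled formula "$tap_formulae"` and `print_labeled cask "$tap_casks"` would remove the duplication (keep whatever leading indentation the original format strings carry, which this listing does not preserve). The format strings are literals with the values passed as `%s` arguments, which is the right way round and an improvement over piping through `sed`.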
@@ -31,9 +31,20 @@ if (-not $isAdmin) {
 # Install Chocolatey if not present
 if (-not (Get-Command choco -ErrorAction SilentlyContinue)) {
 Write-Host "Installing Chocolatey..." -ForegroundColor Cyan
- Set-ExecutionPolicy Bypass -Scope Process -Force
 [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072
- Invoke-Expression ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
+ $chocoBootstrapPath = Join-Path $env:TEMP "chocolatey-install.ps1"
+ Invoke-WebRequest -Uri "https://community.chocolatey.org/install.ps1" -OutFile $chocoBootstrapPath
+ # Run Chocolatey's bootstrap in an isolated PowerShell process with per-process policy bypass.
+ # This avoids mutating execution policy from inside this installer script.
+ $chocoResult = Start-Process powershell -ArgumentList @(
+ "-NoProfile",
+ "-ExecutionPolicy", "Bypass",
+ "-File", $chocoBootstrapPath
+ ) -Wait -PassThru
+ Remove-Item $chocoBootstrapPath -ErrorAction SilentlyContinue
+ if ($chocoResult.ExitCode -ne 0) {
+ throw "Chocolatey installation failed with exit code $($chocoResult.ExitCode)."
+ }
 $env:PATH = "$env:ALLUSERSPROFILE\chocolatey\bin;$env:PATH"
 }
diff --git a/release-please-config.json b/release-please-config.json
index 68dc92d..d9255a8 100644
--- a/release-please-config.json
+++ b/release-please-config.json
@@ -1,5 +1,4 @@
 {
- "bootstrap-sha": "db9b37e6209d5b8750ad1ae59c98c0c809bca65a",
 "packages": {
 ".": {
 "release-type": "simple",
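Review bot: The downloaded bootstrap is only removed on the happy path: if `Invoke-WebRequest` throws or `Start-Process` fails to launch (for example `powershell` not resolvable on PATH), the `Remove-Item` line never runs and the script stays in `$env:TEMP`. Wrapping the download-and-run in `try { … } finally { Remove-Item … }` keeps the cleanup unconditional while the `ExitCode` check still throws on failure. Separately, the remote script is executed without any integrity check, exactly as the replaced `Invoke-Expression` line did; if a pinned hash is acceptable for this project, compare `(Get-FileHash $chocoBootstrapPath -Algorithm SHA256).Hash` to an expected value before `Start-Process`, otherwise state in the comment that the download is trusted on TLS alone so the decision is explicit. The enclosing `if (-not (Get-Command choco …))` block is fully inside the hunk.
```powershell
$chocoBootstrapPath = Join-Path $env:TEMP "chocolatey-install.ps1"
try {
    Invoke-WebRequest -Uri "https://community.chocolatey.org/install.ps1" -OutFile $chocoBootstrapPath
    # … unchanged: the two explanatory comments and the Start-Process … -Wait -PassThru call …
    if ($chocoResult.ExitCode -ne 0) {
        throw "Chocolatey installation failed with exit code $($chocoResult.ExitCode)."
    }
}
finally {
    # Always remove the downloaded bootstrap, even when the download or the launch threw.
    Remove-Item $chocoBootstrapPath -ErrorAction SilentlyContinue
}
```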