diff --git a/.jules/sentinel.md b/.jules/sentinel.md
index 0880885..cae5ac0 100644
--- a/.jules/sentinel.md
+++ b/.jules/sentinel.md
@@ -13,7 +13,6 @@ second.
 **Prevention:** Wrap commands that create sensitive files in a subshell using
 `umask 077` to ensure the file is created with secure permissions (`600`)
 natively.
-# Sentinel Security Journal
 
 ## 2026-04-16 - Prevent TOCTOU and Symlink Attacks via Insecure Temporary Directories
 
@@ -21,10 +20,27 @@ natively.
 to predictable temporary paths like `/tmp/yq` or the current working directory,
 which risks local privilege escalation, symlink attacks, and overwriting
 existing files when executed with elevated privileges (`sudo`).
+
 **Learning:** Hardcoded temporary paths (`/tmp/...`) are insecure and
 susceptible to symlink hijacking by local attackers. Additionally, downloading
 directly to the current directory is poor practice and pollutes the workspace
 or risks naming collisions.
+
+**Prevention:** Always use securely generated random directories (e.g.,
+`TMP_DIR=$(mktemp -d)`) wrapped in a subshell `(...)` and paired with a local
+trap (`trap 'rm -rf "$TMP_DIR"' EXIT`) to ensure isolation and automatic
+cleanup upon exit.
+
+## 2026-04-18 - Prevent Insecure Artifact Downloads in APT Setup
+
+**Vulnerability:** Shell scripts were downloading executable artifacts directly
+to the current working directory, which risks overwriting existing files or
+executing attacker-controlled binaries when executed with elevated privileges
+(`sudo`).
+
+**Learning:** Downloading directly to the current directory is poor practice
+and pollutes the workspace or risks naming collisions.
+
 **Prevention:** Always use securely generated random directories (e.g.,
 `TMP_DIR=$(mktemp -d)`) wrapped in a subshell `(...)` and paired with a local
 trap (`trap 'rm -rf "$TMP_DIR"' EXIT`) to ensure isolation and automatic
diff --git a/tools/backup-projects.sh b/tools/backup-projects.sh
index 4ba391d..af933ca 100755
--- a/tools/backup-projects.sh
+++ b/tools/backup-projects.sh
@@ -269,6 +269,7 @@ sync_git_repos() {
             local repo_dir
             repo_dir=$(dirname "$git_dir")
             local repo_name
+            # shellcheck disable=SC2034
             repo_name=$(basename "$repo_dir")
             local relative_path="${repo_dir#$HOME/}"
 
@@ -292,7 +293,8 @@ sync_git_repos() {
                 # Commit local changes first (so pull --rebase doesn't fail)
                 if [[ -n $(git -C "$repo_dir" status --porcelain 2>/dev/null) ]]; then
                     git -C "$repo_dir" add -A 2>/dev/null
-                    local commit_msg="chore: auto-backup commit $(date '+%Y-%m-%d %H:%M')"
+                    local commit_msg
+                    commit_msg="chore: auto-backup commit $(date '+%Y-%m-%d %H:%M')"
                     git -C "$repo_dir" commit -m "$commit_msg" &>/dev/null || true
                 fi
 
diff --git a/tools/dotfiles b/tools/dotfiles
index 45dee95..8f1536b 100755
--- a/tools/dotfiles
+++ b/tools/dotfiles
@@ -38,6 +38,7 @@ if [[ -t 1 ]]; then
     BOLD='\033[1m'
     NC='\033[0m'
 else
+    # shellcheck disable=SC2034
     RED='' GREEN='' YELLOW='' BLUE='' CYAN='' DIM='' BOLD='' NC=''
 fi
 
@@ -344,6 +345,7 @@ cmd_logs() {
 }
 
 cmd_cron() {
+    # shellcheck disable=SC2034
     local CRON_DIR="$DOTFILES_DIR/cron"
     local CONFIG_FILE="${XDG_CONFIG_HOME:-$HOME/.config}/dotfiles/config.yaml"
 
diff --git a/tools/os_installers/apt.sh b/tools/os_installers/apt.sh
index 5f2b2df..cad1814 100644
--- a/tools/os_installers/apt.sh
+++ b/tools/os_installers/apt.sh
@@ -262,17 +262,19 @@ sudo apt install -y tesseract-ocr
 # Install PHP Composer
 echo "Installing Composer..."
 if ! command -v composer &> /dev/null; then
-    EXPECTED_CHECKSUM="$(php -r 'copy("https://composer.github.io/installer.sig", "php://stdout");')"
-    php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
-    ACTUAL_CHECKSUM="$(php -r "echo hash_file('sha384', 'composer-setup.php');")"
-
-    if [ "$EXPECTED_CHECKSUM" = "$ACTUAL_CHECKSUM" ]; then
-        sudo php composer-setup.php --quiet --install-dir=/usr/local/bin --filename=composer
-        rm composer-setup.php
-    else
-        >&2 echo 'ERROR: Invalid installer checksum for Composer'
-        rm composer-setup.php
-    fi
+    (
+        TMP_DIR=$(mktemp -d)
+        trap 'rm -rf "$TMP_DIR"' EXIT
+        EXPECTED_CHECKSUM="$(php -r 'copy("https://composer.github.io/installer.sig", "php://stdout");')"
+        php -r "copy('https://getcomposer.org/installer', '$TMP_DIR/composer-setup.php');"
+        ACTUAL_CHECKSUM="$(php -r "echo hash_file('sha384', '$TMP_DIR/composer-setup.php');")"
+
+        if [ "$EXPECTED_CHECKSUM" = "$ACTUAL_CHECKSUM" ]; then
+            sudo php "$TMP_DIR/composer-setup.php" --quiet --install-dir=/usr/local/bin --filename=composer
+        else
+            >&2 echo 'ERROR: Invalid installer checksum for Composer'
+        fi
+    )
 fi
 
 # Clean up